<?xml version="1.0" encoding="UTF-8" ?>
<?xml-stylesheet type="text/xsl" href="http://evangelyze.net/cs/utility/FeedStylesheets/rss.xsl" media="screen"?><rss version="2.0" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:slash="http://purl.org/rss/1.0/modules/slash/" xmlns:wfw="http://wellformedweb.org/CommentAPI/"><channel><title>Tony's Blog : vulnerabilities</title><link>http://evangelyze.net/cs/blogs/tony/archive/tags/vulnerabilities/default.aspx</link><description>Tags: vulnerabilities</description><dc:language>en</dc:language><generator>CommunityServer 2008.5 SP2 (Debug Build: 40407.4157)</generator><item><title>VoIP Service Theft Fugitive Captured</title><link>http://evangelyze.net/cs/blogs/tony/archive/2009/02/11/voip-service-theft-fugitive-captured.aspx</link><pubDate>Wed, 11 Feb 2009 20:26:00 GMT</pubDate><guid isPermaLink="false">e99d0b66-7c3d-48f6-a7f8-df8f414b967b:151</guid><dc:creator>tony</dc:creator><slash:comments>0</slash:comments><wfw:commentRss xmlns:wfw="http://wellformedweb.org/CommentAPI/">http://evangelyze.net/cs/blogs/tony/rsscomments.aspx?PostID=151</wfw:commentRss><comments>http://evangelyze.net/cs/blogs/tony/archive/2009/02/11/voip-service-theft-fugitive-captured.aspx#comments</comments><description>&lt;p&gt;Edward Pena was arrested in Mexico yesterday. Pena was originally charged in 2006 with computer fraud and wire fraud for &lt;a href="http://www.computerworld.com/action/article.do?command=viewArticleBasic&amp;amp;taxonomyName=security&amp;amp;articleId=9127718"&gt;selling stolen VoIP service&lt;/a&gt;. Working with his partner Robert Moore, the two scanned networks to find open or poorly secured VoIP systems. Moore would deliver the information to Pena and Pena in turn used the information to sell more than 10 million stolen minutes of VoIP service from 15 different VoIP providers.&lt;/p&gt;
&lt;p&gt;Pena&amp;#39;s lucrative criminal enterprise netted him more than $1 million, enabling him to live a lavish lifestyle. Pena purchased real estate in Miami, a 40-foot Sea Ray Mercruiser boat, and a BMW M3 among other things with his ill-gotten gains.&lt;/p&gt;
&lt;p&gt;Pena has been on the run for the past couple of years. Now that he has been apprehended he faces up to 25 years in prison. In this case justice will apparently be served. I am not sure however if any of the 15 victimized entities will be able to recover any of the income they lost in paying for the 10 million stolen minutes of VoIP service. &lt;/p&gt;
&lt;p&gt;It is important that organizations understand the threats that exist to VoIP systems, and the security best practices necessary to protect against them. Performing a VoIP security assessment is the first step to ensuring that your VoIP system isn&amp;#39;t targeted by the next &amp;#39;Pena&amp;#39; that comes along.&lt;/p&gt;&lt;div style="clear:both;"&gt;&lt;/div&gt;&lt;img src="http://evangelyze.net/cs/aggbug.aspx?PostID=151" width="1" height="1"&gt;</description><category domain="http://evangelyze.net/cs/blogs/tony/archive/tags/VoIP/default.aspx">VoIP</category><category domain="http://evangelyze.net/cs/blogs/tony/archive/tags/VoIP+security/default.aspx">VoIP security</category><category domain="http://evangelyze.net/cs/blogs/tony/archive/tags/vulnerabilities/default.aspx">vulnerabilities</category><category domain="http://evangelyze.net/cs/blogs/tony/archive/tags/best+practices/default.aspx">best practices</category><category domain="http://evangelyze.net/cs/blogs/tony/archive/tags/VoIP+security+assessment/default.aspx">VoIP security assessment</category><category domain="http://evangelyze.net/cs/blogs/tony/archive/tags/threats/default.aspx">threats</category><category domain="http://evangelyze.net/cs/blogs/tony/archive/tags/theft/default.aspx">theft</category></item><item><title>IBM Reports Increase in VoIP Vulnerabilities</title><link>http://evangelyze.net/cs/blogs/tony/archive/2009/02/06/ibm-reports-increase-in-voip-vulnerabilities.aspx</link><pubDate>Fri, 06 Feb 2009 14:36:00 GMT</pubDate><guid isPermaLink="false">e99d0b66-7c3d-48f6-a7f8-df8f414b967b:148</guid><dc:creator>tony</dc:creator><slash:comments>0</slash:comments><wfw:commentRss xmlns:wfw="http://wellformedweb.org/CommentAPI/">http://evangelyze.net/cs/blogs/tony/rsscomments.aspx?PostID=148</wfw:commentRss><comments>http://evangelyze.net/cs/blogs/tony/archive/2009/02/06/ibm-reports-increase-in-voip-vulnerabilities.aspx#comments</comments><description>&lt;p&gt;The most recent &lt;a 
href="http://arstechnica.com/security/news/2009/02/malware-economics-web-security-major-issues-in-2008.ars"&gt;IBM X-Force report&lt;/a&gt; provides a lot of insight into the state of network security and malware, including some bad news for VoIP (Voice over IP). The report, which summarizes IBM&amp;#39;s findings from 2008 and illustrates some trends and predictions of what to expect for 2009, is a valuable source of information. Among other tidbits (like an overall increase of 13.5% in discovered vulnerabilities, but a 50% drop in &amp;#39;Critical&amp;#39; vulnerabilities from 2007) is the news that IBM reported a 49% increase in client-side vulnerabilities for VoIP.&lt;/p&gt;
&lt;p&gt;The report states &amp;quot;As we mentioned, client-side vulnerabilities trended downwards in 2008, though VOIP clients were a notable exception; the total number of VOIP client flaws rose 49 percent over the past 12 months.&amp;quot; &lt;/p&gt;
&lt;p&gt;Take a look at the complete &lt;a href="http://www-935.ibm.com/services/us/iss/xforce/trendreports/xforce-2008-annual-report.pdf"&gt;IBM Internet Security Systems X-Force 2008 Trend &amp;amp; Risk Report&lt;/a&gt; to learn more about what 2008 looked like and what the trends are for 2009. In particular though, pay attention to the trends for VoIP and unified communications security. VoIP and UC are reaching that critical mass where attackers are&amp;nbsp;going to find&amp;nbsp;them to be increasingly attractive targets. Once attackers come up with a solid model for generating revenue from VoIP and UC exploits (aside from toll fraud), many companies are going to find that their VoIP and UC security measures are not adequate to protect them.&lt;/p&gt;&lt;div style="clear:both;"&gt;&lt;/div&gt;&lt;img src="http://evangelyze.net/cs/aggbug.aspx?PostID=148" width="1" height="1"&gt;</description><category domain="http://evangelyze.net/cs/blogs/tony/archive/tags/VoIP/default.aspx">VoIP</category><category domain="http://evangelyze.net/cs/blogs/tony/archive/tags/VoIP+security/default.aspx">VoIP security</category><category domain="http://evangelyze.net/cs/blogs/tony/archive/tags/unified+communications/default.aspx">unified communications</category><category domain="http://evangelyze.net/cs/blogs/tony/archive/tags/unified+communications+security/default.aspx">unified communications security</category><category domain="http://evangelyze.net/cs/blogs/tony/archive/tags/vulnerabilities/default.aspx">vulnerabilities</category><category domain="http://evangelyze.net/cs/blogs/tony/archive/tags/UC/default.aspx">UC</category><category domain="http://evangelyze.net/cs/blogs/tony/archive/tags/IBM+X-Force+report/default.aspx">IBM X-Force report</category></item><item><title>VoIP Security: The Basics</title><link>http://evangelyze.net/cs/blogs/tony/archive/2009/02/05/voip-security-the-basics.aspx</link><pubDate>Thu, 05 Feb 2009 19:34:00 GMT</pubDate><guid 
isPermaLink="false">e99d0b66-7c3d-48f6-a7f8-df8f414b967b:145</guid><dc:creator>tony</dc:creator><slash:comments>0</slash:comments><wfw:commentRss xmlns:wfw="http://wellformedweb.org/CommentAPI/">http://evangelyze.net/cs/blogs/tony/rsscomments.aspx?PostID=145</wfw:commentRss><comments>http://evangelyze.net/cs/blogs/tony/archive/2009/02/05/voip-security-the-basics.aspx#comments</comments><description>&lt;p&gt;It is no secret that VoIP is a popular and growing technology. VoIP, and its bigger, more converged, and feature-rich brother, unified communications, represent a significant shift in communications technology and a quantum evolution in how businesses leverage communications to improve productivity and increase efficiency. Bottom line: businesses that don&amp;#39;t have it now will have it soon, and new tools and technologies will continue to drive the adoption of VoIP and unified communications.&lt;/p&gt;
&lt;p&gt;VoIP security is frequently talked about, but it is rare to hear of actual VoIP attacks. From both a theoretical and practical point of view there are a number of vulnerabilities and weaknesses in various VoIP implementations, but I think that the attackers are still working out their &amp;#39;business model&amp;#39; and examining how to go from exploit to income. So far it seems like the most prevalent attacks are &lt;a href="http://www.evangelyze.net/cs/blogs/tony/archive/2009/01/25/voip-attack-rings-up-120-000-phone-bill.aspx"&gt;old-fashioned toll fraud attacks&lt;/a&gt; against VoIP systems. Without a strategy to monetize the attack, there is little incentive to execute one. Once the Internet criminals of the world figure out how to make money from VoIP exploits the gloves will be off. &lt;/p&gt;
&lt;p&gt;A &lt;a href="http://www.csoonline.com/article/478577/VoIP_Security_The_Basics?page=3"&gt;recent article in CSOOnline.com by Bob Bradley&lt;/a&gt; (Excellent last name! He must know what he is talking about) spells out some of the most prevalent security issues with VoIP, and some recommendations and best practices to guard against them. There are plenty of resources available, and a growing number of vendors and consulting companies dedicated to providing VoIP and unified communications security. It is the responsibility of CSOs, CIOs, and other IT management and security individuals to be informed about the threats and aware of the available mitigations and countermeasures to ensure that their VoIP and unified communications environments are adequately protected.&lt;/p&gt;&lt;div style="clear:both;"&gt;&lt;/div&gt;&lt;img src="http://evangelyze.net/cs/aggbug.aspx?PostID=145" width="1" height="1"&gt;</description><category domain="http://evangelyze.net/cs/blogs/tony/archive/tags/VoIP/default.aspx">VoIP</category><category domain="http://evangelyze.net/cs/blogs/tony/archive/tags/VoIP+security/default.aspx">VoIP security</category><category domain="http://evangelyze.net/cs/blogs/tony/archive/tags/toll+fraud/default.aspx">toll fraud</category><category domain="http://evangelyze.net/cs/blogs/tony/archive/tags/unified+communications+security/default.aspx">unified communications security</category><category domain="http://evangelyze.net/cs/blogs/tony/archive/tags/vulnerabilities/default.aspx">vulnerabilities</category><category domain="http://evangelyze.net/cs/blogs/tony/archive/tags/best+practices/default.aspx">best practices</category><category domain="http://evangelyze.net/cs/blogs/tony/archive/tags/mitigation/default.aspx">mitigation</category></item></channel></rss>