VoIP Now

The term SPIT stands for Spam over Internet Telephony, which may or may not include vishing attempts. I've never noticed this until recently, but on the Share Skype blog, each person commenting on a post has their Skype id revealed, as well as their current online status.

On the one hand, it's kind of cool because you can click-to-call that commenter. On the other hand, a spambot can easily harvest the page and compile a list of Skypers for later SPIT/ vishing activities en masse. It's possible this feature has always been there, but I've never consciously noticed. How do you feel about this? Do you think it's a big deal or nothing to worry about?

The Eye in the Sky: Pushing the IP Communications Envelope
There's been a lot of talk about SEDs - service-enabled devices. SEDs will have their own IP address and are thus pingable across the Internet. Now, imagine that you could query a satellite view a web browser. That's what Iridium is planning: satellites that monitor the Earth, taking pictures. And because they'll be IP-based satellites, Iridium can sell services over the Internet to clients who need to monitor, say, a facility.

Privacy Obligations For VoIP and Telecom Providers
The US FCC is rethinking how it will expect telecoms and VoIP providers to handle CPNI (Customer Propietary Network Information) data - or what amounts to call records and subscriber information. This is as a result of the Hewlett-Packard phone records pretexting scandal and similar cases. Privacy and Security Law Blog has more details on some of the new rules that may be imposed.

Cell Phone Been Bugged?
Despite all the issues of communications -related privacy and security, it's unlikely that most of us have our phones or IP communications bugged. But for whatever reason (jealous spouse, insane employer), if you suspect you do, check out Lauren Weinstein's post How to tell if your cell phone is bugged and the accompanying YouTube video Is your cell phone bugged?

This article about cell phone spam is now proven to be false, but the thought is frightening. Imagine if your cell phone number was legally allowed to be given to telemarketing firms, who could then call or text you mercilessly, all at a cost to you? Your monthly minutes would be eaten up fast. If it happened, would you throw your cellphone in the trash? If you have a contract, forget about it. It'll still cost you.

So let's hope that someone in Washington is at least aware of the potential threat and makes sure consumers don't get stiffed. Pretexting is bad enough; this would be even worse. On the other hand, I can "see" how a Linux-based cell phone could be programmed to auto-filter out unknown callers. Auto-blocking of unknown numbers should be a standard option. Does anyone know if any cellular providers offer this?

Of course, you can still get the equivalent of cell phone spam by using an email text-to-voice application and listening to your spam.

VoIP Comm Now Mainstream?
Ken Camp points out that VoIP is no longer a niche and that it's gone mainstream.

San Fran Wi-Fi Is No-Fi
At least for now, San Francisco is delaying their citywide Wi-Fi network. Again. This is the network that Google is involved in. The issues come from within city council regarding who will own the network.

US Cellular Network Outages Kept Secret
When cell phone networks have service outages in the United States, they aren't announced. In fact, the FCC ordered "wire line" suppliers in 2004 to report them, but in turn removed them from the Freedom of Information Act. [via VoIP and Enum]

Someone's psychology, sociology, and/ or electronic anthropology doctoral paper is lurking beneath all this latest research that shows phishers/ spammers/ scammers are using ever sophisticated methods to grab your attention so they can grab something of yours - preferably e-money.

Now I'm not going to get into the psych makeup of phishers; that's not my intent, despite my opinions. But the low cost of the latest communications technology and its ease of implementation makes it ever so much easier for you to at least be a target if not a victim. That means more vigilance in 2007 and beyond, as several experts are saying that the lastest avenues for phishers are vishing and smishing (SMS phishing). VoIP and SMS are, in fact, the latest tech platforms for phishers.

Tech intelligence and social intelligence seem unfortunately mutually exclusive in these cases. Fortunately, about computer-based crime in general, those getting caught are being given stiffer penalties.

VoIP sys admins will have another potential tool in their arsenal with new VoIP quality monitors
from Network Physics. The offering, called NetSensory Solution Insight for VoIP, works as an extension set for Network Physics' appliances. These extensions measure over 60 metrics related to VoIP call quality.

As I've pointed out before, there are many factors that affect VoIP call service, but I wouldn't have thought there were even 60 IP metrics, let alone that many that affect call quality. Things I haven't touched on before, which Network Physic's solution does, includes using the appropriate CODEC (Coder-decoder) algorithm. Essentially, there are different algorithms to compress and decompress digital audio data, and some perform on the fly better than others, depending on issues related to both network and computing resources.

Grandmaster Bobby Fischer caused a ruckus in the 1970s. when he he denounced the United States - where he grew up - and made pointed political comments. More recently, he renounced his US citizenship to avoid deportation to the US and a 10-year jail sentence. He also spoke in Iceland about President Bush's "regime". By comparison, Umakant Sharma, an Indian chess player, might be considered less trouble, merely cheating at chess using a Bluetooth device stitched into his cap. Now, this isn't the Bluetooth ski cap Motorola offers, but this certainly would be one unexpected way to use it. It's not like it's hard to configure Bluetooth headsets.

His accomplices would run chess simulations on a computer and relayed info to him. Sharma has been banned for 10 years. Maybe he can join Fischer on the fugitive lecture circuit.

Who woulda thunk it? Skype recently suffered from a Trojan horse attack in the Chat mode, which on some computers tried to get users to download an sp.exe file. Apparently, the Yahoo Messenger IM had a Trojan virus as well.

These events show that certain types of VoIP service are susceptible to some form of attacks. Now security experts have been saying that things will be worse in 2007. This is on top of vishing attacks, which are expected to grow. Add to this the fact that e-911 is being mandated of VoIP providers in the US by the FCC. This could be yet another advantage for pure play VoIP services such as Vonage.

It's pure coincidence but as I'm working on this brief article, I've just finished hearing Led Zeppelin's classic Communication Breakdown song. Radio 3net has their own 500 top albums for listening for free online. Yeah, 500. And all the classics are there; all you need is Windows Media Player to listen.

That said, this is a brief overview of some of the issues that could make or break how widespread IP communications becomes. Or at least delay ubiquity.

1. Countrywide bans.
   First, numerous countries in the Middle East and some in Asia (China, South Korea) either fully or partially banned VoIP services - except to the status quo providers in some cases. Then India, who recently allowed Yahoo to provide VoIP services, decided they were going to ban outside providers.
2. Jail sentences.
   Seriously?! Vietnam sentenced a South Korean business man to 16 years in jail after he set up five VoIP systems in Hanoi and Ho Chi Minh City (formerly known as Saigon). It's amazing to think that in the 21st century, there are still people in power who are short-sighted. Or do such people just gravitate to government? Why not absolve him, make him pay a provider fee and a fine, and actually utilize his entrepreunerial spirit? That would actually make sense. This is a similar VoIP crime to what five Asian men did in Namibia, but were out on bail.
3. e911, e999, emergency services.
   Or lack of them. Let's not forget that 911 in the United States was not ubiquitous until, I believe, the late 80s. Still, that's no excuse. In E911 still struggling after 10 years, Wayne Rash says that there's a 16% chance your wireless 911 call won't go through, or that the emergency center won't know where you are. Sad but true. (I didn't know that it's been 10 years since the US FCC mandated e911, aka enhanced 911.) In the UK, they call it 999, and pending regulations by Ofcom (the regulator) could put lives at risk according to ITSPA (Internet Telephony Services Providers Association).
4. Perceived security issues re closed protocols.
   I.e., Skype, which in some cases is the reason countries, corporations and universities have banned Skype in particular.
5. Wiretapping.
   Let's not be naive. Several countries including those considered democracies already have widespread wiretapping in place, whether you know it or not. But Internet tech experts have openly said that architecting a backdoor into VoIP soft clients is not only very difficult but a bad idea.

When Skype recently released its version 3.0 for Windows, it introduced a version that was harder for Skype blockers to detect it. No doubt this has caused grief in the hearts of all those sys admins in countries (and universities and corporations) who have been told to block Skype. Dal at AsteriskVoIPNews provides some technical details about how Skype achieved their cloaking, and what Skype blockers are doing as a result to detect and block the software.

Speaking of blocking, Nokia has launched their own VoIP blocker. What are they thinking? This is the company that announced IM over all their latest cell phones. Why do this then?

Skype's gone release mad these past few days. First it was Skype 3.0 for Windows Beta, then yesterday 2.5 for Mac Beta. They also released an update for 3.0 Windows Beta, and very quietly, Skype 3.0 for Windows - Business Version. What gives? Why not announce it? Are they shy because they themselves said Skype's not meant for the enterprise? The download page does say that it's only for experienced users, because they're still working on it.

The so-called "business friendly features" include a Windows Installer (MSI), increased security, easy deployment, admin control, and multiple account management from the "Business Control Panel". And then there's the standard features. I'll have to look into these further at some point in the near future (probably after it's out of beta), but this version could go a long way towards assuaging the fears that several companies and a few universities have had about security and other issues. And since it's still free, the monetization will have to come from SkypeIn, SkypeOut, and Skype-certified Wi-Fi phones, I guess.

Now, marrying Skype with an IP PBX, such as Pika Technologies has done, makes sense.

Almost every guy that's ever gone nightclubbing probably has the same goal: meet someone. For whatever reasons. And no doubt some have scored a phone number. Out of those, there are the guys that got a real number and those that got a fake one. If you sit back and think about it, it's understandable. Some guys are relentless, and women generally aren't very confrontational; at least not in the past. So to defuse the situation, some of them hand out a fake number. Well online dating has changed the entire dating game, the environment, the rules, etc., but the objective is essentially the same: meet someone compatible. But for women especially, some semblance of anonymity is desirable. To that end, a new service, MatchTalk, from dating site Match.com, uses VoIP technology from Jangl to set up calls between two members without revealing phone numbers.

It's nothing new; Jangl offers their own semi-anonymous calling. Match.com has just integrated Jangl tech [Alec Saunders] into their offering. MatchTalk sets up a unique phone number between each two members that want to connect, so their own phone numbers don't have to be handed out until and if they are ready. This is a step up from Verbdate, which reveals your Skype username if you allow it to be public. Now if someone just added semi-anonymous video calling, touch, smell, etc., nightclubs might just go out of style. But seriously, long-distance relationships would be easier to maintain.

Skype Enterprise Features Coming?
Skype execs have hinted at upcoming enterprise and call center features. So maybe this will be how eBay finally monetizes Skype?

Speed Demons
The 100-Gigabit Ethernet (100-GbE) technology is here, being demonstrated by a number of companies and the University of California Santa Cruz. A test run sent a signal from Tampa, Florida to Houston, Texas, and back - a first for a live production network. If I understand this correctly, IP backbones will get this technology fairly soon. And as 100-GbE becomes commonplace, likely in several years time, it should mean some incredible real-time video conferencing ability, superfast downloads of movies, and live video broadcasts, to name just a few benefits.

Legal Issues Surrounding VoIP Enterprise Implementations
TechRepublic details legal issues to be aware of when planning a VoIP implementation. They have real alphabet soup of issues, some of which I've only peripherally aware of: SOX/ Sarbox (Sarbanes-Oxley Act), GLBA, HIPAA, E911.

One hot voice application space that will be useful in biometrics is voice recognition [Unified Communications]. It's likely less disconcerting to users than, say, fingerprinting, palm vein scans, or facial recognition. This type of app has been around for quite some years, but accurate voice recognition has been waiting expectantly, ready to be called upon - something that's only now happening due to more powerful computers. And there is the potential to use it in mobile phones in the future - at least in my estimation.

To my knowledge, voice biometrics is hypothesized as being accurate - i.e., that human voices are unique enough that they can be used for user authentication purposes in mobile payment, secure access, or other applications. If this is indeed true, or at least sufficient for most authentication purposes, say coupled with a verbally-administered PIN code or password, then all that remains is the horsepower needed for mobile handsets. We live in interesting times.

If what Ken Camp is saying in Advances in 3G mobile solutions include facial recognition in video, you might want to make sure that you wake up on the right side of the bed. Imagine: your hair is mess, you're bleary-eyed, and depending on your inclination, your face is either unshaven or unmade. And guess what? Your mobile phone doesn't recognize you and won't let you place a call. Damn biometric machines. Always thinking for themselves and getting it wrong.

Of course, I'm exaggerating. You don't have to worry about video calling etiquette for video-based facial authentication. But there are experiments going on that use facial biometrics to control functions on a mobile phone. This includes more important functionality such as contactless payment, access control, and identification. The biggest problem I see with this, which Ken also points out, is environmental conditions (such as darkness) that might give an inaccurate biometric and thus lock you out. It'll probably take a few years for DoCoMo and others to work these issues out. But if they succeed, we'll certainly live in interesting mobile times.

VoIP Telephony Service blog has a list of six ways to block Skype using a variety of products and methods, plus a reference from another blog about a seventh. Most of the methods detect and block P2P (Peer-to-Peer) traffic, so it wouldn't be just Skype that's being blocked, but also torrents and other related applications. It appears that part of the fear regarding Skype is that customers are not sure what Skype is doing because its streams are encrypted. (At least, that's what the VoIP Planet article that is quoted is saying. Tom Keating also has an article from last year with some more indepth info about blocking Skype.

This is sort of what I was trying to get at when when I said that Skype was ruffling feathers. I love Skype just as much as the next Skype lover (and SightSpeed and a few other apps as well). But their lack of an open standard, as well as their relative popularity, is going to ruffle feathers. Phil Wolff gave a good explanation of why there are feathers being ruffled.

There has been some confusion lately about Skype's use in Jordan. First it was blocked for security reasons.  Then the decision was reversed. Then some blogs reported that it had been blocked again, due to an intent to protect the local economy. Apparently there's some confusion. David M. DeBartolo, a Fulbright Researcher in Jordan, interviewed the Jordanian telecom minister on Oct 17th and reported his findings in Skype Journal.

The minister, Eng. Omar A. Alkurdi, gave a response that sounds like something a typical politician would give. However, given that SJSU (San Jose State University) in California had planned to block Skype for security reasons (but backed down), it's possible. Apparently the minister is himself a Skype user. While Jordan may now have Skype again, a number of Emirates in the UAE (United Arab Emirates) is still blocking Skype, as is China, and with plans to do so in South Korea.

There seems to be a common refrain here, though. Skype's closed protocol seems to be ruffling feathers everywhere. Here's a prediction. Given a couple of years, Skype will either open up their protocol, or offer some way to make other VoIP services Skype-aware.

New Bloggers: Sightspeed CEO
Peter Csathy, the CEO of Sightspeed - the video and voice calling software - has joined the ranks of bloggers with his DigtalMediaUpdate weblog. [via VoIP Watch]

AllWorx Wins Telephony Award
The 2006 Internet Telephony Excellence Award, issued by TMC (Technology Marketing Corporation). has been given to Allworx for their 24x VoIP system. Allworx is a division of inSciTek, who earlier this year received US$2M in VC funding to expand their Allworx line of VoIP products.

Intrusion Prevention For VoIP
Industry Canada, an agency of the Canadian government that promotes the "knowledge-based" economy and business innovation, including telecommunications policy, etc., is working with Third Brigade to test "intrustion prevention" technology that safeguards converged networks (data, voice, video). [via InterGovWorld] Brian O'Higgins, co-founder and CTO of Third Brigade will be giving a talk in Ottawa, Canada, on Thurs Oct 19, 2006, about the state of the art of intrusion prevention in computer and network security.

The Swiss government is considering a piece of spyware-like software that would be used for wiretapping VoIP calls. The software would not be available to anyone except agencies, but one question is how it would be installed. Both The Register and TechWorld have written about it. If the Swiss government does this, it begs the question of whether any VoIP recording should ever be admissable in court.

If you've spent anytime on YouTube, you might have seen one of the probably many video mashups of some famous person reciting something, maybe a song. For example, this one of President Bush "singing" the lyrics from the U2 song Sunday, Bloody Sunday, which is about an awful event in Northern Ireland three decades ago. Watching the video, it's obvious that it's been mashed up, doctored, or whatever you want to call it. But had the video portion been removed and the intentional audio hiccups been cleared up, it might have been harder to tell that the audio was not authentic in that form.

Take things a step further, and you can see that with the right equipment, audio "proof" of VoIP phone calls could be concocted to make someone appear guilty of something. A frightening thought. In the wrong hands, people could be convicted something they didn't do. History has show this to have happened to dissidents, and not just in countries outside the USA.

The movie Minority Report, based on a Philip K Dick short story, comes to mind. Falsified VoIP recordings could be used to pre-convict someone. I know I'm simplifying, and I'm fully aware of a wide range of mathematical algorithms for analyzing sound. (I've written my own FFT (Fast Fourier Transform) software to analyze audio and visual signals.) I also don't want to delve too deeply into politics, but I'm concerned about acts like CALEA, and regulations on VoIP.

One of the great benefits about VoIP and IP telephony in terms of business use is that a voice call now becomes data. What that means, amongst other things, is that a VoIP system adminitrator can manage user accounts invidually or in groups. Access can be given to voice-related data - such as call recordings - in the same manner that computer file access can be given. It also means that a group of people can be given access to long-distance calling, file transfer, application sharing, or what have you, with relative ease. While traditional telephony offers some of these group-access features, VoIP telephony makes it fairly easy to implement advanced features without special phone lines or equipment. As well, VoIP calls are treated as a computer resource, so security is easier to implement.

VoIP Hacks
Congrats to Ted Wallingford on the publication of his book VoIP Hacks, which is out now. It has all kinds of tips to improve call quality, record calls, create special effects, and more. For example, a trick to sounding like Darth Vader. Might be great if a visher calls you. Silence!!! You begin to annoy me!!! I gotta get me to a book store. (Sorry, don't like buying books online, as I like tactile browsing.)

Virtual e911?
Tom Keating has a snortingly funny silly scenario about potential e911 confusion due to the Second Life online RPG (role playing game) having VoIP ability via Vivox and others.

Making Municipal Wi-Fi Work: Thoughts
The Pulvermedia website has a podcast of an interview with Don Fitzgerald, who is in charge of the municipal Wi-Fi project in Frederiction, New Brunswick, Canada. It's apparently the first city in Canada to offer free Muni Wi-Fi, although Toronto will probably be a close second. The interview is part of the series Canadian IP Thought Leaders.

Believe it or not, Google's official Blogspot blog was hacked over the weekend. Some wag posted, in bad grammar and spelling, that Google's click-to-call project was being cancelled. This of course would be odd considering this project is partly in collaboration with eBay. Click-to-call and VoIP SOA in general are too important a new niche of VoIP for a company as large as Google to suddenly change their minds after signing a big deal. It's not necessarily about immediate costs but more market share.

The Google blog has been hacked before. However,  no one is saying it, but it's probably some disgruntled outgoing employee whose access hadn't been terminated. That makes more sense and is less worrisome than if it was some random hacker outside the company. Om Malik wrote about the official stance from Google.

VoIP blogger Alec Saunders talks about a new Instant Messaging monitoring tool for parents that has been created by his friend Brandon Watson. Called IMSafer, it would run in the background on a computer, discreetly monitoring IM text conversations and using lexical analysis to determine if the person talking to your child might be a sexual predator. The analysis techniques used are the same used by law enforcement.

I have no children myself, but this is a wonderful idea. It's unfortunate that we need these things, but we do. And with VoIP use becoming more widespread, maybe someone can marry voice-to-text translation with something like KishKish lie detector for Skype and come up with something that can protect people from vishers.

In spillover activity spurred on by the recent Hewlett-Packard "phonegate" scandal, Verizon is suing 20 data brokers for fraudulent activity re pretexting. Pretexting is where someone pretends to be someone else so that they can access their phone records. Interestingly, the president and vice chair of Verizon is on the HP board of directors. Verizon says it has spent $100,000 investigate the pretexting fraud.

In related news, Democrats in the US House of Representatives, controlled by the Republicans, stalled a bill to make pretexting illegal. The activity is illegal in some states, including California, where the alleged activities took place. As part of an US House of Representatives probe into the pretexting scandal, five private investigators and at least two HP executives have been subpoenaed. HP is also under investigation in California.

The US House of Representatives has been busy subpoenaing people, including five private investigators and at least two HP executives, for the House probe into the Hewlett-Packard scandal. The whole mess was precipitated by now-former Chair Patricia Dunn when she had PIs access the private phone records of some board members.

Her actions were outside of any legal action such as CALEA. In fact, records were obtained by pretexting, an illegal method that involves having people impersonate someone else to access records. (I've had something similar happen to me. A now ex-friend impersonated me just over ten years ago and convinced my phone company at the time to transfer yet another person's phone bill to my phone. After a shouting match with the company, who denied they'd ever do such a thing - despite my friend's confession - I switched to cell phones, and now VoIP, and have not owned a landline since.)

Here's a quick roundup of what other VoIP/ IP media bloggers are talking about for IP communications ....

Om Malik at GigaOm says that VoIP loves small business but that maybe too many new VoIP startups are focusing on SMBs as their customers.

Cameron Sturdevant and the gang at eWeek Labs have been able to prove that VoIP can coexist with server security such as SSL (Secure Sockets Layer). Which I think means that businesses (and universities) can implement soft VoIP without the same concern for security as they might have had. Andrew Garcia, also at eWeek, offers an option for IT managers at SMBs who want to use VoIP but don't want to replace hardware: virtual PBXes. When you finish that, look at Garcia's article about some new VoIP gear from D-Link, including routers aimed at the small business market.

I have no previous knowledge of QQ is, but Phil Wolff at Skype Journal is speculating on a merger between them and Skype (as well as something eBay China being purchased by Tom.com, a Skype partner). Wolff also wonders if Skype could be like Mercora's IMRadio service, allowing you to build and broadcast your own Internet radio station. The technology's in Skype already. Hey, I've already watched Japanese TV from Skype.

Speaking of Skype, The VoIP Girl gives the lowdown on the meaning of all those shiny little icons in the Skype interface. She also throws in a list of VoIP services for Canadians, to supplement the ones Canadian tech blogger Mark Evans listed.

After the arrest of five foreign nationals in Namibia providing VoIP service without a license, as well as goings on in various Asian and African countries in regards to VoIP, you might be wondering if VoIP is under attack there. Marcelo Rodriguez takes a crtical look [Voxilla] at what Russell Shaw [ZD Net] and Rich Tehrani [TMC Net] are saying.

Rodriguez points out that both Shaw and Tehrani mention "Third World" countries as locales where VoIP seems to be under attack, possibly due to affiliations between the government and the traditional telecoms, but that they leave out the US as being in a similar category. (Examples: Korea and the UAE blocking Skype.) He then goes on to reveal several examples of lobbying, campaign contributions, and all-expense golf vacations.

The Voxilla piece is very revealing and extremely politically charged. I'm going to take my cue to up the voltage. Let's take a few separate scenarios. First scenario, conspiracy: the entire telephony system in North America is fully wiretapped and all calls are monitored either by humans or machines, for whatever political purpose the real men with power wield. Second scenario: the first scenario is crock, but phone calls are a valuable commodity and thus extremely lucrative. Third scenario: a combination of both the first and second scenarios.

Choose your scenario. Either way, VoIP threatens the status quo, and hence spawns acts like CALEA, possibly attacks on Vonage's share price, and debates like neutrality vs tiered Internet service. Everything that is happening politically in telephony satisfies one of those three scenarios. Let's face it: VoiP is a threat no matter how you slice your political pie.

Not too long ago, 23 year old Edwin Pena and his accomplice Robert Moore were arrested for stealing and reselling 10M minutes of VoIP service. Pena recently went on the run and is being sought by authorities for skipping bail. Now five Asian men have been arrested in Namibia for selling VoIP without a license, based on the country's 1992 Postal and Telecommunication Act.

Bail was set at N$3,000 each and was paid. But the group will have to return to court at the end of October and may face jail time. This seems way out of whack. Wouldn't a fine be sufficient? Skype had been told by the Korean government recently that they did not have the appropriate license. No fine was levied, and Skype stopped taking new memberships from Korean citizens.

The primary difference in crime between Pena/ Moore and the five foreign nationals in Namibia is that the former group stole service from other VoIP providers. But they went to great technical lengths to do so, and got away with it for quite a while. The Nambian five were caught when they tried to sell VoIP service to a member of the public.

Additional sources: VoIP News Australia, All Africa, TMC Net.

Some experts are saying that VoIP in the enterprise represents serious security risks [CIO], making a company vulnerable to vishing (phishing via VoIP) attacks. One anonymous security researcher claims that bank networks will be subject to penetration and the phone lines to hijacking - thus leading to the theft of credit card numbers and bank account data.

Now I'm not a VoIP security expert, but I can make an educated guess, based on my many years of computer experience, that this guy, who goes by the pseudonym "The Grugg", is grossly exaggerating the security issues, potentially to gain some attention. It's absurd to think that banks, who have been dealing with electronic security issues for several decades now, would even think to put their data and VoIP networks on the same lines. Besides telecoms, I've worked at a big mutual fund company. Even they had backup and redundant networks, with firewalled access to account information.

While it's likely true that little technology exists at present to filter out vishing attacks, there's nothing that says a bank's data network has to run on a VoIP network. And just because a bank's telecom system is converted to IP telephony doesn't mean the data network is suddenly at risk. In fact, if someone wanted to mount a vishing attack on a bank, they could do so already using an existing VoIP system (sorry, not going to tell you how). And they wouldn't have any more or less success than if the bank had a VoIP network or not. (On the other hand, a VoIP phone system could potentially be taken offline by a DDoS (Distributed Denial of Service) attack if a load balancing system is not in place.)

Despite what The Grugg (give me a break) is saying, I'm not so sure that bank data networks are at risk. Of course, I could be proven wrong, but let's hope I'm not, as this expert is saying that vishing attacks on banks will probably start later this year. I wonder how he knows this.

Steal VoIP, go to jail. Or if you're Edwin Pena, barely out of his teens, you go on the lam, possibly using your 40-foot speed boat, which was paid for by resold stolen VoIP service. Pena was arrested by Miami police a few months back, along with his buddy hacker. They supposedly stole and resold around 10 M minutes of VoIP service and were facing up to 35 years on a couple of charges. Pena skipped bail and is suspected of heading somewhere from where he can't be extradited. Time to bring in the CSI: Miami crew, though I'm not sure they've covered any telecom crimes to date.

These two guys are obviously bright minds, given the way they engineered their whole set up. Had they thought just a bit further, they could have been doing VoIP security consulting and making good money, instead of doing time. Given the shortage of skilled workers in the IP telecom industry, it's a waste. A good mind is a terrible thing to waste; a good VoIP mind even more so.

President Asks For Warrantless Wiretaps
US president George Bush is asking for warrantless wiretaps, particularly in relation to prisoners held at Guantanamo Bay. [via CNBC TV] Recently, US District Court Judge Anna Diggs Taylor ordered a halt to the wiretapping program, concluding in her report that warrantless wiretapping is unconstitutional. CALEA allows a backdoor for law enforcement agencies to wiretap calls if public security is threaten. However, the wiretapping program in question was secretly signed by President Bush in 2001.

Telus Corp Wins 5-Yr Telecom Contract
The government of the Province of Ontario (Canada) awarded Telus Corp (second-largest Canadian phone company) a five-year, Cdn$140 M contract to manage and supply various network services, including IP communication. [via CNW] Telus recently announced that they were converting to an income trust.

Yahoo Messenger Plugins: Pandaf Sudoku Battle
Not sick of the immensely popular Sudoku number puzzles? The Pandaf Sudoku Battle plugin for Yahoo! Messenger 8 lets you battle against an opponent. I assume you race to finish first. This is of course quite the variation on the puzzle, as it's traditionally a one-player challenge.

Stratus Techologies Acquires Emergent
  Stratus Technologies announced the US$10 M buyout of Emergent Network Solutions [Extreme VoIP], a VoIP infrastructure company.

Jupiter Web is giving away free copies of the Avaya edition of VoIP Security for Dummies eBook (PDF, 68 pages) in consideration for people joining the Avaya developer community. The link was sent to me in a regular Jupiter Web email, so I cannot guarantee you'll be able to use it, but I don't see why not.

The ebook is pretty "dummy-ish", in the sense that they've simplied a wide range of IP telephony security issues and summed each of them up in a few short paragraphs. It even mentions privacy issues such as CALEA (Communications Assistance for Law Enforcement Agencies) and a number of US govt regulations that add up to considering why you should record VoIP calls in your company.

This is certainly not a book you would use to actually implement VoIP security measures, but it's not a bad place to start if you feel you don't know enough about the issues, or don't know where to start reading about them. (The book is of course geared towards discussing Avaya solutions, so it's not exactly vendor-neutral.) You can sign up free (just your name, email, and job function) at this Jupiter Web page and download your copy.

Your company has sensitive information and you think that one of your high-profile board members - not employees - is leaking details to the media. What do you do? If you're Hewlett-Packard's Chairwoman Patricia Dunn, you hire private investigators and obtain phone records [CRN] for the suspects. Problem is, those investigators used illegal means to acquire those phone records. Now, the California attorney general is investigating the whole mess.

Acts like Sarbanes-Oxley (aka Sarbox) were designed to protect investors by instituting a number of measures that would ensure transparency in accounting procedures of public companies. The act might even be interpreted in such a manner that a company would decide to record all employee conversations for Sarbox and even CALEA reasons. In this case, however, the records of home and cell phone calls of board member George A Keyworth were obtained, which I'm assuming is out of the scope of both Sarbox and CALEA.

In light of this, I'm wondering if soft VoIP calls stand a chance of not being put under the domain of CALEA. Soft VoIP does not yet have a backdoor (for law enforcement) for recording calls, but some politicians are pushing for it, for dubious reasons.

New software designed for laptops, intended for Army and medical personnel in Iraq, translates English-Arabic audio conversations in near real time. The software, called IraqComm, records spoken words, translates them, and plays the translations. The process takes a few seconds. The predecessor to IraqComm was a handheld device called Phraselator. [via Technology Review]

While IraqComm is currently for military evaluation only, it is also intended for a variety of other users. It shows the potential market for automated language translation tools. It certainly would be nice to have something like this for Skype which, to my knowledge, only has something like ULRTMT, that translates text nearly on the fly.

It's always nice to see VoIP being used in unique new ways, and that's exactly what InnovAlarm is doing. Imagine home and security alarm systems, but which use Skype or another soft client instead of regular phone lines. The service is in pre-beta. [via Read/Write Web]

The only drawback with this application is that your computer has to be turned on. I'm wondering if there's a market for a similar solution using phone2phone with a VoIP bridge, using hardware such as Digifone's plug'n'play adapter. Phone2phone VoIP calls generally seem to have better quality.

There's obviously a perception that there is a market for InnovAlarm's method. In fact, Read/Write Web reports that the company will be getting $10 M of venture cap in Q4 2006.

CALEA, or Communcations Assistance for Law Enforcement Act, has a lot of misconceptions surrounding it in terms of its applicability to VoIP, as well as security issues. The IT Association of America (ITAA) has isued a report (PDF, 21 pgs) to educate VoIP service providers.  [source: TMC Net]

The deadline for CALEA compliance for VoIP providers is May 14, 2007, and the ITAA questions the ability of smaller providers to comply in time, due to the expected financial cost. Amongst other things, they also question whether standards can be developed for CALEA for VoIP because of all the different VoIP types. The ITAA paper includes Vinton Cerf of Google as an author.

Another group, GLIIF (Global Lawful Interception Industry Forum) issued a rebuttal (PDF, 8 pages) with pretty much the exact same title as the ITAA document.

My pure gut instinct says that the GLIIF report sounds like a bunch of companies protecting their own investment in future CALEA solutions, because my educated guess indicates that their main rebuttal points are in turn refutable. In fact, from the glance I had at the GLIIF document, it contradicts the opinions and public statements about CALEA made by many well-known Internet experts earlier this year.

However, that's just my feeling, and without reading both documents thoroughly, I'm not make any definitive declarations. Ultimately, whether I support it or not, I think all types of VoIP calls will be wiretapped - maybe not immediately because of technical issues, but eventually. It's been that way for decades with PSTN lines, and governments are just not going to give up that kind of surveillance power. (Having worked for telcos, I've heard things that worry me, but things aren't going to change, especially in the current climate of fear.)

Hackers-cum-researchers performed an interesting security-testing experiment earlier this year using VoIP phone numbers and Internet social networks. They presented their findings recently at Defcon.

Their primary plan was to determine if secret signals could be passed right out in the open, from enemy agencies to their agents. They theorized that the use of social networks to transmit carrier messages might increase the noise ratio so that it would be harder for "unauthorized parties" to decode the secret but publicly-transmitted messages.

This is in fact a technique already used covertly by intelligence agencies. However, they use shortwave numbers stations, and all governments have denied such operations. The general technique is to broadcast streams of seemingly nonsensical numbers or words, often in a female or child's voice. Of course, the stream represents a code, and only a few parties have the cipher to decode it.

Strom Carlson, a security researcher, and the hackers collective Project Evil teamed up to see if someone could do the same thing using the Internet, particularly using any of the abundant social networks out there. What they did was set up their own numbers stations. But instead of using shortwave transmissions, they used VoIP phone numbers and recordings. If you called such a number, you would hear a stream of code words. They advertised the existence of the VoIP numbers stations using Craigslist pages, using fake messages, to see if anyone would participate.

In short, they were successful getting others with a cryptographic interest to participate and decode messages using a one-time key. They figure enemy forces could be too. This is something proponents of CALEA may want to take note of: if hostile parties want to use VoIP, they are not necessarily going to use unencoded messages. (On the other hand, this experiment by Carlson might just give CALEA proponents more fodder.)

CALEA stands for Communications Assistance for Law Enforcement Act, and, in short, gives any Law Enforcement agency the right to wiretap communications networks, including the Internet and VoIP, in special circumstances. Although to date, it's not on the agenda to tap soft VoIP calls using clients such as GoogleTalk and Skype.

Of course, there are those people that believe that email spam is being used as numbers stations for intelligence communications. Although who is behind it is hard to say. (I particularly notice some interesting word patterns in the spam in my university alumni email account.) Public key cryptography concepts date back centuries, and the Internet is a perfect distribution vehicle. Just never thought VoIP could be used as a supplementary broadcasting outlet.

Additional sources: Slashdot, Homeland Stupidity, Defcon.

By now you've likely heard that a clone of the ultra-popular Skype VoIP client was supposedly created by reverse engineering. Charlie Paglee, a blogger and head of VoIP provider Vozin Communications stirred up the Internet recently when he claimed a friend called him from China with the supposed clone, a screenshot of which is posted at his VoIPWikiBlog.

Skype has denied the claim. Because Skype's system is proprietary, there is nothing officially compatible with their soft client. Skype must have been sure that no one would crack their code, though, because apparently, they never patented their protocol.

Art Reisman thinks the Skype clone is unlikely and gives a great explanation of why (via a discussion of encryption), and why it doesn't matter. Even if a clone did exist, for Skype, a large-scale migration to clones would crash their network, but would not otherwise be a security risk.

Security issues are more likely to occur in other components of VoIP systems, such as the hardware or software switching mechanisms, particularly in PBXes (Private Branch eXchanges).

In fact, two flaws have just been patched in Asterisk, an open source VoIP PBX package. The flaws, were they not patched, could lead to DOS (denial-of-service) attacks, thus bringing down a business's VoIP phone system.

DOS attacks have been used in the recent past to bring down websites for a variety of reasons, including attempts to take the site over, or just have mischievous fun. In the case of enterprise VoIP phone systems, the purpose would be to inhibit a business' telephony functions. For some businesses, that obviously means a temporary shutdown of operations.

A DOS attack is usually accomplished by overloading a web server or, in this case, a VoIP PBX. Version 1.2.10 of Asterisk PBX has fixed the flaws in the IAX protocol that would have allowed DOS attacks.

Additional sources: [ZD Net UK, CIO Tech Informer]

If you're using VoIP and do not have a "real" phone number to go with it, it may affect your ability to conduct banking or carry on the way you would with a regular phone or cellphone. That's according to Nuno from 21 Talks, who is quoting Brian Youngblood.

Youngblood's experience was that he called customer support at his bank using SkypeOut, and because that person could not tell what number he was calling from, they flagged his account. Unwittingly, he tried unsuccessfuly to pay for lunch the next day with his ATM/ debit card. That's obviously a good thing in terms of banking security, but also an unexpected convenience. Not displaying a real phone number might become a problem for some VoIP services.

Interestingly, I used Skype last night to call my own cellphone and the display said the caller was "0123456". Then I used Skype to call a buddy (one who has no voice mail and no cell phone and never intends to get either) and his display said "long distance - unknown caller". He's probably an extreme case, but seeing "unknown caller", he would not have answered his phone. That's just the way he is. In fact, the only reason he did answer was because I'd called him from my cell a few minutes previous to let him know what I was trying.

I had another experience yesterday with Skype, that may or may not have been because of the "unknown caller" issue. I called one of my website hosting providers - a very large, very well-known hosting provider - to fix a tech issue in trying to sync an existing web domain of mine with a newly purchased hosting plan.

The guy who answered didn't say anything about the audio quality of the call, but he was unusually rude and short-tempered. I'm not big on their atrociously confusing website or their customer service in general, and I only called once before. That was from my cell phone, and it cost me big because they do not have a 1-800 number (they are a budget host after all).

The result was that I didn't get my issue resolved, and cannot do it via email. What could have been a good experience in customer support most definitely was not. (Although I suppose it didn't help that I didn't know the 4-digit pin on my account, which someone else normally manages.) For now, though, I'll stick to email support and filling out annoying, hard-to-find web forms with some companies, or use a regular phone in situations like these.

Phishing is defined as the act of sending targeted, unwanted emails to people in the hopes of tricking them into giving up their financial details, be it credit card numbers, banking codes, or even Paypal or eBay account information. This is usually accomplished by getting the victims to click on a fraudulent website link, using the graphics and text copied directly from a legitimate service-based website. Phishing is related to spam but is typically more targeted to small groups of people at a time. Unfortunately, people are falling prey to phishing, and because of past successes via email, it didn't phishers long to apply their wiles to VoIP.

Vishing, or VoIP-based phishing, is already becoming a problem, according to a couple of very recent reports. With the proliferation of free VoIP software and services such as Skype, Sightspeed and Gizmo Project, it's also easy when the software often has SDKs (Software Development Kits) that can be used to build vishing applications right into fraudulent websites.

PC World reports that such fraudulent websites sometimes appear to offer financial services. Such sites offer a "Skype me" type of button, which legitimate sites also offer. But when you call the fraudulent site's Skype phone number, they ask you via recorded message to leave credit card details. Another new scam is getting auto-dialed calls via VoIP telling you that there are problems with your credit card. An IT Observer article elaborates further.

It goes without saying that vishing is going to be a big problem if there isn't a concerted effort in the VoIP industry to come up with solutions now.

Additional sources: Business Week.

VoIP ubiquity in software and hardware [1, 2, 3] is just around the corner, and it's likely to come in (now) familiar packages. Some of these VoIP voice applications are already here, some just arrived, and countless others are on their way. Imagine being able to initiate a VoIP call via Microsoft Outlook, just by clicking on a contact's name in your address book. Your familiar email client becomes a VoIP client. Or maybe you want to send a Paypal payment via Skype, or track and buy something from an eBay auction via Skype.

Of course, you can already do all of those activities, and many people have. I don't have sales figures for Skype-based Paypal payments, but it's pretty obvious that electronic payments in general are increasing. That's true whether via the Internet, through RFID-enabled smartcards or smartphones, or with biometric devices that incorporate RFID. In fact, it's said that India will have the largest market for contactless electronic payments via cell phones, with possibly up to 100 million users.

While I have a bit more faith in the security of hybrid biometric-RFID contactless payment systems, I'm not so sure I'd want my cell phone, or Skype or Outlook software, to be able to make a payment without my explicit authorization. So it made me wonder if there could be some way to authorize e-payments via VoIP, in terms of a digital audio voice signature.

The theory's long been put forth that each human voice is unique (notwithstanding comedian and impersonator Rich Little). While that theory has had a bit of difficulty in courts of law in the past, newer research suggests that it's true. It wouldn't be all that difficult, then, to take a voice scan for authorizations as an alternative to fingerprints.

It's my feeling that such an alternate will be more welcome than biometric scans. The reason for this may be purely psychological. Human beings have been familiar with voice recordings for decades. So recording their own voice does not make them uncomfortable. Biometrics, on the other hand, is a new science and the general populace does not have first-hand familiarity with it, unless they work in secure-access offices, military bases, or laboratories.

Of course, biometrics could be combined with VoIP technology for secure authorizations. However, my feeling is that such a combination would be unnecessary and more costly when digital audio voice signatures could be used reliably instead, and would probably have wider acceptance.

Sources: Owl Investigations - Aural Spectrographic, TC-Helicon - Voice Modelling Parameters.

Unless you've been sleeping under a mushroom, you probably know that North Korea's leader, Kim Jong-il, stirred from his dormancy and fired off not one but seven missiles, even after several countries cautioned strongly against it. Warnings of this may or may not have been this reason why South Korea suddenly backed off, a few days previous, against blocking VoIP calls by U.S. Forces Korea members.

South Korea had originally planned to block out U.S. calls due to non-compliance to their Telecommunications Business Act. However, at the request of US Forces Korea, they agreed to suspend the deadline.

It all begs the question, however, of how secure VoIP really is that the US Military would allow its individual members to use it. Or why they wouldn't set up Internet access, say, via satellite.

VoIP may generally be considered insecure, but it doesn't have to be. Calls could be encrypted and decrypted on the fly, by caller and receiver, respectively. However, to reduce the lag time on such encryption, the process would have to be done on small packets of sound, possible a few seconds at a time, else non-computer VoIP phones would have an extra processing burden.

Now, without delving into the inner workings of existing VoIP services, I'll hazard a guess that there already is some level of encryption conducted on VoIP calls. However, with encryption laws in the US and Canada being fairly strict (against exportation of algorithms), the level of encryption might actually be quite low.

Of course, the real issue in South Korea is over the ISPs that regular officers use to access the Internet and make VoIP calls. The service provider(s) they use allow unlimited VoIP calling, which the three South Korean ISPs who requested the US military block are upset about.

I seriously doubt, however, that the US Military's necessarily secure communications are being conducted via the same ISPs that individual members of the military are using.

On a related issue, Skype was recently told by South Korea to stop signing up new SkypeOut customers, until Skype adheres to telecom laws - in particular, two e-business codes. In fact, Skype's Korean Market Manager recently issued a statement that Skype was not currently doing business in South Korea.

It's interesting to note that South Korea has been a center of a considerably number of technology trials in both VoIP and RFID technology. Part of the aforementioned restrictions have to do with protecting the interests of South Korean companies.

Sources: Stars & Stripes, ZD Net Korea [via Skype Journal].

New technologies have always had their naysayers and VoIP is no exception. It's the target of a lot of misconceptions, and it'll take some time before consumers understand as well as they do regular phone systems.

Some people have actually openly stated, in comments on websites, that VoIP is a passing fad and that it'll go away. There is also a perceived jealousy towards VoIP from the perspective of old school telecom, which might be a motive for bringing down recently-IPO'd Vonage (NYSE: VG). Bring down the stock price, then either buy them out or bury them. However, there is no way VoIP is going away. Vonage was just unfortunate to be the first VoIP provider to become a publicly traded company.

Unfortunately, the criminal element will always find a way to abuse technology. But this pair strikes me as very odd. Two American men were recently charged with telecom fraud after they re-routed about a half-million VoIP calls through at least 15 VoIP providers' routers, around the world. The descriptions I've read about how these guys did it made me wonder just one thing: what were they thinking?

It appears that these guys had to have the brains to pull off what they did. It took a fair bit of technical skill and networking knowledge to reroute their customers' calls through other providers services. The technical description of their activity proves that.

But it's such a shame that they employed their obvious skills in such a manner. Instead, had they just thought a little bit more about the situation, instead of committing fraud, they could very likely have turned their knowledge into VoIP security consulting and made a nice living. And they would have stayed out of jail and not given VoIP publicity a black eye. A missed opportunity for sure.

The researchers at Cambridge University and the Massachusetts Institute of Technology (MIT) suspect that the VoIP software like Skype can be another tool for hackers to gain access to user's computers. While the Communications Research Network claims that it is only a matter of time before the technique becomes   mainstream and turn out to be the same problem that instant messaging has where hackers cause DoS attacks using the IP protocol. The communications experts believe that the hacking problem could be removed only when the VoIP publishers were to make known their routing specifications or switch over to open standards.

Via: [Breaking News Blog]

US courts have said that authorities can continue tapping of VoIP calls and VoIP providers must provide access to their networks.

According to Kevin Martin, court chairman:

Enabling law enforcement to ensure our safety and security is of paramount importance. Today, the United States Court of Appeals for the District of Columbia Circuit affirmed the Commission's decision concluding that VoIP and facilities-based broadband internet access providers have CALEA obligations similar to those of telephone companies. I am pleased that the Court agreed with the Commission's finding, which will ensure that law enforcement agencies' ability to conduct lawful court-ordered electronic surveillance will keep pace with new communication technologies.

A deadline of 14 May 2007 has been set for VoIP companies in order to comply with the decision.

Via theregister

CounterPath Solutions and Convergence have entered into a partnership for offering bullet proof VoIP security. CounterPath’s eyebeam 1.5 Video SIP softphone has been certified by Convergence for use with its Eclipse SIP security and management offering.

The companies are offering customers VoIP security which prevents any unauthorized access to user’s call and protects the service providers from attacks meant to disrupt or disable their service. The companies are trying to lessen concerns regarding VoIP security that continue to present a major obstacle for organizations seeking advantage of the benefits of VoIP.

Via vnunet

SIP has become the call control protocol of choice for VoIP networks because of its open and extensible nature but the integrity of call signaling between sites is of utmost importance and SIP is susceptible to attackers if not protected.

It is a security mechanism which has been defined by SIP RFC 3261 for sending SIP messages over a Transport Layer Security encrypted channel. Transport Layer Security can be repurposed for protecting SIP session communications from eavesdropping or tampering. Deployment of SIP based devices benefits network administrators from increased levels of security for their VoIP networks.

via techworld

VOIP security is one the main, if not the main topics at the ongoing Interop in Las Vegas. Since it is already clear that VoIP over WiFi will be big thing, many vendors are promoting their software solutions for a secure VoIP over WiFi.

This time around, the fear indeed is real and not a mere marketer's gimmick. For example, Trapeze is going to introduce two new security features that come with the upgraded version of its Mobility System Software.

Expect more vendors to address VoIP security in the days to come.

Via CRN

Cloudmark, Inc., which develops messaging security solutions for VoIP service providers, business users and consumers, claims that it can identify and block phishing attacks carried out over voice over IP (VoIP) systems. Most of these spoofs are aimed at users of any online financial service.

In such cases, users receive emails form scammers posing as bank or financial institution of any kind to spoof an unwitting target's financial institution. These emails tell you to dial a number and enter your personal information if you want to access your account.  Of course, the first thing to do when users receive such emails is to notify their service providers immediately.

Cloudmark combines a global threat detection network that uses real-time reporting by trust-rated users, with a unique fingerprinting technology. Thus, Cloudmark can easily identify and begin blocking new spam, phishing and virus attacks immediately.

Via MarketWire

Organizations around the world, including businesses are investing millions in VoIP-ready systems. However, they are still to fully grasp the security implications related with VoIP.

Data Network security must address a range of threats ranging from network-clogging unsolicited 'special offers', to unauthorized eavesdropping. Customers can easily lose voice communications if their network runs out of bandwidth.

Organizations engaged in data-sensitive businesses such as finance and government & defense need to be more aware of the security problems.

Starts with a VoIP-enabled firewall, an area a number of VoIP vendors are paying increasing attention to these days.

Via IT Wales

Take for example, Security software vendor Certicom. The company will ship a security software suite later this year specially targeted at desktop and mobile VoIP (voice-over-IP) handsets. The suite, called "Certicom Security for VoIP", will support Windows XP Embedded, Windows CE 5.0, and Windows Mobile 5.0, among other OSes. The software will protect signaling and media channels, plus including mobile phones with FMC (fixed-mobile convergence) capabilities.

Read More

Certicom has launched Certicom Security for VoIP in order to provide developers with means of easily and cost effectively secure devices as well as protect the signaling and media channels. It is a flexible, standard based solution for desktop VoIP handsets and mobile VoIP devices.

It consists of multiple, integrated modules that implement key security protocols such as SSL/TLS, DTLS and IPSec. It also offers trusted boot, cryptographic algorithms, secure provisioning and code signaling technology which is key to securing advanced applications such as IMS and UMA.

via [NewsWire]

Australians may have wholeheartedly embraced VoIP over the last twelve months but the internet protocol telephony also becomes a favorite target of malicious activities. James Scollay, Messaging security company MessageLabs's Asia-Pacific vice-president while detailing his next year plans on net phone security management says, "VoIP is very clearly a likely next target in information security, because it is close to the critical mass needed to make it worth a criminal's time to target it.” He further says that ever increasing use of VoIP will only lead to a flood of spit that is spam over IP telephony. Theft of VoIP services will no more be uncommon and by illegally entering into a VoIP network people will make outbound calls.

Via [TheAustralian]
 

An emergency VoIP communication system will make emergency personnel’s communication possible even if they are on opposite sides a mountain range.

Washington State's Emergency Management Division has deployed this emergency communication system (provided by Last Mile Networks) using VoIP connections over satellites which provides eight simultaneous IP voice channels. What’s more, it will also provide video links, by using non-blocking architecture so that video streams do not perturb the voice links off the air. 

Via [Voip-Magazine]

Telestra is implementing a three digit number for VoIP calls to emergency service operators in order to ensure critical information such as exact location and address can be recorded. VoIP has been playing havoc with emergency services globally as after the call goes through the gateway, no hard location information is forwarded with the call. Hence emergency services personnel are unable to automatically track the caller to their destination. Currently emergency services dispatchers within Telstra can locate VoIP callers by asking their address but the new number system aims to reduce any further problems.

via  [ITNetCentral]

According to an expert, threat of an attacker or virus bringing down a businesses VoIP network or IP PBX is more phantom rather than a menace. A lot of hype has been created about IP telephony security threats and for companies devoid of a security team having knowledge about security issues it can be pretty scary. The best practices which can be used for securing VoIP networks are disabling unnecessary services on devices running call control software, updating security and software patches, running VoIP gear along with firewalls and intrusion prevention systems etc. Companies that make use of security best practices to protect their IP telephony servers would not be affected by these threats.

via [ComputerWorld]

The Communications Research Network has detected a security loophole in VoIP applications which could lend internet criminals a better way of covering their tracks. It has been discovered that VoIP applications provide cover traffic for DoS attacks as VoIP runs continuous media over IP packets which makes it difficult to track the source of an attack. Although there hasn’t been a recorded instance of a VoIP coordinated attack but experts believe that the day is not far away when such attacks would take place. If such attack takes place it would not only compromise network security but also dent consumer confidence in VoIP.

via [TMCnet]

Avaya and Juniper Networks have come together to provide security along with enterprise telephony. Avaya would be reselling Juniper security products along with its IP telephony gear and offer integration and support for both. This step has been taken to fight competition from Cisco Systems which provides integrated security and IP telephony capabilities. Making use of Juniper products, Avaya can provide for virtual private networks, firewalls and intrusion detection tools in order to secure the network while supporting IP calls. The joint offering would be available in North America in the month of February and later in Africa, Europe and Middle East.

via  [Computer World]

Internet phone service provider such as Vonage and Skype could provide a way for cyber criminals to send spam and launch attacks that could be used to affect websites. The attacker’s cannot be identified as VoIP applications use proprietary technology and encrypted data traffic which cannot be easily monitored. These applications could give cyber criminals a better opportunity to control their zombies and cover their tracks. It could provide cover for launching denial of service attacks. VoIP providers are being requested by Communications Research Network to publish their routing specifications or switch to open standards.

Via [Tech Spot]

According to Tom Ridge, the first Secretary of US Homeland Security VoIP must be adopted by all levels of the government in order to effectively respond to another natural disaster or terrorist attack. According to Ridge, a government VoIP network would assist in getting vital information about a disaster situation to emergency workers. A national VoIP system along with geo location devices can help emergency workers to trace people with the assistance of data, video and photographs. VoIP can also be used to alert and warn the public of imminent disaster.

via [Comment Wire]

Cisco Systems’ disclosure regarding security alerts and patches for CallManager has exposed VoIP vulnerability as a software application. Although the threats posed are miniscule as compared to blocking of websites and stealing customer data still it cannot be ignored. Since Cisco is the market leader it is likely going to be the prime target of VoIP hackers. Another threat lies in the inexperience of IT staff which might not be having much knowledge about security aspects of the network. With the use of VoIP expected to increase over the years the need to reduce the threats posed to it is very important.

via  [InformationWeek]

A free paper on VoIP security titled ‘Sound Choices for VoIP Security’ written by Jonathan Casteel is available from the Rowan county Public Library in Salisbury, N.C.  It is a ten page PDF tome which contains authoritative and plainly written info on subjects such as implementation flaws like malformed request DoS, remote access etc. and IP PBX vulnerabilities such as support software attack, application manipulation etc. This report offers informative explanations and is much better as compared to expensive consultant reports which can be priced up to $2,995.

via [ZDNet]

Ipoque has launched a new add on filter for its PRX Traffic Manager which would enable to block communication from Skype program. This step was taken as Skype was posing a number of security problems for networks which ranged from published vulnerabilities to consumption of bandwidth and the current client using strong encryption which posed regulatory and information risk in certain environments. The company is confident about its module in blocking Skype traffic. According to unconfirmed sources even the U.S. government is trying to find out ways to block Skype traffic in times of national security.

via [ techworld ]

Whenever a technology is implemented with data or any kind of voice or banking information questions are raised about how secure it is. VoIP is one such technology regarding which security issues are being put up. Since VoIP uses IP addresses for locating other entities in the voice communication network therefore IP security becomes a major issue which needs to be addressed in order to secure the VoIP network. A number of VoIP security issues can be catered to by implementing general IP security. Threats to VoIP security must be studied so that a system can be put in place that will follow the basic security recommendations

via [IT Observer]

Bitek, the British firm that has developed VoIP blocking systems, is receiving communications from several telecom providers and regulators that are showing an interest in the company’s product, “Guardian”. The Guardian system monitors the activity of an IP network and blocks an activity declared illegal by the system owner. itp.net reports:

“Guardian has 20 or 30 separate signatures or settings, which gives a telco for instance the flexibility to determine exactly what type of usage is allowed,” Butler explained.

Read More: Regional authorities weigh up anti-VoIP solution

The Itheon Network Emulator (INE) from Itheon, which offers support for multi-site networks, VLANs, and MPLS, has had new features added to it. Apart from emulating point-to-point traffic, INE version 4 enables traffic classification, prioritization, and selective routing. The latest VPNremote software from Avaya offers secure extension of HQ-quality telephony.

The 4600-series IP telephones can have VPN capabilities embedded in them by means of this software, which will enable telecommuters to be in touch with the head office at all times. The software also offers a built-in screen that enables web access. techworld.com reports:

Avaya claimed that the new software makes IP phones as simple to connect as a laptop, requiring merely power and a link to a broadband router.

Read More: Virtual interfaces, secure IP voice and remote controls

Carriers and cable companies that are involved in large-scale VoIP deployments need to consider the fact the quality of voice service can impact their revenues and failure to deliver mission critical services on time can incur legal repercussions. VoIP services are highly sensitive to QoS fluctuations; they utilize a number of different protocols, and support a wide range of infrastructure devices.

These attributes have led to a direct relationship between VoIP security and the performance of the VoIP service. VoIP security is affected by the number of features offered and the fact that in the near future VoIP services will have to coexist with PSTN, which necessitates media gateways. Carrier class service providers need to implement VoIP security in a step-wise manner.

The first step is prevention in which the already present VoIP-related security issues need to be tackled in a proactive manner. This involves assessing vulnerabilities, initiating remedial actions, and monitoring compliance. The second step is to deploy devices such as IDS, IPS, VPN, firewalls, and anti-viruses such that the VoIP service is adequately protected. The third step is to be in a state of readiness for an eventuality that may occur inspite of prevention and protection. This will help to mitigate the severity of the breach in security by offering a real-time automated response. voip-magazine.com reports:

While all these processes are critical to implementation of a comprehensive carrier-class security framework, in this article we will focus on the prevention as the simplest and most economical way of improving VoIP security.

Read More: Developing Carrier-Grade Security for Service Providers

The rapid convergence of voice and data networks has mean that network security too has had to evolve accordingly. Till recently, most security concerns were regarding data networks; however, the development of IP telephony as a strategic tool has exposed it to application layer attacks, DoS, spoofing, etc. Since there is no uniformity in architecture of telephony platforms, vulnerabilities present in one platform may not necessarily be present in another.

It is important for businesses to realize that securing a converged network requires more than a one-step, one-layer, one-vendor solution. tmcnet.com reports:

With cyber attacks becoming more sophisticated, organizations that rely on securing the network infrastructure alone will find themselves defenseless if an intruder penetrates that first level.

Read More: Securing Voice In An IP World

Webtorials is a community of next-generation-network designers. It will soon be releasing the 2005-2006 Webtorials "VoIP State-of-the-Market Report.” The report presents experiences of users regarding Spam over Internet Telephony (SPIT). Around 375 respondents cover the entire range of network planners and implementers for companies of all sizes spread over the globe. The Webtorials community feels that networking-related security issues pose the biggest threat to secure VoIP implementation. DoS attacks and viruses too figure high on the list of security concerns. Apart from these traditional security threats, SPIT is fast becoming a cause of concern.

CloudShield is offering its CloudSentry VoIP Services Assessment (VSA) to network operators. VSA is a VoIP traffic analyzer that offers lawful intercept capabilities, analysis of infrastructural shortcomings, intrusion detection, etc. Service providers can use the information provided by VSA to better understand the traffic trends and offer their subscribers a better experience. They can control their offering in a better manner by understanding their main subscribers, call volumes, QoS levels, etc.

An enterprise migrating to IP telephony has the option of deploying IP PBXs or going for IP Centrex, also referred to as hosted IP. A hosted IP has the IP PBX, application servers, and the media gateways situated at the service provider’s premises. The IP phones and the failover media are deployed at the user’s premises. The security of a hosted network is managed by the third party. The end-user can boost security by installing security components like network switches, SIP-aware firewalls, SEPs, etc.

Hosted IP with access over the Internet does not provide the same level of security as hosted solutions for enterprises that offer failover to the PSTN. In a hosted environment, the devices installed at the end-user’s premises include softphones that are by and large SIP-enabled; low-density media gateways that facilitate IP communication for circuit-switched devices; survivable Proxy for communicating with PSTN as a cover if connectivity to the service provider is not available; an edge device for NAT functions. An enterprise needs to have information on the manner in which the service providers provide security to their IP PBX and media gateways, and if they have an action plan in the case of an attack on their servers.

IP phones are the visible components of the network and hence more vulnerable, enterprises need to be aware of the security measures promised in the SLAs; the mode of executing NAT needs to be understood; preventive measures against attacks that are SIP-specific such as registration hijacking, DoS, etc; enterprises should check for the availability of TLS and SRTP and the preparedness for handling attacks that are initiated from within the network. voip-magazine.com reports:

One requirement of a hosted IP deployment is that the IP phones must be externally addressable in order to accept inbound calls. This means that these devices are "public" to some degree on the service provider’s voice network.

Read More: IP Security in a Hosted Environment

NimSoft will soon introduce a tool, NimBUS, which will help to monitor Cisco-based IP telephony networks. It will be able to scrutinize protocols and IP PBX hardware. NimBUS is a VoIP monitoring tool for the Cisco CallManager. It keeps track of the activities of the Cisco CallManager IP PBXs, IP phones, gateways and messaging servers, etc. NimBUS resides on a separate network server and reports on the quality of VoIP calls and also the robustness of the IP nodes. networkworld.com reports:

Users can get detailed statistics from CallManager servers, such as those relating to call setup and processing, as well as memory and CPU utilization for the Windows-based IP PBX server itself. Alerts can be sent to administrators as well if a CallManager’s hardware becomes overtaxed or is in danger of failing.

Read More: Software promises better monitoring of Cisco VoIP networks

Information Security Forum has released a report that highlights the security threats in IP networks. The report says that as VoIP grows, the threats will evolve to a greater degree of sophistication. The risks associated with VoIP will increase as it moves into the enterprise environment. Security threats such as caller-ID spoofing, voice modifiers, SPIT (voicemail spam), etc have the potential to seriously hamper voice communication and also lead to identity theft. Theft of VoIP bandwidth and packet injections are other security hazards mentioned in the book.

SS8 Networks will be providing emerging IP Multimedia Subsystem (IMS) based networks with the capability of Lawful Intercept. convergedigest.com reports:

Xcipio interprets the messages, correlates them with a specific warrant and sends the SIP signaling and RTP voice streams to the collection function nodes at law enforcement agencies (per ANSI T1.678 protocol).

Read More: SS8 Develops Lawful Intercept For IMS

According to telecom provider Thus, users who are a part of a P2P VoIP network end up losing bandwidth without realizing it. Their bandwidth gets used for carrying voice and data of other users. These applications that can find their way across firewalls are difficult to identify and control. In order to prevent productivity loss due to high bandwidth consumption and also to ensure network security, Thus recommends that the IT administration should educate users on the risks associated with VoIP, installation of applications from desktops should be disallowed, traffic flows should be monitored to check for unusual activity, if used, VoIP applications should be managed as supported business applications, and up-to-date antivirus should be in place.

LiteScape Technologies has launched a Secure Profile Management (SPM) service that allows users of IP phones to gain access to enterprise services. The product supports only the Cisco IP PBX as of now but will hopefully offer support to IP PBX solutions from other vendors. The LiteScape Multi-modal Application Platform (MAP) that is used for real-time data management in a converged network has the SPM application on top of it. SPM uses authentication measures such as policy, RFID, biometric readers, etc. voipplanet.com reports:

The authenticated user gets access to whatever services their policy level dictates, no matter where the physical IP device may happen to be. SPM also provides logging and auditing capabilities in order to meet potential regulatory compliance issues.

Read More: LiteScape Takes Aim at Improving Profile Management

Free VoIP services such as Skype are not a serious security threat according to an assessment by Networkworld. Most NAT-based firewalls are unable to stop Skype from entering the system. Given that there are more than four million users online at any given time, it is not improbable that Skype is already present in several organizations. networkworld.com reports:

We evaluated the security of Skype Instant Messaging and file transfer, along with the internetworking of Skype 1.4 and 2.0 beta. We also tracked the effect of Skype operations, in terms of CPU and memory use, on laptops.

Read More: Assessing Skype's network impact

The VoIP Security Threat Taxonomy has been released by the VoIP Security Alliance (VoIPSA). The taxonomy classifies and explains the various threats. The study comprises a path for integrating public policy and technology issues; understanding the human and technological inputs; the role of the law; and a study of the susceptibilities that exist throughout the value chain.

A network element forwards packets according to a network layer address for routers and a datalink layer address in the case of a LAN switch. The content of the packets is processed by the end systems. As a convention, the network elements have operated at Layer 3 and below. However, the network elements too can inspect content, which can even be dropped for reasons of security or traffic control. Content-based network security and monitoring carried out by the network elements is important as the security provided by firewalls using Access Control Lists is not sufficient against attacks that target vulnerabilities at the application layer.

Network elements allow IT administrators to quickly add a signature update if a new security threat occurs. The content processing abilities of the network elements provide the necessary time to update servers, mobile computing devices, etc against the threats. Content processing also facilitates traffic control as it enables the server load balancer to allocate a server for a request more effectively. XML routers and switches and P2P traffic managers manage traffic based on the content in the application layer headers and the payload. Content-based traffic control also helps to curtail costs by managing the bandwidth more efficiently.

Checking the content of the network traffic is also useful in IP service applications and billing. IP addresses are not a sufficient pointer for billing in the case of wireless networks. This is because several wireless boundaries are crossed while providing wireless services. The billing has to consider the bandwidth consumption and the applications used. securitypipeline.com reports:

The enterprise environment is not alone in its vulnerability to viruses and other attacks. User and network equipment in IP-based telecom networks, such as VoIP and wireless networks, face similar problems.

Read More: Maximize IP-based VoIP And Wireless Network Security

Verso Technologies, which is based in Atlanta, has announced that it will be demonstrating its products at the GSM Africa Conference in Cape Town, South Africa, to be held this week. The company is looking to market its NetSpective M-Class content management solution in the African telecom market. Verso will be partnering Taide Networks, which is a Norwegian company and has a presence in Africa. Interest in Verso’s products has grown ever since the company made an announcement regarding a trial of its Skype-blocking solution in China.

Verso is targeting enterprises and carriers for NetSpective, which blocks P2P traffic. There are approximately 150 enterprise customers for NetSpective in the US. The device assiduously filters network traffic and is compliant with the federal mandates regarding filtering. The phenomenal success of Skype has led several existing telecom carriers to take steps against it in order to protect their own business interests, particularly the revenue generated from long distance calls. Carriers in Oman and the UAE have banned Skype and other VoIP products and Costa Rica plans to do the same.

Dynamic Threat Mitigation is a VoIP security solution developed by Juniper Networks. It consists of routers, IDP systems, and SDX software. The solution offers security against SIP attacks, worms, and DoS attacks that can harm SIP-based voice services.

The solution will enable service providers to tackle attacks as they occur on an application. Attack prevention is achieved by enforcing policies and exercising dynamic policy control. The solution identifies the intrusive traffic and intimates the IDP Manager.

Upon being informed by the IDP manager the SDX system implements the policy defined by the service provider in order to control the flow of traffic. A VoIP subscriber infected with a worm can be quarantined to a captive Web-page and is provided with links that help in remedying the situation.

Experts feel that hackers or phreakers may succeed in making free calls by manipulating the data that is switched through hybrid TDM-VoIP networks. The hacking can be carried out by tricking the system into believing that the call is no longer connected whereas the call is still continuing in reality. The billing software logs the call as disconnected and does not charge the call. The incidents of VoIP hacking are on the rise due to increased usage and people getting familiar with the technology.

The term phreaking evolved with the advent of hackers who concentrated on telecom systems to make free calls and gather information on the telecom infrastructure in order to manipulate it. The Asterisk SIP server, which is downloaded close to 1,000 times every day, is not vulnerable to phreaking attacks when the default is implemented.

VoIP security threats can be categorized on the basis of their objectives. Attacks can either aim to compromise service availability, impact the integrity, and to eavesdrop on the conversation.

Service availability is critical for maintaining the QoS as VoIP conversations are carried out in real-time. Thus, a DoS attack will have serious repercussions on a voice network. Virus- and worm-based threats usually target applications like end-user phones, call managers, and billing applications. Buffer overflow attacks concentrate on SIP servers. Service availability can also be compromised by threats such as zero-day VoIP worms. If the service availability is compromised, it can disrupt vital services such as E911 and also result in production loss, system downtime, and increased maintenance costs.

Attacks that concentrate on undermining the integrity of the network usually occur in the form of toll fraud, identity theft, etc. Service providers need to be particularly wary of such threats as they can undermine the confidence of the user in the network and inaccurate billing can invite court cases. VoIP features such as caller ID, three-way calling, etc can be used for executing phishing and SPIT attacks. The increased mingling of the PSTN and VoIP networks may open up further avenues for attackers.

Eavesdropping is employed by attackers to alter information by engineering man-in-the-middle attacks. The signaling and media paths are eavesdropped upon and the attacker can gain access to sensitive information by using the SIP messages and RTP packets. Activities such as registration hijacking, impersonation, and replay are similar to eavesdropping and are a source of worry for banks and government organizations.

ServGate Technologies has released the EdgeForce M Series, its latest platform for network perimeter defense solutions. tmcnet.com reports:

The M Series comprises five new products in the UTM category that will set new levels of affordability and establish new standards in terms of best-of-breed third-party integration.

Read More: ServGate to Unveil VoIP-Friendly UTM Platform Line

VoIP users have not been exposed to the kind of security threats that IP networks have encountered and grown wary of over the years. The primary concerns of VoIP end-users are QoS and accuracy of billing. networkworld.com reports:

Historically the endpoints of communications have been dumb. One lesson the IP world has learned is that complexity breeds insecurity; dumber is securer.

Read More: With VoIP, it's déjà vu all over again

A Chinese telecom company has begun a paid trial of software, the NetSpective M-Class filter, developed by Verso Technologies, Georgia. The NetSpective M-Class filter will keep out VoIP calls made by using Skype and other such P2P networks.

In China, Skype is not allowed to be used and VoIP usage is strictly regulated. If the trial is successful, the Chinese telecom operator may buy the application before the end of 2005. China Telecom has been blocking Skype calls made by using Skypeout in the city of Shenzhen.

Verso has labeled its solution as “carrier grade Skype filtering technology” Skype has responded to the sensitive situation by making available a version of Skype in Chinese. This version has been made available in partnership with Tom Online and it does not support Skypeout.

Ingate Systems has developed the SIParator, which enables firewalls to recognize SIP and communicate with it. The SIP protocol is used for IM, video, VoIP, etc. The Firewall 1450/1450+ and SIParator 45/45+ provide a solution for the NAT issues that are present in SIP. The two offerings enable corporate networks to extend their SIP capabilities to remote employees. commweb.com reports:

The Ingate Firewall 1450 has four ports and offers a 180 Mbit/s throughput. For companies needing more capacity and higher throughput, Ingate offers the Firewall 1450+, which has a throughput of 285 Mbit/s and can, for example, handle more concurrent RTP sessions than the 1450.

Read More: New Firewall from Ingate

The “lockx.exe” rootkit file was found bundled with a variant of the W32/Sdbot Trojan in the most recent attack on the AIM network. This is the first time that SDBot has been found in an IM chat network. eweek.com reports:

"The situation is ripe for a fully automated worm to cause some serious damage," said Jose Nazario, senior software engineer at Arbor Networks Inc., a network security firm based in Lexington, Mass.

Read More: Researchers Say Automated IM Worm Is Inevitable

The draft version of the VoIP security framework by VOIPSA has been released and new security solutions for IP telephony are being released regularly by vendors. VOIPSA was formed in February 2005 and currently has more than a hundred member organizations. voipplanet.com reports:

The Taxonomy provides a detailed structure that discusses potential VoIP vulnerabilities including social attacks, eavesdropping attacks, interception and modification, service abuse, and intentional interruption of service attacks.

Read More: VoIP Security Framework Emerges amidst Vendor Releases

Since VoIP applications are exposed to the same threats as other IP services, they can also be protected using the same techniques that are used for the other services.

Hijacking of calls can be prevented by setting up sessions for SIP-supported VoIP. A firewall with a Simple Traversal of User Datagram Protocol and network address translators can be used to enable phones to route calls via an external server between the SIP end points. The external server, which can be a registration or a session server, is used for the authentication of the phones.

Along with data security, privacy features high on the list of concerns. This is because unlike PSTN phones, IP phone-tappers do not require a physical connection by means of a wire. Calls that traverse over the Internet can be captured and analyzed with the help of a protocol analyzer.

The Voice over IP Security Alliance (VoIPSA) has released a classification of the threats that IP telephony is vulnerable to. The VoIP Security Threat Taxonomy is intended to serve as a single reference point for looking up the type and description of threats; thereby facilitating a systematic approach to tackling these threats. The taxonomy has resulted in a clearer understanding of the gravity of the threats; voice spam was considered to be a major threat but according to the taxonomy deceptive practices pose a bigger challenge.

The threats have been classified into four categories that include DoS; unlawful signal or traffic modification; signal interception; and bypass of refused consent. The first two types of threat categories are concerned with the integrity of the network signal. The latter two types of threats are specific to VoIP and concerned particularly with maintaining privacy.

The rate at which VoIP is growing has given rise to network security concerns that need to be addressed as early as possible. Security risks include DoS and DDoS attacks. These are carried out by overloading a company’s system to cause a loss of service. Hackers flood the bandwidth available to the network with malicious traffic and starve the network.

A DoS attack that targets the central network can spread to branch networks as router performance gets affected. When a DoS attack is orchestrated by using a network of zombie PCs, it is referred to as a DDoS attack.

Networks are vulnerable to the threat of call interception that very often originates from within. SIP servers can be compromised by registration hijacking and impersonation. Voice packets can be monitored over real-time if two phones can be made to work as if each possesses a codec that the other one lacks.

Signal protocol tampering occurs when the data that initiates the call is captured by a malicious user. This enables a person to make VoIP calls without actually using a VoIP phone and run up huge bills in another person’s name. If a hacker succeeds in impersonating a sender or receiver of data, he can gain access to sensitive information such as medical and credit card details. A legitimate user unaware of the fact that the traffic is being redirected may continue to give the information.

If a hacker can commandeer an IP phone, he can execute online transactions by impersonating the legitimate user. The security of the call handling software of the IP-PBX systems is dependent on the security of the operating systems and their components such as the Microsoft IIS, which is used as a web-based configuration tool for IP-PBXs. SPIT or Spam over Internet Telephony has the potential to become a full-fledged security threat and a major drain on the productivity resources. Clearing unwanted messages may appear to be no more than a nuisance but having to do it everyday can affect the business practices of a company and divert energies from achieving the business objectives.

According to a report from Deloitte, worms and related malware are spreading to connected mobile devices leading to loss of data and increasing downtime. In order to ensure the security of VoIP networks, the following practices should be absorbed by companies.

• Voice and data should be segregated and kept on different VLANs with separate DHCP servers for each; this facilitates implementation of filtering devices and firewalls between the two VLANs. It also reduces the chances of malicious footprinting and prevents DoS and spoofing attacks. Voice and data networks should exist on logically different networks with different subnets and separate address books.

• VPNs should be used to implement encryption, preferably at a central point such as a router in order to facilitate IPsec tunneling. Encryption can lead to increased latency and affect performance but if the operating efficiency of a VoIP network is adequate, the overhead that results due to encryption should not affect VoIP performance.

• The firewall that monitors VoIP traffic should provide direct support for SIP and H.323 without having to open a new port.

• Commercial scanning tools should be used to monitor the call servers. The number of open ports should be kept to a minimum and only the mission-critical services should be run. Standard security practices such as password-protection, backups, etc should be followed.

According to security experts, it is important that VoIP vendors and customers factor in the security aspects along with cost and performance when considering a VoIP network. Chris Thatcher, national practice leader, Dimension Data Holdings is of the opinion that the design of VoIP systems has not covered the security aspects satisfactorily. VoIP networks are exposed to risks such as distributed denial-of-service attacks, spoofing, worms, viruses, Trojans, etc. Vbombing is a threat unique to VoIP networks in which a VoIP console is bombarded with voice mails and can crash.

Since the market is relatively new, awareness regarding the security threats to VoIP networks is not very high and on occasions even the vendors are not very keen to discuss the fallibility of their applications. Scripts for launching attacks on VoIP networks can be found on several hack sites. Transport-layer security can be handled by firewalls but many attacks target the application layer, which in case of several VoIP applications, is based on SIP. SIP is not unlike SMTP and HTTP and all the security issues that are present in emails are a threat to VoIP as well.

The use of PCs in conducting VoIP operations makes VoIP systems susceptible to a host of threats ranging from spam and spoofing to worms and Trojans. One way of reducing threats to VoIP is to run voice and data networks separately. eweek.com reports:

Dr. Shashi Phoha, director of the Information Technology Laboratory at the National Institute of Standards and Technology, said she thinks that the growth of VOIP technology brings with it some significant risks that users need to be prepared to address.

Read More: 'Severe' Vulnerabilities Are Possible in VOIP, Official Warns

According to the Yankee Group, VoIP has chalked up an impressive growth record till date. Results of a research by In-Stat show that more than 40% of the larger companies use VoIP. However, this growth is bound to attract the menace of Spam and other security issues. This could actually lead to loss in productivity and expenditure in security tools and their maintenance. Spam in a VoIP scenario is going to occur in the shape of voice messages that will have to be treated in real-time in order to prevent a company’s voice mail system from being flooded with spam messages.

Pierce Reid, V.P Marketing, Oovia, opines that it will take time for VoIP spam to really come to the public’s notice. A more serious threat for the more than 600,000 VoIP phone users is a DoS situation that could occur as a result of too much spam. One way of recognizing VoIP spam is that packets of machine generated messages do not exhibit the randomness associated with human VoIP messages.

Evil Twin is new threat to Wi-FI users. It refers to the use of malicious servers that pose as genuine ones and try to extract sensitive information such as credit card numbers and bank details. The attack can be carried out by a person close to a hot spot.

The malicious server interferes with the signals sent to the wireless users. The users are tricked into logging in to the fake server. Evil Twin has special significance for countries like the UK and US as they have a very high concentration of Wi-Fi hotspots. The UK has more than 9,000 hotspots whereas the US has more than 22,000.

The growth of Wi-Fi has been helped by the Centrino chip, which now comes with additional security features and a built-in support for Cisco-compatible extensions. T-Mobile has a network of more than 4,500 hotspots across the US and it is implementing authentication based on 802.1x in order to prevent security breaches.

The implementing of a strong security network assumes special significance because of the variety in which the breaches can occur. Attackers can launch man-in-the-middle attacks and can capture data without even requiring a cellular card. These attacks are more likely to occur at public hotspots as corporate VPNs are generally more secure; however, a company employee can expose himself to risk if he tries to access a corporate network via a public hotspot.

Corporates are faced with the problem of rogue access points that can spring up anywhere in the company premises. The problem lies in the fact that any network to which a Windows user has connected to in the past gets reconnected by default. A patient attacker has only to wait long enough for a user who has previously networked with him. As with any technology that gains currency, the first step in the defense process is to educate the user.

According to Varun Nagaraj, V.P, Product Development, Extreme Networks Inc., from a security point of view, it is a better idea to opt for a two-tier network than the current three-tiered networks. A two tier network architecture provides continuous uptime and more robust security. The two tiers consist of a core network and a unified access tier, which faces the user.

Extreme has launched the Aspen 8800 Series of enterprise LAN switches that enable a sturdy edge network that provides greater performance than the currently available edge switches. The switches also assure greater availability as they provide management modules with automatic failover and redundant controller boards. The Aspen 8800 Series comes with a ten slot and a six slot chassis. A module with 48 ports of 10/ 100/1,000BaseT, POE (power over Ethernet) is also provided in order to extend better support to the wireless access points. 

VoIP is gaining ground in the consumer market. More and more companies are implementing VoIP to provide a better technology to consumers at a cheaper rate. However, they are a little bit concerned over the security systems. This apprehension about the security system has forced them to tread cautiously.

But such fears are unfounded. Over the past few years, many business establishments have applied VoIP in their operations. Companies used VoIP for trunks, where security was easier. Network reliability and mobility are the biggest concern for the VoIP providers. computerworld.com reports:

Telecom service provider Primus Canada Inc. in Toronto, secures VoIP communications the same way it protects its Internet service. Primus offers VoIP services -- dubbed TalkBroadband -- to Canadian businesses and consumers.

Read More: Spam may be a future threat to VoIP

The next-generation technology, VoIP is growing stronger day by day. More and more companies are adopting VoIP to provide the customers a better infrastructure at a cheaper rate. VoIP can add a number of features to business telecom systems. However, vendors and customers face tough security challenges to take advantage of these benefits.

According to In-Stat, the market research firm, three-fourth of the companies have implemented VoIP plan to replace their existing security appliances by 2006. The security appliance market is expected to grow stronger over the next few years. Traditional firewall technologies can complicate several aspects of VoIP. Security vendors are adding functions that address voice applications in their products. digitimes.com reports:

A recent report by In-Stat found that large and middle-scale companies show a higher percentage of concerns about VoIP security than small-scale companies. The report also states that budgets allocated for new security appliances are significantly higher in companies that have already implemented VoIP. In addition, reliability is apparently the most important criteria for the purchase of new security appliance products.

Read More: In-Stat: VoIP driving security appliance market

The Federal Communications Commision (FCC) has set a deadline for providers of internet-based telephone calls to get confirmation from their VoIP customers that they understand the problems they may encounter while dialling 911 emergency service. The customers who do not give the comfirmation are likely to be disconnected. The service providers now urged the Commission to extend the deadline so that they can get response from all the customers. The deadline has been given for Monday, 29 August 2005.

the coalition of providers have requested the commission for an additional deadline of 90 days to get the confirmation from the customers. The decision of the FCC to give a deadline is based on the reports that VoIP users are having problems in connecting the 911 Emergency service. Vonage, the biggest VoIP carrier has informed that it has received response from 96% of its customers. Another carrier, AT&T Corp. said that it is receiving customer acknowledgments at a faster pace. technewsworld.com reports:

Unlike traditional telephones, where phone numbers are associated with a specific location, VoIP users can place a call from virtually anywhere they have access to a high-speed Internet connection. But that can make it difficult to connect VoIP accounts to the computer systems that automatically route 911 calls to the nearest emergency dispatcher and transmit the caller's location and phone number to the operator who answers the call.

Read More: VoIP Providers Again Ask FCC to Extend Deadline

Of all the security concerns that affect an enterprise, the most disturbing ones are the ones committed internally by its own employees. Unprotected VoIP networks can be a nightmare for those using it as new hacking techniques like VoIP eavesdropping make them vulnerable to various kinds of cyber crime.

Encryption of voice packets has been adopted by several companies in order to protect their VoIP networks, but such encryption needs to be centralized so as to prevent the violation of certain legal requirements and also to provide for an easy functioning of the network within the company. SIP firewalls are being developed to address the specific security requirements of VoIP and other SIP related communications.

BorderWare, an Internet security provider, has introduced a new SIP firewall that does deep packet inspections to prevent fraud and unauthorized access to VoIP networks. Though there are security products available to filter IM traffic and VoIP traffic, BorderWare's product is the only one providing filtering of SIP traffics at the application layer. BoderWare's appliances are included in the general purpose firewall, where at the time of its deployment certain ports are opened up enabling the VoIP firewall to handle the VoIP traffic.

As most companies are adopting the SIP protocol for all real-time communications, a SIP specific firewall will eventually come in demand.tmcnet.com reports:

Rich Mendoza the Managing Director of SIP Solutions at BorderWare tells me that the firewall, not encryption, is going to deal with VoIP security issues and you know what? He thinks we will need specific firewalls for various applications such as e-mail.

Read more:VoIP Security: Is a Firewall the Answer?

With new technology comes added risks, and many believe that more needs to be done to help VoIP become as secure as it can.  Some believe that without universal security measures emplaced by VoIP vendors; it will never truly be a secure technology.  Voice traffic on data networks puts many at risk of eavesdropping and fraud.  However, a group of 25,000 members of the VOIPSA, or VoIP Security Alliance are dedicated to make VoIP a more secure medium.  According to PRNewswire:

"VoIP handsets are simply Internet-capable computers disguised as telephones. They are subject to the same security threats as other web- connected devices. Until the VoIP world gets serious about security, industry growth risks being stunted," says Info-Tech Research Group Senior Research Analyst Carmi Levy.

Read more at: Analyst Firm Identifies Security Gaps in VoIP Networks

A DNS flaw in some VoIP enabled routers manufactured by Cisco Systems, allowed users to be subject to DoS attacks.  While no known attacks have been carried out, there is a push for those who own the affected products to download and install the updated patch.  The patch removes the risk that users face from using the router.  Have faith in the quality of Cisco products because the patch came out on Wednesday and the flaw was discovered yesterday.  How’s that for customer service.  According to InternetNews:

Cisco said products that could be affected by the flaw are DNS clients, including its 7902/7905/7912 series of IP Phones, its Unity Express and ACNS devices.

Read more: Cisco Patches DNS, VoIP Flaws

Security, security, security.  Those are three words that every VoIP user needs to understand and be aware of.  Unfortunately, many people and even service providers are unaware of the danger that they are putting themselves into when they use their VoIP connectivity.  These risks come in the form of Denial of Service attacks, hackers making free calls at your expense, and third party listeners on your conversations.  While I am not trying to scare people away from using VoIP, people have to understand that their connection is not an impenetrable wall.  According to IDM:

"Like any infrastructure which is accessible on a network, it can be attacked or used as a launching point for deeper, inter-network and inside the organisation attacks. VoIP opens voice communications to the same types of security threats that expose data communications to attacks."

Read more: Security Fears Raised Over VoIP

We live in the digital age and with every new technology comes another way for people to exploit it for their own benefit.  With networks being hacked and viruses being produced daily, VoIP is by no means resistant to such attacks.  While the average consumer may think that they are safe behind their firewall and router, it is by no means an impenetrable fortress.  The main security issue with VoIP is that it transcends the bridge between phone and Internet which leaves a large playing field for instabilities.  These instabilities are what hackers look for to break into networks or place free phone calls at your expense.  Since VoIP is in its most infant form, many companies are moving ahead without fully knowing how secure the technology is.  However, the people of BusinessEdge Solutions are teaming up with industry experts to discover the means to increase security.  While the problems regarding security with VoIP will not be solved overnight, there will definitely be improvements as the technology grows.  Always remember, where there is profit, there will be action and by all means there is profit in tightening the bolts with VoIP connectivity.  According to EMediaWire:

“There are hackers today focused on the PSTN and the Internet, but VoIP, which unites the worlds of voice and the Internet, exacerbates the existing security vulnerabilities inherent in both,” Mr. Raps says. “Further, VoIP introduces unique security and fraud threats that never existed before.”

Read more at: You Need Carrier-Grade Mousetraps in the World of VoIP

Insight Research estimates that the global market for voice over IP will reach $196.5 billion by 2007 and that much of this growth has been driven by business. For the trend to continue, however, great strides need to be made to make VoIP networks more secure against hackers. The VoIP Security Alliance, formed in February 2005, announced today that they will discuss what can be done to combat threats to the IP community. According to Red Herring:

Hackers have already developed ways to take advantage of this burgeoning communication system. Malicious researchers are working to make IP telephones do their bidding.

Such threats could include filling a phone’s voicemail with unsolicited advertisements, or programming all the telephones in an office to simultaneously call the same number, be it your boss’ home phone number or a 1-900 pay-by-the-minute scam in the Bahamas.

Read more: Securing VoIP

The VoIP Security Alliance has been formed by companies such as Alcatel, Avaya, Comcast, Qualsys, Symantec, and TippingPoint. With all of VoIP's security vulnerabilities, the group has been formed to research and distribute information on issues dealing with security as well as promote certain security tools. Many may not be fully aware of the fact that upgrading IP networks is integral to both the security and the usability of voice over IP technology. According to PCWorld.com:

One goal of the group is to clear up misconceptions about the technology, which allows voice conversations to be transmitted over the Internet. One misconception the group will try to dispel is that deploying VoIP is the same as deploying traditional data networks, Endler says.

"There's this idea that you don't need to do anything different after you install VoIP applications," he says.

Read more: VoIP Security Alliance Forms

The National Institute of Standards and Technology has released a 99-page report Security Considerations for Voice over IP Systems (PDF link) to help IT administrators deal with the many security issues of implementing VoIP. While the technology promises "lower costs and greater flexibility," according to the report, certainly there exist many security problems. For instance, while many may opt to converge voice and data onto one single network, the report suggests having separate networks and building a separate VoIP firewall. Additionally, there are some applications for national security as well, as ComputerWorld suggests:

Ray Bjorklund, an analyst at Federal Sources Inc. in McLean, Va., said the report might be especially valuable for federal agencies involved in war or national security efforts in which network security is paramount. “If an operation overseas were suddenly relying on IP to transmit voice through a satellite or through the Public Switched Telephone Network with many places for potential failure, that’s a particular problem for the national security community,” he said.

Read more: NIST report urges caution with VoIP security

Making VoIP secure is no easy task. The three main threats to VoIP security include authentication failures, integrity failures, and privacy failures. ComputerWorld offers its suggestions on how to tackle these challenges:

The VoIP servers all will run a general-purpose operating system, Windows or Unix. You'll forever have tension between the VoIP application vendor, which doesn't want you to touch its carefully tuned systems, and the operating system vendor, which will release periodic patches. If you have dreams of unprotected VoIP connections over the Internet, you'll not only open yourself to huge risks but also put yourself on an upgrade treadmill with your firewall vendor as it tries to get its VoIP code right.

Read more: A VoIP Security Plan of Attack

Voice over IP is heading for the big-time with most major telecommunications carriers currently readying VoIP services for mass deployment. But how secure is the fast-growing technology?

According to TMCnet.com:

Because most VoIP traffic over the Internet is unencrypted, anyone with network access can listen in on conversations. Eavesdropping is one of the most common threats in a VoIP environment. Unauthorized interception of audio streams and decoding of signaling messages can enable the eavesdropper to tap audio conversations in an unsecured VoIP environment.

Read more: How Secure Is VoIP?

KPMG's new white paper, "Voice over IP - decipher and decide," warns organizations that they should fully understand VoIP before implementing it; otherwise security breaches, including DoS attacks, may become an issue.

According to silicon.com:

Although there is extensive information available from numerous sources regarding the benefits of VoIP and IP Telephony, there is a "distinct absence of information detailing the risks and associated risk management practices", KPMG said.

KPMG said that the introduction of VoIP means that voice traffic needs to be treated in the same context as data for security purposes, since it will share a common medium.

"The increased technical complexity of integrating voice and data into one network further increases an organisation's dependence on network availability.

Read more: KPMG: Watch out for VoIP risks