Peer-to-Peer Blog: The Seven Deadliest UC Attacks
Just as smartphones using Apple OS and Android are attracting the attention of hackers, as noted with the increase in benign and malicious phone apps, so too has the IP community become a target.
August 4, 2010
By David Byrd
The number of endpoints continues to increase dramatically. As such, they are drawing the attention of hackers globally. Just as smartphones using Apple OS and Android are attracting the attention of hackers, as noted with the increase in benign and malicious phone apps, so too has the IP community become a target. In addressing this increase, service providers must work in conjunction with their sales channels and customers to make every effort to prevent or minimize the exposure.
Earlier this year, Dan York completed a book, “Seven Deadliest Unified Communications Attacks,” to provide a better understanding of the types of attacks, the risks involved and the actions a business might take. This is his list of the deadliest attacks:
The Ecosystem: Unified Communications (UC) integrates voice, video and data to provide for true presence, collaboration and transparency of location, time and method of interaction. The IP ecosystem includes the obvious IP-based equipment (phones, PBXs, routers, etc.), but it also includes applications that we use every day (e-mail, search tools, document creation, database access, etc.). The transition from TDM to IP exposes voice and video applications to the same security challenges that data has always faced.
Insecure Endpoints: Hackers cruise the Internet looking for open/insecure access points into a network. IP phones, routers and IP PBXs all require increased vigilance. Just as the smartphone is integrating the functions of a computer and wireless phone, IP phones have security issues. IT management needs to apply to insecure endpoints methods and procedures similar to those it has always applied to access to business IT networks and applications. IT must formalize efforts to control and strengthen passwords, usage, certified devices, patch management, etc.
Eavesdropping/Modification: As always, the easiest place to listen in on conversations or alter information is within the enterprise or business. These man-in-the-middle style attacks are the most difficult to prevent, occur the most often and result in the greatest loss of money/value. Certain activities such as instant messaging and social networking traffic increase this risk.
Control Channel: This vulnerability leads to toll/international calling fraud, fuzzing, and spam. Denial-of-service attacks may also be a consequence of a hacker gaining access to the control channel.
SIP Trunking and PSTN Interconnection: Authentication of traffic that crosses from legacy to IP networks and vice versa is important, although the authentication effort lies mostly with the service provider. Dynamic registration improves the mobility of the user but increases the exposure to hackers.
Identity/Spoofing: It is possible to spoof/change Caller ID information on IP connections, resulting in phone phishing that misleads recipients into providing potentially confidential information. Interestingly, certain businesses actually request DID spoofing in order to hide their identity (credit collections is an example), and they do so without concern for the ethical issues. Both types of spoofing require changes in approval processes and access.
The “end of geography”: Perhaps not so much the end of geographical limits as the expansion of potential victimization. A business can implement a very secure environment and then have it all exposed due to a connection to a partner that is not secure. Dan York’s thoughts relate to the sheer proliferation of endpoints, in both number and type.
Mr. York has created a website for the book. If you can, take a few minutes to see if this information can improve your practices or those of your customers.
See you on Friday.
David Byrd is vice president of marketing and sales for Broadvox, and is responsible for marketing and channel sales programs to SMBs, enterprises and carriers as well as defining the product offering. Prior to joining Broadvox, David was the Vice President of Channels and Alliances for Eftia and Telcordia. As Director of eBusiness Development with i2 Technologies, he developed major partnerships with many of the leaders in Internet eCommerce and supply chain management. As CEO of Planet Hollywood Online he was a pioneer in using early internet technologies to build a branded entertainment and eCommerce website company partnered with Planet Hollywood. Having over twenty years of Telecom sales and marketing experience, he has held executive positions with Hewlett-Packard, Sprint and Ericsson.