CRN finds security risk in VoIP applications
(DMEurope via Thomson Dialog NewsEdge) DMEUROPE - 27 January 2006 - CRN finds security risk in VoIP applications. (C) 2006 DMeurope.com (http://www.dmeurope.com) & DME Ltd. All rights reserved.
The Communications Research Network (CRN), a community of industry experts based at Cambridge University in the UK, has discovered a security loophole in VoIP applications which could give internet criminals a better method of covering their tracks.
The CRN's working group on internet security, led by Cambridge professor Jon Crowcroft, discovered that VoIP applications, such as those offered by Skype and Vonage, could provide excellent cover for launching denial of service (DoS) attacks. DoS attacks infect computers which then act as 'zombies' to spread viruses or other malicious software, usually through spam e-mails.
The scale of the DoS problem is notoriously difficult to assess, said the CRN, because many attacks go unreported by organisations that do not want to undermine client or employee confidence in their network security. Even conservative estimates of the number of zombie computers range in the millions, though.
Attack commands are usually delivered to zombies via instant messaging. ISPs have caught on to this method, however, and are able to survey instant message servers to ascertain where the control is coming from and where it is going, either to prevent an attack or at least to determine the location of the culprit who instigates it.
The CRN has discovered that VoIP applications provide cover traffic for DoS attacks because VoIP runs continuous media over IP packets, making it almost impossible to trace the source of an attack. Also, encryption for user privacy and 'superpeer' systems which assist with call routing further obscure the source of DoS commands.
The CRN noted that there has not yet been a recognised instance of a VoIP-coordinated DoS attack, but its experts believe it is only a matter of time. Such attacks could not only compromise network security but could severely undermine consumer confidence in VoIP. The CRN suggests that VoIP providers publish their routing specifications or switch over to an open standard so that traffic can be more easily monitored.
The CRN is funded by the Cambridge-MIT Institute, a joint venture of Cambridge University and the Massachusetts Institute of Technology.