Cyber-Security Expert Addresses VoIP Vulnerabilities at ITEXPO West 2009

Typical VoIP sales pitches do not address critical issues of security, and problems such as the theft of IP telephony minutes often are swept under the carpet and go uncovered by mainstream media outlets, an IP security expert told more than 20 listeners jammed into a session during ITEXPO West 2009 today.

 

According to Paul Henry, a security analyst and consultant at central Florida-based Forensics & Recovery LLC – which provides global clients with expert assistance in the forensically sound identification, preservation, recovery, analysis and reporting of digital evidence – the entire VoIP marketplace is driven by the potential for cost-savings.

 

“As the economy worsens, more and more companies are adopting VoIP, but there’s no allowance for security there,” Henry said during the UC Security Workshop at the ITEXPO (News - Alert). “Companies are jumping in the bandwagon for savings, but they’re not applying security safeguards. It’s not being done in any fashion, whatsoever.”

 

The session – sponsored by Richardson, Texas-based Sipera Systems, a company that helps ensure security for enterprises and service providers seeking to benefit from VoIP and unified communications – addresses one of the critical issues now facing businesses of all sizes, as sensitive information lives on the network, including information that’s spoken through VPNs on VoIP-based calling systems.

 

The workshop is running throughout the day today.

 

Adam Boone (News - Alert), vice president of marketing for Sipera, said during opening comments to the session that the day’s main thrust would be to go into UC and the role that security plays in enabling UC in various environments.

 

“As you’re looking to deploy VoIP and UC out to external parties, there are many vulnerabilities to be considered that may not be readily apparent,” Boone – a colorful character who peppered his talk with anecdotes such as how Vonage (News - Alert) kicked him off its service because he was trying to teach his neighbors about the dangers of VoIP vulnerabilities through a practical, unannounced demonstration – told his rapt listeners. “Ther are issues like exposing traffic to an unwanted network that emerge constantly.”

 

And – according to Henry – companies that promote and sell VoIP services are short-cutting security to provide widely desired cost-savings.

 

“Dropping VoIP in on top of network infrastructure is suicide today,” Henry said. “Yes, it can be simply layered into an existing network, but you are leaving yourself wide open to a myriad of issues. The ideal way to deploy it is on a dedicated network with a separate infrastructure. But all that new gear eliminates any possible savings.”

 

Henry also cited statistics – possibly already outdated – that 200 million minutes per month are being stolen from IP telephony systems through so-called “VoIP theft.”

 

“It’s an issue that currently is not being addressed by the media,” he said. “I don’t know if the losses aren’t high enough ($26 million per month) or it isn’t an interesting enough topic. . . . In most large enterprises, when they’ve had a theft of VoIP minutes, they sweep it under the carpet. They don’t want to be known as vulnerable because it hurts business.”

 

Other sessions today include: “Managing the Unified Communications Transformation:
Proactive Security Planning,” to be hosted by Cory Stephens, founder of Encompass Technologies, LLC; “Chief Security Architecture Considerations for VoIP and UC Deployments,” with Drew Bloczynski, director of business & security consulting practice at Sipera (News - Alert); “Threat Mitigation Strategies: Aligning VoIP and UC Security with Your Information Security Posture” with Benjamin Huey, chief security officer at Dieko Corporation; and “Security Assessments: Overview and Best Practices for
Using Self Assessment Tools” with Mike Jones and Arjun Sambamoorthy of VIPER.

 

Henry called his session “Evolving VoIP Threats,” and it included examples of cybercriminals arrested for tapping into VoIP networks and stealing minutes.

 

VoIP threats still to hit the United States as hard as they’ve hit other parts of the world, Henry said, include “VoIP Phishing,” which takes a VoIP construct and sends out an e-mail asking recipients to call a local number to correct some sort of falsified problem, as well as “SpIT” – or “Spam over Internet Telephony (News - Alert),” which will work like regular spam except that instead of a text message sent through e-mail, victims will receive unwanted phone calls.

 

One of the striking points that Henry hit more than once during his talk was the ready availability of hacking tools for cybercriminals seeking to steal VoIP minutes or do things such as eavesdropping.

 

“I don’t understand why people involved in VoIP products still say these threats are theoretical,” he said. “All that’s lacking is the will to use the tools.”