Cyber Security Institute

Monday, October 24, 2005

Alliance Tackles VOIP Security Threats

From the perspective of those who hold a stake in voice over IP, however, “social irritations” such as spam are the least of their worries.  According to the VOIP Security Alliance, the greatest threat to VOIP comes in the form of deceptive or fraudulent behaviors, such as unlawful monitoring of calls, DoS (denial-of-service) attacks, false caller ID and eavesdropping.  VOIPSA is unveiling a Taxonomy Threat Model as its preferred framework for addressing privacy and security policies surrounding VOIP deployment.

“Certainly, the criminal behavior that happens today is the greatest risk,” said Jonathan Zar, senior director at SonicWall Inc. and chairman for outreach at VOIPSA, which has more than 100 members from the hardware, software and telephone carrier businesses.

In an initiative reminiscent of the industry’s lobbying campaign leading up to the ineffectual CAN-SPAM Act of 2003, VOIPSA is trying to direct policy-makers’ attention away from the technologies that enable new headaches for users and turn the spotlight on human behavior.  The distinction between the human action behind threats to VOIP and their technical means is meant to dissuade policy-makers from imposing technology-related rules that could hinder growth and innovation in the industry.

“There is a policy and regulatory effort under way, and a number of us have been concerned that that was not informed,” said Zar in Sunnyvale, Calif.  “We want it to be secure, but we don’t want it to be as secure as East Germany was under the Stasi.”

In addition to the vulnerabilities inherited from data networking, a number of VOIP-specific threats confront calls carried over IP.  Privacy advocates, who widely rate Congress’ action to reduce e-mail spam as ineffective, argue that more needs to be done to protect consumers.  “What often is missed with social irritants like spam and telemarketing is that they are a product of privacy violations,” said Chris Hoofnagle, director and senior counsel at the Electronic Privacy Information Center, in Washington.

Lessons learned from the ongoing problem of e-mail spam likely will help the industry reduce the risks to VOIP, said Ray Everett-Church, chief privacy officer and senior consultant at Philadelphia-based ePrivacy Group.  “With the current deployment of VOIP systems, you’re not seeing nearly the risk of spam that you saw very quickly with the rise and popularity of e-mail,” Everett-Church said.

Posted on 10/24