Researchers from two different security firms are seeing fresh evidence that attackers are targeting Web 2.0-based business applications and VoIP with increased vigor, and warn that companies are ill-prepared to meet the threat.
Secure Computing Corp. announced Tuesday that it has uncovered a potential new method to gain control of a user's PC by launching an XSS attack via the VoIP protocol known as SIP. This is the first time Secure Computing seen a Web 2.0 attack using the VoIP protocol, said Paul Henry, vice president of technology evangelism for the San Jose, Calif.-based vendor.
Separately, researchers at Websense Security Labs issued an alert about a spike in new spam techniques over Skype, the widely-used VoIP service. Spam is being sent over Skype warning users that their system has been infected with malware. The spam is designed to dupe the user into buying software that claims to clean the spyware from their systems. Instead of removing spyware, however, the spammer is able to steal sensitive data that could be used for identity fraud.
In an interview Tuesday, Henry said that the vendor's researchers discovered proof-of-concept code attackers could use to run malware on any PC via the user's VoIP connection.
"The issue is simple," he said. "Attackers may have found a blind spot in today's popular defenses, as most security products are not looking for Web 2.0 XSS attacks over SIP. Secure Computing recommends using a solution that scans for malicious scripts and malware across every protocol that is permitted to enter the enterprise network."
While users have gotten used to not opening email attachments or being careful when visiting Web sites they're not familiar with, the new VoIP SIP protocol vulnerability is another reminder that "we're living in the Web 2.0 world now and not everything is as safe as we assume," Henry said.
San Diego-based Websense, meanwhile, has labeled the appearance of Skype spam as "SKAM,".
"Traditionally, email [has been] the only conduit for SPAM," a company spokesman said in an email. "However, increasingly the Web and other communication platforms are also being utilized as attack vectors."
The Skype spam Websense has been seeing warns users that their system is infected with malware and tries to trick them into buying software to remove spyware from their systems. "This serves as example of spam propagating on Skype, with malware authors utilizing social engineering to pass their malware off as legitimate software, and attempting to collect money directly at the same time," Websense said in its online analysis.
Henry said he is particularly concerned about what he's seeing because companies have deployed Web 2.0 applications and implemented VoIP systems at a fast and furious pace in the last couple years with little attention paid to the potential security ramifications.
"I don't think companies are using VoIP any more securely than they were two years ago," he said.
That assessment mirrors the concerns raised last summer by Himanshu Dwivedi and Zane Lackey of San Francisco-based digital security firm iSEC Partners Inc. The duo gave a presentation on the various ways attackers can exploit the SIP, IAX and H.323 VoIP protocols during Black Hat USA 2007 in Las Vegas. While Henry warns about SIP being targeted, the iSEC researchers warned that H.323 is particularly vulnerable to attack but that most users assume H.323 is secure because little evidence to the contrary has been presented.
They urged the audience to build a layered defense, noting, as Henry did Tuesday, that the state of VoIP security is as bad now as it was a couple years ago.