Group seeks to bolster VoIP security

By Bill Brenner, News Writer
25 Oct 2005 | SearchSecurity.com

Security Wire Daily News

Security experts have long lamented that enterprise Voice over Internet Protocol (VoIP) rollouts are outpacing efforts to harden the technology against thieves, hackers and fraudsters. There has also been little consensus on how to define VoIP-specific threats and develop best practices to fight them.

But one industry group hopes to at least solve the latter problem with a new 36-page .pdf document outlining a threat taxonomy that users, vendors, carriers, law enforcement agencies and legislators can use to make the technology more secure.

The document was released Monday by the Voice over IP Security Alliance (VOIPSA). The global organization was formed in February to "find and mitigate VoIP security risks through testing, research and education so that VoIP technology can thrive and propagate," according to its Web site.

Jonathan Zar, senior director of Sunnyvale, Calif.-based SonicWall Inc. and secretary of VOIPSA, said the document is important because it provides a foundation for all future discussions on VoIP security that are both technically and socially informed.

"This gives enterprises, designers and carriers a clear and common understanding of what the problems are, how they might be measured and how they can be dealt with," Zar said. "The idea is also to bring law enforcement, legislators and technologists together on the same page and get them to speak the same language."

Specifically, Zar said, the taxonomy document offers:

  • Core definitions that give specific meaning to privacy and security;
  • A framework that connects public policy and technology issues;
  • Recognition that the human element in threats is distinct from their technical means;
  • Specific sets of issues for consideration by legislative bodies and by law enforcement; and
  • A detailed structure for technical vulnerabilities across the value chain.

VOIPSA also announced Monday that its membership now exceeds 100 companies and institutions around the world "that represent the entire value chain for VoIP." Zar said members include major carriers, software companies, equipment vendors, large users and system integrators. New members include Juniper Networks Inc., Nokia Corp., Deloitte & Touche USA LLP and BearingPoint Inc. The group has also unveiled a new Web site with expanded membership services.

Examples of VOIPSA's threat taxonomy
Here are some of the definitions VOIPSA uses to describe the threats users face:

Call-pattern tracking is the unauthorized analysis of traffic to or from any node or collection of nodes on the network. This technique enables unauthorized conduct such as theft, extortion and deceptive practices like phishing.

Traffic capture is the unauthorized recording of traffic by any means and includes packet recording, packet logging and packet snooping. Traffic capture is a basic method for recording a communication without the consent of all the parties.

Number harvesting is an unauthorized means of capturing identity and enabling subsequent unauthorized communication, theft of information and other deceptive practices.

Conversation reconstruction is a technique for collecting, duplicating or extracting information on the audio content of a conversation without the consent of all parties to the communication.

Voicemail reconstruction is any unauthorized monitoring, recording, storage, reconstruction, recognition, interpretation, translation, and/or feature extraction of any portion of any voice mail message.

Call black holing is any unauthorized method of dropping, absorbing or refusing to pass IP or other essential elements in any VoIP transmission. This can be used to prevent or terminate a communication. Call black holing is defined to include any VoIP protocol for any form of communication, whether voice only or converged with other media, including video, text and images.

Call rerouting or call sinkholing is any unauthorized method used to redirect an IP signal or other essential element of any VoIP transmission to divert communication. When authorized, call rerouting may also be used as a defensive technique against attack or an enabler for other services.

Fax alteration is any unauthorized modification of any of the information in a facsimile or other document image, including header, cover sheet, status and/or confirmation data.

Conversation alteration is any unauthorized modification of information in the audio, video and/or text portion of any communication, including identity, status or presence information.

Conversation impersonation and hijacking is the injection, deletion, addition, removal, substitution, replacement or other modification of any portion of any communication with information that alters any of its content and/or the identity, presence or status of any of its parties.

False caller identification is the signaling of an untrue identity or presence.
