OCS Exposed – Practicing Safe OCS

February 21, 2008
Aside from all the hackers and all the bothersome constant updates to Windows, there have been surprisingly few reported attacks on Outlook. Of course, now that OCS is integrated into Outlook, that can certainly be expected to change. At the same time, Microsoft uses Kerberos and digital certificates to provide improved security for OCS. More about that in a future report.
 
Meanwhile, back at the ranch, like so many types of corporate crime that go unreported because the company doesn’t want to expose itself to perceived governance incompetence, new types of VoIP/SIP attacks are being reported at an alarming rate in the trade press. Even though none so far show up in searches in Google or Yahoo, attacks like VOMIT (Voice Over Misconfigured Internet Telephony), SPIT (SPam over Internet Telephony), vishing (the voice equivalent of phishing), SPIM (SPam over Instant Messaging) and others are the VoIP/SIP equivalent of STDs. My particular concern is not just annoying problems like SPIT/SPAM, which according to some can be cured along with viruses by filters, spyware, firewalls and routers, but unknown new approaches. Many others think that existing solutions are just supporting existing prevention companies, not realizing what new problems are all about. Think about it. How in the world can you stop something if you don’t know what it is? Well, many just deal with lots of patches, fixes and service pack updates. For others, new solutions will be needed. Sounds a bit like the Clinton-Obama debate.
 
The really serious problems, in my opinion, are calljacking or call-hijacking, eavesdropping, MITM (man-in-the-middle) and other types of monitoring, wire tapping and call interception attacks. There are increasing reports of rerouting SIP INVITE registration attacks in which the hacker monitors, tampers with, injects voice into, redirects or terminates calls, as well as other SIP method attacks. These attacks put corporate secrets at risk and can lead to violations of HIPAA, SOX, GLBA and other compliance requirements and even of simple privacy guidelines. And, if the capture of voice conversations is not enough, one of my other worries is call “injection” where obscenities, threats and even other comments create a hostile work environment, litigation, discrimination and so on.
 
While some say that VDOS (Voice Denial of Service) attacks are more critical, others believe that existing firewalls and IDS (Intrusion Detection Systems) can be expanded to address voice DoS attacks. As you are beginning to see, the range of voice attacks is as large as or larger than the range of attacks on data. What is worse is that for one hundred years we have trusted our voice networks to be safe from intrusion, attacks and truly criminal attacks. In addition, other than government monitoring (and that is a separate discussion), reports of criminals stealing corporate or personal secrets are almost unheard of, for fear of bad PR or poor compliance. However, lest we forget, toll fraud is still a multi-billion dollar industry. Console cracking and other types of toll interception are still prevalent.
 
As one SIP expert put it, “Frankly, providers of SIP network solutions and those with premise equipment such as Avaya, Cisco, Microsoft, Nortel and others have largely left SIP security planning to the customer to figure out. VoIP/SIP attacks are also increasing but product vulnerabilities are also on the rise with a report this week by Cisco that ‘Cisco Unified IP Phone models contain multiple overflow and denial of service (DoS) vulnerabilities.’ A SIP Security Checklist is not just a do-it-once review but a planning guide for ongoing daily security protection,” noted Matt Jolly. What is really needed is guidance and best practices. There is one industry association devoted to that cause. The VoIPSA (Voice Over Internet Protocol Security Association, http://www.voipsa.org) is a place to “get smart” about VoIP/SIP security. VoIPSA has been working for many years to help “you all” get a grip on the challenges and risks, as well as providing solutions.
 
Lastly, have a security plan before, not after, you implement VoIP/SIP because, as Thufir Hawat in the movie Dune reminds us in preventing attacks by the nasty Harkonnen, “the first step in avoiding a trap is knowing of its existence.”
 

