Slashdot Mirror
Voice Over IP Under Threat?
An anonymous reader writes "The IT Observer is discussing the possible scary future of Voice over IP targeted viruses, and what that could mean for the consumer. The article discusses the likelihood that VoIP is going to become even more popular, and the damage that a targeted 'flash virus' could perpetrate in a very short amount of time. From the article: 'Let's imagine a scenario that could become commonplace in the near future: A user has an IP telephony system on his computer (both at home and at work). In his address book on the computer there is an entry, under the name Bank, with the number 123-45-67. Now, a hacker launches a mass-mailing attack on thousands or millions of email addresses using code that simply enters users' address books and modifies any entry under the name Bank to 987-65-43. ... If any of these users receives a message saying that there is a problem in their account, and asking them to call their bank (a typical phishing strategy), they may not be suspicious, as they are not clicking on a link in an email ... If they use their VoIP system to call the bank, they will be calling the modified number, where a friendly automated system will record all their details. ' "
is that people will call you up during your dinner to tell you that you're long lost uncle's oil wealth is available to you in Madagascar or about the wonders of this new herbal male health pill.
This seems a logical progression of phishing, but it's hardly going to be a large impediment to the adoption of VOIP. Phishing hasn't dissuaded people from using email.
But that just my opinion.
The simple truth is that interstellar distances will not fit into the human imagination
- Douglas Adams
I have to say that using malware on VoIP hopes but cannot assume that VoIP is even functional and stable enough to do that. Maybe other people have a different experience but CallVantage is not ready for primetime and if they want to use it for exploits and malware they'll have to compete with the utter crappiness of the service that works like malware all on its own.
Who's got an OSS Flash or Java applet that is a SIP or IAX client? If we keep the VoIP SW on the server (tested and upgraded), and give it access to our network/AV HW only on request in a sandbox, we're pretty safe against viruses. These applets can be signed and distributed easily, unlike OS-installable full apps, or dedicated HW.
--
make install -not war
Spams in my inbox is painfull. Spams using VoIP will be very very painfull.
VoIP will be cheap enough for spammers, and easy to handle by spamrobots...
-- Rastignac was here.
I would say there are likely far more people who use regular landlines and cell phones and don't use VoIP, but that do still maintain phone books on their computers. If they call with their regular phone, the same will occur. Why drag VoIP into the cross-hairs alone?
Isn't the same type of thing possible for cell phones?
Last I checked, I didn't have my bank's phone number in my address book, seems kind of odd to have something like that anyways.
Do people really call their banks with any regularity to need an entry in their address book?
Wow, lets hope there isnt a way where i really dial 712-145-1511 and it really calls 213-215-1111 that would be big shit......as far as i see it, its just editing your speedial
WulframII - Free Online Mutiplayer 3D Tank Shooting Game
Funnypics
And if I go out at night, and if I wear all black, and if a car comes towards me with no headlights on then I might get run over.
Seriously though, there were an awful lot of 'if's and 'maybe's in that, and at least one of those steps can be avoided by being at least slightly knowledgable about the internet. It's a matter of education and in that respect people have to help themselves, or other people will help themselves instead.
To all your money.
"It does not do to leave a live dragon out of your calculations, if you live near him." - Tolkien
This is just the same problem as before, only people aren't expecting it. A lot of people fell victim to phishing scams (and many still do), using email, because they are stupid. I guess this is a little more advanced, since people expect certain speed-dial numbers to not change. Granted they could probably just have a system where the bank has a password that they have to tell you, so that you can verify that you are actually talking to the bank. This is probably a good idea anyway, as it would be easy to get a 1-800 number similar to a bank, and wait for people to misdial, and then get their information.
Anthropic principle: We see the universe the way it is because if it were different we would not be here to see it.
Changing phone numbers in an address book isn't unique to VOIP. A virus could scan Outlook and other common address book systems and change phone numbers, whether VOIP or not. Since most people don't have their bank phone numbers memorized, they'll assume that the address book entry is correct. Even if they use a non-VOIP phone, the phishing attack can work.
Now, a VOIP system might have an integrated address-book/speed-dial system that could also be attacked. But otherwise, I don't see where this is unique to VOIP.
The Busy Coder's Guide to Android Development
I too, can come up with lots of non-scenarios based on speculation...
What if someone hacks the telephone exchange and redirects all calls to the bank to a new number?
What if I get a letter from my bank saying they have moved, and a phisher builds a new bank at that address, thus allowing them to take all my details?
Someone please explain how a virus can update a Skype user's telephone book? Seems like a poorly-designed software that allows voice telephone messages to modify its database.
signature pending slashdot approval
"Steve... send the PHONE SPIDERS."
"No freeman shall ever be debarred the use of arms." -- Thomas Jefferson
- Don't use Windows
- Don't all move to the Mac
- Don't all use one OS environment - replacing Windows with everyone using the same version of xyz linux wouldn't help that much
- Don't all use the same CPU (x86)
and all this should go away. When did you last hear of a security breach on Alcatel DECT Phone address books?Maybe, just maybe, this could get closer with Web Apps making the OS irrelevant, but look back at the list and see how many of those rules we break.
Security in diversity?
- Paul
This is a concept at best. A virus going through peoples' cell phones (which are far more in use than VoIP sets) to do the same thing is even more viable. This is another 'exploit' that relies on people to be completely oblivious to what their technology is doing. I agree that it is a problem, but it has nothing to do with VoIP. A lot of PHBs are already afraid enough of 'voices in the network' without somebody throwing 'OMFG What if?!' at them.
OMFG, What if someone wrote a virus that relinked your favorites in your browser to point directly at the phishing sites?
Just like VoIP and cell phones and your browser, when you click on a contact or favorite, the vast majority of them show you the underlying value. If you don't recognize that number, end the call. You need to be cognizant of what is happening. It is your fault, not the technologies' fault, if something bad happens due to something like this.
I think that this type of attack is still, to a large degree, depending on TCP vulnerabilities. This type of malware is going to be highly dependent upon other things to initiate such attacks. Granted, in the case of Skype or other PC-based applications this will be far easier to accomplish. I'm not sure it's a VoIP issue so much as an issue of we need to be aware of yet another medium for the transport of exploits. VoIP is UDP based. Protection of such voice streams, should malware over VoIP become pervasive, is going to require pattern recognition at the packet level, heretofore a difficult task. The only means of identification of such things is to sniff the segment. Yet, I'm not sure that that is the type of exploit this article is eluding to.
...Let's imagine a scenario that could become commonplace in the near future
/. has noted it (assuming of course script kiddies and crackers can read) and scripted kiddies are reading it....
Or sooner now they have described what to do &
Jaj
Personally i thought the whole VOIP on the internet was under threat from the start.
VOIP running on the internet, just asking for trouble, IMHO.
VOIP Firewalls, are there any decent open-source ones ?.
A serious botnet can have 50k-100k minion boxes out there... Imagine if VOIP hit even 20% penetration, that would obviously be 10k-20k phones that botnet owner has access to. If you were the type of slimeball or, gods forbid, terrorist, what would you do with 20 thousand phones you had access to? Think DDOS on 911? Think maybe just dialing pay phone services like the old auto-dialer spyware? People maybe shouldn't be allowed to run their VOIP systems on just any old machine... Perhaps all those writing VOIP code for Windows systems should just stop and burn all copies of their apps? That doesn't sound too bad :P
put the what in the where?
Let's face it, who's the prime target for phishing? Joe Average Users. "We" (as in, people who enjoy technology as a pastime more than just a tool) know about such problems, and we know how to deal with them. I still never heard of a 'clued' person to become a phishing target. We certainly don't answer to mails akin to "Hi, I'm your Bank, please send me all your details in reply or your account will be frozen", and we usually routinely check for unwanted BHOs and tasks, and we certainly run up to date AV software (or at least have another reason to assume with some sort of faith that we are not infected).
In short, we know the threat. And we're also the ones who use VOIP predominantly, aside of companies (who better have someone like us as their IT-security person there). Auntie Mable and Joe Hicksberger won't switch to VOIP any time soon.
So personally, I'd rate THAT threat low. At least for now.
We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
Dammit don't you think the phishers read Slashdot too?
Reality has a liberal bias
seeing that in my VNC.
viruses over a virus from a public pay phone anyday!
Those shankers hurt!
It is easier to build strong children than to repair broken men. -Frederick Douglass
I don't see where this is a threat to VoIP? If I receive an email or a call telling me there is a problem with my bank account, my reaction would be to talk to my bank counselor. I don't know how it is in the US but here in France, each customer has a personal bank counselor to interact with. And I would certainly never give any information to a voice machine. Ultimately, the problem has never been the technology but people's ingenuousness. If somone asks you to give the secret passcode to your account (you know, the one the bank told you never to give to anyone) would you do it? Of course not!
So I really don't think that this could be a threat to VoIP or email, or what else. The ones being tricked by Phishers are people.
This is all hype in my opinion. There probably will be attacks against VOIP banks but they won't be as mentioned. Each VOIP Provider has their own code they use, I don't see how one virus is going to spread through more then the one system it was designed on/for. The attacks will be denial of service attacks most likely.
*DrugCheese rants*
Threat?
Voice
IP
What if I do the same thing, and I do get different results?
To me, this smells like a security company drumming up business.
First, as with every technology outside the Windows desktop monoculture, viruses are not easy to spread: A variety of CPUs and OSs make it less likely the next machine a virus encounters will be able to run the virus code.
Second, the hypothetical attack depends on a combination of two attacks: A virus plus phishing. That is an uncommonly sophisticated combination. Is there any basis in current experience with attacks that shows this is likely to happen?
Third, the culture and user experience in voice communications is converging with IM: permission based, filtered based on a list of known contacts. VoIP users will talk mainly to people they know - others go to voicemail. Is there any study that shows a virus/trojan/phishing attack could spread in that type of community?
I wrote parts of this stuff
A bank will NEVER ask you for information that they already have. They will only CONFIRM data... Name, Mother's Maiden Name (or some other confirmation - favorite color, first pet's name, city you were born in), and the last 4 of your social or last few of your account number. They will match this information up with what they have, then they will talk to you about your account. They won't have a recording take this information, they won't ask for you PIN (EVER...they will NEVER ask for this information), and they already have your full account number...so they won't ask for that... It only takes a little common sense to avoid being the target or being a victim of identity theft via phishing... ...
--E--
Having a regular phone line doesn't save you from possible the future of junk calls. The barrier is that people initiating the call up until now have had to spend a lot of money. If they can call a POTS line from overseas and not spend a boatload of cash, they'll call you sooner and more often considering your number is probably listed... Unlike most VOIP providers.
The hypothetical scenario described is extremely weak... I don't know of any people who have their address book that tightly integrated into their VOIP software/service. Even if they did, con-artists are like any other good engineer... lazy... they'll go for the low hanging fruit and defraud grandma by simply talking to her.
So you have an email attack based on the idea that people keep the phone number of their bank in their address book? Rather why would I bother if I can always just get it off their website or from my statement? I suppose changing an electronic statement to put the fake number on it is also possible. But how is this really related to VOIP? The problem still remains one of some email attachment taking over your computer and accessing your personal and confidential information that you have stored there. The rest could just as easily be accomplished via the regular phone.
Computer viruses are not an unavoidable fact of life. In fact, computer viruses are largely limited to Windows. Maybe computer viruses threaten VoIP on Windows, but other platforms and embedded systems are fine. Really.
As someone who uses Vonage, I don't see this ever happening to me and I don't think that this would be a widespread issue. Personally, I only use Vonage as a replacement for POTS. I only really want a telephone number and caller ID but in order to get that, it costs the same amount as buying a big bundle with every option under the sun. So, I switched to Vonage and disconnected my house from the POTS line (as was advised from somewhere to prevent a fire hazard of some sort... still not sure I believe that). They're not going to get any phone numbers out of my regular phones without tracking my actual phone calls.
Anyways, my point is that I see a lot of people (read: non-geeks) using VoIP in the way that I am by using their regular phones interfaced with a VoIP box. Sure, you may have some people using their computers but I would assert that many people would rather not sit at their computer to talk on the phone with someone.
Then we get to the attack method. How would the attacker answer the phone assuming I was using a piece of VoIP software that the attacker would target to look in the address book of that piece of software and I had an entry of "Bank?" "Hello. This is your bank, how may I help you?" I sure as hell wouldn't fall for that and I would also say that the vast majority of people that might fall for a phishing e-mail or something of that sort wouldn't fall for that either. I would assume that you would have actually called the bank before if you put the bank's number in the speed-dial or address book.
people still don't mind being raped by their local provider. Do you enjoy paying insane rates for an infrastructure that has been paid for a million times over?
I don't believe all IP Telephony solutions are by default vulnerable to this type of attack. As others have said it also assumes the system is some kind of skype derivitive or whatever, that isn't what one would call an enterprise class IP Telephony solution.
Take for example the deal I am working with now, from 3Com where there are gateways that connect the IP Telephony solution to POTS. In effect my System i running Linux is back behind the POTS gateway and thus isn't really open to the internet per se. Although of course it could be, and it would certainly be connected to my ip network.
I suppose if folks are using soft phones on some random network somewhere and they aren't properly secured etc that something could get through but then again this assumes that the system on the back end is open to that attack.
I don't see this doomsday scenario becoming a serious reality in the near future, but then again anything's possible.
K.
Instead of redirecting you and having you enter your banking details they could simply send you to a toll number, charge you five cents and then redirect your call back to your bank. You call your bank at most a few times a month. So you won't notice 25 cents in extra charges on your phone bill if you aren't paying attention. If they do this to enough people they could go unnoticed for months, meanwhile racking up millions in small charges. Of course I'd rather I lose a few cents than have all of my banking information stolen. But they're much less likely to get caught this way.
Read my short stories - You won't regret it.
Most people will either look the phone number up when they need it on their bank's Web site, on their monthly statement, or on the back of their bank card. Trusting sensitive phone numbers (where a "man in the middle" type of attack could be devastating) to a computer address book is a bad idea, anyway.
I've never heard of a cell phone address book hack, however I'd be equally hesitant to store these phone numbers in my cell phone address book, especially if that cell phone is running an OS like Windows Mobile.
Have you driven a fnord... lately?
You must wait a little bit before using this resource; please try again later.
Take it a step further and have it append the number of your real bank to its number, with a computer on the other end to listen and have it dial that number so your conversation with you real bank is tunneled through the phishing database which can record your real conversation with your real bank.
Hypothetically, if this were to happen to me, and I got a message from my bank asking me to call them to verify information, and I called this automated system, what message would I be presented with?
Are the phishers going to look up the phone number stored under 'Bank' and see which bank it actually is and then record the voicemail using my bank's actual name, and then ALSO have an automated system with my bank's actual name in it?
What if you were using a small-town bank? I highly doubt the phisher would be able to accurately determine your address to get the city and state required to lookup said bank, unless you also had that stored in your address book.
As a previous poster said, too many ifs and maybes.
Rarely is the question asked: Is our children learning?
You cant expect technology to do everything. Being human beings and apparently one of the most intelligent species on the planet, if your stupid enough not to check the number when dealing with somthing as sensitive as banking, then clearly you have no common sense, and shouldnt be using a PC to do your banking in the first place.
Therein lies the rub. If you don't use the original voice talent the people you're trying to scam will immediately know somthing is up.
Having worked with the voice talent that you hear on some major voicemail systems (Lorrain Nelson, who did Merlin and Audix) these kinds of systems don't come cheap. So to set up a phony system you would need to
a) be in cahoots with the voice talent, who are usually reputable people or they wouldn't've got the first contract (or they're employed by the company you're targeting, which make your job harder)
b) pay them $200/hr to set up your phony system
With the number of takes to get this kind of stuff right you could easily spend tens of thou$ands on just that piece, not including the various hackers and servers you need to pay/buy to set up the system.
This kind of attack would be a lot harder to pull off than the headline makes it sound. The devil is usually in the details, though details don't usually sell as many front page headlines.
Have fun: Join D.N.A. (National Dyslexics Association)
For the same reason that people who don't pay attention to what website they are on and whether it is secure or not before putting in their login information, credit card numbers, or other sensitive information - Those who fall for something like this would almost deserve to be taken advantage of, just to teach them a lesson...
Unfortunately, I can see people falling for such a lame scheme - heck, even an email with a phone number asking them to call to verify something on their account would be enough to fool some people.
But back to the main problem with this whole idea: Currently it isn't very feasible - in the future when Micro$oft develops VoIP phonebook and click-to-dial integration with Outlook, and millions of people fall for their software again only to be shocked and amazed that it has so many security holes, I'm sure this will be a definite possibility.
On a side note, and not to in ANY way defend Micro$oft - but they do receive a lot of flack over bug-ridden software compared to open source. Nobody takes into account the amount of end-users (your typical, no-nothing, novice, home user) their software has, compared to open source which makes the number of casualties higher, and attracts those seeking to do the exploitation making the numbers even higher, and so on and so forth, and you get my point, I'll shut up now.
Using the following: 1-9 a-z < > ? {} (and maybe a few more) arrange appropriately, and you're programming!!!
That was my thought exactly. I use vonage and don't have an address book on my computer. However, lots of people with conventional phones use Outlook. Changing phone numbers in address books should have been a concern many years ago, and is no more of a concern today.
Hell, I had "click" (F10 key, I think...) to dial on my old Tandy 1000! Modem dialed, then I lifted the handset and the modem disconnected so I could talk.
i've been reading /. for around 8 years now. this is the worst piece of tin-foil-hat shit i've ever read. it's been a fairly decent 8 years, but - quite frankly - this article has turned me off for good.
so long, and thanks for all the phish.
Actually, the only security available is through two things. One is courtesy and the other is obscurity.
No, really. Hear me out.
If everyone behaves like sheep and no one behaves like wolves, no sheep get eaten, right?
Of course not right. Wolves serve a purpose in the overall scheme of things. But the simplification helps for people who don't understand that true courtesy derives from enlightened self-interest and a certain amount of laziness:
If I keep my hands off other people's stuff, that's one less person making it fashionable to take what isn't theirs.
If I don't want somebody messing with my stuff, I'll mark it as something not to be messed with. That's also courtesy, although I should understand that "No Trespassing" signs are more bait than warning. A fence that is just tall and strong enough to keep the casual passerby out usually goes a long way without advertizing that there is something to protect behind it. Also, if one wants to reclaim some property that has developed a public path through the center, the best way is usually to build a path along the edge and not make it too hard to use that path.
Letting people know that something has a claim on it is part of the courtesy, just as much as providing alternatives where possible for those who will insist on going through anyway.
One of the best fences for letting people know something is off limits without making it bait just happens to be one of the simpler forms of obscurity: the picket fence around the garden.
Fences are not unscalable, neither are locks are not unbreakable or unpickable. The harder it is to feel where the tumblers fall, the better a lock is (other things equal). That is another form of obscurity. Assymetric cryptographic keys are also a form of obscurity. In theory, there is a vanishingly small chance someone could guess if they tried, but there's no chance at all they'll guess if they don't. They claimed difficulty of cryptographic security makes it more secure from casual entry. If it's easy, casual passersby might give it a try. If it's known to be hard, only someone with motivation tries it.
That's why houses in middle-class neighborhoods in the US (as opposed to Japan) have garden fences, walkways, and front doors. The garden fence is the courtesy announcement that the property is not public. The door and lock are enough out of the public eye to remove temptation for most casual trespassers. And the tumblers in the lock are hidden from prying eyes, if not hidden from skilled fingers holding a pick. Two levels of obscurity, two levels of courtesy. If you need more security, the safe is inside the house, even less visible to casual inspection.
Now, what about Microsoft?
Microsoft says that obscurity is using fancy tumblers on the latch on the garden gate without putting them in a strong case and then saying that there's no need of a lock on the door, and no need to hide the safe. To overcompensate, they then put cheap padlocks on everything in sight, while leaving it all in sight.
And then they say that courtesy is obeying the "No Trespassing" sign.
See the difference?
The final element of security is not to have things that others want, or if you must have them, not to advertise them. Obscurity and courtesy play there, as well.
If e-mail providers hadn't been pushed into such a rush by Microsoft's desire to rule the world through software, your average mail provider would provide you with multiple addresses, whitelists for your private addresses, and blacklists for your public addresses. That would remove most of the incentive for spam.
Likewise, if Microsoft had not been intent on winning the war through the browser, bank access would be through special-purpose browsers, probably provided in Java or something similar on CDs to reduce the likelihood of spoofing. The best protection against phishing, you see, is exactly the non-standard browser.
Split the company along product lines, then split it again in a year.
.net, VC, etc.; etc.
1st year: OS, office productivity, development, others
2nd year: desktop OS, server OS, handheld OS, etc.; word processing, spreadsheet, db, mail, calendar, etc.; VB,
The only interaction the baby MSses would be allowed would be through API documents published under the EFF's documentation license, and all patents held by Microsoft placed in the public domain. The reason for giving them the year is that it would take that long to produce the APIs. Of course, the judge would probably have to place a limit on the length of the API documents.
No, that's probably not possible, and that's the real reason Microsoft should cease to exist.
I don't think this is something one should be worried about.. as the article implies. Granted, such a virus' functionality is possible, but the article seems geared more towards bringing awareness on the issue, rather than prophesying doomsday. There's solutions to this scenario that can be easily incorporated into applications - for example, applications can do internal monitoring of their address book.. if anything is programetically changed, or the address book differs (CRC32?) on startup from the last time the application was run, the system prompts the user with the changes made, and asks whether or not to keep those changes. Then there's address book encryption.. there's all sorts of methods that can be used to easily thwart such viruses. In the long run, the only practical VOIP-specific virus I can think of that'd be difficult to deal with, would be phone spam, viruses who hijack your voip connection with their own built-in voip protocols, to dial through your PSTN to deliver spam, or trojans which allow a hacker to make phone calls at your expense. Any takers on this one? :)
This is along the lines of your typical exploit where certain conditions have to be met under extremely specific circumstances. The threat of VOIP DOS attacks is much more viable... I've seen it happen, but even the most typical of moron users will think something is up when they speed dial their bank only to find a generic greeting message or at best, an operator with a South Africanish accent. This is why companies have different levels of priority for their patches... things like this only work in theory.
All of that aside, I do believe that companies shelling out millions of dollars in hopes that they will "save money" by switching to VOIP will start to realize the risk they're taking by pushing all of their communications resources onto an already overhauled network. It's not a pretty sight when a mission critical portion of your company comes to a screeching halt because the switch in the back room flopped... especially when the IT guy has to be called in at 3AM by a frantic supervisor to hit the reset button (Yeah, on his cell phone... the VOIP lines were down).
Birds are not dinosaur descendants;birds are dinosaurs, for all useful meanings of "birds", "are" and "dinosaurs"