Voice Over IP Under Threat?
An anonymous reader writes "The IT Observer is discussing the possible scary future of Voice over IP targeted viruses, and what that could mean for the consumer. The article discusses the likelihood that VoIP is going to become even more popular, and the damage that a targeted 'flash virus' could perpetrate in a very short amount of time. From the article: 'Let's imagine a scenario that could become commonplace in the near future: A user has an IP telephony system on his computer (both at home and at work). In his address book on the computer there is an entry, under the name Bank, with the number 123-45-67. Now, a hacker launches a mass-mailing attack on thousands or millions of email addresses using code that simply enters users' address books and modifies any entry under the name Bank to 987-65-43. ... If any of these users receives a message saying that there is a problem in their account, and asking them to call their bank (a typical phishing strategy), they may not be suspicious, as they are not clicking on a link in an email ... If they use their VoIP system to call the bank, they will be calling the modified number, where a friendly automated system will record all their details.'"
This seems a logical progression of phishing, but it's hardly going to be a large impediment to the adoption of VOIP. Phishing hasn't dissuaded people from using email.
I would say there are likely far more people who use regular landlines and cell phones and don't use VoIP, but that do still maintain phone books on their computers. If they call with their regular phone, the same will occur. Why drag VoIP into the cross-hairs alone?
I've seen this argument crop up regularly on /. recently, but that doesn't make it a good one. Why? Well, let's extend your argument to its logical conclusion - not only should we all use different operating systems, web browsers, CPU architectures, but we should all also use different file formats, standards and networking protocols.
I'll never get caught by a phishing scam because my web browser doesn't support the HTML used on fake-paypal.com and I can't even connect to it anyway because I'm using a brand of TCP/IP used only by myself and a handful of /. geeks.
Call me crazy, but I want to work on something that I can easily share with my colleagues - I want the most open digital environment I can get.
I refuse to accept that lazy/poor programmers can excuse the security holes in their products by claiming that everyone should be aiming for security through obscurity. Let's stop blaming Windows/Internet Explorer users for the insecurity of the products they use. Security through diversity is just renamed security through obscurity; it's no security at all.
Exactly.
I have been doing it for a while now (need to clean the code for the AGI plugin and post it). For my incoming phone lines I have scheduled times when the phone does not ring, when it rings only in my office for known callerIDs or when it rings for everyone who has not withheld their callerid. Trivial to do with asterisk+perl-AGI and quite more powerful compared to the default autoattendant.
The article brands all VOIP to be Skypelike (and vice versa). VOIP is not just PC based systems and this attack currently applies only to PC based systems. In addition to that it is limited to a specific VOIP system. A valid Skype attack is not applicable to Yahoo, MSN, SIP phones, etc.
Things may change in the future when integrated contact management and click-to-dial become commonplace. This is not common enough now and can be found only on PHB/Sales laptops so it is not yet an attack vector that is worth mentioning. By the way, this will apply to any phone system that has click to dial, not just VOIP. Now having outlook+voip worm - that is a scary thought...
Baker's Law: Misery no longer loves company. Nowadays it insists on it
http://www.sigsegv.cx/
Oh yeah - one more thing - who does the author of this article work for? Hmm. Panda. What do they do? Antivirus and security software. Self serving FUD is what this is.
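
A defensive check for the address-book scenario quoted in the story summary, as an added example that is not part of the original thread: each contact is bound to its number with an HMAC tag taken while the book is known to be good, and the tag is verified before a click-to-dial call is placed. The key, the function names and the sample entries are constructed for illustration, and the check assumes the key is stored somewhere the code that rewrites the address book cannot read.

```python
import hashlib
import hmac
import re

def normalize(number):
    """Keep digits only, so a change of punctuation is not reported as tampering."""
    return re.sub(r"\D", "", number)

def seal(key, name, number):
    """HMAC-SHA256 tag that binds a contact name to its normalized number."""
    msg = name.strip().lower().encode() + b"\x00" + normalize(number).encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()

def build_baseline(key, book):
    """Tag every entry once, while the address book is known to be good."""
    return {name.strip().lower(): seal(key, name, num) for name, num in book.items()}

def check_before_dial(key, baseline, name, number):
    """Return 'ok', 'modified' or 'unknown' for the entry about to be dialled."""
    tag = baseline.get(name.strip().lower())
    if tag is None:
        return "unknown"  # entry added after the baseline: confirm it out of band
    if hmac.compare_digest(tag, seal(key, name, number)):
        return "ok"
    return "modified"

def audit(key, baseline, book):
    """Sorted names whose stored number no longer matches the baseline tag."""
    return sorted(name for name, num in book.items()
                  if check_before_dial(key, baseline, name, num) == "modified")

# Constructed sample data; the Bank numbers are the ones used in the quoted article.
KEY = b"constructed-demo-key-not-a-real-secret"
GOOD_BOOK = {"Bank": "123-45-67", "Alice": "555 01 00"}
TAMPERED_BOOK = {"Bank": "987-65-43", "Alice": "555-0100", "Carol": "555-0199"}

if __name__ == "__main__":
    baseline = build_baseline(KEY, GOOD_BOOK)
    for name, num in TAMPERED_BOOK.items():
        print(name, num, check_before_dial(KEY, baseline, name, num))
    print("changed entries:", audit(KEY, baseline, TAMPERED_BOOK))
```
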