[VOIPSEC] ComputerWorld.au: "Enterprises must avoid IP telephony for teleworkers or face attack" - and my response
dave_endler at 3com.com
Thu Mar 8 15:19:16 CST 2007
Yikes, I'm just now catching up from email after VoiceCon and finally had a
chance to read the ComputerWorld article. I didn't realize until now that I
had been quoted in it.
Mark Collier and I presented a 3 hour tutorial on VoIP security this Monday
at VoiceCon where I think the reporter grabbed all of those quotes from.
It's unfortunate that the reporter took about 15 minutes worth of our
presentation and used it to further his faulty premise. Our presentation
outlined certain threats to general VoIP installations, and then detailed
the specific countermeasures that could be applied to mitigate each threat.
Mark and I stated several times throughout our presentation that even though
there are security concerns associated with deploying VoIP (as with any
application), all of the enterprise class VoIP solutions that we had tested
are securable with the right amount of effort and research. It's a shame
that point didn't get included in the article.
Dan York is spot on with his rebuttal on the VOIPSA blog. Having been in
the security industry for a while, I'm not as surprised anymore at fear
based reporting. It's just a little more upsetting when it's your own words
being taken out of context to sex up a headline.
My hope is that as VOIPSA grows as a voice piece in this industry, we can
continue to combat this type of FUD with our projects, guidelines, and
outreach messaging.
-dave
Obligatory disclaimer, I work for TippingPoint, which is a division of 3Com
that develops VoIP products.
David Endler
Director of Security Research
TippingPoint, a Division of 3Com
-----Original Message-----
From: voipsec-bounces at voipsa.org [mailto:voipsec-bounces at voipsa.org] On
Behalf Of dan_york at Mitel.com
Sent: Tuesday, March 06, 2007 3:00 PM
To: voipsec at voipsa.org
Subject: Re: [VOIPSEC] ComputerWorld.au: "Enterprises must avoid IP
telephony for teleworkers or face attack" - and my response
Mason,
Sadly, I think we will continue to see this coverage for some time.
Telling people that VoIP works great for teleworkers (when done right)
doesn't "sell papers" (or, in today's lingo, "attract links"). Conflict
does. Fear does. Ergo... this kind of coverage. (Cue "It's the End of
the World as we Know It!"... dang... I need to get a
"free-to-play-on-a-podcast" version of that song to play on Blue Box!)
Thanks,
Dan
--
Dan York, CISSP
Dir of IP Technology, Office of the CTO
Mitel http://www.mitel.com
dan_york at mitel.com +1-613-592-2122
PGP key (F7E3C3B4) available for
secure communication
Mason Harris <maharris at cisco.com>
Sent by: voipsec-bounces at voipsa.org
03/05/2007 03:45 PM
Please respond to maharris
To: dan_york at Mitel.com
cc: voipsec at voipsa.org
Subject: Re: [VOIPSEC] ComputerWorld.au: "Enterprises must
avoid IP telephony for teleworkers or face attack" - and my response
Dan, I thought your rebuttal in the blog was spot on. Clearly this is a
headline aimed at creating paranoia for the uninformed public.
The headline could have just as easily read "Enterprises must avoid
internet access for remote teleworkers or face attack"
Again we need to help educate the general public that all security
controls still apply when connecting your IPTel solution to the internet
(split-tunneling is bad, change default pws, turn off unnecessary
servers, etc.)
Sadly we'll probably continue to see this kind of "the sky is falling"
media coverage as teleworker deployments proliferate. Knowledge is power
in this case, I suppose.
cheers,
Mason
dan_york at Mitel.com wrote:
> VOIPSEC readers,
>
> FYI, ComputerWorld in Australia came out today with the article
> "Enterprises must avoid IP telephony for teleworkers or face attack" found
> at:
>
> http://www.computerworld.com.au/index.php/id;350011373
>
> Since I use (secure) teleworker phones every day, I was rather annoyed at
> their headline and wrote this response (since I couldn't comment at
> ComputerWorld.au):
>
>
>
> http://voipsa.org/blog/2007/03/05/why-computerworldau-is-dead-wrong-about-enterprises-must-avoid-ip-telephony-for-teleworkers-or-face-attack/
>
> As you would expect, I will naturally talk about this on this week's Blue
> Box podcast when Jonathan and I record it later this week.
>
> Given that ComputerWorld.au is an IDG property, I would expect that this
> article might show up on other IDG websites over the next while. (PC
> World, Linux World, Computer World, InfoWorld, NetworkWorld, CIO, CSO,
> etc.)
>
> Regards,
> Dan
>
_______________________________________________
Voipsec mailing list
Voipsec at voipsa.org
http://voipsa.org/mailman/listinfo/voipsec_voipsa.org