[VOIPSEC] ComputerWorld.au: "Enterprises must avoid IP telephony for teleworkers or face attack" - and my response
Henry Sinnreich
hsinnrei at adobe.com
Fri Mar 9 09:40:29 CST 2007
>I think we have to be careful not to believe/react/promote our own press and stay focused on delivering real world (not just another RFC draft)
Amen to this!
I would also like to add that open source code has made many de facto
standards, while some RFCs designed on paper and by the WG have not made
it, due to lack of available OS code. Plug in your own examples...
Thanks, Henry
-----Original Message-----
From: voipsec-bounces at voipsa.org [mailto:voipsec-bounces at voipsa.org] On
Behalf Of Simon Horne
Sent: Friday, March 09, 2007 1:34 AM
To: dave_endler at 3com.com; dan_york at Mitel.com; voipsec at voipsa.org
Subject: Re: [VOIPSEC] ComputerWorld.au: "Enterprises must avoid IP
telephony for teleworkers or face attack" - and my response
Guys
You also have to be careful to review the story carefully (aside from the hype) and see that a lot of what is being said is true. Most teleworkers do not have access to secure VoIP and if they did, it's expensive and may or may not interwork with their existing PBX systems. Not mentioned in the article are the other more serious issues such as hacking the Border controller (the program SIPcrack is an example of how easy that is) and the malformed or large INVITE message vulnerability of some SIP servers which, if the INVITE is formed in a certain manner, can bring down even the most expensive SIP server.
You shouldn't just throw out the story because it's critical or over-hyped. A lot of it (not all) is perfectly valid to a simple teleworker in Australia, maybe not to VoIP security experts in the US who have access to all the latest VoIP security stuff that simple Joe Blow in Australia doesn't.
On a side note: Let's be honest, a lot of people have profited from this type of poorly researched sensationalist journalism. In fact the VoIP industry would not be where it is today without it. Over the years I have read a lot of nonsense which promotes an agenda or the flavor of the month "Hype". I think we are only feeling it now because some of the luster is wearing thin.
Like for instance I read the other day this story:
"RADIUS Billing a Thing of the Past: SIP Takes Over"
Huh? SIP takes over RADIUS billing? What has SIP to do with billing? I researched further and found another article to do with SIP and RADIUS in the same magazine, and in the body of the article the author had made a small typo and put "SIP or RADIUS is a good fit" ...instead of "SIP and RADIUS is a good fit"... Obviously the ill-informed author had seized upon that typo to create and "hype" a new story without researching the facts on what exactly RADIUS is.
I think we have to be careful not to believe/react/promote our own press
and stay focused on delivering real world (not just another RFC draft)
secure voice/video solutions to Joe Blow in Australia.
My 2 cents
Simon
At 05:19 AM 9/03/2007, dave_endler at 3com.com wrote:
>Yikes, I'm just now catching up from email after VoiceCon and finally had a chance to read the ComputerWorld article. I didn't realize until now that I had been quoted in it.
>
>Mark Collier and I presented a 3 hour tutorial on VoIP security this Monday at VoiceCon where I think the reporter grabbed all of those quotes from. It's unfortunate that the reporter took about 15 minutes worth of our presentation and used it to further his faulty premise. Our presentation outlined certain threats to general VoIP installations, and then detailed the specific countermeasures that could be applied to mitigate each threat. Mark and I stated several times throughout our presentation that even though there are security concerns associated with deploying VoIP (as with any application), all of the enterprise class VoIP solutions that we had tested are securable with the right amount of effort and research. It's a shame that point didn't get included in the article.
>
>Dan York is spot on with his rebuttal on the VOIPSA blog. Having been in the security industry for a while, I'm not as surprised anymore at fear based reporting. It's just a little more upsetting when it's your own words being taken out of context to sex up a headline.
>
>My hope is that as VOIPSA grows as a voice piece in this industry, we can continue to combat this type of FUD with our projects, guidelines, and outreach messaging.
>
>-dave
>
>Obligatory disclaimer, I work for TippingPoint, which is a division of 3Com that develops VoIP products.
>
>David Endler
>Director of Security Research
>TippingPoint, a Division of 3Com
>
>-----Original Message-----
>From: voipsec-bounces at voipsa.org [mailto:voipsec-bounces at voipsa.org] On
>Behalf Of dan_york at Mitel.com
>Sent: Tuesday, March 06, 2007 3:00 PM
>To: voipsec at voipsa.org
>Subject: Re: [VOIPSEC] ComputerWorld.au: "Enterprises must avoid IP
>telephony for teleworkers or face attack" - and my response
>
>Mason,
>
>Sadly, I think we will continue to see this coverage for some time. Telling people that VoIP works great for teleworkers (when done right) doesn't "sell papers" (or, in today's lingo, "attract links"). Conflict does. Fear does. Ergo... this kind of coverage. (Cue "It's the End of the World as we Know It!"... dang... I need to get a "free-to-play-on-a-podcast" version of that song to play on Blue Box!)
>
>Thanks,
>Dan
>--
>Dan York, CISSP
>Dir of IP Technology, Office of the CTO
>Mitel http://www.mitel.com
>dan_york at mitel.com +1-613-592-2122
>PGP key (F7E3C3B4) available for
>secure communication
>
>Mason Harris <maharris at cisco.com>
>Sent by: voipsec-bounces at voipsa.org
>03/05/2007 03:45 PM
>Please respond to maharris
>
> To: dan_york at Mitel.com
> cc: voipsec at voipsa.org
> Subject: Re: [VOIPSEC] ComputerWorld.au: "Enterprises must avoid IP telephony for teleworkers or face attack" - and my response
>
>
>Dan, I thought your rebuttal in the blog was spot on. Clearly this is a headline aimed at creating paranoia for the uninformed public.
>
>The headline could have just as easily read "Enterprises must avoid
>internet access for remote teleworkers or face attack"
>
>Again we need to help educate the general public that all security controls still apply when connecting your IPTel solution to the internet (split-tunneling is bad, change default pws, turn off unnecessary servers, etc.)
>
>Sadly we'll probably continue to see this kind of "the sky is falling" media coverage as teleworker deployments proliferate. Knowledge is power in this case, I suppose.
>
>cheers,
>Mason
>
>
>dan_york at Mitel.com wrote:
> > VOIPSEC readers,
> >
> > FYI, ComputerWorld in Australia came out today with the article "Enterprises must avoid IP telephony for teleworkers or face attack" found at:
> >
> > http://www.computerworld.com.au/index.php/id;350011373
> >
> > Since I use (secure) teleworker phones every day, I was rather annoyed at their headline and wrote this response (since I couldn't comment at ComputerWorld.au):
> >
> >
> > http://voipsa.org/blog/2007/03/05/why-computerworldau-is-dead-wrong-about-enterprises-must-avoid-ip-telephony-for-teleworkers-or-face-attack/
> >
> > As you would expect, I will naturally talk about this on this week's Blue Box podcast when Jonathan and I record it later this week.
> >
> > Given that ComputerWorld.au is an IDG property, I would expect that this article might show up on other IDG websites over the next while. (PC World, Linux World, Computer World, InfoWorld, NetworkWorld, CIO, CSO, etc.)
> >
> > Regards,
> > Dan
> >
_______________________________________________
Voipsec mailing list
Voipsec at voipsa.org
http://voipsa.org/mailman/listinfo/voipsec_voipsa.org
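Simon Horne's remark above about malformed or oversized INVITE messages bringing down SIP servers is the kind of input a border element should reject before it reaches the PBX. The following is an added example and not code from this thread or from any product it mentions; the size caps and sample messages are constructed for illustration, and the mandatory-header list is the one RFC 3261 requires in every request.

```python
# Added example (not from the thread): sanity checks a SIP border element
# could apply to an INVITE before forwarding it. Caps and samples are constructed.
import re

MAX_MESSAGE_BYTES = 4096          # illustrative cap for a single INVITE
MAX_LINE_BYTES = 512              # illustrative cap for one header line
MANDATORY = ("via", "from", "to", "call-id", "cseq", "max-forwards")
COMPACT = {"v": "via", "f": "from", "t": "to", "i": "call-id", "l": "content-length"}
REQUEST_LINE = re.compile(r"^INVITE sip:\S+ SIP/2\.0$")

def check_invite(raw: bytes) -> list:
    """Return reasons to reject the message; an empty list means it passed."""
    if len(raw) > MAX_MESSAGE_BYTES:
        return ["message exceeds %d bytes" % MAX_MESSAGE_BYTES]   # drop unparsed
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        return ["no blank line terminating the header section"]
    try:
        lines = head.decode("ascii").split("\r\n")
    except UnicodeDecodeError:
        return ["non-ASCII bytes in start line or headers"]
    problems = []
    if not REQUEST_LINE.match(lines[0]):
        problems.append("bad request line: %r" % lines[0][:40])
    headers = {}
    for line in lines[1:]:
        if len(line) > MAX_LINE_BYTES:
            problems.append("header line exceeds %d bytes" % MAX_LINE_BYTES)
            continue
        name, colon, value = line.partition(":")
        name = name.strip().lower()
        if not colon or not name:
            problems.append("malformed header: %r" % line[:40])
            continue
        headers.setdefault(COMPACT.get(name, name), []).append(value.strip())
    problems += ["missing %s header" % h for h in MANDATORY if h not in headers]
    # Content-Length must match the body present; RFC 3261 lets UDP omit it.
    if "content-length" in headers:
        declared = headers["content-length"][0]
        if not declared.isdigit():
            problems.append("non-numeric Content-Length")
        elif int(declared) != len(body):
            problems.append("Content-Length %s != body %d bytes" % (declared, len(body)))
    return problems

# Constructed samples: a well-formed INVITE and one that lies about its body size.
GOOD = (b"INVITE sip:bob@example.net SIP/2.0\r\nVia: SIP/2.0/UDP 192.0.2.1;branch=z9hG4bK1\r\n"
        b"Max-Forwards: 70\r\nFrom: <sip:alice@example.org>;tag=1\r\nTo: <sip:bob@example.net>\r\n"
        b"Call-ID: c1@example.org\r\nCSeq: 1 INVITE\r\nContent-Length: 4\r\n\r\nv=0\n")
BAD = GOOD.replace(b"Content-Length: 4", b"Content-Length: 99999").replace(b"Max-Forwards: 70\r\n", b"")
```

A real deployment would also bound the body and the number of headers; the point is to fail closed on anything the parser cannot account for rather than passing it through.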