VoIP Soon to Be a Target for ...

Mark Hall

 

January 15, 2007 (Computerworld) ... hackers, and it won’t be difficult to hit. In Hacking Exposed VoIP, which hit bookshelves last month, authors David Endler and Mark Collier argue that voice-over-IP technology “is about to hit critical mass” and will become a favorite security hole for hackers to slip through to disrupt IT operations. Endler and Collier hope their book can show not just how to crack a VoIP network — which it will — but also how to lock one down.

According to Endler, who is director of security at 3Com Corp.’s TippingPoint division in Austin, hackers have begun to use VoIP in phishing exploits that emulate the interactive voice response systems of legitimate companies. “The rate of vulnerabilities will increase,” says Collier, chief technology officer at SecureLogix Corp. in San Antonio. Distributed denial-of-service attacks are likely and could be devastating to VoIP systems, Collier says, noting that even a modest DDoS attack could make it all but impossible to make VoIP calls because of quality-of-service issues.

Then there’s the problem of privacy. “It’s extremely easy to listen in on a call,” Endler says. It isn’t that much harder to inject noise or even spam into VoIP communications. And speaking of unwanted messages, spam over Internet telephony, or “spit,” is another looming problem. As Collier observes, “There’s nothing today to prevent you from getting as much voice spam as e-mail spam.” Endler says it’s possible to deploy a secure VoIP system, but it’s tough to do it right. So if you’re engaged in a VoIP rollout or are thinking about one, read their book. If you’re not, maybe you should consider yourself lucky.

Stop Web surfers from hurting ...
... themselves and your company. It’s wise, of course, to stop internal users from visiting recognized porn or gambling sites from your company’s PCs. But what about legitimate sites that harbor hidden malware? It’s a growing trend.

For example, according to IDC Denmark, companies in that country were afflicted for the first time last year with more malware originating from Web sites than from e-mail. You could put a filtering appliance on your network that checks for evil exploits buried in Web pages, but you’d likely encounter end-user complaints about latency when the appliance got hammered under heavy loads, says Dan Nadir, vice president of product strategy at ScanSafe Services LLC in San Mateo, Calif.

Nadir argues that only a managed service, such as the one his company offers, can handle peak-demand periods. ScanSafe has a dedicated server farm analyzing everything on Web pages before browsers hit them. Nadir says the company analyzes billions of pages every month. This year, he expects more e-mail filtering services, such as Postini Inc.’s, to offer Web filtering capabilities.

Don’t let your database dictate ...
... the availability of your Web content management system. Cascade Server, an online content management system offered by Atlanta-based Hannon Hill Corp., has many of the same bells and whistles that other CMS tools do. Its role-based access lets end users edit only material they’re authorized to. Its workflow processes can leverage e-mail, RSS and other notification methods. And it can check whether your Web pages meet the needs of handicapped users.

But David Cummings, Hannon Hill’s CEO, thinks Cascade Server’s focus on “aggregating content in a vendor-neutral format” is what really ought to intrigue you. The software achieves vendor independence and ensures high availability by attaching database records associated with each Web page to the page itself. If your database crashes, Cascade still tracks edits, additions, deletions and other changes within the file itself and can be synchronized with your database later. Pricing starts at $40,000 per processor. On March 1, Hannon Hill plans to ship Cascade 5.0, which will include improved site analytics as well as integration with applications from vendors like Salesforce.com.

Call, don’t write, when you need ...
... technical support. John Ragsdale, vice president of research at the Service & Support Professionals Association, regularly polls SSPA members about IT support trends. One he recently found interesting is that many vendors say they aren’t investing in e-mail response tools, despite an increased volume of e-mail to their support desks. Ragsdale thinks IT staffers are using the phone on matters of some urgency and relegating the use of e-mail to “noncritical issues.” Of course, phone calls are more expensive to handle, which in turn fuels increases in service and support costs. So even if you have an 800 number to dial, it could be a toll call in the end.