TMCnet News

Hacking Scheme, Arrests Highlight Embryonic State of VoIP Security
[June 08, 2006]



TMCnet Executive Editor
 

The hacking scheme that led to the theft of Internet phone service and the subsequent arrests of two alleged perpetrators serve as a high-profile testament that security problems still afflict voice-over-IP (VoIP); however, the improprieties could have easily been prevented at multiple levels, one security expert advised.



 

As previously reported, on Wednesday, federal authorities arrested one man in Miami and another in Spokane, Wash., for hacking into a Rye Brook, NY-based company’s network and spoofing VoIP traffic to its service provider, believed to be IDT Corp.’s Net2Phone subsidiary. One of the individuals, Edwin Andres Pena, then acted as a pseudo-service provider offering wholesale phone connections at discounted rates to others.


 

“It was a 100-percent margin business,” mused Seshu Madhavapeddy, CEO of Sipera Systems, a Richardson, Texas-based VoIP security company.

 

But in a telephone interview with TMCnet, Madhavapeddy on Thursday cautioned that the breaches are no laughing matter and the highly publicized incident might even inspire copycats to resort to criminal activity like intrusion, spoofing or spamming – techniques that aren’t entirely insurmountable but vexing nonetheless.

 

“There are a lot of guys out there that are looking at these guys as role models,” Madhavapeddy warned.

 

The security breakdown actually occurred at two points in the communication system and is the best illustration to date of the embryonic state of VoIP firewalling, i.e., enabling VoIP traffic to traverse the pinholes of a corporate firewall, the security expert explained. Because the firewall has grown to be a reliable (and in some cases the only) security layer in the data realm, enterprises have turned to NAT traversal as a “best-practices” method for voice packets to travel through the network.

 

Yet that alone isn’t enough. Enterprises also need to account for intrusion detection (worms, Trojans, etc.) and direct attacks (spam, distributed denial-of-service, etc.) to safeguard against malicious hackers.

 

“In order to assemble a security system for an enterprise today, you use multiple products,” Madhavapeddy told TMCnet.

 

And, although this particular enterprise slacked when it came to network security, that doesn’t completely vindicate the service provider either, he added. If the service provider had the right application-layer security deployed, they could have even identified the spoofed VoIP traffic.

 

“The carrier has to learn the fingerprints of what typical traffic looks like. Once you do that, you can identify anomalies in those fingerprints,” Madhavapeddy explained.

 

Many products on the market, like Radware for example, do include functionality that allows technology professionals to identify traffic using triangulation. But the value-added services go beyond that: investigating those anomalies, blocking new incoming traffic and reporting the incidents to the proper authorities – be it the IT manager or the police.

 

But because voice packets can’t be handled like data packets, special attention has to be paid to quality-of-service issues.

 

“The (VoIP) security application has to be very deterministic and the latency has to be small,” Madhavapeddy added.

 

----

 

Robert Liu is Executive Editor at TMCnet. Previously, he was Executive Editor at Jupitermedia and has also written for CNN, A&E, Dow Jones and Bloomberg. For more articles, please visit Robert Liu's columnist page.

