VoIP Hacking: So Easy A Caveman Can Do It?

Convicted computer hacker Robert Moore, who broke into 15 telecommunications companies and hundreds of businesses, recently pleaded guilty to conspiracy to commit computer fraud. "It's so easy. It's so easy a caveman can do it," Moore told InformationWeek. "When you've got that many computers at your fingertips, you'd be surprised how many are insecure."

Moore's now-infamous quote reminds us all that the more things change, the more they stay the same.

There's a much more technical thread about Moore's quote on the VoIPSA (Voice over IP Security Alliance) website (www.voipsa.org), but here's the real lesson — we cannot let the complexity of any new technology cloud our view of what the real security threats are in the digital age of voice and video. The real security threats are nothing new at all.

VoIP hacking is the digital age's version of war dialing — a method of automatically scanning telephone numbers using a modem, usually dialing every telephone number in a local area to find where computers or fax machines are available, then attempting to access them by guessing passwords.

War dialing was the computer age's version of a simple technique used by social engineers for centuries, perhaps going as far back as the days of the caveman. It's just a technical form of eavesdropping.

Breakthrough technology, age-old attack

A recent NYSE survey of 246 CEOs declared that 2008 will be “The Year Of The Customer” — and the customer is demanding unlimited access and an onslaught of new technologies. As security professionals, we understand that we cannot walk into the CEO's office and “just say no.” We have to stay ahead of the hackers until the day finally comes when every company builds good security right into their products at the design phase of product development. Sure…that might happen.

Rather than wait, let's look at the pattern here. One basic tenet of a hacker's attack never changes, no matter how disruptive the technology may look: For every profit-driven breakthrough technology, a profit-driven attack is launched.

Here's a great example. Let's look at “The Pudding” (www.thepudding.com). It is “a breakthrough technology that makes conversations even more interesting by displaying Web pages, news and images that are related to your conversation.”

So would you call this “breakthrough technology” eavesdropping or phone tapping? According to the company it is “ad-supported phone calls.”

In a countdown faster than the one for how many days it would take to hack into the iPhone, every social engineer out there is already calculating how many different ways he or she can potentially lure an unsuspecting victim into a “phishing” attack. Or will it be named a “pudd-shing” attack?

Here's another breakthrough technology in the communication space worth watching closely: voice-to-text and text-to-voice software combined with visual-audio attendants. Sitepal (www.sitepal.com) is a popular example.

Here's how it works. If you are on a corporate Web site as a new visitor and Sitepal is used, an animated, “lifelike” character shows up to guide you around to find what you are looking for. You can type in a question and the character will audibly speak your answer. There is even software that can translate voice to text and text to voice in multiple languages.

In a 24/7 economy with low unemployment rates and a talent shortage, there is great demand for these types of technologies to support the global customer wherever, whatever and whenever they want to buy.

As a technology, it's all very complex. As a potential opportunity for a hacker, the technology is quite simple — you can replicate a live person and build just the right level of trust needed to entice an unsuspecting victim into disclosing some personally-identifying information they otherwise never would.

What's a CSO to Do?

So what's wrong with meeting customer needs, innovating and technology advancement? Nothing.
