VoIP Hacking: So Easy A Caveman Can Do It?

Oct. 27, 2008

Convicted computer hacker Robert Moore, who broke into 15 telecommunications companies and hundreds of businesses, recently pleaded guilty to conspiracy to commit computer fraud. "It's so easy. It's so easy a caveman can do it," Moore told InformationWeek. "When you've got that many computers at your fingertips, you'd be surprised how many are insecure."

Moore 's now infamous quote reminds us all that the more things change, the more they stay the same.

There's a much more technical thread about Moore's quote on the VoIPSA (Voice over IP Security Alliance) website www.voipsa.org , but here's the real lesson — we cannot let the complexity of any new technology cloud our view of what the real security threats are in the digital age of voice and video. The real security threats are nothing new at all.

VoIP hacking is the digital age's version of war dialing — a method of automatically scanning telephone numbers using a modem, usually dialing every telephone number in a local area to find where computers or fax machines are available, then attempting to access them by guessing passwords.

War dialing was the computer age's version of a simple technique used by social engineers for centuries, perhaps going as far back as the days of the caveman. It's just a technical form of eavesdropping.

Breakthrough technology, age-old attack

A recent NYSE survey of 246 CEOs declared that 2008 will be “The Year Of The Customer” — and the customer is demanding unlimited access and an onslaught of new technologies. As security professionals, we understand that we cannot walk into the CEO's office and “just say no.” We have to stay ahead of the hackers until the day finally comes when every company builds good security right into their products at the design phase of product development. Sure…that might happen.

Rather than wait, let's look at the pattern here. One basic tenet of a hacker's attack never changes, no matter how disruptive the technology may look: For every profit-driven breakthrough technology, a profit-driven attack is launched.

Here's a great example. Let's look at “The Pudding” ( www.thepudding.com ). It is “a breakthrough technology that makes conversations even more interesting by displaying Web pages, news and images that are related to your conversation.”

So would you call this “breakthrough technology” eavesdropping or phone tapping? According to the company it is “ad-supported phone calls.”

In a countdown faster than was done for how many days it would take to hack into the iPhone , every social engineer out there is already calculating how many different ways he or she can potentially lure an unsuspecting victim into a “phishing” attack. Or will it be named a “ pudd-shing ” attack?

Here's another breakthrough technology in the communication space worth watching closely: voice-to-text and text-to-voice software combined with visual-audio attendants. Sitepal (www.sitepal.com) is a popular example.

Here's how it works. If you are on a corporate Web site as a new visitor and Sitepal is used, an animated, “lifelike” character shows up to guide you around to find what you are looking for. You can type in a question and the character will audibly speak your answer. There is even software that can translate voice to text and text to voice in multiple languages.

In a 24/7 economy with low unemployment rates and a talent shortage, there is great demand for these types of technologies to support the global customer wherever, whatever and whenever they want to buy.

As a technology, it's all very complex. As a potential opportunity for a hacker, the technology is quite simple — you can replicate a live person and build just the right level of trust needed to entice an unsuspecting victim into disclosing some personally-identifying information they otherwise never would.

What's a CSO to Do?

So what's wrong with meeting customer needs, innovating and technology advancement? Nothing.

The real challenge for the security professional is that the volume and rate of technological advancement has completely outpaced the processes originally designed to support them. Competitive pressures of globalization are forcing new processes to be deployed and new products to be launched in what can only be described as “live R&D” environments. It's overwhelming. So what's a CSO to do?

Here are two basic tenets that every security professional can use as a sanity check when a breakthrough technology or innovative new process is deployed:

Think – What harm can it do?

Remember: the more things change, the more they stay the same.

When you ignore the acronyms and algorithms, when you stop focusing on the bits and bytes, when you tune out the white noise of regulations and compliance-just for a minute; you see a pattern that hasn't changed since the dawn of time. The technology may be innovative, but the ultimate objective of the attackers is not.

Here's one final example. Voice recognition software is about to reach a level of maturity that will rapidly accelerate its adoption by most consumers. Soon you will be able to speak into your cell phone, enabled by mobile VoIP and move money from your checking account to your savings account, hands free at a red light.

Five minutes later, an alert, eavesdropping, voice-recording hacker in the car next to you will be able to move money from your savings account to his Swiss bank account, hands-free at a red light.

Indeed, the more things change, the more they stay the same. Despite the level of complexity required to design, develop and deliver these emerging technologies that all of those new global customers are demanding; hacking into them is still “so easy even a caveman can do it.”

Jackie Bassett is founder and CEO of BT Industrials Inc. Bassett helps CEOs and CSOs of global 500 companies integrate security into their business strategies and processes. Her expertise is in identifying ways to improve business processes, productivity, profitability and shareholder value using security. Her background is in Investment Banking at State Street International and she holds an MBA from Babson College . She is author of the book, A Seat at the Table for CEOs and CSOs . She can be reached at : [email protected]