Voice Over IP Under Threat?
An anonymous reader writes "The IT Observer is discussing the possible scary future of Voice over IP targeted viruses, and what that could mean for the consumer. The article discusses the likelihood that VoIP is going to become even more popular, and the damage that a targeted 'flash virus' could perpetrate in a very short amount of time. From the article: 'Let's imagine a scenario that could become commonplace in the near future: A user has an IP telephony system on his computer (both at home and at work). In his address book on the computer there is an entry, under the name Bank, with the number 123-45-67. Now, a hacker launches a mass-mailing attack on thousands or millions of email addresses using code that simply enters users' address books and modifies any entry under the name Bank to 987-65-43. ... If any of these users receives a message saying that there is a problem in their account, and asking them to call their bank (a typical phishing strategy), they may not be suspicious, as they are not clicking on a link in an email ... If they use their VoIP system to call the bank, they will be calling the modified number, where a friendly automated system will record all their details.'"
Logical progression (Score:5, Insightful)
Open VoIP Clients are Safer (Score:3, Insightful)
VoIP-Spam is another threat (Score:3, Insightful)
VoIP will be cheap enough for spammers, and easy to handle by spamrobots...
Why would this threaten VoIP? (Score:5, Insightful)
VERY UNLIKELY, see why... (Score:4, Insightful)
Re:VoIP-Spam is another threat (Score:3, Insightful)
Whaaat? (Score:2, Insightful)
What if someone hacks the telephone exchange and redirects all calls to the bank to a new number?
What if I get a letter from my bank saying they have moved, and a phisher builds a new bank at that address, thus allowing them to take all my details?
Re:Logical progression (Score:0, Insightful)
Re:and? (Score:3, Insightful)
Re:You could just stop using Windows... (Score:5, Insightful)
I'll never get caught by a phishing scam because my web browser doesn't support the HTML used on fake-paypal.com and I can't even connect to it anyway because I'm using a brand of TCP/IP used only by myself and a handful of
Call me crazy, but I want to work on something that I can easily share with my colleagues - I want the most open digital environment I can get.
I refuse to accept that lazy/poor programmers can excuse the security holes in their products by claiming that everyone should be aiming for security through obscurity. Let's stop blaming Windows/Internet Explorer users for the insecurity of the products they use. Security through diversity is just renamed security through obscurity; it's no security at all.
Re:The problem of telephony + the Internet... (Score:5, Insightful)
I have been doing it for a while now (need to clean the code for the AGI plugin and post it). For my incoming phone lines I have scheduled times when the phone does not ring, when it rings only in my office for known callerIDs or when it rings for everyone who has not withheld their callerid. Trivial to do with asterisk+perl-AGI and quite more powerful compared to the default autoattendant.
The article brands all VOIP to be Skypelike (and vice versa). VOIP is not just PC based systems and this attack currently applies only to PC based systems. In addition to that it is limited to a specific VOIP system. A valid Skype attack is not applicable to Yahoo, MSN, SIP phones, etc.
Things may change in the future when integrated contact management and click-to-dial become commonplace. This is not common enough now and can be found only on PHB/Sales laptops so it is not yet an attack vector that is worth mentioning. By the way, this will apply to any phone system that has click to dial, not just VOIP. Now having outlook+voip worm - that is a scary thought...
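The time- and caller-ID-based screening described in the comment above can be sketched as an Asterisk AGI script. This is an added example in Python, not the poster's Perl code; the time windows, the known-caller numbers, the `SCREEN_ROUTE` variable name, the treatment of "unknown" as a withheld ID, and sending non-ringing calls to voicemail are all assumptions made for illustration.

```python
import sys
from datetime import datetime, time

# Assumed policy values (constructed for illustration).
KNOWN_CALLERS = {"5550100", "5550101"}
QUIET = (time(22, 0), time(7, 0))        # nobody rings
OFFICE_ONLY = (time(7, 0), time(9, 0))   # known callers ring the office phone

def in_window(now, window):
    """True if now falls in [start, end), including windows that wrap midnight."""
    start, end = window
    if start <= end:
        return start <= now < end
    return now >= start or now < end

def read_agi_env(stream):
    """Parse the 'agi_key: value' block Asterisk sends first, up to the blank line."""
    env = {}
    for line in stream:
        line = line.strip()
        if not line:
            break
        key, _, value = line.partition(":")
        env[key.strip()] = value.strip()
    return env

def decide(env, now):
    """Return the routing decision for one incoming call."""
    cid = env.get("agi_callerid", "")
    withheld = cid in ("", "unknown")    # assumption: how a withheld ID appears
    if in_window(now, QUIET):
        return "VOICEMAIL"
    if in_window(now, OFFICE_ONLY):
        return "OFFICE" if cid in KNOWN_CALLERS else "VOICEMAIL"
    return "VOICEMAIL" if withheld else "ALL"

def main():
    env = read_agi_env(sys.stdin)
    route = decide(env, datetime.now().time())
    # SET VARIABLE is a standard AGI command; the dialplan branches on the
    # hypothetical SCREEN_ROUTE channel variable afterwards.
    sys.stdout.write(f"SET VARIABLE SCREEN_ROUTE {route}\n")
    sys.stdout.flush()
    sys.stdin.readline()                 # consume the "200 result=1" reply

if __name__ == "__main__":
    main()
```

Caller ID is asserted by the calling side, so a filter like this is a convenience control rather than authentication of who is calling.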
Re:And that's why... (Score:3, Insightful)
Re:And that's why... (Score:5, Insightful)
Re:You could just stop using Windows... (Score:3, Insightful)
Now, I understand in the Slashdot world, anything that pokes at Microsoft and Windows is instantly thought of as insightful and true, but what the hell does this problem have to do with Microsoft?
The attack described relies upon a worm that can compromise desktop systems. Worms are a lot easier to implement if there are a huge number of identical targets with identical holes. Currently that target is Windows.
This problem exists because of social habits of human beings. Most phishing scams work only when there is action taken by a victim that is either uncaring, or doesn't know better.
You're assuming that improvements to computers can't significantly reduce the risk of the described phishing attack, but that is not the case. Simply by having many different OS's and browsers this type of attack would become a whole lot harder. Further, there is no reason why a given OS should grant a new binary access to read or write to your phonebook without explicit approval from the user with some pretty strongly worded warnings in plain English. In a free market, I'm guessing every desktop OS would include this functionality as soon as it became an issue, but Windows has not done so, despite worms grabbing data from the e-mail address book. The reason for this is, quite simply, it doesn't cost MS a significant amount of money when people are compromised because the vast majority of users don't have realistic options of other OS's (it's not at walmart, kmart or meijer).
So in my above example, Microsoft was not at fault, in fact, they were proactive enough to protect the user.
Do most users have IE7? Is it even available on Win2K? Did IE7 recognize it as a phishing site before a significant number of people had already been there?
Stop blaming third parties for what amounts to human error.
Sure some malware and scams are the result of human error, but a lot of them are also the result of poorly designed software for the environment in which it is operating.
And if you think OS diversity would help the problem, you are wrong. People react the same way to phishing scams regardless of OS.
The previous poster was specifically talking about the scenario in the article. That scenario required that the system was compromised by a worm. Diversity of OS's does reduce the ability of worms to spread and diversity of OS's motivates companies to innovate solutions to outcompete others. Those innovations may include ways to stop worms, don't you think? Maybe instead of complaining about people's opinions by trying to apply them to a situation they weren't talking about you should consider them in terms of what we're discussing.
How would the average consumer react if they were told "this software won't work on this OS" or worse "this software only works on certain flavors of Linux, but not yours".
Who says that would be the case? If other OS's were common the practice of writing portable code that worked on multiple OS's and offering them would be more profitable and thus more common. Further, VM software, like portable Java apps would be more profitable. Your cause and effect is reversed. People offer software only on one platform because there is one dominant OS. When there were multiple competing platforms, even long ago, there was more software offered with cross-platform options.
Re:And that's why... (Score:3, Insightful)