Voice Over IP Under Threat?
An anonymous reader writes "The IT Observer is discussing the possible scary future of Voice over IP targeted viruses, and what that could mean for the consumer. The article discusses the likelihood that VoIP is going to become even more popular, and the damage that a targeted 'flash virus' could perpetrate in a very short amount of time. From the article: 'Let's imagine a scenario that could become commonplace in the near future: A user has an IP telephony system on his computer (both at home and at work). In his address book on the computer there is an entry, under the name Bank, with the number 123-45-67. Now, a hacker launches a mass-mailing attack on thousands or millions of email addresses using code that simply enters users' address books and modifies any entry under the name Bank to 987-65-43. ... If any of these users receives a message saying that there is a problem in their account, and asking them to call their bank (a typical phishing strategy), they may not be suspicious, as they are not clicking on a link in an email ... If they use their VoIP system to call the bank, they will be calling the modified number, where a friendly automated system will record all their details.'"
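One defence against the address-book tampering described in the summary is for the softphone to seal each contact with a keyed MAC and refuse to dial an entry that no longer verifies. The sketch below is an added example, not code from the article or from any VoIP product; the function names, the second contact and the key are constructed, and it assumes the key is held somewhere the code that edits the address book cannot read (an OS keystore or a hardware token).

```python
import hashlib
import hmac
import json

# Constructed key for the example; assumed to live outside the user's profile.
KEY = b"example-key-held-in-os-keystore"

def _mac(name, number, key):
    # The name is bound into the MAC so a valid seal cannot be moved to another entry.
    msg = json.dumps({"name": name, "number": number}, sort_keys=True).encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()

def seal(address_book, key):
    """Return a {name: MAC} baseline for every entry the user has approved."""
    return {name: _mac(name, number, key) for name, number in address_book.items()}

def audit(address_book, baseline, key):
    """List (name, status) for entries that differ from the sealed baseline."""
    findings = []
    for name in sorted(set(address_book) | set(baseline)):
        if name not in address_book:
            findings.append((name, "removed"))
        elif name not in baseline:
            findings.append((name, "added"))
        elif not hmac.compare_digest(baseline[name], _mac(name, address_book[name], key)):
            findings.append((name, "modified"))
    return findings

def safe_to_dial(name, address_book, baseline, key):
    """True only if the entry exists and still matches what the user approved."""
    if name not in address_book or name not in baseline:
        return False
    return hmac.compare_digest(baseline[name], _mac(name, address_book[name], key))

def demo():
    # Constructed address book using the numbers from the quoted scenario.
    book = {"Bank": "123-45-67", "Alice": "555-01-00"}
    baseline = seal(book, KEY)
    book["Bank"] = "987-65-43"  # the silent edit the article describes
    return audit(book, baseline, KEY), safe_to_dial("Bank", book, baseline, KEY)

if __name__ == "__main__":
    print(demo())
```

Legitimate edits would re-seal the entry through a path that requires the user's confirmation, which is what separates them from the silent change.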
And that's why... (Score:4, Interesting)
But that's just my opinion.
Re:The problem of telephony + the Internet... (Score:4, Interesting)
Scaremongering (Score:2, Interesting)
OMFG, What if someone wrote a virus that relinked your favorites in your browser to point directly at the phishing sites?
Just like VoIP and cell phones and your browser, when you click on a contact or favorite, the vast majority of them show you the underlying value. If you don't recognize that number, end the call. You need to be cognizant of what is happening. It is your fault, not the technologies' fault, if something bad happens due to something like this.
What about a BotNet? (Score:3, Interesting)
Maybe a FUTURE problem (Score:4, Interesting)
In short, we know the threat. And we're also the ones who use VOIP predominantly, aside from companies (who better have someone like us as their IT-security person there). Auntie Mable and Joe Hicksberger won't switch to VOIP any time soon.
So personally, I'd rate THAT threat low. At least for now.
Re:You could just stop using Windows... (Score:5, Interesting)
Now, I understand in the Slashdot world, anything that pokes at Microsoft and Windows is instantly thought of as insightful and true, but what the hell does this problem have to do with Microsoft? This problem exists because of social habits of human beings. Most phishing scams work only when there is action taken by a victim that is either uncaring, or doesn't know better.
I recently received a phishing scam email from somebody purporting to be Wells Fargo Bank. First clue is obvious, I don't have an account with them, but I was curious. So I clicked the link in Firefox. The site comes up, looks similar to the real Wells Fargo site, but has a completely non-legitimate URL. So then I clicked the link in IE7. Guess what, IE7 knew it was a phishing site.
So in my above example, Microsoft was not at fault, in fact, they were proactive enough to protect the user. Stop blaming third parties for what amounts to human error. And if you think OS diversity would help the problem, you are wrong. People react the same way to phishing scams regardless of OS.
And your suggestions are absolutely insane. One thing that computing monoculture brings is a standard implementation. How would the average consumer react if they were told "this software won't work on this OS" or worse "this software only works on certain flavors of Linux, but not yours". The reason the PC grew so quickly was the ability to choose between different software and hardware easily, and be sure of compatibility. Sure, niche markets existed, such as the Mac, but the PC was much more extensible and much more desirable.
-dave
Re:You could just stop using Windows... (Score:3, Interesting)
Or, it would only require a user to run certain software, which is the reason a lot of people get malware/spyware on their computers in the first place.
Yeah, trojans are a problem, although all the studies I've seen by number of infections put malware without user interaction in the lead.
This would not stop if there were no holes. It would only stop if there was a way to ensure that people didn't run software they download AND that any software provided to them was legitimate.
OS's don't need to prevent software from running, just have mechanisms to determine trust levels (signing) and provide granular controls based upon those trust levels, while keeping the user informed about what is happening. The problem with trojans isn't that people double click on things, it's that when they do so the OS doesn't tell them if they ran a program or opened a file, and if a program how trustworthy is it and what is it doing, and giving them the option to stop it from doing things they don't want it to do. The average user never, ever, ever installs a program that they want to have access to their e-mail addresses and phone numbers. Why then can a user click on something called nakedpic.jpg and have a program silently access and modify that list? There is no technical reason and there are even OS's in use today that will stop exactly that.
The problem is that many people get annoyed at those prompts to the point that they turn them off (if that's an option) or they ignore them.
This is called poor UI design. If there are so many prompts that users get annoyed, you've messed up your design. The example I gave above will show a prompt that will never be seen by 99% of users. If the user can ignore a prompt it was poorly designed, like almost all prompts on Windows. People can ignore prompts because most of them are useless and they almost all have the same two options (OK)(Cancel). A proper dialogue would say something like, "The program 'nakedpic.jpg.exe' would like to read and modify your phone numbers (Stop it from changing my phone numbers)(Let it change my phone numbers once)(Always let it change my phone numbers)(Advanced Options)." So the user has four options all in plain English. They must either read at least one of them, or pick randomly, and even that would be better than defaulting to always allowing everything. People who think UI design is not a security issue (like MS) are way off base.
The average consumer just doesn't know when to allow permissions and when not to.
There are probably people in the world that could not understand the message I gave as an example. They are few and far between. For the rest, it is more a matter of giving them the info and control they need, rather than asking them obscure questions in technobabble, most of which are wholly unnecessary.
Consider that XP is the dominant OS, and that IE7 was rolled out through Windows Update, yes.
Assuming all users running a system that supported it and IE6 have already switched, it would have 54% according to the numbers I've seen, so yeah, most but not by a lot.
Irrelevant. The average consumer is running XP, and therefore has IE7.
No, it isn't irrelevant. A lot of people are on Win2K and MS decided not to support them. Would they have made the same decision if they did not have monopoly control of the market?
I don't know. But it recognized it, and Firefox didn't. So I fail to see how Microsoft could be blamed in this instance.
I'm not blaming MS at all, just asking a question and hopefully implying that anecdotal evidence is not particularly useful for making decisions. The point I was making was that MS can do a lot more to stop malware. I showed an example of how they could do so above. Now, I'll hypothesize a reason. MS has no need to respond to customers and give them what they want because they have no competition and, as such, no motivation to do so. I firmly believe that if MS was bro