Forgot your password?
typodupeerror
Security Communications The Internet

Voice Over IP Under Threat? 148

Posted by Zonk
from the keeping-phone-calls-expensive dept.
An anonymous reader writes "The IT Observer is discussing the possible scary future of Voice over IP targeted viruses, and what that could mean for the consumer. The article discusses the likelihood that VoIP is going to become even more popular, and the damage that a targeted 'flash virus' could perpetrate in a very short amount of time. From the article: 'Let's imagine a scenario that could become commonplace in the near future: A user has an IP telephony system on his computer (both at home and at work). In his address book on the computer there is an entry, under the name Bank, with the number 123-45-67. Now, a hacker launches a mass-mailing attack on thousands or millions of email addresses using code that simply enters users' address books and modifies any entry under the name Bank to 987-65-43. ... If any of these users receives a message saying that there is a problem in their account, and asking them to call their bank (a typical phishing strategy), they may not be suspicious, as they are not clicking on a link in an email ... If they use their VoIP system to call the bank, they will be calling the modified number, where a friendly automated system will record all their details. ' "
This discussion has been archived. No new comments can be posted.

Voice Over IP Under Threat?

Comments Filter:
  • by Ingolfke (515826) on Friday January 05, 2007 @11:14AM (#17473536) Journal
    is that people will call you up during your dinner to tell you that you're long lost uncle's oil wealth is available to you in Madagascar or about the wonders of this new herbal male health pill.
    • by HugePedlar (900427) on Friday January 05, 2007 @11:18AM (#17473624) Homepage
      I wonder if VOIP might solve this to some extent. After all, with Asterisk or similar, the home user can set up an "Auto-Attendant", or menu system to filter calls that get through. Perhaps even some form of voice recognition (recognising people's voices in your address book, or, controversially, an Indian accent) might become common. I suspect VOIP will make the telemarketers' jobs harder in the end.
      • by arivanov (12034) on Friday January 05, 2007 @12:02PM (#17474380) Homepage
        Exactly.

        I have been doing it for a while now (need to clean the code for the AGI plugin and post it). For my incoming phone lines I have scheduled times when the phone does not ring, when it rings only in my office for known callerIDs or when it rings for everyone who has not withheld their callerid. Trivial to do with asterisk+perl-AGI and quite more powerfull compared to the default autoattendant.

        The article brands all VOIP to be Skypelike (and vice versa). VOIP is not just PC based systems and this attack currently applies only to PC based systems. In addition to that it is limited to a specific VOIP system. A valid Skype attack is not applicable to Yahoo, MSN, SIP phones, etc.

        Things may change in the future when integrated contact management and click-to-dial becomes commonplace. This is not common enough now and can be found only on PHB/Sales laptops so it is not yet an attack vector that is worth mentioning. By the way, this will apply to any phone system that has click to dial, not just VOIP. Now having outlook+voip worm - that is a scary thought...
        • by ajs318 (655362)

          or when it rings for everyone who has not withheld their callerid.

          You actually answer the phone to ACs?

          I uses to pretend to be a recorded message, saying {in a slightly posh accent} "Anonymous calls are not welcome on this line. If your business is important, you may ring back without withholding your number." {still have to on my mobile}. Then I found out about Incoming Call Barring. Sweet! Only bad thing about it is you can't change the message.

          • by arivanov (12034)
            You actually answer the phone to ACs?

            99% of recruiters in the UK call as ACs for reasons of sheer stupidity prevalent in the industry. As a result if you want to have a job, you have no choice, but to answer ACs. The only thing you can do about that is to prearrange the calls. In any case you have to have a phone indicating a ring for these - note, the phone which actually "rings" on these in the house is my office phone which has the ringer off and only a visual indication.

            In addition to that Cambridge

            • by ajs318 (655362)
              Well, not on my line they don't -- I've had ACs blocked at the exchange. If their equipment is fouled-up, that's not my problem <parisian shrug /> and I don't intend to do anything about it. If somebody knows my number, I have a right to know their number!

              An anonymous phone call is the telephonical equivalent of being accosted from behind by a masked stranger. Frankly, I'm amazed it's even legal in this day and age.

              If someone's really desperate to get through to me from behind a badly-design
        • By the way, this will apply to any phone system that has click to dial, not just VOIP

          That was my thought exactly. I use vonage and don't have an address book on my computer. However, lots of people with conventional phones use Outlook. Changing phone numbers in address books should have been a concern many years ago, and is no more of a concern today.

          Hell, I had "click" (F10 key, I think...) to dial on my old Tandy 1000! Modem dialed, then I lifted the handset and the modem disconnected so I could talk.

      • Re: (Score:3, Funny)

        by tehcyder (746570)
        Perhaps even some form of voice recognition (recognising people's voices in your address book, or, controversially, an Indian accent) might become common.
        So you'd set up a filter especially to recognise and let through any caller with an Indian accent? That's a fine example of multi-cultural tolerance, it makes such a change from the usual racism on slashdot. Well done sir!
        • by dodobh (65811)
          I would turn it on for everything except a Tamil accent (for some reason I am being telemarketed to by Tamil with an extremely pronounced accent). I know a bunch of Tamilians who don't have any such accent, so I guess it's a side effect of the move into the smaller towns.
      • by gregmac (629064)
        There's a great script on voip-info.org to use to torture telemarketers [voip-info.org].
  • by CommunistHamster (949406) <communisthamster@gmail.com> on Friday January 05, 2007 @11:15AM (#17473542)
    This seems a logical progression of phishing, but it's hardly going to be a large impediment to the adoption of VOIP. Phishing hasn't dissuaded people from using email.
  • And that's why... (Score:4, Interesting)

    by AltGrendel (175092) <ag-slashdot@@@exit0...us> on Friday January 05, 2007 @11:15AM (#17473554) Homepage
    ...I'm still using copper. I know that this will work itself out, that the technology will improve, etc, etc.. but until it does, I'm going to stay away from it. For me, it doesn't make sense to be an early adopter of VoIP.

    But that just my opinion.

    • The only reason I have copper is for E911 service and in case of power failure. I use my cellfone for 99.9999% of all calls even at home. I just like having a little redundancy in case of emergency.
      • by powerlord (28156)

        The only reason I have copper is for E911 service and in case of power failure. I use my cellfone for 99.9999% of all calls even at home. I just like having a little redundancy in case of emergency.

        Exactly.

        Cell Phone for day-to-day calls.
        Cable Modem for day-to-day internet use.
        POTS for reliability when all else goes to heck.

        In the past ten years I've had both Cell and Cable fail and in each case I was able to fall back on POTS to handle my basic needs (and we're talking the center of a major urban metropoli

      • by avdp (22065) *
        I have Vonage and I have E911. Never had to use it so far, but it's there. It's by law (fairly recent) that they provide this service.
    • Not me man, I'm using copper AND VOIP.
    • Re: (Score:3, Funny)

      Yes, I'm following the same strategy with email...
    • by misleb (129952)
      Oh, i think we're past the early adopter stage of VoIP. By now it is pretty mature. I've been using VoIP for a couple years. I save a lot of money on my phone bill. What exactly are you waiting for?

      The ONLY practical difference between my VoIP service and POTS is that I only have a single port for my POTS phone to plug into. I can't run telephone line everywhere. But that is easily solved by getting a set of cordless phones that all share a common base.

      -matthew
      • I'm not sure of how your house is setup, but I was able to get around this problem without cordless phones. I unplugged the internal phone wiring at the junction box in my garage, seperating it from the external phone system. Then I plugged the VoiP box's phone port directly into the existing phone jacks. Now any phone plugged into a normal phone jack anywhere in the house works off the VoiP. Of course this only works if you can disconnect your internal wiring from the external phone system.
        • by misleb (129952)
          Yeah, I would have tried that except that I live in an apartment and can't disconnect the the system at the junction box. Also, I'd heard that you are not supposed to run many phones off of one ATA. I assume because of power draw or some such, but I never verified it.

          In any case, I prefer cordless phones. So I might as well get a set of them.

          -matthew
    • Re: (Score:3, Insightful)

      by walt-sjc (145127)
      Don't worry, this article is mostly FUD. For one, it assumes that all phones will be vulnerable to the same flaws. They won't - they run MANY different code bases. There is no mono-culture in VoIP like there is with desktop operating systems (well, except for the Skype example - I don't use skype anyway due to the closed/proprietary nature of it.) It also assumes that any security flaws won't be fixed or addressed. Anyone that deals with IP phones knows that new firmware comes out every few months. If you h
      • by walt-sjc (145127) on Friday January 05, 2007 @12:27PM (#17474794)
        Oh yeah - one more thing - who does the author of this article work for? Hmm. Panda. What do they do? Antivirus and security software. Self serving FUD is what this is.
        • by Macthorpe (960048)
          Give this guy a cigar.

          I loved the end quote to the article:

          "In this way users will be properly protected against any possible waves of attacks using voice over IP systems. For traditional problems (known malicious code), signature-based scanning; for new problems, new technologies (intelligent detection of unknown code)."

          What, something like your goddamn TruPrevent Technology [pandasoftware.com] which repeatedly identified my uTorrent client as malware and my connection to WoW as an e-mail virus?

          I think not, chumps!
    • Re: (Score:3, Insightful)

      by radish (98371)
      I still use copper too. The copper in my coax cable which carries my internet traffic, and with it, my VOIP calls. Of course, what this article is talking about is people who use autodialers of one kind or another - which includes cell phones, PBXs with click-to-call, Skype, etc - it's got nothing to do with VOIP as a technology for transmitting the voice data. My VOIP solution uses a perfectly normal phone, not a computer, and so until Uniden and VTech start issuing vulnerability warnings I think I'm OK.
    • What? So you refuse to adopt new technologies at the slightest sign of danger? My suggestion: Stay the hell away from all electronics. They could shock you.
  • I have to say that using malware on VoIP hopes but cannot assume that VoIP is even functional and stable enough to do that. Maybe other people have a different experience but CallVantage is not ready for primetime and if they want to use it for exploits and malware they'll have to compete with the utter crappiness of the service that works like malware all on its own.
    • by Cutie Pi (588366)
      I had a great experience with CallVantage for about 6-months. I actually forgot that we had VoIP most of the time. But then Charter, who handled the cable interet connection, did something and my connection became slow and unreliable. I ended up ditching the cable and going with DSL. I see no reason to pay $30/mo for VoIP when I already have phone service (it comes with the DSL), so I'm looking at Skype now for long distance calls.
      • by gelfling (6534)
        My problem is with CV. Cable works fine. But CV drops out at random nearly every day. No dial tone, nada. This requires me to unplug and reboot my cable modem, router and TA. AT&T thinks this is trivial, normal and acceptable. I on the other hand want their home addresses so I can firebomb them. I mean it's a goddamn phone. A PHONE. We licked the 'maybe it works maybe it don't' problem around the year 1890 or so. For my thinking, VoIP is an ENORMOUS step back in terms of reliability and simple ease of u
  • by Doc Ruby (173196) on Friday January 05, 2007 @11:17AM (#17473582) Homepage Journal
    Who's got an OSS Flash or Java applet that is a SIP or IAX client? If we keep the VoIP SW on the server (tested and upgraded), and give it access to our network/AV HW only on request in a sandbox, we're pretty safe against viruses. These applets can be signed and distributed easily, unlike OS-installable full apps, or dedicated HW.
    • I don't know if such a thing exists but you sound like just the right guy to code one up. Shoot me a message when you're done.
    • by Cheesey (70139)
      Open VoIP Clients are Safer

      Yes they are. And good ones are already available. You can now use OpenWengo [openwengo.org] as an alternative to Skype - it's GPL'ed code and uses a standard protocol (SIP), making it interoperable with most VoIP software. Except Skype.

      Skype is a closed-source minefield of terrifying security holes just waiting to be stumbled upon by black hats and exploited for the usual reasons. It's a ready made peer to peer infrastructure that always uses encrypted communications, just waiting to be made int
      • by Doc Ruby (173196)
        OpenWengo is an OS-installed app, not an auto-installed downloadable app maintained on the VoIP server. Their Flash applet is closed source.

        If the distribution and maintenance process is slowed down by requiring users to install (continuously bugfixed) apps under their OS, the ecosystem will remain riddled with insecurity.
  • by Rastignac (1014569) on Friday January 05, 2007 @11:17AM (#17473594)
    Spams in my inbox is painfull. Spams using VoIP will be very very painfull.
    VoIP will be cheap enough for spammers, and easy to handle by spamrobots...
    • Re: (Score:3, Insightful)

      by HugePedlar (900427)
      So you set up a menu system: "Press 3 if you're not a spambot". Solved, more or less.
    • by kfg (145172)
      Spams in my inbox is painfull.

      Try using a cigar/lubricant/antibiotic.

      KFG
    • by Oriumpor (446718)
      Will be? I already get spanish language telemarketing auto dialer messages on my skype account, luckily I can just "Block" but still. The idiots^H^H^H^H^Hmarketeers are out there and their numbers are growing. It's not really a question in my mind of when, but how bad it's going to get.
  • by Raistlin77 (754120) on Friday January 05, 2007 @11:17AM (#17473596)
    I would say there are likely far more people who use regular landlines and cell phones and don't use VoIP, but that do still maintain phone books on their computers. If they call with their regular phone, the same will occur. Why drag VoIP into the cross-hairs alone?
    • by Tim C (15259)
      Well, personally I think I'd notice that the number was wrong if I looked it up and it had been changed - I know roughly what it should be, so if it's much different I'll be suspicious or confused, and likely check their website.

      On the other hand, if I just fired up my VoIP software and double-clicked the "Bank" entry in a phone list, I may never even suspect that anything's amiss.

      No, this isn't VoIP-specific, but I can see how it might be made *easier* if the person uses VoIP.
      • No, this isn't VoIP-specific, but I can see how it might be made *easier* if the person uses VoIP.

        The difference is that with a VoIP system, the system actually uses your computerized address book to do the dialing. Even more troubling is the possibility of modifying the VoIP such that when you (or your address book) dial the correct number for your bank, it actually dials a number that the hacker owns.

        1. User or phonebook dials bank: (123) 456-7890
        2. VoIP system displays 'dialed' number: (123) 456-7890
        3. VoI
    • by TobascoKid (82629)

      Why drag VoIP into the cross-hairs alone?
      Because then no one would take any notice of it. It's all a bit of a stretch, even with VoIP in the mix.
  • by Kookus (653170)
    Isn't the same type of thing possible for cell phones?
    Last I checked, I didn't have my bank's phone number in my address book, seems kind of odd to have something like that anyways.
    Do people really call their banks with any regularity to need an entry in their address book?
    • by balsy2001 (941953)
      I haven't called my bank in over a year. I haven't found anything I can't do online yet. I even got a certified cheque to close on a house without talking to anyone.
      • by Andy Dodd (701)
        While my bank has quite a few online services, it appears that many require a phone call or in-person visit.

        Of course, since my bank has a branch office right next to my company's cafeteria, I don't consider this an issue. :)

        I don't store numbers in any address book that are on websites I frequently use, this includes all of my banks. (100% of phone calls to the bank are usually the result of a "you can't do this online, call 1-800-xyz-abcd".
    • Re: (Score:3, Insightful)

      by LurkerXXX (667952)
      It's not at all a bad thing to have in your phone's address book. Say you are on a trip and your wallet gets stolen, etc. You may want to call your bank, credit card company, etc, very quickly to put stops on your accounts.
  • by jrwr00 (1035020)
    Wow, lets hope there isnt a way where i really dial 712-145-1511 and it really calls 213-215-1111 that would be big shit......as far as i see it, its just editing your speedial
  • by crazyjeremy (857410) * on Friday January 05, 2007 @11:18AM (#17473604) Homepage Journal
    This seems to be a misleading article. Most phishing techniques do not use elaborate setups as suggested. They use very simple techniques. Oddly enough, the article author seems to agree.
    Evidently, this would require a large degree of innovation, research and development on the part of the creators of malicious code, and I genuinely doubt that they would bother.
    The potential scenerio quoted in the post is so far fetched, it's doubtful anyone will ever pull it off. It involves hacking their voip system, home computer (and address book), a mass-mailing spam which happens to also include the email address of the hacked computer, user intervention (they must read the spam and respond), and the hacker must also have a good enough radio voice to fool the homeowner into thinking he's actually calling his real bank. Don't know about you, but we're not to afraid of this possible Voice over IP threat.
    • by Billosaur (927319) *

      The potential scenerio quoted in the post is so far fetched, it's doubtful anyone will ever pull it off. It involves hacking their voip system, home computer (and address book), a mass-mailing spam which happens to also include the email address of the hacked computer, user intervention (they must read the spam and respond), and the hacker must also have a good enough radio voice to fool the homeowner into thinking he's actually calling his real bank.Don't know about you, but we're not to afraid of this possible Voice over IP threat.

      Far fetched? Hey, the author thought it up, didn't he? Everything is far fetched (sailing around the world, explaining gravity, travelling into space) until someone actually does it. This technique requires thought and some actual work. So? If there's money in it, someone or some group out there with the wherewithal and time on their hands will try and exploit it, because basically they know your average computer users are sheep, and they have these nifty shears. It's this kind of complicated and non-obvi

    • by ischorr (657205)
      Also, that the phisher has figured out WHICH bank this particular person uses, and has set up a phone number/system specifically for that bank. Hearing the message "Thank you for calling THE BANK" might be a tip-off that something's up. ...And all of this without leaving enough of a trail that they'll be caught.
    • Far fetched? Not really. Difficult to pull off and thus unlikely due to not being the low hanging fruit? That's more like it.

      This "technique" is already possible. A mass mailed email worm (or whatever) modifies the user's "hosts" file (C:\WINDOWS\System32\Drivers\etc\hosts) so that www.paypal.com gets pointed to his or her IP address. The usual precautions the victim would engage in wouldn't apply, as the victim would actually be going to the website directly (rather than clicking on a link in an email)

      • by walt-sjc (145127)
        Yes it is far fetched. Unlike the world of Windows, there is no monoculture in VoIP. In fact, it's a big jumble of crap right now, with many different competing protocols. With the sole exception of the abortion that is skype (being closed-source, closed protocol, encrypted PTP) you NEVER know what your victim will have for service / equipment. If they have vonage, what phone do they have? Probably just an ATA with a standard phone hooked up, and even then it can be one of 18 different models.

        The only way y
  • And if I go out at night, and if I wear all black, and if a car comes towards me with no headlights on then I might get run over.

    Seriously though, there were an awful lot of 'if's and 'maybe's in that, and at least one of those steps can be avoided by being at least slightly knowledgable about the internet. It's a matter of education and in that respect people have to help themselves, or other people will help themselves instead.

    To all your money.
  • This is just the same problem as before, only people aren't expecting it. A lot of people fell victim to phishing scams (and many still do), using email, because they are stupid. I guess this is a little more advanced, since people expect certain speed-dial numbers to not change. Granted they could probably just have a system where the bank has a password that they have to tell you, so that you can verify that you are actually talking to the bank. This is probably a good idea anyway, as it would be easy
  • Not Unique to VOIP (Score:4, Informative)

    by mmurphy000 (556983) on Friday January 05, 2007 @11:22AM (#17473690)

    Changing phone numbers in an address book isn't unique to VOIP. A virus could scan Outlook and other common address book systems and change phone numbers, whether VOIP or not. Since most people don't have their bank phone numbers memorized, they'll assume that the address book entry is correct. Even if they use a non-VOIP phone, the phishing attack can work.

    Now, a VOIP system might have an integrated address-book/speed-dial system that could also be attacked. But otherwise, I don't see where this is unique to VOIP.

  • Whaaat? (Score:2, Insightful)

    I too, can come up with lots of non-scenarios based on speculation...

    What if someone hacks the telephone exchange and redirects all calls to the bank to a new number?

    What if I get a letter from my bank saying they have moved, and a phisher builds a new bank at that address, thus allowing them to take all my details?
  • Someone please explain how a virus can update a Skype user's telephone book? Seems like a poorly-designed software that allows voice telephone messages to modify its database.
    • by LurkerXXX (667952)
      Because we all know, no major software has undiscovered bugs, buffer overflows, yadda, yadda. Linux, Firefox, Apple, Microsoft, never put out patches for newly found security holes because all their software is well-designed.

      What color is the sky in your world?
    • I have Skype at home. Unlike e-mail, or my home phone, or my cell phone, or SMS on my cell phone, I have not ever received any spam or phishing or telemarketing calls on my Skype account. (I have Skype on my Cell phone.)

      Right now, it is my VoIP that is the least prone to these.

      I guess the point to all this is how to prevent it pro actively.

      Right now, when I sign into my bank they present me with a picture and some text to go with it. This, in theory, means that I am actually on their site and not an elab
    • by Andy Dodd (701)
      "Someone please explain how a virus can update a Skype user's telephone book? Seems like a poorly-designed software that allows voice telephone messages to modify its database."

      Easy. The skype user's telephone book is most likely (I don't use Skype so I can't be sure) a file on their PC.

      A virus can enter that PC in any of the normal ways that they can propagate and go modify that file. (i.e. it isn't a "VoIP Virus", it's a traditional virus that attacks your address book once you're infected)
  • by Sneakernets (1026296) on Friday January 05, 2007 @11:25AM (#17473754) Journal
    "Steve... send the PHONE SPIDERS."
  • This is the price we pay for a computing monoculture. Don't use Windows, this won't happen. Yes this is Microsoft's fault, BUT, to be fair, this would happen to a certain extent with any computing monoculture. So:
    • Don't use Windows
    • Don't all move to the Mac
    • Don't all use one OS environment - replacing Windows with everyone using the same version of xyz linux wouldn't help that much
    • Don't all use the same CPU (x86)

    and all this should go away. When did you last hear of a security breach on Alcatel DEC

    • by solevita (967690) on Friday January 05, 2007 @11:42AM (#17474096)
      I've seen this argument crop up regularly on /. recently, but that doesn't make it a good one. Why? Well lets extend your argument to its logical conclusion - not only should we all use different operating systems, web browsers, CPU architectures, but we should all also use different file formats, standards and networking protocols.

      I'll never get caught by a phising scam because my web browser doesn't support the HTML used on fake-paypal.com and I can't even connect to it anyway because I'm using a brand of TCP/IP used only by myself and a handful of /. geeks.

      Call me crazy, but I want to work on something that I can easily share with my colleagues - I want the most open digital environment I can get.

      I refuse to accept that lazy/poor programmers can excuse the security holes in their products by claiming that everyone should be aiming for security through obscurity. Lets stop blaming Windows/Internet Explorer users for the insecurity of the products they use. Security through diversity is just renamed security through obscurity; it's no security at all.
    • by planetmn (724378) on Friday January 05, 2007 @11:45AM (#17474128)
      WTF?

      Now, I understand in the Slashdot world, anything that pokes at Microsoft and Windows is instantly thought of as insightful and true, but what the hell does this problem have to do with Microsoft? This problem exists because of social habits of human beings. Most phishing scams work only when there is action taken by a victim that is either uncaring, or doesn't know better.

      I recently received a phishing scam email from somebody purporting to be Wells Fargo Bank. First clue is obvious, I don't have an account with them, but I was curious. So I clicked the link in Firefox. The site comes up, looks similar to the real Wells Fargo site, but has a completely non-legitimate URL. So then I clicked the link in IE7. Guess what, IE7 knew it was a phishing site.

      So in my above example, Microsoft was not at fault, in fact, they were proactive enough to protect the user. Stop blaming third parties for what amounts to human error. And if you think OS diversity would help the problem, you are wrong. People react the same way to phishing scams regardless of OS.

      And your suggestions are absolutely insane. One thing that computing monoculture brings is a standard implementation. How would the average consumer react if they were told "this software won't work on this OS" or worse "this software only works on certain flavors of linux, but not yours". The reason the PC grew so quickly was the ability to choose between different software and hardware easily, and be sure of compatibility. Sure, niche markets existed, such as the Mac, but the PC was much more extensible and much more desirable.

      -dave
      • Seriously, VoIP != Windows. The author of the article mentions "flash-virus". He's speaking primarily of what we in VoIP call hard sets. Real telephones that you plug into your network (or use 802.11). Most of them have internal phonebooks that could theoretically be overwritten. Frankly, as an administrator of several hundred VoIP hard sets (Cisco 7940, 7960, 7941) run on Asterisk, I think a more likely fear is that someone writes a virus that trashes all my very expensive phones and cripples my business o
        • by ajs318 (655362)
          Indeed. Using naught but a cheap TFTP server, which need not be on the Asterisk box, you can alter the configuration and even upgrade the firmware. We use this to configure a few dozen ZIP4x4 handsets (run Linux on a G3 processor).

          It's not at all unfeasible that someone could write a trojan to run on an easily-compromised Windows box (many businesses still have to use a few of these for running legacy apps), listen for VoIP traffic, determine from the headers what phone models are in use, download a
      • Re: (Score:3, Insightful)

        Now, I understand in the Slashdot world, anything that pokes at Microsoft and Windows is instantly thought of as insightful and true, but what the hell does this problem have to do with Microsoft?

        The attack described relies upon a worm that can compromise desktop systems. Worms are a lot easier to implement if their are a huge number of identical targets with identical holes. Currently that target is Windows.

        This problem exists because of social habits of human beings. Most phishing scams work only whe

        • by planetmn (724378)
          The attack described relies upon a worm that can compromise desktop systems. Worms are a lot easier to implement if their are a huge number of identical targets with identical holes. Currently that target is Windows.

          Or, it would only require a user to run certain software, which is the reason a lot of people get malware/spyware on their computers in the first place. This would not stop if there were no holes. It would only stop if there was a way to ensure that people didn't run software they download
          • Re: (Score:3, Interesting)

            Or, it would only require a user to run certain software, which is the reason a lot of people get malware/spyware on their computers in the first place.

            Yeah, trojans are a problem, although all the studies I've seen by number of infections put malware without user interaction in the lead.

            This would not stop if there were no holes. It would only stop if there was a way to ensure that people didn't run software they download AND that any software provided to them was legitimate.

            OS's don't need to pr

            • by planetmn (724378)
              OS's don't need to prevent software from running, just have mechanisms to determine trust levels (signing) and provide granular controls based upon those trust levels, while keeping the user informed about what is happening.

              Keeping the user informed, when the user isn't a computer expert can be extremely difficult. How is an OS to know that the file being modified is phone numbers rather than configuration settings?

              The problem with trojans isn't that people double click on things, it's that when they
              • How is an OS to know that the file being modified is phone numbers rather than configuration settings?

                Because the first one is called "Phone Numbers.db" and the second is called "Address Book Settings.xml."

                So if every time a user double clicks a file, you would like the OS to inform them that they have run a program?

                No, I'd like them to be aware before they click that the item they are clicking is an executable or data. The UI should make this 100% crystal clear. Today, this is not the case. Then, i

    • by Tim C (15259)
      You seem to assume that virus writers and other malware producers won't simply follow the market trend as well, and target whatever platforms it makes sense to target.

      Right now, the vast majority of people are running some flavour of Windows on x86, so that's what's targetted. It helps that Windows machines are also generally a soft(er) target, used by people with little or on clue as to how to use a PC safely. As and when significant numbers of users move to other platforms, those platforms will also be ta
    • by soft_guy (534437)
      Yeah, then the hackers will all have to buy Qt licenses.
  • Scaremongering (Score:2, Interesting)

    by vaderhelmet (591186)
    This is a concept at best. A virus going through peoples' cell phones (which are far more in use than VoIP sets) to do the same thing is even more viable. This is another 'exploit' that relies on people to be completely oblivious to what their technology is doing. I agree that it is a problem, but it has nothing to do with VoIP. A lot of PHBs are already afraid enough of 'voices in the network' without somebody throwing 'OMFG What if?!' at them.

    OMFG, What if someone wrote a virus that relinked your favorite
  • I think that this type of attack is still, to a large degree, depending on TCP vulnerabilities. This type of malware is going to be highly dependent upon other things to initiate such attacks. Granted, in the case of Skype or other PC-based applications this will be far easier to accomplish. I'm not sure it's a VoIP issue so much as an issue of we need to be aware of yet another medium for the transport of exploits. VoIP is UDP based. Protection of such voice streams, should malware over VoIP become pervasi
  • ...Let's imagine a scenario that could become commonplace in the near future

    Or sooner now they have described what to do & /. has noted it (assuming of course script kiddies and crackers can read) and scripted kiddies are reading it....

    Jaj
  • What about a BotNet? (Score:3, Interesting)

    by bhsx (458600) on Friday January 05, 2007 @11:40AM (#17474052)
    A serious botnet can have 50k-100k minion boxes out there... Imagine if VOIP hit even 20% penetration, that would obviously be 10k-20k phones that botnet owner has access to. If you were the type of slimeball or, gods forbid, terrorist, what would you do with 20 thousand phones you had access to? Think DDOS on 911? Think maybe just dialing pay phone services like the old auto-dialer spyware? People maybe shouldn't be allowed to run their VOIP systems on just any old machine... Perhaps all those writing VOIP code for Windows systems should just stop and burn all copies of their apps? That doesn't sound too bad :P

    • A 911 center typically has a handful of human operators - so what is needed to DOS a typical PSAP is a handful of cell phones and you just have a few people phone in and the 911 center is totally full. You don't need a bot net of voip systems. The reason this does not happen is because there is very little incentive to DOS a 911 center.
      • by powerlord (28156)
        The reason this does not happen is because there is very little incentive to DOS a 911 center.


        Not to mention that it is probably a federal offense and would initiate an FBI investigation ... one with more of an incentive to find and prosecute the "bad guy" than going after typical SPAM mailers.
    • by mpapet (761907)
      Ugggh.

      I'll keep it brief. As other informative posts have explained, the virii potential of VOIP clients is unlikely.

      Say I'm a bad guy and I want to simultaneously call 100,000 machines. I would have to spawn 100,000 connections to a voip server. Your voip server firewall has a threshold for dropping connections from a single IP address doesn't it? If the bad guy is using 100,000 zombies then the problem is not voip is it?

      Let's say for a minute that I'm able to connect to a client. *The phone will ring
      • by bhsx (458600)

        Say I'm a bad guy and I want to simultaneously call 100,000 machines. I would have to spawn 100,000 connections to a voip server. Your voip server firewall has a threshold for dropping connections from a single IP address doesn't it? If the bad guy is using 100,000 zombies then the problem is not voip is it?

        You wouldn't have to spawn 100,000 connections to a single voip server, the botnet would already be running on an IRC server somewhere, awaiting orders. I just login to the IRC channel after making a few dozen ssh hops around my bots and through a TOR network somewhere. I send the command and the bots start cycling through commands to hijack the 10 most common VOIP apps and dial whatever number i have the bots set to dial. It wouldn't be that hard. My original post was a bit tongue-in-cheek, but I did

    • A serious botnet can have 50k-100k minion boxes out there... Imagine if VOIP hit even 20% penetration

      Unless they're all running the same VoIP client and service, it is pretty hard to grab all those 20%. Another option would be to use a custom VoIP client, if there are free services available for calling out.

      If you were the type of slimeball or, gods forbid, terrorist, what would you do with 20 thousand phones you had access to? Think DDOS on 911?

      To what end? 911 is for reporting crimes and emergencie

  • by Opportunist (166417) on Friday January 05, 2007 @11:43AM (#17474098)
    Let's face it, who's the prime target for phishing? Joe Average Users. "We" (as in, people who enjoy technology as a pastime more than just a tool) know about such problems, and we know how to deal with them. I still never heard of a 'clued' person to become a phishing target. We certainly don't answer to mails akin to "Hi, I'm your Bank, please send me all your details in reply or your account will be frozen", and we usually routinely check for unwanted BHOs and tasks, and we certainly run up to date AV software (or at least have another reason to assume with some sort of faith that we are not infected).

    In short, we know the threat. And we're also the ones who use VOIP predominantly, aside of companies (who better have someone like us as their IT-security person there). Auntie Mable and Joe Hicksberger won't switch to VOIP any time soon.

    So personally, I'd rate THAT threat low. At least for now.
    • by kebes (861706)
      Good post (I agree with you), but you're wrong about one thing:
      "Auntie Mable and Joe Hicksberger won't switch to VOIP any time soon."

      In some places, cable companies are starting to offer their own VoIP services. It's a great deal because you can get a package (TV + Internet + Long distance Phone) for a reasonable price. So lots of "Auntie Mable" types are starting to sign up for these things, without really knowing (or caring) that it's VoIP.

      My mom, for instance, is about to make ths switch (finally upgradi
      • True. But do they have a computer attached that can be infected and have their entries changed? While there are certainly boxes available that double as that, my guess would be that the companies that use those boxes will do whatever they can to steel them against that possibility. If for nothing else, then to be safe against lawsuits.

        This isn't phishing, where Joe Average is putting his data into peril by trusting it to a machine which is (by its very nature and reason to exist) open and easy to infect, wh
        • by kebes (861706)
          Yes you are absolutely right (which is why I prefaced my post with "I agree with you"). Despite the fact that VoIP is becoming more widespread, it is being implemented very much as a "black box" consumer device that is not in any way connected to other computer equipment. People will still store their speed-dial in the actual phone, for instance.

          So you're quite right that TFA is needlessly alarmist.
  • Dammit don't you think the phishers read Slashdot too?
  • viruses over a virus from a public pay phone anyday!

    Those shankers hurt!
  • This is all hype in my opinion. There probably will be attacks against VOIP banks but they won't be as mentioned. Each VOIP Provider has their own code they use, I don't see how one virus is going to spread through more then the one system it was designed on/for. The attacks will be denial of service attacks most likely.

  • To me, this smells like a security company drumming up business.

    First, as with every technology outside the Windows desktop monoculture, viruses are not easy to spread: A variety of CPUs and OSs make it less likely the next machine a virus encounters will be able to run the virus code.

    Second, the hypothetical attack depends on a combination of two attacks: A virus plus phishing. That is an uncommonly sophisticated combination. Is there any basis in current experience with attacks that shows this is likely t
  • Having a regular phone line doesn't save you from possible the future of junk calls. The barrier is that people initiating the call up until now have had to spend a lot of money. If they can call a POTS line from overseas and not spend a boatload of cash, they'll call you sooner and more often considering your number is probably listed... Unlike most VOIP providers.

    The hypothetical scenario described is extremely weak... I don't know of any people who have their address book that tightly integrated into the
  • So you have an email attack based on the idea that people keep the phone number of their bank in their address book? Rather why would I bother if I can always just get it off their website or from my statement? I suppose changing an electronic statement to put the fake number on it is also possible. But how is this really related to VOIP? The problem still remains one of some email attachment taking over your computer and accessing your personal and confidential information that you have stored there.
  • by oohshiny (998054)
    Computer viruses are not an unavoidable fact of life. In fact, computer viruses are largely limited to Windows. Maybe computer viruses threaten VoIP on Windows, but other platforms and embedded systems are fine. Really.
  • "they will be calling the modified number, where a friendly automated system will record all their details."

    Therein lies the rub. If you don't use the original voice talent the people you're trying to scam will immediately know somthing is up.

    Having worked with the voice talent that you hear on some major voicemail systems (Lorrain Nelson [voicelady.com], who did Merlin and Audix) these kinds of systems don't come cheap. So to set up a phony system you would need to

    a) be in cahoots with the voice talent, who are us

  • i've been reading /. for around 8 years now. this is the worst piece of tin-foil-hat shit i've ever read. it's been a fairly decent 8 years, but - quite frankly - this article has turned me off for good.

    so long, and thanks for all the phish.

From Sharp minds come... pointed heads. -- Bryan Sparrowhawk

Working...