Conference Session Notes: VoIP Security for Developers
VoIP-specific malicious attacks can threaten the viability of the VoIP service. Examples noted included: Toll fraud - service theft, Voice SPAM (SPIT), and Identity theft.
VoIP presents new threat vectors. Application-specific features and options can be attacked and exploited. New protocols (SIP, H.323, RTP, RTCP) create new ways to attack services and infrastructure.
Showed a nice Taxonomy of Threats on one slide.
Noted some examples, but not many. The Edward Pena case in Miami was noted. Quoted Todd Goodyear at Merrill Lynch as saying his VoIP network was taken down by viruses.
Newsfactor Network was noted as having q,ooo VoIP endpoints deployed over 16 months, with VoIP phones deployed to brokers. Problems described were performance, QoS and patching of firewalls. This really sounded like a design and performance problem rather than anything related to security.
The basic VoIP threats are the same threats any IP service faces - buffer overflows, viruses, worms, and DoS attacks.
The weak points, again, match all IP networks - weak passwords and PINs, patch management, and misconfiguration issues.
The real focus is on developing secure and reliable code to begin with. Some key points:
- Defective software is not secure
- Poor quality software is not secure
- Verification doesn't cover all the security bases.
Addressed Skype and described it as the age-old problem of "security by obscurity" rather than anything else. They use binary packing, code integrity checking, code obfuscation, network obfuscation and encryption.
Naturally, the room discussion touched on the recent reverse engineering of Skype.
Key point seemed to be that you have to use methodical, well-documented security practices during the entire life cycle of code development. That's a lesson developers have been learning and embracing at different levels of maturity for the past several years.
Remember that hackers are working at the assembler level of the code. Developers are working at the compiler level. They're often very different skill sets and tool sets. Unlike the past, developers don't often work in assembler these days. Working at that level gives the hackers a tremendous advantage. To phrase it another way, hackers are often working at the bit level, while developers are working at the protocol level.
Nice discussion of fuzzing techniques, but that isn't something I can attempt to keep up with.
Those are the development issues for software. Configuration issues present a whole different challenge.
There were some interesting points made about the impact of the "ISP monoculture" approach to creating a maintenance window for routine service and the potential that leaves to malicious intruders. I jotted some handwritten notes as well and will revisit that at some future point. It's a great issue for IT shops to be sensitive to. The maintenance window might be a good and necessary thing, but it could also present an attack vector at some level.
DDoS and SPIT - They're both hard to identify, but the impact can be far greater than SPAM. Voice calls interrupt the user whereas email doesn't. Voice has a sense of immediacy. This discussion led me to look at SPIT in a whole new way. We need to consider SPIT not just as a technical attack against network resources. It could be leveraged as a DoS attack against human business processes. Imagine the disruption of a large company's staff continually answering phone calls and not getting work done. Almost a "soft" DoS attack in a way. Something to ponder.
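One defensive check that follows from this point, written as an added example (not code from the session or this post): flag SIP callers whose INVITE fan-out, meaning the number of distinct callees reached in a short window, looks like a campaign dialing through extensions rather than a person placing calls. The log format, the thresholds and every address below are constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Hypothetical SIP proxy log format (an assumption for this example): one INVITE per line.
LINE_RE = re.compile(r"^(\S+) INVITE from=(\S+) to=(\S+)$")

# Constructed sample log: one human caller, one campaign source, one unrelated call.
SAMPLE_LOG = """\
2006-03-01T09:00:01 INVITE from=sip:alice@example.com to=sip:bob@corp.example
2006-03-01T09:00:05 INVITE from=sip:promo@spit.example to=sip:ext100@corp.example
2006-03-01T09:00:06 INVITE from=sip:promo@spit.example to=sip:ext101@corp.example
2006-03-01T09:00:07 INVITE from=sip:promo@spit.example to=sip:ext102@corp.example
2006-03-01T09:00:08 INVITE from=sip:promo@spit.example to=sip:ext103@corp.example
2006-03-01T09:00:09 INVITE from=sip:promo@spit.example to=sip:ext104@corp.example
2006-03-01T09:00:30 INVITE from=sip:alice@example.com to=sip:bob@corp.example
2006-03-01T09:05:00 INVITE from=sip:carol@example.com to=sip:ext100@corp.example
"""

def parse_log(text):
    """Return (timestamp, caller, callee) tuples; lines that do not match are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            records.append((datetime.fromisoformat(m.group(1)), m.group(2), m.group(3)))
    return records

def detect_spit(records, window=timedelta(seconds=60), fanout_threshold=5):
    """Map each caller that reached at least fanout_threshold distinct callees
    within any sliding window to the largest fan-out observed.
    A person redialing one number stays below the threshold; a campaign
    walking down a range of extensions does not."""
    by_caller = defaultdict(list)
    for ts, caller, callee in sorted(records):
        by_caller[caller].append((ts, callee))
    flagged = {}
    for caller, calls in by_caller.items():
        start = 0
        for end in range(len(calls)):
            # Slide the window start forward until the span fits the window.
            while calls[end][0] - calls[start][0] > window:
                start += 1
            distinct = {callee for _, callee in calls[start:end + 1]}
            if len(distinct) >= fanout_threshold:
                flagged[caller] = max(flagged.get(caller, 0), len(distinct))
    return flagged
```

Tune the window and threshold to the site's normal calling pattern; a receptionist or auto-attendant legitimately reaches many callees and needs an allow-list rather than a lower threshold.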
Nice layered view, not unlike the OSI model, of security risks, where they lie, and some discussion of mitigation approaches. Whether it's at the hardware or physical layer, the OS and network layer, the VoIP services layers, or higher up in the VoIP protocols for signaling and transport or the applications, each potential vulnerability has to be addressed.
Security has to be addressed throughout all layers of the service. The bottom line is that VoIP security isn't really any different than application or network security. It can only be provided through a never-ending lifecycle of holistic management and monitoring.
------ Caveat: These notes were typed on a wireless keyboard on my Treo at the back of the room during the session. I taped the session and will doubtless cycle back around some of these points time after time. If there are typos or problems, they're mine from attempting to try "live-blogging" a session for the first time on my Treo. A laptop is just too intrusive in a venue like this. I hope there's value here in my notes.
