Technology rings up vulnerabilities
As more businesses move their telephone systems off of traditional “land lines” and make calls using Voice Over Internet Protocol technology, the vulnerabilities and risks associated with VoIP should not be overlooked, experts say.
In a November 2009 white paper on VoIP vulnerabilities, McAfee Labs identified several hacking exposures including eavesdropping and “voice phishing,” in which spoof calls are used to extract financial information from a consumer or business. The Santa Clara, Calif.-based computer security company also said the risks are increasing as VoIP technology proliferates.
In addition, VoIP systems can be vulnerable to denial-of-service attacks in which hackers attempt to make computer networks unavailable. For example, a hacker could force the network to reset, which would obstruct legitimate communication over the network.
Alan E. Brill, New York-based senior managing director of technical services for Kroll Inc., a unit of Marsh & McLennan Cos. Inc., said that while there are obvious advantages of a business changing to a VoIP system from standard telephone lines, companies need to weigh the risks and liabilities. For example, technology and software exist that could allow individuals to access sensitive information.
“Risk is evolving at the speed of technology…at the speed of the Internet,” Mr. Brill said. “It’s really a situation that the risk officer or the risk manager has to monitor.”
Mr. Brill said an employee could compromise a VoIP system by using their personal account under a service such as Skype, a software application provided by Luxembourg-based Skype Ltd. that allows users to make calls over the Internet.
Mr. Brill and his colleague Brian Lapidus, New York-based chief operating officer of Kroll’s fraud services division, said risk managers need to set up a policy stating how programs and the network should be used.
“Skype is just the latest entryway into a network, and your business is the one that can take the hit,” Mr. Lapidus said.
In what is believed to be the first conviction associated with reselling hacked VoIP services, Edwin Pena in February pleaded guilty to one count of conspiracy to commit computer hacking and wire fraud, and one count of wire fraud (see story). Co-defendant Robert Moore was accused of a form of eavesdropping, or a “man-in-the-middle attack” in which a third party intercepts a call between two VoIP servers, prosecutors said.