Eweek has gone back to the future this week to make us aware that Caller ID can be spoofed.
For those of you who don't get out much, this has been a known risk of relying on Caller ID as a means of authentication for years now. Thus, the message that should be taken from this article is that the Annualized Rate of Occurrence (ARO) for Caller ID spoofing may be increasing, which changes the Annual Loss Expectancy calculation, but the threat has been around for years, with or without VOIP. You can configure a traditional PBX to send fraudulent Caller ID information, too, but I don't hear an outcry to ban or otherwise restrict the use of Caller ID on "traditional" PBXs connected over voice T-1s.
The solution here is security awareness training. The reason this attack works is not really the Caller ID; it is that people consistently continue to fall for social engineering attacks. Teach people that Caller ID is not authentication and the problem will go away on its own. (yeah, right!)
There was a startup that offered this as a service last fall before it was harassed out of business, allegedly by the same scammers this story claims are abusing Caller ID now. The Register had a good description of it at the time. According to the eweek article, however, a variety of companies have now risen to take that company's place.
Kevin Poulsen also explained, in an article back in July, how this can be implemented using Asterisk, the open-source PBX.
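Since the presented number is whatever the originating PBX (Asterisk or otherwise) chooses to send, the practical control on the receiving side is to stop treating Caller ID as an identity and to watch for calls whose presented number is inconsistent with the trunk they arrived on, which the switch does know for certain. The following is an added example of that check (my code, not from the eweek article, Poulsen's piece, or the Asterisk project). It assumes a CDR column layout modeled on Asterisk's cdr_csv Master.csv, a hypothetical site policy for which channels are external trunks and which numbers are ours, and four constructed CDR records.

```python
"""Detect Caller ID values that cannot be trusted, given the trunk a call arrived on.

Caller ID is caller-asserted: nothing on the PSTN or a SIP trunk verifies it
end to end. The receiving switch does know which trunk delivered the call, so
a presented number that could not legitimately originate there is a red flag.
Added example; CDR layout, trunk names, number sets and records are assumptions.
"""
import csv
import io
import re
from typing import List, Optional, Tuple

# Column order modeled on Asterisk's cdr_csv Master.csv (assumed; check your build).
CDR_COLUMNS = [
    "accountcode", "src", "dst", "dcontext", "clid", "channel", "dstchannel",
    "lastapp", "lastdata", "start", "answer", "end", "duration", "billsec",
    "disposition", "amaflags", "uniqueid", "userfield",
]

# Hypothetical site policy. Channel names are "TECH/peer-uniqueid"; the part
# before the last "-" identifies the trunk or phone the call came in on.
EXTERNAL_TRUNKS = {"SIP/carrier", "DAHDI/1"}
OUR_DIDS = {"2125550100", "2125550101"}          # our published numbers
INTERNAL_EXT_RE = re.compile(r"^\d{3,4}$")      # our extension numbering plan

# Constructed sample records (not real traffic): an outsider presenting one of
# our own DIDs, a normal internal call, a normal external call, and an
# anonymous external call.
SAMPLE_CDR = '''\
"","2125550100","4001","from-trunk","""Acme Corp"" <2125550100>","SIP/carrier-0000001a","SIP/4001-0000001b","Dial","SIP/4001,30","2004-12-21 09:14:02","2004-12-21 09:14:09","2004-12-21 09:16:40","158","151","ANSWERED","DOCUMENTATION","1103620442.26",""
"","4002","4001","from-internal","""Bob"" <4002>","SIP/4002-0000001c","SIP/4001-0000001d","Dial","SIP/4001,30","2004-12-21 09:20:11","2004-12-21 09:20:14","2004-12-21 09:21:00","49","46","ANSWERED","DOCUMENTATION","1103620811.27",""
"","3125550199","4001","from-trunk","""WIRELESS CALLER"" <3125550199>","DAHDI/1-1","SIP/4001-0000001f","Dial","SIP/4001,30","2004-12-21 09:31:45","2004-12-21 09:31:50","2004-12-21 09:35:02","197","192","ANSWERED","DOCUMENTATION","1103621505.28",""
"","anonymous","4001","from-trunk","""anonymous"" <anonymous>","SIP/carrier-00000020","SIP/4001-00000021","Dial","SIP/4001,30","2004-12-21 09:40:00","","2004-12-21 09:40:30","30","0","NO ANSWER","DOCUMENTATION","1103622000.29",""
'''


def normalize_number(num: Optional[str]) -> str:
    """Keep digits only and drop a leading US country code; 'anonymous' becomes ''."""
    digits = re.sub(r"\D", "", num or "")
    if len(digits) == 11 and digits.startswith("1"):
        digits = digits[1:]
    return digits


def trunk_of(channel: str) -> str:
    """'SIP/carrier-0000001a' -> 'SIP/carrier'; 'DAHDI/1-1' -> 'DAHDI/1'."""
    return channel.rsplit("-", 1)[0]


def flag_record(rec: dict) -> Optional[str]:
    """Return a finding name for an untrustworthy presented number, else None.

    Only the inbound trunk is authoritative; src (the Caller ID) never is.
    """
    if trunk_of(rec["channel"]) not in EXTERNAL_TRUNKS:
        return None  # internal leg: our own PBX populated the Caller ID
    src = normalize_number(rec["src"])
    if not src:
        return "anonymous-callerid"
    if src in OUR_DIDS or INTERNAL_EXT_RE.match(src):
        # Our own number arriving from outside: spoofed, or a forwarded call.
        # Either way it must not be treated as an internal caller.
        return "own-number-presented-from-external-trunk"
    return None  # plausible outside caller, but still unauthenticated


def scan_cdr(text: str) -> List[Tuple[str, str]]:
    """Run flag_record over CDR rows; return (uniqueid, finding) pairs."""
    findings = []
    for row in csv.DictReader(io.StringIO(text), fieldnames=CDR_COLUMNS):
        finding = flag_record(row)
        if finding:
            findings.append((row["uniqueid"], finding))
    return findings


if __name__ == "__main__":
    for uniqueid, finding in scan_cdr(SAMPLE_CDR):
        print(uniqueid, finding)
```

The rule deliberately never "authenticates" anyone; it only demotes the presented number to a hint and surfaces the cases where that hint is provably inconsistent with the call's origin. Expect false positives from legitimate forwarding and remote workers whose calls transit a carrier trunk while presenting a company DID, so tune EXTERNAL_TRUNKS and OUR_DIDS to the site, and treat the remaining hits as a prompt for callback to a number of record or a shared secret, not as proof of fraud.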
Given the liberal quoting of unnamed “experts” at AT&T and the lack of any byline other than Reuters, I’m suspicious that this might be more Public Relations FUD, perhaps by AT&T, who are absolutely terrified of VOIP’s market momentum at the moment.
The emerging scams underline the lower level of security protecting Voice Over Internet Protocol, or VOIP, the Internet-calling standard that has upended the telecommunications industry over the past several years.
(emphasis mine)
Umm…hello…H.235 anyone? While VOIP has upended the telecom industry and does import many of the security concerns of the IP networking world into voice communication, it also provides a multitude of security management options, which are detailed in NIST's long, scary document, SP 800-58 ("Security Considerations for Voice over IP Systems").
Personally, I'll take strong cryptography implemented using international standards (H.235) over security-by-obscurity (PSTN) any day of the week. In a VOIP environment, you can implement all manner of security, including authentication, encryption of calls in transit, filtering, and even PKI-based authentication, to protect the confidentiality and integrity of your VOIP infrastructure. In the PSTN, you can implement CALEA to make sure that wiretaps work right.
Pretending, once again, that the world only exists as AT&T would like it to, the article states that:
Traditional phone networks operate over dedicated equipment that is difficult for outsiders to penetrate. Because VOIP calls travel over the Internet, they cost much less but are vulnerable to the same security problems that plague e-mail and the Web.
Now, let's have a little reality check. The only thing protecting the Public Switched Telephone Network (PSTN) is Security-By-Obscurity and Wishful Thinking. This confusion of "secrecy" with "security" has resulted in numerous serious incidents over the years, from Cap'n Crunch to Kevin Mitnick to shady dealings in Nevada.
Come on, Andy…you can do better than this.
(I did find the author, by the way. Andy Sullivan's résumé is impressive; he got his MA in Journalism at Northwestern.)