Aside from all the hackers and all the bothersome constant updates to Windows, there have been surprisingly few reported attacks on Outlook. Of course, now that OCS is integrated into Outlook that will certainly be expected that to change. At the same time, Microsoft (News - Alert) uses Kerberos and digital certificates to provide improved security for OCS. More about that in a future report…

Meanwhile back at the ranch, like so many corporate crimes that go unreported because the company doesn’t want to expose itself to perceived governance incompetence, new types of VoIP/SIP attacks are being reported at an alarming rate in the trade press. Even though none so far show up in searches in Google or Yahoo, attacks like VOMIT (Voice Over Misconfigured Internet Telephony (News - Alert)), SPIT (SPam over Internet Telephony), vishing (the voice equivalent of phishing), SPIM (SPam Over Instant Messaging) and others are the VoIP/SIP equivalent of STDs.

My particular concern is not just annoying problems like SPIT/SPAM, which according to some can be cured along with viruses by filters, spyware, firewalls and routers. Many others think that existing solutions are just supporting existing prevention companies, not realizing what new problems are all about. Think about it. How in the world can you stop something, if you don’t know what it is? Well, for a large number of us, we just deal with lots of patches, fixes and service pack updates. For others, new solutions will be needed. It’s beginning to sound a bit like the Clinton-Obama debate.

The really serious problems, in my opinion, are calljacking or call-hijacking, eavesdropping, MITM (man-in-the-middle) and other types of monitoring, wire tapping and call interception attacks. There are increasing reports of rerouting SIP INVITE registration attacks where the hacker monitors, tampers, injects voice, redirects calls, terminates and other SIP method attacks. Corporate secrets, violations of HIPAA, SOX, GLBA and other compliance requirements and even simple privacy guidelines are all at risk for these attacks. And, if the capture of voice conversations is not enough, one of my other worries is call "injection" where obscenities, threats and even other comments create a hostile work environment, litigation, discrimination and so on.

While some say that VDOS (Voice Denial of Service) attacks are more critical, others believe that existing firewall and IDS (Intrusion (News - Alert) Detection Systems) can be expanded to address VDOS attacks. As you are beginning to see, the range of voice attacks is as large or larger than attacks on data. What is worse is that for one hundred years we have trusted our voice networks to be safe from intrusion, attacks and truly criminal assaults. In addition, other than government monitoring (and that is a separate discussion), reports of criminals stealing corporate or personal secrets is almost unheard of.

Oh, and lest we forget, toll fraud is still a multi-billion dollar industry. Console cracking and other types of toll interception are still prevalent. As one SIP expert said it, "Frankly providers of SIP network solutions and those with premise equipment such as Avaya, Cisco, Microsoft, Nortel (News - Alert) and others have largely left SIP security planning to the customer to figure out. VoIP/SIP attacks are also increasing but product vulnerabilities are also on the rise with a report this week by Cisco that ‘Cisco Unified IP Phone models contain multiple overflow and denial of service (DoS) vulnerabilities. A SIP Security Checklist is not just a do-it-once review but a planning guide for ongoing daily security protection," noted Matt Jolly.

What we really need are guidance and best practices. There is one industry association devoted to that cause. VoIPSA, or the Voice Over Internet Protocol Security Association is a place to "get smart" about VoIP/SIP security. VoIPSA has working for many years to help "you all" get a grip on the challenges, risks as well as providing solutions.

Lastly, have a security plan before not after you implement VoIP/SIP because as Thufir Hawat in the movie Dune reminds us in preventing attacks by the nasty Harkonnen, "the first step in avoiding a trap is knowing of its existence." To keep up to speed, visit http://blog.tmcnet.com/cross-talk/