CIO Symmetry: VoIP

Dec 9 2008   9:11PM GMT

Recent FBI vishing scam warning an old issue



Posted by: Kristen Caretta
Security, Hacking, VoIP, CIO, Midmarket CIO

Last Friday, the FBI issued a warning about a security vulnerability that cybercriminals could use to run vishing telephone scams.

Vishing (combining phishing and voice) uses Voice over IP (VoIP) features to gain access to company information. In this case, the flaw was found in a free and widely used open source toolkit – Asterisk.

According to a posting on the Internet Crime Complaint Center, hackers who gain access and exploit the Asterisk flaw can potentially auto-dial thousands of people in an hour.

Security risk news spreads like wildfire and the FBI vishing warning was no exception — bloggers everywhere began weighing in. It was quickly learned, however, that the security scuttlebutt was actually an old issue.

According to a Digium blog post, the bug was originally found in March (AST-2008-03, a SIP guest permissions problem) and was patched for the 1.2 and 1.4 versions of the software (1.6 releases were not vulnerable). The bug did not allow the arbitrary setting of caller ID and would work in only a limited set of circumstances.

It sounds quite similar to the telephone scams already known, no VoIP hacking necessary! The Federal Communications Commission already warns us about everything from the Mexico Collect Call Scam to the 90# Telephone scam.

Just another reminder to keep your information safe by making your passwords safer … and do your homework before going off on new exploits.

Oct 17 2008   2:11PM GMT

2009 cybersecurity threats revealed – wah waaah



Posted by: Kristen Caretta
Security, Hacking, VoIP, CIO, DataCenter, Web 2.0, Midmarket CIO

You know that new iPhone you got? Or the Android order you put in? Well, not to get all Debbie Downer on you, but your sexy smartphone is a security threat.

The Georgia Tech Information Security Center (GTISC) announced the release of the Emerging Cyber Threats Report for 2009. A big help in our overall awareness and protection, the report outlines security concerns and risks for consumer and enterprise Internet users. So what’s your mobile device got to do with it? Cell phones will become members of botnets.

In the GTISC report, Patrick Traynor, an assistant professor of computer science at Georgia Tech and member of the GTISC, delves into the “digital wallet” smartphone concept (smartphones store personal identity and payment information). He says smartphones will be injected with malware — when this happens, “large cellular botnets could then be used to perpetrate a DoS attack against the core of the cellular network.” The good news? Traynor goes on to say it will provide an opportunity to design security properly for the quickly evolving mobile communications sector.

The overall threat areas to be aware of, according to the report, are malware, botnets, cyberwarfare, threats to VoIP and mobile devices and the evolution of the cybercrime economy. The driving force behind all the attacks? The data.

The cybercrime community (a mafia of sorts, if you will) will be utilizing our recent advancements in social networking to cloak malcode. One example given in the report: Facebook wall links posted by a friend prompting users to install Flash Player updates. When the unaware user clicks to install the update, a piece of malware is installed on the machine. And just like that, the computer is involved in a botnet.

Other stats to be aware of? Botnets have become worse in 2008 and GTISC researchers estimate 15% of online computers will be botnet-affected this year. Cyberwarfare and attempts to “subvert the US economy and infrastructure” will accompany military interaction more often. And the already vulnerable VoIP? Cybercriminals will look to engage in voice fraud, data theft and other scams.