[VOIPSEC] Feds Warn Deploy VoIP With Care - Analysis of NIST Recommendations

voipsa at codenomicon.com
Mon Feb 14 06:06:11 CST 2005


Good work Tom!

A few points:

"[...] analysis is to consider hiring hackers to really test your
VoIP."

I would avoid the term "hacker" in this context (no matter how you
define it). Although some hackers are more talented than most
commercial security consultants, at least the security consultants are
typically following some best ethical and technical practices in their
work. Hackers in general just typically rely on the limited
penetration testing tools and scripts that are available to them. Not
all security testing and robustness testing tools are available to
hackers (which is good).

"Softphones are not necessarily any more unsecure than other devices
including stand-alone telephone sets."

Softphones are definitely more unsecure. It is not only the bad
quality of desktop software in general but also the access that any
other software can possess over the softphone (typically through IE or
Outlook). It is not too common to route attacks from one software to
another. A dedicated device is always more "simple" and therefore more
secure, although in many cases more difficult to keep updated.

And the key thing is good quality software and that depends on the
skills of the people making the software and the quality assurance
processes of the company behind the products. Some pieces of software
are just a waste of bits, and nothing will help a system built using bad
building blocks.

I hope this email-list will help someone to learn to value software
security and quality over over-extensive feature-sets. Update your
phones regularly!

Best regards,

/Ari Takanen
 Codenomicon Ltd.
 www.codenomicon.com

> Feds Warn Deploy VoIP With Care
> 
> Presented by Thomas B. Cross - TECHtionary.com
> 
> Presented at The Colorado Telecommunications Association Business Meeting -
> February 14, 2005
> 
> For more information and Registration - go here http://www.colotelecom.com/
> 
> [snip]
