[VOIPSEC] Soft phone as trojan horse
J. Oquendo
sil at infiltrated.net
Tue Sep 5 07:57:21 CDT 2006
Michael Slavitch wrote:
>> When you install a soft phone on your computer, that executable has
>> definitively the right to access the file system of your computer and
>> other mounted file systems. Even better, it goes nicely through your firewall.
>>
Your comment can be applied to one of the countless millions of programs
available. From MS, to Symantec, to Dell, you name it, most can be said
as having the capability to traverse into your machine. Bring *Nix based
systems into discussion and we can talk about servers @ Debian getting
owned and who knows what was backdoored.
>> If a vendor of a soft phone does not publish the protocol, that makes me
>> very sceptical. Who knows if the programmers had a bad day and put in some
>> back doors "for future software upgrades" or so?
>>
I don't get your point. What operating system are you using, if I may
ask? Pray you do not respond with MS lest you want others to laugh. If a
vendor of anything chooses not to publish their methods and codes you
have the choice of not using them. Obviously you would "hope" that a
bona fide corporation would not stoop that low, although realistically
this occurs frequently (most just never hear about it... MS Remote
Desktop anyone?). One would hope as an IT person, security engineer,
network engineer, etc., that updates would be assessed by the admins,
heaven knows how many updates on machines sometimes have a habit of
breaking things (Sun Updates, Windows Updates, Linux Updates, they're
all prone to break things at times.)
>> This is a new way of file sharing - initiated from the other side of the
>> session! Let's go phishing and publish a new free soft phone.
>>
>>
This boils down to a clueful person. "So will I download 31337
S0phtPh0ne from this Geocities Page, or should I dl Googletalk?!"
>> Am I getting this right? How much do I have to trust my soft phone vendor?
>>
>>
>> Christian
>>
X Files pitch... Trust no one.
--
====================================================
J. Oquendo
http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x1383A743
sil . infiltrated @ net http://www.infiltrated.net
The happiness of society is the end of government.
John Adams