Group Aims to Make Internet Phone Service Secure

Wed Feb 9 11:01:47 EST 2005

<http://online.wsj.com/article_print/0,,SB110790485798349353,00.html>

The Wall Street Journal

      February 9, 2005

 TELECOMMUNICATIONS

Group Aims to Make
 Internet Phone Service Secure
Alliance of Tech Companies Looks for Ways
 To Head Off Attacks by Hackers, Viruses

By RIVA RICHMOND
DOW JONES NEWSWIRES
February 9, 2005; Page D4

A group of more than 20 technology companies and computer-security
organizations has gone on the offensive to protect the burgeoning Internet
telephone service from hackers, viruses and other security problems.

The VOIP Security Alliance, which was announced earlier this week, will
focus on uncovering security problems and promoting ways to reduce the risk
of attack for voice over Internet protocol, or VOIP, technology.

The group, known as VOIPSA, includes companies such as 3Com Corp., Alcatel
SA, Avaya Inc., Siemens AG, Symantec Corp. and Ernst & Young LLP. Other
members include the National Institute of Standards and Technology, a
federal government agency; the SANS Institute, a research organization for
network administrators and computer-security professionals; and several
universities.

The group's goal is to help make VOIP as secure and reliable as traditional
telephone service. VOIP breaks voice into digital information and moves it
over the Internet. That can make phone service much cheaper, but it also
opens the door to the kind of security woes that have come to plague the
Internet.

VOIP enthusiasts worry that security and privacy problems could hamper
adoption of the technology.

"VOIP has a lot of great value propositions, but in order for it to be
successful, it has to be secured" and offer service quality that's on par
with the current phone system, said David Endler, chairman of the alliance
and an executive at TippingPoint, a security company that recently was
acquired by 3Com. "VOIPSA is a first step in doing that."

Internet telephone service is expected to be rolled out rapidly to
consumers and business customers, starting this year. Mr. Endler said many
network operators don't realize they need to alter their security
strategies when they add Internet phone service. For instance, traditional
firewalls cannot police VOIP traffic, he said, and so networks will need to
be upgraded with newer security technologies.

There's little understanding of what security problems VOIP might introduce
and what kind of defensive measures need to be taken. VOIPSA intends to
improve that situation by sponsoring research, uncovering vulnerabilities,
disseminating information about threats and security measures, and
providing open-source tools to test network-security levels.

Because VOIP will be dependent on the Internet, there's little hope that
security troubles can be avoided, said Alan Paller, director of research at
the SANS Institute, though early action by technology makers to address
problems is positive and welcome. "It's not a lightweight problem," he
said. "How well would you do with no phone?" If Internet attacks can
disrupt phone service, "you radically expand the number of victims," he
said.

"VOIP networks really inherit the same cyber-security threats that data
networks are today prone to, but those threats take greater severity in
some cases," Mr. Endler said.

For instance, a life-or-death emergency call to 911 might not get through
if a network is crippled by a hacker attack. Worse, a broad assault on the
phone system could become a national security crisis that causes economic
damage.

-- 
-----------------
R. A. Hettinga <mailto: rah at ibuc.com>
The Internet Bearer Underwriting Corporation <http://www.ibuc.com/>
44 Farquhar Street, Boston, MA 02131 USA
"... however it may deserve respect for its usefulness and antiquity,
[predicting the end of the world] has not been found agreeable to
experience." -- Edward Gibbon, 'Decline and Fall of the Roman Empire'

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com