Thursday, April 03, 2008

Over 100 Vulnerabilities in Leading Enterprise VoIP Systems Uncovered By VoIPshield

It was unbelievably shocking to see the vulnerability database and how many vulnerabilities it contains. Ignorance is bliss until something bad happens to someone. Follow the link below to see the database of vulnerabilities and related equipment. Yours might be there. At VoIPshield, you can also download a copy of VoIPauditLite. VoIPauditLite™ is a basic version of the award-winning VoIPaudit™ Enterprise. It provides the same vulnerability assessment and penetration testing functions, and is intended to give the prospective VoIPaudit Enterprise purchaser a no-cost introduction to the product. VoIPauditLite is a single-user license, includes vulnerabilities for a single vendor, and scans up to 128 targets on a single network.


Ottawa, Ontario (April 2, 2008) – VoIPshield Laboratories, the research division of VoIPshield Systems Inc., today announced it has discovered over 100 security vulnerabilities in Voice over IP systems marketed by Avaya, Cisco and Nortel. A vulnerability is a design or implementation flaw in a VoIP system that can be exploited by a hacker with malicious intentions, including extortion through service outage threats, industrial espionage through call recording, or identity theft through the stealing of sensitive customer information.

VoIPshield notified the vendors of its findings earlier this year. Under the terms of its Responsible Disclosure Policy, VoIPshield works with the vendors to help them recreate the vulnerabilities in their own test labs, and offers its services to assist the vendors in determining the best remediation approach.

“It is important that companies understand the security risks associated with their VoIP systems”, said Rick Dalmazzi, president and CEO of VoIPshield. “Now is the time to start planning a protection strategy, while the hacking community is still learning about VoIP, not after the attacks begin.”

The vulnerabilities are cataloged and presented on the company’s website at www.voipshield.com/research. Each vulnerability is categorized based on an exploit’s most likely malicious intent: unauthorized access, code execution, denial of service or information harvesting. Each is also given a severity rating based on a modified industry standard index. Vendor responses are also included, indicating what action if any the vendor has indicated they will take to remediate the vulnerability, and when.

“The limited number of high-profile attacks against IP telephony has lulled most chief information security officers and voice/data managers into a false sense of security, with the result that most do not have adequate protection for their converged networks,” said Lawrence Orans, research director for networking and communications equipment at Gartner Research. “As IP telephony continues to gain momentum, targeted attacks — and possibly broad-based attacks — will surface and gain greater visibility, highlighting vulnerabilities and the overall lack of focus on IP telephony security.”

The database marks the first of ongoing announcements that VoIPshield Labs will make as it continues its research into these and other vendors’ products. Avaya, Cisco and Nortel were chosen for the initial round of research because of their popularity in the North American market. Microsoft has recently announced its entry into the enterprise VoIP market.

Just this month, communications research firm In-Stat revealed that while 80% of companies said they’d deployed some type of VoIP solution, more than 40% do not have specific plans for securing them. This finding, based on a survey of U.S. companies conducted in September 2007, was published in a report titled U.S. Businesses Lag in Securing VoIP. “Regardless of the VoIP solution that is in place or planned, security should be an integral part of an implementation from the beginning,” the report summarized.

The vulnerabilities discovered are used by VoIPshield to create signatures for its enterprise VoIP security solutions: VoIPaudit™, a VoIP Vulnerability Assessment system, and VoIPguard™, a VoIP Intrusion Prevention System (VIPS). Users are protected against attacks attempting to exploit the known vulnerabilities. VoIPshield products are regularly updated with new signatures through the VoIPshield Update™ subscription service.

"Digital video and voice enabled by Voice over IP technologies are vital to commerce and are substantially at risk", said Jonathan Zar, chairman of the threat taxonomy committee of the Voice over IP Security Alliance (VoIPSA). "It is important that products be developed that are specifically designed to protect VoIP systems. VoIPSA encourages all research leading to such products."

For more information about the vulnerabilities database and VoIPshield’s products visit www.voipshield.com/research.
