The W0w Factor
Wired has a good article today on the lack of security in VoIP and AJAX.
[snip] Like the traditional phone, a VoIP call is broken into two parts, or channels. The first is signaling, which negotiates things like when to start and stop a call, what to do if another call comes in, and what to do if something about the call changes. The second part is media, the bit where we talk. In most VoIP systems neither of these channels is actually encrypted.
According to Dustin Trammell, VoIP security researcher at Tipping Point, this leaves most VoIP calls vulnerable. Calls can be hijacked without either party’s knowledge anywhere along the route over the net that connects the call, and nearly all VoIP systems can fall victim to signal-channel attacks that can fake caller ID, degrade call quality, end calls suddenly, and crash the end device — either your VoIP phone or computer. Internet telephony can even fall victim to denial-of-service attacks that flood a phone with fake requests to start a call, rendering it useless.
[snip]
An AJAX-capable browser can load up pages and step through complex forms without the browser’s owner ever knowing anything has happened. This technique was used most famously by a teenager named “Sami,” who wrote an AJAX worm and put it on his Myspace profile which caused anyone who looked at his site to “friend” him and propagate the exploit on their own page. To his dismay and surprise, within a day he had a million new friends. This was a relatively harmless application, but Stamos warns that the damage doesn’t end there. “There are a lot of (AJAX bugs) that are being exploited now.”
I’ll leave it to Ken and Shelley to comment on VoIP and AJAX, respectively, as they are experts in those fields.






















