VoIP security is frequently talked about, but it is rare to hear of actual VoIP attacks. From both a theoretical and practical point of view there are a number of vulnerabilities and weaknesses in various VoIP implementations, but I think that the attackers are still working out their ‘business model’ and examining how to go from exploit to income. So far it seems like the most prevalent attacks are old-fashioned toll fraud attacks against VoIP systems. Without a strategy to monetize the attack, there is little incentive to execute one. Once the Internet criminals of the world figure out how to make money from VoIP exploits the gloves will be off.

A recent article in CSOOnline.com by Bob Bradley (Excellent last name! He must know what he is talking about), spells out some of the most prevalent security issues with VoIP, and some recommendations and best practices to guard against them. There are plenty of resources available, and a growing number of vendors and consulting companies dedicated to providing VoIP and unified communications security. It is the responsibility of CSO’s, CIO’s, and other IT mangement and security individuals to be informed about the threats and aware of the available mitigations and countermeasures to enure that their VoIP and unified communications environments are adequately protected.

Follow me on Twitter

One of the biggest problems with antimalware, however, is its reactive nature. While most products provide some sort of heuristic detection designed to catch new threats based on characteristics of previous known threats, it generally misses much more than it catches. So, the net result is a system where you are constantly updating your software to protect yourself against yesterday’s threats, but with no real protection against the threats of today or tomorrow.

As Steve points out in his blog, some of the other security controls built in to Windows Vista, such as UAC (User Account Control), Internet Explorer Protected Mode, WIC (Windows Integrity Control), and more provide more proactive security against malware and other threats without the need for constant updating. Using the security controls provided in Vista, and a little common sense, savvy computer users don’t really need antimalware protection.

Still, even the Windows Security Center in Vista will display as Yellow and warn you that your system is less than secure if you are not running a recognized antivirus product. The bottom line is, I agree with Steve when it comes to me, him, or other information security professionals. But, I think that the majority of home users and enterprise desktop users still benefit from having the antimalware software running to act as a little “digital common sense”.

For example, you may like to check your bank account balances and reconcile your accounts via the bank web site. You used AutoComplete to remember your username and password so you can log in at the click of a button without having to recall your credentials. However, if any other person happens to sit down at your computer and click on the link for your personal banking web site, they too will be able to access your confidential information without having to recall…..er, hack, your credentials as well. Check out Disable AutoComplete Password Storage on my About.com Internet / Network Security site for more about how to configure or disable this feature.

The controversy is not over though.  Information continues to trickle out, such as the Monster.com résumé database being used to pharm out malware, or the fact that 146,000 accounts on USAJOBS, the U.S. Government’s job search web site were also affected. Monster.com does seem to be acting to fix things. However, the fact that it took them 5 days to acknowledge and announce the data breach in the first place, or that they seem to either be relying on user apathy regarding data breaches or affected by apathy themselves is disconcerting.

Using a freely available password recovery utility called Cain & Abel v2.5 I was able to discover the passwords below in the following timeframes using an AMD 2500+ CPU with 512Mb memory:

Password                    Attack                         Time

john                             Dictionary                   <1 minute

john4376                     Dictionary                   attack failed

                                    Brute                           >12 hours

j0hN4376%$$             Dictionary                   attack failed

                                    Brute                          attack failed

 

Of course, if you make the password so complex that you can’t recall it yourself, it sort of defeats the purpose. You can learn more about password security, and more importantly some tips and tricks to help you create complex passwords that are virtually impossible to crack, but that are still simple enough for you to remember them by reading my article, Creating Secure Passwords, on my About.com Internet / Network Security site.

Many users actually get their anti-spyware protection through a security suite such as Norton 360, or Trend Micro PC-Cillin Internet Security Suite. To find out how these 5 products rank, along with some insight into their strengths and weaknesses, check out this article from Paul Gil, About.com Guide of Internet for Beginners.