Monday, October 09, 2006

Messaging Security 2006: Vishing: The Next Big Cyber Headache?

Halloween is almost here, but you may not have to wait until the end of the month to get a good fright from the latest cybersecurity headache: Vishing.

What's that I hear? Your phone's ringing? According to the Caller ID readout it looks like your bank is calling. Better put this blog aside and take that call. But don't leave any personal data behind--it could be a case of vishing.

Such was one of the dire warnings from the security experts at last week's Messaging Security 2006 conference at the Mandalay Bay Resort & Casino in Las Vegas.

Like "phishing"--fraudulent e-mail that has the look and feel of legitimate e-mail from banks, etc.--vishing aims to pry personal information from its victims, but those who practice it use broadband phone systems instead, via fake voice mail, computer-generated phone calls or other means.

"We're seeing the first examples of it," said Dr. Paul Judge, chief technology officer for Secure Computing Corp., sponsor of the conference. "These are the warning shots."

For example, you could get an automated call from your credit card company alerting you that you are over your credit limit. The call might ask you to log in to the phone system with your credit card number and the card's expiration date. The Caller ID you see on your phone might be accurate for your bank, but the call could actually be coming in from overseas.

The potential problems from vishing include eavesdropping, Caller ID spoofing, unauthorized access to your personal voice mail, intentional overloading of your voice mailbox, the harvesting of phone numbers from your broadband phone provider, access to billing information and other maladies, said Judge.

Broadband phone services like Vonage, SunRocket and Skype send phone calls over the Internet or via private digital networks instead of the traditional phone network. Since they often have to link to old phone networks, the connection points required to properly hand off the calls have opened new doors for hackers, said Judge.

"You're bringing together many systems that didn't talk or didn't like to talk to each other over the years," said Judge during an Oct. 6 presentation.

Broadband phone services allow users to acquire phone numbers with area codes from other cities, thus making it easy for a distant hacker to appear like a local business. Many broadband phone services offer members sophisticated voice mail systems which sound very professional. Judge told the audience of network security experts that while they might be wise to many vishing techniques, today's hackers have become "...very ingenious in finding ways around your network defenses."

Judge said that while separating bad phone calls from the good can be done by tracking the source of vishing calls to the computers that spew them out, this can be a difficult task since so many new vishers crop up daily. He noted that while there are many widely used data standards for broadband telephony, some services, like Skype, use proprietary protocols and are thus harder for network security experts to work with to keep vishing calls out of their offices.

Jay Chaudhry, vice chairman and chief strategy officer for Secure Computing, noted that Caller ID data can be easily faked, but also that encryption of broadband phone traffic can be done relatively easily, thus offering a layer of protection from eavesdroppers.

One strategy to fight vishing is to develop "reputations" for the Internet protocol (IP) addresses of the computers on the Internet that handle voice traffic, he said.

"An IP address is like a Social Security number," said Chaudhry, founder of CipherTrust Inc., which merged with Secure Computing this past summer. "IP is a little bit more tricky [to deal with] but it can be done."

By pinpointing the physical locations of known safe and bad broadband phone services, he said security experts can create multi-layered software and hardware defenses against vishing.

"You don't depend on one technique," said Chaudhry.
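To make the layered approach Chaudhry describes concrete, here is an added example (not code from the conference, Secure Computing or CipherTrust) that scores a batch of inbound VoIP call records with three independent checks: the reputation of the source IP address, whether the presented Caller ID number arrived from the network block its owner's phone trunks are registered to, and how many calls one source has pushed out in a short window. Every netblock, phone number and call record below is constructed for the illustration; the reputation lists and the registered-trunk mapping are hypothetical stand-ins for whatever feed a real deployment would use.

```python
"""Layered scoring of inbound broadband-phone call records.

Added illustration: IP reputation + Caller ID consistency + source velocity.
All netblocks, numbers and records are constructed; none are real allocations.
"""
import ipaddress
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed reputation data (hypothetical values, documentation ranges only).
BAD_NETBLOCKS = [ipaddress.ip_network(n) for n in ("203.0.113.0/24", "198.51.100.0/25")]
GOOD_NETBLOCKS = [ipaddress.ip_network(n) for n in ("192.0.2.0/26",)]

# Constructed mapping: the Caller ID a bank presents -> netblocks its trunks
# are registered to call from. The same number from anywhere else is suspect.
REGISTERED_TRUNKS = {
    "+15555550100": [ipaddress.ip_network("192.0.2.0/26")],
}

VELOCITY_WINDOW = timedelta(minutes=5)
VELOCITY_LIMIT = 20  # more calls than this from one source IP in the window


def ip_reputation(src_ip):
    """Layer 1: longest-match-free lookup of the source IP in the two lists."""
    ip = ipaddress.ip_address(src_ip)
    if any(ip in n for n in BAD_NETBLOCKS):
        return "bad"
    if any(ip in n for n in GOOD_NETBLOCKS):
        return "good"
    return "unknown"


def caller_id_consistent(caller_id, src_ip):
    """Layer 2: a number we know must come from its owner's registered trunks.

    Numbers we have no record for cannot be checked and pass this layer.
    """
    trunks = REGISTERED_TRUNKS.get(caller_id)
    if trunks is None:
        return True
    ip = ipaddress.ip_address(src_ip)
    return any(ip in n for n in trunks)


def score_calls(records):
    """records: dicts with 'ts' (ISO 8601), 'src_ip' and 'caller_id'.

    Returns a list of (record, verdict, reasons) in timestamp order.
    """
    recent_by_ip = defaultdict(list)  # Layer 3 state: timestamps per source IP
    results = []
    for rec in sorted(records, key=lambda r: r["ts"]):
        ts = datetime.fromisoformat(rec["ts"])
        reasons = []
        rep = ip_reputation(rec["src_ip"])
        if rep == "bad":
            reasons.append("source-ip-reputation-bad")
        if not caller_id_consistent(rec["caller_id"], rec["src_ip"]):
            reasons.append("caller-id-source-mismatch")
        window = recent_by_ip[rec["src_ip"]]
        window.append(ts)
        while window and ts - window[0] > VELOCITY_WINDOW:
            window.pop(0)  # drop calls that fell out of the sliding window
        if len(window) > VELOCITY_LIMIT:
            reasons.append("source-velocity")
        if reasons:
            verdict = "block"
        else:
            verdict = "allow" if rep == "good" else "review"
        results.append((rec, verdict, reasons))
    return results


def summarize(results):
    """Count verdicts, e.g. {'allow': 1, 'block': 7, 'review': 21}."""
    counts = defaultdict(int)
    for _, verdict, _ in results:
        counts[verdict] += 1
    return dict(counts)


def sample_records():
    """Constructed call log: one genuine bank call, two spoofed ones, one
    unknown caller, and a burst of 25 calls from a single unknown source."""
    recs = [
        {"ts": "2006-10-06T09:00:00", "src_ip": "192.0.2.10", "caller_id": "+15555550100"},
        {"ts": "2006-10-06T09:01:00", "src_ip": "203.0.113.5", "caller_id": "+15555550100"},
        {"ts": "2006-10-06T09:02:00", "src_ip": "198.18.0.7", "caller_id": "+15555550100"},
        {"ts": "2006-10-06T09:03:00", "src_ip": "198.18.0.8", "caller_id": "+15555550199"},
    ]
    burst_start = datetime.fromisoformat("2006-10-06T09:10:00")
    for i in range(25):
        ts = burst_start + timedelta(seconds=10 * i)
        recs.append({"ts": ts.isoformat(), "src_ip": "198.18.0.50", "caller_id": "+15555550177"})
    return recs


if __name__ == "__main__":
    for rec, verdict, reasons in score_calls(sample_records()):
        print(rec["ts"], rec["src_ip"], rec["caller_id"], verdict, ",".join(reasons))
```

The three layers deliberately fail independently: a spoofed bank number from an address with no reputation history is still caught by the trunk check, and a flood from a never-before-seen source is caught by velocity alone, which is the point of not depending on one technique.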

So the next time you grab that phone, don't be so eager to respond to requests for sensitive information. You could end up swimming with the vishes.

(Full disclosure: Secure Computing, the conference sponsor, covered the travel and lodging expenses for myself and other journalists.)

Photo and text © Copyright 2006 Stadium Circle Features
