BOSTON — Corporate video conferences can still be easily hacked by insiders using a freeware tool that allows attackers to monitor calls in real-time and record them in files suitable for posting on YouTube.
While the exploit was demonstrated a year ago at security conferences, most corporate networks are still vulnerable to it, says Jason Ostrom, director of VIPER Lab Sipera Systems Inc., the Richardson, Tex. voice over IP vendor where he performs penetration tests on clients’ business VoIP networks.
Slide show: Six biggest IT security problems
Once intercepted, the audio and video from the targeted call flow through the laptop, where it can be viewed as it streams by and also where it is recorded in separate files, one for each end of the conversation, Ostrom says.
Encryption is the answer
The best network defense is to turn on encryption for both signaling and media, he says. The problem isn’t with the networking or VoIP and video gear itself, but rather with how they are configured in the network, he says.
One attendee suggested that Layer 2 monitoring tools could pick up on this attack, and Ostrom agrees. But he also says they’re not often used in practice. “I don’t see a lot of Layer 2 protections to defend against this,” he says.
In addition, in his penetration testing he finds that 70 per cent of the networks he tests are vulnerable to toll fraud attacks that use the corporate network as a proxy for make long distance calls.
Edward Amoroso, chief security officer of AT&T Corp., who sat on a panel at the Forrester conference with Ostrom, says that AT&T plants public-facing vulnerabilities on purpose to lure attackers into honeypots that aren’t connected to the network. AT&T then works with law enforcement agencies to identify and prosecute the hackers.
“It introduces a little uncertainty to the hacker,” Amoroso says. “They wonder, ‘Is it real or not?'” and may be reluctant to jump on every vulnerability they see.