Voice over IP, a South East Asian Perspective: an interview with Eric Cole, PhD and Paul Henry
Dec 12th, 2009
By Stephen Northcutt
Stephen:
Eric, why are people moving to VoIP so intensely? It seems
like everyone that has not yet adopted VoIP is now racing to put
it in place.
Eric:
Stephen, one factor is that many organizations purchased a new PBX
around 1999 to be compliant with Y2K. Since most phone
systems last between 8-12 years, as these systems reach end of life,
companies would rather invest the money in new VoIP technology as
opposed to purchasing a PBX and being locked in for another 8-12 years.
Also, for organizations that have large numbers of international calls,
VoIP provides significant cost savings over a 5 year period.
Stephen:
Paul, what can you tell me about Voice over IP in the South East Asia
part of the world?
Paul:
Stephen, where do I start? The bottom line in SE Asia
literally drove the adoption of VoIP. As the economy tightened,
many looked for areas to save and some hopped on the VoIP bus to reduce
costs. And, there is an entire infrastructure; let me toss you a link to
a web page that shows you some of the links to providers and services
that are available, check here.
Stephen:
That is impressive Paul, though it looks like there is less
coverage of Korea and Malaysia. So, how do they save money exactly?
Paul:
Stephen, the latest money saving trick is to offload cell phone
minutes to VoIP using a VoIP client on an MS based cell phone over WiFi
for employees where the company bears the cost of the cell phone
contract. This results in big money being saved but little, if any,
security being implemented, hence a tremendous amount of risk that many
simply are unaware of. Eric, would you like to add some more
information?
Eric:
Certainly, Paul. Many companies are also looking at ways to reduce cell
phone bills. Almost all knowledge workers expect to have a company cell
phone or PDA. For a large company, a $200/month cell phone charge
multiplied by 30,000 people adds up very quickly. VoIP can provide
methods to run cell phone calls over VoIP enabled networks to reduce
overall costs.
Stephen:
Sure, that would be Voice over Private Internet (or probably
Private Intranet is more accurate). Stuff like iCore. There was an article
in ITworld that demystifies this; the author, James Gaskin, just calls
it plumbing. So, are you using any particular VoIP technology?
Paul:
Stephen, I have been doing calls / presentations for Sipera
on VoIP two to three times a day now for two weeks in Thailand and
Singapore. The potential cost savings are so high, people are in a rush
to deploy; problem is, most deployments are being done by network teams
or telco teams that have no clue about the risks in VoIP, such as
denial of service. In an outage, you would lose your data networks,
voice, and in some cases with voice over private internet, your cell
phone capability which is your backup. There is also phishing over
VoIP, unsolicited commercial announcements, and the very serious
problem of eavesdropping. And no one thinks about this stuff. As one
bank told me, neither our vendor nor our auditor brought up security as
an issue with VoIP, so they thought it was not a problem.
Stephen:
Exactly how widespread of a problem is the lack of understanding about
VoIP Security, Paul?
Paul:
Pretty serious. This runs from large enterprise to banks, and
even the Thailand Security Exchange Commission (SEC) was moving ahead
with a deployment without understanding the risks. I did a 4 hour
session with their network team on Friday and we had a great
discussion. Specifically they (SEC) are moving to a new building this
year and are in the process of building out the network infrastructure.
The head of the SEC was very interested in how easy it was to capture a
VoIP voice or video call and commented that VoIP can facilitate insider
trading and that they need to consider regulation for officers of
public companies in Thailand using VoIP to require encryption; further,
he commented that in their environment, VoIP can potentially hinder
their investigations if the calls are captured between their teams of
investigators. But, they got it; as soon as they heard, they started
doing research, and management fully supports doing the VoIP deployment
in a secure manner. They are adjusting their VoIP deployment to
include security and encryption, now using Sipera UCS firewalls.
Stephen:
That is a good story, Paul, and good for the Thai SEC. They are to
be congratulated! Any other positive stories about safe VoIP
deployment?
Paul:
Another good example is a
major bank that deployed VoIP three years ago with no security. They
have not had an incident to date, that they are aware of! However, now
that they understand how easy it is to disrupt communications or
eavesdrop, they are now rethinking their architecture and considering
the use of certificates for authentication as well as encryption. And
not a minute too soon. They were planning to expand their Unified
Communication (UC) capabilities to include providing key clients with
the ability of speaking to bank tellers / officers via a video call
from their PC over the public Internet using VoIP to avoid the hassle
of traveling to a bank branch (traffic is bad in Thailand). They had
not considered that a VoIP call might be intercepted.
Stephen:
Is this primarily a problem in Thailand, or is it all over Asia?
Paul:
In Singapore I see the same issue, a total lack of awareness. And,
it isn’t just Asia, I have seen this in some large multinationals as
well. I discussed what I was seeing with Martin Khoo (runs Singapore
CERT) and he agrees that it is an awareness issue. He likes my
non-commercial style of presenting the issue and review of technical
countermeasures and wants Singapore CERT along with IDA to host a 1 day
event the first week of February for invited business leaders to
educate them as to the inherent risks associated with VoIP. The morning
session will be high level for managers and the afternoon session will
include some hands on demonstration of hacking VoIP for the technical
among them. I plan to use this event to promote the full SANS VoIP
course in SE Asia. The Sipera Marketing Vice President attended my
meeting with Martin Khoo and has agreed to fly me over for the event
and is kicking in some marketing cooperative dollars to help pay for it.
Stephen:
That is great Paul, I love it when commercial companies take the
time to do basic education and not just push their own product. I would
love to do a phone chat with the VP some time and get his/her
perspective. And we need to get the word out, I have heard of some
awesome vendor products that allow security with communications. For
instance, Golden Orb Networks is a telecommunications service provider
to the police, government and
security services. By using its own Tier One Operator network,
they provide mobile phone and fixed line services to protect the
identity of police, informants, those in witness protection, and
counter terrorism. Another fascinating company is Salare Security.
Their mission is to provide products to defend against covert
communication. Another awareness issue which gets little focus is VoIP
as a covert communication channel and means for propagating malware.
Salare has demonstrated covert communication exploits. And, of course,
all the usual suspects, Cisco, Nortel, Avaya, Microsoft and Alcatel /
Lucent have VoIP solutions in place and most of them have security
capability.
Paul:
Nice, I was not familiar
with Golden Orb, but Salare are the Vunneling folks, I have heard of
them. And yes, Stephen, I am really glad to be involved with a company
that gets it. BTW, I ran into a Stephen Northcutt fan here in
Asia. Desmond Hong took your Advanced Intrusion Analysis course many
years ago, I believe in the UK, and remembers the experience well.
I reflected on having taken the same course and that we recently
completed the Virtualization Security and Operations course and were in
the process of adding additional courses in the region. I happened to
wear one of my SANS shirts to the meeting with him which started the
conversation. He is the Lead for Information Security at MSD in
Singapore. I can reacquaint you if you would like.
Stephen:
Thanks, I am pretty sure I remember him, I
just reached out on LinkedIn, my identity there is SANS Institute, by
the way, not Stephen Northcutt. Thanks for taking the time to share
your thoughts with me on VoIP in Asia and maybe we can revisit this in
six months to see what has changed. Eric, can I ask you to close this
interview out, what do you think is the primary advantage of VoIP?
Eric:
That is easy Stephen, VoIP provides a seamless avenue for
telecommuters to work remotely. Since the phone number and
details are the same, it becomes seamless to allow people to become
more mobile. With the H1N1 concern and more companies looking at
contingency plans, VoIP becomes a perfect way to allow people to just
unplug their phone, bring it home and have a mobile office. Traditional
phone systems are not connected to the data network and have limited
functionality. VoIP allows for seamless integration with data
networks and more enhanced control. For example, telemarketing
organizations, credit card companies, etc. use it to perform caller ID
spoofing so the number looks like it comes from a local area and people
are more likely to pick up than if it is a blocked number.
Stephen:
Fantastic, Eric, Paul, I really want to thank you for your time
and for sharing your thoughts on VoIP with us, and our thanks to you
(the readers) for visiting the SANS Security Laboratory.
ABOUT SANS
SANS is the
most trusted and by far the largest source for information security
training and certification in the world. It also develops, maintains,
and makes available at no cost, the largest collection of research
documents about various aspects of information security, and it
operates the Internet's early warning system - Internet Storm Center.
The
SANS (SysAdmin, Audit, Network, Security) Institute was established in
1989 as a cooperative research and education organization. Its programs
now reach more than 165,000 security professionals around the world. A
range of individuals from auditors and network administrators, to chief
information security officers are sharing the lessons they learn and
are jointly finding solutions to the challenges they face. At the heart
of SANS are the many security practitioners in varied global
organizations from corporations to universities working together to
help the entire information security community.
Many of the valuable
SANS resources are free to all who ask. They include the very popular
Internet Storm Center (the Internet's early warning system), the weekly
news digest (NewsBites),
the weekly vulnerability digest (@RISK), flash
security alerts and more than 1,200 award-winning, original research
papers.
ABOUT THE AUTHORS
Eric Cole, PhD - SANS Faculty Fellow
Dr.
Eric Cole is an industry-recognized security expert with over 15 years
of hands-on experience. Cole currently performs leading-edge security
consulting and works in research and development to advance the state
of the art in information systems security. Cole has experience in
information technology with a focus on perimeter defense, secure
network design, vulnerability discovery, penetration testing, and
intrusion detection systems. Cole has a master's degree in computer
science from NYIT and a PhD from Pace University with a concentration
in information security. Dr. Cole is the author of several books,
including Hackers Beware, Hiding in Plain Sight, Network Security Bible,
and Insider Threat. He is the inventor of over 20 patents and is a
researcher, writer, and speaker. He is also a member of the Commission
on Cyber Security for the 44th President and several executive advisory
boards. Dr. Cole is also the CTO of the Americas for McAfee. Cole is
actively involved with the SANS Technology Institute (STI) and SANS
working with students, teaching, and maintaining and developing
courseware. He is a SANS faculty fellow and course author.
Paul A. Henry - SANS Instructor
Paul
is one of the world's foremost global information security and computer
forensic experts, with more than 20 years' experience managing security
initiatives for Global 2000 enterprises and government organizations
worldwide. He is currently the lead forensic investigator and president
of Forensics & Recovery LLC and is keeping a finger on the pulse of
network security as the security and forensic analyst at Lumension
Security. Mr. Henry also serves as the board vice president of the
Florida Association of Computer Crime Investigators (FACCI) and is the
USA board vice president of the International Information Systems
Forensics Association (IISFA). Throughout his career, Paul has played a
key strategic role in launching new network security initiatives to
meet our ever-changing threat landscape. Henry also advises and
consults on some of the world’s most challenging and high-risk
information security projects, including the National Banking System in
Saudi Arabia, the Reserve Bank of Australia, the Department of
Defense's Satellite Data Project, and both government as well as
telecommunications projects throughout Southeast Asia. Mr. Henry is
frequently cited by major and trade print publications as an expert in
computer forensics, technical security topics, and general security
trends and serves as an expert commentator for network broadcast
outlets, such as FOX, NBC, CNN, and CNBC. Paul serves as a featured and
keynote speaker at seminars and conferences worldwide. In addition, he
regularly authors thought leadership articles on technical security
issues, and his expertise and insight help shape the editorial
direction of key security publications, such as the Information
Security Management Handbook, where he is a consistent contributor.
Stephen Northcutt - SANS Faculty Fellow
Stephen
Northcutt founded the GIAC certification and currently serves as
president of the SANS Technology Institute, a postgraduate level IT
security college (www.sans.edu).
Stephen is author/coauthor of Incident
Handling Step-by-Step, Intrusion Signatures and Analysis, Inside
Network Perimeter Security 2nd Edition, IT Ethics Handbook, SANS
Security Essentials, SANS Security Leadership Essentials and Network
Intrusion Detection 3rd edition. He was the original author of the
Shadow Intrusion Detection system before accepting the position of
chief for information warfare at the Ballistic Missile Defense
Organization. Stephen is a graduate of Mary Washington College. Before
entering the field of computer security, he worked as a Navy helicopter
search and rescue crewman, white water raft guide, chef, martial arts
instructor, cartographer, and network designer.
Since 2007 Stephen
has conducted over 34 in-depth interviews with leaders in the security
industry, from CEOs of security product companies to the most
well-known practitioners in order to research the competencies required
to be a successful leader in the security field. He maintains the SANS
Leadership Laboratory, where research on these competencies is posted.
He is the lead author for Execubytes, a monthly newsletter that covers
both technical and pragmatic information for security managers. He
leads the Management 512 Alumni forum, where hundreds of security
managers post questions. He is the lead author/instructor for
Management 512: SANS Security Leadership Essentials for Managers, a
prep course for the GSLC certification that meets all levels of
requirements for DoD Security Managers per DoD 8570, and he also is the
lead author/instructor for Management 421: SANS Leadership and
Management Competencies.


