Wednesday, September 22, 2010

Technical Surveillance Threat: Hack IP voice and video in real-time

I can't tell you how many times I've been called into a corporation to perform a Technical Surveillance Countermeasures Sweep, only to be informed upon arriving that "It won't be necessary to audit any of our VoIP or network protocols, our IT dept has that under control".

Really?....Take a moment to read this article, and let me know how you
really feel about it...JDL
BOSTON -- Corporate video conferences can still be easily hacked by insiders using a freeware tool that allows attackers to monitor calls in real-time and record them in files suitable for posting on YouTube.

While the exploit was demonstrated a year ago at security conferences, most corporate networks are still vulnerable to it, says Jason Ostrom, director of VIPER Lab at VoIP vendor Sipera, where he performs penetration tests on clients' business VoIP networks.

He says he sees only 5% of these networks are properly configured to block this attack, which can yield audio and video files of entire conversations. "I almost never see encryption turned on," he says.

To eavesdrop on the calls, someone with access to a VoIP phone jack -- including the one in the lobby of the business -- plugs a laptop with the hacking tool on it into the jack. Using address-resolution protocol (ARP) spoofing, the device gathers the corporate VoIP directory, giving the hacker the ability to keep an eye on any phone and to intercept its calls. There's a tool within UCSniff called ACE that simplifies capturing the directory.


No comments: