Alliance wants to beat spam to Net phones

Nearly two dozen companies say they have allied to address spam and security risks of Internet telephones, even though there's little evidence suggesting any threat.

The providers of voice over Internet Protocol (VoIP), as Net phone services are generally known, are bracing for abuses nonetheless because, like e-mail, VoIP calls find their way by locating an IP address, a unique set of numbers assigned to each device connected to the Web. Using VoIP, virus writers could conceivably commandeer someone's phone, or elemarketers could send messages to thousands more phones at a time than they can now.

With little evidence to suggest a problem, however, the 22 member companies of the VoIP Security Alliance run the risk of provoking the digital world's black hats.

But the outlaws' attention is inevitable, alliance members say, because VoIP technology is teetering on the mainstream, becoming an increasingly interesting target. There are about 5 million customers worldwide, with almost a third in the United States, where Vonage, with 500,000 customers, is the world's largest VoIP supplier. VoIP services have begun winning converts, thanks to cheap rates and a slew of features that traditional phone companies can't match.

The alliance includes business telephone maker Alcatel, network security specialists Symantec and several schools, including New York's Columbia University, and the 20 other companies. The alliance was formally unveiled Monday.

"The technology has finally arrived, and vulnerabilities need to be discovered and mitigated," Ron Gula, chief technology officer of alliance member Tenable Network Security, said in prepared remarks.

[Stating]

VoIP Secure?

The protocol itself may or not be secure, but if your computer has been compromised by a trojan then good luck. How difficult would it be to direct a compromised computer to make calls on someone else's behalf? Reminds me of the "leaky PBX" problem where local calls were made in to a company's trunk and then the PBX was directed to dial out and make long distance calls on the company's dime.

The problem with execs at most tech companies is that they don't think like hackers. They want to believe that their systems are secure, and that everyone plays nice-nice and obeys the rules. Every tech company needs to have a CEH - Chief Executive Hacker, who's sole job is to crack/hack/compromise the company's own technology. Better to find your own flaws than someone else.