-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Cyber Security Tip ST05-018 Understanding Voice over Internet Protocol (VoIP) With the introduction of VoIP, you can use the internet to make telephone calls instead of relying on a separate telephone line. However, the technology does present security risks. What is voice over internet protocol (VoIP)? Voice over internet protocol (VoIP), also known as IP telephony, allows you to use your internet connection to make telephone calls. Instead of relying on an analog line like traditional telephones, VoIP uses digital technology and requires a high-speed broadband connection such as DSL or cable. There are a variety of providers who offer VoIP, and they offer different services. The most common application of VoIP for personal or home use is internet-based phone services that rely on a telephone switch. With this application, you will still have a phone number, will still dial phone numbers, and will likely have an adapter that allows you to use a regular telephone. The person you are calling will not likely notice a difference from a traditional phone call. Some service providers also offer the ability to use your VoIP adapter any place you have a high-speed internet connection, allowing you to take it with you when you travel. What are the security implications of VoIP? Because VoIP relies on your internet connection, it may be vulnerable to any threats and problems that face your computer. The technology is still new, so there is some controversy about the potential for attack, but VoIP could make your telephone vulnerable to viruses and other malicious code. Attackers may be able to perform activities such as intercepting your communications, eavesdropping, conducting effective phishing attacks by manipulating your caller ID, and causing your service to crash (see Avoiding Social Engineering and Phishing Attacks and Understanding Denial-of-Service Attacks for more information). Activities that consume a large amount of network resources, like large file downloads, online gaming, and streaming multimedia, will also affect your VoIP service. There are also inherent problems to routing your telephone over your broadband connection. Unlike traditional telephone lines, which operate despite an electrical outage, if you lose power, your VoIP may be unavailable. There are also concerns that home security systems or emergency numbers such as 911 may not work properly. How can you protect yourself? * Keep software up to date - If the vendor releases patches for the software operating your device, install them as soon as possible. These patches may be called firmware updates. Installing them will prevent attackers from being able to take advantage of known problems or vulnerabilities (see Understanding Patches for more information). * Use and maintain anti-virus software - Anti-virus software recognizes and protects your computer against most known viruses. However, attackers are continually writing new viruses, so it is important to keep your anti-virus software current (see Understanding Anti-Virus Software for more information). * Take advantage of security options - Some service providers may offer encryption as one of their services. If you are concerned about privacy and confidentiality, you may want to consider this and other available options. * Install or enable a firewall - Firewalls may be able to prevent some types of infection by blocking malicious traffic before it can enter your computer (see Understanding Firewalls for more information). Some operating systems actually include a firewall, but you need to make sure it is enabled. * Evaluate your security settings - Both your computer and your VoIP equipment/software offer a variety of features that you can tailor to meet your needs and requirements. However, enabling certain features may leave you more vulnerable to being attacked, so disable any unnecessary features. Examine your settings, particularly the security settings, and select options that meet your needs without putting you at increased risk. _________________________________________________________________ Author: Mindi McDowell _________________________________________________________________ Produced 2005 by US-CERT, a government organization. Terms of use <http://www.us-cert.gov/legal.html> This document can also be found at <http://www.us-cert.gov/cas/tips/ST05-018.html> For instructions on subscribing to or unsubscribing from this mailing list, visit <http://www.us-cert.gov/cas/signup.html>. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.1 (GNU/Linux) iQEVAwUBQ3JMP30pj593lg50AQKPXQf/WwmsuccVWMVZ2krzu4MMJTMEyarpCa56 8hcOy8d+VZ3Jk2LXAtW8LgFS9leb8185/r7bLWzIaqNlp9Pi802sNvL0kt2aVyiJ 2Ac35GxpanfJFNfCF0fNxEsNSixcoCQycaBTfdlR06vV2fc2X90bhj65TMSVyyYf GohOjm6bdL0BqX17rRO4Qb2d1v5F/V7yPy/tZsPNB7gjLd2NEZudDdIh8neMqPug WVNgG3XwdmdYGBHcJA6Px/rFXEiGhwOKu33PGK1L/VfdU4Tp8uUxn9mhM05MzeSI sIuAbEUDmixq0MatWeWD2MygOVXCEV9Y7RPg230VVCH91PxtIQIJ2g== =21US -----END PGP SIGNATURE-----