RE: caller id

["Jim Schuman" <>]

Jeremy,

I think the key point here is, as you said, "Anyone with access to the
ip-pbx gateway." The issue is determining who we allow access to this
interface and how we monitor this access. This is not a problem that is
unique to an IP based system but also affects traditional PBX's and Central
Office switches.  Hopefully, your Security Plan has been created with this
in mind and addresses these issues.

js



-----Original Message-----
From: 

 
[mailto:]On
Behalf Of Ben Teitelbaum
Sent: Wednesday, January 29, 2003 5:16 PM
To: 

Subject: Re: caller id


Mitnick's book is excellent.  The moral, however, is not that we need
to sit down with security folks, but rather that security folks need
to sit down with ordinary users and educate them about good security
practices.

Essentially all the attacks that Mitnick describes rely on social
engineering (i.e. they are non-technical).  Ordinary users need to
understand that caller ID information is trivial to change and should
not be used for authentication, just as they need to understand that
giving out their password over the phone to a stranger is inviting
trouble.

I'm certainly no expert or phreaker, but I think that ANI is much
harder to spoof as it is set by the CO based on the incoming trunk.

-- ben



---------------------------------------------------------------wg-voip-+
For list utilities, archives, subscribe, unsubscribe, etc. please visit the
ListProc web interface at 

    http://archives.internet2.edu/

---------------------------------------------------------------wg-voip--