
wg-voip - RE: caller id

  • From: Jeremy George <>
  • To: Jim Schuman <>
  • Cc: "'Ben Teitelbaum'" <>, <>
  • Subject: RE: caller id
  • Date: Wed, 29 Jan 2003 19:47:25 -0500 (EST)


Well, maybe and maybe to Ben as well. Mitnick's major point is
social engineering but that isn't the only point. In this case the
illustration required access to the gateway. Not all attacks do, of
course.

The core problem I meant to point to is that I realized the caller id
issue from reading Mitnick. I think the people deploying ip-based
communications need a substantially better source as a basis for a
security plan. Otherwise telling people to create a security plan isn't
really helpful.

- Jeremy


On Wed, 29 Jan 2003, Jim Schuman wrote:

> Date: Wed, 29 Jan 2003 18:33:48 -0500
> From: Jim Schuman <>
> To: 'Ben Teitelbaum' <>,
> Subject: RE: caller id
>
> Jeremy,
>
> I think the key point here is, as you said, "Anyone with access to the
> ip-pbx gateway." The issue is determining who we allow access to this
> interface and how we monitor this access. This is not a problem that is
> unique to an IP-based system but also affects traditional PBXs and Central
> Office switches. Hopefully, your Security Plan has been created with this
> in mind and addresses these issues.
>
> js
>
>
> -----Original Message-----
> From: [mailto:] On Behalf Of Ben Teitelbaum
> Sent: Wednesday, January 29, 2003 5:16 PM
> To:
> Subject: Re: caller id
>
> Mitnick's book is excellent. The moral, however, is not that we need
> to sit down with security folks, but rather that security folks need
> to sit down with ordinary users and educate them about good security
> practices.
>
> Essentially all the attacks that Mitnick describes rely on social
> engineering (i.e. they are non-technical). Ordinary users need to
> understand that caller ID information is trivial to change and should
> not be used for authentication, just as they need to understand that
> giving out their password over the phone to a stranger is inviting
> trouble.
>
> I'm certainly no expert or phreaker, but I think that ANI is much
> harder to spoof as it is set by the CO based on the incoming trunk.
>
> -- ben