Chapter 14. Securing Personal and Business Communications

COMMUNICATION TODAY uses a wide variety of devices and technology, such as e-mail, SMS, and voice mail. People communicate with these devices to discuss both personal and business affairs. Security is necessary to maintain the availability, integrity, and confidentiality of these communications. People are naturally confident their information is secure, but that confidence may not be well-founded.

Everybody has different expectations of how secure their communication is, but security is likely lower than people assume. This chapter will differentiate between two types of communication: store-and-forward and real-time. You will learn how devices and methods of popular communication fit into these two types. You also will gain a better appreciation of threats and how to mitigate them.

Store-and-Forward Communication

Have you ever stopped by a coworker's cubicle and started talking, but realized she is on the phone? You both note your need to talk, but she is simply not available. You have two choices at this point:

  1. You can head back to your desk and then try again later when you're both free.

  2. Assuming it's a question with a quick answer, you can write it on a piece of paper and give it to your coworker's assistant. Your coworker later picks up the note from the assistant and either writes the answer and has the assistant contact you, or contacts you directly. Either way, the communication is complete.

The first option is a failed attempt at communication. The second option is an example of store-and-forward communication.

Communication is a two-way street. There are generally two parties involved, the speaker and the listener. Unfortunately, just because one party is willing to speak doesn't mean the other party is able to listen. Store-and-forward communication is one way to handle that issue. This isn't a new phenomenon. Store-and-forward communication is any exchange in which information is temporarily kept or stored at an intermediate point. The information continues or is forwarded when the next intermediate point or the final destination is available.

This section covers many examples of how the store-and-forward technique is used for different communication methods. Some technologies such as voice mail and fax have been around for many years, while social networking site messages are more recent.

Voice Mail

Nearly everyone in the world has enjoyed telephone conversations. Telephones are commonplace in the home, office, and, with mobile phones, basically anywhere. Telephones provide direct communication between two people. The only challenge to that communication is both parties have to be available. When that isn't possible, there's still a need for communication. What you need then is voice mail.

Voice mail is a recording of the caller's voice and message. Voice mail is the store-and-forward solution to telephone communication. When the intended recipient isn't available, the caller leaves a message. The message is recorded and stored until the recipient is willing to receive it. Voice mail is a good example of communication using the store-and-forward method.

Voice mail doesn't have to be the consequence of a missed phone call. Sometimes a conversation isn't necessary and you only need to convey information, regardless of whether the recipient is available. You call someone's voice mail box directly and store your recorded voice message to be picked up later. By doing so, you can avoid a phone conversation.

Centralization of Voice Mail

Years ago, it was typical for only offices to have a voice mail system. That system was central to the organization or outsourced to the telephony provider. At home, it was more common to have an answering machine. Today, voice mail is routine for both office and personal telephone users.

Voice mail systems today are typically centralized on a voice mail server rather than on a dedicated device per phone number. Being centralized creates a voice mail system capable of several new features. For example, a centralized server can handle several connections at once and provide functions that were unavailable with the old-fashioned answering machine. Centralized voice mail services are available to both business and personal users, and they offer many advanced features.

Centralized voice mail systems today can provide features more advanced than were available on answering machines. You can send the same voice message to more than one telephone number. You can also forward messages you receive to a different voice mail box associated with another phone number.

Calling voice mail directly allows you to communicate a personal message even though the recipient is away or busy. For example, the recipient may be across several time zones. Voice mail provides the benefits of a direct, personal telephone conversation without the need for both parties' synchronized availability. Being centralized, voice mail systems provide additional, advanced features for distributing, transferring, and personalizing messages.

One voice mail-related service in particular is growing in popularity. This service converts received voice messages into text. The text is then sent via Short Message Service (SMS) to a designated phone number of your choosing. Many services that allow you to make voice calls over the Internet, such as Skype, provide the SMS option. The service can convert voice messages to SMS text messages that are also sent over the Internet. This is especially convenient for international callers. The SMS messages can originate from one of several different countries, keeping the SMS sending fee to a minimum, if not free. For example, a person who moved from the United States to Europe uses Skype with a U.S.-based number. SMSs are sent to a primary phone number in Europe. This allows inexpensive local calling for U.S. callers to leave voice messages. Meanwhile, the message is converted to an SMS text message at little or no cost to the person in Europe. Other providers of this service are YouMail and SpinVox, and the service is also available through some home cable and telephone service packages. You'll learn more about SMS later in this chapter.

Note

Many services also save voice messages to audio files, and then forward them to your e-mail address and/or make them available on a password-protected Web site.

Threats to Voice Mail

Voice mail can be intercepted, listened to, forwarded, or deleted—all without your knowledge. With store-and-forward communication, the information is stored out of your control and is available to anyone who gains access.

Other threats to voice mail include the ability to retrieve and listen to someone's messages, an attack on the owner's confidentiality. While in someone's voice message box, an attacker could send a message to another party, essentially spoofing the box holder's identity. This attacks the integrity of the system. Going further, an attacker need not abuse an existing voice mail box but can set up multiple, fake mail boxes.

Lastly, availability is threatened if an attacker has the capability to disrupt the voice mail system. This could be done by overloading it with messages. However, today's systems hold a significant amount of inexpensive storage space.

Voice Mail Risk Mitigation Techniques

The preceding risks can be reduced with a few defensive measures. Strong authentication is encouraged to mitigate the threat to confidentiality, for example. Enforcing authorization also may prevent an attacker from hijacking a valid voice message box. Additionally, a user's voice mail box may be accessible only from the desk phone. However, before an organization implements controls such as the last one, it should consider the balance between usability and security.

Methods of Messaging

E-mail

E-mail is written electronic communication between two or more parties. The sender finishes and submits the message. When the sender's e-mail client submits the message, the message is sent to the application's configured e-mail server. The sender's mail server then forwards the message to the recipient's mail server. This can happen directly, but more often involves a series of mail relays. Once the message is stored at the recipient's mail server, it remains there until the recipient retrieves it. This basic delivery flow is why e-mail is a primary example of store-and-forward communication.

E-mail clients at an organization will likely send e-mail to a server managed internally. A personal e-mail client at home or online might send it to the Internet service provider's (ISP's) local e-mail server. Although this description is oversimplified, only the specific protocol names and port numbers add complexity to the process. The concept of e-mail as a store-and-forward service is simple and straightforward.

E-mail is the perfect example of store-and-forward communication. You write an e-mail and send it to someone. E-mail is not direct communication. The recipient's e-mail client does not need to be open and running for the sender to send a message. It's much more likely that the recipient is not immediately available to read your message. Your message is stored in a location between you and the intended recipient. When the recipient is ready to open the message, the message is forwarded to the recipient's e-mail client.
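The relay chain described above leaves a record in the message itself: each server that stores and forwards the message prepends a Received header. The following added example (not part of the original chapter) reads those headers from a constructed message and reports which hops did not record a TLS-protected session; all host names and addresses are made up.

```python
import re
from email import message_from_string

# Constructed sample: every host, address and ID below is made up for illustration.
SAMPLE = """\
Received: from mx.example.net (mx.example.net [203.0.113.7])
\tby mail.example.org with ESMTPS id c3
\tfor <bob@example.org>; Tue, 02 Mar 2010 10:00:09 +0000
Received: from relay.example.com (relay.example.com [198.51.100.4])
\tby mx.example.net with ESMTP id b2; Tue, 02 Mar 2010 10:00:05 +0000
Received: from alice-pc (unknown [192.0.2.10])
\tby relay.example.com with ESMTPSA id a1; Tue, 02 Mar 2010 10:00:01 +0000
From: Alice <alice@example.com>
To: Bob <bob@example.org>
Subject: Lunch?

See you at noon.
"""

# "with" keywords that record a TLS-protected SMTP/LMTP session (RFC 3848).
TLS_PROTOCOLS = {"ESMTPS", "ESMTPSA", "LMTPS", "LMTPSA"}


def _clause(keyword, header):
    """Return the token following 'from', 'by' or 'with', or None if absent."""
    match = re.search(r"\b%s\s+(\S+)" % keyword, header, re.IGNORECASE)
    return match.group(1).rstrip(";") if match else None


def trace_hops(raw_message):
    """Return the relay hops in the order the message travelled them.

    Headers written by servers you do not control can be forged, so only
    the hops added inside your own trust boundary are reliable evidence.
    """
    msg = message_from_string(raw_message)
    hops = []
    # Each server prepends its own Received header, so the list is newest-first.
    for value in reversed(msg.get_all("Received", [])):
        header = " ".join(value.split())  # unfold continuation lines
        proto = _clause("with", header)
        hops.append({
            "from": _clause("from", header),
            "by": _clause("by", header),
            "protocol": proto,
            # Only an explicit TLS keyword counts; a missing clause is
            # treated as an unprotected hop.
            "tls": bool(proto) and proto.upper() in TLS_PROTOCOLS,
        })
    return hops


def unencrypted_hops(raw_message):
    """List (sender, receiver) pairs for hops with no recorded TLS session."""
    return [(h["from"], h["by"]) for h in trace_hops(raw_message) if not h["tls"]]


if __name__ == "__main__":
    for number, hop in enumerate(trace_hops(SAMPLE), start=1):
        state = "TLS" if hop["tls"] else "CLEARTEXT"
        print(f"hop {number}: {hop['from']} -> {hop['by']} ({hop['protocol']}, {state})")
```

Even when every hop reports TLS, the message still rests unencrypted on each intermediate server, which is why the chapter treats stored copies as outside the sender's control.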

E-mail Threats

E-mail is widely used and depended upon by users, both personal and business. In addition, sending an e-mail to millions of people costs very little. Both of these factors make e-mail the prime vehicle for malicious behavior.

For users of e-mail there are many ways an incoming e-mail can fool, subvert, or attack the reader and his or her computer. Some attacks rely on the user to click on a link; other attacks only need to be rendered as a Hypertext Markup Language (HTML) e-mail. Still others just need to be read and believed. The following are some of the most insidious and prevalent attacks on your e-mail inbox today:

  • Pictures embedded with scripts—A picture file is attached or inserted in the message. This attack has become especially popular since March 2009. A malicious script is embedded in the picture file; when rendered, the system executes the script with elevated privileges. In the notorious case of the Microsoft vulnerability "integer overflow in GDI," the script could execute arbitrary code. This code might install new programs, create new users, or delete data.

  • Phishing—An illegitimate message posing as one from a legitimate organization, such as a bank or university. Especially common at the time of this writing are phishing attempts from social networking sites. The intent is to trick the user, perhaps to give the user's credentials or personally identifiable information.

  • 419 scam—A message preying on the reader's trust and greed. This attack relies only on the user's gullibility to follow instructions, such as "Send your banking details to receive 20% of a 6 MILLION DOLLAR inheritance, signed Yours sincerely, recently deceased Prince Farquah of Lagos, Nigeria."

  • Social engineering—A message taking advantage of the reader's desire to help or respond to authority. Phishing is a form of social engineering when a message seemingly from the IT department prompts users for their e-mail account password.

  • Referenced links from search engine results—A relatively new method to outsmart spam filters. The provided link doesn't go directly to the malicious domain, but instead presents a well-known search engine's link. The search engine link presents results that lead the reader to the spamming pages.

  • Phony patches—Messages carrying phony patches or linking to Web sites with patches. The patches are not genuine but are instead malware. The deceived user installs the malware, destroying local files or installing a backdoor Trojan to allow the attacker easy remote access and control.

  • Eavesdropping—E-mail, when sent without encryption, is subject to eavesdropping or unauthorized reading. Often this is not much more than an invasion of privacy, since the subject matter is hardly valuable to anyone besides the sender and recipient. Eavesdropping becomes a more significant threat, however, if the information is actively used. This leads to the last threat, spoofing.

  • Spoofing or forging—When an e-mail is sent under the guise of being from someone else, this is an invasion of privacy and integrity. If the recipient believes the message is from someone trustworthy or in authority, the impact is more damaging.

The preceding list describes e-mail threats that exist regardless of e-mail client, spam filter software, or other layered defenses. Most of the listed e-mail attacks are successful whether the message is in plaintext or HTML. However, the attractive presentation of e-mail has become more appealing to users. Rendering e-mail in HTML may look good, but the e-mail client uses the same code to display HTML-based messages as a Web browser uses to display Web pages. Those HTML-based messages are prone to the same attacks that take advantage of Web pages. Viewing messages in plaintext reduces your chances of becoming a victim of some e-mail attacks. For example, an attack relying on pictures embedded with a script is ineffective if the recipient uses only plaintext e-mail. Although e-mail has matured over the years, the threats remain remarkably simple and effective.
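The plaintext defense described above can be applied to an HTML message before it is shown to the user. The following added example (not part of the original chapter) renders a constructed HTML body as plain text: scripts are dropped, images are not fetched, every link's real destination is printed beside its visible text, and links whose visible text names a different host are flagged. All domains are made up.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample body; every domain below is made up for illustration.
SAMPLE_HTML = """\
<html><body>
<p>Dear customer, please confirm your account:</p>
<p><a href="http://login.example.net/confirm?id=1">www.example-bank.com</a></p>
<img src="http://tracker.example.net/open.gif" width="1" height="1">
<script>document.title = "x";</script>
<p>Or visit <a href="https://www.example-bank.com/help">our help page</a>.</p>
</body></html>
"""

# Anchor text that itself looks like a host name or URL.
HOST_LIKE = re.compile(
    r"^(?:https?://)?([a-z0-9-]+(?:\.[a-z0-9-]+)+)(?:[/:?#].*)?$", re.I)


def _bare_host(name):
    name = (name or "").lower()
    return name[4:] if name.startswith("www.") else name


class PlainTextRenderer(HTMLParser):
    def __init__(self):
        super().__init__()
        self.parts, self.links, self.images = [], [], []
        self._skip = 0       # depth inside <script>/<style>
        self._href = None    # href of the anchor currently open
        self._anchor = []    # visible text of that anchor

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag in ("script", "style"):
            self._skip += 1
        elif tag == "a":
            self._href, self._anchor = attrs.get("href") or "", []
        elif tag == "img":
            # Record the source but never fetch or decode the picture.
            self.images.append(attrs.get("src") or "")
            self.parts.append("[image not loaded]")
        elif tag == "br":
            self.parts.append("\n")

    def handle_endtag(self, tag):
        if tag in ("script", "style"):
            self._skip = max(0, self._skip - 1)
        elif tag == "a" and self._href is not None:
            shown = " ".join("".join(self._anchor).split())
            self.links.append((shown, self._href))
            self.parts.append(f" <{self._href}>")  # expose the real target
            self._href = None
        elif tag in ("p", "div", "li", "tr"):
            self.parts.append("\n")

    def handle_data(self, data):
        if self._skip:
            return  # script and style content is never shown
        self.parts.append(data)
        if self._href is not None:
            self._anchor.append(data)


def render_plaintext(html):
    """Return (plain text, [(visible text, href)], [image sources])."""
    parser = PlainTextRenderer()
    parser.feed(html)
    parser.close()
    lines = (" ".join(l.split()) for l in "".join(parser.parts).splitlines())
    return "\n".join(l for l in lines if l), parser.links, parser.images


def mismatched_links(links):
    """Flag links whose visible text names a host other than the real target."""
    findings = []
    for shown, href in links:
        claimed = HOST_LIKE.match(shown)
        try:
            actual = urlsplit(href).hostname
        except ValueError:
            actual = None
        if claimed and _bare_host(claimed.group(1)) != _bare_host(actual):
            findings.append((shown, actual))
    return findings


if __name__ == "__main__":
    text, links, images = render_plaintext(SAMPLE_HTML)
    print(text)
    print("mismatched:", mismatched_links(links))
    print("remote images not fetched:", images)
```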

E-mail Mitigation Techniques

A valuable defense against e-mail threats is user awareness. Still, other defensive measures are most effective when targeting a certain kind of attack or threat. Table 14-1 associates threats with effective mitigation techniques.

Fax

Traditional paper-fed faxes are a blend of telephone, copy machine, and scanner. A fax machine connects to a telephone outlet via a telephone cable. You feed your source document into the fax machine and enter the destination phone number. Once the fax machine connects with the receiving fax machine, the source document is scanned and transmitted. Some fax machines can scan the document and store it for transmission later. You simply enter the destination phone number, and then enter the date and time you want the fax to be sent. Although many faxes are successful on the first attempt, fax transmissions are susceptible to communications errors. It's not uncommon to have to resend a fax two or more times before the recipient receives the document. The bottom line is, faxes are slow, tedious, and more error-prone than e-mail.

Table 14-1. Threats and mitigation techniques.

THREAT                                                   MITIGATION TECHNIQUE
Phishing and social engineering, e.g., 419 scams         Increase user awareness of these threats
Eavesdropping                                            Implement encryption
Spoofing or forging                                      Add non-repudiation with digital signatures
Pictures with embedded scripts                           Use plaintext e-mail or ensure antivirus is up-to-date
Referenced links to malicious sites and phony patches    Use plaintext e-mail, increase user awareness, and use modern spam filtering

There are alternatives to paper-fed fax machines. Online services and software from companies like eFax, MyFax, and FaxAway permit electronic faxing. These solutions are for both business and personal use. With software or online services, sending a fax is either free or very inexpensive per fax transmitted. Many online fax services integrate your e-mail service with the ability to send and receive faxes. Being digital, the quality is not diminished from the original scan or fax. Lastly, it's more environmentally friendly than handling additional paper and ink.

Fax technology predates e-mail by several years. Faxes are not necessarily obsolete—organizations still accept and rely on fax communication. Because faxes generally use paper at both sending and receiving ends, organizations rely on faxes primarily when a person's signature is needed. This is true even today when digital signatures and other non-repudiation techniques are available.

Fax Threats

The most significant threat to traditional faxes is not technological, but physical. The confidentiality of your fax is uncertain as soon as the fax is sent. Sending a traditional fax is not like sending an e-mail. The e-mail goes directly to a particular e-mail address, which most likely is limited to one person. The fax, however, goes to a phone number, most likely one machine shared by many users. The lack of confidentiality is due to the sender not knowing where the machine is located or who has access to it. When you send a fax, you must trust the physical security of the recipient's machine. Another problem with traditional faxes is human error. If you inadvertently enter the wrong fax number, your document may be received by an unknown party and is then out of your control. This can be a serious problem if you are sending highly confidential information, such as a patient's medical information or the bank records of a person applying for a loan.

Another important threat is the disposal of fax machine hardware. Hard drives are not uncommon in fax machines, especially in combination fax and printer devices. Unless explicitly configured not to, the hard drive might store copies of every fax scanned and received. The drive may contain the last few hundred print jobs as well. When the fax machine is discarded or donated, administrators must securely destroy or delete information from the hard drive. Unless the administrator wipes the hard drive of all data, an unauthorized person can easily discover the faxes.

Fax Mitigation Techniques

Mitigation of these risks focuses on access and accountability. For fax machines and electronic fax systems, consider having a designated, trusted person in charge of receiving and sending faxes. This introduces a high level of accountability and control.

If that's not possible, consider using an access code. A person would enter the code on the fax machine itself, provided the machine offers this security feature. This also permits accountability to a few trusted employees. Better still, assign a unique personal identification number (PIN) per employee. Unique credentials also work well with electronic fax systems for tracking purposes.

For discarded machines, the appropriate policy should mandate the destruction or secure wiping of any hard drives. That policy would most likely be part of the organization's asset management policy.

Social Networking Site Messages

A social networking site exists to create and maintain connections with people. This is like networking in the real world, for example at a conference or cocktail party.

Connecting with people and the people connected to them offers new opportunities personally and professionally. Examples range from finding a new job, a new relationship partner, or a new friendship to reuniting with lost friends. The added value of a social networking site is being able to socialize without being physically close.

A popular feature of social networking Web sites is the ability for users to leave messages for friends to read later. A user can create and send a message, even though the other user is not readily available to read it. This is a classic example of store-and-forward communication as the message is centrally stored for retrieval at a later time.

If you're on Facebook, perhaps the most popular social networking site, you're already aware of the Web site's use of store-and-forward communication. All the messages left on a user's Facebook "wall" are created, transmitted, and stored centrally on Facebook's servers. Once the recipient or anyone with access to the recipient's wall logs on, the message is forwarded for viewing.

Social networking sites rely on the store-and-forward method for communication. Some social networking sites boast of members' long and frequent visits. However, no visitor can be available all the time. Despite Facebook's boasted popularity, everyone has a life offline.

Typically, a social networking Web site offers ways to secure site messages. Some, however, have more convoluted ways to maintain privacy than others. The temptation for such Web sites is to keep your information open and freely accessible to everyone for the benefit of more targeted marketing. While this may be understandable for personal likes and dislikes, even private site messages are victims of poor security.

Site Messages Threats

Users should be wary of how much private information they divulge on social networking sites, regardless of what privacy settings seem to protect. As social networking sites become more complex, it becomes more difficult for them to adequately protect users' information. At the time of this writing, for example, users' messages on Facebook were exposed.

Site Messages Mitigation Techniques

The safest way to avoid the threats mentioned above is not to use site messages at all. For many, that's not a reasonable option. The next best defense is to strictly monitor what is said. For personal use, you should write only what you would not mind sharing with a much wider audience, be it friends, family, or strangers.

For business use, the need to restrict the content becomes more important. Never divulge intellectual property or any information that would be harmful if exposed outside the organization. The business user should complete user awareness training and understand that messages are transmitted out of organizational control. In fact, the terms and conditions statements of popular social networking sites state explicitly that all user-submitted content becomes the property of that Web site.

Real-Time Communication

Real-time communication is communicating "live." When you're talking with your friend or coworker who is standing in front of you, that's live. Talking face-to-face is the most personal, immediate method of exchanging information. Of course, not everyone is available for face-to-face discussion.

Often when you need to communicate in real time with someone, having a face-to-face chat is not feasible. The primary reason is likely the distance between you and the other person. Another reason is that you or that person is occupied with another activity.

Does this mean you can't communicate real-time with that person? No. Being busy with another task doesn't preclude communication for the short term. Any distance between two people can be conquered by technologies available today.

Real-time discussion can be enjoyed provided the technology allows you and your conversation partner to exchange dialogue within a reasonable latency. Many of those technologies are discussed in the following sections.

Table 14-2. Available attacks given physical access to a telephone.

ATTACKS              AFFECTING
Denial of service    Availability
Spoofing             Integrity
Eavesdropping        Confidentiality
Wiretapping          Confidentiality

Telephone

The telephone is the most popular method of real-time communication discussed in this section. Aside from face-to-face conversation, this is the oldest tool. You don't need to think twice about having a real-time discussion with your friend just because your friend happens to be elsewhere. When your manager needs to speak with you, does she wait until you're within sight? No, she calls you right away. Lastly, among business partners and stakeholders, the telephone offers the opportunity for direct and immediate dialogue. All this happens without arranging cross-country flights and scheduling meeting times. A conference call can bring people all over the globe together in the same real-time discussion.

Telephone isn't limited to real-time audio exchange. Today, many organizations also have the capability to have video conferencing phone calls. An organization that offers video conferencing might have a dedicated meeting room set up with a screen and mounted projector, which is integrated with video phone conferencing equipment.

Telephone Threats

The main threat to a telephone is physical access by a malicious user. Unlike an organization's business-critical servers, the telephone is highly accessible, as one likely exists on every desk. All an attacker has to do is be there, pick up a phone, and dial. This can result in several threats, shown in Table 14-2.

An ill-natured person can abuse telephone access by making unauthorized calls, incurring long-distance charges. This isn't as high a concern today now that telephone rates are much lower than they once were.

Telephone Mitigation Techniques

The primary way to mitigate most of the risks above is to require employees to log on to their phones. If a phone will be unattended for an extended period of time, for example, when an employee goes on holiday, then the phone must be logged out. A residual risk would be wiretapping.

Presence/Availability

Information about your presence and availability is as real-time as it gets. The two terms can easily be confused as synonyms, but there are important differences. Presence speaks to accessibility, while availability speaks more to the willingness to communicate.

Recall the reference to your coworker at the beginning of the store-and-forward section. You stopped by her cubicle but she was occupied on the phone. Therefore, you immediately knew she was present but not available.

This is obvious when the coworker is near, but not so if the coworker is in the adjacent building or halfway around the world. Providing, tracking, and reporting on presence and availability solve this problem.

Note

Microsoft reports that the newest version 9 of Windows Live Messenger Service now supports MPOP. The company's Web site states the "enhanced presence model aggregates a user's presence status from multiple endpoints, which can include IP phones, Office Communicator, Office Communicator Web Access, or Office Communicator Mobile."1

For the most part, the typical level of reporting presence is limited to status updates on an application. Whether that application is Microsoft Office Communicator reporting "Away" or your status on Facebook being reported as "Offline," your status is governed by that application alone. When your status reports to an online peer that you're away, does it mean that you are inaccessible? Probably not. You probably have your phone on, or you might be logged on to a different computer.

Today, presence reporting is beginning to aggregate presence information from multiple devices. The term coined for this is Multiple Points of Presence (MPOP).

Benefits of Presence and Availability

The benefits are immediate to both you and people who have access to the information. If a project manager has a quick question, she might note a project team member's availability. Rather than draft an e-mail and wait for a response, she can immediately contact the person for a one-minute conversation. Some managers second-guess allowing their direct reports to telecommute given the "out of sight, out of mind" mentality. When an employee's presence and availability are immediately viewable, the manager's doubt is removed.

Without availability monitoring, coworkers cannot be certain they will be successful if they start an impromptu conversation. The uncertainty comes from not knowing if a coworker is free, in a meeting, on the phone, away from the desk, or otherwise unavailable. When availability is always monitored, peers can be more certain. Availability information can save coworkers time and increase their productivity.

Issues with Presence and Availability

However, you might already see a few potential issues with tracking presence and availability. First is general privacy. Perhaps someone does not want to alert others constantly that he or she is available. For example, a coworker might casually ask you why you were available at 2:30 in the morning. That could be annoying.

Perhaps the information is suitable only for some people some of the time. For example, you likely don't want to alert your manager that you are available on the network at 11 p.m. on Friday. Having your manager call you after 11 p.m. on a Friday could definitely be annoying.

Therefore, one issue with applications presenting your presence is being able to segregate the audience. Whether you are available may depend on the topic of the discussion. Similarly, you may not want your neighbor to contact you at work. However, segregating the need to know by audience is not a feature of presence and availability applications. Instead, how audiences are segregated is largely determined by the social network presenting your availability. For example, your manager likely will not monitor your availability on Facebook.

In general, alerting others to your immediate availability helps increase productivity. Fellow workers know you are immediately accessible to answer a question or to help resolve a problem. You also may benefit personally and professionally.

Instant Messaging Chat

Instant messaging is another real-time method of communicating. Unlike the audio dialogue of a telephone conversation, instant messaging is text-based dialogue. The exchange is similar to talking on the telephone, but the conversation is not as quick.

Although the communication method is considered real-time, there is some lag or latency with instant messaging. It is not uncommon for users to perceive a delay during the exchange of one or two seconds. The user perceives the lag during sending the message, transmission, and receiving a response.

The amount of latency varies, depending on a few factors. For example, latency differs by the instant messaging client used and the different networks the message traverses. This might be especially so in the corporate environment as instant messages (IMs) are relayed across application gateways in the LAN-to-WAN Domain. Latency also occurs when one of the users is busy with other tasks or is juggling several instant message conversations at once.

Note

The seven domains of a typical IT infrastructure, which includes the LAN-to-WAN Domain, were discussed in Chapter 5.

Instant Messaging Threats

Instant messaging carries multiple serious risks that go beyond similar risks in e-mail or voice communications. Unlike several commercial e-mail clients, few, if any, instant messaging clients offer secure IM communication. Threats instead must be mitigated by using layered defenses external to the client.

Threats to IM span risk to availability, integrity, and confidentiality. Availability-related threats are similar to others discussed throughout this chapter, chiefly, denial of service (DoS) by flooding a user's IM client with messages. The messages could originate from one or several sources, making it difficult for the recipient to block the unwanted traffic.

Integrity comes into question when the flood of messages seems to originate from a user's known contacts. This is possible since IM messages can be spoofed as easily as any other communication technology. IM clients lack any strong mechanism for authentication, since your "buddy list" or "friends" are automatically trusted from the initial connection.

Confidentiality is also a problem because IM traffic is not normally encrypted unless a special IM client specifically encrypts it. The Trillian IM client, for example, offers encryption in both the free and paid versions.

Perhaps the foremost threat inherent to IM is the immediate delivery of uniform resource locators (URLs). This includes sharing of URLs to malicious Web sites. Instant messaging permits sharing of URLs easily, without any automated filtering.

Instant Messaging Mitigation Techniques

Strengthening user awareness is the first and foremost way to address weaknesses in integrity and confidentiality. The more a user understands the dangers of clicking on URLs sent by IM, the fewer instances of instant delivery of malware there will be.

SMS Text Messaging

Short Message Service (SMS) gives users the ability to send and receive short text messages via cellular phones. The qualifier "short" is based on the limited length of a message. An SMS message is limited to 160 characters when using seven-bit characters or 140 eight-bit characters.
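Both limits above describe the same 140-octet payload: 160 seven-bit characters occupy 160 × 7 = 1,120 bits, which is exactly 140 octets. The following added example (not part of the original chapter) packs seven-bit characters into octets and checks whether a message fits in one SMS; as a labelled simplification it accepts only the characters whose GSM 7-bit code matches ASCII, not the full GSM alphabet.

```python
# Characters whose GSM 7-bit default-alphabet code equals their ASCII code.
# Simplification for this example: the full alphabet also contains accented
# and Greek letters plus an escape table, none of which are handled here.
GSM7_ASCII_SUBSET = set(
    "\n\r !\"#%&'()*+,-./0123456789:;<=>?"
    "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
)

MAX_PAYLOAD_OCTETS = 140  # user-data size of a single SMS


def pack_septets(text):
    """Pack 7-bit characters into octets, least-significant bit first."""
    bad = [c for c in text if c not in GSM7_ASCII_SUBSET]
    if bad:
        raise ValueError(f"outside the simplified alphabet: {bad!r}")
    acc = 0
    for index, char in enumerate(text):
        acc |= ord(char) << (7 * index)  # septet i starts at bit 7*i
    return acc.to_bytes((7 * len(text) + 7) // 8, "little")


def unpack_septets(data, count):
    """Recover `count` characters from packed octets.

    The count is required because padding bits in the last octet cannot be
    told apart from a trailing all-zero septet.
    """
    acc = int.from_bytes(data, "little")
    return "".join(chr((acc >> (7 * i)) & 0x7F) for i in range(count))


def octets_needed(text, seven_bit=True):
    """Payload size of the message under seven-bit or eight-bit coding."""
    if seven_bit:
        return len(pack_septets(text))
    return len(text.encode("latin-1"))  # eight-bit data: one octet per character


def fits_single_sms(text, seven_bit=True):
    return octets_needed(text, seven_bit) <= MAX_PAYLOAD_OCTETS


if __name__ == "__main__":
    print(pack_septets("hellohello").hex())
    for length in (140, 141, 160, 161):
        message = "A" * length
        print(length, fits_single_sms(message), fits_single_sms(message, seven_bit=False))
```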

One primary vulnerability with the security of SMS messages is the vulnerability of the user's mobile phone. Mobile phones are easily lost or stolen. Loss of the phone means loss of the messages. Compounding the risk is the fact that users rarely take the time to purge their message inbox of old messages.

Another vulnerability related to SMS messaging involves sending a specially crafted SMS message. As written about and demonstrated at prominent conferences, this vulnerability might provide an attacker with the ability to corrupt or even control a phone. The attacker, using presently available tools, can send a maliciously formed SMS text message to the target's phone. Once in control of the phone, the attacker may wish to send an SMS that, by virtue of the sending phone, grants authority and authenticity to the message. The possibilities are covered in the next section.

SMS Threats

The primary vulnerabilities concerning SMS messaging are in transmission and delivery. The risks of the most common attacks are with confidentiality and integrity. Although SMS delivery is not guaranteed, availability is not so much a concern.

Confidentiality is a problem with SMS messaging because encryption during transmission is optional. With encryption, messages are difficult to intercept and read while being delivered over the cellular network. Without encryption, an attacker can more easily eavesdrop on messages. The risk of insecure transmission is worse while the user is roaming. When a user is roaming, delivery of SMS messages is likely to involve the Internet for part of the way. SMS messages along the Internet are subject to far greater risk of interception.

The worst threat known to date involving SMS is SMS spoofing. Spoofing means someone is impersonating the legitimate user and sending SMS messages. The result depends upon the message and the original user. Considering the implicit trust we place in an SMS message coming from whom it says it is from, the impact is significant. The attack, although relatively new, is remarkably easy to carry out. Tools and services exist online. For example, one service makes caller ID spoofing available for low-cost purchase of "spoofing minutes" that you can use to spoof SMS texts, phone calls, and e-mail messages.

MMS Messaging

Multimedia Messaging Service (MMS) is an extension of SMS. While SMS allows you only to send text messages, MMS allows you to attach audio, images, or video. Extending simple text messages to include multimedia lets you make a much richer message. However, with richer features come greater security risks.

Differences Between MMS and SMS

The names Short Message Service and Multimedia Messaging Service suggest the two are closely related. Technically, however, the two are very different in how service providers deliver the two types of messages.

Recall that SMS text messages are limited to 160 characters. For the most part, service providers send these 160-character messages effortlessly, and the service provider's cost is null. This doesn't explain the relatively high fees imposed on sending an SMS, averaging $1 per 10 messages, but that issue is not addressed here. The method of delivery for SMS and MMS messages is also different. SMS messages are delivered purely by the cellular network, as noted above, with one exception. When a user is roaming outside their domestic network, SMS messages might be delivered using the Internet between SMS relays.

On the other hand, MMS messages likely use the Internet for delivery. This largely depends on whether the MMS message stays within the user's cellular service provider's network or hops between cellular networks. Messages with multimedia first convert the attached multimedia into a format not unlike MIME or e-mail messages. Encoding formats are described in great detail in the Multimedia Messaging Service Encapsulation Protocol specification available from the Open Mobile Alliance.

Content Adaptation

The MMS specification details the many conditions and restrictions on how multimedia messages are handled. However, the specification does not restrict much of how phones produce the content. Given the rather limited processing power and screen size of mobile phones, their content must be adapted. To handle this issue, mobile phone vendors and mobile phone operating systems have created a variety of methods for content adaptation. Content adaptation is how mobile phones handle Web and multimedia content intended for more powerful systems with larger screens.

The real challenge, however, isn't how the different vendors handle this task but whether their techniques are compatible with each other. As a result, the content produced by one vendor's mobile phone and adapted by that user's cellular service provider might not be rendered correctly on another user's mobile phone on a different service provider.

Delivery

The delivery guarantee for MMS messages also differs from that for SMS. SMS or text messages are delivered as "best effort" and are not guaranteed. It's a rare case that a message doesn't actually make it. However, if an SMS is lost in delivery and fails to reach the recipient, the sender will not be aware of the failure unless it's specifically requested. On the other hand, if an MMS message attempts but fails to be delivered, the sender will be notified of the failed attempt.

Tip

If you would like to know ahead of time if your SMS text was delivered, you can precede your message with *0# or *N#. Then you will get a delivery report that will confirm whether your message reached the recipient.

MMS Threats

End devices that can deliver and receive messages are exposed to threats. Being able to handle multimedia-laden messages compounds the risk involved. In addition, mobile phones do not receive the same attention level as computers regarding vulnerability management. The time between identification of a viable threat and patches or updates to mitigate the threat is relatively high.

The most popular and easiest threats involve exhausting resources, such as a mobile phone's memory or bandwidth. Because of inherent insecurities in how MMS messages are handled, an attack exists that forces a mobile phone to exhaust its battery power as well.

Another attack, demonstrated by Collin Mulliner and Giovanni Vigna, two researchers from the University of California, shows that code can be injected remotely by an MMS message. The attack is confirmed by proof-of-concept code. That attack demonstrates two noteworthy threats:

  1. MMS messages can successfully carry remote code to be run at the end user's device.

  2. End-user devices will receive unsolicited MMS messages, by design, and properly execute injected code within the MMS multimedia.

It's uncertain now how to mitigate these threats, but mitigation will involve cooperative efforts between service providers and mobile phone vendors.

VoIP Threats

Voice over IP (VoIP) is a real-time service that allows voice telephone communications over an Internet Protocol (IP) network such as the Internet. Considering the abundance of low-cost IP network infrastructure, VoIP has become a popular low-cost or free alternative to traditional telephone use.

Threats to VoIP are a combination of two sets of threats: threats to any telecommunications service and threats to any system requiring general availability. In the former, attacks against VoIP systems are aimed at profiting or defrauding the service owner, depending on your perspective. For example, an attacker may make toll charge calls using the VoIP service, but the toll is to be paid for by the VoIP owner, not the caller. To facilitate this, an attacker may connect an unauthorized phone to the VoIP network. If access is granted without challenge, the attacker can freely dial anywhere any authorized caller can. Only with sufficient authentication can an organization mitigate this risk.

In the second set of threats, those toward availability, a VoIP system in a large organization is especially vulnerable to DoS attacks. Two reasons for this are the wide range of services offered and the wide range of protocols involved in delivering those services.

Regarding the range of services, consider how many different services a VoIP system offers. The VoIP equipment is composed of several specific sub-systems, each offering a particular feature. When an attacker performs a DoS attack against even one or a few of those sub-systems, the entire functionality of the VoIP equipment might fail.

Regarding the complexity of protocols, the range of services requires a complex set of protocols. Some of those protocols include Session Initiation Protocol (SIP), H.323, Media Gateway Control Protocol (MGCP), IP, and Real-time Transport Protocol (RTP). Each protocol introduces its own set of vulnerabilities and risks. If any of those protocols, or services behind it utilizing the protocol, is not kept up to date and secured, the respective service can be denied. Again, as with the range of services, if one key service is rendered unavailable, the VoIP service as a whole might be made unavailable.

Telephony/Private Branch Exchange (PBX) Communication Security Best Practices

PBX administrators must take the necessary precautions and exercise due diligence like administrators of any other system. PBX or private branch exchanges are not new technology. PBXs are the central router or switching device for handling telephony traffic. That includes voice telephone, fax, and modems. Some of the more modern PBX systems might also handle VoIP and other SIP traffic.

PBXs are as prone to malicious behavior as any other equipment and, given the wide range of valuable data crossing through them, PBXs make an attractive target. However, if you do your due diligence, you can secure a PBX with relatively high confidence. Further securing the PBX might require vendor-specific configuration changes. Some of the best practices for securing a PBX are:

  • Physical security—The PBX should be physically isolated and protected from unauthorized users.

  • Remote management capabilities—Virtually any PBX allows the administrator to manage the device remotely. Disable these capabilities if not used. If used, protect them by changing the default password, if any. In addition, any local physical ports are a security risk if they are not routinely used.

  • Remote management—Remote management is done via the Internet, likely via Telnet or File Transfer Protocol (FTP). Those protocols are insecure, sending your authentication "in the clear" or using no encryption. To ensure confidentiality, instead use secure alternative protocols, if the option exists. You may also tunnel them through a VPN. Consider using an isolated virtual local area network (VLAN) specific for device management.

  • Training and administration—Maintaining the PBX doesn't happen frequently. Likewise, many systems administrators are unfamiliar with PBX administration. Therefore, poor configuration and inadequate training are commonplace. The person most familiar with administrating the PBX should take the time to document lessons learned with that PBX. For example, documenting the most frequent problems and common configuration changes can save a lot of time for junior PBX administrators.

  • Document control—Documents for the PBX, such as operational procedures, policies, and configuration settings, are too valuable to leave lying around. Keep them securely protected when they're not needed.

  • Denial of service (DoS)—Many attacks do not take control of a PBX system but consume all its resources. This robs availability of the PBX or at least limits its functionality to legitimate users. Mitigate the risk of DoS attacks by filtering service requests to trusted networks, keeping device software up to date, and enabling only necessary features and services.

In summary, the PBX is a central, necessary piece of equipment for any organization. Because more and more services are available through the common PBX, the device is a strong target for attacks. While many attacks exist, security can be achieved with defense in depth, due diligence, and awareness.

VoIP Communication Security Best Practices

Threats concerning voice over IP (VoIP) technology were discussed earlier in the chapter, in the real-time communications section. As popular as VoIP has become, it's important to implement best practices with VoIP. The primary reason for having VoIP capability is for the user. To have a successful VoIP capability, the user must perceive the expected level of quality—few or no dropped calls, and little to no latency, for example. Security best practices must be implemented to preserve that quality.

VoIP Planning Best Practices

Some top best practices related to introducing and implementing VoIP phones are:

  • Weigh the network impact—Assess the organization's ability to handle the additional load.

  • Train users—Develop and distribute adequate training for users to adapt to and make use of the new technology.

Before an organization decides to implement VoIP, all costs must be considered. The network impact, user training, and security risk mitigation techniques discussed in the next section all factor into the total costs.

VoIP Implementation Best Practices

Some best practices relevant to maintaining VoIP phones in the organization are:

  • Monitor capacity and usage—Capacity should not be pushed to limits by VoIP but only moderately affected.

  • Employ VPNs—Use encrypted traffic for VoIP traffic to avoid potential eavesdropping.

  • Segregate traffic from data network—Use VLANs or dedicated networking equipment to isolate VoIP traffic from data network attacks.

  • Protect traffic—Use VLANs to protect and prioritize VoIP traffic.

  • Isolate traffic—Use application-layer gateways or proxies in the LAN-to-WAN Domain.

  • Patching and antivirus—Always maintain a sound patching program and keep antivirus software and signature files up to date.

  • Detect and prevent—Install, tune, and staff intrusion detection and intrusion prevention systems.

Introducing VoIP devices to an organization's network means introducing a new attack vector. Prior to the new devices, the threat of VoIP attack posed no real risk. With VoIP devices on the network come the myriad vulnerabilities that accompany each new device. Mitigating the risk beforehand can save a lot of time and headache for administrators and potential downtime for users.

SIP Application (Unified Communications) Best Practices

Session Initiation Protocol (SIP) is the protocol used for managing communication sessions, particularly those involving multimedia, over the Internet. Some examples already covered in the chapter are instant messaging, presence information, and VoIP. Other examples of multimedia sessions are online gaming and streaming multimedia.

SIP allows the management of more than one multimedia channel at once, for example, a file transfer over the instant messaging client. SIP also controls sessions that are unicast, or client to client, as well as multicast, or single client to multiple clients at once.

SIP Features and Essentials

It's important to understand that SIP is only a signaling protocol, not an all-purpose communications protocol. Using the telephone as an analogy, SIP would govern how a telephone rings, connects, and hangs up. SIP would not provide, for example, what the telephone physically looks like, which features are included, or how users should communicate. Text-based SIP packets can be inspected directly by administrators using a protocol analyzer for troubleshooting.

According to Request for Comments (RFC) 3261, which fully describes SIP, the protocol provides five aspects in helping initiate or end a multimedia connection:

  • User location—Discovering and detecting the user to be reached

  • User availability—Finding out if both ends are available to hold the session

  • User capabilities—Finding out the type of media and parameters involved

  • Session setup—Notifying the end device or user agent, also known as "ringing," and setting up the parameters between both ends

  • Session management—Including session transfer and termination, altering parameters, and initiating related services.

SIP User Agents and Communication Between Them

A session of two SIP user agent clients (UACs) is controlled by the SIP protocol. Figure 14-1 shows how this works. In the figure, the two user agents are telephones starting and managing a peer-to-peer session.

Figure 14-2 shows how a session of three SIP user agents is controlled by the SIP protocol. The difference between this and Figure 14-1 is the additional SIP user agent (UA) acting as a SIP user agent server (UAS). The UAS acts as a proxy between the two user agent clients. Although SIP is a peer-to-peer protocol, it is more likely to have a proxy between two clients in real-world application. There might be several proxies between SIP user agent clients. In addition, a SIP session relies on the Real-time Transport Protocol (RTP), which streams audio or video in packets over an IP network. The Real-time Transport Control Protocol (RTCP) manages and maintains the quality of RTP.

Table 14-3. SIP response numbers and message examples.

SIP RESPONSE NUMBER | TYPE OF MESSAGE AND EXAMPLES
1xx | Information Message: 100 = trying, 180 = ringing
2xx | Successful Request Completed: 200 = OK
3xx | Call Forwarding: 302 = temporarily moved, 305 = use proxy
4xx | Error: 403 = forbidden
5xx | Server Error: 503 = server internal error
6xx | Global Failure: 606 = not acceptable

Figure 14-1. The SIP protocol controlling a SIP call session between two user agent clients.

Figure 14-2. The SIP protocol controlling a session with three SIP user agents.

SIP was created for use with other protocols to provide a complete multimedia delivery architecture, such as for streaming media. SIP is text-based and is similar to Hypertext Transfer Protocol (HTTP) and Simple Mail Transfer Protocol (SMTP).

Response messages are formed similarly to HTTP with a three-digit code. Table 14-3 shows various SIP response numbers and their meaning.

Implementation Best Practices

SIP with all its simple elegance is a vulnerable protocol and must be implemented with that understanding. After some due diligence, the SIP environment can be considered as secure as any part of the organization's network. The following is a list of best practices to follow before putting SIP into practical use.

  • Ensure the SIP infrastructure is included in the organization's patch program.

  • All SIP hardware should be running antivirus with consistently up-to-date definitions.

  • Employ application-level gateways in the LAN-to-WAN domain.

  • Enforce strong physical security to protect access to areas with SIP infrastructure.

  • Utilize VLANs to separate SIP traffic from the data network.

Warning

The SIP protocol is vulnerable to DoS attacks by a simple flood of INVITE requests to a user agent.

This list is not exhaustive. Other special conditions in any organization may warrant additional controls.

Having SIP devices and applications carries the same responsibility as having any other network asset. SIP infrastructures must be regularly tested and monitored to ensure no malicious traffic is in play. Further, devices dependent on SIP, such as VoIP phones, may suddenly experience dropped calls or extreme latency. The cause might be a DoS attack on SIP hardware.
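The monitoring described above can start from the fact that SIP is text-based: the following added example (not from the chapter) parses SIP start lines, groups responses by the classes in Table 14-3, and flags sources whose INVITE rate suggests the flood named in the Warning. The event tuple format, the 10-second window, the threshold of 5, and the sample capture are assumptions chosen for illustration.

```python
from collections import Counter, defaultdict, deque

# Response classes exactly as listed in Table 14-3 of this chapter.
RESPONSE_CLASSES = {
    "1": "Information Message", "2": "Successful Request Completed",
    "3": "Call Forwarding", "4": "Error",
    "5": "Server Error", "6": "Global Failure",
}

def parse_start_line(raw):
    """Parse the first line of a text-based SIP message.

    Returns ("request", method, uri) or ("response", code, reason).
    Raises ValueError on anything that is not a SIP start line.
    """
    first = raw.split("\r\n", 1)[0].strip()
    parts = first.split(" ", 2)
    if len(parts) != 3:
        raise ValueError(f"not a SIP start line: {first!r}")
    if parts[0].startswith("SIP/"):              # status line: SIP/2.0 180 Ringing
        code = parts[1]
        if len(code) != 3 or not code.isdigit() or code[0] not in RESPONSE_CLASSES:
            raise ValueError(f"bad status code: {code!r}")
        return ("response", int(code), parts[2])
    if not parts[2].startswith("SIP/"):          # request line: INVITE sip:... SIP/2.0
        raise ValueError(f"not a SIP start line: {first!r}")
    return ("request", parts[0], parts[1])

def summarize_responses(events):
    """Count responses per Table 14-3 class; a jump in 4xx/5xx is worth a look."""
    counts = Counter()
    for _ts, _src, raw in events:
        try:
            kind, code, _ = parse_start_line(raw)
        except ValueError:
            continue                             # ignore non-SIP or damaged packets
        if kind == "response":
            counts[RESPONSE_CLASSES[str(code)[0]]] += 1
    return counts

def detect_invite_flood(events, window=10.0, threshold=5):
    """Flag sources sending more than `threshold` INVITEs within `window` seconds.

    `events` is a time-ordered iterable of (timestamp, source_ip, raw_message).
    Returns {source_ip: timestamp at which the threshold was first exceeded}.
    """
    recent = defaultdict(deque)                  # source_ip -> INVITE times in window
    alerts = {}
    for ts, src, raw in events:
        try:
            kind, method, _ = parse_start_line(raw)
        except ValueError:
            continue
        if kind != "request" or method != "INVITE":
            continue
        seen = recent[src]
        seen.append(ts)
        while ts - seen[0] > window:             # drop INVITEs older than the window
            seen.popleft()
        if len(seen) > threshold:
            alerts.setdefault(src, ts)
    return alerts

def build_invite(call_id):
    """Build a minimal constructed INVITE (hypothetical helper for the sample data)."""
    return f"INVITE sip:bob@example.com SIP/2.0\r\nCall-ID: {call_id}\r\nCSeq: 1 INVITE\r\n\r\n"

# Constructed sample capture (documentation IP ranges, made-up Call-IDs).
SAMPLE_EVENTS = (
    [(0.0, "192.0.2.10", build_invite("a1@192.0.2.10")),
     (0.1, "192.0.2.20", "SIP/2.0 100 Trying\r\n\r\n"),
     (0.4, "192.0.2.20", "SIP/2.0 180 Ringing\r\n\r\n"),
     (2.0, "192.0.2.20", "SIP/2.0 200 OK\r\n\r\n"),
     (2.1, "192.0.2.10", "ACK sip:bob@example.com SIP/2.0\r\n\r\n")]
    + [(5.0 + i * 0.25, "198.51.100.7", build_invite(f"f{i}@198.51.100.7"))
       for i in range(8)]
    + [(7.5, "192.0.2.20", "SIP/2.0 403 Forbidden\r\n\r\n")]
)

if __name__ == "__main__":
    print(dict(summarize_responses(SAMPLE_EVENTS)))
    print(detect_invite_flood(SAMPLE_EVENTS))
```

In production the threshold would be tuned against each user agent's normal call rate, since a busy proxy legitimately relays many INVITEs from one address.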

CHAPTER SUMMARY

This chapter covered two types of communication: store-and-forward and real-time. For both types, the chapter provided several example technologies, along with their benefits and disadvantages. The types of threats and vulnerabilities are covered per technology as are some mitigation steps, where applicable.

The typical threat to real-time communication affects availability, while threats to store-and-forward communication center on confidentiality. These are the prevailing types of threats, but different threats affect either communication form in various ways.

KEY CONCEPTS AND TERMS

  • Content adaptation

  • Latency

  • Multimedia Messaging Service Encapsulation Protocol

  • Multiple Points of Presence (MPOP)

  • Presence and availability

  • Real-time Transport Control Protocol (RTCP)

  • Real-time Transport Protocol (RTP)

  • SIP user agent (UA)

  • SIP user agent client (UAC)

  • SIP user agent server (UAS)

  • Store-and-forward communication

CHAPTER 14 ASSESSMENT

  1. When information is temporarily kept at one or more middle points during transmission, that technique is called _____ communication.

  2. Which of the following describes Multiple Points of Presence (MPOP)?

    A. Aggregating multiple e-mail accounts to your current logged on account

    B. Aggregating presence information from multiple applications or devices

    C. Dividing voice mail to lessen the risk of eavesdropping

    D. Dividing MMS messages to separate text and graphics or video pieces

  3. Phishing, social engineering, and 419 scams are some of the threats encountered when using _____.

  4. Social networking site messages or chats can be considered very private and secure.

    A. True

    B. False

  5. Why are PBXs an attractive target to attackers?

    A. Several services depend on the PBX's operation.

    B. Numerous protocols are involved.

    C. The device is usually left out in the open.

    D. All of the above

    E. A and B only

  6. Store-and-forward communication is preferred over real-time communication in which environments? (Select two.)

    A. When delivery is unreliable

    B. When the destination is not always available

    C. When source and destination are not in the same country

    D. When low latency is critical

  7. Which of the following are primary threats inherent in fax machines? (Select two.)

    A. Fax machines are too heavy for safe lifting by one person

    B. Hard drives storing faxes are not wiped prior to disposal

    C. Fax paper is lighter weight, posing a larger risk of paper cuts

    D. Poor physical security leaves confidential faxes unprotected

  8. Which areas of concern are associated with SMS vulnerabilities? (Select two.)

    A. Availability

    B. Integrity

    C. Confidentiality

    D. All of the above

  9. SMS and MMS are primarily the same service apart from the addition of multimedia with MMS.

    A. True

    B. False

  10. Protocols such as SIP, H.323, MGCP, IP, and RTP are encountered when discussing which of the following?

    A. E-mail

    B. Voice mail

    C. VoIP

    D. Fax

    E. SMS

  11. This chapter discussed which issues brought on by adding VoIP devices to an organization? (Select two.)

    A. Performance issues: significantly more network traffic

    B. Security issues: new attack vectors and more vulnerabilities to deal with

    C. User-related issues: users require additional training and might be less productive

    D. Facility issues: finding the space to put the phones

  12. A networking method of segregating VoIP traffic from data traffic is _____.

  13. Select one way the SIP protocol does not assist with establishing a multimedia connection.

    A. User availability

    B. User location

    C. User capabilities

    D. User distance

  14. The SIP protocol manages multimedia sessions with features similar to how the telephone system dials, rings, and manages responses from phones.

    A. True

    B. False

  15. The SIP session request and response messages are formed similarly to _____ messages.

    A. DHCP

    B. DNS

    C. HTTP

    D. SNMP

ENDNOTE

1. "Multiple Points of Presence (MPOP)" (Microsoft TechNet, 2010). http://technet.microsoft.com/en-us/library/bb894388%28office.12%29.aspx (accessed May 19, 2010).
