ITS 4050 - Internet and Web Security
Chapter 13, Securing Personal and Business Communications
This lesson presents some material from chapter 13.
Objectives important to this lesson:
- Store-and-forward
- Voicemail threats
- E-mail and social networking threats
- Real-time communication
- Securing telephone and PBX communications
- Securing VoIP
Concepts:
Chapter 13
The previous chapter dealt with mobile communications, which covers a lot
of the communications most people use. This chapter discusses more
traditional communication channels. It begins with a poor example. You
want to talk to a coworker, but that person is busy. You leave a note
with another person who relays your message, and relays a reply to you
when it is available. This is meant to symbolize the passing of
information across routers that store the information until a path is
found that can be used to send it along its way to the intended
destination. The point that the text is trying to make is that there
are several kinds of communications that include this feature: storing
information until a path is available or until it is picked up by the
intended receiver.
- voicemail systems - Voicemail
is typically left when a voice channel to an intended recipient is not
possible, due to a hardware or availability issue. Systems may include
the capacity to convert a voice message to text or email, reducing storage
needs and cost. Voicemail systems are typically vulnerable to hacking
when users continue to use default passwords. They are vulnerable to
attack when attackers send email that looks like a voicemail notification,
but actually contains a malware payload.
- e-mail - The chapter presents a list of effective e-mail techniques
that have been used to defraud users and damage computers. These include
bank scams, malware posing as patches, and messages that
seem to be from trusted sources. You should always be in doubt
about the intentions of an e-mail sender. Don't enable HTML views because
they allow scripts to run.
- social network messaging - As I asked another class this week,
why are you on a social network site? The risks are unacceptable.
- real-time communication - The text lists several methods that
vary in immediacy. Telephone connections are typically fast, but not
without some delay. Text messages of various types are not immediate,
although users typically assume that they are. Video communications,
like audio channels, give the illusion of immediacy by providing a live
microphone on each end of the channel. The person on the other end seems
live because you can hear them while you are speaking to them. Regardless
of propagation delay, the illusion helps the users enjoy the experience.
The text mentions that some applications, Skype in particular, report
whether a person is available, and how long they have not been available
when they are tagged as busy or away. My experience is that the "time
away" reported by Skype is often very wrong. I have learned to
ignore the ridiculous numbers of minutes or days my staff are reported
as being away from their desks, and to rely more on the status light
showing that they are available or not.
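An added example (not from the textbook or these notes) for the voicemail and e-mail items above: a Python triage check that flags mail posing as a voicemail notification when its attachment is not audio, and flags any HTML part that carries script. The subject keywords, addresses, file names and sample messages are constructed assumptions.

```python
import re
from email import message_from_bytes, policy
from email.message import EmailMessage

# Assumed keyword list for voicemail-themed subjects; tune for your mail flow.
LURE_SUBJECT = re.compile(r"voice ?mail|voice message|missed call", re.I)
# Markup that lets an HTML part run code when it is rendered.
ACTIVE_HTML = re.compile(r"<script\b|<iframe\b|\son\w+\s*=", re.I)

def triage(raw: bytes) -> list[str]:
    """Return reasons a message needs review; an empty list means none found."""
    msg = message_from_bytes(raw, policy=policy.default)
    themed = bool(LURE_SUBJECT.search(str(msg.get("Subject", ""))))
    reasons = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        ctype = part.get_content_type()
        name = part.get_filename()
        # A voicemail-to-email gateway attaches audio, not documents or HTML.
        if themed and name and not ctype.startswith("audio/"):
            reasons.append(f"voicemail-themed mail with non-audio attachment {name!r}")
        if ctype == "text/html" and ACTIVE_HTML.search(part.get_content()):
            reasons.append("HTML part contains script or event handlers")
    return reasons

def make_sample(subject, attachment, **kind) -> bytes:
    """Build a constructed test message (not real traffic)."""
    m = EmailMessage()
    m["From"], m["To"], m["Subject"] = "pbx@example.com", "user@example.com", subject
    m.set_content("You have a new message.")
    m.add_attachment(attachment, **kind)
    return m.as_bytes()

# Constructed samples: a gateway-style notification and a look-alike.
GENUINE = make_sample("New voicemail from ext. 204", b"RIFF\x00\x00\x00\x00WAVE",
                      maintype="audio", subtype="wav", filename="msg204.wav")
LURE = make_sample("Voicemail notification: 1 new message",
                   "<html><script>document.title='x'</script></html>",
                   subtype="html", filename="VM_0001.htm")

if __name__ == "__main__":
    for label, raw in (("genuine", GENUINE), ("lure", LURE)):
        print(label, triage(raw))
```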
On page 343, the text turns to traditional Private Branch Exchange
(PBX) telephone systems, which may support voice traffic, fax transmissions,
modem traffic, and VoIP traffic. The observations in the text about protecting
such systems offer few new ideas. A quick Google
search on the topic gave me lots of results, but each was from
a vendor promoting their own products. The text suggests not allowing
remote management, protecting the servers' physical locations, and limiting
access to the operational documents for the system. Good advice for any
computer system, really.
The text spends a few pages considering specific Voice over IP
systems and Session Initiation Protocol systems. The material presented
is repetitive and not very helpful.