ITS 4050 - Internet and Web Security


Chapter 13, Securing Personal and Business Communications

This lesson presents some material from chapter 13. Objectives important to this lesson:

  1. Store-and-forward
  2. Voicemail threats
  3. E-mail and social networking threats
  4. Real-time communication
  5. Securing telephone and PBX communications
  6. Securing VoIP

Concepts:
Chapter 13

The previous chapter dealt with mobile communications, which covers a lot of the communications most people use. This chapter discusses more traditional communication channels. It begins with a poor example. You want to talk to a coworker, but that person is busy. You leave a note with another person who relays your message, and relays a reply to you when it is available. This is meant to symbolize the passing of information across routers that store the information until a path is found that can be used to send it along its way to the intended destination. The point that the text is trying to make is that there are several kinds of communications that include this feature, storing information until a path is available or until it is picked up by the intended receiver.

  • voicemail systems - Voicemail is typically left when a voice channel to an intended recipient is not possible, due to a hardware or availability issue. Systems may include the capacity to convert a voice message to text or email, reducing storage needs and cost. Voicemail systems are typically vulnerable to hacking when users continue to use default passwords. They are vulnerable to attack when attackers send email that looks like a voicemail notification, but actually contains a malware payload.
  • e-mail - The chapter presents a list of effective e-mail techniques that have been used to defraud users and damage computers. These include bank scams, malware posing as patches, and messages that seem to be from trusted sources. You should always be in doubt about the intentions of an e-mail sender. Don't enable HTML views because they allow scripts to run.
  • social network messaging - As I asked another class this week, why are you on a social network site? The risks are unacceptable.
  • real-time communication - The text lists several methods that vary in immediacy. Telephone connections are typically fast, but not without some delay. Text messages of various types are not immediate, although users typically assume that they are. Video communications, like audio channels, give the illusion of immediacy by providing a live microphone on each end of the channel. The person on the other end seems live because you can hear them while you are speaking to them. Regardless of propagation delay, the illusion helps the users enjoy the experience. The text mentions that some applications, Skype in particular, report whether a person is available, and how long they have not been available when they are tagged as busy or away. My experience is that the "time away" reported by Skype is often very wrong. I have learned to ignore the ridiculous numbers of minutes or days my staff are reported as being away from their desks, and to rely more on the status light showing that they are available or not.
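
The voicemail and e-mail items above describe mail that poses as a voicemail notification and HTML mail that can run scripts. The following is an added example, not from the textbook or the course, of a mail-filter check for both; the subject keywords, the extension list and the sample messages are assumptions constructed for illustration.

```python
import re
from email import message_from_string, policy
from email.message import EmailMessage

# Assumed heuristics: tune keywords and extensions to your own mail flow.
VOICEMAIL_HINT = re.compile(r"voice ?mail|voice message|missed call", re.I)
RISKY_EXT = (".exe", ".scr", ".js", ".vbs", ".htm", ".html", ".zip", ".iso", ".lnk")
ACTIVE_HTML = re.compile(r"<script\b|javascript:|\bon(?:load|error|click)\s*=", re.I)

def review_message(raw):
    """Return reasons a voicemail-themed message deserves a closer look."""
    msg = message_from_string(raw, policy=policy.default)
    if not VOICEMAIL_HINT.search(msg.get("Subject", "")):
        return []  # not voicemail-themed, so out of scope for this check
    reasons = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        name = (part.get_filename() or "").lower()
        ctype = part.get_content_type()
        if name and name.endswith(RISKY_EXT):
            reasons.append(f"attachment {name} has a risky extension")
        elif name and not ctype.startswith("audio/"):
            reasons.append(f"attachment {name} is {ctype}, not audio")
        elif not name and ctype == "text/html" and ACTIVE_HTML.search(part.get_content()):
            reasons.append("HTML body contains active content")
    return reasons

def build_sample(subject, html=None, attachment=None):
    """Construct a sample message (test data, not real traffic)."""
    m = EmailMessage()
    m["From"], m["To"], m["Subject"] = "pbx@example.test", "user@example.test", subject
    m.set_content("You have a new voice message.")
    if html:
        m.add_alternative(html, subtype="html")
    if attachment:
        name, maintype, subtype = attachment
        m.add_attachment(b"constructed", maintype=maintype, subtype=subtype, filename=name)
    return m.as_string()

SAMPLES = {
    "genuine": build_sample("New voicemail from ext. 204", attachment=("msg0001.wav", "audio", "wav")),
    "double_ext": build_sample("Voice message received", attachment=("voicemail.wav.html", "application", "octet-stream")),
    "scripted_html": build_sample("Missed call and voicemail", html="<p>Play message</p><script>/* constructed */</script>"),
    "unrelated": build_sample("Quarterly report", attachment=("notes.pdf", "application", "pdf")),
}

if __name__ == "__main__":
    for label, raw in SAMPLES.items():
        print(label, review_message(raw))
```

A genuine notification with an audio attachment passes cleanly, while the look-alike with a non-audio attachment or scripted HTML body is flagged for review.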

On page 343, the text turns to traditional Private Branch Exchange (PBX) telephone systems, which may support voice traffic, fax transmissions, modem traffic, and VoIP traffic. The observations in the text about protecting such systems offer few new ideas. A quick Google search on the topic gave me lots of results, but each was from a vendor promoting their own products. The text suggests not allowing remote management, protecting the servers' physical locations, and limiting access to the operational documents for the system. Good advice for any computer system, really.

The text spends a few pages considering specific Voice over IP systems and Session Initiation Protocol systems. The material presented is repetitive and not very helpful.

 

Assignments

  1. Continue the reading assignments for the course.
  2. This week you should be finishing work on your term project/final exam. I have set up a discussion for it, and points will be given for participation.
  3. Complete and submit outstanding assignments.