ITS 4050 - Internet and Web Security


Chapter 13, Securing Personal and Business Communications

This lesson presents some material from chapter 13. Objectives important to this lesson:

  1. Store-and-forward
  2. Voicemail threats
  3. E-mail and social networking threats
  4. Real-time communication
  5. Securing telephone and PBX communications
  6. Securing VoIP
Concepts:
Chapter 13

The previous chapter dealt with mobile communications, which covers a lot of the communications most people use. This chapter discusses more traditional communication channels. It begins with a poor example. You want to talk to a coworker, but that person is busy. You leave a note with another person who relays your message, and relays a reply to you when it is available. This is meant to symbolize the passing of information across routers that store the information until a path is found that can be used to send it along its way to the intended destination. The point that the text is trying to make is that there are several kinds of communications that include this feature, storing information until a path is available or until it is picked up by the intended receiver.

  • voicemail systems - Voicemail is typically left when connection to a voice channel to an intended recipient is not possible, due to a hardware or availability issue. Systems may include the capacity to convert a voice message to text or email, reducing storage needs and cost. Voicemail systems are typically vulnerable to hacking when users continue to use default passwords. They are vulnerable to attack when attackers send email that looks like a voicemail notification, but actually contains a malware payload.
  • e-mail - The chapter presents a list of effective e-mail techniques that have been used to defraud users and damage computers. These include bank scams, malware posing as patches, and messages that seem to be from trusted sources. You should always be in doubt about the intentions of an e-mail sender. Don't enable HTML views because they allow scripts to run.
    The text offers some advice about avoiding email scams:
    • phishing and social engineering - educate yourself and others about the threats
    • eavesdropping - encrypt your outgoing messages (has to be done on both ends)
    • spoofing and forging - use multi-factor authentication and nonrepudiation methods
    • steganographic images - either don't allow images in email (year, good luck with that) or update your antivirus and antimalware programs regularly
    • links in email to malicious sites - update your antivirus and antimalware programs regularly
  • social network messaging - As I asked another class recently, why are you on a social network site? The risks are unacceptable. The text offers links to information from Facebook, Instagram, LinkedIn, and Twitter about theirsecurity guidelines and recommended best practices.
  • real-time communication - The text lists several methods that vary in immediacy. Telephone connections are typically fast, but not without some delay. Text messages of various types are not immediate, although users typically assume that they are. Video communications, like audio channels, give the illusion of immediacy by providing a live microphone on each end of the channel. The person on the other end seems live because you can hear them while you are speaking to them. Regardless of propagation delay, the illusion helps the users enjoy the experience. The text mentions that some applications, Skype in particular, report whether a person is available, and how long they have not been available when they are tagged as busy or away. My experience is that the "time away" reported by Skype was often very wrong. I have learned to ignore the ridiculous numbers of minutes or days my staff are reported as being away from their desks, and to rely more on the status light showing that they are available or not. As you may know, Microsoft bought Skype and now calls it Teams. The availability information is not much improved.

The following video is a very professional presentation on scams from Symantec.


This video is from 2021, and it is quite relevant. It explains several scam techniques you may or may not have heard of. I have seen some of them myself, and have seen some people fall for them.


On page 343, the text turns to traditional Private Branch Exchange (PBX) telephone systems, which may support voice traffic, fax transmissions, modem traffic, and VoIP traffic. The observations in the text about protecting such systems offer few new ideas. A quick Google search on the topic gave me lots of results, but each was from a vendor promoting their own products. The text suggests not allowing remote management, protecting the servers' physical locations, and limiting access to the operational documents for the system. Good advice for any computer system, really.

The text spends a few pages considering specific Voice over IP systems and Session Initiation Protocol systems. The material presented is repetitive and not very helpful.

In the video below, David Bombal shows us how to capture VOIP traffic with WireShark.


 And at least this one talks about the conflict between two different vendors.



Assignments

  1. Continue the reading assignments for the course.
  2. This week you have a lab and part 9 of the project.
  3. Complete and submit outstanding assignments, things that are very late will be assigned a 0 per school policy.