
Cisco Confirms Its VoIP Phones Spy On Remote Calls

Linda Leung

Cisco confirmed it is possible to eavesdrop on remote conversations using Cisco VoIP phones. In its security response, Cisco says: "an attacker with valid Extension Mobility authentication credentials could cause a Cisco Unified IP Phone configured to use the Extension Mobility feature to transmit or receive a Real-Time Transport Protocol (RTP) audio stream."

Cisco adds that Extension Mobility authentication credentials are not tied to individual IP phones and that "any Extension Mobility account configured on an IP phone's Cisco Unified Communications Manager/CallManager (CUCM) server can be used to perform an eavesdropping attack."

The technique was described by Telindus researcher Joffrey Czarny at HACK.LU 2007 in Luxembourg in October.

Cisco has published some workarounds to this problem in its security response.

Also in October, two security experts at hacker conference ToorCon9 in San Diego hacked into their hotel's corporate network using a Cisco VoIP phone.

The hackers, John Kindervag and Jason Ostrom, said they were able to access the hotel's financial and corporate network and recorded other phone calls, according to a blog on Wired.com.

The hackers ran their penetration tests with a tool called VoIP Hopper, which mimics the Cisco data packets sent at three-minute intervals and then switches to a new Ethernet interface, getting the PC (which the hackers had swapped in place of the hotel phone) onto the network running the VoIP, according to the blog post.

The Avaya configuration is superior to Cisco's, according to the hackers, because you have to send requests beyond a sniffer, although it can be breached the same way, by replacing the phone with a PC.


Cisco Gives Oracle 11g A Boost

Stephen Lawson

Cisco did its part for Oracle users as the OpenWorld conference opened Monday, announcing a protocol it developed with the software company for running Oracle databases over larger server clusters.

The two vendors developed the RDS (Reliable Datagram Sockets) protocol and will make it part of an industry-developed open-source software distribution called Open Fabrics Enterprise Distribution, said Pramod Srivatsa, a product line manager for Cisco server fabric switches. It is intended for Cisco switches using Infiniband high-speed data-center technology.

Growing data centers and demands for processing have driven the development of new forms of connectivity, such as Infiniband and 10-Gigabit Ethernet, between servers in data centers. But pure networking speed -- up to 20G bps (bits per second) in the case of Infiniband -- isn't all that's needed to make data centers run faster.

Enterprises that want to set up a very large deployment of the Oracle 11g database software once had to do it on a single large server, Srivatsa said. Oracle already offers RAC (Real Application Clusters) 11g software for distributing that deployment over multiple, smaller Intel-based servers running Linux. But that only works up to a cluster of about four servers, and RDS makes it more scalable, he said. RDS has been tested successfully with as many as 16 servers and is designed to work for clusters of as many as 64 using Infiniband, according to Srivatsa.

Infiniband is well-suited to Oracle database software because it has to quickly exchange many messages of varying sizes, Srivatsa said. Mellanox, which supplies some of Cisco's chips for Infiniband switches, helped develop RDS. In the future, customers will probably be able to use RDS with 10-Gigabit Ethernet too, Srivatsa said.

RDS was designed for clusters of servers in one data center, which could include blade as well as rack servers, he said. Customers of both Oracle and Cisco can request the software from the companies now and start testing it. Cisco will start providing RDS for commercial use in its Infiniband servers after it is certified by Oracle, probably next month, Srivatsa said.

On Tuesday, at the SC07 supercomputing conference in Reno, Nevada, Cisco introduced the SFS (Server Fabric Switch) 3504, designed to let enterprises connect blade servers running Oracle database software with traditional Fibre Channel storage-area networks (SANs). The switch connects to a blade or rack server using Infiniband and serves as a gateway to both an Ethernet LAN and a Fibre Channel SAN, Srivatsa said. In the case of blade servers, it helps IT departments do more with systems that typically have just one type of external connectivity, he said.

The SFS 3504 can be ordered starting later this month and is set to ship in December. The average starting list price, depending on configurations, will be US$150 per port.


Redefining Second Life

When Cisco Systems decided to enter the Second Life virtual world, things didn't turn out exactly as the network equipment supplier expected.

"We were quick. We got into Second Life and put up a big building with repurposed web content. It was a ghost town. Digital tumbleweeds," said Christian Renaud, head of Cisco's networked virtual environments.

It turned out people wanted to log on to Second Life to hang out with friends and play casual games, not visit a 3-D version of a corporate website.

It's an experience many companies that rushed to set up in Second Life have had in recent months, but rather than abandon its virtual homestead, Cisco changed tack.

"Two or three months in we bulldozed everything we'd done. It's now a place for meetings rather than repurposed web content," Renaud said.

Privately-owned Linden Lab is the operator of Second Life, which lets companies create open as well as private areas.

Instead of constantly swapping email or holding conference calls, Cisco employees around the globe can interact with each other, customers, partners or trainers in the company's Second Life offices.

Instead of declaring virtual worlds a failed experiment and pulling out, companies are rethinking their approaches, much as they did on the internet a decade ago, when websites began evolving from little more than a few pages with brochure-style photos and information.

Some $200 million in investment has flowed to virtual world companies over the past year, and many of the three dozen or so efforts are focusing on corporate uses.

"We know enterprise folks are looking at this primarily as a communication medium," said Chris Sherman, director of the Virtual World Conference that kicked off on Wednesday.

"The first iteration of virtual worlds saw Second Life as a platform of choice, for experimental purposes. Now in the second iteration we're seeing new platforms as well," Sherman said, referring to other virtual worlds.

The conference schedule reflects the shift, with sessions focusing on what went wrong with initial corporate forays into virtual worlds, how large businesses should use them, and how to manage employee behaviour in a medium where inhibitions can quickly melt away.

"There are things we need to do behind the corporate firewall. I don't want to have an HR discussion or a legal discussion in Second Life," said Ian Hughes, a virtual worlds promoter for IBM.

A virtual meeting space, Hughes said, is a good replacement for a telephone conference call, which typically has a lot of "dead" time at the beginning as participants dial in. A virtual meeting emulates a real one, giving people a chance to mingle.

Hughes reckoned that IBM, with 330,000 employees worldwide, could recover more than 9 years' worth of wasted time every week by replacing all conference calls with virtual meetings.

Examples of companies focused on the corporate aspect of virtual worlds include Forterra Systems, Millions of Us, The Electric Sheep Co, and Unisfair. Some help clients get set up in Second Life while others build boutique virtual worlds that may never get exposed to the public eye.

"If you create an island in a virtual world, you have to allocate a representative amount of money to drive people there. If not, there will be cobwebs in your space," said Brent Arslaner, head of marketing for Unisfair, which sets up virtual rooms for corporate meetings, conferences and training events.

The entertainment industry is also adapting, drawing up complex storylines that flit across television, computer and mobile phone screens.

The hit CBS show "CSI: Crime Scene Investigations" plans an episode later this month where a killer is pursued into Second Life. Viewers can continue the chase from within the world, or try a few other games related to the show.

"There's been a lot of negative press about Second Life lately," said "CSI" creator Anthony Zuiker. "I think that's because a lot of companies are cutting big checks into Second Life and there's no real application in mind."
