
Contact Us, New Web Site, and Why I “Dislike” Voicemail

I first wanted to mention that we finally have put up a contact page, so you can Contact Us and tell us that we are doing a good job, just say “Hi!”, tell us that we suck (be certain to accompany that with suggestions on how we can get better), or provide suggestions for the show. I’ve listed out Larry, myself, and the general podcast email separately. We love to hear from our listeners! I promise that I read every email that comes to me directly or to the podcast. If we don’t respond, it’s just because we are busy and it can be difficult to respond to each and every email, but we try, I promise!
Just a quick note on the web site: we are planning to get a new web site. This means a complete face-lift, better organization, more content, etc. If you have suggestions, please send them along.
I also just configured my voicemail on my new iPhone. I am using a service called YouMail (www.youmail.com), which I like very much. However, after some travel, I realized that I hate, okay hate is a strong word, “dislike” voicemail. Many of the reasons are security related, so I thought I would share them here:
1) There is no way to identify the caller – I could call you up and leave voicemail and state that I am your credit card company and you should call me right away at the following number. Since there is no way for you to prove that, some users may panic and call the number that I leave on your voicemail. This happens to me a lot: many people have called me and left voicemail stating that “I have seen malicious traffic coming from your network, please call me at once”. Why should I call you back and answer questions about my network?
2) Most voicemail systems rely on caller-ID for authentication – This is just wrong. Let’s start with the fact that caller-ID information can be spoofed VERY easily! Why would you rely on such a crude authentication mechanism? This would allow you to access a person’s voicemail, which could potentially contain sensitive information (such as some random person calling you up and leaving a message that states, “Hey, your web server at IP address x.x.x.x is compromised and they used a PHP flaw to do it”). Great, thanks. (And yes, that is just an example.)
3) It goes in clear-text – With VoIP becoming more and more popular, using voicemail to retrieve any kind of sensitive information is just plain silly. RTP (Real-time Transport Protocol) can be easily sniffed off the network, and so can DTMF. This means if I am listening, not only do I get to listen to you check your voicemail, but I get your PIN so I can go back and listen later. This is scary given that you may not control what information is left on your voicemail, because someone else is exposing the information for you.
4) It is difficult to store voicemail for long periods of time – I like to have a record of all email so I can go back and prove who said what. Such as, “Yes, we were hacked due to a weak password, here is a copy of the email where I suggested a password policy”. It’s hard to do this with voicemail, unless you have a system that will email you a WAV or MP3 file (Such as YouMail).
5) You can’t respond to voicemail – With an email, I can take it right off my to do list by simply replying to it. With voicemail, I have to try to call the person back, and then leave them a voicemail. But, if they are not around, we play phone tag. Then I have to leave my phone number on their voicemail, so now my information is held in someone else’s voicemail box!
6) It’s easy to misinterpret voicemail – I always get voicemail that I cannot understand, and it’s always the company name, person’s name, or phone number that goes missing. At least with email, I can read the phone number and not have to listen for it and play it back 8 times before I get the phone number.
7) It’s one more thing to check and receive to-dos in – It’s bad enough that I have email, instant messenger, and IRC to deal with, but voicemail too. I hope that as time goes on we will move away from voicemail as a communications mechanism. I like systems that will take the voicemail, do the speech-to-text conversion, and email it to me. However, that still does not let me respond to it via email :-(
8) The best protection that you get is a four-digit PIN – We’ve talked about this before, why are we, in today’s day and age, limited to a four-digit PIN for authentication!?!? A four-digit PIN is easy to guess, brute force, and just plain should not be used.
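Points 2 and 8 above are really one design question: what does the voicemail system accept as proof that you are the mailbox owner, and how much does a wrong guess cost the guesser? The following is an added example, not code from the original post or from any voicemail product. It models two access policies: a hypothetical `CallerIdTrustPolicy` that waives the PIN when the presented caller-ID matches the owner (the weakness described in point 2), and a hypothetical `PinWithLockoutPolicy` that ignores caller-ID, always requires the PIN, and locks the mailbox after a fixed number of failures. It also computes how much of the PIN keyspace a guesser can cover per lockout window, which is what turns a four-digit PIN from "easy to brute force" into "still weak, but bounded". All class and function names, the mailbox numbers and the PINs are constructed for the example.

```python
"""Added example: caller-ID trust vs. PIN-with-lockout for voicemail access.
Not from the original post; all names and values are constructed."""
import hmac
from dataclasses import dataclass
from typing import Optional


@dataclass
class AccessRequest:
    caller_id: str            # number presented by the network; trivially spoofable
    mailbox: str
    pin: Optional[str] = None # DTMF digits the caller keyed in, if any


@dataclass
class Mailbox:
    owner_number: str
    pin: str
    failed_attempts: int = 0
    locked: bool = False


class CallerIdTrustPolicy:
    """Weak policy (point 2): caller-ID matching the owner bypasses the PIN."""

    def authorize(self, req: AccessRequest, box: Mailbox) -> bool:
        if req.caller_id == box.owner_number:
            return True                       # no PIN asked for at all
        return req.pin is not None and hmac.compare_digest(req.pin, box.pin)


class PinWithLockoutPolicy:
    """Hardened policy: caller-ID is never consulted, a PIN is always required,
    and max_failures consecutive wrong PINs lock the mailbox until reset."""

    def __init__(self, max_failures: int = 5):
        self.max_failures = max_failures

    def authorize(self, req: AccessRequest, box: Mailbox) -> bool:
        if box.locked:
            return False                      # even the right PIN is refused
        if req.pin is not None and hmac.compare_digest(req.pin, box.pin):
            box.failed_attempts = 0
            return True
        box.failed_attempts += 1
        if box.failed_attempts >= self.max_failures:
            box.locked = True
        return False


def keyspace_fraction_per_lockout(pin_digits: int, max_failures: int) -> float:
    """Share of all possible numeric PINs a guesser can try before lockout."""
    return max_failures / (10 ** pin_digits)


def spoofed_caller_demo() -> dict:
    """Same spoofed request (caller-ID forged, no PIN) against both policies."""
    spoofed = AccessRequest(caller_id="5550001", mailbox="5550001")  # constructed
    weak_box = Mailbox(owner_number="5550001", pin="4821")            # constructed
    strong_box = Mailbox(owner_number="5550001", pin="4821")
    return {
        "caller_id_trust": CallerIdTrustPolicy().authorize(spoofed, weak_box),
        "pin_with_lockout": PinWithLockoutPolicy().authorize(spoofed, strong_box),
    }


def lockout_demo(max_failures: int = 5) -> dict:
    """Five wrong guesses, then the correct PIN: lockout must win."""
    box = Mailbox(owner_number="5550002", pin="7319")                  # constructed
    policy = PinWithLockoutPolicy(max_failures=max_failures)
    for guess in ("0000", "0001", "0002", "0003", "0004"):
        policy.authorize(AccessRequest("5559999", "5550002", guess), box)
    correct_after_lock = policy.authorize(
        AccessRequest("5559999", "5550002", "7319"), box)
    return {"locked": box.locked, "correct_pin_accepted": correct_after_lock}


if __name__ == "__main__":
    print(spoofed_caller_demo())
    print(lockout_demo())
    for digits in (4, 6):
        print(digits, "digits:", keyspace_fraction_per_lockout(digits, 5))
```

The lockout counter is kept on the mailbox, not on the caller-ID, because anything keyed to caller-ID can be reset by the guesser simply by presenting a different number. With a 4-digit PIN and a 5-attempt lockout the guesser covers 0.05% of the keyspace per window; moving to 6 digits makes that 0.0005%, which is the cheapest fix a provider can offer.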
Now, I’m off to check my voicemail…

Paul Asadoorian

Paul Asadoorian is currently the Principal Security Evangelist for Eclypsium, focused on firmware and supply chain security awareness. Paul’s passion for firmware security extends back many years to the WRT54G hacking days and reverse engineering firmware on IoT devices for fun. Paul and his long-time podcast co-host Larry Pesce co-authored the book “WRT54G Ultimate Hacking” in 2007, which fueled the firmware hacking fire even more. Paul has worked in technology and information security for over 20 years, holding various security and engineering roles in a lottery company, university, ISP, independent penetration tester, and security product companies such as Tenable. In 2005 Paul founded Security Weekly, a weekly podcast dedicated to hacking and information security. In 2020 Security Weekly was acquired by the Cyberrisk Alliance. Paul is still the host of one of the longest-running security podcasts, Paul’s Security Weekly, and he enjoys coding in Python & telling everyone he uses Linux.
