VoIP is susceptible to the same types of attacks that threaten other network applications, but there are some potential new ones that focus directly on VoIP. David Endler, chairman and founder of the VOIP Security Alliance and director of security research for TippingPoint, spoke with Network World Senior Editor Tim Greene about VoIP security issues and what you can do to protect your assets.

What new VoIP threats do you see out there?

We saw the first voice phishing attack. It looks much like the traditional e-mail phishing attack except that, instead of tricking or inducing your victim to click on a spoofed link to take them to a Web site, you're actually tricking them to dial a phone number that takes them to a spoofed automated attendant.

If I can trick you into calling a number that you think is Bank of America, and I can mock up a VoIP system fairly easily with free tools, then I can ask you to enter in your account info and your PIN number and even some other verification like your Social Security number or your billing ZIP Code. Then the hacker can go in and reconstruct those tones after the fact and use them to access your account.

These aren't new scams, it's just voice over IP makes it a lot easier to perpetrate them in a widespread manner.

What can be done to combat voice phishing?

What you could do if you have a constant feed of these voice-phishing numbers is program them into your PBX as restricted numbers. So that way your users wouldn't necessarily be able to call these numbers back despite falling for the e-mail come-on.

Another thing is user education.

What other new threats have you seen?

The rest of them are more mischievous or not necessarily as financially motivated. Things like redirecting someone's incoming calls to yourself might become a problem. It requires some knowledge of what you are doing.

Registration hijacking is the way you would do that. The way these phones work is when I take my VoIP phone and plug in, the PBX knows that I am where I am basically by my IP address, and all incoming calls to me go to my office phone.

But if I go on the road and I take my phone or I use the softphone on my laptop, I'll want incoming calls to go there. Wherever I am, the phone will register. Registration hijacking is tricking the PBX into thinking that someone has moved and then having all their calls directed to the wrong IP address.