Items from the World Summit on the Information Society, contributed by Carl Landwehr (E58.Jan-2004)
World Summit on the Information Society, December 10-12, 2003
Contributed by Carl Landwehr, January 6, 2003:
The UN/ITU "World Summit on the Information Society" held in Geneva last month. It generated a
"Declaration of Principles" including "Building confidence and security in
the use of ICTs" (note: "ICT" = "Information and Communication
Technologies") as one of 11 "Key Principles" enumerated. Details below. For
the whole document, see:
www.itu.int/wsis/
B. An Information Society for All: Key Principles
...
5) Building confidence and security in the use of ICTs
36. While recognizing the principles of universal and non-discriminatory
access to ICTs for all nations, we support the activities of the United
Nations to prevent the potential use of ICTs for purposes that are
inconsistent with the objectives of maintaining international stability and
security, and may adversely affect the integrity of the infrastructure
within States, to the detriment of their security. It is necessary to
prevent the use of information resources and technologies for criminal and
terrorist purposes, while respecting human rights.
37. Spam is a significant and growing problem for users, networks and
the Internet as a whole. Spam and cyber-security should be dealt with at
appropriate national and international levels.
Voice over IP Security Flaws
Contributed by Richard Schroeppel, January 14, 2003:
Subject: Article: Critical flaws found in VoIP products using H.323 protocol
http://www.computerworld.com/securitytopics/security/story/0,10801,89041,00.html
Several critical vulnerabilities have been discovered in voice over
Internet Protocol (VoIP) and videoconferencing products based on the
H.323 protocol that's used in IP telephony applications to exchange
audio and video communications.
VoIP products from several vendors, including Microsoft Corp., Cisco
Systems Inc. and Nortel Networks Ltd., are affected by the flaws, with
risks including denial-of-service attacks and remote system
compromise, according to an advisory from Atlanta-based Internet
Security Systems Inc. (ISS).
The flaws were discovered by the U.K.'s National Infrastructure
Security Coordination Centre using a test suite designed by the
Finland-based Oulu University Secure Programming Group (OUSPG). The
OUSPG test suite was designed to identity flaws in the H.323 protocol.
A similar test suite developed by the OUSPG led to the discovery in
2002 of several implementation specific flaws in the Simple Network
Management Protocol.
According to Neel Mehta, a security researcher at ISS's X-Force group,
the vulnerabilities are the result of coding errors in the H.323
implementations from each of the vendors.
The vulnerabilities in Cisco's Internetworking Operating System (IOS)
software caused the biggest concern because of the widespread use of
the operating system on Internet routers, Mehta said.
According to a Cisco advisory, all of its products running IOS and
supporting H.323 packet processing are affected. "This may include the
Network Address Translation (NAT) components of Cisco devices, and
security features in Cisco devices such as Content-Based Access
Control," according to an ISS advisory.
Several other Cisco products that don't run IOS are also affected,
including Cisco CallManager Versions 3.0 through 3.3, Cisco BTS 10200
Softswitch and the Cisco 7905 IP Phone H.323 Software Version 1.00,
according to a statement from the company.
"The vulnerabilities discovered in the affected products can be easily
and repeatedly demonstrated with the use of the [test suite]" the
Cisco advisory said. It goes on to add that exploitation of the flaws
could result in denial-of-service attacks, system crashes and
performance degradation. Cisco in its statement announced several
fixes and work-around for the vulnerabilities.
In a similar advisory, Microsoft warned users of a critical
vulnerability in the H.323 filter for its Internet Security and
Acceleration Server 2000. Successful exploitation of the flaw could
allow attackers to take complete control of a compromised system, said
the Microsoft advisory.
In advising users to patch affected software immediately, Microsoft
also announced work-arounds that can block attacks. One of them is to
disable H.323 filters, thereby blocking H.323 traffic.
An advisory posted by the CERT Coordination Center at Carnegie Mellon
University in Pittsburgh listed more than 60 vendors whose products
could be affected by H.323 flaws.
19. We are resolute in our quest to ensure that everyone can benefit
from the opportunities that ICTs can offer. We agree that to meet these
challenges, all stakeholders should work together to: improve access to
information and communication infrastructure and technologies as well as to
information and knowledge; build capacity; increase confidence and security
in the use of ICTs; create an enabling environment at all levels; develop
and widen ICT applications; foster and respect cultural diversity; recognize
the role of the media; address the ethical dimensions of the Information
Society; and encourage international and regional cooperation. We agree that
these are the key principles for building an inclusive Information Society.
35. Strengthening the trust framework, including information security
and network security, authentication, privacy and consumer protection, is a
prerequisite for the development of the Information Society and for building
confidence among users of ICTs. A global culture of cyber-security needs to
be promoted, developed and implemented in cooperation with all stakeholders
and international expert bodies. These efforts should be supported by
increased international cooperation. Within this global culture of
cyber-security, it is important to enhance security and to ensure the
protection of data and privacy, while enhancing access and trade. In
addition, it must take into account the level of social and economic
development of each country and respect the development-oriented aspects of
the Information Society.
Story by Jaikumar Vijayan
JANUARY 13, 2004
COMPUTERWORLD