Items from the World Summit on the Information Society, contributed by Carl Landwehr (E58.Jan-2004)

World Summit on the Information Society, December 10-12, 2003

Contributed by Carl Landwehr, January 6, 2003:

The UN/ITU "World Summit on the Information Society" held in Geneva last month. It generated a "Declaration of Principles" including "Building confidence and security in the use of ICTs" (note: "ICT" = "Information and Communication Technologies") as one of 11 "Key Principles" enumerated. Details below. For the whole document, see:

B. An Information Society for All: Key Principles
19.     We are resolute in our quest to ensure that everyone can benefit from the opportunities that ICTs can offer. We agree that to meet these challenges, all stakeholders should work together to: improve access to information and communication infrastructure and technologies as well as to information and knowledge; build capacity; increase confidence and security in the use of ICTs; create an enabling environment at all levels; develop and widen ICT applications; foster and respect cultural diversity; recognize the role of the media; address the ethical dimensions of the Information Society; and encourage international and regional cooperation. We agree that these are the key principles for building an inclusive Information Society.


5)     Building confidence and security in the use of ICTs
35.    Strengthening the trust framework, including information security and network security, authentication, privacy and consumer protection, is a prerequisite for the development of the Information Society and for building confidence among users of ICTs. A global culture of cyber-security needs to be promoted, developed and implemented in cooperation with all stakeholders and international expert bodies. These efforts should be supported by increased international cooperation. Within this global culture of cyber-security, it is important to enhance security and to ensure the protection of data and privacy, while enhancing access and trade. In addition, it must take into account the level of social and economic development of each country and respect the development-oriented aspects of the Information Society.

36.     While recognizing the principles of universal and non-discriminatory access to ICTs for all nations, we support the activities of the United Nations to prevent the potential use of ICTs for purposes that are inconsistent with the objectives of maintaining international stability and security, and may adversely affect the integrity of the infrastructure within States, to the detriment of their security. It is necessary to prevent the use of information resources and technologies for criminal and terrorist purposes, while respecting human rights.

37.     Spam is a significant and growing problem for users, networks and the Internet as a whole. Spam and cyber-security should be dealt with at appropriate national and international levels.

Voice over IP Security Flaws

Contributed by Richard Schroeppel, January 14, 2003:

Subject: Article: Critical flaws found in VoIP products using H.323 protocol,10801,89041,00.html
Story by Jaikumar Vijayan
JANUARY 13, 2004

Several critical vulnerabilities have been discovered in voice over Internet Protocol (VoIP) and videoconferencing products based on the H.323 protocol that's used in IP telephony applications to exchange audio and video communications.

VoIP products from several vendors, including Microsoft Corp., Cisco Systems Inc. and Nortel Networks Ltd., are affected by the flaws, with risks including denial-of-service attacks and remote system compromise, according to an advisory from Atlanta-based Internet Security Systems Inc. (ISS).

The flaws were discovered by the U.K.'s National Infrastructure Security Coordination Centre using a test suite designed by the Finland-based Oulu University Secure Programming Group (OUSPG). The OUSPG test suite was designed to identity flaws in the H.323 protocol.

A similar test suite developed by the OUSPG led to the discovery in 2002 of several implementation specific flaws in the Simple Network Management Protocol.

According to Neel Mehta, a security researcher at ISS's X-Force group, the vulnerabilities are the result of coding errors in the H.323 implementations from each of the vendors.

The vulnerabilities in Cisco's Internetworking Operating System (IOS) software caused the biggest concern because of the widespread use of the operating system on Internet routers, Mehta said.

According to a Cisco advisory, all of its products running IOS and supporting H.323 packet processing are affected. "This may include the Network Address Translation (NAT) components of Cisco devices, and security features in Cisco devices such as Content-Based Access Control," according to an ISS advisory.

Several other Cisco products that don't run IOS are also affected, including Cisco CallManager Versions 3.0 through 3.3, Cisco BTS 10200 Softswitch and the Cisco 7905 IP Phone H.323 Software Version 1.00, according to a statement from the company.

"The vulnerabilities discovered in the affected products can be easily and repeatedly demonstrated with the use of the [test suite]" the Cisco advisory said. It goes on to add that exploitation of the flaws could result in denial-of-service attacks, system crashes and performance degradation. Cisco in its statement announced several fixes and work-around for the vulnerabilities.

In a similar advisory, Microsoft warned users of a critical vulnerability in the H.323 filter for its Internet Security and Acceleration Server 2000. Successful exploitation of the flaw could allow attackers to take complete control of a compromised system, said the Microsoft advisory.

In advising users to patch affected software immediately, Microsoft also announced work-arounds that can block attacks. One of them is to disable H.323 filters, thereby blocking H.323 traffic.

An advisory posted by the CERT Coordination Center at Carnegie Mellon University in Pittsburgh listed more than 60 vendors whose products could be affected by H.323 flaws.