Here’s a roundup of some current important articles on VoIP security problems:

Cambridge prof warns of Skype botnet threat :

Voice-over-IP apps could be used to cloak networks of zombies, used to launch denial of service attacks, a Cambridge professor has warned.

Armies of ordinary PCs – "botnets" – that have been infected by a virus and put under malicious control, could be controlled and orchestrated by messages hidden in VoIP traffic generated by programs such as Skype, warned Jon Crowcroft, Marconi professor of communications systems at Cambridge University.

How bad is the Skype botnet threat? :

In the botnet threat, Skype is not the threat itself, but a tool others might use. In a "botnet" a set of PCs are infected with Trojan software; they can then be controlled remotely and used to launch a denial of service attack on any victim. Skype is therefore being hijacked as the channel though which these bots can be given instructions.

Botnets are usually tracked down by the commands used to control them – usually an IM or IRC stream. "VoIP offers a lot more scope for hiding informaiton in the traffic," says Ian Brown, who leads the Internet security group at the Communications Research Network, which has publicised the threat. "There is a lot more traffic coming through, and audio traffic is a lot of random looking bits. If you can’t see the botnet messages, you can’t dismantle the botnet."

Skype 2.0 triggers Data Execution Prevention Warning :

"With the DEP exception in place, an even bigger concern is the security implications of turning off DEP protection for Skype.  Skype is an application that interacts with the wild and public Internet and Skype has had its share of vulnerability issues in the past so turning off a critical protection mechanism like DEP is the last thing I want to do," George points out.  "Having DEP enabled on Skype will at least give users some protection if Skype has any future vulnerabilities." 

Why pay $2,995 for VoIP security advice? I have a better idea :

You won’t believe where I’ve just read a very authoritative report on VoIP Security.

No, not one of those overpriced consultant reports- the ones you pay $2,995 for and come away from with a "tell me something I don’t know" reaction.

Actually, this one is from a term paper, gleaned from journals available via the Rowan County Public Library in Salisbury, N.C.

Entitled "Sound Choices for VoIP Security," the paper is written by Jonathan Casteel. The 10-page PDF tome contains plainly written and authoritative info on such subjects as implementation flaws (Remote access, Malformed request DoS, Load-based DoS) and IP PBX vulnerabilities such as Operating system attack, Support software attack, Protocol attack, Application attack, Application manipulation, Unauthorized access,and Denial of Service.