Congratulations to the AssetMetrix team! Ina Fried at CNET reports that they’ve been bought by none other than Microsoft. AssetMetrix’s software is an asset management system for IT departments. Capable of cataloging every PC and all the installed software on your network, it’s an essential part of the IT manager’s toolkit.
2006-04-26 11:02 pm
Tags: Canada, Tech & Business
Here’s a fascinating new development. Cloudmark has announced anti-phishing software for VoIP systems. The latest criminal scam is to clone a bank’s IVR using Asterisk, or some other inexpensive IVR system, and then send email to users asking them to call the bank’s (er, the scammers’) number and enter their account and PIN information.
Adam J. O’Donnell, Ph.D., senior research scientist at Cloudmark, says, "We’ve seen two separate VoIP attacks hit our network this week, the first we’ve been able to analyze in detail. In these attacks, the target receives an email, ostensibly from their bank, telling them there is an issue with their account and to dial a number to resolve the problem." Callers are then connected over VoIP to a PBX (private branch exchange) running an IVR system that sounds exactly like their own bank’s phone tree, directing them to specific extensions. In a VoIP phishing attack, the phone system identifies itself to the target as the financial institution and prompts them to enter account number and PIN. "The result," O’Donnell surmises, "can be personally financially devastating."
According to this report from PC World, more than 1000 messages were received over a 3-day period targeting a small bank in a large US city. Techweb reports that the messages likely originated from virus-infected computers — virtually undetectable trojans.
There you have it.
Cloudmark is wrong to classify this as a VoIP attack. This is a phishing scam, plain and simple. Although VoIP likely made it easier to obfuscate the phone number, and inexpensive VoIP equipment was likely used to clone the IVR, the root cause of this attack is the lack of a widely adopted identity and credentialling system. Such a system could be used to thwart more ordinary email-based phishing schemes too.
As Dan York puts it:
Say a gang of thieves rob a bank and use a beat-up station wagon as their get-away car. The headline is probably going to read
"Local bank robbed by thieves"
Say they do it again, only this time they use a Ferrari as their get-away car. Should the headline now be?
"Local bank robbed by a Ferrari"
Tags: Tech & Business, credentials, phishing, security, VoIP
Wendy Kennedy asks the perennial marketing question: Would you pay for this? Is it a business, or a hobby? Or, as many VCs ask in today’s built-to-flip world, "is it a company or a feature?"
Go read the rest of her post.
Tags: Canada, Tech & Business, entrepreneurship, management
Right on the heels of my own post about getting your blog noticed, Osh Momoh has published his blog setup. His post isn’t about blog optimization, but rather about the toolset that he uses to run his blog. His suggestions are excellent.
I’ve been thinking about Akismet for a while (spam is a real issue). Brian’s Latest Comments looks really good too. Osh uses both these tools. Perhaps I’ll give them a try as well.
Tags: Tech & Business
Via Bruce Stewart on the O’Reilly ETel blog comes the news that an Asterisk Advisory Council has been formed. According to the press release, "the Council will assist in the management of the Asterisk open source telephony project. Responsibilities of the council include the selection and supervision of community developers, management of release cycles, and maintenance of Asterisk contributions, among other duties."
Asterisk is growing up rapidly, and it’s heartening to see the folks at Digium recognize and respond to this growth.
Tags: Tech & Business, Asterisk, VoIP