I saw via Bejtlich that InformationWeek has an excellent article up about Robert Moore, the hacker who, a few years ago, broke into quite a few telecom (and likely other) organizations to route and steal VOIP.
The article continues to pound home that we’re doing the simple things very badly. And we have no friggin’ clue when someone malicious is doing things inside our network. Here’s some meat, though:
“It’s a huge problem, but it’s a problem the IT industry has known about for at least two decades and we haven’t made much progress in fixing it,” said van Wyk. “People focus on functionality when they’re setting up a system. Does the thing work? Yes. Fine, move on. They don’t spend the time doing the housework and cleaning things up.”
That’s really a huge part of the problem, isn’t it? Implement VOIP, and hope that you get time to get back to it later to evaluate the security before your next big projects come up. And so on.
Really, I feel that this problem is twofold. First, we’re still maturing in our grasp of technology. Unfortunately, and *naturally,* the attackers are maturing faster. This happens in biology as well, so we need to accept and expect it as a given. Second, having the time and resources to either do the job correct up front or revisit the job later and fix it up.