If you’re not familiar with the leak, this article on TorrentFreak talks about phonecalls between a New York attorney and MediaDefender which were leaked out.
Funnily enough (for some), during the phone call one of the parties says: “what we could do if you wanted, change the port … change the login, obviously the password, if you guys need to know the password that we’re using we can just communicate that by phone. …. If you need to .. anything which is really really sensitive we can just communicate in this [phonecall] fashion”.
There were different opinions on how this call was captured. One suggestion floating on the forums are that the VoIP call was recorded by one of the parties (MediaDefender or NY attorney) and put on a compromised server. Another idea is that that the call was sniffed by the attacker.
Which ever way this call was compromised, this show two things with regards to VoIP communications:
- Phone traffic now goes over the Internet. Don’t assume that your call cannot be intercepted over the Internet .. that assumption is very outdated.
- Encryption definitely has an important place in VoIP security. In this case, it would probably have helped