I just happened to see this :
Last month, a company called Internet Security Systems (ISS) issued an alert
to warn users that Cisco's VoIP offering had a security flaw that would allow
just that. According to the company, this implementation flaw in Cisco's Call
Manager, which handles call signaling and routing, could allow a buffer
overflow that would grant an intruder access to the system to listen in on
all calls routed through it.
This is one scenario described by ISS and other vendors focused on selling
technology to plug the security holes in VoIP, a method for sending voice
traffic over IP that many say was not designed with security in mind. ISS and
its competitors, which come to this new field largely from the VoIP
management and IP security markets, forecast big risks for companies that
don't take VoIP security seriously, and undoubtedly look forward to
formidable revenue streams generated by those that do.
Guru