Blue Box: The VoIP Security Podcast

Synopsis: A brief show with VoIP security news, our listener survey and more

---

Welcome to Blue Box: The VoIP Security Podcast show #25, a 20-minute podcast  from Dan York and Jonathan Zar with news and commentary about the world of VoIP security.  This show also introduces our listener survey.

Reminder: There will not be a show next week as Dan will be away.

Download the show here (MP3, 18MB) or subscribe to the RSS feed to download the show automatically.

You may also listen to this podcast right now:

Comments, suggestions and feedback are welcome either as replies to this post  or via e-mail to [email protected].  Audio comments sent as attached MP3 files are definitely welcome and will be played in future shows.  You may also call the listener comment line at +1-206-338-6654 to leave a comment there.

In this show we also mentioned our new promotion - anyone submitting audio comments (either by email or calling the comment line) during April will be eligible for a drawing for a free copy of "Practical VoIP Security" from Syngress Press. Many thanks to Bruce Stewart and the folks at O'Reilly & Associates (who distribute Syngress books) for providing this book.

Show Content:

• 00:20 - Intro to the show, contact information and how to provide comments.  Welcome to all the new listeners.  Mention of Frappr map for the show.  Please join the map!
• 02:45 - Discussion of language in comments and desire to keep the show "work- and family-safe"
• 03:57 - Mention of Dan's impending visit to the Podcast Academy at Boston University
• 04:24 - Tutorials in May - would you be interested in participating?
• 04:37 - VOIPSA has launched a new VoIP security-related weblog
• 05:26 - CNET (published by Znet): VoIP products could face export crackdown
• 07:40 - The Register: Security pros give VoIP the brush-off
• 08:33 - Sci-Tech Today: Symantec tunes up IM Monitoring
• 09:14 - Daily Tech: Intel Details Hardware Acellerated VoIP  (also IT Week UK )
• 09:54 - Aswath: How COULD Skype support CALEA? (tip of the hat to Ken Camp’s blog )
• 11:45 - TMC.Net: Cloudmark Detects – and Thwarts – New VoIP Phishing Threat Discovered on its Network - See also:
  • InformationWeek: Phishers Snare Victims with VoIP
  • Techweb wire )
  • TechWorld UK (via IDG): VoIP technology aids phishers
  • Dan’s blog rant about all of this
• 15:09 - Comment from Mike Thompson with feedback about the show
• 16:26 - Introduction of our our listener survey
• 17:56 - Review of the last week's traffic on the VOIPSEC public mailing list. Discussion around identity management and VoIP, IPSec and VoIP security, and the "phishers snare victims with VoIP" article
• 18:35 - Wrap-up, info about how to leave comments, upcoming shows, etc.
• 19:42 - End of show

Comments, suggestions and feedback are welcome either as replies to this post  or via e-mail to [email protected].  Audio comments sent as attached MP3 files are definitely welcome and will be played in future shows.  You may also call the listener comment line at +1-206-338-6654 to leave a comment there.

Thank you for listening and please do let us know what you think of the show.

Synopsis: Super-sized edition - Two interviews, one with David Schwartz, CTO of Kayote networks and one with Rodolfo Rosini, CEO of Cellfire Security.  VoIP security news, opinions and many comments from listeners, along with a way to potentially win a copy of a new book on VoIP security.

---

Welcome to Blue Box: The VoIP Security Podcast show #24, a 109-minute podcast  from Dan York and Jonathan Zar with news and commentary about the world of VoIP security.  This show also features a 38-minute interview with David Schwartz, CTO of Kayote Networks about his perspective on the IETF meeting in Dallas in March and SIP Identity and SPIT as well as another 18-minute interview with Rodolfo Rosini, CEO of Cellfire Security about his new startup.

This show is extra-large this week because there will be no show next week due to vacation travel and we wanted to make these interviews available.

Download the show here (MP3, 100MB) or subscribe to the RSS feed to download the show automatically.

You may also listen to this podcast right now:

Comments, suggestions and feedback are welcome either as replies to this post  or via e-mail to [email protected].  Audio comments sent as attached MP3 files are definitely welcome and will be played in future shows.  You may also call the listener comment line at +1-206-338-6654 to leave a comment there.

In this show we also mentioned our new promotion - anyone submitting audio comments (either by email or calling the comment line) during April will be eligible for a drawing for a free copy of "Practical VoIP Security" from Syngress Press. Many thanks to Bruce Stewart and the folks at O'Reilly & Associates (who distribute Syngress books) for providing this book.

Show Content:

• 00:20 - Intro to the show, contact information and how to provide comments.  Welcome to all the new listeners.  Mention of Frappr map for the show.  Please join the map!
• 04:04 - Discussion of the "IP Telephony Solutions for Government" show where Dan spoke last week in DC and where he was able to spend some time with listener Craig Bowser.
• 07:28 - Mention of the book promotion, audio comments via  Waxmail, vacation plans and an impending visit to the Podcast Academy at Boston University
• 09:40 - Tutorials in May - would you be interested in participating?
• 12:16 - General Dynamics Sectera vIPer secure phone
• 12:56 - Federal Computer Week: Army using VoIP in the battlefield
• 15:14 - ITWales: Keeping the VoIP house in order  (Jonathan Zar article again! Not in Welsh, though…)
• 16:46 - EFY News: Juniper Introduces Solution to Enhance VoIP Security
• 17:34 - ZDNet UK: Security report sponsorship defended  (should report on security be sponsored by security companies?)
• 21:17 - TMC.Net: Deploying Secure VoIP in the Small Enterprise (by Bogdan Materna)
• 21:42 - VoIPLoop: Does VoIP Need Encryption? (by Irwin Lazar)
• 25:02 - Realtime VoIP: Ken Camp wrote a VoIP and Firewall paper
• 25:38 - VoIP News: Tom Cross on VoIP Security Series: Part One – The Server
• 26:16 - Skype Journal: FT: Zennström confirms Skype filters text; questions he would not answer points to Financial Times article
• 28:18 - Gary Audin at VoIPLoop on Sox Compliance  (tip of the hat to Irwin Lazar)
• 30:45 - beta-dot: Narus Helps Countries to Block VoIP
• 32:14 - New blogs:
  • Telecom, Security and P2P
  • VoIPLoop
• 33:36 - Westcon Group and Sipera announce global distribution agreement=
• 33:58 -UHS Broadens Availability of IP-Based Alarm Monitoring in the U.S.
• 34:43 - Upcoming shows:
  • April 18, DC (Arlington, VA) Homeland Defense & IT Security Training Conference  (I’ll be speaking)
  • Interop, April 30-May 5, Las Vegas (anyone going?)
  • June 1-2, DC, Workshop on VoIP security by Cybersecurity Industry Alliance and tekVizion – free to US gov, $195 for others
  • June 1-2, Berlin, Third Annual VoIP Security Workshop
• 37:08 - Feature interview with David Schwartz of Kayote Networks. In this 38-minute interview, David discusses:
  • The background and products of Kayote Networks
  • Why he believes SPIT is more of a concern than many others view it as
  • SIP peering, business models and security issues
  • His perspective on attending the IETF meeting in Dallas last month, and specifically issues discussed there around SPIT and SIP Identity
  • An explanation of the proposed SIP Identity mechanism
  • His views on why "policy" is incredibly important
  • The dangers lurking in SIP routing and how unprotected it is
  This is the second part of our IETF-related interviews (the first was in show #22) and we hope this has given you a good perspective on what occurred at that meeting.
• 74:48 - Comment section and review of quick comments from Shawn Merdinger, Martyn Davies, Mark Collier and Craig Bowser
• 75:10 - Albert Maruggi on how the medium has impacted our business
• 80:02 - Leslie Asamoa-Krodua on identity management
• 81:49 - Martyn Davies on show format
• 83:11 - Kand Palanisamy on show format
• 84:20 - Dan Wing with a slight correction to his slides  (also note that IETF changed the URL after I uploaded the show notes – thanks to Irwin Lazar for catching that)
• 85:26 - J.Stein on episode 22
• 86:18 - Feature interview with Rodolfo Rosini, CEO of Cellfire Security, a startup focused on VoIP security with a particular focus on cell phones.  He provided a background on the company, its product that is now entering beta, the survey they recently concluded and the fact that they are hiring in London and San Francisco.
• 104:39 - Review of the last week's traffic on the VOIPSEC public mailing list. Discussion around client authentication, Cisco-specific tools, reviews of the Practical VoIP Security book, SOX compliance, managed security service providers and much more
  
• 106:49 - Wrap-up, info about how to leave comments, upcoming shows, etc.
• 109:00 - End of show

Comments, suggestions and feedback are welcome either as replies to this post  or via e-mail to [email protected].  Audio comments sent as attached MP3 files are definitely welcome and will be played in future shows.  You may also call the listener comment line at +1-206-338-6654 to leave a comment there.

Thank you for listening and please do let us know what you think of the show.

Synopsis: VoIP security news, opinions and many comments from listeners, along with a way to potentially win a copy of a new book on VoIP security.

---

Welcome to Blue Box: The VoIP Security Podcast show #23, a 35-minute podcast  from Dan York and Jonathan Zar with news and commentary about the world of VoIP security.  This show was also to feature the second of two interviews we have coming at you about the IETF meetings that took place in March 2006, however due to some production issues that interview will be pushed to the next show.

Download the show here (MP3, 33MB) or subscribe to the RSS feed to download the show automatically.

You may also listen to this podcast right now:

Comments, suggestions and feedback are welcome either as replies to this post  or via e-mail to [email protected].  Audio comments sent as attached MP3 files are definitely welcome and will be played in future shows.  You may also call the listener comment line at +1-206-338-6654 to leave a comment there.

In this show we also introduced our new promotion - anyone submitting audio comments (either by email or calling the comment line) during April will be eligible for a drawing for a free copy of "Practical VoIP Security" from Syngress Press. Many thanks to Bruce Stewart and the folks at O'Reilly & Associates (who distribute Syngress books) for providing this book.

Show Content:

• 00:20 - Intro to the show, contact information and how to provide comments.  Welcome to all the new listeners.  Mention of Frappr map for the show.  Please join the map!
• 02:06 - Note that if you are hearing advertising it is not from us! (and we would like to know about it)
• 03:05 - Note about the book promotion
• 04:52 - Request to help promote the show with reviews at PodcastAlley and iTunes
• 05:37 - Wired: A Pretty Good Way to Foil the NSA
• 06:20 - Wired: Why VoIP Needs Crypto (Bruce Schneier) - Ken Camp response to Schneir  and Bruce Stewart comment as well as Ars Technica reaction to Schneier: VoIP maybe not so secure?
• 08:07 - Network World: 802.11w fills wireless security holes
• 08:50 - FCW.com: Pentium computers vulnerable to cyberattack (about CanSecWest and mentions VoIP)
• 09:35 - Voiponder: Examining Two Well-Known Attacks on VoIP and Slashdot: Overlooked VoIP Security Issues?  and points to SiVuS scanner at  www.vopsecurity.org
• 11:33 - Red Herring – print: Spams New Target: VoIP and Ken Camp’s response 
• 12:51 - Techworld: Universities given more cash to secure VoIP  (Ram Dantu and colleagues) - also Newsblaze: U.S. Team To Study Potential Problems in Internet Phone Systems, Continuity Central: Research collaboration to investigate VoIP vulnerabilities and Contractor UK: VoIP dials up 2 million Brits (also other info about Skype users in UK)
• 14:36 - Sci-Tech Today: From PBX to VoIP: Making the Change  (security on page 4)
• 14:57 - Global Knowledge: Enterprise VoIP Security
• 15:31 - Searchsecurity.com: VoIP Security Learning Guide  (great list of links)
• 16:30 - Network World Security Strategies – newsletter pointing to Siemens white papers  (Telcom fraud, etc.)
• 17:41 - JaJah back in the news… eWeek: Cell Phones, Web Browsers to get VOIP Features  and JaJah Going Wireless Soon 
• 19:02 - Ken Camp: Skype Thoughts: P2P, tiered networks, or security risk?
• 19:28 - Podcast on telecom - Telecom Junkies
• 20:39 - Skype Podcast  (from a Skype enthusiast)
• 21:20 - Steve Gibson also continues his excellent series of podcasts with Security Now! Episode 34 on public key cryptography
• 22:09 - Upcoming shows:
  • April 18, DC (Arlington, VA) Homeland Defense & IT Security Training Conference  (I’ll be speaking)
  • Interop, April 30-May 5, Las Vegas (anyone going?)
  • June 1-2, DC, Workshop on VoIP security by Cybersecurity Industry Alliance and tekVizion – free to US gov, $195 for others
  • June 1-2, Berlin, Third Annual VoIP Security Workshop
• 23:11 - Comment from Alexis Laliberte
• 25:35 - Comment from Craig Bowser about meeting in DC
• 25:44 - Comment from Julien Goodwin about willing to engage in the debate
• 27:10 - Comment from Bruce Stewart
• 27:19 - Comment from Shawn Merdinger about  VoIP arrests in Bangladesh
• 28:08 - Comment from anonymous posting to #21 on breathing into the mike
• 29:08 - Comment from  Kandy on show 22
• 30:07 - Comment from Mark Collier that he'll be out at Interop on a VoIP Security Panel
• 31:00 - Review of the last week's traffic on the VOIPSEC public mailing list. Great discussion around IPSec vs TLS/SRTP (with metrics), softphones and VPNs and much more
  
• 32:09 - Wrap-up, info about how to leave comments, upcoming shows, etc.
• 32:24 - Question about whether we should continue with the current format of including an interview in the show or run the interviews separately?
• 34:45 - End of show

Comments, suggestions and feedback are welcome either as replies to this post  or via e-mail to [email protected].  Audio comments sent as attached MP3 files are definitely welcome and will be played in future shows.  You may also call the listener comment line at +1-206-338-6654 to leave a comment there.

In the spirit of the programming version of Easter eggs I will ask the question: what did we do differently with regard to the audio in the recording of this episode? I did something subtle... and I'm curious to know if it is detectable.  (Hmmm... sounds like a good idea for an audio comment back to us, eh?)

Thank you for listening and please do let us know what you think of the show.

Synopsis: VoIP security news, opinions and comments from listeners as well as a 25-minute interview with Dan Wing and Cullen Jennings from Cisco about SIP media security coming out of recent IETF meetings.

---

Welcome to Blue Box: The VoIP Security Podcast show #22, a 45-minute podcast  from Dan York and Jonathan with news and commentary about the world of VoIP security.  This show also features the first of two interviews we have coming at you about the IETF meetings that took place in March 2006.  This week's 25-minute interview is with Dan Wing and Cullen Jennings of Cisco Systems and is primarily about Dan Wing's presentation on methods of securing the SIP media stream.

Download the show here (MP3, 43MB) or subscribe to the RSS feed to download the show automatically.

You may also listen to this podcast right now:

Comments, suggestions and feedback are welcome either as replies to this post  or via e-mail to [email protected].  Audio comments sent as attached MP3 files are definitely welcome and will be played in future shows.  You may also call the listener comment line at +1-206-338-6654 to leave a comment there.

Show Content:

• 00:20 - Intro to the show, contact information and how to provide comments.  Welcome to all the new listeners.  Mention of Frappr map for the show.  Please join the map!
• 02:06 - Lycos offers free phone  (also Tom Keating blog entry)
• 08:07 - Wall Street Journal: op-ed on Skype (subscription only) – but also visible on Bruno Giussani’s blog – The fine print on Skype
• 09:37 - Jeff Pulver: Senate Extends Telephone Privacy Rules to VoIP Providers  (found via Bruce Stewart )
• 11:27 - Converge! Network Digest: Security in VoIP Networks – Stronger than TDM!
• 12:26 - Interoute Launches the First Genuinely Secure Corporate VoIP Service  – see also iSip product page – “Secure business calls wherever you are online, for free” (via Craig Bowser)
• 14:01 - TMC.net: Is Your Network VoIP Ready? (tip of the hat to Ken Camp )
• 14:58 - Upcoming shows:
  • April 18, DC (Arlington, VA) Homeland Defense & IT Security Training Conference  (I’ll be speaking)
  • Interop, April 30-May 5, Las Vegas (anyone going?)
  • June 1-2, DC, Workshop on VoIP security by Cybersecurity Industry Alliance and tekVizion – free to US gov, $195 for others
  • June 1-2, Berlin, Third Annual VoIP Security Workshop
• 15:34 - Feature interview with Dan Wing and Cullen Jennings of Cisco Systems primarily about Dan Wing’s presentation on SIP key exchange mechansims at the recent IETF meeting in March in Dallas, Texas.   In this segment, Dan goes through his first slides and explains the basic security issues around securing SIP media streams, talks about design choices for various proposed solutions and discusses where all this is going.   Given that SRTP interoperability between systems is an extremely important issue right now, it's well worth grabbing a copy of the slides and joining Dan in a journey through the issues.  At about 32:03, the interview shifted to Cullen Jennings where he discussed the IETF re-organization and creation of the Realtime Applications and Infrastructure (RAI) Area and what that means for these issues.  Cullen also provides his view on the security discussions that occurred down at the IETF meeting.  Definitely all well worth a listen.
• 39:54 - End of interview
• 40:03 - Comment from Craig Bowser
• 40:40 - Comment from voipuser about Codenomicon interview
  
• 42:33 - Review of the last week's traffic on the VOIPSEC public mailing list. Continued discussion of SRTP and UDP and much, much more
• 43:27 - Discussion of the ability to subscribe to the podcast via e-mail
• 44:04 - Wrap-up, info about how to leave comments, upcoming shows, etc.
• 45:25 - End of show

Comments, suggestions and feedback are welcome either as replies to this post  or via e-mail to [email protected].  Audio comments sent as attached MP3 files are definitely welcome and will be played in future shows.  You may also call the listener comment line at +1-206-338-6654 to leave a comment there.

Thank you for listening and please do let us know what you think of the show.