Blue Box: The VoIP Security Podcast

Synopsis: Blue Box #63: Cisco and Asterisk VoIP vulnerabilities, the "Athens affair" (Greek wiretapping), iPhones and Duke, IETF and SPIT, SunRocket flares out, Skype phishing, VoIP security news and more...

Welcome to Blue Box: The VoIP Security Podcast #63, a 38-minute podcast  from Dan York and Jonathan Zar covering VoIP security news, comments and opinions.   

Download the show here (MP3, 18MB) or subscribe to the RSS feed to download the show automatically. 

You may also listen to this podcast right now:

Show Content:

• 00:20 - Intro to the show, contact information and how to provide comments.  Welcome to all the new listeners - and to all those listeners who have been here for so long!
• 01:14 - Programming notes
  
  • Special Edition coming out with VON session.
  • Anyone going to Black Hat or Defcon next week?  We'd love a report.
• 01:41 - Cisco vulnerabilities: Cisco patches two VoIP security flaws.  Details at: Cisco Security Advisory: Cisco Unified Communications Manager Overflow Vulnerabilities  Dan Kaplan Cisco Patches Two Security Flaws reports IBM-ISS X-Force as having discovered them.
• 02:33 - Asterisk security vulnerabilities (several of them) – http://www.asterisk.org/security
• 06:25 - TechRepublic: VoIP threats: Beyond eavesdropping (pointer to it from Russel Shaw: VoIP security? Encrypt, encrypt, encrypt )
• 07:50 - Network World: Security firm: Don’t use iPhone Web dialer
• 09:13 - Duke University IT department reported as claiming:IPhones flooding wireless LAN at Duke University with various blogs speculating on the issue Interestingly the trade media is now reporting on what the blog writers are saying. Readers speculate on Duke University’s iPhone problem (and yes, we'll talk about the recent developments on Blue Box #64)
• 11:50 - Blogger News Network: If Social Security Calls requesting personal information, it might be smart to verify who you are talking to
• 13:57 - Register: Blacklists are Bad (and Hannes makes the connection to VoIP )
• 16:09 - Hannes Tschofenig had a number of posts relating to standards:
  
  • Disclosing SRTP Session Keys with a SIP Event Package
  • New Drafts to Tackle SPIT
  • A Survey of Protocols to Control NAT and Firewalls
  • Just read Hannes’ blog for more info about IETF 69!
• 16:42 - FTC Spam Summit
• 19:07 - IEEE article on Greek wiretapping scandal (sent in by Kand Palanisamy)
• 24:05 - Hackers stealing PBX phone minutes to on-sell cheap
• 25:52 - Emerging Telephony SunRocket Folds – Whither the Numbers
• 28:50 - Network World: Online ads could become a phisher’s dream
• 30:04 - Voice of VOIPSA: It’s What the Computer Has Become
• 31:52 - News Releases:
  • TippingPoint enhancing its IPS
  • Frost & Sullivan Extols XConnect’s Unique and Comprehensive Product Line Strategy for Federated VoIP Peering
• 33:58 - Upcoming shows:
  
  • Aug 20-23, San Francisco, CA, USA VoiceCon SF 2007
  • Sept 10-12, Los Angeles, CA, USA ITEXPO West 2007
  • Oct 29-Nov 1, Boston, USA, Fall 2007 VON
• 34:41 - comment (email) from listener Frank Leonhardt on possible Skype phishing email
• 37:03 - Review of the last week's traffic on the VOIPSEC public mailing list
• 37:35 - Wrap-up of the show 
• 38:25 - End of show 

Comments, suggestions and feedback are welcome either as replies to this post  or via e-mail to [email protected].  Audio comments sent as attached MP3 files are definitely welcome and will be played in future shows.  You may also call the listener comment line at either +1-206-350-2583 or via SIP to '[email protected]' to leave a comment there. 

Thank you for listening and please do let us know what you think of the show.

Synopsis: Blue Box #62: CAPTCHA for SPIT, covert channels, SIP Identity, is VoIP safe?, Fiji, Google, VoIP security news and more

Welcome to Blue Box: The VoIP Security Podcast #62, a 41-minute podcast  from Dan York and Jonathan Zar covering VoIP security news, comments and opinions.   

Download the show here (MP3, 19MB) or subscribe to the RSS feed to download the show automatically. 

You may also listen to this podcast right now:

Note: Originally recorded back on July 6th.  There were some, well, "challenges" with the quality of the recording and so post-production took far longer than usual and you will still hear some audio artifacts every once in a while when Jonathan is speaking.

Show Content:

• 00:20 - Intro to the show, contact information and how to provide comments.  Welcome to all the new listeners - and to all those listeners who have been here for so long!
• 01:21 - Programming notes
  
  • Facebook group has grown to 22 members. If you are on Facebook, do check out the group.
  • Special Edition #18 – we hope you enjoyed that and thank Martyn for doing the interviews.  We welcome such contributions.
• 02:34 - Asteridex remote command execution
• 05:41 - Voice of VOIPSA: Now I’ve CAPTCHA’d Your Attention pointing to Hannes Tschofenig’s blog entry about his Internet Draft around using CAPTCHA for SIP to prevent SPIT
• 15:38 - Voice of VOIPSA: ‘Voice over VoIP’ project aims to show use of ‘covert channels’ to tunnel voice inside of voice pointing to VoIP Covert Channel project at the Georgia Institute of Technology.
• 16:30 - Voice of VOIPSA: It’s Just Not Meant To Be Open
• 16:51 - IETF - Dan Wing issues Internet Draft SIP Identity using Media Path and receives feedback and also circulates note about Cisco IPR/patents
• 29:20 - ComputerWeekly.com: VoIP SIP fundamentals
• 25:11 - TMCnet: Caller ID Spoofing Soon to be Outlawed?
• 25:49 - PC Magazine Experts: VOIP Just Another Way to Hack
• 26:38 - eWeek: Experts: Enterprises Must Focus on VoIP Security
• 27:52 - NetworkWorld: Six burning VoIP questions – specifically what really happens when I dial 911?  and Is VoIP safe?
• 30:31 - Islands Business: Fiji Opens VoIP
• 32:06 - YouTube: VoIP Security introduction featuring Peter Cox – we talked about it on show #61 but I am now told he actually works for Borderware
• 32:28 - New podcasts involving two folks involved with the show (Dean Elwood and Martyn Davies): Bending the Needle
• 33:35 - Google acquires GrandCentral (Dan's blog) pointing to GrandCentral announcement and Google blog posting
• 37:16 - Upcoming shows:
  
  • July 19-20, New York, USA, IPTComm2007
  • July 22-27, Chicago, USA IETF 69
  • Aug 20-23, San Francisco, CA, USA VoiceCon SF 2007
  • Sept 10-12, Los Angeles, CA, USA ITEXPO West 2007
  • Oct 29-Nov 1, Boston, USA, Fall 2007 VON
• 38:29 - comments from Martyn about Peter Cox and Takehiro about the Covert Channels and comment (blog) from Adrian P. on Blue Box #51 (show on Feb 22)
• 40:02 - Review of the last week's traffic on the VOIPSEC public mailing list
• 40:32 - Wrap-up of the show 
• 41:20 - End of show 

Comments, suggestions and feedback are welcome either as replies to this post  or via e-mail to [email protected].  Audio comments sent as attached MP3 files are definitely welcome and will be played in future shows.  You may also call the listener comment line at either +1-206-350-2583 or via SIP to '[email protected]' to leave a comment there. 

Thank you for listening and please do let us know what you think of the show.

Synopsis: Session Border Controller (SBC) Special - Martyn Davies interviews Rod Hodgman from Covergence and Jeff Carr from Borderware about their products and the role of the SBC.

Welcome to Blue Box: The VoIP Security Podcast Special Edition #18, a 33-minute podcast of interviews by Martyn Davies of Rod Hodgman from Covergence and Jeff Carr from Borderware about their products and the role of the SBC and the question "Do SBCs break the rules of SIP?"

Download the show here (MP3, 15MB) or subscribe to the RSS feed to download the show automatically.

You may also listen to this podcast right now:

Show Content:

This Session Border Controller (SBC) special features two back-to-back interviews with Rod Hodgman from Covergence (www.covergence.com) and Jeff Carr from Borderware (www.borderware.com).

In the first interview, Martyn Davies speaks to Rod Hodgman, VP of Marketing at Covergence, about their SBC product line, Eclipse.  Rod talks about SBCs that support peering and access edge applications, and then focuses on access edge features such as NAT traversal and DoS protection.  The discussion also covers software vs. appliance; OS hardening, ATCA and media acceleration.  Rod answers the question "do SBCs break the rules of SIP?", and tells us a user story.

In the second part, Martyn speaks to Jeff Carr, VP of the SIP Solutions Group at Borderware, about their software SBC, SIPAssure.  Jeff talks about the access edge, SPIT (Internet Telephony SPAM): content filtering and reputation management; firewall vs. SBC.  He also tackles the question "do SBCs break the rules of SIP?", and goes on to tell us a story about one of their OEM customers.

We thank Martyn for contributing these interviews.

Comments, suggestions and feedback are welcome either as replies to this post  or via e-mail to [email protected].  Audio comments sent as attached MP3 files are definitely welcome and will be played in future shows.  You may also call the listener comment line at either +1-206-350-2583 or via SIP to '[email protected]' to leave a comment there.

Thank you for listening and please do let us know what you think of the show.

(P.S. In the spirit of full disclosure, I'll note that one of the customer stories turns out to be my employer, but I had no clue about that as this was entirely Martyn's production.)