Synopsis: new VoIP security tools list, teleworker FUD, Phil Zimmermann, ETel conference feedback, SPIT, IETF, listener comments and more...
Welcome to Blue Box: The VoIP Security Podcast #54, a 57-minute podcast from Dan York and Jonathan Zar covering VoIP security news, comments and opinions.
Download the show here (MP3, 27MB) or subscribe to the RSS feed to download the show automatically.
Show Content:
- 00:20 - Intro to the show, contact information and how to provide comments. Welcome to all the new listeners - and to all those listeners who have been here for so long!
- 01:36 - Programming notes
  - Brief notes about Emerging Telephony show
  - Notes about Black Bag Security Review
  - Authors of upcoming O’Reilly Asterisk Cookbook are looking for contributions related to security
  - Dan will be in Cairo, Egypt, on the week of March 19th and would be delighted to meet with any listeners
  - SRT episode on OpenID almost up there
  - If you are a CISSP, listening to podcasts can be counted as CPE credits
- 10:00 - Debian: Gnomemeeting vulnerability
- 10:35 - Asterisk Unspecified SIP packet handling DoS – also see sparse Asterisk notes here and here
- 11:33 - ComputerWorld.au: Enterprises must avoid IP telephony for teleworkers or face attack and Dan’s response on VOIPSA blog - see also:
  - ITWorld Canada: IP telephony potential security risk for businesses
- 15:56 - Silicon.com: VoIP threats to watch out for - part of Silicon.com VoIP Security Special Report – notice upcoming reports on “big three”, Skype and Best Practices
- 17:42 - ComputerWorld: How dangerous is Skype?
- 18:48 - TechNet: Infonetics Report Predicts Continued Growth for Network Security Gear Through 2007
- 19:35 - IT Business Edge: Security Must Be Built In From The Start – points to article about Pew Internet & American Life report ... last line of ITBusEdge entry is key… IT must be involved from the start.
- 21:57 - O’Reilly: VoIP encryption in a surveillance society
- 22:27 - Dean Takahashi: Interview with Phil Zimmermann
- 24:06 - xChange Online: Securing VoIP Relative to Number Mapping
- 24:52 - Voxilla: Getting Smart about SPIT
- 26:11 - Malaysia Star: Calling with confidence
- 26:56 - Voice of VOIPSA: New VoIP Phishing Scheme
- 28:36 - Voice of VOIPSA: New Hacking for Traditional Networks
- 29:31 - Voice of VOIPSA: Phone "Phreakers" Steal Minutes
- 31:38 - Voice of VOIPSA: IETF – Secure Call Recording with SIP and SRTP
- 32:48 - Voice of VOIPSA: Comment to Ringjacker story – important point here about older clients being around
- 34:27 - Mark and Dave’s book gets good reviews – read on Mark’s blog - including SearchNetworkingChannel.com - VoIP Security: Cisco Unified CallManager Quiz & Chapter – fun review in the form of a quiz.
- 36:04 - News releases:
  - Lenovo Teams Up with Avaya To Add Secure VoIP Capability to Laptops – interesting the note about the fingerprint reader for user authentication
  - SNOM TECHNOLOGY AND BORDERWARE TECHNOLOGIES ANNOUNCE STRATEGIC PARTNERSHIP TO INCREASE VOIP SECURITY
  - snom technology focussing on VoIP security and interoperability at the CEBIT 2007
  - TMC.net Sipera delivers VoIP Security to Enterprise Branch Offices
  - Sipera and INSI Sign Agreement To Offer Secure Solutions for VoIP Services
  - Nevis Networks Enhances its Persistent LAN Security, Per-User Costs at $15
  - Mu Security Demonstrates VoIP Testing, Measurement and Attack Surface Coverage Weaknesses at VoIPCON, VON
  - Guidebook from Infineon exposes myths about VoIP – Voice quality and security put traditional telephony in the shade
- 38:48 - Feature discussion around IETF 68 coming up next week in Prague. The critical discussion of interest to this group is the RTPSEC BOF discussion around how to securely exchange keys for Secure RTP
- 42:31 - Feature discussion about VoIP security tools:
  - Heise – New version of live security distribution Backtrack which points to Backtrack which now includes a number of VoIP security tools
  - Voice of VOIPSA: BackTrack Version 2: Pen-test CD unleashes VoIP security tools
  - new VOIPSA VoIP security tools list
  - VoIP researcher to release auditing tool at Mid East Hackers’ Conference – “The Grugq” will release “TacVTK” at HackInTheBox Dubai, April 2-4
- 49:28 - Brief commentary on Verizon/Vonage judgement and impact on VoIP with regard to patents
- 51:45 - Upcoming shows:
  - Mar 19-21, 2007, San Jose, CA, Spring 2007 VON
  - Mar 19-23, 2007, Prague, Czech Republic, 68th IETF Meeting
  - Mar 23-25, Washington, DC, ShmooCon ‘07
  - Apr 16-20, Vancouver, BC, Canada CanSecWest 2006
  - NOTE - Jonathan will be out at VON next week - drop him a note if you are going to be there
- 53:37 - comment (email) from Frank Leonhardt about conference in London April 18-20
- 54:17 - comment (email) from Miguel Garcia
- 55:15 - Review of the last week's traffic on the VOIPSEC public mailing list
- 56:32 - Wrap-up of the show
  - Reminder that you can subscribe to the show via email as well as RSS
- 57:16 - End of show
Comments, suggestions and feedback are welcome either as replies to this post or via e-mail to [email protected]. Audio comments sent as attached MP3 files are definitely welcome and will be played in future shows. You may also call the listener comment line at either +1-206-350-2583 or via SIP to '[email protected]' to leave a comment there.
Thank you for listening and please do let us know what you think of the show.