Blue Box: The VoIP Security Podcast

October 20, 2008

Blue Box #84: New Cisco, Avaya, Nortel VoIP security vulnerabilities from VoIPShield, Skype in China, UCSniff and other new tools, news and more

Synopsis: Blue Box #84: New Cisco, Avaya, Nortel VoIP security vulnerabilities from VoIPShield, Skype in China, UCSniff and other new tools, news and more

Welcome to Blue Box: The VoIP Security Podcast #84, a 30-minute podcast from Dan York and Jonathan Zar covering VoIP security news, comments and opinions.

Download the show here (MP3, MB) or subscribe to the RSS feed to download the show automatically.

You may also listen to this podcast right now:

Show Content:

00:20 - Intro to the show, contact information and how to provide comments. Welcome to all the new listeners - and to all those listeners who have been here for so long!
Programming notes:
- Three-year anniversary of Blue Box coming up on October 24th - any thoughts you'd like to share with us? (Please send them to us by October 23rd.)
VoIPShield announces new vulnerabilities and http://www.voipshield.com/research.php
http://www.theregister.co.uk/2008/09/30/voip_eavesdropping_tool/
"Sipera Develops VoIP Spy Program - to Prove a Point" - http://www.voipplanet.com/trends/article.php/3776136
SecureLogix Announces Free Availability of VoIP Security Tools
NY Times: Surveillance of Skype Messages Found in China - http://www.nytimes.com/2008/10/02/technology/internet/02skype.html?_r=2&partner=rssnyt&pagewanted=print
http://securitywatch.eweek.com/privacy/skypechina_breach_is_anyone_really_surprised.html
http://www.informationweek.com/news/telecom/voip/showArticle.jhtml?articleID=210605439
Skype CEO's blog post about the issue: http://share.skype.com/sites/en/2008/10/answers_to_some_commonly_asked.html
http://www.itbusinessedge.com/blogs/top/?p=398
http://www.voip-news.com/feature/google-phone-europe-growth-092408/
http://www.itnewsafrica.com/?p=1269
http://news.cnet.com/8301-1009_3-10052393-83.html
http://www.broadbandreports.com/shownews/VoIP-Vulnerabilities-Being-Exposed-Today-98039
http://www.itbusinessedge.com/blogs/top/?p=402
http://voipsa.org/blog/2008/10/07/5th-emergency-services-workshop-to-be-held-oct-21-23-in-vienna/
http://eon.businesswire.com/news/eon/20080924005342/en
http://www.crn.com/security/210602442
http://it.tmcnet.com/topics/it/articles/41236-infoblox-unveils-dns-firewall-address-dns-vulnerability-concerns.htm
http://www.newswire.ca/en/releases/archive/September2008/29/c9005.html
No comments this week.
Review of the last week's traffic on the VOIPSEC public mailing list
Wrap-up of the show
30:26 - End of show

NOTE: Long-time listeners will note that the show notes above are in a less descriptive form than usual. After almost three years of using one wiki for preparing for our shows, Jonathan and I switched to using a new system and are still working out some of the details that will speed the input into show notes.

Comments, suggestions and feedback are welcome either as replies to this post or via e-mail to [email protected]. Audio comments sent as attached MP3 files are definitely welcome and will be played in future shows. You may also call the listener comment line at either +1-415-830-5439 or via SIP to '[email protected]' to leave a comment there.

Thank you for listening and please do let us know what you think of the show.

Posted by Dan York on October 20, 2008 at 09:32 AM in Blue Box, Podcasts, VoIP Security, VOIPSA | Permalink | Comments (1) | TrackBack (1)

Tags: avaya, blue box, bluebox, china, cisco, dan york, danyork, jonathan zar, nortel, securelogix, sipera, sipera systems, skype, skype security, tools, voice, voice over ip, voice security, voip, voip security, voipsa, voipsecurity, voipshield

October 16, 2008

Blue Box #83: SIP and Asterisk vulnerabilities, voice biometrics, P2PSIP, Aircell blocking Skype, VoIP security news and more…

Synopsis: Blue Box #83: SIP and Asterisk vulnerabilities, voice biometrics, P2PSIP, Aircell blocking Skype, VoIP security news and more…

Welcome to Blue Box: The VoIP Security Podcast #83, a 39-minute podcast from Dan York and Jonathan Zar covering VoIP security news, comments and opinions.

Download the show here (MP3, 18MB) or subscribe to the RSS feed to download the show automatically.

NOTE: This show was recorded on September 4, 2008.

You may also listen to this podcast right now:

Show Content:

00:20 - Intro to the show, contact information and how to provide comments. Welcome to all the new listeners - and to all those listeners who have been here for so long!
Programming notes:
- Three-year anniversary of Blue Box coming up on October 24th - any thoughts you'd like to share with us? (Please send them to us by October 23rd.)
Remote DoS in reSIProcate
Remote root shell in Trixbox
Second route of VoIPShield Cisco/Avaya/Nortel vulnerabilities
AST-2008-010 – IAX2 ‘POKE’ Resource Exhaustion
AST-2008-011 – IAX2 Firmware Provisioning System
Saunderslog: Squawk Box – July 10, 2008: Voice biometrics and VoiceVerified.com
Saunderslog: Squawk Box – July 9, 2008: P2PSIP
IETF: P2PSIP Security Requirements
Voice of VOIPSA: “Aircell blocking VoIP on a plane” – part 1 , part 2 and an update
Voice of VOIPSA: Shawn Merdinger’s series on “Asking The Cisco IPICS Expert” – Questions 1-5 – 6-10 – 11-15 – 16-20 – 21-25
Voice of VOIPSA: Asterisk ‘hack’ to show blocked Caller-ID points to larger trust issues with SIP (and SpeechTEK speech)
NetworkWorld: Georgia student arrested for hacking grades, VoIP
CRN: Analysis: Hacking VoIP as easy as 1-2-3
Ari Takanen starts blogging at InfoWorld
InfoWorld: Motivation for VoIP Fuzzing
TMCnet: How to keep your tech career afloat
New analyst report: Security Threats Loom Over Unified Communications pointing to Light Reading report and article
VoIP Companies to Fight For Market Share
IEEE approves 802.11r standard
Google Chrome – upgrading the web to be application-centric
Items on my DisruptiveTelephony blog… Skype 5th birthday, Asterisk future, Digium/Nortel
No comments this week.
Review of the last week's traffic on the VOIPSEC public mailing list
Wrap-up of the show
39:08 - End of show

Thank you for listening and please do let us know what you think of the show.

Posted by Dan York on October 16, 2008 at 11:10 AM in Blue Box, Podcasts, VoIP Security | Permalink | Comments (0) | TrackBack (2)

Tags: aircell, asterisk, avaya, blue box, bluebox, cisco, dan york, danyork, jonathan zar, nortel, p2psip, security, sip, skype, squawkbox, trixbox, voice, voip, voip security, voipsa, voipsecurity

September 03, 2008

Blue Box SE#026 - Astricon 2007 presentation on VoIP security and Asterisk

Synopsis: Blue Box Special Edition #26: Astricon 2007 presentation - "Hacking and Attacking VoIP Systems: What you need to worry about"

Welcome to Blue Box: The VoIP Security Podcast Special Edition #26, a 55-minute podcast from Dan York and Jonathan Zar covering VoIP security news, comments and opinions.

Download the show here (MP3, 6MB) or subscribe to the RSS feed to download the show automatically.

You may also listen to this podcast right now:

Show Content:

A year ago in September 2007, I (Dan York) spoke at Astricon 2007 in Arizona, USA, about "Hacking and Attacking VoIP Systems: What You Need To Worry About" My presentation covered a lot of the typical VoIP security threats, tools and best practices but also expanded a bit into specific security issues with Asterisk. Please do keep in mind that it has been a year since this presentation and so some of the issues I mention have been addressed. (Astricon, for those who don't know, is an annual developer conference for those who work with the Asterisk open source telephony platform. Astricon 2008 is, in fact, coming up in about 3 weeks but I will not be attending this year.)

The slides for this talk are available from Slideshare:

Hacking and Attacking VoIP Systems - What You Need To Know

View SlideShare presentation or Upload your own. (tags: voip voipsecurity)

(And yes, at some point I'll sync the audio with the slides.)

Production assistance on this Special Edition was provided by Michael Graves who had a very tough task given the poor quality of the recording that I gave to him! Kudos to Michael for getting it to sound as good as it does.

Thank you for listening and please do let us know what you think of the show.

Posted by Dan York on September 03, 2008 at 07:54 PM in Conferences, Podcasts, VoIP Security, VOIPSA | Permalink | Comments (0) | TrackBack (0)

Tags: asterisk, asterisk security, astricon, astricon2007, blue box, bluebox, dan york, danyork, open source, security, voip, voip security, voipsa

August 27, 2008

Blue Box #82: Asterisk & Skype security vulnerabilities, new VoIP security tools, VoIP steganography, VoIP security news and much, much more...

Synopsis: Blue Box #82: Asterisk & Skype security vulnerabilities, new VoIP security tools, VoIP steganography, VoIP security news and much, much more...

Welcome to Blue Box: The VoIP Security Podcast #82, a 47-minute podcast from Dan York and Jonathan Zar covering VoIP security news, comments and opinions.

Download the show here (MP3, 21MB) or subscribe to the RSS feed to download the show automatically.

NOTE: This show was originally recorded on June 21, 2008.

You may also listen to this podcast right now:

Show Content:

00:20 - Intro to the show, contact information and how to provide comments. Welcome to all the new listeners - and to all those listeners who have been here for so long!
Programming notes:
- Note about the production team – new special editions coming soon.
- Note about URLs for the media files
AST-2008-008 – Remote Crash Vulnerability in SIP channel driver when run in pedantic mode
AST-2008-009 – Remote crash vulnerability in ooh323 channel driver
Skype-SB-2008-003 – Skype File URI Security Bypass Code Execution Vulnerability

New version of SIPvicious

Sipflanker – tool to find SIP devices with web GUIs

Discussion about VoIP Steganography (pointed to by Craig Bowser)

Geeks Are Sexy: New Technology Hides Messages in Internet Phone Calls – and Switched: Spies to Use Skype to Send Secret Messages? – and The Register

FierceVoIP: VoIP Security and the Circle of Trust pointing to Government Computer News: Careful with the call

The Register: ‘Untraceable’ phone fraudsters eye your credit card

SearchUnifiedCommunications: Disaster and recovery in the VoIP/IPT RFP

Secure Computing: Voice tools under enemy fire

VNUnet: A good VoIP application is worth paying for

Ofcom confirms VoIP providers must provide access to 999 and 112

Bogdan Materna’s blog is live

Realtime Community: The Essentials Series:
Messaging and Web Security
Volume III

Global Knowledge: On-Demand Webinar on VoIP Security (hat tip to Thomas Lee )

SearchSecurity: The threats to telcos and how they can repel them

TMCnet: Balancing Issues in World of Telepresence

Network World: VoIP Security Buying Guide

Nortel and SecureLogix Team to Deliver Voice Security and Management Solutions to Worldwide Enterprise Market (see also this analysis )

Sipera Partner Network Arms Resellers With Comprehensive UC and VoIP Security

VIVOphone Deploys Paradial RealTunnel® to Solve NAT Traversal Challenges for VoIP Services

Audiocodes joins the ranks of SBC vendors

SearchSecurity: Securing the new network (interesting because it shows the layers of a defense in depth)

The Hindu Business News: Serious about Security

Shows:
- IP Telephony University – June 23-24, Alexandria, VA
- IPTComm 2008 – July 1-2, Heidelberg, Germany
- The Last H.O.P.E. – July 18-20, New York
- SpeechTek – August 18-20, New York
Call for papers for Hack-in-the-box Malaysia ends June 30th

SchmooCon 2008 videos available – several dealing with VoIP

No comments this week.
Review of the last week's traffic on the VOIPSEC public mailing list

Wrap-up of the show

47:09 - End of show

Thank you for listening and please do let us know what you think of the show.

Posted by Dan York on August 27, 2008 at 08:53 PM | Permalink | Comments (0) | TrackBack (0)

Tags: asterisk, asterisk security, blue box, bluebox, dan york, danyork, jonathan zar, security, security tools, SIP, SIP security, skype, skype security, steganography, tools, voip, voip security, voipsa, voipsecurity

August 26, 2008

Blue Box #81: iSkoot vulnerability, OFCOM legislation, VoIP security news and more

Synopsis: Blue Box #81: iSkoot vulnerability, OFCOM legislation, VoIP security news and more

Welcome to Blue Box: The VoIP Security Podcast #81, a 42-minute podcast from Dan York and Jonathan Zar covering VoIP security news, comments and opinions.

Download the show here (MP3, 19MB) or subscribe to the RSS feed to download the show automatically.

NOTE: This show was originally recorded on May 21, 2008.

You may also listen to this podcast right now:

Show Content:

00:20 - Intro to the show, contact information and how to provide comments. Welcome to all the new listeners - and to all those listeners who have been here for so long!
Programming notes:
- Note about the hiatus
Voice of VOIPSA: Are your Skype username and password completely exposed if you use iSkoot?
Voice of VOIPSA: Chronology
Voice of VOIPSA: iSkoot disclosure of Skype credentials resolved – new version by Wednesday
Ofcom confirms VoIP providers must provide access to 999 and 112 – and Hannes Tschofenig points to 4th Emergency Services Coordination Workshop and presentation about the UK
MarketingVOX: British Proposal May Force ISPs to Fork Over Online Activity, Emails, VOIP Calls pointing to Reuters article: Britain mulls plan to store all email and calls

Enterprise VoIP Planet: VoIP Security: SIP-Versatile but Vulnerable

IT Business Edge: Pay Attention to VoIP Security Before The Storm

NetworkWorld: Business Guide to VoIP Security

Pocket-lint: Fraudsters targeting VoIP Users based on report out of Newport Networks (reported in VoIP News) – also covered at Fierce VoIP: Newport Networks riles up VoIP Security Fears and Computeractive: Phreak-out over VoIP and TechHerald article

Network World: Security and management considerations when deploying OCS

LXer: Secure Calling Initiative Reaches Second Milestone pointing to Secure Calling Initiative

[H]Enthusiast: Mobile Phones, VoIP Not Secure, Experts Warn=

VoIP News: The Essential Guide to VoIP Privacy

Voice of VOIPSA: Information Week interviews SecureLogix about VoIP security

eWeek: VoIP Security through Responsible Software Development

Microsoft gives back door keys to Vista to police

Comment (blog) from Martyn Davies

Comment (email) from Detlef

Comment (email) from Dan McGinn-Combs

Review of the last week's traffic on the VOIPSEC public mailing list

Wrap-up of the show

41:43 - End of show

Thank you for listening and please do let us know what you think of the show.

Posted by Dan York on August 26, 2008 at 09:16 PM in Blue Box, VoIP Security, VOIPSA | Permalink | Comments (0) | TrackBack (0)

Tags: blue box, bluebox, dan york, danyork, iskoot, jonathan zar, ofcom, security, SIP, SIP security, skype, voip, voip security, voipsa, voipsecurity

Returning from the hiatus...

Blue Box listeners,

Well, it's been a while. A long while. This summer turned out to be a bit crazier than Jonathan or I ever expected. The good news is that the renovation at my home is finally done and I've moved into my home office. The box of podcasting gear has come up from the basement. I'm not traveling for several weeks... so everything looks good to finally get the huge queue of back episodes out the door.

My goal this week is to get some of the older main shows out first followed by some of the excellent Special Editions that our volunteer production team has put together. If things work out the way I hope I should be getting you a show a day for the rest of the week. (We'll see.)

Thanks for your patience and continued interest in the show. We have very definitely not "podfaded"... and we'll be back with more shows and interviews in the weeks and months ahead! Thanks for continuing to listen.

Dan & Jonathan

Posted by Dan York on August 26, 2008 at 09:15 PM in Administrivia | Permalink | Comments (0) | TrackBack (0)

July 15, 2008

Blue Box #80: VoIPShield vulnerabilities, what is ethical disclosure?, SIP trunking, VoIP security news, new nomadism, and much more...

Synopsis: Blue Box #80: VoIPShield vulnerabilities, what is ethical disclosure?, SIP trunking, VoIP security news, new nomadism, and much more...

Welcome to Blue Box: The VoIP Security Podcast #80, a 44-minute podcast from Dan York and Jonathan Zar covering VoIP security news, comments and opinions.

Download the show here (MP3, 20MB) or subscribe to the RSS feed to download the show automatically.

NOTE: This show was originally recorded on April 17, 2008.

You may also listen to this podcast right now:

Show Content:

00:20 - Intro to the show, contact information and how to provide comments. Welcome to all the new listeners - and to all those listeners who have been here for so long!

MANY thanks for all the offers of audio production assistance – getting it organized now

Ingate SIP Trunking webinar now available (and a note about participating in things like this)

VOIPSA blog site hacked

Voice of VOIPSA: Quarterly VoIP Vulnerabilities Summary

VoIPshield list of vulnerabilities

Cisco Advisory

Cisco Advisory about Disaster Recovery Framework

Voice of VOIPSA: VoIPshield announces discovery of over 100 vulnerabilities along with a YouTube video

Washington Post: Reach Out And Hack Someone

Voice of VOIPSA: GNUcitizen research discovery: Default key algorithm in Thomson and BT Home Hub routers

VoIP News: The Essential Guide to VoIP Security

Information Week: Securing VoIP with SecureLogix – includes YouTube video with Mark Collier

Voice of VOIPSA: VoIP and the International Space Station

Voice of VOIPSA: Xplico Network Forensic Analysis Tool

Voice of VOIPSA: Australians falling victim to foreign phone hackers

VoIP News Australia: How ACMA Plans to Regulate VoIP

Network World: Government agencies rejecting VoIP?

Linux Professional Institute to develop enterprise-level security exam

Net neutrality and Bell Canada

ZDNet: Attacks escalate on critical U.S. government networks: Will a Manhattan Project work?

Google XSS Attack (interesting as it shows the complexity of such attacks)

The Economist: Special Report: The New Nomadism

VoiceBiometrics – May 14-15, New York

IP Telephony University – June 23-24, Alexandria, VA

Review of the last week's traffic on the VOIPSEC public mailing list

Wrap-up of the show

44:22 - End of show

Thank you for listening and please do let us know what you think of the show.

Posted by Dan York on July 15, 2008 at 05:20 PM in Blue Box, Podcasts, VoIP Security, VOIPSA | Permalink | Comments (0) | TrackBack (0)

Tags: avaya, blue box, bluebox, cisco, dan york, danyork, jonathan zar, nortel, security, SIP, SIP security, voip, voip security, voipsa, voipsecurity, voipshield

July 14, 2008

FYI - I'll be out at O'Reilly's OSCON next week in Portland talking about voice mashups...

If any of you reading this will be out at O'Reilly's OSCON Open Source Convention next week (July 21-25) in Portland, Oregon, I (Dan York) will be there giving a talk on Wednesday on "Mashing Up Voice and the Web Through Open Source and XML". Here's the abstract:

With over 4.5 billion mobile and fixed phones out there as of November 2007, the phone represents the most ubiquitous user interface out there. As “mashups” on the Web let us quickly and easily access information from multiple data sources, how do we extend those mashups to the world of the phone? How do we bring the old world of voice and telephony into the new world of the Web, social networks, and social media? And how do we do that using open source tools and open standards?

If any of you will be attending, please do drop me a note as I always enjoy meeting up with people who read this blog. If you are not attending but are interested, it's not too late... you can still register at the OSCON site. Should be a great convention for those interested in open source development. The schedule is pretty amazing as it truly has a collection of some of the best folks out there in the open source world. (The convention starts on Wednesday with Monday and Tuesday being for tutorials.) I'm definitely looking forward to the event!

Technorati Tags: open source, conferences, oreilly, development, python, voicexml, ccxml, sip, portland, dan york

Posted by Dan York on July 14, 2008 at 09:03 AM in Conferences, Open Source | Permalink | Comments (0) | TrackBack (0)

June 10, 2008

Blue Box SE#025 - An interview with Eric Hernaez about Solegy and the OpenSBC Project

Synopsis: Blue Box Special Edition #25: An interview with Eric Hernaez, CEO of Solegy, about the OpenSBC project

Welcome to Blue Box: The VoIP Security Podcast Special Edition #25, a 13-minute podcast from Dan York and Jonathan Zar covering VoIP security news, comments and opinions.

Download the show here (MP3, 6MB) or subscribe to the RSS feed to download the show automatically.

You may also listen to this podcast right now:

Show Content:

In this interview, I sat down with Eric Hernaez, CEO of Solegy, to talk about the OpenSBC Project and how it provides an open source implementation of a session border controller (SBC). We talked about how OpenSBC came about, who is using it, how scalable it is and where users can learn more. We also discussed Solegy, the company supporting the open source OpenSBC project and what they are doing. It was an enjoyable talk that really came about randomly when I met Eric near the press room at IT Expo in Los Angeles back in September 2007. We had been wanting to learn more about the OpenSBC project so I put my recorder on a table and we started talking.

More information about the OpenSBC project and other open source SIP-related projects can be found at opensourcesip.org.

Production assistance on this Special Edition was provided by Sergio Meinardi.

Thank you for listening and please do let us know what you think of the show.

Posted by Dan York on June 10, 2008 at 10:53 PM in Blue Box, Open Source, Podcasts, Special Editions, VoIP Security | Permalink | Comments (0) | TrackBack (0)

Tags: blue box, bluebox, eric hernaez, opensbc, opensourcesip, sip, solegy, voip, voip security, voipsecurity

June 09, 2008

Blue Box #79: Asterisk vulnerabilities, VoiceCon/VON coverage, eavesdropping, FBI, ZFone, P2P, VoIP security news and more

Synopsis: Blue Box #79: Asterisk vulnerabilities, VoiceCon/VON coverage, eavesdropping, FBI, ZFone, P2P, VoIP security news and more

Welcome to Blue Box: The VoIP Security Podcast #78, a 32-minute podcast from Dan York and Jonathan Zar covering VoIP security news, comments and opinions.

Download the show here (MP3, 15MB) or subscribe to the RSS feed to download the show automatically.

NOTE: This show was originally recorded on March 27, 2008. Yes, that was over two months ago... we know...

You may also listen to this podcast right now:

Show Content:

00:20 - Intro to the show, contact information and how to provide comments. Welcome to all the new listeners - and to all those listeners who have been here for so long!

MANY thanks for all the offers of audio production assistance

Dan met with Craig Bowser down at VoiceCon, also David Endler, Mark Collier, etc.

Jonathan met with Dean Elwood, Martyn Davies, etc.

Four Asterisk vulnerabilities

The Economist: Bugging The Cloud

Forbes: How to Make Your Phone Untappable

VoIP News: VoIP: Who Might Be Spying on Your Communications? (Hint – It’s Not Just the NSA

VoIP News: Listen Up: 17 Signs That You Are Being Wiretapped

eChannelLine: Businesses lagging in securing VoIP (also ComputerWeekly.com and news release )

eChannelLine: Ingate launches enhanced security for VoIP and SIP (also Enterprise VoIPPlanet )

Voice of VOIPSA: Hacking Zyxel Gateways

Voice of VOIPSA: Vishing Attacks

Voice of VOIPSA: FBI VoIP Surveillance Requirements Leaked (also in FierceVoIP and Slashdot )

Voice of VOIPSA: Hackers Send Thousands of Fake Calls to Deaf People

SnapVoIP: Unified Communications in Virtual Worlds to Solve ‘Tower of Babel’ for Intelligence Agencies

Israeli-made Cryptophone attracts world spy agencies pointing to product site

BlogInfoSec.com: Save The Whales (about a new form of phishing)

Network Computing: Your Data and the P2P Peril

NetQoS: VoIP Monitor 1.1 released

PC World: FaceTime Security Product Scans Skype’s Encrypted IM and news release

Sipera IPCS Solution for Teleworkers Rated ‘Avaya Compliant’

Extreme Networks Boosts Security for Converged Voice and Data Networks with New Tools

Review of the last week's traffic on the VOIPSEC public mailing list

Wrap-up of the show

32:27 - End of show

Thank you for listening and please do let us know what you think of the show.

Posted by Dan York on June 09, 2008 at 04:30 PM in Blue Box, Podcasts, VoIP Security | Permalink | Comments (0) | TrackBack (0)

Tags: Asterisk, blue box, bluebox, dan york, danyork, eavesdropping, FBI, jonathan zar, P2P, security, VoiceCon, voip, voip security, voipsecurity, VON coverage, ZFone