Monthly Archives: January 2009

“SIP Trunking And Security” workshop coming up at ITEXPO on February 3, 2009

ITEXPO-East-logo-2.jpgIf you will be in Miami at ITEXPO February 2-4 you are welcome to attend a free “SIP Trunking And Security” session I (Dan York) will be doing as part of Ingate Systems’ SIP Trunking Workshops. The SIP trunking workshops are free to all attendees even if you only register for an exhibit pass.

My session will be 11:15-12:30 on Wednesday, February 3rd, and if you do attend please feel free to come up and introduce yourself (or drop me a note in advance to let me know to look out for you). I’ll be bringing my recording gear, too, and the talk will eventually go out in my Blue Box Podcast feed so you will be able to hear it later.

P.S. If you are attending ITEXPO and your company makes a product or provides a service related to VoIP security, please feel free to let me know and perhaps we can schedule an interview to go out as a Blue Box Special Edition.

Technorati Tags:
, , , , , , , ,

Truth in Caller ID Act Update

Welcome to the 111th United States Congress!  On January 7th, the bill that never made it through the Senate in the last Congress has been reintroduced as S. 30, the Truth in Caller ID Act of 2009.  It was apparently read twice and referred to the Committee on Commerce, Science, and Transportation.  It’s now got two more years to attempt to make it through the Senate and get signed into law…  Is anyone else as skeptical as I am that it’ll actually happen?  Remember, this bill started as the Truth in Caller ID Act of 2006.

VoIP/Network Security classes at upcoming ITEXPO show

Our friend Craig Bowser recently pointed out that TMC will have a schedule of “Network Security” classes at the upcoming ITEXPO in Miami on February 4th. The three classes are:

  • Security Threat Mitigation in Enterprise UC Environments
  • Securing the SIP Trunk
  • VoIP Security Best Practices

The companies involved are Acme Packet, Sipera and VoIPShield Systems, all of whom we’ve mentioned at various times either on this blog on over on Blue Box. Anyway, if you are heading down to ITEXPO, you may want to check out these session.

P.S. And if you ARE heading down to ITEXPO, please do let me know as I’ll be down there, too.

Fuzzing gets its own blog…

Over in his “Security: Secrets and Hype” blog, our friend Ari Takanen has announced because “Fuzzing Is Still Widely Unknown“, he’s going to evolve his blog there a bit:

Therefore, as a part of my new year resolution to change this blog into more generic fuzzing blog, I will start by sharing my experiences in the current state of fuzzing market. Based on a recent study by Gary McGraw and other well known security gurus, all major product security teams apparently use fuzzing (my comments on it here). But most (even security specialists) still seem to misunderstand what fuzzing really is about. So, I will focus on that here also. Enter the world of fuzzing!

Ari has a wealth of information on the topic of fuzzing (and has written a book on the subject) and so it will be interesting to see where he takes the blog. We’ll see…

Technorati Tags:
, ,

CNET: Why Obama’s cell phone calls will always go through

Interesting piece over on CNET today about “Why Obama’s cell phone calls will always go through“. Here is a snippet:

It may sound a bit like a storyline from the West Wing, but there actually is a branch of the government called the National Communications System tasked with ensuring that telecommunications related to “national security” remain intact and ready to use. President Kennedy created NCS in 1963, and its mandate has expanded to include high-priority Internet and mobile phone calls too.

While I assumed these agencies and systems were in place, I admit I did not know of their names. Browsing through the NCS website, it’s interesting to see the information that is publicly available. And yes, their advisory about the impending inauguration is probably right on… I imagine that cell phone traffic will just be a wee bit elevated over the next few days down in DC! 😉

Technorati Tags:
, , ,

Judge Rejects Feds’ Attempts to Eavesdrop On DTMF Without a Warrant

Score one for sanity.  Apparently the FBI believed that while eavesdropping on the audio of a conversation required a warrant, capturing any DTMF transmissions sent during the call did not.  From the CNet report:

Just about everyone knows that the FBI must obtain a formal wiretap order from a judge to listen in on your phone calls legally. But the U.S. Department of Justice believes that police don’t need one if they want to eavesdrop on what touch tones you press during the call.

Those touch tones can be innocuous (“press 0 for an operator”). Or they can include personal information including bank account numbers, passwords, prescription identification numbers, Social Security numbers, credit card numbers, and so on–all of which most of us would reasonably view as private and confidential.

That brings us to New York state, where federal prosecutors have been arguing that no wiretap order is necessary. They insist that touch tones cannot be “content,” a term of art that triggers legal protections under the Fourth Amendment.

Asterisk Security advisory – Information leak in IAX2 authentication

asterisklogo.jpgIf you are an Asterisk user, you should be aware that Digium has released AST-2009-001 Information leak in IAX2 authentication. The description is:

IAX2 provides a different response during authentication when a user does not exist, as compared to when the password is merely wrong. This allows an attacker to scan a host to find specific users on which to concentrate password cracking attempts.

The workaround involves sending back responses that are valid for that particular site. For example, if it were known that a site only uses RSA authentication, then sending back an MD5 authentication request would similarly identify the user as not existing. The opposite is also true. So the solution is always to send back an authentication response that corresponds to a known frequency with which real authentication responses are returned, when the user does not exist. This makes it very difficult for an attacker to guess whether a user exists or not, based upon this particular mechanism.

Digium classifies it as a minor security issue and notes in the advisory that patches are available.

Technorati Tags:
, , , ,

W3C Voice Biometrics workshop coming up in March

Through a colleague of mine, Dan Burnett, I just learned about an upcoming W3C Biometrics workshop in March in California around the subject of “Speaker Identification and Verification (SIV)”. As Dan writes:

To get more information from the knowledgeable public, W3C is holding a workshop to “identify and prioritize directions for SIV standards work as a means of making SIV more useful in current and emerging markets. ” The workshop will be held in early March at SRI in Menlo Park, California.

Although the paper submission deadline has passed, if you were unaware of this workshop and are dying to attend, please email as described in the Call for Participation.

More information can also be found on the W3C Biometrics Workshop site. Sounds like an interesting conference to attend… (Dan Burnett will be there, but I will not).

Technorati Tags:
, , , ,