Monthly Archives: April 2010

Want to learn about voice biometrics? Attend Voice Biometrics Conf – May 4-5, 2010 – NY City area

voicebiocon2010.jpgWant to learn about how voice biometrics are being used today in real deployments? Want to learn what advances have been made in the technology? Want to find out how people are using it for voice authentication, identification and more?

If so, consider attending the Voice Biometrics Conference taking place next week, May 4th and 5th, in the New York City area. It’s got a packed agenda and a great list of speakers who really represent the leading edge of what people are doing with voice biometrics. (And yes, I’m one of the speakers and yes, my employer Voxeo is one of the sponsors of the event.)

The organizers of the event, Opus Research, have also really tried to focus the event on showing real-world examples of biometrics deployments. Here is a message that organizer Dan Miller sent out yesterday:

The conference agenda is now packed with use cases across many applications, verticals and government functions. Here’s the list from today’s e-mail:

T-Mobile – Deutsche Telekom’s T-Mobile is developing fast authentication to focus on building a better customer experience.

Bell Canada – The largest customer-facing deployment of voice verification with more than two million customers enrolled.

Bank Leumi (Israel) – Will present how it successfully deployed multiple applications for voice-based user authentication for customers and employees.

I DRIVE SAFELY – Hear how the company implemented a voice-based solution for enrolling students in its online drivers’ education program.

Atos Origin – IT services provider Atos Origin incorporates voice authentication into its “Help Desk” and holds promise for multiple applications inside enterprises around the world.

Centrelink – Australian social services agency who deployed a speaker verification system to authenticate access to welfare services.

Federal Government of Mexico – Learn how the federal government of Mexico has implemented a speaker identification program for use in law enforcement.

If you’re looking for a way to network with the people who have lessons to share regarding strategic, tactical, technical, organizational or even social issues that arise as they specify solutions, analyze vendors, define their projects and carry out their plans, attending Voice Biometrics 2010 will be rewarding.

If you can get to the New York area, do check out the event… registration information can be found on the event page. And if you are attending… I’ll see you there!

If you found this post interesting or helpful, please consider either subscribing via RSS or following VOIPSA on Twitter.

Chisco: Welcome To The Hunan Network?


On NPR’s ‘Fresh Air’ this week, Richard Clarke made some great points, in particular with the logic bomb scenarios of sneaking in code and untrustworthy hardware. While this is old news, it’s still a very real threat — recall that Chisco devices were discovered on US government networks and disclosed back in 2008.

With Richard Clarke’s story in mind, I think it’s worth re-visiting the “Chisco” problem. This article below is from three years ago, yet this same Chisco eBay seller mentioned, “Sincere Networking” is still up and running (ya gotta love that name, no?). Bear in mind this is just one of many Chisco eBay stores — that is, there are plenty of others moving all types of Chisco gear on eBay, including routers, firewalls, switches. We are way beyond WAN NIC interfaces folks.

Why can’t these get shut down?

Network World: “eBay ‘Chisco’ stores are selling fake Cisco products originating in China”

This counterfeit gear has already landed on plenty of networks, and it’s likely to continue. Just like the FBI’s conclusion on slide 10, I agree that a huge risk in this area stems from small ‘mom n’ pop’ subcontractor outfits that choose to purchase this gear on the cheap from eBay, and then charge-back their own clients for the list price on CCO. Of course, that dirty network engineer in your organization could do a swap-out with Chisco gear during your next change management window — and in these economic times perhaps merely to re-sell the valuable real card rather than backdoor the organization’s network.

That said, recent security conference presentations, such as CanSecWest’s “Can you still trust your network card” should be at the forefront of the discussion when this Chisco topic comes up.

I know this is a dirty subject. It’s so dirty that very few folks even want to discuss it. It’s a nightmare. But like it or not, it’s going to be up to you to make sure that your gear is legitimate, especially if you’re on a US government network as according to the FBI’s presentation on slide 40, “Cisco’s Brand Protection does NOT coordinate with Cisco’s Government Sales”

Here’s a few links to hopefully get you started on the right path.

Comments with additional resources are most welcome.

  • Brad Reese — most outspoken person about this issue
  • FBI OMB Presentation: 2008-01-11
  • Cisco Statement on Counterfeit Goods
  • Cisco Blog: Protecting Against Gray Market and Counterfeit Goods
  • The Truth in Caller ID Act

    Well, it only took about five years and three sessions of Congress to finally pass this thing in both the House and the Senate.  The Senate passed their version of the bill (S. 30) on February 23rd and the House passed their version of the bill (H.R. 1258) on April 14th.  All that remains now is for any differences in the two bills to be reconciled and sent to the President for a signature.

    eBay: a hacker’s source for acquiring remote monitoring medical devices for security testing?


    Awhile back I blogged on VOIPSA about medical devices using VoIP. This is a follow-up to that post, and is a bit more tangible in that these devices are showing up on the auction sites.

    I typically check eBay weekly for medical devices showing up, with an eye for anything with a network interface.

    Bluetooth-enabled devices abound, but the (mis-perception) that an attacker must be physically close decreases popular interest from a security testing perspective. In contrast, it’s a box “on the wire” that enables an attacker in say, Palau, to to reach out and provide what I’d call a “negative home medical monitoring experience.”

    So what’s on eBay?

    Here’s a ViTel (now owned by Bosch) device and blood pressure monitor on eBay that’s a few years old, but has the ability “…to communicate via standard telephone line, broadband, or cellular and does not interfere with existing telephone service.”

    ViTel Net Turtle 400 & A&D UA-767PC Blood Pres. Monitor
    eBay Link:

    Suggested for discussion:

    1. Should vendors of these devices be concerned about their sale on site like eBay? Why or why not?

    2. Are there any available business services that monitor the after-market sale of these devices?

    3. Would/should vendors care about re-acquiring these devices?

    4. How interesting / valuable would it be to conduct a security analysis on this device, report the findings to CERT, and publish at DefCon or BlackHat?

    5. Does a diagram like the one below concern anyone?


    UC Federation and VoIP/UC Security

    An emerging trend among Unified Communications vendors these days is support for federation between UC systems in different organizations. Perhaps the first to market was Microsoft OCS Federation which allows two enterprises with Office Communications Servers to share presence, instant messaging, voice, and video.  Google Wave launched last June with support for Wave Federation Protocol which allows wavelets in a wave to be hosted across different organizations.  In November, Cisco launched their Intercompany Media Exchange product which uses a protocol called VIPR (Verification Involving PSTN Reachability) for opportunistic federation between participating organizations.  Avaya, Cisco/Jabber, Reuters Messaging, Google, and others also support XMPP federation which enables presence and instant messaging to be directly shared between organizations.

    What VoIP/ UC Security issues come into play with UC Federation schemes like these?  For starters, trust needs to be established between federation partners – this is typically done via digital certificates. But from there we have many policy and identity questions to address, such as:

    • Who in my federation partner organization gets to know about my CEO’s presence and availability?
    • What thresholds can be set to prevent a federation from becoming the conduit for a Denial of Service attack?
    • How does a given E.164 (telephone) number get mapped to the right user@domain handle?
    • Is there any way for a federation partner to use my VoIP system for their toll calls (toll fraud)?

    During the next few weeks, I’m going to be exploring some of these UC Federation security questions here on the VOIPSA blog along with others raised by you, our loyal readers. Has your organization implemented any UC federation yet? What are the security issues around federation that concern you the most?