Archive for the 'Podcasts' Category

Blue Box Podcast #56 - Voice encryption tutorial, Skype worm, ZFone and PKI, VoIP security news and more

Tuesday, April 24th, 2007 by Dan York

Blue Box Podcast #56 was posted yesterday with a look at the recent Skype worm, a comparison of ZFone and PKI, McAfee’s Sage Journal, VoIP security news and more. With this show, Jonathan and I also began a series of mini-tutorials we will be doing on VoIP security issues. In this episode we talked about voice encryption - why it is important and what the major methods are. Next time we’ll talk about call signaling encryption. See the detailed show notes for a full description of what was discussed.

Blue Box Podcast #55: IP phone vulnerabilities, ZRTP and IETF, Skype security, listener comments and more

Thursday, April 12th, 2007 by Dan York

Blue Box Podcast #55 was posted today with a look at recent vulnerabilities in IP phones, VoIP security news and a feature section about the IETF meeting and the discussion there around SRTP key exchange, ZRTP, etc. There are also a great many listener comments and much more. See the detailed show notes for a full description of what was discussed.

Blue Box #54 - new VoIP security tools list, teleworker FUD, Phil Zimmermann, ETel feedback, SPIT, IETF

Monday, March 26th, 2007 by Dan York

Blue Box Podcast #54 was posted about a week ago but with travel I didn’t cross-post it here… in this show, Jonathan and I talked a good bit about the new VoIP security tools list released by VOIPSA, the IETF meeting in Prague, Phil Zimmermann and ZRTP, SPIT, the ETel conference and also talked a good bit about some articles circulating about “how VoIP shouldn’t be used for teleworkers because of security”. Detailed show notes and links are available over on the Blue Box website.

Blue Box podcast #53 - Skype security, OpenID vs OSP, Cisco IP phone advisories, EU privacy legislation… and smokers a threat to VoIP security?

Tuesday, March 13th, 2007 by Dan York

Blue Box podcast #53 is now available covering a range of topics, including a listener’s suggestion for the Skype multiple login issue, Cisco’s IP phone security advisories, network neutrality, EU privacy legislation and, yes, we covered that wacky story about smokers being a threat to VoIP because we just had to… plus the usual listener comments, VOIPSEC review and other VoIP security news. Detailed show notes, links and more over at the Blue Box site.

ETel VoIP security session - “The Story of SysAdmin Steve” - now available as a podcast

Tuesday, March 13th, 2007 by Dan York

At O’Reilly’s 2007 Emerging Telephony conference last week in San Francisco, I had the opportunity to give a 15-minute presentation to all attendees about VoIP security. Rather than doing the traditional slideware outlining the threats, tools, best practices, etc., I tried to do something very different and simply tell a story of what could happen if a VoIP system were installed in an insecure manner - and how to go about securing that system. I tried to make it interesting and humorous (something not often tied to VoIP security) and the feedback at the show was quite positive. The audio and slides are now available over at Blue Box and I’d definitely be interested in any feedback you all have about the presentation, either in content or style.

Jon Arnold interviews me for Pulver podcasts

Thursday, December 21st, 2006 by Dan York

Another podcast to note… Canadian analyst Jon Arnold interviewed me for his Canadian thought leaders podcast series all about… gee… VoIP security! (Yes, okay, so I no longer live in Canada, but I did live there for most of 5 years and I still work for a Canadian company.) We had a great chat about VoIPSA, Blue Box, VoIP security in general and my views on some of the current vulnerabilities to VoIP. It runs about 19 minutes or so and you can get it from the link on Jon’s blog.

Blue Box #47: Deflating VoIP security hype, SANS and the need for better VoIP security training, India moves to block Skype and other VoIP, Skype security, tutorials, listener comments and more…

Thursday, December 21st, 2006 by Dan York

Blue Box Podcast #47 is now available for download. In this show, Jonathan and I talk about some of the recent articles and reports hyping VoIP security, recent comments from SANS about the need for better VoIP security training, moves by the Indian government to block Skype and other VoIP services and much, much more. Tons of listener comments in this show… probably the most we’ve ever had. See the show notes for all the links and info.

Blue Box Podcast #44: SIP attack tools, VoIP security news, IETF, patents, ZRTP, Skype security, Asterisk war dialling, voice biometrics, listener comments and more

Tuesday, November 14th, 2006 by Dan York

Blue Box Podcast #44 is now available for download. In this show, we cover the new SIP attack tools released by Mark Collier and Dave Endler, talk about the IETF meeting, ZRTP and Phil Zimmermann’s patent disclosure, Skype security issues, a war dialling script for Asterisk, listener comments and much more. Feedback is, as always, welcome.

VoIP Phone Vulnerabilities

Monday, October 30th, 2006 by Martyn Davies

At the IP’06 event in London recently, I heard Tom Cross of Internet Security Solutions present on VoIP Security, and some of the types of threats to VoIP phones. Those of you that have listened to the Bluebox Podcast will have heard Dan York, Jonathan Zar and Shawn Merdinger talk about the threats to phone handsets before. Some of these devices ship from the factory in an unsafe state, with security holes like remote configuration backdoors and TFTP servers running on the phone. Often if there are usernames and passwords they can be weak combinations like ‘1’ and ‘1’ or ‘root’ with no password. Often users do not know that these back doors are open, and the software does not force you to change from default or factory passwords.

The cost of not closing these security holes is that someone could remotely hack into the phone, and once in control of the phone could trace or record phone calls; mount a denial-of-service attack such as repeatedly rebooting the phone; or hijack the phone in order to make calls at your cost. So Tom’s advice was to make sure that VoIP phones are not accessible to the Internet, so they can’t be attacked from outside.

In many ways the PBX is a dinosaur these days, since it is solving problems we no longer have.  For example VoIP phones have built in dialling directories, so we don’t need a special abbreviated dialling system inside the company; VoIP softphones can have their own voicemail functionality, so we don’t need the PBX to do that.  Also traditionally, the PBX has been the device that shares out and manages the expensive, limited resources, the telco trunk lines, and increasingly PBXes don’t need to do that either, often sitting just on a LAN or LANs.  However, thinking about Tom’s words, the security aspect is a whole new reason to buy PBXes, as any device that can limit the exposure of SIP phones to attack is going to be of benefit.

Archive of Telecom Junkies podcast on VoIP fraud now available

Tuesday, October 24th, 2006 by Dan York

Back in July, I participated in a Telecom Junkies podcast discussing the then-current Pena/Moore VoIP fraud case. At the time, the Voice Report team had a website that only showed the current episode, i.e. if you missed the appearance of the episode on the home page, there was no easy way to go back and listen to older episodes. That has changed now. They do have permalinks for episodes and you can get an archive of older episodes. And so… ta da… you can now listen to the episode that we did back in July about the VoIP fraud case. Check it out if you are interested in that case. (Which we have subsequently discussed in a Blue Box episode where we recounted that Edwin Pena is now a fugitive on the run!)