Archive for the 'Podcasts' Category

Blue Box #47: Deflating VoIP security hype, SANS and the need for better VoIP security training, India moves to block Skype and other VoIP, Skype security, tutorials, listener comments and more…

Thursday, December 21st, 2006

Blue Box Podcast #47 is now available for download. In this show, Jonathan and I talk about some of the recent articles and reports hyping VoIP security, recent comments from SANS about the need for better VoIP security training, moves by the Indian government to block Skype and other VoIP services and much, much more. Tons of listener comments in this show… probably the most we’ve ever had. See the show notes for all the links and info.

Blue Box Podcast #44: SIP attack tools, VoIP security news, IETF, patents, ZRTP, Skype security, Asterisk war dialling, voice biometrics, listener comments and more

Tuesday, November 14th, 2006

Blue Box Podcast #44 is now available for download. In this show, we cover the new SIP attack tools released by Mark Collier and Dave Endler, talk about the IETF meeting, ZRTP and Phil Zimmermann’s patent disclosure, Skype security issues, a war dialling script for Asterisk, listener comments and much more. Feedback is, as always, welcome.

VoIP Phone Vulnerabilities

Monday, October 30th, 2006

At the IP’06 event in London recently, I heard Tom Cross of Internet Security Solutions present on VoIP security and some of the types of threats to VoIP phones. Those of you who have listened to the Blue Box podcast will have heard Dan York, Jonathan Zar and Shawn Merdinger talk about the threats to phone handsets before. Some of these devices ship from the factory in an unsafe state, with security holes like remote configuration backdoors and TFTP servers running on the phone. Often, if there are usernames and passwords, they can be weak combinations like ‘1’ and ‘1’, or ‘root’ with no password. Often users do not know that these back doors are open, and the software does not force you to change from default or factory passwords.

The cost of not closing these security holes is that someone could remotely hack into the phone and, once in control of it, trace or record phone calls; mount a denial-of-service attack such as repeatedly rebooting the phone; or hijack the phone in order to make calls at your cost. So Tom’s advice was to make sure that VoIP phones are not accessible from the Internet, so they can’t be attacked from outside.
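As an added illustration (not from the talk or the post), here is a small posture audit over a constructed handset inventory that checks for exactly the conditions described above: factory credentials such as ‘1’/‘1’ or ‘root’ with no password, a TFTP server or remote configuration interface left enabled, and a phone addressed outside private (RFC 1918) space and therefore reachable from the Internet. The record field names and the sample phones are assumptions; the addresses are documentation ranges.

```python
import ipaddress

# Constructed sample inventory, as an asset database or provisioning
# server export might provide it. Field names are hypothetical.
PHONES = [
    {"name": "lobby-phone", "ip": "192.168.10.21", "user": "1", "password": "1",
     "tftp_server": True, "remote_config": True},
    {"name": "ceo-desk", "ip": "203.0.113.45", "user": "root", "password": "",
     "tftp_server": False, "remote_config": True},
    {"name": "helpdesk-3", "ip": "10.20.0.8", "user": "admin", "password": "Xk9#vQ2pL!",
     "tftp_server": False, "remote_config": False},
]

# Factory credential pairs named in the post: '1'/'1' and root with no password.
DEFAULT_CREDS = {("1", "1"), ("root", "")}

# Private address space; anything outside it is treated as Internet-reachable,
# which is what the advice above says a handset must never be.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def audit_phone(phone):
    """Return the list of findings for one handset record (empty list if clean)."""
    findings = []
    if (phone["user"], phone["password"]) in DEFAULT_CREDS:
        findings.append("factory default credentials")
    elif len(phone["password"]) < 8:
        findings.append("weak password")
    if phone["tftp_server"]:
        findings.append("TFTP server enabled on handset")
    if phone["remote_config"]:
        findings.append("remote configuration interface enabled")
    addr = ipaddress.ip_address(phone["ip"])
    if not any(addr in net for net in RFC1918):
        findings.append("address outside RFC 1918 space, reachable from the Internet")
    return findings


def audit_all(phones):
    """Map each handset name to its findings so the report can be reviewed or exported."""
    return {p["name"]: audit_phone(p) for p in phones}


if __name__ == "__main__":
    for name, findings in audit_all(PHONES).items():
        print(f"{name}: {'OK' if not findings else '; '.join(findings)}")
```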

In many ways the PBX is a dinosaur these days, since it is solving problems we no longer have.  For example VoIP phones have built in dialling directories, so we don’t need a special abbreviated dialling system inside the company; VoIP softphones can have their own voicemail functionality, so we don’t need the PBX to do that.  Also traditionally, the PBX has been the device that shares out and manages the expensive, limited resources, the telco trunk lines, and increasingly PBXes don’t need to do that either, often sitting just on a LAN or LANs.  However, thinking about Tom’s words, the security aspect is a whole new reason to buy PBXes, as any device that can limit the exposure of SIP phones to attack is going to be of benefit.


Archive of Telecom Junkies podcast on VoIP fraud now available

Tuesday, October 24th, 2006

Back in July, I participated in a Telecom Junkies podcast discussing the then-current Pena/Moore VoIP fraud case. At the time, the Voice Report team had a website that only showed the current episode, i.e. if you missed the appearance of the episode on the home page, there was no easy way to go back and listen to older episodes. That has changed now. They do have permalinks for episodes and you can get an archive of older episodes. And so… ta da… you can now listen to the episode that we did back in July about the VoIP fraud case. Check it out if you are interested in that case. (Which we have subsequently discussed in a Blue Box episode where we recounted that Edwin Pena is now a fugitive on the run!)

Blue Box Podcast #42 – VoIP service provider security, Skype security, government spyware and more

Tuesday, October 24th, 2006

Blue Box Podcast #42 is now available and covers a range of topics, including the security (or lack thereof) of VoIP service providers, news from the Internet Telephony conference, Skype security and the usual other VoIP security news, listener comments, etc.

Blue Box Podcast – “Intro to VoIP Security” panel at Internet Telephony

Wednesday, October 18th, 2006

Over at Blue Box, I have just uploaded a podcast of the “Intro to VoIP Security” panel at the Internet Telephony conference last week in San Diego, CA. Moderated by Ken Camp, the panel provided a good introduction to the basic issues related to VoIP security.

This is the first of several panel sessions related to VoIP security that we will be making available through the podcast feed. We thank Rich Tehrani and the rest of the TMCNet staff for allowing us to record the sessions. Thanks also to Ken Camp for his assistance and to all the panelists who gave their permission to be recorded as well.

Security Roundtable podcast on VoIP security

Wednesday, October 4th, 2006

I was the guest on the recent Security Roundtable podcast #5 focused on VoIP security.  I gave an overview of VoIP security issues, discussed some best practices and answered numerous questions from the group of hosts.  It was a wide-ranging discussion that covered enterprise VoIP issues, Skype, recent legislation, enterprise network issues and much more.  It was a fun podcast to be part of and I do appreciate the SRT team inviting my participation.  If you are new to VoIP security issues in general, do give it a listen.

Blue Box podcasts 39 and 40 now available with VoIP security news and more

Wednesday, October 4th, 2006

Blue Box Podcast #39 and Podcast #40 were both made available for download last week. Both cover the usual recent VoIP security news, listener comments, etc., but Blue Box #39 discusses my recent trip to Fall VON 2006 and also gets into a discussion around 802.11i and why wireless VoIP doesn’t work now with a full PKI. Blue Box #40 also covers the continued VoIP fraud case that we started covering back in June or so. Skype security, of course, also gets more coverage in #40 as well. Please do give a listen – and comments and feedback are definitely welcome.

Blue Box Podcast #38 available, as well as special editions on IMS Security and Netclarity

Tuesday, September 26th, 2006

We have been a wee bit busy over at Blue Box in recent weeks, but the results are now appearing. I’ve uploaded three shows in recent days:

  • Blue Box Podcast #38 is perhaps the only place you can hear about fugitive CEOs, Phil Zimmermann, Paris Hilton, Skype security, Asterisk, SIP and the IETF all in one place!
  • Blue Box Special Edition #10 provides a great interview with Gary Miliefsky of Netclarity where we explore his views on the future of VoIP security, NIST and CVEs related to VoIP, his company’s tools and much more
  • Blue Box Special Edition #11 dives into IMS security through an interview with Morgan Stern from Lucent who had just been on a panel at Fall VON 2006 on securing IMS. We cover his views on the challenges ahead for IMS, the various standards bodies involved, how to address lawful intercept and much more. Morgan also provided a copy of his presentation and links to a webinar on IMS that he recently gave.

All that and more is available… please do give a listen and let us know what you think.

Double Ending

Thursday, September 21st, 2006

Martin Geddes recently reflected on the use of Skype as a tool for recording podcasts with two people in different locations.  This is a technique that is used on many podcasts now, including Blue Box, the VoIP Security Podcast.  But as Geddes says, sometimes the quality is not all it should be, and it would be useful to be able to record in top quality, and in some way transmit this out-of-band, while using the inferior, real-time audio between the two podcasters.  Sometimes this technique (called double-ending, or a “double ender”) is done manually today in podcasting and in radio: each person records their end of the conversation locally, then the files get spliced together at the end to make a broadcast quality programme.  The telephone call only needs to be good enough for the two people to understand each other while the interview is taking place.

But adding double-ending functionality in Skype has interesting possibilities, apart from the podcasting one.  In some areas human speech needs to be understood by less tolerant parties than humans, for example in the areas of automatic speech recognition, or speaker verification.  Given that VoIP streams can be of cellphone quality (or lower), it could be useful for a computer system to be able to play back a passage of speech it was having trouble with.  For example, a speaker verification system might listen to the live VoIP speech, perhaps match with a certainty of 20%, then after a few tens or hundreds of milliseconds it could try again using extra hi-fidelity information that came in while it was processing the first time.  Much better than forcing the user to re-speak their passphrase over and over until the computer figures it out.

On the subject of Dan York (of Blue Box) and Martin Geddes, you can almost see them in this photograph from Fall VON.  York is moving at speed, presumably in order to eclipse Geddes.