Category Archives: VoIP Security Companies

Sipera Systems Relaunches Their Online Presence

Sipera Systems Inc. | Unified Communications Unleashed - Security for IP PBXs, SIP Trunks, VoIP remote users, IMS & UMA-1.jpgWhile I wouldn’t normally write about simply an updated website for a company, this particular company is Sipera Systems, one of the small number of companies focused pretty much entirely on VoIP security… er… “Unified Communications Security”. (And hey, “UC Security” sounds a whole lot better to say!)

Given that part of my regular work is working with web sites, I commend them on their new nice, clean look. They’ve also revamped their blog, as well.

Good to see, and I wish them continued success in this space.

If you found this post interesting or helpful, please consider either subscribing via RSS or following VOIPSA on Twitter.

New Threats, Old Friends

On a lightning visit to the Infosec show in London, I chanced to meet with Ari Takanen of Codenomicon (fuzzing and quality assurance experts). Ari has a new book out: “Fuzzing for Software Security Testing and Quality Assurance”, from Artech House, available at and (as they say) all good bookstores. Of course, just because there’s a credit crunch doesn’t mean that security is any less of a problem, and it doesn’t mean that software defects are any the better. It sounds like Codenomicon have a pretty good market niche.

Enigma Machine

Facetime were talking about their new Unfied Security Gateway. This appliance goes beyond URL blocking and reporting, and implements reporting for VoIP and Skype, and the whole range of IM and P2P applications. In addition they have some pretty granular tools for finding out what the usage of social sites like Facebook (FB) and Myspace, and the resulting bandwidth usage might be. You can even drill down into the subsections being used (apps, music etc), which will be useful as increasingly FB is used for legitimate messaging and networking purposes in business. Facetime’s “special guest” on the stand was an original Engima encryption device, brought down from Bletchley Park (a.k.a “Station X”), the UK’s premier code-breaking museum. This is a refurbished and fully working Enigma, and on the Facetime stand they were even allowing us to have a go. I can report that it is satisfyingly mechanical to use.

AEP were also there showing some high-grade encryption equipment for enabling remote sites with access to secure systems. Law enforcement and government customers have a legal duty to protect the data that they handle, which and even remote users (or temporary sites) must protect data from snooping. Data at rest is a particular risk, and UK government agencies have embarrassingly lost large numbers of laptops and pen drives in recent years. It’s safer to leave the data in the secure site (rather than the USB stick) and access it over secure links when needed. The AEP solution fits into a laptop bag, and enables a team of people to share secure data and VoIP links to a central site, routed over any convenient satellite, 3G or WAN links.

The Infosec show is still on today and tomorrow at Earls Court exhibition centre in London.

Want to learn about voice biometrics? VoiceVerified to be interviewed tomorrow (July 10, 2008)

voiceverifiedlogo.jpgAre you interested in using voice for authentication, also known as voice biometrics? Would you like to know how far voice biometrics has come from that 1992 film “Sneakers” with “My voice is my password”?

If you are free tomorrow, July 10, 2008, at 11am US Eastern time you can join in a conference call/podcast where I’ll be interviewing David Standig with about voice biometrics in general and VoiceVerified’s specific offering. If you can’t join us at 11am, the interview will be available as a “Squawk Box” podcast later in the day.

The deal is that Alec Saunders, the regular host/producer of the daily Squawk Box podcast is away on vacation and I’ve been guest-hosting this week in his absence. The daily shows have been about a range of topics (today was a great one about P2PSIP) and tomorrow’s show actually gets into VoIP security in terms of voice verification/biometrics.

If you would like to join into the show, there are two ways you can do so:

In either case, you’ll get access to the telephone number you need to call and, during the call, will also have access to the live chat session that is used.

If you aren’t able to attend (or don’t want to use the app), you can listen to the show after I post it on Alec’s sometime later tomorrow, probably in the evening.

Also, if you are interested in being on Alec’s Squawk Box show, my guest hosting is done tomorrow but drop me a note and I’ll be glad to suggest your name to Alec after he returns. I frequently participate and they’ve been enjoyable shows to be a part of.

P.S. In the interest of full transparency and disclosure, I should note that VoiceVerified is actually a business partner of my employer, Voxeo, as I outlined in a blog post. That fact, however, did not influence my decision to bring them on the show – I was just looking for interesting companies to interview and they were one that caught my eye.

Technorati Tags:
, , , , , ,

Sipera looking to hire a few good VoIP security researchers…

siperalogo.jpgWant a job in VoIP security? Jason Ostrom, who recently joined Sipera Systems as director of their VIPER Lab, passed along word to us that they are looking to hire two new positions related to VoIP security:

  • VIPER Security Consultant
  • VIPER Vulnerability Research Engineer

Job descriptions and information about applying can be found over on Sipera’s “Careers in VoIP Security” page. (i.e. please do not leave comments here about these jobs or contact us as we have nothing to do with the jobs).

Technorati Tags:
, , , ,

Information Week interviews SecureLogix about VoIP security

While I was sick at VoiceCon and didn’t record any of the videos I was planning to do, it’s great to see that Fritz Nelson over at Information Week did capture this video of Mark Collier of SecureLogix:

The TechWeb folks did a nice job on the video, particularly in cutting in to some of the slides explaining what Mark was talking about. Fritz has an article accompanying the video as well.

Oh, yeah, Mark was great, too! 🙂

P.S. For those who don’t know, Mark has been involved with VOIPSA and in fact was on a panel I moderated on VoIP security there at VoiceCon.

Technorati Tags:
, , , ,

Hackers Attack International Space Station Email — Let’s Hope VoIP Isn’t Next

On April 1st VuNet reported that hackers had taken down the International Space Station’s email capabilities.

So, this was a good April Fool’s joke, right?

Three astronauts onboard the Space Station reported last night that email was no longer working.
Hackers are thought to have planted a Trojan in the computer systems at Houston and used the infection to ride the satellite uplink to the Space Station.

What is especially troubling is the email system’s reliance upon older Microsoft operating systems that are no longer supported by Microsoft.

“I am sorry but there is nothing we can do. It is past its deadline, said Professor Brian Offin, Microsoft’s head of obsolete operating systems.

Again, a good April Fool’s joke, right?

However, this false article brings to light the fact that as newer technologies replace legacy systems, we must bear in mind that the new technology changes will, over time, themselves become legacy systems and subject to the same outdated, unsupported and insecurities that plagued the very legacy systems they replaced.

So what’s this have to do with VoIP and the International Space Station? Well, details are thin, but way back in 2000 VoIP Group Inc. was awarded a contract to provide a VoIP replacement for the ISS to “bring about significant cost reductions as it supplements and then replaces an existing legacy system.”

Initially deployed at NASA’s Marshall Space Flight Center in Huntsville, Alabama, and later at other International Space Station operations centers, the solution will consist of VoIP Group’s gateways connected to the Internet and to Raytheon voice switches and CUseeMe conference servers to support voice conferencing. The system is designed to link together researchers, NASA operations personnel, and potentially ISS crew, to support collaboration during Space Station experiment planning and operations. Because users can access the system using a standard Internet browser on an inexpensive multimedia PC, they can be located at NASA centers, universities, and companies throughout the world, and still connect in real-time, 24 x 7.

iss voip

I hope that the sharp folks at NASA and VoIPgroup are taking the proactive steps to avoid security problems with critical communications with the ISS.

SIPTap Author forms VoIP Security Company

Some of you may remember Peter Cox who put out an eavesdropping tool SIPTap last November.

For those who have a short memory, SIPTap monitors “multiple voice-over-IP call streams, listening in and recording them for remote inspection as .wav files.”

At the time, however, the tool didn’t appear to me to be much of a threat because it only worked on the VLAN it was attached to and only if it saw the traffic. Meaning that if you weren’t attached to a span port, a hub or used another tool such as Ettercap, you wouldn’t be able to do much recording.

BUT the tool served Peter Cox’s purpose. Apparently for some time now, Peter Cox has been preaching VoIP security to anyone who will listen… and if he’s like most IA people I know, anyone who doesn’t want to listen, but needs to. The tool, therefore, appeared to be aimed at educating people outside the IA world about the importance of VoIP security and how easy it is to eavesdrop on calls.

Now Peter Cox has started a new company UM Labs where his goal is to develop and deliver products that provide VoIP security in a world where the traditional security foundation of voice and data separation no longer apply.

They are already announcing three products described on the company’s website and here

New VoIP security products are always welcome and UM Labs appears to be looking towards the future to find ways to meet some of the upcoming security challenges of unified networks.

Phil Zimmermann’s “Zfone Project” has new website and new beta release

Perhaps it has been up for a while, but I just noticed today the new Zfone Project Home Page. Previously Phil Zimmermann had Zfone as a subset of his website, but now it’s off on its own sharp-looking site. There’s also news of a new beta for download as of February 9th. Kudos to Phil and his team for launching the new site and, as always, we’re definitely interested in hearing what people think (okay, at least I am).

What’s all the Fuzz about?

I’m guessing there’s going to be a resurgence soon in protocol fuzzing against different VoIP phones, PBXs, and especially VoIP softphones. The practice of fuzzing, otherwise known as robustness testing or functional protocol testing, has been around for a while in the security community. The practice has proven itself to be pretty effective at automating vulnerability discovery in applications and devices that support a target protocol.

The prize for the most prolific university fuzzing results to date belongs to the PROTOS project of Oulu University’s Secure Programming Group. Through various incarnations of student projects, the PROTOS group has been faithfully discovering vulnerabilities in a variety of protocol implementations, including SIP and H.323. Ari Takanen of that group eventually graduated and went on to cofound a commercial fuzzing tool company called Codenomicon, along with others from Oulu. In just the last year alone, the market has seen several other new commercial fuzzing entrants including:

Today, VoIP is starting to become a more interesting target for security researchers as the technology becomes more affordable and popular among enterprise customers. While it would be ideal if all VoIP vendors tested their own products internally for security bugs, the reality is that not all of them have the time, resources, or even the security DNA to find them all ahead of time.

For a great list of other fuzzing tools and presentations, check out Matthew Franz’s wiki.