Voice of VOIPSA

Yes, indeed, the VoIP Security Alliance has joined the Twittersphere with:

http://twitter.com/voipsa

Feel free to follow us there if you are a Twitter user. The primary reason we are on Twitter is so that Twitter users can follow whatever blog posts we post here on the Voice of VOIPSA blog. We’ve noticed over time on other sites (and in our own actions) that some folks prefer to be notified of new blog posts via Twitter versus a RSS feed. So now you have that choice. Subscribe via RSS or via Twitter. We’ll respond to tweets as well, of course, but our primary goal is to provide another way to consume VOIPSA content.

If you are on Twitter, please do feel free to follow us. Thanks.

Are you interesting in writing about VoIP security? In providing updates on security news? Product reviews? Threat analyses? Notes about recent security advisories?

Would you like your writing to appear on this blog?

As you have probably noticed, the frequency of our posting here in recent months has dropped a bit. It’s definitely not for lack of content… anyone subscribing to a Google Alert on “voip security” or subscribing to the VOIPSEC mailing list will know that there are definitely ongoing VoIP security issues. But we collectively haven’t been writing all that often about those issues here on this blog. Many reasons… but mostly that those of us who have been writing for the three years since we started this blog have just been finding ourselves insanely busy and not able to make the time to write here frequently. A couple of folks have moved into roles where they no longer work directly with VoIP security. Others have started their own blogs or just gone on to other things.

So we are looking to recharge the “Voice of VOIPSA” writing corps a bit. Our goal all along has been to make this site a portal for news and analysis about “VoIP security” in whatever form that may take. We are looking for people who might be willing to write short notes about news stories related to security of VoIP, Unified Communications, etc. We are also looking for people interested in writing longer pieces like some of the deep analyses we have posted here in the past.

VOIPSA’s overall mission is to raise the level of discussion about communication security issues in the IP space – and we’re looking for anyone who would like to help us in doing that through this blog.

The only major requirement we have for writers here is that any pieces must be vendor-neutral, i.e. we are not looking for people to write here about how their company’s product will solve all your security woes. We’re not a marketing site for either VoIP or security vendors. However, we do welcome posts from people at those companies that talk about the general state of the industry. We also welcome posts from folks who may not be at any company in the space but are just passionately interested in the topic.

If you are interested in writing for Voice of VOIPSA, please send me an email expressing your interest and providing some background about your connection to VoIP security. If you write at an existing weblog, even on a completely different topic, it would be helpful if you sent along that link as well.

Thanks for continuing to follow this site and after three years of blogging, we’re looking forward to continuing to provide you information and analysis about VoIP/communication security for the next three years… and beyond!

Technorati Tags:
voipsa, voip, voip security, voipsecurity, security, blogging

If you are a LinkedIn user (as I am), there is now a “UC Security” group that you can join. The description of the group is:

Unified Communications is blurring the boundaries between Voice, Video and Data networks. As such, security threats that used to be in islands are now easily traversing across the network boundaries. UC Security provides a forum for people to share the common security issues around UC.

I can see that several of the “usual characters” in our security circles are already members of the group.

As we mentioned back in July, there is also a VOIPSA group on LinkedIn which you are welcome to join as well.

I am still not personally entirely sold on the value of LinkedIn groups, but I do have to admit that some of the discussions have in fact been useful and interesting. If you are a LinkedIn user, you may want to check out these groups and join in the discussions (or at least promote the existence of the groups through having them on your LinkedIn profile).

Technorati Tags:
security, uc, unifiedcommunications, voip, voipsecurity, voipsa, linkedin

If you will be in Miami at ITEXPO February 2-4 you are welcome to attend a free “SIP Trunking And Security” session I (Dan York) will be doing as part of Ingate Systems’ SIP Trunking Workshops. The SIP trunking workshops are free to all attendees even if you only register for an exhibit pass.

My session will be 11:15-12:30 on Wednesday, February 3rd, and if you do attend please feel free to come up and introduce yourself (or drop me a note in advance to let me know to look out for you). I’ll be bringing my recording gear, too, and the talk will eventually go out in my Blue Box Podcast feed so you will be able to hear it later.

P.S. If you are attending ITEXPO and your company makes a product or provides a service related to VoIP security, please feel free to let me know and perhaps we can schedule an interview to go out as a Blue Box Special Edition.

Technorati Tags:
danyork, itexpo, miami, voipsa, voip security, sip trunking, sip, sip security, security

What are you doing tomorrow, Tuesday, October 28, 2008, at 1pm US Eastern time? If you are around, you are welcome to join a free webinar I’ll be giving on “Best Practices for Secure Unified Communications“.

From time-to-time, you’ll notice that those of us working with VOIPSA will take part in seminars/webinars offered by members of VOIPSA and we definitely enjoy doing so. For instance, as readers of the blog know, I’ve been speaking at Ingate’s SIP Trunking seminars for quite some time now. We’re generally open to speaking at anyone’s event or webinar – as long as they understand that there is no endorsement of the company/vendors’s products/services and that we are there to provide an industry-neutral point-of-view.

So tomorrow at 1pm US Eastern I’ll be speaking as part of Mitel’s “Discovery Series” where they invite in guest speakers from the industry. You can join the webinar for free at Mitel’s site. They asked me to speak about the threats/risks to voice over IP and unified communications and talk about best practices for protecting them. Here’s the abstract:

Discover Best Practices for Secure Unified Communications

Presented by: Dan York, Voice Over IP Security Alliance (VOIPSA)
October 28, 2008, 1:00 PM EDT / 10:00 AM PDT / 5:00PM GMT

With the emergence of Voice-over-IP and Unified Communications, companies now have incredible opportunities to provide a rich communication experience to employees located in a single location or distributed globally. But how does a company do this in a secure manner? How is the confidentiality and integrity of corporate conversations protected? How can a company be sure that its IP phone systems and IP trunks will always be available for usage? What are the issues around protecting SIP trunks or using hosted services?

In this webinar, VoIP Security Alliance Best Practices Chair Dan York will discuss the threats and risks to Voice-over-IP, the tools that are out to test (or attack) VoIP system and solutions and best practices for protecting your systems. He’ll also address concerns around SIP trunking, Spam for Internet Telephony (SPIT) and the move to push voice out into hosted/cloud computing environments and the associated concerns. Come prepared to learn about securing your VoIP system, to ask questions about your deployments and to leave with tips and resources to protect and defend your systems.

The webinar will be recorded and posted for later viewing as well. I’ll note that they also have a nice companion webinar to the one I’ll be giving tomorrow in one that HP representatives recently have on network security as it relates to VoIP.

Anyway, if you are available tomorrow (Oct 28th) at 1pm please do feel free to join into the webinar. I’ll post a note on this site, too, when it is available for later listening.

P.S. And yes, as a couple of people have asked, I do obviously have a closer association with this webinar than I do with some of the other vendors given that I worked at Mitel for 6 years and was their point person on VoIP security issues for much of that time. It will be fun to be speaking with them again.

Technorati Tags:
voip, voip security, security, voice, voice security, mitel, voipsa, danyork, dan york, unified communications

I would like to invite any VoIPSA LinkedIn users to join the new LinkedIn VoIPSA group.  While we already have documentation on the website regarding the Board of Directors and the Technical Board of Advisers, there wasn’t really much in the way of identifying and networking with other members of our organization who are not on either of these boards, other than of course the VoIPSec mailing list (which doesn’t have a public membership roster), so I’ve established this group to fill that void.

How can you make SIP trunking secure? Is there such a thing as “secure SIP trunking”? Can SIP trunks and VoIP actually be more secure than the PSTN?

All those questions and more will be the subject of a webinar next week sponsored by Ingate Systems (and announced today) in which I will be a participant called “Secure SIP Trunking: What You Need to Know“. The webinar will cover:

• Security misconceptions, challenges and requirements

• VoIP vs. PSTN: How SIP Trunks and VoIP can be more secure than traditional telephony
• The security measures you need; and those you don’t
• The basics of enterprise security and VoIP: SRTP, TLS and NAT traversal
• New security technologies
• Future-proofing your network for new security threats

Now, obviously this webinar is sponsored by Ingate so the solutions offered will involve their products. My role will be to talk about VoIP security in general and issues around securing SIP trunks. It should be an interesting session and you can easily register if you would like to attend. There is no charge.

The webinar will be on Thursday, April 10th, at 2:00pm US Eastern time, 11:00am US Pacific time.

NOTE: VOIPSA does not directly endorse, recommend, or promote products from any vendors. Our mission is to raise the level of discussion around VoIP security issues and so we are glad to participate in any relevant educational efforts such as webinars, conferences or other events. We are participating in this and other events sponsored by Ingate simply because they asked us and the events seemed in line with our overall mission. If you would like VOIPSA participation in an event you are sponsoring, please contact a VOIPSA Board Member about the possibility.

Technorati Tags:
voip security, voip, sip, sip security, sip trunking, sip trunking security, ingate, voipsa

Blue Box Podcast #76 is now available discussing Cisco, Skype and BT
vulnerabilities, when SIP looks like SPIT, VoIP security threat
predictions and the FBI forgets to pay their bills, plus listener
comments and more…

Jonathan and I recorded the show on January 22nd and I’m now *almost*
caught up with 1 main show still in the production queue (and about
10 special editions!)

Technorati Tags:
bluebox, blue box, voip, voip security, security

If any of you reading this are at the Mobile World Congress (formerly “3GSM”) in Barcelona, Spain, this week, VOIPSA Secretary (and Blue Box co-host) Jonathan Zar is there as well. If you are there, please do drop him an email as (schedule permitting) he is always interested to meet up with others interested in VoIP security.

Technorati Tags:
mobile world congress, 3gsm, jonathan zar, voip, voip security, voipsa

After a bit of a production hiatus, Jonathan and I are back with Blue Box Podcast #75 where we talk about the VoIP security news back in early January. We talked about the Asterisk vulnerability out then, the SANS white paper on VoIP security, several other news items and a ton of listener comments. More information is available in the show notes.