Ari Takanen starts blogging at ITworld…

aritakanen-itworld.jpgI was pleased to see today that Codenomicon CTO Ari Takanen has started blogging for ITworld with an entry “Greatest Challenge in VoIP Security” in what appears to be a new ITworld blog “VoIP Security: Secrets and Hype“. As that page says:

What is VoIP security all about? After close to ten years of hacking and bashing VoIP, Ari Takanen will finally reveal the secrets and discuss the hype around VoIP security. The discussions in this blog will draw from his book “Securing VoIP Networks: Threats, Vulnerabilities, and Countermeasures” co-authored by Peter Thermos, and published by Addison-Wesley. Ari will also answer any questions and comments you might have regarding penetration testing and fuzzing of VoIP and other telephony networks.

Ari’s a great guy who is a member of the VOIPSA Technical Board of Advisor, who I’ve met at a number of shows and who has often shared his insight on the VOIPSEC mailing list. He was also a member of a panel last year that we ran as a Blue Box Special Edition. (There’s also another interview with Ari and his co-author Peter Thermos that’s in the Blue Box post-production queue… soon…)

Anyway, it’s great to see Ari joining the blogging space. In his first post he writes:

Building VoIP security is a team effort. Each of us look at it from a slightly different angle. All opinions are correct. During the future weeks I will share mine in this blog.

I look forward to reading those opinions!

Technorati Tags:
, , , , ,

Highlights From IPTCOMM Heidelberg July 2008

IPTCOMM 2008, held in Heidelberg, was a great event and directly relevant to the VOIPA community.  What made it notable was the success of the organizing committee and venue host in showcasing outstanding new research results for security, performance, and new features in IMS/NGN based technologies.

Much of the work was developed by graduate students and postdocs under sponsorship of senior technical members of our community.   In addition to the technical work the spirit, energy, and enthusiasm of the attendees was a notable pleasure.

The conference program will be published by Springer Lecture Notes in Computer Science; other details available directly at the IPTCOMM site.

An industry talk for VOIPSA identified four new projects necessary to advance research in the market.  I’ll mention details by separate post.

A quick summary of what happened at IPTCOMM follows:

Welcome Note
Saverio Niccolini (NEC Laboratories Europe, DE) and Pamela Zave (AT&T Laboratories, US)

Keynote
Dr. Ralf Steinmetz Professor, Multimedia Communications Lab (TU Darmstadt, DE).
“Real-time Communications and Services in 2018 and Beyond.”

SIP and new service environments
A SIP-based Programming Framework for Advanced Telephony Applications
Wilfried Jouve (INRIA / LaBRI, FR); Nicolas Palix (LaBRI/INRIA, FR); Charles Consel (LaBRI/INRIA, FR); Patrice Kadionik (IMS, University of Bordeaux, FR)

An IMS Based Mobile Podcasting Architecture Supporting Multicast Delivery
Heiko Perkuhn (Ericsson Research, DE)

Generalized Third-Party Call Control in SIP Networks
Eric Cheung (AT&T, US); Pamela Zave (AT&T Laboratories, US)

Attack detection and mitigation in SIP networks
Automatic Adaptation and Analysis of SIP Headers using Decision Trees
Karin Hummel; Michael Nussbaumer; Andrea Hess Helmut Hlavacs (Univ. of Vienna, AT); Karin Hummel (University of Vienna, AT); Michael Nussbaumer (University of Vienna, AT); Andrea Hess (University of Vienna, AT)

A Self-Learning System for Detection of Anomalous SIP Messages
Konrad Rieck (Fraunhofer FIRST, DE); Stefan Wahl (Alcatel-Lucent, DE); Pavel Laskov (Fraunhofer FIRST, DE); Peter Domschitz (Alcatel-Lucent, DE); Klaus-Robert Müller (Technical University of Berlin, DE)

Secure SIP: A scalable prevention mechanism for DoS attacks on SIP based VoIP systems
Gaston Ormazabal (Verizon, US); Henning Schulzrinne (Columbia University, US); Eilon Yardeni (Columbia University, US); Sarvesh Nagpal (Columbia University, US)

Performance management in SIP networks
One Server Per City: Using TCP for Very Large SIP Servers
Kumiko Ono (Columbia University, US); Henning Schulzrinne (Columbia University, US); Erich Nahum (IBM T.J. Watson Research Center)

SIP Server Overload Control: Design and Evaluation
Charles Shen (Columbia University, US); Henning Schulzrinne (Columbia University, US)

Improving the scalability of an IMS-compliant conferencing framework. Part II: involving mixing and floor control Simon Pietro Romano (University of Napoli Federico II, IT); Alessandro Amirante (University of Napoli Federico II, IT); Tobia Castaldi (University of Napoli Federico II, IT); Lorenzo Miniero (University of Napoli Federico II, IT)

On Mechanisms for Deadlock Avoidance in SIP Servlet Containers
Laura Dillon; Kurt Stirewalt; Yi Huang (Michigan State University, US)

Security, legal and modeling issues of SIP based communications
Lawful Interception in P2P-based VoIP Systems
Jan Seedorf (NEC Europe Ltd., DE)

Security Analysis of an IP Phone: Cisco 7960G
Italo Dacosta (Georgia Institute of Technology, US)

Understanding SIP Through Model-Checking
Pamela Zave (AT&T Laboratories, US)

Next generation services for VoIP
Detecting VoIP Traffic Based on Human Conversation Patterns
Chen-Chi Wu (National Taiwan University, TW); Kuan-Ta Chen (Academia Sinica, TW); Yu-Chun Chang (National Taiwan University, TW); Chin-Laung Lei (National Taiwan University, TW)

Template-based Signaling Compression for Push-To-Talk over Cellular (PoC)
Andrea Forte (Columbia University, US); Henning Schulzrinne (Columbia University, US)

Providing Content Aware Enterprise Communication Services
Xiaotao Wu (Avaya Labs Research, US); K. Kishore Dhara (Avaya Labs Research, US); Venkatesh Krishnaswamy (Avaya Labs Research, US)

Industry talk session
An overview of ETSI standardisation activities in the Information Security arena with a focus on NGNs
Carmine Rizzo, Technical Officer, ETSI Standardisation Projects

Simulating Realistic Metro-area Network Behavior
Darius, Product Manager, Empirix

Process-Based Security Testing in a Carrier Environment
Sven Weizenegger, Lead of Security Testing and Senior Consultant, T-Systems; Heikki Kortti, Senior Security Specialist, Codenomicon

VoIP Security: Do Claims of Threats Justify Continued Research Efforts?
Jonathan Zar, Pingalo, Inc; Eric Y. Chen, NTT Information Sharing Platform Laboratories

Demos
Advanced Structural Fingerprinting in SIP
Humberto J. Abdelnur Radu State, Olivier Festor (INRIA)

Robustness Testing Of SIP, IMS and Of the Underlying IP Infrastructure
Lauri Piikivi (Codenomicon)

Protocol interactions among User Agents, Application Servers andMedia Servers
A. Amirante, T. Castaldi, L. Miniero and S. P. Romano (University of Napoli Federico II)

SOA-Type Service Composition With Reusable Telecommunications Components
Ioannis Fikouras (Ericsson Research), Gregory W. Bond (AT&T Laboratories)

VoIP SEAL 2.0 Security Suite for SIP enabled networks
Thilo Ewald, Nico d’Heureuse, Saverio Niccolini (NEC Laboratories Europe, DE)

On the deployment of Network Processors in Operational and Testing Network Devices
Fabio Mustacchio, Federico Rossi, Francesco Lamonica (NetResults Srl); Andrea Di Pietro, Fabio Vitucci, Domenico Ficara (University of Pisa – Department of Information Engineering)

Vishing Prevention by Authenticated Display-name
Stanley Chow Christophe Gustave Dmitri Vinokurov (Alcatel-Lucent, Bell Laboratories)

Note: This posting is for informative purposes only.  Conference notes are available from Springer LNCS and copyrighted IPTCOMM 2008.

Want to learn about voice biometrics? VoiceVerified to be interviewed tomorrow (July 10, 2008)

voiceverifiedlogo.jpgAre you interested in using voice for authentication, also known as voice biometrics? Would you like to know how far voice biometrics has come from that 1992 film “Sneakers” with “My voice is my password”?

If you are free tomorrow, July 10, 2008, at 11am US Eastern time you can join in a conference call/podcast where I’ll be interviewing David Standig with VoiceVerified.com about voice biometrics in general and VoiceVerified’s specific offering. If you can’t join us at 11am, the interview will be available as a “Squawk Box” podcast later in the day.

The deal is that Alec Saunders, the regular host/producer of the daily Squawk Box podcast is away on vacation and I’ve been guest-hosting this week in his absence. The daily shows have been about a range of topics (today was a great one about P2PSIP) and tomorrow’s show actually gets into VoIP security in terms of voice verification/biometrics.

If you would like to join into the show, there are two ways you can do so:

In either case, you’ll get access to the telephone number you need to call and, during the call, will also have access to the live chat session that is used.

If you aren’t able to attend (or don’t want to use the app), you can listen to the show after I post it on Alec’s Saunderslog.com sometime later tomorrow, probably in the evening.

Also, if you are interested in being on Alec’s Squawk Box show, my guest hosting is done tomorrow but drop me a note and I’ll be glad to suggest your name to Alec after he returns. I frequently participate and they’ve been enjoyable shows to be a part of.

P.S. In the interest of full transparency and disclosure, I should note that VoiceVerified is actually a business partner of my employer, Voxeo, as I outlined in a blog post. That fact, however, did not influence my decision to bring them on the show – I was just looking for interesting companies to interview and they were one that caught my eye.

Technorati Tags:
, , , , , ,

Sipera looking to hire a few good VoIP security researchers…

siperalogo.jpgWant a job in VoIP security? Jason Ostrom, who recently joined Sipera Systems as director of their VIPER Lab, passed along word to us that they are looking to hire two new positions related to VoIP security:

  • VIPER Security Consultant
  • VIPER Vulnerability Research Engineer

Job descriptions and information about applying can be found over on Sipera’s “Careers in VoIP Security” page. (i.e. please do not leave comments here about these jobs or contact us as we have nothing to do with the jobs).

Technorati Tags:
, , , ,

Avaya, Cisco and Nortel VoIP security vulnerabilities to be announced today

News reports are coming out now (FierceVoIP, Network World and others) that in about 30 minutes or so, Avaya, Cisco, Nortel and VoIPShield Systems will be jointly announcing VoIP security vulnerabilities – and corresponding fixes.

We are delighted to see that in contrast to the previous announcement of vulnerabilities discovered by VoIPshield Systems, all three major vendors will be participating in today’s announcement.

Stay tuned… and if you are an Avaya, Cisco or Nortel user, you should probably be standing by to allocate some time to patching.

Technorati Tags:
, , , , , , ,

Nortel launches Voice Security Technology Blog

nortelvoicesecurityblog.jpgI recently learned that Nortel has launched their “Voice Security Technology Blog“. Their initial post outlines their goals for the blog. They only have two posts up so far but we’ll be interested to watch the blog and see what they do with it.

Technorati Tags:
, , , , ,

Variable Bitrate Compression Flawed

Some researchers over at Johns Hopkins University have discovered that due to the way Variable Bitrate Compression does it’s thing, even if the audio stream is encrypted it is still possible to determine entire words and phrases based on the lengths of the packets with a high degree of accuracy.

According to the article referenced above it appears that the proof of concept tool is fairly limited, but given a little time and additional effort it’s capabilities could be greatly expanded, potentially to the point of transcribing entire conversations.

The researchers’ paper was presented at the 2008 IEEE Symposium on Security and Privacy a few weeks ago.

iSkoot disclosure of Skype credentials resolved – new version by Wednesday

If you have been following this weekend’s discovery by Dameon Welch-Abernathy, a.k.a. PhoneBoy, of the iSkoot program disclosing Skype usernames and passwords (see also the chronology), you will know that the problem has been fixed and a formal statement from iSkoot would be forthcoming. That statement from iSkoot CEO Mark Jacobstein has now been issued on their blog. The key part related to the vulnerability is this:

A recent build allowed a development/pre-production version of the Symbian client to be downloaded in place of our production version, which did indeed produce the issue Phoneboy reported. We have checked our other platforms (Blackberry, J2ME, Windows Mobile, etc.) and fortunately this issue impacted only Symbian devices. We’ve pulled the development/pre-production build and fixed the bug and will be doing a forced upgrade to every Symbian user no later than Wednesday (4/30).

The folks at iSkoot are definitely to be applauded for their quick response. The incorrect build has been pulled from their site and, as stated, they intend to have a new version out no later than Wednesday. In the meantime, I would personally suggest that iSkoot users on Symbian devices simply stop running the application until the new build has been downloaded.

Good outcome, all in all.

Technorati Tags:
, , , , , ,