[VOIPSEC] SBC Certifications (Court Schuett)

ANDRE LUIZ CABRAL DUTRA andred at superig.com.br
Tue Apr 29 07:08:37 CDT 2008


I don't know. But I doubt that there will be a neutral one. If there is one
available it will be for a specific vendor. The way things change in
Telecom/IT, I would never take a cert that is vendor restricted.

André Dutra
Security Consultant


2008/4/29, voipsec-request at voipsa.org <voipsec-request at voipsa.org>:
>
> Today's Topics:
>
>   1. FYI - iSkoot's exposure of Skype credentials over the weekend
>      (now resolved) (Dan York)
>   2. SBC Certifications (Court Schuett)
>
>
> ----------------------------------------------------------------------
>
> Message: 1
> Date: Mon, 28 Apr 2008 13:27:17 -0400
> From: Dan York <dyork at voxeo.com>
> Subject: [VOIPSEC] FYI - iSkoot's exposure of Skype credentials over
>        the weekend (now resolved)
> To: voipsec at voipsa.org
> Message-ID: <F21DB8C5-E3A7-4A34-A8B7-57A964530AB1 at voxeo.com>
> Content-Type: text/plain; charset=US-ASCII; format=flowed; delsp=yes
>
> VOIPSEC readers,
>
> FYI, if you haven't been following the issue, over the weekend Dameon
> Welch-Abernathy, a.k.a. PhoneBoy, discovered that the iSkoot program
> that enables Skype usage from mobile phones was passing Skype user
> credentials in the clear. I put up a blog post on the VOIPSA blog
> which has been tracking the various posts, statements and other
> aspects of the case:
>
>
> http://voipsa.org/blog/2008/04/26/are-your-skype-username-and-password-completely-exposed-if-you-use-iskoot/
>
> Over the course of the weekend, it turned out that a development/pre-
> production release of the Symbian version of iSkoot was put up on
> their site and this version did not have SSL encryption enabled.  The
> other versions of the iSkoot product for Blackberry, Windows Mobile,
> etc. were NOT affected by this.  The bad version has been pulled down
> and a new version will be pushed shortly to all Symbian devices.
> iSkoot has issued a formal statement that I comment on here:
>
>
> http://voipsa.org/blog/2008/04/28/iskoot-disclosure-of-skype-credentials-resolved-new-version-by-wednesday/
>
> The issue Dameon discovered will therefore soon be resolved.
>
> Overall, it was an interesting process this weekend (which I
> chronicled here:
> http://voipsa.org/blog/2008/04/28/chronology-of-the-blogosphere-and-iskoot-weekend-response-to-the-iskoot-security-issue/
> ).  Dameon and I spoke this morning and he did say that he realized
> after posting that he really did inadvertently announce a "zero day"
> vulnerability in iSkoot's product.  He was NOT doing security research
> at the time but was rather writing up a comparison of iSkoot to
> Skype's new "Skype for Mobile" product. During the course of
> researching the two products to write his comparison, he realized that
> iSkoot was sending everything in the clear... and promptly wrote that
> up.  Dameon acknowledged that a better process would have been to
> contact the vendor directly and work with them first.  Although to be
> honest there was no apparent security contact process at iSkoot and
> "security at iskoot.com" did not work as an email address. The process
> might have been long for Dameon.
>
> In the end, it all worked out well in this case.  iSkoot responded
> quickly and a serious potential exposure of information is now on the
> way to being closed. Kudos to Dameon, the iSkoot team and all involved
> for bringing about the quick resolution.
>
> Regards,
> Dan
> --
> Dan York, CISSP, Director of Emerging Communication Technology
> Office of the CTO    Voxeo Corporation     dyork at voxeo.com
> Phone: +1-407-455-5859  Skype: danyork  http://www.voxeo.com
> Blogs: http://blogs.voxeo.com  http://www.disruptivetelephony.com
>
> Build voice applications based on open standards.
> Find out how at http://www.voxeo.com/free
>
>
> ------------------------------
>
> Message: 2
> Date: Mon, 28 Apr 2008 15:32:33 -0500
> From: "Court Schuett" <court.schuett at gmail.com>
> Subject: [VOIPSEC] SBC Certifications
> To: voipsec at voipsa.org
> Message-ID:
>        <6acecb760804281332o66d8d823r1b26409149c55a9a at mail.gmail.com>
> Content-Type: text/plain; charset=ISO-8859-1
>
> Does anyone know of any security certifications to look for in a Session
> Border Controller?
>
> Thanks!
>
>
> ------------------------------
>
> End of Voipsec Digest, Vol 40, Issue 14
> ***************************************
>


