[VOIPSEC] SBC Certifications (Court Schuett)
Janne Magnusson
janne at ingate.com
Tue Apr 29 08:04:20 CDT 2008
ICSA have VoIP certification for firewalls, but I don't think any firewall is certified yet. An SBC should probably be able to pass the VoIP tests as well even though the tests are designed for a firewall.
/Janne
> -----Original Message-----
> From: voipsec-bounces at voipsa.org [mailto:voipsec-bounces at voipsa.org] On
> Behalf Of ANDRE LUIZ CABRAL DUTRA
> Sent: den 29 april 2008 14:09
> To: voipsec at voipsa.org
> Subject: Re: [VOIPSEC] SBC Certifications (Court Schuett)
>
> I don't know. But I doubt that it will be a neutral one. If there is one
> available it will be for a specific vendor. The way things change in
> Telecom/IT, I would never take a cert that is vendor restricted.
>
> André Dutra
> Security Consultant
>
>
> 2008/4/29, voipsec-request at voipsa.org <voipsec-request at voipsa.org>:
> >
> > Today's Topics:
> >
> > 1. FYI - iSkoot's exposure of Skype credentials over the weekend
> > (now resolved) (Dan York)
> > 2. SBC Certifications (Court Schuett)
> >
> >
> > ----------------------------------------------------------------------
> >
> > Message: 1
> > Date: Mon, 28 Apr 2008 13:27:17 -0400
> > From: Dan York <dyork at voxeo.com>
> > Subject: [VOIPSEC] FYI - iSkoot's exposure of Skype credentials over
> > the weekend (now resolved)
> > To: voipsec at voipsa.org
> > Message-ID: <F21DB8C5-E3A7-4A34-A8B7-57A964530AB1 at voxeo.com>
> > Content-Type: text/plain; charset=US-ASCII; format=flowed; delsp=yes
> >
> > VOIPSEC readers,
> >
> > FYI, if you haven't been following the issue, over the weekend Dameon
> > Welch-Abernathy, a.k.a. PhoneBoy, discovered that the iSkoot program
> > that enables Skype usage from mobile phones was passing Skype user
> > credentials in the clear. I put up a blog post on the VOIPSA blog
> > which has been tracking the various posts, statements and other
> > aspects of the case:
> >
> >
> > http://voipsa.org/blog/2008/04/26/are-your-skype-username-and-password-completely-exposed-if-you-use-iskoot/
> >
> > Over the course of the weekend, it turned out that a development/pre-
> > production release of the Symbian version of iSkoot was put up on
> > their site and this version did not have SSL encryption enabled. The
> > other versions of the iSkoot product for Blackberry, Windows Mobile,
> > etc. were NOT affected by this. The bad version has been pulled down
> > and a new version will be pushed shortly to all Symbian devices.
> > iSkoot has issued a formal statement that I comment on here:
> >
> >
> > http://voipsa.org/blog/2008/04/28/iskoot-disclosure-of-skype-credentials-resolved-new-version-by-wednesday/
> >
> > The issue Dameon discovered will therefore soon be resolved.
> >
> > Overall, it was an interesting process this weekend (which I
> > chronicled here:
> > http://voipsa.org/blog/2008/04/28/chronology-of-the-blogosphere-and-iskoot-weekend-response-to-the-iskoot-security-issue/
> > ). Dameon and I spoke this morning and he did say that he realized
> > after posting that he really did inadvertently announce a "zero day"
> > vulnerability in iSkoot's product. He was NOT doing security research
> > at the time but was rather writing up a comparison of iSkoot to
> > Skype's new "Skype for Mobile" product. During the course of
> > researching the two products to write his comparison, he realized that
> > iSkoot was sending everything in the clear... and promptly wrote that
> > up. Dameon acknowledged that a better process would have been to
> > contact the vendor directly and work with them first. Although to be
> > honest there was no apparent security contact process at iSkoot and
> > "security at iskoot.com" did not work as an email address. The process
> > might have been long for Dameon.
> >
> > In the end, it all worked out well in this case. iSkoot responded
> > quickly and a serious potential exposure of information is now on the
> > way to being closed. Kudos to Dameon, the iSkoot team and all involved
> > for bringing about the quick resolution.
> >
> > Regards,
> > Dan
> > --
> > Dan York, CISSP, Director of Emerging Communication Technology
> > Office of the CTO Voxeo Corporation dyork at voxeo.com
> > Phone: +1-407-455-5859 Skype: danyork http://www.voxeo.com
> > Blogs: http://blogs.voxeo.com http://www.disruptivetelephony.com
> >
> > Build voice applications based on open standards.
> > Find out how at http://www.voxeo.com/free
> >
> >
> > ------------------------------
> >
> > Message: 2
> > Date: Mon, 28 Apr 2008 15:32:33 -0500
> > From: "Court Schuett" <court.schuett at gmail.com>
> > Subject: [VOIPSEC] SBC Certifications
> > To: voipsec at voipsa.org
> > Message-ID:
> > <6acecb760804281332o66d8d823r1b26409149c55a9a at mail.gmail.com>
> > Content-Type: text/plain; charset=ISO-8859-1
> >
> > Does anyone know of any security certifications to look for in a Session
> > Border Controller?
> >
> > Thanks!
> >
> >
> > ------------------------------
> >
> > _______________________________________________
> > Voipsec mailing list
> > Voipsec at voipsa.org
> > http://voipsa.org/mailman/listinfo/voipsec_voipsa.org
> >
> >
> > End of Voipsec Digest, Vol 40, Issue 14
> > ***************************************
> >