Monthly Archives: October 2008

I’ll be speaking tomorrow, 1pm US Eastern, in a Mitel webinar on Unified Communications Security

What are you doing tomorrow, Tuesday, October 28, 2008, at 1pm US Eastern time? If you are around, you are welcome to join a free webinar I’ll be giving on “Best Practices for Secure Unified Communications“.

From time to time, you’ll notice that those of us working with VOIPSA will take part in seminars/webinars offered by members of VOIPSA, and we definitely enjoy doing so. For instance, as readers of the blog know, I’ve been speaking at Ingate’s SIP Trunking seminars for quite some time now. We’re generally open to speaking at anyone’s event or webinar – as long as they understand that there is no endorsement of the company’s/vendor’s products/services and that we are there to provide an industry-neutral point of view.

So tomorrow at 1pm US Eastern I’ll be speaking as part of Mitel’s “Discovery Series”, where they invite guest speakers from the industry. You can join the webinar for free at Mitel’s site. They asked me to speak about the threats/risks to voice over IP and unified communications and to talk about best practices for protecting them. Here’s the abstract:

Discover Best Practices for Secure Unified Communications

Presented by: Dan York, Voice Over IP Security Alliance (VOIPSA)
October 28, 2008, 1:00 PM EDT / 10:00 AM PDT / 5:00PM GMT

With the emergence of Voice-over-IP and Unified Communications, companies now have incredible opportunities to provide a rich communication experience to employees located in a single location or distributed globally. But how does a company do this in a secure manner? How is the confidentiality and integrity of corporate conversations protected? How can a company be sure that its IP phone systems and IP trunks will always be available for usage? What are the issues around protecting SIP trunks or using hosted services?

In this webinar, VoIP Security Alliance Best Practices Chair Dan York will discuss the threats and risks to Voice-over-IP, the tools that are out there to test (or attack) VoIP systems and solutions, and best practices for protecting your systems. He’ll also address concerns around SIP trunking, Spam for Internet Telephony (SPIT) and the move to push voice out into hosted/cloud computing environments and the associated concerns. Come prepared to learn about securing your VoIP system, to ask questions about your deployments and to leave with tips and resources to protect and defend your systems.

The webinar will be recorded and posted for later viewing as well. I’ll note that they also have a nice companion webinar to the one I’ll be giving tomorrow: one that HP representatives recently gave on network security as it relates to VoIP.

Anyway, if you are available tomorrow (Oct 28th) at 1pm, please do feel free to join the webinar. I’ll post a note on this site, too, when it is available for later listening.

P.S. And yes, as a couple of people have asked, I do obviously have a closer association with this webinar than I do with some of the other vendors given that I worked at Mitel for 6 years and was their point person on VoIP security issues for much of that time. It will be fun to be speaking with them again.


Blue Box #84: New Cisco, Avaya, Nortel VoIP security vulnerabilities from VoIPShield, Skype in China, UCSniff and other new tools, news and more

This morning I posted Blue Box Podcast #84, where Jonathan and I discussed the latest round of VoIP security vulnerabilities for Cisco, Avaya and Nortel systems released by VoIPShield Systems; talked about the new VoIP security testing tools released by Sipera Systems (UCSniff) and separately by SecureLogix; talked about Skype’s security issues related to their Chinese partner; and also discussed a range of other VoIP security issues and news items.

And… we’re delighted to be able to say we’re posting about an episode that was recorded only about 10 days ago, so we’re back on track with getting timely episodes out!

You can listen to the episode now either directly from the website or by downloading.


Blue Box Podcast #83 – SIP and Asterisk vulnerabilities, voice biometrics, P2PSIP, Aircell blocking Skype, VoIP security news and more…

Last week I posted Blue Box Podcast #83, and you can now either download it or listen to it from the website. In this show, where Jonathan and I were catching up on VoIP security topics from over the summer, we talked about SIP and Asterisk vulnerabilities, voice biometrics, P2PSIP, Aircell blocking Skype and other pieces of VoIP security news. You can listen to it now.


Internet phone calls, terrorism and finding the balance for law enforcement

The Times of London is out today with a provocatively titled piece: “Internet phone calls are crippling fight against terrorism” and leads with this:

The huge growth in internet telephone traffic is jeopardising the capability of police to investigate almost every type of crime, senior sources have told The Times.

As more and more phone calls are routed over the web – using software such as Skype – police are losing the ability to track who has called whom, from where and for how long.

The key difficulty facing police is that, unlike mobile phone companies, which retain call data for billing purposes, internet call companies have no reason to keep the material.

It goes on to mention the issues security officials have with the new world of online communication:

At present security and intelligence agencies can demand to see telephone and e-mail traffic from communication service providers, such as mobile telephone companies. But rapid expansion of new providers, such as gaming, social networking, auction and video sites, and technologies, such as wireless internet and broadband, present a serious problem for the police, MI5, Customs and other government agencies.

Communications data is now a key weapon in securing convictions of both terrorists and serious criminals. It also plays a central role in investigations into kidnappings and inquiries into missing and vulnerable people.

It is indeed a challenging problem. How do government security services exercise their legitimate need to have access to some communications-related data in the pursuit of a crime when the communications providers are no longer easy to identify?

In the old days of just the PSTN, the communications carriers were easy to identify and easy to work with… in the sense that jurisdiction was usually rather clear, since the provider was based in the country where the communication was taking place. Government security services could work with those companies to carry out lawful intercept and other such actions.

VoIP changes all of that. From a technical perspective, geography goes out the window. You can use a software product created by a company from anywhere in the world to communicate with someone else. It can be encrypted. It can use different protocols. It can be unencrypted yet go over an encrypted VPN.

And without central control, there is no central way for a government agency to be able to easily obtain that communications data.

So what do you do? Do you create (and somehow futilely attempt to enforce?) draconian and Orwellian legislation that gives government agencies extremely broad powers to access Internet-carried information? (As it sounds like is happening in the UK?) Do you try to have industry entities voluntarily assist security agencies? Do you give up and admit that it’s next to impossible to really get all this kind of information?

There’s a balance to be struck somewhere in there – and finding that balance is going to be one of the toughest policy issues we all will confront over the next few years.

I can see both sides… as a strong privacy advocate, I do not want the government to have broad powers to intercept and view Internet traffic – the potential for abuse and mis-use is far too high in my opinion. Yet at the same time as a father and husband I can assure you that if something were ever to happen to any of my family, I would want law enforcement to have access to every tool imaginable to track down the perpetrators and bring them to justice.

Where’s the line? What’s the right approach?

No easy answers…


China’s TOM-Skype Surveillance

According to a report published on October 1st by Citizen Lab, full chat text messages from TOM-Skype users were found on publicly-accessible web servers, along with the encryption key required to decrypt the data. Additional data, such as millions of IP addresses, user names and land-line phone numbers, and records of international users who regularly communicated with Chinese users, was found alongside the chat logs.

From an Ars Technica article about the report:

Clearly, there are a number of problems with this discovery, starting with security. Villeneuve notes that the information contained on the servers could be used to exploit the TOM-Skype server network, and an attacker can access detailed user profiles. “In fact, evidence suggests that the servers used to store captured data have been compromised in the past and used to host pirated movies and torrents (for peer-to-peer file sharing),” reads the report. Clearly, crafty hackers already know where these servers are and how to get into them.

While troubling from an overall Skype security standpoint, it’s not much of a surprise that the Chinese government had a way to monitor their Skype users, especially with Skype being partnered with TOM Online, a Chinese company.

Since around September 2005, Chinese users attempting to download the Skype client have been blocked from doing so, instead being redirected to a modified Chinese version hosted by TOM. Did anyone really think that this modified version wasn’t backdoored? Who wants to bet that they have keys to decrypt the voice channels as well?

5th Emergency Services Workshop to be held Oct 21-23 in Vienna

How does an emergency call to 9-1-1 or 1-1-2 (or whatever your local emergency number may be) work in a world of voice-over-IP?

It’s a topic we hardly cover at all here on this blog, yet it’s definitely one of the security and social/cultural aspects of our migration to IP that we have to get right. If we as an industry don’t, people can die. (Or the migration to VoIP will be significantly delayed.)

To that end, a number of emergency services experts are meeting in Vienna, Austria on 21st to 23rd October 2008 to discuss ongoing work on IP-based emergency services. The first workshop day focuses on tutorials to help those familiar with the classical 1-1-2 (or 9-1-1) emergency call get up to speed with the architectures and standards developed for next generation emergency calling. During the second day, various recent activities of standardization organizations around the world will be presented. The third workshop day is dedicated to early warning standardization efforts and the outlook for future emergency services activities.

Participation from those working in standardization organizations, as well as anyone with an interest in the subject, is highly appreciated. The event is open to the public and anyone may attend. An evening program has been organized for socializing. There is a nominal fee of 120 Euros to cover the cost of facilities, food, drinks, etc. Arrangements are also being made for participants to join remotely.

More information about the workshop can be found at the following link:

This page also points to previous workshops that took place in New York, Washington, Brussels and Atlanta.

(Thanks to Hannes Tschofenig for providing the majority of this text.)
