Category Archives: VOIPSA

Working On Restoring VOIPSEC Mailing List Archive Functionality

We are unfortunately aware that the mail archives for the VOIPSEC mailing list have not been functioning for a long time.  The list still does have occasional active conversations on it and anyone is welcome to subscribe. However, the archive on the list page as well as on the VOIPSA site page for the list has been broken for a while now.  As part of our work updating the VOIPSA website I’ve been in touch with our hosting vendor to see about getting the archives back in action.  Stay tuned….

Whither VOIPSA? (And How Are YOU Willing To Help?)


Flickr credit: mhartford

What do you think “VOIPSA 2.0” should be? And perhaps more importantly, how are you willing to help?

As Dave Endler wrote in his post last week, five years ago the need for an organization like VOIPSA was very clear. As I’ve often said in my talks, at that time there were security vendors running around saying “VoIP is incredibly insecure… but if you buy our box/service/whatever you’ll be safe! Trust us!” And there were some communications vendors running around effectively saying “All those VoIP security concerns are overblown by paranoid security people… if you just buy our box/service/whatever you’ll be safe! Trust us!”

The truth, as we know, is somewhere in between.

And that is the prime value that VOIPSA brings, in my opinion… being an “industry neutral” place where we can lay out that there are very real threats to IP communications security – but that there are also very real solutions.

Over the past 5 years, we’ve started that process with the VoIP Security Threat Taxonomy, the VoIP Security Tools List, the VOIPSEC mailing list, this Voice of VOIPSA blog, the talks and webinars we’ve given, the Ingate SIP Trunking Seminars we’ve participated in, the Blue Box podcasts we created – and so many other ways.

There is a great bit more to do. The original need that spawned VOIPSA is very much alive today. If anything, the need is greater as we’ve moved from being concerned not just with “Voice Over IP”, but even more with the broader “Unified Communications” picture that includes video, chat, presence and other forms of collaboration. The threats, the tools and the solutions all keep evolving.

We all owe Dave Endler a great amount of thanks for all the work he did to bring us together, launch VOIPSA and get it moving. I certainly wish him all the best with his new endeavors and I expect we’ll still see him lurking around watching what’s going on.

Jonathan Zar and I will be posting some thoughts soon on next steps for the organization, but in the meantime I thought I’d just write this post and let you all know that I’d very much like to hear from you all who are reading this. While not formally a “membership” organization (i.e. you can’t become a “member” of VOIPSA), we do have a “community” of people who read and participate in the various mailing lists and other areas.

To all of you who have participated in and/or promoted VOIPSA (or have wanted to do so), what would you like to see the organization do next? How would you like to help?

Please feel free to leave a comment here or send me an email. I’m listening.


It’s been over 5 years since the Voice over IP Security Alliance was born.  A small group of us originally aimed to fill a very large gap in the VoIP security landscape. Namely that outside of IETF meetings, the thought leaders in the carrier, vendor, and security industries didn’t really have many other vehicles to discuss and address security issues in VoIP.  VOIPSA was and is meant to bring those people together by promoting security research, testing methodologies, tools, and most importantly, discussion.

The need for VOIPSA is greater than ever, and we need fresh input to evolve to the next phase.  My professional interests have changed recently so that I will no longer have the time to devote as Chairman.

It gives me great pleasure (and relief) to announce that Dan York has graciously agreed to step up as our new Chairman and fearless leader. I am also pleased to announce that Jonathan Zar has agreed to continue on in the meantime as Secretary.  Dan and Jonathan have been instrumental since the beginning of VOIPSA in setting up the organization with me and evangelizing many of the issues that still plague VoIP deployments today.  Many of you already know Dan from his podcasts, his conference speaking, and his prolific blogging on, and Jonathan from his industry leadership and venture expertise.

You’ll be hearing from Dan and Jonathan in the near future on the vision and next steps at relaunching VOIPSA.  Thank you to everyone I’ve worked with over the last 5+ years who have given selflessly of their time and effort to VOIPSA.


David Endler

You can now follow VOIPSA on Twitter

Yes, indeed, the VoIP Security Alliance has joined the Twittersphere with:

Feel free to follow us there if you are a Twitter user. The primary reason we are on Twitter is so that Twitter users can follow whatever blog posts we post here on the Voice of VOIPSA blog. We’ve noticed over time on other sites (and in our own actions) that some folks prefer to be notified of new blog posts via Twitter versus a RSS feed. So now you have that choice. Subscribe via RSS or via Twitter. We’ll respond to tweets as well, of course, but our primary goal is to provide another way to consume VOIPSA content.

If you are on Twitter, please do feel free to follow us. Thanks.

Looking for a few good VoIP security writers…

Are you interested in writing about VoIP security? In providing updates on security news? Product reviews? Threat analyses? Notes about recent security advisories?

Would you like your writing to appear on this blog?

As you have probably noticed, the frequency of our posting here in recent months has dropped a bit. It’s definitely not for lack of content… anyone subscribing to a Google Alert on “voip security” or subscribing to the VOIPSEC mailing list will know that there are definitely ongoing VoIP security issues. But we collectively haven’t been writing all that often about those issues here on this blog. Many reasons… but mostly that those of us who have been writing for the three years since we started this blog have just been finding ourselves insanely busy and not able to make the time to write here frequently. A couple of folks have moved into roles where they no longer work directly with VoIP security. Others have started their own blogs or just gone on to other things.

So we are looking to recharge the “Voice of VOIPSA” writing corps a bit. Our goal all along has been to make this site a portal for news and analysis about “VoIP security” in whatever form that may take. We are looking for people who might be willing to write short notes about news stories related to security of VoIP, Unified Communications, etc. We are also looking for people interested in writing longer pieces like some of the deep analyses we have posted here in the past.

VOIPSA’s overall mission is to raise the level of discussion about communication security issues in the IP space – and we’re looking for anyone who would like to help us in doing that through this blog.

The only major requirement we have for writers here is that any pieces must be vendor-neutral, i.e. we are not looking for people to write here about how their company’s product will solve all your security woes. We’re not a marketing site for either VoIP or security vendors. However, we do welcome posts from people at those companies that talk about the general state of the industry. We also welcome posts from folks who may not be at any company in the space but are just passionately interested in the topic.

If you are interested in writing for Voice of VOIPSA, please send me an email expressing your interest and providing some background about your connection to VoIP security. If you write at an existing weblog, even on a completely different topic, it would be helpful if you sent along that link as well.

Thanks for continuing to follow this site and after three years of blogging, we’re looking forward to continuing to provide you information and analysis about VoIP/communication security for the next three years… and beyond!


“UC Security” group now on LinkedIn

If you are a LinkedIn user (as I am), there is now a “UC Security” group that you can join. The description of the group is:

Unified Communications is blurring the boundaries between Voice, Video and Data networks. As such, security threats that used to be in islands are now easily traversing across the network boundaries. UC Security provides a forum for people to share the common security issues around UC.

I can see that several of the “usual characters” in our security circles are already members of the group.

As we mentioned back in July, there is also a VOIPSA group on LinkedIn which you are welcome to join as well.

I am still not personally entirely sold on the value of LinkedIn groups, but I do have to admit that some of the discussions have in fact been useful and interesting. If you are a LinkedIn user, you may want to check out these groups and join in the discussions (or at least promote the existence of the groups through having them on your LinkedIn profile).


“SIP Trunking And Security” workshop coming up at ITEXPO on February 3, 2009

If you will be in Miami at ITEXPO February 2-4 you are welcome to attend a free “SIP Trunking And Security” session I (Dan York) will be doing as part of Ingate Systems’ SIP Trunking Workshops. The SIP trunking workshops are free to all attendees even if you only register for an exhibit pass.

My session will be 11:15-12:30 on Wednesday, February 3rd, and if you do attend please feel free to come up and introduce yourself (or drop me a note in advance to let me know to look out for you). I’ll be bringing my recording gear, too, and the talk will eventually go out in my Blue Box Podcast feed so you will be able to hear it later.

P.S. If you are attending ITEXPO and your company makes a product or provides a service related to VoIP security, please feel free to let me know and perhaps we can schedule an interview to go out as a Blue Box Special Edition.


I’ll be speaking tomorrow, 1pm US Eastern, in a Mitel webinar on Unified Communications Security

What are you doing tomorrow, Tuesday, October 28, 2008, at 1pm US Eastern time? If you are around, you are welcome to join a free webinar I’ll be giving on “Best Practices for Secure Unified Communications”.

From time to time, you’ll notice that those of us working with VOIPSA will take part in seminars/webinars offered by members of VOIPSA and we definitely enjoy doing so. For instance, as readers of the blog know, I’ve been speaking at Ingate’s SIP Trunking seminars for quite some time now. We’re generally open to speaking at anyone’s event or webinar – as long as they understand that there is no endorsement of the company/vendor’s products/services and that we are there to provide an industry-neutral point-of-view.

So tomorrow at 1pm US Eastern I’ll be speaking as part of Mitel’s “Discovery Series” where they invite in guest speakers from the industry. You can join the webinar for free at Mitel’s site. They asked me to speak about the threats/risks to voice over IP and unified communications and talk about best practices for protecting them. Here’s the abstract:

Discover Best Practices for Secure Unified Communications

Presented by: Dan York, Voice Over IP Security Alliance (VOIPSA)
October 28, 2008, 1:00 PM EDT / 10:00 AM PDT / 5:00PM GMT

With the emergence of Voice-over-IP and Unified Communications, companies now have incredible opportunities to provide a rich communication experience to employees located in a single location or distributed globally. But how does a company do this in a secure manner? How is the confidentiality and integrity of corporate conversations protected? How can a company be sure that its IP phone systems and IP trunks will always be available for usage? What are the issues around protecting SIP trunks or using hosted services?

In this webinar, VoIP Security Alliance Best Practices Chair Dan York will discuss the threats and risks to Voice-over-IP, the tools that are out to test (or attack) VoIP systems and solutions and best practices for protecting your systems. He’ll also address concerns around SIP trunking, Spam for Internet Telephony (SPIT) and the move to push voice out into hosted/cloud computing environments and the associated concerns. Come prepared to learn about securing your VoIP system, to ask questions about your deployments and to leave with tips and resources to protect and defend your systems.

The webinar will be recorded and posted for later viewing as well. I’ll note that they also have a nice companion webinar to the one I’ll be giving tomorrow in one that HP representatives recently gave on network security as it relates to VoIP.

Anyway, if you are available tomorrow (Oct 28th) at 1pm please do feel free to join into the webinar. I’ll post a note on this site, too, when it is available for later listening.

P.S. And yes, as a couple of people have asked, I do obviously have a closer association with this webinar than I do with some of the other vendors given that I worked at Mitel for 6 years and was their point person on VoIP security issues for much of that time. It will be fun to be speaking with them again.


LinkedIn to VoIPSA

I would like to invite any VoIPSA LinkedIn users to join the new LinkedIn VoIPSA group.  While we already have documentation on the website regarding the Board of Directors and the Technical Board of Advisers, there wasn’t really much in the way of identifying and networking with other members of our organization who are not on either of these boards, other than of course the VoIPSec mailing list (which doesn’t have a public membership roster), so I’ve established this group to fill that void.