[SecurityRatty] tag: mp3

Blue Box #82: Asterisk & Skype security vulnerabilities, new VoIP security tools, VoIP steganography, VoIP security news and much, much more...

Wed, 27 Aug 2008 15:53:18 +0000

Synopsis: Blue Box #82: Asterisk & Skype security vulnerabilities, new VoIP security tools, VoIP steganography, VoIP security news and much, much more...

Welcome to Blue Box: The VoIP Security Podcast #82, a 47-minute podcast from Dan York and Jonathan Zar covering VoIP security news, comments and opinions.

Download the show here (MP3, 21MB) or subscribe to the RSS feed to download the show automatically.

NOTE: This show was originally recorded on June 21, 2008.

You may also listen to this podcast right now:

Show Content:

00:20 - Intro to the show, contact information and how to provide comments. Welcome to all the new listeners - and to all those listeners who have been here for so long!
Programming notes:
- Note about the production team – new special editions coming soon.
- Note about URLs for the media files
AST-2008-008 – Remote Crash Vulnerability in SIP channel driver when run in pedantic mode
AST-2008-009 – Remote crash vulnerability in ooh323 channel driver
Skype-SB-2008-003 – Skype File URI Security Bypass Code Execution Vulnerability

New version of SIPvicious

Sipflanker – tool to find SIP devices with web GUIs

Discussion about VoIP Steganography (pointed to by Craig Bowser)

Geeks Are Sexy: New Technology Hides Messages in Internet Phone Calls – and Switched: Spies to Use Skype to Send Secret Messages? – and The Register

FierceVoIP: VoIP Security and the Circle of Trust pointing to Government Computer News: Careful with the call

The Register: ‘Untraceable’ phone fraudsters eye your credit card

SearchUnifiedCommunications: Disaster and recovery in the VoIP/IPT RFP

Secure Computing: Voice tools under enemy fire

VNUnet: A good VoIP application is worth paying for

Ofcom confirms VoIP providers must provide access to 999 and 112

Bogdan Materna’s blog is live

Realtime Community: The Essentials Series:
Messaging and Web Security
Volume III

Global Knowledge: On-Demand Webinar on VoIP Security (hat tip to Thomas Lee )

SearchSecurity: The threats to telcos and how they can repel them

TMCnet: Balancing Issues in World of Telepresence

Network World: VoIP Security Buying Guide

Nortel and SecureLogix Team to Deliver Voice Security and Management Solutions to Worldwide Enterprise Market (see also this analysis )

Sipera Partner Network Arms Resellers With Comprehensive UC and VoIP Security

VIVOphone Deploys Paradial RealTunnel® to Solve NAT Traversal Challenges for VoIP Services

Audiocodes joins the ranks of SBC vendors

SearchSecurity: Securing the new network (interesting because it shows the layers of a defense in depth)

The Hindu Business News: Serious about Security

Shows:
- IP Telephony University – June 23-24, Alexandria, VA
- IPTComm 2008 – July 1-2, Heidelberg, Germany
- The Last H.O.P.E. – July 18-20, New York
- SpeechTek – August 18-20, New York
Call for papers for Hack-in-the-box Malaysia ends June 30th

SchmooCon 2008 videos available – several dealing with VoIP

No comments this week.
Review of the last week's traffic on the VOIPSEC public mailing list

Wrap-up of the show

47:09 - End of show

Comments, suggestions and feedback are welcome either as replies to this post or via e-mail to blueboxpodcast@gmail.com. Audio comments sent as attached MP3 files are definitely welcome and will be played in future shows. You may also call the listener comment line at either +1-415-830-5439 or via SIP to 'bluebox@voipuser.org' to leave a comment there.

Thank you for listening and please do let us know what you think of the show.

Blue Box #81: iSkoot vulnerability, OFCOM legislation, VoIP security news and more

Tue, 26 Aug 2008 16:16:43 +0000

Synopsis: Blue Box #80: VoIPShield vulnerabilities, what is ethical disclosure?, SIP trunking, VoIP security news, new nomadism, and much more...

Welcome to Blue Box: The VoIP Security Podcast #80, a 44-minute podcast from Dan York and Jonathan Zar covering VoIP security news, comments and opinions.

Download the show here (MP3, 19MB) or subscribe to the RSS feed to download the show automatically.

NOTE: This show was originally recorded on April 21, 2008.

You may also listen to this podcast right now:

Show Content:

00:20 - Intro to the show, contact information and how to provide comments. Welcome to all the new listeners - and to all those listeners who have been here for so long!
Programming notes:
- Note about the hiatus
Voice of VOIPSA: Are your Skype username and password completely exposed if you use iSkoot?
Voice of VOIPSA: Chronology
Voice of VOIPSA: iSkoot disclosure of Skype credentials resolved – new version by Wednesday
Ofcom confirms VoIP providers must provide access to 999 and 112 – and Hannes Tschofenig points to 4th Emergency Services Coordination Workshop and presentation about the UK
MarketingVOX: British Proposal May Force ISPs to Fork Over Online Activity, Emails, VOIP Calls pointing to Reuters article: Britain mulls plan to store all email and calls

Enterprise VoIP Planet: VoIP Security: SIP-Versatile but Vulnerable

IT Business Edge: Pay Attention to VoIP Security Before The Storm

NetworkWorld: Business Guide to VoIP Security

Pocket-lint: Fraudsters targeting VoIP Users based on report out of Newport Networks (reported in VoIP News) – also covered at Fierce VoIP: Newport Networks riles up VoIP Security Fears and Computeractive: Phreak-out over VoIP and TechHerald article

Network World: Security and management considerations when deploying OCS

LXer: Secure Calling Initiative Reaches Second Milestone pointing to Secure Calling Initiative

[H]Enthusiast: Mobile Phones, VoIP Not Secure, Experts Warn=

VoIP News: The Essential Guide to VoIP Privacy

Voice of VOIPSA: Information Week interviews SecureLogix about VoIP security

eWeek: VoIP Security through Responsible Software Development

Microsoft gives back door keys to Vista to police

Comment (blog) from Martyn Davies

Comment (email) from Detlef

Comment (email) from Dan McGinn-Combs

Review of the last week's traffic on the VOIPSEC public mailing list

Wrap-up of the show

41:43 - End of show

Thank you for listening and please do let us know what you think of the show.

Quick thoughts on using the iPhone 3G

Tue, 22 Jul 2008 05:36:00 +0000

So I got my iPhone 3G on Friday morning and have been using it for a few days now. I have never used one before, don't use an iPod or even a Mac computer. The iPhone was incredibily easy to use and without using and manuals quickly had a most everything working and downloaded a bunch of apps from the app store.

Over all, the iPhone just is really nice to use and in many ways very easy, polished and intuitive. In other ways, it is still missing some key features in my book:

Sort and filter email be date, sender, etc.
Select more than one mail at a time to delete, move, copy. Yes I know you can go to edit and select messages to work on, but you still have to select them one at a time. In Windows Mobile you can just run your finger over multiple messages to complete this.
Deleting duplicate contacts in bulk. Doing them one at a time is just painful
A task manager. I would like to see some list that shows me which apps are running, how many resources they are using, battery usage and stuff like that. Also to shut down running apps
Better calendar integration. I tried to click on and open calendar items, but just does not seem to work.
The battery sucks! I am not getting more than about 6 to 7 hours of battery time. I think I have to turn off the push for my Exchange email. This is much less that I was getting on my Windows Mobile phone.

I do like the phone, the iPod MP3 and camera and the overall "feel" of the phone. Went to the Apple store in the maill (which was jam packed) and bought a rubberized case, but was unable to get a phone car charger for it yet. I ordered one for 5 bucks on Amazon and will see it if works.

All in all, things are OK but I am going to withhold my final verdict for a while yet.

Quick thoughts on using the iPhone 3G

Tue, 22 Jul 2008 04:36:00 +0000

Over all, the iPhone just is really nice to use and in many ways very easy, polished and intuitive. In other ways, it is still missing some key features in my book:

Sort and filter email be date, sender, etc.
Select more than one mail at a time to delete, move, copy. Yes I know you can go to edit and select messages to work on, but you still have to select them one at a time. In Windows Mobile you can just run your finger over multiple messages to complete this.
Deleting duplicate contacts in bulk. Doing them one at a time is just painful
A task manager. I would like to see some list that shows me which apps are running, how many resources they are using, battery usage and stuff like that. Also to shut down running apps
Better calendar integration. I tried to click on and open calendar items, but just does not seem to work.
The battery sucks! I am not getting more than about 6 to 7 hours of battery time. I think I have to turn off the push for my Exchange email. This is much less that I was getting on my Windows Mobile phone.

All in all, things are OK but I am going to withhold my final verdict for a while yet.

Blue Box #80: VoIPShield vulnerabilities, what is ethical disclosure?, SIP trunking, VoIP security news, new nomadism, and much more...

Tue, 15 Jul 2008 13:20:45 +0000

Synopsis: Blue Box #80: VoIPShield vulnerabilities, what is ethical disclosure?, SIP trunking, VoIP security news, new nomadism, and much more...

Welcome to Blue Box: The VoIP Security Podcast #80, a 44-minute podcast from Dan York and Jonathan Zar covering VoIP security news, comments and opinions.

Download the show here (MP3, 20MB) or subscribe to the RSS feed to download the show automatically.

NOTE: This show was originally recorded on April 17, 2008.

You may also listen to this podcast right now:

Show Content:

00:20 - Intro to the show, contact information and how to provide comments. Welcome to all the new listeners - and to all those listeners who have been here for so long!

MANY thanks for all the offers of audio production assistance – getting it organized now

Ingate SIP Trunking webinar now available (and a note about participating in things like this)

VOIPSA blog site hacked

Voice of VOIPSA: Quarterly VoIP Vulnerabilities Summary

VoIPshield list of vulnerabilities

Cisco Advisory

Cisco Advisory about Disaster Recovery Framework

Voice of VOIPSA: VoIPshield announces discovery of over 100 vulnerabilities along with a YouTube video

Washington Post: Reach Out And Hack Someone

Voice of VOIPSA: GNUcitizen research discovery: Default key algorithm in Thomson and BT Home Hub routers

VoIP News: The Essential Guide to VoIP Security

Information Week: Securing VoIP with SecureLogix – includes YouTube video with Mark Collier

Voice of VOIPSA: VoIP and the International Space Station

Voice of VOIPSA: Xplico Network Forensic Analysis Tool

Voice of VOIPSA: Australians falling victim to foreign phone hackers

VoIP News Australia: How ACMA Plans to Regulate VoIP

Network World: Government agencies rejecting VoIP?

Linux Professional Institute to develop enterprise-level security exam

Net neutrality and Bell Canada

ZDNet: Attacks escalate on critical U.S. government networks: Will a Manhattan Project work?

Google XSS Attack (interesting as it shows the complexity of such attacks)

The Economist: Special Report: The New Nomadism

VoiceBiometrics – May 14-15, New York

IP Telephony University – June 23-24, Alexandria, VA

Review of the last week's traffic on the VOIPSEC public mailing list

Wrap-up of the show

44:22 - End of show

Thank you for listening and please do let us know what you think of the show.

Blue Box #80: VoIPShield vulnerabilities, what is ethical disclosure?, SIP trunking, VoIP security news, new nomadism, and much more...

Tue, 15 Jul 2008 12:22:35 +0000

Synopsis: Blue Box #80: VoIPShield vulnerabilities, what is ethical disclosure?, SIP trunking, VoIP security news, new nomadism, and much more...

Welcome to Blue Box: The VoIP Security Podcast #80, a 44-minute podcast from Dan York and Jonathan Zar covering VoIP security news, comments and opinions.

Download the show here (MP3, 20MB) or subscribe to the RSS feed to download the show automatically.

NOTE: This show was originally recorded on April 17, 2008.

You may also listen to this podcast right now:

Show Content:

00:20 - Intro to the show, contact information and how to provide comments. Welcome to all the new listeners - and to all those listeners who have been here for so long!

MANY thanks for all the offers of audio production assistance – getting it organized now

Ingate SIP Trunking webinar now available (and a note about participating in things like this)

VOIPSA blog site hacked

Voice of VOIPSA: Quarterly VoIP Vulnerabilities Summary

VoIPshield list of vulnerabilities

Cisco Advisory

Cisco Advisory about Disaster Recovery Framework

Voice of VOIPSA: VoIPshield announces discovery of over 100 vulnerabilities along with a YouTube video

Washington Post: Reach Out And Hack Someone

Voice of VOIPSA: GNUcitizen research discovery: Default key algorithm in Thomson and BT Home Hub routers

VoIP News: The Essential Guide to VoIP Security

Information Week: Securing VoIP with SecureLogix – includes YouTube video with Mark Collier

Voice of VOIPSA: VoIP and the International Space Station

Voice of VOIPSA: Xplico Network Forensic Analysis Tool

Voice of VOIPSA: Australians falling victim to foreign phone hackers

VoIP News Australia: How ACMA Plans to Regulate VoIP

Network World: Government agencies rejecting VoIP?

Linux Professional Institute to develop enterprise-level security exam

Net neutrality and Bell Canada

ZDNet: Attacks escalate on critical U.S. government networks: Will a Manhattan Project work?

Google XSS Attack (interesting as it shows the complexity of such attacks)

The Economist: Special Report: The New Nomadism

VoiceBiometrics – May 14-15, New York

IP Telephony University – June 23-24, Alexandria, VA

Review of the last week's traffic on the VOIPSEC public mailing list

Wrap-up of the show

44:22 - End of show

Thank you for listening and please do let us know what you think of the show.

The Angry Spamtool...

Tue, 01 Jul 2008 15:29:27 +0000

Here's a spamming program that targets Xfire users, with a particularly distasteful name. If you're under 16, you'll probably find the name incredibly lulzy (or whatever it is that kids under 16 are saying at the moment). Open up the zip the program comes in, and you'll see that it's called...er...

...yeah, charming. Note that it also comes bundled with a solitary MP3, presumably to rock out to over and over again while you get your fill of spamming chatboxes for a small portion of eternity.

Here's the application in action - there seems to be an abundance of angry, red shouty faces with this one, doesn't there?

Click to Enlarge

Hit the "Bomb Em" button, and the program rather helpfully asks you how many times you want to nuke your victim. For no real reason, I went for a comic reference and selected 52:

But wait! One more charming popup box awaits:

Click to Enlarge

.....anyone think the creator needs anger management classes yet?

StillSecure, After all these years, #55 - JJ in the house

Fri, 20 Jun 2008 06:01:37 +0000

Episode 55 of SSAATY is a fun one. Mitchell and I are joined by JJ, Jenifer Jabbusch of Security Uncorked blog. JJ is someone I have gotten to know over the last year or so and she is a lot of fun. On top of that she is very technical and huge supporter of 802.1x, NAC and security in general.

JJ, Mitchell and I talk abour Rohati, NAC, 802.1x and a bunch of other stuff in our usal rambling, stream of consciousness style. It is about 40 minutes of informative good times.

If you like the content of these shows or have any other comments or questions, please drop us a line at podcast@stillsecure.com

Thanks to ClickCaster for hosting our podcast. Tonights music is the usual, To the Summit by Jon Schmidt. You can hear more from Jon at http://www.jonschmidt.com. Music transitions between segments are by our own Mitchell Ashley!

Or download here:

mp3

StillSecure, After all these years, #55 - JJ in the house

Fri, 20 Jun 2008 05:02:02 +0000

JJ, Mitchell and I talk abour Rohati, NAC, 802.1x and a bunch of other stuff in our usal rambling, stream of consciousness style. It is about 40 minutes of informative good times.

If you like the content of these shows or have any other comments or questions, please drop us a line at podcast@stillsecure.com

Or download here:

mp3

Blue Box SE#025 - An interview with Eric Hernaez about Solegy and the OpenSBC Project

Tue, 10 Jun 2008 18:53:28 +0000

Synopsis: Blue Box Special Edition #25: An interview with Eric Hernaez, CEO of Solegy, about the OpenSBC project

Welcome to Blue Box: The VoIP Security Podcast Special Edition #25, a 13-minute podcast from Dan York and Jonathan Zar covering VoIP security news, comments and opinions.

Download the show here (MP3, 6MB) or subscribe to the RSS feed to download the show automatically.

You may also listen to this podcast right now:

Show Content:

In this interview, I sat down with Eric Hernaez, CEO of Solegy, to talk about the OpenSBC Project and how it provides an open source implementation of a session border controller (SBC). We talked about how OpenSBC came about, who is using it, how scalable it is and where users can learn more. We also discussed Solegy, the company supporting the open source OpenSBC project and what they are doing. It was an enjoyable talk that really came about randomly when I met Eric near the press room at IT Expo in Los Angeles back in September 2007. We had been wanting to learn more about the OpenSBC project so I put my recorder on a table and we started talking.

More information about the OpenSBC project and other open source SIP-related projects can be found at opensourcesip.org.

Production assistance on this Special Edition was provided by Sergio Meinardi.

Thank you for listening and please do let us know what you think of the show.