Synopsis:  Blue Box #82: Asterisk & Skype security vulnerabilities, new VoIP security tools, VoIP steganography, VoIP security news and much, much more...

Welcome to Blue Box: The VoIP Security Podcast #82, a 47-minute podcast  from Dan York and Jonathan Zar covering VoIP security news, comments and opinions.   

Download the show here (MP3, 21MB) or subscribe to the RSS feed to download the show automatically. 

NOTE: This show was originally recorded on June 21, 2008.

You may also listen to this podcast right now:

Show Content:

• 00:20 - Intro to the show, contact information and how to provide comments.  Welcome to all the new listeners - and to all those listeners who have been here for so long!
• Programming notes:
  • Note about the production team – new special editions coming soon.
  • Note about URLs for the media files
• AST-2008-008 – Remote Crash Vulnerability in SIP channel driver when run in pedantic mode
• AST-2008-009 – Remote crash vulnerability in ooh323 channel driver
• Skype-SB-2008-003 – Skype File URI Security Bypass Code Execution Vulnerability
• New version of SIPvicious


• Sipflanker – tool to find SIP devices with web GUIs




• Discussion about VoIP Steganography (pointed to by Craig Bowser)


• Geeks Are Sexy: New Technology Hides Messages in Internet Phone Calls – and Switched: Spies to Use Skype to Send Secret Messages? – and The Register


• FierceVoIP: VoIP Security and the Circle of Trust pointing to Government Computer News: Careful with the call



• The Register: ‘Untraceable’ phone fraudsters eye your credit card



• SearchUnifiedCommunications: Disaster and recovery in the VoIP/IPT RFP



• Secure Computing: Voice tools under enemy fire



• VNUnet: A good VoIP application is worth paying for



• Ofcom confirms VoIP providers must provide access to 999 and 112



• Bogdan Materna’s blog is live
• Realtime Community: The Essentials Series:
  Messaging and Web Security
  Volume III


• Global Knowledge: On-Demand Webinar on VoIP Security (hat tip to Thomas Lee )


• SearchSecurity: The threats to telcos and how they can repel them


• TMCnet: Balancing Issues in World of Telepresence


• Network World: VoIP Security Buying Guide
• Nortel and SecureLogix Team to Deliver Voice Security and Management Solutions to Worldwide Enterprise Market (see also this analysis )


• Sipera Partner Network Arms Resellers With Comprehensive UC and VoIP Security


• VIVOphone Deploys Paradial RealTunnel?? to Solve NAT Traversal Challenges for VoIP Services


• Audiocodes joins the ranks of SBC vendors


• SearchSecurity: Securing the new network (interesting because it shows the layers of a defense in depth)


• The Hindu Business News: Serious about Security


• Shows:
  
  
  
  • IP Telephony University – June 23-24, Alexandria, VA
  
  
  • IPTComm 2008 – July 1-2, Heidelberg, Germany
  
  
  • The Last H.O.P.E. – July 18-20, New York
  
  
  • SpeechTek – August 18-20, New York
  
  
  
  
• Call for papers for Hack-in-the-box Malaysia ends June 30th



• SchmooCon 2008 videos available – several dealing with VoIP
• No comments this week.
  
• Review of the last week's traffic on the VOIPSEC public mailing list 


• Wrap-up of the show


• 47:09 - End of show 

Comments, suggestions and feedback are welcome either as replies to this post  or via e-mail to blueboxpodcast@gmail.com.  Audio comments sent as attached MP3 files are definitely welcome and will be played in future shows.  You may also call the listener comment line at either +1-415-830-5439 or via SIP to 'bluebox@voipuser.org' to leave a comment there. 

Thank you for listening and please do let us know what you think of the show.

]]> Wed, 27 Aug 2008 16:53:17 +0000 voip security voip security news voip voip security tools voip steganography voip services security skype security vulnerabilities voip security podcast Blue Box #82: Asterisk & Skype security vulnerabilities, new VoIP security tools, VoIP steganography, VoIP security news and much, much more... http://securityratty.com/article/48c1a58b9d39348008877ad191ffcfea http://securityratty.com/article/48c1a58b9d39348008877ad191ffcfea

Synopsis:  Blue Box #82: Asterisk & Skype security vulnerabilities, new VoIP security tools, VoIP steganography, VoIP security news and much, much more...

---

Welcome to Blue Box: The VoIP Security Podcast #82, a 47-minute podcast  from Dan York and Jonathan Zar covering VoIP security news, comments and opinions.   

Download the show here (MP3, 21MB) or subscribe to the RSS feed to download the show automatically. 

NOTE: This show was originally recorded on June 21, 2008.

You may also listen to this podcast right now:

Show Content:

• 00:20 - Intro to the show, contact information and how to provide comments.  Welcome to all the new listeners - and to all those listeners who have been here for so long!
• Programming notes:
  • Note about the production team – new special editions coming soon.
  • Note about URLs for the media files
• AST-2008-008 – Remote Crash Vulnerability in SIP channel driver when run in pedantic mode
• AST-2008-009 – Remote crash vulnerability in ooh323 channel driver
• Skype-SB-2008-003 – Skype File URI Security Bypass Code Execution Vulnerability
• New version of SIPvicious


• Sipflanker – tool to find SIP devices with web GUIs




• Discussion about VoIP Steganography (pointed to by Craig Bowser)


• Geeks Are Sexy: New Technology Hides Messages in Internet Phone Calls – and Switched: Spies to Use Skype to Send Secret Messages? – and The Register


• FierceVoIP: VoIP Security and the Circle of Trust pointing to Government Computer News: Careful with the call



• The Register: ‘Untraceable’ phone fraudsters eye your credit card



• SearchUnifiedCommunications: Disaster and recovery in the VoIP/IPT RFP



• Secure Computing: Voice tools under enemy fire



• VNUnet: A good VoIP application is worth paying for



• Ofcom confirms VoIP providers must provide access to 999 and 112



• Bogdan Materna’s blog is live
• Realtime Community: The Essentials Series:
  Messaging and Web Security
  Volume III


• Global Knowledge: On-Demand Webinar on VoIP Security (hat tip to Thomas Lee )


• SearchSecurity: The threats to telcos and how they can repel them


• TMCnet: Balancing Issues in World of Telepresence


• Network World: VoIP Security Buying Guide
• Nortel and SecureLogix Team to Deliver Voice Security and Management Solutions to Worldwide Enterprise Market (see also this analysis )


• Sipera Partner Network Arms Resellers With Comprehensive UC and VoIP Security


• VIVOphone Deploys Paradial RealTunnel® to Solve NAT Traversal Challenges for VoIP Services


• Audiocodes joins the ranks of SBC vendors


• SearchSecurity: Securing the new network (interesting because it shows the layers of a defense in depth)


• The Hindu Business News: Serious about Security


• Shows:
  
  
  
  • IP Telephony University – June 23-24, Alexandria, VA
  
  
  • IPTComm 2008 – July 1-2, Heidelberg, Germany
  
  
  • The Last H.O.P.E. – July 18-20, New York
  
  
  • SpeechTek – August 18-20, New York
  
  
  
  
• Call for papers for Hack-in-the-box Malaysia ends June 30th



• SchmooCon 2008 videos available – several dealing with VoIP
• No comments this week.
  
• Review of the last week's traffic on the VOIPSEC public mailing list 


• Wrap-up of the show


• 47:09 - End of show 

Comments, suggestions and feedback are welcome either as replies to this post  or via e-mail to blueboxpodcast@gmail.com.  Audio comments sent as attached MP3 files are definitely welcome and will be played in future shows.  You may also call the listener comment line at either +1-415-830-5439 or via SIP to 'bluebox@voipuser.org' to leave a comment there. 

Thank you for listening and please do let us know what you think of the show.




]]> Wed, 27 Aug 2008 15:53:18 +0000 voip security voip security news voip voip security tools voip steganography voip services security skype security vulnerabilities voip security podcast Blue Box #82: Asterisk & Skype security vulnerabilities, new VoIP security tools, VoIP steganography, VoIP security news and much, much more... http://securityratty.com/article/d6159c811142ec79b33df332f183115d http://securityratty.com/article/d6159c811142ec79b33df332f183115d Tue, 26 Aug 2008 20:00:00 +0000 usb drive remote nortel hopes link stick information tackle office session Nortel uses USB drive to secure remote work http://securityratty.com/article/326ad9fa86f8b197526c63bb8e1ba4e2 http://securityratty.com/article/326ad9fa86f8b197526c63bb8e1ba4e2 Thu, 31 Jul 2008 20:00:00 +0000 news bad news enterprise business network infrastructure nortel quarter company supply Nortel wins Olympic gold, but reports Q2 loss http://securityratty.com/article/da6b0b3ea9868c8cef5c92bbfb027515 http://securityratty.com/article/da6b0b3ea9868c8cef5c92bbfb027515

By now you have probably heard that Brocade is making a big push from storage networking switches into Ethernet switches by buying Foundry Networks for almost 3 billion in cash.  Actually the deal is valued at about 2.8 billion.  However, Foundry has about 800 million or so in cash and liquid assets.  So taking that into account, the deal is for about 2 billion really, according to the San Jose Mercury News. Still that is quite a number when you consider that $18.50 of the $19.25 price per share is in cash.  That works out to about 2.7 billion.  Considering Brocade only had about 700 to 800 million in cash itself, that means someone is lending them about a billion and half.  Again according the Mercury News, it is Bank of America and Morgan Stanley. This is a 41% premium over Foundry's closing price.  Pretty sweet!

The real question is what does Brocade do with this.  With all of that debt, do they have what it takes to go on and take on Cisco now?  The highways and byways of Silicon Valley are littered with companies that have tried to take Cisco out of this market.  What about the 7 dwarfs who currently compete in this market.  Companies like HP ProCurve, Extreme Networks, Nortel, Enterasys, Alcatel-Lucent and Force 10 are not small little companies. These are companies with 100's of millions, if not billions of dollars of market cap themselves.  They are not going to roll over and die here. Will this set off a round of consolidation for these players to bulk up in order to compete in this brave new world of networking? I think so. What about next gen secure switches like ConSentry, Nevis and Napera? Or some of the other smaller switch vendors like D-link?  Do they view this a a good opportunity to get bought by one of the giants or do they think they can run through the legs of these giants?  I don't know but it is going to be a high barrier of entry into this market.

Ultimately though I don't think Cisco will lose its place of dominance very easily. Brocade will be another competitor among the other switch vendors fighting over 25% of the market. But it sure will be interesting in the switch market for a while.

Related articles by Zemanta
• Brocade swinging for the fences with switching
• Brocade to Acquire Foundry for $3 Billion
• Brocade to acquire Foundry Networks
• Brocade Buying Foundry for $3 Billion

]]> Mon, 21 Jul 2008 20:03:53 +0000 foundry foundry networks acquire foundry networks acquire foundry brocade billion market switch market market cap Foundry Networks - Brocade's 3 billion dollar baby http://securityratty.com/article/43c764744c98d93d29fa47b5a823b26f http://securityratty.com/article/43c764744c98d93d29fa47b5a823b26f

By now you have probably heard that Brocade is making a big push from storage networking switches into Ethernet switches by buying Foundry Networks for almost 3 billion in cash.  Actually the deal is valued at about 2.8 billion.  However, Foundry has about 800 million or so in cash and liquid assets.  So taking that into account, the deal is for about 2 billion really, according to the San Jose Mercury News. Still that is quite a number when you consider that $18.50 of the $19.25 price per share is in cash.  That works out to about 2.7 billion.  Considering Brocade only had about 700 to 800 million in cash itself, that means someone is lending them about a billion and half.  Again according the Mercury News, it is Bank of America and Morgan Stanley. This is a 41% premium over Foundry's closing price.  Pretty sweet!

The real question is what does Brocade do with this.  With all of that debt, do they have what it takes to go on and take on Cisco now?  The highways and byways of Silicon Valley are littered with companies that have tried to take Cisco out of this market.  What about the 7 dwarfs who currently compete in this market.  Companies like HP ProCurve, Extreme Networks, Nortel, Enterasys, Alcatel-Lucent and Force 10 are not small little companies. These are companies with 100's of millions, if not billions of dollars of market cap themselves.  They are not going to roll over and die here. Will this set off a round of consolidation for these players to bulk up in order to compete in this brave new world of networking? I think so. What about next gen secure switches like ConSentry, Nevis and Napera? Or some of the other smaller switch vendors like D-link?  Do they view this a a good opportunity to get bought by one of the giants or do they think they can run through the legs of these giants?  I don't know but it is going to be a high barrier of entry into this market.

Ultimately though I don't think Cisco will lose its place of dominance very easily. Brocade will be another competitor among the other switch vendors fighting over 25% of the market. But it sure will be interesting in the switch market for a while.

Related articles by Zemanta
• Brocade swinging for the fences with switching
• Brocade to Acquire Foundry for $3 Billion
• Brocade to acquire Foundry Networks
• Brocade Buying Foundry for $3 Billion





]]> Mon, 21 Jul 2008 19:04:10 +0000 foundry foundry networks acquire foundry networks acquire foundry brocade billion market switch market market cap Foundry Networks - Brocade's 3 billion dollar baby http://securityratty.com/article/4b72816b4ab5098febf61ab4b095ad5f http://securityratty.com/article/4b72816b4ab5098febf61ab4b095ad5f
]]> Wed, 25 Jun 2008 09:00:00 +0000 affect voice servers voip pbxes softphone software issues laptops runs patches desktops Avaya, Cisco and Nortel face VoIP vulnerabilities http://securityratty.com/article/2cc3c6ac52f74a78ad04c52b9fb0cb82 http://securityratty.com/article/2cc3c6ac52f74a78ad04c52b9fb0cb82

Read an interesting article by Sean Michael Kerner today in eSecurityplanet.com.  Sean talks about the fact that both Juniper and Nortel are both OEM'ing the Q1's Radar product to help them compete against Cisco's MARS solution.  Of course Juniper and Nortel compete against each other and the logical question is how can they compete against each other with both offering an OEM of the same product.  I thought the answer by both the Juniper and Nortel folks were great and shows the strength of an OEM strategy, much like we have pursued here at StillSecure. 

Sean says that technology vendors who need to fill a need in their product line can build, buy or partner to fill that need.  It is right on.  But as Sanjay Kapoor at Juniper points out, Juniper takes the Q1 product as a starting point and builds functionality on top of that.  Nortel's Shmulik Nehama makes another point about competitors OEM'ng the same product when he says, "... this validates our choice of technology and choice of partner".  A great point.  If one of your competitors have vetted the solution and picked it over the competition, there is probably a good reason they did so. If your own analysis shows that this solution is superior, you should not "settle" for second best because a competitor is using it as well.  I think you look at how you can add value over and above the base solution.  If you are going to compete with Cisco, you are going to need the best product you can have.  Not choosing the best product because someone else has is just not a smart move! 

At StillSecure we have OEM partners in the same situation and they have arrived at the same conclusion.  Of course we have had some folks who did not OEM our solutions because of this, but at the end of the day, they wind up with a solution that is at best second rate.  Moral of the story, pick the best product you can.

]]> Tue, 11 Mar 2008 08:17:25 +0000 competitors oem oem product nortel folks radar product nortel product line nortel compete oem strategy Competitors OEM'ing the same product http://securityratty.com/article/91cbb614cbc44e03d26c3ec95aed5395 http://securityratty.com/article/91cbb614cbc44e03d26c3ec95aed5395

Read an interesting article by Sean Michael Kerner today in eSecurityplanet.com.  Sean talks about the fact that both Juniper and Nortel are both OEM'ing the Q1's Radar product to help them compete against Cisco's MARS solution.  Of course Juniper and Nortel compete against each other and the logical question is how can they compete against each other with both offering an OEM of the same product.  I thought the answer by both the Juniper and Nortel folks were great and shows the strength of an OEM strategy, much like we have pursued here at StillSecure. 

Sean says that technology vendors who need to fill a need in their product line can build, buy or partner to fill that need.  It is right on.  But as Sanjay Kapoor at Juniper points out, Juniper takes the Q1 product as a starting point and builds functionality on top of that.  Nortel's Shmulik Nehama makes another point about competitors OEM'ng the same product when he says, "... this validates our choice of technology and choice of partner".  A great point.  If one of your competitors have vetted the solution and picked it over the competition, there is probably a good reason they did so. If your own analysis shows that this solution is superior, you should not "settle" for second best because a competitor is using it as well.  I think you look at how you can add value over and above the base solution.  If you are going to compete with Cisco, you are going to need the best product you can have.  Not choosing the best product because someone else has is just not a smart move! 

At StillSecure we have OEM partners in the same situation and they have arrived at the same conclusion.  Of course we have had some folks who did not OEM our solutions because of this, but at the end of the day, they wind up with a solution that is at best second rate.  Moral of the story, pick the best product you can.




]]> Tue, 11 Mar 2008 07:17:25 +0000 competitors oem oem product nortel folks radar product nortel product line nortel compete oem strategy Competitors OEM'ing the same product