Synopsis:  Blue Box #81: iSkoot vulnerability, OFCOM legislation, VoIP security news and more

Welcome to Blue Box: The VoIP Security Podcast #81, a 42-minute podcast  from Dan York and Jonathan Zar covering VoIP security news, comments and opinions.   

Download the show here (MP3, 19MB) or subscribe to the RSS feed to download the show automatically. 

NOTE: This show was originally recorded on May 21, 2008.

You may also listen to this podcast right now:

Show Content:

• 00:20 - Intro to the show, contact information and how to provide comments.  Welcome to all the new listeners - and to all those listeners who have been here for so long!
• Programming notes:
  • Note about the hiatus
• Voice of VOIPSA: Are your Skype username and password completely exposed if you use iSkoot?
• Voice of VOIPSA: Chronology
• Voice of VOIPSA: iSkoot disclosure of Skype credentials resolved – new version by Wednesday
• Ofcom confirms VoIP providers must provide access to 999 and 112 – and Hannes Tschofenig points to 4th Emergency Services Coordination Workshop and presentation about the UK
• MarketingVOX: British Proposal May Force ISPs to Fork Over Online Activity, Emails, VOIP Calls pointing to Reuters article: Britain mulls plan to store all email and calls
• Enterprise VoIP Planet: VoIP Security: SIP-Versatile but Vulnerable


• IT Business Edge: Pay Attention to VoIP Security Before The Storm
• NetworkWorld: Business Guide to VoIP Security


• Pocket-lint: Fraudsters targeting VoIP Users based on report out of Newport Networks (reported in VoIP News) – also covered at Fierce VoIP: Newport Networks riles up VoIP Security Fears and Computeractive: Phreak-out over VoIP and TechHerald article


• Network World: Security and management considerations when deploying OCS


• LXer: Secure Calling Initiative Reaches Second Milestone pointing to Secure Calling Initiative



• [H]Enthusiast: Mobile Phones, VoIP Not Secure, Experts Warn=



• VoIP News: The Essential Guide to VoIP Privacy



• Voice of VOIPSA: Information Week interviews SecureLogix about VoIP security


• eWeek: VoIP Security through Responsible Software Development


• Microsoft gives back door keys to Vista to police


• Comment (blog) from Martyn Davies


• Comment (email) from Detlef


• Comment (email) from Dan McGinn-Combs


• Review of the last week's traffic on the VOIPSEC public mailing list 


• Wrap-up of the show


• 41:43 - End of show 

Comments, suggestions and feedback are welcome either as replies to this post  or via e-mail to blueboxpodcast@gmail.com.  Audio comments sent as attached MP3 files are definitely welcome and will be played in future shows.  You may also call the listener comment line at either +1-415-830-5439 or via SIP to 'bluebox@voipuser.org' to leave a comment there. 

Thank you for listening and please do let us know what you think of the show.

Synopsis:  Blue Box #80: VoIPShield vulnerabilities, what is ethical disclosure?, SIP trunking, VoIP security news, new nomadism, and much more...

Welcome to Blue Box: The VoIP Security Podcast #80, a 44-minute podcast  from Dan York and Jonathan Zar covering VoIP security news, comments and opinions.   

Download the show here (MP3, 19MB) or subscribe to the RSS feed to download the show automatically. 

NOTE: This show was originally recorded on April 21, 2008.

You may also listen to this podcast right now:

Show Content:

• 00:20 - Intro to the show, contact information and how to provide comments.  Welcome to all the new listeners - and to all those listeners who have been here for so long!
• Programming notes:
  • Note about the hiatus
• Voice of VOIPSA: Are your Skype username and password completely exposed if you use iSkoot?
• Voice of VOIPSA: Chronology
• Voice of VOIPSA: iSkoot disclosure of Skype credentials resolved – new version by Wednesday
• Ofcom confirms VoIP providers must provide access to 999 and 112 – and Hannes Tschofenig points to 4th Emergency Services Coordination Workshop and presentation about the UK
• MarketingVOX: British Proposal May Force ISPs to Fork Over Online Activity, Emails, VOIP Calls pointing to Reuters article: Britain mulls plan to store all email and calls
• Enterprise VoIP Planet: VoIP Security: SIP-Versatile but Vulnerable


• IT Business Edge: Pay Attention to VoIP Security Before The Storm
• NetworkWorld: Business Guide to VoIP Security


• Pocket-lint: Fraudsters targeting VoIP Users based on report out of Newport Networks (reported in VoIP News) – also covered at Fierce VoIP: Newport Networks riles up VoIP Security Fears and Computeractive: Phreak-out over VoIP and TechHerald article


• Network World: Security and management considerations when deploying OCS


• LXer: Secure Calling Initiative Reaches Second Milestone pointing to Secure Calling Initiative



• [H]Enthusiast: Mobile Phones, VoIP Not Secure, Experts Warn=



• VoIP News: The Essential Guide to VoIP Privacy



• Voice of VOIPSA: Information Week interviews SecureLogix about VoIP security


• eWeek: VoIP Security through Responsible Software Development


• Microsoft gives back door keys to Vista to police


• Comment (blog) from Martyn Davies


• Comment (email) from Detlef


• Comment (email) from Dan McGinn-Combs


• Review of the last week's traffic on the VOIPSEC public mailing list 


• Wrap-up of the show


• 41:43 - End of show 

Comments, suggestions and feedback are welcome either as replies to this post  or via e-mail to blueboxpodcast@gmail.com.  Audio comments sent as attached MP3 files are definitely welcome and will be played in future shows.  You may also call the listener comment line at either +1-415-830-5439 or via SIP to 'bluebox@voipuser.org' to leave a comment there. 

Thank you for listening and please do let us know what you think of the show.

Faith in the (UK) gov’s ability to securely manage personal data is out the window.

From Reuters:

The inquiries followed Britain’s biggest data loss scandal, when two discs containing child benefit records, including names, addresses and bank details, of some 25 million people, went missing after being put in the post by a junior employee.

The reports concluded that it wasn’t individuals who were to blame - some 30 were officials played some role in events leading to the loss of the discs - but institutional and systematic failures at Britain’s tax authority.

But the HMRC is not alone in such security breaches. A separate report into a stolen laptop containing the details of 600,000 potential recruits revealed similar failings at the Ministry of Defence. In all, four MoD computers had been stolen since 2004 and the report said the MoD was probably in breach of several principles set out in the Data Protection Act.

Well, where do you stand? Do you trust your respective government not to punt on data security?

Read on.

Article Link

Well, imagine that. I received this email at 9:31 am yesterday from the marketing folks at Infosecurity Canada.

Sorry Dave…I will make arrangements for a badge to be ready for pick up at pre-registration.

Um, yeah see I was on the other side of the city. At least Myrcurial is on the ground. Maybe he’ll grace us with an update.

Click here to subscribe to Liquidmatrix Security Digest!.

And now, the news…

1. Banks slip through virus loophole | The Guardian UK
2. Danish filter catches Romanian child-porn sites | Computer World
3. City officials confident information is secure (This is funny. They’re claiming 15 char password is secure. Sigh)| Belleville Intelligencer
4. Sophos assists Computer Crime Unit in bringing botnet master to justice | Sophos Press
5. U.S. warns on Olympics computer security | UPI
6. Lawmakers accuse China of hacking computers | Reuters
7. China denies hacking into US computers | Associated Press
8. Customer fears grow after mass hacking of retail website | Customer Strategy
9. Online medical records offer convenience, may limit privacy | USA Today

Tags: News, Daily Links, Security Blog, Information Security, Security News

The statement from Starbucks reads: "T-Mobile, AT&T and Starbucks have entered into a memorandum of understanding to resolve their disputes and are committed to providing a high quality WiFi experience for customers, including Starbucks Rewards Customers, at Starbucks locations nationwide."

My interpretation is Starbucks said, oops, our bad, and they're figuring out the dollars and cents. Sometimes companies move too rapidly. T-Mobile is a quasi-jilted suitor, although they get something out of AT&T transition, too, so they're not likely to cut any slack.

Reuters confirms that AT&T confirms the statement. I separately confirmed with T-Mobile that the statement is accurate as well.

The lawsuit, which I've read, says that T-Mobile never agreed to nor was compensated for providing free service in stores. A link to AT&T's network in all markets except San Antonio, Tex., and Bakersfield, Calif., is handled on the backend entirely by T-Mobile. The suit notes, "If AT&T or Starbucks wanted to offer 'free' Wi-Fi in non-transitioned stores for Starbucks customers, as they are now doing, they should have--and, indeed, were contractually required to--negotiate such an arrangement with T-Mobile."

The crux is that while T-Mobile did agree to provide free roaming to AT&T subscribers, as defined in a bilateral roaming agreement the two firms signed, T-Mobile states the agreement doesn't allow other parties to roam for free. (That's most likely why we haven't seen AT&T's roaming partners, like Boingo and iPass, appear in the login menu, too.)

Representatives of Starbucks immediately available on a Friday night. A Reuters report quotes a Starbucks spokesperson who doesn't comment directly on the suit.

An AT&T spokesperson said via email that the company doesn't comment on other companies' lawsuits. AT&T is not a party to the suit, although it is mentioned throughout.

The lawsuit provides quite a bit of previously private detail about the transition agreement. T-Mobile says that the transition contract signed by all three parties, T-Mobile still had responsibility for and ownership of a market until all equipment in all stores in a defined market belong to AT&T. The agreement also called for exclusive roaming only for each party's existing subscribers in markets that were converted or still under T-Mobile's control until 4-Jan-2009.

T-Mobile states in the suit that they didn't learn of the planned launch of the free Wi-Fi service until 30-May-2008.

T-Mobile wants money, release from current obligations, and other damages. I expect that things have gone quite far for them to file a suit.

"We hope to come to an amicable solution, and sometimes you do have to file a complaint in order to make that happen," T-Mobile's Dobrow said. "It's easy to give something away for free if it's not yours."

Working form the home office this morning. The best kind of commute. Now, back to my research.

Click here to subscribe to Liquidmatrix Security Digest!

And now, the news…

1. Google to allow third party code in Gmail? | Builder AU
2. Skype patches security policy bypassing vulnerability | ZDNet
3. Experts warn of security-dodging Trojans | vnunet
4. Microsoft Patch Tuesday promises seven fixes | The Register
5. 6 burning questions about network security | Network World
6. ArcSight and VeriSign Enterprise Security Services Launch Global Business Relationship | Compliance Home
7. EU gives mixed response to new U.S. travel laws | Reuters
8. Conroy launches service to warn of e-crimes | Australian IT
9. Are you a computer security professional? | InfoWorld

Tags: News, Daily Links, Security Blog, Information Security, Security News

This is reminiscent of another recent story in which an Apple Store employee was able to use Mac OS X 10.5 Leopard's Back to My Mac remote access software to connect to a laptop that was stolen from her apartment to grab images and screenshots of the two men alleged to have taken the laptop and other gear.