[SecurityRatty] tag: sip

Blue Box SE#026 - Astricon 2007 presentation on VoIP security and Asterisk

Wed, 03 Sep 2008 15:54:03 +0000

Synopsis: Blue Box Special Edition #26: Astricon 2007 presentation - "Hacking and Attacking VoIP Systems: What you need to worry about"

Welcome to Blue Box: The VoIP Security Podcast Special Edition #26, a 55-minute podcast from Dan York and Jonathan Zar covering VoIP security news, comments and opinions.

Download the show here (MP3, 6MB) or subscribe to the RSS feed to download the show automatically.

You may also listen to this podcast right now:

Show Content:

A year ago in September 2007, I (Dan York) spoke at Astricon 2007 in Arizona, USA, about "Hacking and Attacking VoIP Systems: What You Need To Worry About" My presentation covered a lot of the typical VoIP security threats, tools and best practices but also expanded a bit into specific security issues with Asterisk. Please do keep in mind that it has been a year since this presentation and so some of the issues I mention have been addressed. (Astricon, for those who don't know, is an annual developer conference for those who work with the Asterisk open source telephony platform. Astricon 2008 is, in fact, coming up in about 3 weeks but I will not be attending this year.)

The slides for this talk are available from Slideshare:

Hacking and Attacking VoIP Systems - What You Need To Know

View SlideShare presentation or Upload your own. (tags: voip voipsecurity)

(And yes, at some point I'll sync the audio with the slides.)

Production assistance on this Special Edition was provided by Michael Graves who had a very tough task given the poor quality of the recording that I gave to him! Kudos to Michael for getting it to sound as good as it does.

Comments, suggestions and feedback are welcome either as replies to this post or via e-mail to blueboxpodcast@gmail.com. Audio comments sent as attached MP3 files are definitely welcome and will be played in future shows. You may also call the listener comment line at either +1-415-830-5439 or via SIP to 'bluebox@voipuser.org' to leave a comment there.

Thank you for listening and please do let us know what you think of the show.

Blue Box SE#026 - Astricon 2007 presentation on VoIP security and Asterisk

Wed, 03 Sep 2008 14:54:03 +0000

Synopsis: Blue Box Special Edition #26: Astricon 2007 presentation - "Hacking and Attacking VoIP Systems: What you need to worry about"

Welcome to Blue Box: The VoIP Security Podcast Special Edition #26, a 55-minute podcast from Dan York and Jonathan Zar covering VoIP security news, comments and opinions.

Download the show here (MP3, 6MB) or subscribe to the RSS feed to download the show automatically.

You may also listen to this podcast right now:

Show Content:

The slides for this talk are available from Slideshare:

Hacking and Attacking VoIP Systems - What You Need To Know

View SlideShare presentation or Upload your own. (tags: voip voipsecurity)

(And yes, at some point I'll sync the audio with the slides.)

Thank you for listening and please do let us know what you think of the show.

Blue Box #82: Asterisk & Skype security vulnerabilities, new VoIP security tools, VoIP steganography, VoIP security news and much, much more...

Wed, 27 Aug 2008 16:53:17 +0000

Synopsis: Blue Box #82: Asterisk & Skype security vulnerabilities, new VoIP security tools, VoIP steganography, VoIP security news and much, much more...

Welcome to Blue Box: The VoIP Security Podcast #82, a 47-minute podcast from Dan York and Jonathan Zar covering VoIP security news, comments and opinions.

Download the show here (MP3, 21MB) or subscribe to the RSS feed to download the show automatically.

NOTE: This show was originally recorded on June 21, 2008.

You may also listen to this podcast right now:

Show Content:

00:20 - Intro to the show, contact information and how to provide comments. Welcome to all the new listeners - and to all those listeners who have been here for so long!
Programming notes:
- Note about the production team – new special editions coming soon.
- Note about URLs for the media files
AST-2008-008 – Remote Crash Vulnerability in SIP channel driver when run in pedantic mode
AST-2008-009 – Remote crash vulnerability in ooh323 channel driver
Skype-SB-2008-003 – Skype File URI Security Bypass Code Execution Vulnerability

New version of SIPvicious

Sipflanker – tool to find SIP devices with web GUIs

Discussion about VoIP Steganography (pointed to by Craig Bowser)

Geeks Are Sexy: New Technology Hides Messages in Internet Phone Calls – and Switched: Spies to Use Skype to Send Secret Messages? – and The Register

FierceVoIP: VoIP Security and the Circle of Trust pointing to Government Computer News: Careful with the call

The Register: ‘Untraceable’ phone fraudsters eye your credit card

SearchUnifiedCommunications: Disaster and recovery in the VoIP/IPT RFP

Secure Computing: Voice tools under enemy fire

VNUnet: A good VoIP application is worth paying for

Ofcom confirms VoIP providers must provide access to 999 and 112

Bogdan Materna’s blog is live

Realtime Community: The Essentials Series:
Messaging and Web Security
Volume III

Global Knowledge: On-Demand Webinar on VoIP Security (hat tip to Thomas Lee )

SearchSecurity: The threats to telcos and how they can repel them

TMCnet: Balancing Issues in World of Telepresence

Network World: VoIP Security Buying Guide

Nortel and SecureLogix Team to Deliver Voice Security and Management Solutions to Worldwide Enterprise Market (see also this analysis )

Sipera Partner Network Arms Resellers With Comprehensive UC and VoIP Security

VIVOphone Deploys Paradial RealTunnel?? to Solve NAT Traversal Challenges for VoIP Services

Audiocodes joins the ranks of SBC vendors

SearchSecurity: Securing the new network (interesting because it shows the layers of a defense in depth)

The Hindu Business News: Serious about Security

Shows:
- IP Telephony University – June 23-24, Alexandria, VA
- IPTComm 2008 – July 1-2, Heidelberg, Germany
- The Last H.O.P.E. – July 18-20, New York
- SpeechTek – August 18-20, New York
Call for papers for Hack-in-the-box Malaysia ends June 30th

SchmooCon 2008 videos available – several dealing with VoIP

No comments this week.
Review of the last week's traffic on the VOIPSEC public mailing list

Wrap-up of the show

47:09 - End of show

Thank you for listening and please do let us know what you think of the show.

Blue Box #82: Asterisk & Skype security vulnerabilities, new VoIP security tools, VoIP steganography, VoIP security news and much, much more...

Wed, 27 Aug 2008 15:53:18 +0000

Synopsis: Blue Box #82: Asterisk & Skype security vulnerabilities, new VoIP security tools, VoIP steganography, VoIP security news and much, much more...

Welcome to Blue Box: The VoIP Security Podcast #82, a 47-minute podcast from Dan York and Jonathan Zar covering VoIP security news, comments and opinions.

Download the show here (MP3, 21MB) or subscribe to the RSS feed to download the show automatically.

NOTE: This show was originally recorded on June 21, 2008.

You may also listen to this podcast right now:

Show Content:

00:20 - Intro to the show, contact information and how to provide comments. Welcome to all the new listeners - and to all those listeners who have been here for so long!
Programming notes:
- Note about the production team – new special editions coming soon.
- Note about URLs for the media files
AST-2008-008 – Remote Crash Vulnerability in SIP channel driver when run in pedantic mode
AST-2008-009 – Remote crash vulnerability in ooh323 channel driver
Skype-SB-2008-003 – Skype File URI Security Bypass Code Execution Vulnerability

New version of SIPvicious

Sipflanker – tool to find SIP devices with web GUIs

Discussion about VoIP Steganography (pointed to by Craig Bowser)

Geeks Are Sexy: New Technology Hides Messages in Internet Phone Calls – and Switched: Spies to Use Skype to Send Secret Messages? – and The Register

FierceVoIP: VoIP Security and the Circle of Trust pointing to Government Computer News: Careful with the call

The Register: ‘Untraceable’ phone fraudsters eye your credit card

SearchUnifiedCommunications: Disaster and recovery in the VoIP/IPT RFP

Secure Computing: Voice tools under enemy fire

VNUnet: A good VoIP application is worth paying for

Ofcom confirms VoIP providers must provide access to 999 and 112

Bogdan Materna’s blog is live

Realtime Community: The Essentials Series:
Messaging and Web Security
Volume III

Global Knowledge: On-Demand Webinar on VoIP Security (hat tip to Thomas Lee )

SearchSecurity: The threats to telcos and how they can repel them

TMCnet: Balancing Issues in World of Telepresence

Network World: VoIP Security Buying Guide

Nortel and SecureLogix Team to Deliver Voice Security and Management Solutions to Worldwide Enterprise Market (see also this analysis )

Sipera Partner Network Arms Resellers With Comprehensive UC and VoIP Security

VIVOphone Deploys Paradial RealTunnel® to Solve NAT Traversal Challenges for VoIP Services

Audiocodes joins the ranks of SBC vendors

SearchSecurity: Securing the new network (interesting because it shows the layers of a defense in depth)

The Hindu Business News: Serious about Security

Shows:
- IP Telephony University – June 23-24, Alexandria, VA
- IPTComm 2008 – July 1-2, Heidelberg, Germany
- The Last H.O.P.E. – July 18-20, New York
- SpeechTek – August 18-20, New York
Call for papers for Hack-in-the-box Malaysia ends June 30th

SchmooCon 2008 videos available – several dealing with VoIP

No comments this week.
Review of the last week's traffic on the VOIPSEC public mailing list

Wrap-up of the show

47:09 - End of show

Thank you for listening and please do let us know what you think of the show.

Blue Box #81: iSkoot vulnerability, OFCOM legislation, VoIP security news and more

Tue, 26 Aug 2008 17:16:43 +0000

Synopsis: Blue Box #81: iSkoot vulnerability, OFCOM legislation, VoIP security news and more

Welcome to Blue Box: The VoIP Security Podcast #81, a 42-minute podcast from Dan York and Jonathan Zar covering VoIP security news, comments and opinions.

Download the show here (MP3, 19MB) or subscribe to the RSS feed to download the show automatically.

NOTE: This show was originally recorded on May 21, 2008.

You may also listen to this podcast right now:

Show Content:

00:20 - Intro to the show, contact information and how to provide comments. Welcome to all the new listeners - and to all those listeners who have been here for so long!
Programming notes:
- Note about the hiatus
Voice of VOIPSA: Are your Skype username and password completely exposed if you use iSkoot?
Voice of VOIPSA: Chronology
Voice of VOIPSA: iSkoot disclosure of Skype credentials resolved – new version by Wednesday
Ofcom confirms VoIP providers must provide access to 999 and 112 – and Hannes Tschofenig points to 4th Emergency Services Coordination Workshop and presentation about the UK
MarketingVOX: British Proposal May Force ISPs to Fork Over Online Activity, Emails, VOIP Calls pointing to Reuters article: Britain mulls plan to store all email and calls

Enterprise VoIP Planet: VoIP Security: SIP-Versatile but Vulnerable

IT Business Edge: Pay Attention to VoIP Security Before The Storm

NetworkWorld: Business Guide to VoIP Security

Pocket-lint: Fraudsters targeting VoIP Users based on report out of Newport Networks (reported in VoIP News) – also covered at Fierce VoIP: Newport Networks riles up VoIP Security Fears and Computeractive: Phreak-out over VoIP and TechHerald article

Network World: Security and management considerations when deploying OCS

LXer: Secure Calling Initiative Reaches Second Milestone pointing to Secure Calling Initiative

[H]Enthusiast: Mobile Phones, VoIP Not Secure, Experts Warn=

VoIP News: The Essential Guide to VoIP Privacy

Voice of VOIPSA: Information Week interviews SecureLogix about VoIP security

eWeek: VoIP Security through Responsible Software Development

Microsoft gives back door keys to Vista to police

Comment (blog) from Martyn Davies

Comment (email) from Detlef

Comment (email) from Dan McGinn-Combs

Review of the last week's traffic on the VOIPSEC public mailing list

Wrap-up of the show

41:43 - End of show

Thank you for listening and please do let us know what you think of the show.

Blue Box #81: iSkoot vulnerability, OFCOM legislation, VoIP security news and more

Tue, 26 Aug 2008 16:16:43 +0000

Synopsis: Blue Box #80: VoIPShield vulnerabilities, what is ethical disclosure?, SIP trunking, VoIP security news, new nomadism, and much more...

Welcome to Blue Box: The VoIP Security Podcast #80, a 44-minute podcast from Dan York and Jonathan Zar covering VoIP security news, comments and opinions.

Download the show here (MP3, 19MB) or subscribe to the RSS feed to download the show automatically.

NOTE: This show was originally recorded on April 21, 2008.

You may also listen to this podcast right now:

Show Content:

00:20 - Intro to the show, contact information and how to provide comments. Welcome to all the new listeners - and to all those listeners who have been here for so long!
Programming notes:
- Note about the hiatus
Voice of VOIPSA: Are your Skype username and password completely exposed if you use iSkoot?
Voice of VOIPSA: Chronology
Voice of VOIPSA: iSkoot disclosure of Skype credentials resolved – new version by Wednesday
Ofcom confirms VoIP providers must provide access to 999 and 112 – and Hannes Tschofenig points to 4th Emergency Services Coordination Workshop and presentation about the UK
MarketingVOX: British Proposal May Force ISPs to Fork Over Online Activity, Emails, VOIP Calls pointing to Reuters article: Britain mulls plan to store all email and calls

Enterprise VoIP Planet: VoIP Security: SIP-Versatile but Vulnerable

IT Business Edge: Pay Attention to VoIP Security Before The Storm

NetworkWorld: Business Guide to VoIP Security

Pocket-lint: Fraudsters targeting VoIP Users based on report out of Newport Networks (reported in VoIP News) – also covered at Fierce VoIP: Newport Networks riles up VoIP Security Fears and Computeractive: Phreak-out over VoIP and TechHerald article

Network World: Security and management considerations when deploying OCS

LXer: Secure Calling Initiative Reaches Second Milestone pointing to Secure Calling Initiative

[H]Enthusiast: Mobile Phones, VoIP Not Secure, Experts Warn=

VoIP News: The Essential Guide to VoIP Privacy

Voice of VOIPSA: Information Week interviews SecureLogix about VoIP security

eWeek: VoIP Security through Responsible Software Development

Microsoft gives back door keys to Vista to police

Comment (blog) from Martyn Davies

Comment (email) from Detlef

Comment (email) from Dan McGinn-Combs

Review of the last week's traffic on the VOIPSEC public mailing list

Wrap-up of the show

41:43 - End of show

Thank you for listening and please do let us know what you think of the show.

Wee-Fi: Meraki Modifies, Drops Standard; Tempe's Phoenix?; Remote Wake, Wi-Fi Need Not Apply

Thu, 14 Aug 2008 06:32:51 +0000

Meraki reworks product line, drops new sales of community flavor: The cheap mesh router company has mutated slightly once again. The partly-Google-backed firm founded by MIT RoofNet "graduates" built the company on the notion that they could sell $50 routers that could mesh with each other, and use a robust central management system they developed. Over time, the $50 price didn't hold up for commercial networks of scale. Last October, the company mishandled a change in its business model when they abruptly announced a $100 increase in price for newly purchased nodes under their Meraki Pro level for any network that wanted to control whether or not ads appeared, have user accounts, and charge for service. (They eventually recovered, apologized, and reworked some of the transition details.) The company continued to offer a $50 indoor and $100 outdoor Standard level nodes for networks that required ads and had other limits. As of a few days ago, Standard is dead, and the Meraki mini has been upgraded to the Meraki Indoor ($150). The Indoor has signal strength LEDs on the side for better help in placing units, an internal antenna, and better resilience against power fluctuations. The company explains its move in eliminating Standard by noting that most customers moved to Pro. It's not precisely the end of idealism (nor did that happen last October), as Meraki is still one of the major commercial mesh vendors, and their products are still vastly easier and a fraction of the cost of higher-end competitors.

New life for dead Tempe network? Another firm has expressed interest in buying the pennies on the dollar assets that remain of the former Kite Networks installation in Tempe from the firm that financed the venture as long as they can negotiate a new, more favorable deal with the city for mounting and removal rights. CTC, Inc., which the East Valley Tribune reports runs networks in the Kansas City, Mo., area, thinks there's an opportunity. The article notes that reception problems were due in part to the prevalence of stucco in Tempe, common in the southwest. Stucco walls layer plaster or other materials on a wire mesh for strength that turns a house into a bit of an accidental Faraday cage, partially shielding the home from electromagnetic radiation. (Could I go so far to say that Tempe's network could be a phoenix? Ouch.)

Wake up, you darn computer: Intel's new Remote Wake motherboards won't work with Wi-Fi, it's important to note. The feature, announced today, will let an incoming VoIP call (the articles all say "phone call over the Internet") to wake a computer, as long as the call comes from a particular source. Of course, the standard SIP protocol for VoIP doesn't have the kind of security and integrity that would allow this; Intel has to overcome the problem with network address translation that renders most computer unreachable from outside the local network without a separate service like GoToMyPC or LogMeIn; and it will only work for computers connected via Ethernet to a local network, because Wi-Fi is off when a computer sleeps, while Ethernet can remain lightly active. I don't have the protocol details yet, but there's long been a Wake on LAN protocol that required support in a router, operating system, and Ethernet card; Intel may be leveraging this.

What are critical issues with VoIP service?

Wed, 30 Jul 2008 20:00:00 +0000

A look at the VoIP industry's most pressing issues, including SIP interoperability, TDM-to-SIP transition services and VoIP security issues.

How to reveal blocked caller ID info

Tue, 22 Jul 2008 00:00:03 +0000

Let's say for some reason someone has his or her caller ID blocked and is calling you all the time. Let's then say you really want to know who that person is for whatever reason -- not that we'd know anything about that. Some crafty phreaker types have come up with a way to do this using an enterprise-spec asterisk box and a SIP trunk provider.

Blue Box #80: VoIPShield vulnerabilities, what is ethical disclosure?, SIP trunking, VoIP security news, new nomadism, and much more...

Tue, 15 Jul 2008 13:20:45 +0000

Synopsis: Blue Box #80: VoIPShield vulnerabilities, what is ethical disclosure?, SIP trunking, VoIP security news, new nomadism, and much more...

Welcome to Blue Box: The VoIP Security Podcast #80, a 44-minute podcast from Dan York and Jonathan Zar covering VoIP security news, comments and opinions.

Download the show here (MP3, 20MB) or subscribe to the RSS feed to download the show automatically.

NOTE: This show was originally recorded on April 17, 2008.

You may also listen to this podcast right now:

Show Content:

00:20 - Intro to the show, contact information and how to provide comments. Welcome to all the new listeners - and to all those listeners who have been here for so long!

MANY thanks for all the offers of audio production assistance – getting it organized now

Ingate SIP Trunking webinar now available (and a note about participating in things like this)

VOIPSA blog site hacked

Voice of VOIPSA: Quarterly VoIP Vulnerabilities Summary

VoIPshield list of vulnerabilities

Cisco Advisory

Cisco Advisory about Disaster Recovery Framework

Voice of VOIPSA: VoIPshield announces discovery of over 100 vulnerabilities along with a YouTube video

Washington Post: Reach Out And Hack Someone

Voice of VOIPSA: GNUcitizen research discovery: Default key algorithm in Thomson and BT Home Hub routers

VoIP News: The Essential Guide to VoIP Security

Information Week: Securing VoIP with SecureLogix – includes YouTube video with Mark Collier

Voice of VOIPSA: VoIP and the International Space Station

Voice of VOIPSA: Xplico Network Forensic Analysis Tool

Voice of VOIPSA: Australians falling victim to foreign phone hackers

VoIP News Australia: How ACMA Plans to Regulate VoIP

Network World: Government agencies rejecting VoIP?

Linux Professional Institute to develop enterprise-level security exam

Net neutrality and Bell Canada

ZDNet: Attacks escalate on critical U.S. government networks: Will a Manhattan Project work?

Google XSS Attack (interesting as it shows the complexity of such attacks)

The Economist: Special Report: The New Nomadism

VoiceBiometrics – May 14-15, New York

IP Telephony University – June 23-24, Alexandria, VA

Review of the last week's traffic on the VOIPSEC public mailing list

Wrap-up of the show

44:22 - End of show

Thank you for listening and please do let us know what you think of the show.