[SecurityRatty] tag: spies

Blue Box #82: Asterisk & Skype security vulnerabilities, new VoIP security tools, VoIP steganography, VoIP security news and much, much more...

Wed, 27 Aug 2008 16:53:17 +0000

Synopsis: Blue Box #82: Asterisk & Skype security vulnerabilities, new VoIP security tools, VoIP steganography, VoIP security news and much, much more...

Welcome to Blue Box: The VoIP Security Podcast #82, a 47-minute podcast from Dan York and Jonathan Zar covering VoIP security news, comments and opinions.

Download the show here (MP3, 21MB) or subscribe to the RSS feed to download the show automatically.

NOTE: This show was originally recorded on June 21, 2008.

You may also listen to this podcast right now:

Show Content:

00:20 - Intro to the show, contact information and how to provide comments. Welcome to all the new listeners - and to all those listeners who have been here for so long!
Programming notes:
- Note about the production team – new special editions coming soon.
- Note about URLs for the media files
AST-2008-008 – Remote Crash Vulnerability in SIP channel driver when run in pedantic mode
AST-2008-009 – Remote crash vulnerability in ooh323 channel driver
Skype-SB-2008-003 – Skype File URI Security Bypass Code Execution Vulnerability

New version of SIPvicious

Sipflanker – tool to find SIP devices with web GUIs

Discussion about VoIP Steganography (pointed to by Craig Bowser)

Geeks Are Sexy: New Technology Hides Messages in Internet Phone Calls – and Switched: Spies to Use Skype to Send Secret Messages? – and The Register

FierceVoIP: VoIP Security and the Circle of Trust pointing to Government Computer News: Careful with the call

The Register: ‘Untraceable’ phone fraudsters eye your credit card

SearchUnifiedCommunications: Disaster and recovery in the VoIP/IPT RFP

Secure Computing: Voice tools under enemy fire

VNUnet: A good VoIP application is worth paying for

Ofcom confirms VoIP providers must provide access to 999 and 112

Bogdan Materna’s blog is live

Realtime Community: The Essentials Series:
Messaging and Web Security
Volume III

Global Knowledge: On-Demand Webinar on VoIP Security (hat tip to Thomas Lee )

SearchSecurity: The threats to telcos and how they can repel them

TMCnet: Balancing Issues in World of Telepresence

Network World: VoIP Security Buying Guide

Nortel and SecureLogix Team to Deliver Voice Security and Management Solutions to Worldwide Enterprise Market (see also this analysis )

Sipera Partner Network Arms Resellers With Comprehensive UC and VoIP Security

VIVOphone Deploys Paradial RealTunnel?? to Solve NAT Traversal Challenges for VoIP Services

Audiocodes joins the ranks of SBC vendors

SearchSecurity: Securing the new network (interesting because it shows the layers of a defense in depth)

The Hindu Business News: Serious about Security

Shows:
- IP Telephony University – June 23-24, Alexandria, VA
- IPTComm 2008 – July 1-2, Heidelberg, Germany
- The Last H.O.P.E. – July 18-20, New York
- SpeechTek – August 18-20, New York
Call for papers for Hack-in-the-box Malaysia ends June 30th

SchmooCon 2008 videos available – several dealing with VoIP

No comments this week.
Review of the last week's traffic on the VOIPSEC public mailing list

Wrap-up of the show

47:09 - End of show

Comments, suggestions and feedback are welcome either as replies to this post or via e-mail to blueboxpodcast@gmail.com. Audio comments sent as attached MP3 files are definitely welcome and will be played in future shows. You may also call the listener comment line at either +1-415-830-5439 or via SIP to 'bluebox@voipuser.org' to leave a comment there.

Thank you for listening and please do let us know what you think of the show.

Blue Box #82: Asterisk & Skype security vulnerabilities, new VoIP security tools, VoIP steganography, VoIP security news and much, much more...

Wed, 27 Aug 2008 15:53:18 +0000

Synopsis: Blue Box #82: Asterisk & Skype security vulnerabilities, new VoIP security tools, VoIP steganography, VoIP security news and much, much more...

Welcome to Blue Box: The VoIP Security Podcast #82, a 47-minute podcast from Dan York and Jonathan Zar covering VoIP security news, comments and opinions.

Download the show here (MP3, 21MB) or subscribe to the RSS feed to download the show automatically.

NOTE: This show was originally recorded on June 21, 2008.

You may also listen to this podcast right now:

Show Content:

00:20 - Intro to the show, contact information and how to provide comments. Welcome to all the new listeners - and to all those listeners who have been here for so long!
Programming notes:
- Note about the production team – new special editions coming soon.
- Note about URLs for the media files
AST-2008-008 – Remote Crash Vulnerability in SIP channel driver when run in pedantic mode
AST-2008-009 – Remote crash vulnerability in ooh323 channel driver
Skype-SB-2008-003 – Skype File URI Security Bypass Code Execution Vulnerability

New version of SIPvicious

Sipflanker – tool to find SIP devices with web GUIs

Discussion about VoIP Steganography (pointed to by Craig Bowser)

Geeks Are Sexy: New Technology Hides Messages in Internet Phone Calls – and Switched: Spies to Use Skype to Send Secret Messages? – and The Register

FierceVoIP: VoIP Security and the Circle of Trust pointing to Government Computer News: Careful with the call

The Register: ‘Untraceable’ phone fraudsters eye your credit card

SearchUnifiedCommunications: Disaster and recovery in the VoIP/IPT RFP

Secure Computing: Voice tools under enemy fire

VNUnet: A good VoIP application is worth paying for

Ofcom confirms VoIP providers must provide access to 999 and 112

Bogdan Materna’s blog is live

Realtime Community: The Essentials Series:
Messaging and Web Security
Volume III

Global Knowledge: On-Demand Webinar on VoIP Security (hat tip to Thomas Lee )

SearchSecurity: The threats to telcos and how they can repel them

TMCnet: Balancing Issues in World of Telepresence

Network World: VoIP Security Buying Guide

Nortel and SecureLogix Team to Deliver Voice Security and Management Solutions to Worldwide Enterprise Market (see also this analysis )

Sipera Partner Network Arms Resellers With Comprehensive UC and VoIP Security

VIVOphone Deploys Paradial RealTunnel® to Solve NAT Traversal Challenges for VoIP Services

Audiocodes joins the ranks of SBC vendors

SearchSecurity: Securing the new network (interesting because it shows the layers of a defense in depth)

The Hindu Business News: Serious about Security

Shows:
- IP Telephony University – June 23-24, Alexandria, VA
- IPTComm 2008 – July 1-2, Heidelberg, Germany
- The Last H.O.P.E. – July 18-20, New York
- SpeechTek – August 18-20, New York
Call for papers for Hack-in-the-box Malaysia ends June 30th

SchmooCon 2008 videos available – several dealing with VoIP

No comments this week.
Review of the last week's traffic on the VOIPSEC public mailing list

Wrap-up of the show

47:09 - End of show

Thank you for listening and please do let us know what you think of the show.

Adware company refines opt-out, notification technology

Mon, 07 Jul 2008 20:00:00 +0000

Facing heat over privacy worries, NebuAd said Tuesday it has a new notification and opt-out system for its targeted advertising system that critics say is invasive and spies on users.

Spies Want a Second Life of Their Own

Thu, 03 Jul 2008 06:09:00 +0000

First, American spooks said they wanted to scour Second Life and other virtual worlds for terrorists. Now, the country's spies want to build a Second Life of their own. And they want it to have a time machine.

Nation's Spies Say Climate Change Could Spark War

Mon, 23 Jun 2008 17:30:00 +0000

Environmental groups have been warning for years that global climate change could make already-tense parts of the world even worse, and even spark whole new conflicts. Now, in a classified national document, the nation's spies are saying pretty much the same thing.

Groups: Ad firm used by ISPs spies on users

Tue, 17 Jun 2008 20:00:00 +0000

A targeted advertising vendor being used by several U.S. broadband providers hijacks browsers, spies on users and employs man-in-the-middle attacks, according to a report released Wednesday by two advocacy groups.

PCI compliance, building the base

Thu, 12 Jun 2008 07:54:22 +0000

Blogger: Randall Gamby

An alarming trend is beginning to surface within SMB “PCI compliant” companies, like Hannaford Brothers (http://www.networkworld.com/news/2008/031708-hannaford-data-breach.html), Okemo Mountain Resort (http://www.okemo.com/okemowinter/security_update.asp), etc. Credit data is being stolen! While this is exceedingly bad, I have a theory on why this is happening.

Before I get into my theory I’d first like to talk about military bases. As we all know, the military contains a lot of top secret information. So how does, say the U.S. Army, protect it? First, they classify what information needs to be protected. Next they find a piece of property that they can physically secure. Once the property has been thoroughly checked (no listening devices or mines buried in the ground) they construct a series of secure buildings to house the data. They then put up a fence with a limited number of gates with guard houses and guards to protect it. Then, most importantly, after certifying the security of the base, they use sentries to periodically patrol the perimeter of the grounds to ensure unauthorized access is not gained by spies sneaking in under the fence.

So what does this have to do with PCI compliance for SMBs? Well the process of PCI certification is similar to what a military branch would do to secure their information. Enterprises identify and classify what data falls under PCI compliance. They validate that the systems that contain the information are controlled properly and are locked down through processes and technologies. Then they build a fence of security around the systems to ensure only properly authorized personnel have access to them. Finally they certify that the protections meet PCI compliance requirements. But unlike the military, I theorize that a lot of SMBs, short on personnel and resources, quit here. In exploring the topic I’ve found that there’s an attitude by some executives that PCI compliance is a gate. Once SMB organizations achieve PCI compliance, some move on to the next pressing security problem. But this is the wrong attitude. Just as the military found out eons ago, they must be constantly on guard because spies are always looking for kinks in the defense perimeter in order to slip in and gain access to information without authorization.

It seems that SMBs are the most at risk of not having “guard patrols” constantly patrolling the perimeter due to the cost and resources needed to monitor and report on the security’s on-going effectiveness and the bad guys are now sneaking in stealing the very data they created these defenses to protect.

So what’s the warning? Whether you’re a SMB or Global Enterprise, PCI compliance is a gate, that’s pretty much a fact, but it can’t be left unguarded. Time, money and resources must be allocated on an on-going basis else the bad guys will sneak in undetected and you may find yourself making a breach disclosure that wasn’t detected until it was too late.

PCI compliance, building the base

Thu, 12 Jun 2008 07:54:22 +0000

Blogger: Randall Gamby

An alarming trend is beginning to surface within SMB ???PCI compliant??? companies, like Hannaford Brothers (http://www.networkworld.com/news/2008/031708-hannaford-data-breach.html), Okemo Mountain Resort (http://www.okemo.com/okemowinter/security_update.asp), etc. Credit data is being stolen! While this is exceedingly bad, I have a theory on why this is happening.

Before I get into my theory I???d first like to talk about military bases. As we all know, the military contains a lot of top secret information. So how does, say the U.S. Army, protect it? First, they classify what information needs to be protected. Next they find a piece of property that they can physically secure. Once the property has been thoroughly checked (no listening devices or mines buried in the ground) they construct a series of secure buildings to house the data. They then put up a fence with a limited number of gates with guard houses and guards to protect it. Then, most importantly, after certifying the security of the base, they use sentries to periodically patrol the perimeter of the grounds to ensure unauthorized access is not gained by spies sneaking in under the fence.

So what does this have to do with PCI compliance for SMBs? Well the process of PCI certification is similar to what a military branch would do to secure their information. Enterprises identify and classify what data falls under PCI compliance. They validate that the systems that contain the information are controlled properly and are locked down through processes and technologies. Then they build a fence of security around the systems to ensure only properly authorized personnel have access to them. Finally they certify that the protections meet PCI compliance requirements. But unlike the military, I theorize that a lot of SMBs, short on personnel and resources, quit here. In exploring the topic I???ve found that there???s an attitude by some executives that PCI compliance is a gate. Once SMB organizations achieve PCI compliance, some move on to the next pressing security problem. But this is the wrong attitude. Just as the military found out eons ago, they must be constantly on guard because spies are always looking for kinks in the defense perimeter in order to slip in and gain access to information without authorization.

It seems that SMBs are the most at risk of not having ???guard patrols??? constantly patrolling the perimeter due to the cost and resources needed to monitor and report on the security???s on-going effectiveness and the bad guys are now sneaking in stealing the very data they created these defenses to protect.

So what???s the warning? Whether you???re a SMB or Global Enterprise, PCI compliance is a gate, that???s pretty much a fact, but it can???t be left unguarded. Time, money and resources must be allocated on an on-going basis else the bad guys will sneak in undetected and you may find yourself making a breach disclosure that wasn???t detected until it was too late.

Declassified NSA Document Reveals the Secret History of TEMPEST

Wed, 30 Apr 2008 00:00:00 +0000

The secret history of how the nation's spies discovered that their ace equipment was leaking data into the ether has never been told before. But now a declassified NSA document tells how a Bell Telephone engineer stumbled onto a problem that vexes the agency to this day.

U.S. Spies Use Custom Videogames to Learn How to Think

Wed, 23 Apr 2008 23:30:00 +0000

The U.S. Defense Intelligence Agency commissions three custom games to teach new recruits critical thinking skills, while the Army builds its own simulator to instruct intelligence officers in the art of interrogation. No virtual waterboarding allowed.