Synopsis:  Blue Box #80: VoIPShield vulnerabilities, what is ethical disclosure?, SIP trunking, VoIP security news, new nomadism, and much more...

Welcome to Blue Box: The VoIP Security Podcast #80, a 44-minute podcast  from Dan York and Jonathan Zar covering VoIP security news, comments and opinions.   

Download the show here (MP3, 20MB) or subscribe to the RSS feed to download the show automatically. 

NOTE: This show was originally recorded on April 17, 2008.

You may also listen to this podcast right now:

Show Content:

• 00:20 - Intro to the show, contact information and how to provide comments.  Welcome to all the new listeners - and to all those listeners who have been here for so long!
• MANY thanks for all the offers of audio production assistance – getting it organized now


• Ingate SIP Trunking webinar now available (and a note about participating in things like this)


• VOIPSA blog site hacked
• Voice of VOIPSA: Quarterly VoIP Vulnerabilities Summary


• VoIPshield list of vulnerabilities


• Cisco Advisory


• Cisco Advisory about Disaster Recovery Framework


• Voice of VOIPSA: VoIPshield announces discovery of over 100 vulnerabilities along with a YouTube video


• CIO


• Washington Post: Reach Out And Hack Someone


• Voice of VOIPSA: GNUcitizen research discovery: Default key algorithm in Thomson and BT Home Hub routers


• VoIP News: The Essential Guide to VoIP Security


• Information Week: Securing VoIP with SecureLogix – includes YouTube video with Mark Collier


• Voice of VOIPSA: VoIP and the International Space Station


• Voice of VOIPSA: Xplico Network Forensic Analysis Tool


• Voice of VOIPSA: Australians falling victim to foreign phone hackers


• VoIP News Australia: How ACMA Plans to Regulate VoIP


• Network World: Government agencies rejecting VoIP?



• Linux Professional Institute to develop enterprise-level security exam


• Net neutrality and Bell Canada


• ZDNet: Attacks escalate on critical U.S. government networks: Will a Manhattan Project work?


• Google XSS Attack (interesting as it shows the complexity of such attacks)
• The Economist: Special Report: The New Nomadism


• VoiceBiometrics – May 14-15, New York


• IP Telephony University – June 23-24, Alexandria, VA


• Review of the last week's traffic on the VOIPSEC public mailing list 


• Wrap-up of the show


• 44:22 - End of show 

Comments, suggestions and feedback are welcome either as replies to this post  or via e-mail to blueboxpodcast@gmail.com.  Audio comments sent as attached MP3 files are definitely welcome and will be played in future shows.  You may also call the listener comment line at either +1-415-830-5439 or via SIP to 'bluebox@voipuser.org' to leave a comment there. 

Thank you for listening and please do let us know what you think of the show.

Stephouse steps into Portland, Ore., void: Local firm Stephouse has built out 5 sq mi of business-grade wireless availability in downtown Portland and 2 sq mi in an underserved part of north Portland using Proxim gear for both Wi-Fi and WiMax service. Wi-Fi use is $20 per month or 1 free hour per day up to 10 free hours per month. The offering seems to focus on the business side, though, in competition with services like Towerstream. Prices aren't listed on the company's site.

Hartford drops Wi-Fi effort: Connecticut's trouble capital city has given up on city-wide Wi-Fi. No surprise. No firms ready to build for free, no money, no tangible goals. My wife grew up in the suburb to the west--West Hartford, prosaically enough--and speculates that the lack of county-oriented government in Connecticut has doomed Hartford to be a civic wasteland. It's recovering a bit as housing affordability goes up, and there's more going on in the city than there used to be. But there won't be Wi-Fi. Incidentally, the Mark Twain House & Museum in Hartford, home of one of the world's first bloggers, is near financial ruin. It's a great piece of American history; I'm hoping it's saved again--it's had many lives since Twain built it and went bankrupt.

The same key points of that presentation are still relevant today:

1. Event-Decision Processing is Computationally Intensive

2. CEP requires a Number of Technologies:

• Distributed Computing, Publish/Subscribe and SOA
• Hierarchical, Cooperative Inference Processing
• High Speed, Real Time Processing with State Management
• Event-Decision Architecture for Complex Situations and Events
• There is no single “CEP Solution” or “CEP Product” (in the market place then, and today)

3. CEP needs a Common Vocabulary and Functional Architecture based on Mature, Industry-Standard Inference Models

4. Processing and Integration Patterns for CEP need to be Developed and Formalized

Since March of 2006 a number of other challenges has surfaced.  I will elaborate on this challenges in a future post.

Back in the saddle again. It’s a short week for both sides of the border here in North America. Happy post Canada Day to my brethren and a Happy (and approaching) July 4th to our cousins to the south.

Click here to subscribe to Liquidmatrix Security Digest!.

And now, the news…

1. 2600 HOPE conference bringing hacking to New York City (and we’ll see you there) | CNET
2. FBI Investigating Major ATM Hacking Ring | Las Vegas Now
3. Study: Unpatched Web Browsers Prevalent on the Internet | PC World
4. Netherlands man arrested for hacking 50,000 credit cards | Security Pro Portal
5. Vint Cerf Says Government Needs To Encourage Internet Competition | Information Week
6. The Government’s Top Hackers? | Veracode
7. HSBC sites vulnerable to XSS flaws, could aid phishing attacks | ZDNet
8. HMRC goes cap-in-hand to Americans for help with fraud | The Independent

Tags: News, Daily Links, Security Blog, Information Security, Security News

OK, the database cluster is back up and playing nice after its petulant episode.

Click here to subscribe to Liquidmatrix Security Digest!.

And now, the news…

1. MoD implements new data security measures | PC Advisor
2. Do natural human traits make us more vulnerable to computer malware? | Hexus
3. The staff, the thief, the device and its data | Network World
4. Credit card firms wave stick at retailers | The Australian
5. Merchants call credit card industry’s bluff on compliance | The Register
6. Chairman: Computer Hacking ‘Much More Widespread’ | WYFF 4
7. Fired Houston organ bank worker accused of hacking into system | Houston Chronicle
8. PCI standard ‘ignores’ insider threat | vnunet
9. Student suspended after hacking emails | Stuff NZ

Tags: News, Daily Links, Security Blog, Information Security, Security News

Another day, another coffee.

Click here to subscribe to Liquidmatrix Security Digest!.

And now, the news…

1. Former SEMO Employee Found with Data Files of Personal Information of Students | KFVS 12
2. Ruby flaws send security researchers into shock | The Register
3. WhiteHat Secures $7 Million Round of Funding | Earth Times
4. UK firm offers web-based software audit | vnunet
5. Educating Employees Reduces Security Breaches | Small Business Computing
6. New Trojan Leverages Unpatched Mac Flaw | Washington Post
7. Secrecy an effective legal tool The Star

Tags: News, Daily Links, Security Blog, Information Security, Security News

Not bad. I actually managed to get a good night sleep.

Click here to subscribe to Liquidmatrix Security Digest!.

And now, the news…

1. Google and Wildcard Domains | GNUCITIZEN
2. Trojan plays anti-China games for hacking | The Economic Times
3. Villains Getting Smarter: Are We, Too? | Korea Times
4. Agency Sees Theft Risk for ID Card in Medicare | NY Times
5. Universities urged to tighten computer security | The Arizona Daily Star
6. Organised e-crime targets students for recruitment | ZDNet UK
7. Time to dismount the hamster security wheel of pain | The Regsiter
8. New security awareness posters aid the battle | Cambridge Network

Tags: News, Daily Links, Security Blog, Information Security, Security News

Friday is upon us and I can see light at the end of the tunnel.

Click here to subscribe to Liquidmatrix Security Digest!.

And now, the news…

1. Computer with software stolen from RIDC Park Company (SCADA management software) | Pittsburgh Tribune-Review
2. Staff ignore data security, surveys say | IT PRO
3. Lessons from the Verizon 2008 Data Breach Investigations Report | InfoWorld
4. Microsoft’s critical Bluetooth patch didn’t work on XP | Network World
5. Sweden passes eavesdropping law | International Herald Tribune
6. From zero day exploit to zero day fix | IT Director
7. Briton searched web for ways to kill, court told | The Guardian
8. FaceTime Security Program Locks out MySpace Applets | PC World
9. Security breach hits DivShare, unauthorized access to its database | ZDNet

Tags: News, Daily Links, Security Blog, Information Security, Security News

Making lists of things to remember as I scramble to keep my focus in the face of a lack of sleep. Next thing you know I’ll be putting sticky notes on things. “Coffee cup”, “Door”, “Advil” and “C-61 / bad joke”.

You get the idea.

Click here to subscribe to Liquidmatrix Security Digest!. Welcome to the new subscribers who joined us yesterday! Thanks!

And now, the news…

1. Copyright Bill’s Fine Print Makes For a Disturbing Read | Michael Geist
2. A Week in the Life of the Canadian DMCA: Part Two | Michael Geist
3. DMC-eh? Why Canada’s new Copyright law is a mistake | Mang Bat
4. E-Mail: To Encrypt or Not to Encrypt? | NPR
5. Hazel Blears’s stolen laptop was not encrypted | Information Age
6. Encryption: DLP’s Newest Ingredient | Dark Reading
7. Merchant Securities’ stock broking firm fined for poor data security procedures | RTT News
8. State computers headed for sale had private information | The Topeka Capital-Journal
9. Fed slammed over internal controls | Houston Chronicle

Tags: News, Daily Links, Security Blog, Information Security, Security News