Synopsis:  Blue Box #84: New Cisco, Avaya, Nortel VoIP security vulnerabilities from VoIPShield, Skype in China, UCSniff and other new tools, news and more

Welcome to Blue Box: The VoIP Security Podcast #84, a 30-minute podcast  from Dan York and Jonathan Zar covering VoIP security news, comments and opinions.   

Download the show here (MP3, MB) or subscribe to the RSS feed to download the show automatically. 

You may also listen to this podcast right now:

Show Content:

• 00:20 - Intro to the show, contact information and how to provide comments.  Welcome to all the new listeners - and to all those listeners who have been here for so long!
• Programming notes:
  • Three-year anniversary of Blue Box coming up on October 24th - any thoughts you'd like to share with us? (Please send them to us by October 23rd.)
• VoIPShield announces new vulnerabilities and http://www.voipshield.com/research.php
• http://www.theregister.co.uk/2008/09/30/voip_eavesdropping_tool/
• "Sipera Develops VoIP Spy Program - to Prove a Point" - http://www.voipplanet.com/trends/article.php/3776136
• SecureLogix Announces Free Availability of VoIP Security Tools
• NY Times: Surveillance of Skype Messages Found in China - http://www.nytimes.com/2008/10/02/technology/internet/02skype.html?_r=2&partner=rssnyt&pagewanted=print
• http://securitywatch.eweek.com/privacy/skypechina_breach_is_anyone_really_surprised.html
• http://www.informationweek.com/news/telecom/voip/showArticle.jhtml?articleID=210605439
• Skype CEO's blog post about the issue: http://share.skype.com/sites/en/2008/10/answers_to_some_commonly_asked.html
• http://www.itbusinessedge.com/blogs/top/?p=398
• http://www.voip-news.com/feature/google-phone-europe-growth-092408/
• http://www.itnewsafrica.com/?p=1269
• http://news.cnet.com/8301-1009_3-10052393-83.html
• http://www.broadbandreports.com/shownews/VoIP-Vulnerabilities-Being-Exposed-Today-98039
• http://www.itbusinessedge.com/blogs/top/?p=402
• http://voipsa.org/blog/2008/10/07/5th-emergency-services-workshop-to-be-held-oct-21-23-in-vienna/
• http://eon.businesswire.com/news/eon/20080924005342/en
• http://www.crn.com/security/210602442
• http://it.tmcnet.com/topics/it/articles/41236-infoblox-unveils-dns-firewall-address-dns-vulnerability-concerns.htm
• http://www.newswire.ca/en/releases/archive/September2008/29/c9005.html
• No comments this week.
  
• Review of the last week's traffic on the VOIPSEC public mailing list
  
• Wrap-up of the show
  
• 30:26 - End of show 

NOTE: Long-time listeners will note that the show notes above are in a less descriptive form than usual. After almost three years of using one wiki for preparing for our shows, Jonathan and I switched to using a new system and are still working out some of the details that will speed the input into show notes.

Comments, suggestions and feedback are welcome either as replies to this post  or via e-mail to blueboxpodcast@gmail.com.  Audio comments sent as attached MP3 files are definitely welcome and will be played in future shows.  You may also call the listener comment line at either +1-415-830-5439 or via SIP to 'bluebox@voipuser.org' to leave a comment there. 

Thank you for listening and please do let us know what you think of the show.

“Complex Event Processing (CEP) is a technology which has been used for many years in the Aerospace and Defence Industry for Situational Awareness and Data Fusion modules in Command, Control, Communications, Computing and Intelligence Systems (aka C4I).

Currently CEP is being rediscovered as a foundation for new class of extremely effective Business Intelligence, Security and System/Network/SCADA Monitoring solutions in industries like Financial Services, Telecommunications, Oil and Gas, Manufacturing, Logistics etc. The increasing connectivity and processing power of the modern IT and Telecom technologies lead to increasing speed and volume of the dataflow available to the organisations. By using CEP solutions companies can gain competitive advantage by achieving real-time situational awareness and tapping the information value that is hidden within the streams of real-time event data that are coming from a variety of sources such as enterprise applications, financial transactions, sensor networks and supply chains.”

Unfortunately, the author does not cite references in the paper.

Espin references Joe Sharkey's excellent column on in-flight calling in Sunday's New York Times: Sharkey, a veteran travel writer, who survived a mid-air collision over the Brazilian Amazon a few years ago, looks at varying attitudes about calls made during flights. He quotes Aircell's Jack Blumenstein saying what I've telling folks for months: Aircell has a lot of techniques to block VoIP calls already, and "as we identify new ways that people are trying to do voice calls on the airplane, we just kind of zero in and knock those off." Many geeks have assumed Aircell is a bunch of unsavvy folks who wouldn't be able to figure out how to disrupt their clever workarounds for making VoIP. (I keep noting that introducing jitter for suspicious data connections wouldn't disrupt legitimate applications, but would destroy VoIP call quality.)

This is a critical distinction. Telecoms are covered under the Telecom Act of 1996 that requires non-discriminatory access to utility poles to avoid incumbent local exchange carriers (ILECs) and utilities from being gatekeepers that prevent competitive service from emerging. There are a series of tests in the law and local qualifications, too, that allow a firm to be a registered telecom. An FCC decision last year ruled that companies that mix telecom and unregulated information services on the same wires aren't disqualified from getting the Telecom Act deal, however.

But E-Path seems to meet none of the criteria except their desire to pay $10 instead of $50 per year per pole. Utility poles have held up many other municipal networks. We're not hearing more about them these days because such networks are now being built on a smaller scale for different purposes, where the number of nodes and their placement is rather different than networks built with the intent of providing indoor coverage.

Cablevision, by the way, qualifies as a telecom, this article states, which helps them in placing nodes for their planned $300m network across their coverage territory. They can also mount nodes in-line with their cable lines, using power from their cable plant on the lines already.

E-Path appears to have a variety of communication problems as well. The article notes, "Tortoretti said his Washington, D.C., attorneys disagree with LIPA's interpretation. But the attorney Tortoretti said represents E-Path, Charles Rohe, said he couldn't speak about the company or the dispute."

Later, E-Path's "chief executive said he hopes the county will help with his LIPA dispute." But an aide to the Suffolk County executive said, "That's not really our issue. That's out of our control."

Correspondent Craig Plunkett, quoted near the end, points out that if the counties were to change their minds and want to buy services on the network, the proposal would have to be rebid (appears as the sound-alike "rebuild" by accident in the online article at this moment).