Synopsis:  Blue Box Special Edition #26: Astricon 2007 presentation - "Hacking and Attacking VoIP Systems: What you need to worry about"

Welcome to Blue Box: The VoIP Security Podcast Special Edition #26, a 55-minute podcast  from Dan York and Jonathan Zar covering VoIP security news, comments and opinions.   

Download the show here (MP3, 6MB) or subscribe to the RSS feed to download the show automatically. 

You may also listen to this podcast right now:

Show Content:

A year ago in September 2007, I (Dan York) spoke at Astricon 2007 in Arizona, USA, about "Hacking and Attacking VoIP Systems: What You Need To Worry About" My presentation covered a lot of the typical VoIP security threats, tools and best practices but also expanded a bit into specific security issues with Asterisk.  Please do keep in mind that it has been a year since this presentation and so some of the issues I mention have been addressed. (Astricon, for those who don't know, is an annual developer conference for those who work with the Asterisk open source telephony platform. Astricon 2008 is, in fact, coming up in about 3 weeks but I will not be attending this year.)

The slides for this talk are available from Slideshare:

(And yes, at some point I'll sync the audio with the slides.)

Production assistance on this Special Edition was provided by Michael Graves who had a very tough task given the poor quality of the recording that I gave to him!  Kudos to Michael for getting it to sound as good as it does.

Comments, suggestions and feedback are welcome either as replies to this post  or via e-mail to blueboxpodcast@gmail.com.  Audio comments sent as attached MP3 files are definitely welcome and will be played in future shows.  You may also call the listener comment line at either +1-415-830-5439 or via SIP to 'bluebox@voipuser.org' to leave a comment there. 

Thank you for listening and please do let us know what you think of the show.

Synopsis:  Blue Box Special Edition #26: Astricon 2007 presentation - "Hacking and Attacking VoIP Systems: What you need to worry about"

Welcome to Blue Box: The VoIP Security Podcast Special Edition #26, a 55-minute podcast  from Dan York and Jonathan Zar covering VoIP security news, comments and opinions.   

Download the show here (MP3, 6MB) or subscribe to the RSS feed to download the show automatically. 

You may also listen to this podcast right now:

Show Content:

A year ago in September 2007, I (Dan York) spoke at Astricon 2007 in Arizona, USA, about "Hacking and Attacking VoIP Systems: What You Need To Worry About" My presentation covered a lot of the typical VoIP security threats, tools and best practices but also expanded a bit into specific security issues with Asterisk.  Please do keep in mind that it has been a year since this presentation and so some of the issues I mention have been addressed. (Astricon, for those who don't know, is an annual developer conference for those who work with the Asterisk open source telephony platform. Astricon 2008 is, in fact, coming up in about 3 weeks but I will not be attending this year.)

The slides for this talk are available from Slideshare:

(And yes, at some point I'll sync the audio with the slides.)

Production assistance on this Special Edition was provided by Michael Graves who had a very tough task given the poor quality of the recording that I gave to him!  Kudos to Michael for getting it to sound as good as it does.

Comments, suggestions and feedback are welcome either as replies to this post  or via e-mail to blueboxpodcast@gmail.com.  Audio comments sent as attached MP3 files are definitely welcome and will be played in future shows.  You may also call the listener comment line at either +1-415-830-5439 or via SIP to 'bluebox@voipuser.org' to leave a comment there. 

Thank you for listening and please do let us know what you think of the show.

Well, imagine that. I received this email at 9:31 am yesterday from the marketing folks at Infosecurity Canada.

Sorry Dave…I will make arrangements for a badge to be ready for pick up at pre-registration.

Um, yeah see I was on the other side of the city. At least Myrcurial is on the ground. Maybe he’ll grace us with an update.

Click here to subscribe to Liquidmatrix Security Digest!.

And now, the news…

1. Banks slip through virus loophole | The Guardian UK
2. Danish filter catches Romanian child-porn sites | Computer World
3. City officials confident information is secure (This is funny. They’re claiming 15 char password is secure. Sigh)| Belleville Intelligencer
4. Sophos assists Computer Crime Unit in bringing botnet master to justice | Sophos Press
5. U.S. warns on Olympics computer security | UPI
6. Lawmakers accuse China of hacking computers | Reuters
7. China denies hacking into US computers | Associated Press
8. Customer fears grow after mass hacking of retail website | Customer Strategy
9. Online medical records offer convenience, may limit privacy | USA Today

Tags: News, Daily Links, Security Blog, Information Security, Security News

It is perhaps timely that this week three large ISPs in the USA have announced that they have decided to block access to child sexual abuse image newsgroups on Usenet and remove sites hosting this material from their servers. This was initially inaccurately reported so as to imply the installation of blocking systems for other people’s websites; which is unlikely to be especially effective, and may even provide an “oracle” by which the people who seek illegal material can locate new websites to visit.

Our new paper, “The Impact of Incentives on Notice and Take-Down”, examines a number of different types of wicked Internet content and discusses how effective people are at getting the material removed by serving notices upon the website owners who host it. We have a number of interesting results, but perhaps the most striking is that although phishing websites impersonating banks are generally removed in a couple of hours, the mean lifetime for a website hosting child abuse images is almost a month and even the median (the time by which half of the sites are removed) is 12 days.

We believe that the reason that the child abuse image websites are removed so slowly is that the Internet Watch Foundation (IWF), who collate a list of illegal sites, is only prepared to talk directly with the hosting ISPs within the UK. If the site is hosted abroad (which is now 99.8% of all sites) the IWF informs the UK police, who pass the message on to law enforcement in the relevant country, and that clearly leads to considerable delays. Furthermore, the same parochial attitude appears to be taken by similar organisations in other countries.

The IWF are a member of INHOPE, an association of child sexual abuse image reporting hotline organisations operating in 29 countries, and the IWF will also pass reports to the appropriate INHOPE members. However, in the US, which hosts around half of all the illegal sites, IWF tell us that NCMEC the hotline operator there will only pass on notices to their members — and that means that American ISPs do not get a timely notice.

We think it is the close involvement with the police, who have to operate within a particular jurisdiction, which leads the IWF to believe that they would be “treading on other people’s toes” if they contacted ISPs outside the UK. I assume that this is why I was firmly told in an email this week that they “are not permitted or authorised to issue notices to takedown content to anyone outside the UK”. Indeed, this echoed in a letter to The Guardian today by John Carr who says “The IWF cannot issue a notice to a Polish or Irish internet service provider”.

We don’t think there is some magical international permission given to the people who try to take down any of the other types of content we studied — from phishing, to fake escrow sites, to illegal pharmacies. It only seems to be INHOPE members, dealing with child sexual abuse images, who are not prepared to make an attempt!

Besides this issue, we have a number of other interesting results in the paper (so do read it!) For example we looked at “mule recruitment websites” — with job adverts for payment processors who will be conned into handling the proceeds of phishing scams in the belief that they’re handling payments for legitimate companies. These sites are only taken down by volunteer (amateur) efforts — since they don’t attack any particular bank, but the whole industry, no particular bank is prepared to put in any effort to remove them. Unsurprisingly, their average lifetime is 13 days (mean 8 days) — far longer than the phishing websites — which is not good news for gullible consumers.

...a new GPS device enables authorities to remotely control a bus -- slowing it down to 5 mph and preventing it from restarting once it has stopped. The device has been installed on thousands of local commuter and tourist buses.

The technology is designed to prevent a terrorist from ramming a bus filled with people and explosives into buildings or tunnels.

Private bus companies have received millions of dollars from the Department of Homeland Security for the security systems. It costs $1,500 to equip each bus, with $50-per-bus monthly maintenance costs.

Gray Line double-decker tourist buses and Coach USA have spent hundreds of thousands of dollars in federal funds to install 3,000 devices. After receiving a $124,000 federal grant, DeCamp Bus Lines is installing the device on its 80 commuter buses, which travel routes from northern New Jersey to the Port Authority Bus Terminal in Midtown.

New Jersey Transit is currently in the process of equipping all of its roughly 3,000 buses with the technology. NJ Transit Chief of Police Joseph Bober said: "This enhanced technology helps us protect our bus drivers and customers. It's another proactive tool to protect our property, employees and customers."

What a week - it’s like I’m swimming uphill both ways and it’s snowing. An extra large helping of news to make up for being late this morning. And hey - thanks to all of our new subscribers that joined us yesterday. Welcome!

Click here to subscribe to Liquidmatrix Security Digest!

And now, the news…

1. The Attack that made Kevin Rose Cry - Revision3
2. BBC NEWS | Science/Nature | Monkey’s brain controls robot arm Always mount a scratch monkey - seriously.
3. Will your mobile squeal to the police? | The Register Will your mobile find a horse head in it’s bed?
4. Download al Qaeda manuals from the DoJ, go to prison? | The Register Another pair of articles analyzing the somewhat chilling effect of doing research and finding yourself in jail… do we accept this as a society or not?
5. The New Order: When reading is a crime | The Register
6. Facebook mob trashes £4.4m Spanish villa | The Register Anyone else surprised that the girl didn’t claim it was hackers — and faintly reminiscent of the Craigslist “The contents of this house must go” issue.
7. Bletchley Park and the decay of the museum buildings Plcurecuernxf - fcraq n craal ba gur ravtzn naq fnir gur jbeyq sebz Uvgyre ntnva - be gur npnqrzvp trgf vg.
8. 22 French Hackers Arrested 22 SkriptKiddies singing the Jean Valjean lines from Les Miserables… the horror.
9. USA 2008 : Briefings Schedule All your briefs belong to Jeff Moss
10. Rands In Repose: We Travel in Tribes I’m sneaking this one in to see if you are paying attention - which Diamond Age phyle do you belong to?
11. State of the Internet It’s all about the metrics baby.
12. Red Curtain: An Unsung, Free Security Application Anyone willing to sing in the comments?
13. Computer trained to read minds Neo sez - BLUE PILL, take the frakkin blue one!
14. National Journal Magazine - Chinas Cyber-Militia Good catch Matt Franz - is this responsible journalism or just journalistic asshattery.
15. Did Hackers Cause the 2003 Northeast Blackout? Umm, No | Threat Level from Wired.com And 27/b6 weighs in on the issue… with maybe a little more journalistic integrity.

Tags: News, Daily Links, Security Blog, Information Security, Security News