Synopsis: SPIT, Skype security, disposable phone numbers, phishing, VoIP security news, listener comments and more...
Welcome to Blue Box: The VoIP Security Podcast #49, a 55-minute podcast from Dan York and Jonathan Zar covering VoIP security news, comments and opinions.
NOTE: This show was originally recorded January 5, 2007, and was delayed with production issues.
Download the show here (MP3, 23MB) or subscribe to the RSS feed to download the show automatically.
You may also listen to this podcast right now:
Show Content:
- 00:21 - Intro to the show, contact information and how to provide comments. Welcome to all the new listeners - and to all those listeners who have been here for so long! Special welcome to readers who found us through the new Hacking Exposed: VoIP book that was just recently released.
- 03:12 - Programming notes:
- Audio issues with #48 – writing to USB drive
- Dan contributed to Still Secure, After All These Years, Podcast #26 which was a roundup of opinions on security issues from a range of folks
- Show #50 is next week
- 04:37 - VoIP News: How Secure Are Your VoIP Calls – and my response
- 06:07 - Note that Mark Collier has revamped the design of his VoIP Security Blog
- 06:38 - CSO: Security in 2007: Botnets, Threat Convergence and Other Risks – note their casual mention of SPIT and “thousands of messages” – wonder where they got their data from?
- 09:28 - ZDNet: What threats does Skype face? – interview with Skype CSO Kurt Sauer – also Jan Geirnaert’s response
- 15:08 - Jan: How to use the Skype and P2P traffic blocker? Tapping into Skype Traffic with the traffictapper from Lyanda.
- 16:14 - Dark Reading: Voice Cracks
- 18:17 - IT Observer: Voice over IP Under Threat – which was slashdotted
- 20:31 - TechWeb: Phishers’ Latest Platforms: VoIP, SMS
- 21:11 - EnterpriseITPlanet: The Year in Instant Messaging
- 26:28 - Voice of Voipsa: (just quick mentions – we forgot these last week)
- Martyn: Securing the WLAN Link
- Shawn: Skype 3.0 – Your new Romulan phone
- Martyn: Tell Me Your PIN, So I Can Go Shopping
- Dustin: Skype, an Essential Tool for Interrogation (also RealGeek )
- 29:56 - Websense ‘Skype’ Trojan Analysis – followup to our story last week… not VoIP per se but an interesting analysis
- 32:05 - The PhoneBoy Blog: Eating My Words on OpenID
- 34:18 - Zycko: VoIP Security priority for 2007
- 34:50 - Network World: The year ahead: Juggling IT risks, opportunities
- 35:08 - Upcoming shows:
- Jan 23-26, 2007, Ft. Lauderdale, FL, Internet Telephony Conference and Expo – East
- Feb 5-9, 2007, San Francisco, CA, RSA Conference 2007
- Feb 27-Mar 1, 2007, San Francisco, Emerging Telephony 2007
- Mar 1-2, 2007, London, EUSecWest
- Mar 19-21, 2007, San Jose, CA, Spring 2007 VON
- Mar 23-25, Washington, DC, ShmooCon ‘07
- Apr 16-20, Vancouver, BC, Canada CanSecWest 2006
- 35:48 - Comment (audio) about Minnesota Asterisk user group
- 37:36 - Comment (blog) from Aswath Rao
- 39:58 - Comment (blog) from Mark Collier
- 40:07 - Comment (email) from Martyn Davies about ISS report
- 40:34 - Comments-3 (email) from Craig
- 41:52 - Comment (email) from Dave Roper pointing to Disposable Phone Numbers - discussion included Jangl, Private Phone and Craigsnumber
- 48:02 - Comment (email) from Rick McCharles
- 51:32 - Review of the last week's traffic on the VOIPSEC public mailing list
- 52:08 - Wrap-up of the show
- Reminder that you can subscribe to the show via email as well as RSS
- Mention of our Frappr map
- 54:38 - End of show
Comments, suggestions and feedback are welcome either as replies to this post or via e-mail to blueboxpodcast@gmail.com. Audio comments sent as attached MP3 files are definitely welcome and will be played in future shows. You may also call the listener comment line at either 
+1-206-350-2583 or via SIP to 'bluebox@voipuser.org' to leave a comment there.
Thank you for listening and please do let us know what you think of the show.
Hi Dan and Jonathan,
First of all thanks a lot for the great podcast, I learned a lot around VoIP security since I started listening to your shows whilst commuting into London.
I would like to comment on what you said concerning SPIT and the fact that PSTN lines are SPIT-safe.
If you consider the fact that lots of SIP operators offer free calls to most countries on landlines without even any need to pay a one-off fee(like internetcalls which by the way can be used as a SIP trunk as the details of their SIP proxy is made available) and if you also consider all the SIP call generators on the market allowing to generate thousands of calls through SIP trunks to lists of consecutive numbers you realise that it does not take much to bring a PSTN concentrator down !
The need to pay is not even a problem as you can generate calls with a duration shorter than a second and repeat it forever......for free.....to thousands of number simultaneously....
I have not heard of such attacks but I have myself tried the concept in my company (late in the evening ;) and been amazed to see how easy it was to make 40 telephones ring at the same time !
I don't want to give any bad ideas to anyone but I would be surprised if there had not been problems already (especially when you see cracks for easy to use commercial call generators on all the cracks websites....).
The question is how to solve that?? I suppose PSTN operators can't do anything as these calls come into their network from the media gateways of these SIP trunks operators. I am not sure if there are policies in place allowing SIP operators to track fraudulous use of SIP trunks like limitation of concurrent sessions or call attempts per seconds or any SPIT pattern but I am sure there are things to do in that field.
Thanks again for the great work podcast.
Posted by: Tonio | February 07, 2007 at 01:19 PM