« Blue Box #65: VoIP fraud case revisited, Black Hat and Defcon presentations, VoIP security, listener comments and more.. | Main | Blue Box #66: Cisco/Grandstream/Thomson VoIP security vulnerabilities, Skype outage, VoiceCon coverage, VoIP security news, listener comments and more.. »

August 24, 2007

Blue Box Video Podcast #01 - SIP softphone exploit demonstration by Sipera Systems at VoiceCon San Francisco 2007

Synopsis: Blue Box Video Edition #1: SIP softphone exploit demonstration by Sipera Systems recorded at VoiceCon San Francisco 2007

Welcome to Blue Box: The VoIP Security Podcast Video Edition #1, a 5-minute video podcast from Dan York showing an exploit of a SIP softphone by Sipera Systems.

In this first video podcast, Dan interviewed Sachin Joglekar, Vulnerability Research Lead for Sipera Systems, about the exploit that Sipera first demonstrated at Black Hat USA 2007 last month in Las Vegas. Sachin shows how by sending a specific SIP packet, he can crash the SIP softphone but in doing so have it execute server code to which he can connect via netcat.  He then has a command prompt on the Windows system and can execute arbitrary commands.  In this case he just copied over some files.  He did indicate that they are working with the vendor of the (unnamed) SIP softphone to correct the problem.

The interview was recorded on the show floor of VoiceCon San Francisco 2007.

Download the show here (MP4, 30MB) or subscribe to the RSS feed to download the show automatically. 

You may also view the show here on this page:

Video thumbnail. Click to play
Click To Play

Comments, suggestions and feedback are welcome either as replies to this post  or via e-mail to blueboxpodcast@gmail.com.  Audio comments sent as attached MP3 files are definitely welcome and will be played in future shows.  You may also call the listener comment line at either +1-206-350-2583 or via SIP to 'bluebox@voipuser.org' to leave a comment there. 

Given that this is our very first "video edition", comments are definitely appreciated.  We may try to do more of these in the future.

Thank you for listening and please do let us know what you think of the show.

P.S. Those of you wanting to know more about how I recorded the video and the tools I used (hint: I just used my Canon point-and-shoot camera) can read my post over on my Disruptive Conversations blog.

Posted by Dan York on August 24, 2007 at 10:14 PM in Blue Box, Podcasts, Video, VoIP Security, VOIPSA |

Technorati Tags: , , , , , , , , , , , , , , ,

TrackBack

TrackBack URL for this entry:
http://www.typepad.com/services/trackback/6a00d8341bfc6e53ef00e54ed106ae8833

Listed below are links to weblogs that reference Blue Box Video Podcast #01 - SIP softphone exploit demonstration by Sipera Systems at VoiceCon San Francisco 2007:

» A VoIP Security attack Demo from VoIP IP Telephony
I think it is good to see the demo podcast presented by Dan York of the “Blue Box: The VoIP Security Podcast”. So follow the links and enjoy the Blog and the podcast! [Read More]

Tracked on August 30, 2007 at 01:40 PM

» Sipera VIPER Labs - Blogging, podcast ahead and ITExpo from Realtime Community | Unified Communications
Sipera Systems is one of the premier providers of security solutions in the unified communications space. Last year I had the pleasure of sharing the stage with Micaela Giuhat from Sipera on a security panel at the ITExpo. This year Eric Winsborrow, Si... [Read More]

Tracked on August 30, 2007 at 02:01 PM

Comments

Very interesting. For things like that, Blue Box Video Podcast is a great idea and add visual demo to the Blue Box Podcast ! I'm 100% for Blue Box Video Podcast ! :-)

Posted by: Yann | September 07, 2007 at 10:16 AM

I'm having trouble getting any audio. What should I be using to play it? VLC doesn't seem to have the audio codecs ...

Posted by: Jim | October 09, 2007 at 09:22 PM

Verify your Comment

Previewing your Comment

Posted by:  | 

This is only a preview. Your comment has not yet been posted.

Working...
Your comment could not be posted. Error type:
Your comment has been saved. Comments are moderated and will not appear until approved by the author. Post another comment

The letters and numbers you entered did not match the image. Please try again.

As a final step before posting your comment, enter the letters and numbers you see in the image below. This prevents automated programs from posting comments.

Having trouble reading this image? View an alternate.

Working...

Post a comment

Comments are moderated, and will not appear until the author has approved them.

The Obligatory Photo

Promote Blue Box!

  • Add this graphic to your site!

Contact Information

Full Disclosure

  • Dan York, CISSP, is the Best Practices Chair of the VOIP Security Alliance (VOIPSA) and the Director of Emerging Communication Technology for Voxeo.

    Jonathan Zar is affiliated with Pingalo and is the Secretary of VOIPSA and member of the Board of Directors.

    This is a personal project and neither Voxeo, Pingalo nor VOIPSA have any formal connection to this podcast. In the interest of transparency we just thought you should know our affiliations.

License

Why "Blue Box"?

  • We chose the name "Blue Box" primarily as a nod to the era of phone phreaking in part to illustrate that threats to telephony are not new - they just continue to change and evolve. That and admittedly the name just sounded cool.

Archives

More...

Categories

VoIP Podroll

Blue Box MP3 Files

Search Blue Box Website

  • Google

    WWW
    blueboxpodcast.com

  • Sign up for Dan's ENews
    * Email
    First Name
    Last Name
    * = Required Field

Recent Posts

Recent Comments

VoIP Security Books