Synopsis: Blue Box #73: SIP security issues at IETF 70, Skype security, vulnerabilities in Cisco and Nokia phones, Vietnam's cyberdissidents, VoIP security news, listener comments and more...

---

Welcome to Blue Box: The VoIP Security Podcast #73, a 44-minute podcast  from Dan York and Jonathan Zar covering VoIP security news, comments and opinions.   

Download the show here (MP3, 20MB) or subscribe to the RSS feed to download the show automatically. 

You may also listen to this podcast right now:

NOTE: This show was recorded on December 11, 2007.

Show Content:

• 00:20 - Intro to the show, contact information and how to provide comments.  Welcome to all the new listeners - and to all those listeners who have been here for so long! 
• Voice of VOIPSA: Skype fixes flaw in Windows version
• Cisco 7940 Denial of Service
• Nokia N95 Remote Denial of Service using the SIP Stack
• Network World: VoIP Security Lessons Microsoft OCS Can Learn From Vonage and Others pointing over to series of posts on the Telecosm blog and the start of a series on VoIP security including DoS and anonymity
• VoIP News: Not Waiting For the Big One
• TechWorld: VoIP is the next big hack (follow up on Peter Cox)
• Globe and Mail: Cyberdissidents weaving along new path
• National Security Agency Certifies New Sectra vIPer Phone by General Dynamics for Top Secret Communications (sent in by Peter Thermos)
• Websense Predicts 2008’s Top Ten Security Threats
• International Telephone Services Company Deploys Secure Computing’s Sidewinder to Protect VoIP Communications
• Feature –  IETF 70
  • IETF 70 Agenda
  • Security a major discussion point
  • Media control – requirements and architecture to need more security work
  • SPEERMINT - Saverio Niccolini will bring security document back through
  • SIPPING - Spam Score and SRTP Key Disclosure and Updates to Asserted Identity – also covered in SPITting in your general direction
  • SIP - Media Identity and DTLS Framework
  • MMUSIC - big news was that ICE is now in the queue to be issued as an RFC
  • BEHAVE - TURN
  • P2PSIP – interesting discussion on NAT in P2P SIP and security in P2P SIP
• Comment (email) from Frank Leonhardt
• Comment (email) from Rhodri Davies
• Comment (email) from Peter Thermos
• Comment (email) from Ben Penson
• Review of the last week's traffic on the VOIPSEC public mailing list 
• Wrap-up of the show
• 44:28 - End of show 

Comments, suggestions and feedback are welcome either as replies to this post  or via e-mail to blueboxpodcast@gmail.com.  Audio comments sent as attached MP3 files are definitely welcome and will be played in future shows.  You may also call the listener comment line at either +1-415-830-5439 or via SIP to 'bluebox@voipuser.org' to leave a comment there. 

Thank you for listening and please do let us know what you think of the show.

Synopsis: Interview about SIP NAT Traversal with Dr. Jonathan Rosenberg, Cisco Fellow and author of many RFCs and Internet-Drafts related to SIP for the Internet Engineering Task Force (IETF).

---

Welcome to Blue Box: The VoIP Security Podcast Special Edition #20, a 25-minute interview with Dr. Jonathan Rosenberg about SIP and NAT Traversal.  Recorded at Interop New York in October 2007.

Download the show here (MP3, 13MB) or subscribe to the RSS feed to download the show automatically.

You may also listen to this podcast right now:

---

Show Content:

In this Special Edition, I sat down with Dr. Jonathan Roseberg at Interop New York in October 2007 to talk about SIP NAT Traversal. Jonathan, a Cisco Fellow, has authored many RFCs related to SIP for the Internet Engineering Task Force (IETF) and in fact was a co-author of RFC 3261, the original specification for the SIP protocol.  He is also the author of "The Hitchhiker's Guide to SIP", a document that aims to help people find their way through all the many documents that today make up what we call "SIP".

For the past few years, Jonathan has been extremely involved in the whole issue of SIP and NAT traversal and has authored several of the major Internet-Drafts on the issue.  In this interview, we discuss:

• What the issue is with SIP and NAT traversal
• How ALGs and SBCs attempt to solve the problem
• Methods that have been developed by the IETF, specifically:
  • STUN
  • TURN
  • ICE
• The role of ICE going forward, who is supporting it, etc.

I believe you will find it a very educational session and very helpful in understanding this major issue with regard to SIP.  We thank Jonathan Rosenberg for his time.

If you enjoy this show, we would also suggest you go back and listen to Blue Box Special Edition #20, our interview with Cullen Jennings about SIP security.  The two shows complement each other extremely well and provide a solid understanding of the current state of SIP security.

Comments, suggestions and feedback are welcome either as replies to this post  or via e-mail to blueboxpodcast@gmail.com.  Audio comments sent as attached MP3 files are definitely welcome and will be played in future shows.  You may also call the listener comment line at either +1-415-830-5439 or via SIP to 'bluebox@voipuser.org' to leave a comment there.

Thank you for listening and please do let us know what you think of the show.

Here is our new comment line number: +1-415-830-5439.

Here's the story...

To my immense annoyance, it seems that we have once again lost our K7.net call-in number for comments: +1-206-350-7280. That isn't the bad part, really... what annoys me most is that the number still appears to work! You can call it up and leave a message, but if it goes anywhere, it is not going to us! In the past, when we've lost our K7 number, the number has been inactive to some period of time, so callers just got a message saying that the number was no longer in use. Now it appears that the number has been reallocated already - or at least is accepting calls.

So please do not call that number!

I'm going to use this failure as an opportunity to completely drop our usage of K7.net. K7.net is a "unified messaging" service that is widely used by podcasters because it provides a very simple and easy - and free - service: Callers call in to a phone number, leave a message, and then you receive an email with the comment attached as a WAV file. It is great for a podcaster. Simple. Easy. Just works.

However, there is this wee minor little detail that is shown in the terms of service at the bottom of the sign-up page:

If a K7 number is inactive for 30 days (use is determined as a voice message or fax message to that number) , we may terminate the account for non-use.

This has been the bane of many podcaster's existence. If you don't get a call in 30 days, you lose your number. This impacts podcasters, especially, because our shows may live on out there on the Internet for an incredibly long time. You can still download Blue Box podcast #1 from two years ago which has the wrong comment line included (in fact, it is 2 or 3 numbers ago). So losing your number is really quite bad from a community-building point-of-view. If you put out frequent shows and get frequent comments, this usually isn't a problem. However, if you are a show like ours where we've been only doing maybe two shows a month it may be more of a challenge. I know that here in New England, the New England Podcasters group was instituting a "reminder day" where it was a monthly day to call your comment line to be sure you kept it. In any event, we seem to have lost our number.

Now, I can't really complain about the service because it is free and the K7 folks have always been very up front about the termination for non-use clause. All I can really do is find another alternative.

I have now done so. My new employer, Voxeo, has a website for developers called evolution.voxeo.com where you can create voice applications in several different XML variants (VoiceXML, CCXML or Voxeo's own CallXML). You can create a free developer account and with that you can create apps that have their own inbound phone number. For free. Anyone can do so. There is, at least currently, no expiration date or termination clause for non-use (although the terms of use do of course indicate that Voxeo can change or revoke the numbers at any time). So what's the catch? Well, Voxeo hopes that you like to develop apps on our platform so much that ultimately you'll need our hosting services for your applications.

So I've created my own little experiment in the form of a new comment line: +1-415-830-5439.

Right now it's just a computer-generated voice but I'll add in my own prompts soon. Interestingly, this number is also reachable via some other phone numbers:

• Skype: +99000936 9992002622
• FWD: **86919992002622
• SIP: sip:9992002622@sip.voxeo.net

And while we are NOT going to switch from using our SIP "bluebox@voipuser.org" address, it's nice to know that it is available.

Since I know many of our listeners like to know the code underneath things, here is the full text of my "application" that does this:

<?xml version="1.0" encoding="UTF-8"?> 
<callxml version="2.0"> 
<block> 
<text> Thank you for the calling the comment line for Blue Box, The Voice over IP Security Podcast.  Please leave your comment after the tone.  Thank you.</text> 
<recordaudio maxtime="3m" value="mailto:blueboxpodcast@gmail.com?subject= 
Voicemail message - listener comment&fromname= 
Voxeo Messaging&fromaddress= 
dyork@lodestar2.com&body= 
Voicemail message&filename=comments.wav"/> 
</block> 
</callxml>

It uses Voxeo's own CallXML language which was developed before VoiceXML and CCXML (Call Control XML) were standardized. Why did I use CallXML versus VoiceXML and CCXML? Primarily because I wanted to learn CallXML - and also, frankly, because it seemed to have the easiest commands to do what I was trying to do. It basically says a piece of text and then records up to 3 minutes of audio and emails it to our standard comment line. Ta da... same thing as I was doing with K7.net, but without the annoying termination after 30 days of non-use.

Anyway, that's the new number and the story behind it. Hopefully I won't be changing it again anytime soon!

Technorati Tags: blue box, bluebox, k7.net, voxeo

Synopsis: Blue Box #72: Asterisk security vulnerabilities, Skype and the German government, VoIP security news, listener comments and more

---

Welcome to Blue Box: The VoIP Security Podcast #72, a 25-minute podcast  from Dan York and Jonathan Zar covering VoIP security news, comments and opinions.   

Download the show here (MP3, 11MB) or subscribe to the RSS feed to download the show automatically. 

You may also listen to this podcast right now:

NOTE: This show was recorded on November 30, 2007.

Show Content:

• 00:20 - Intro to the show, contact information and how to provide comments.  Welcome to all the new listeners - and to all those listeners who have been here for so long! 
• - AST-2007-025 – Asterisk – SQL Injection issue in res_config_pgsql
• - AST-2007-026 – Asterisk SQL Injection issue in cdr_pgsql
• - TechWorld: Expert scares world with VoIP hacking proof pointing to SIPtap - Articles also in ComputerWorld
• - Wired: Skype encryption baffles German police – also in The Register and TechDirt
• - VoIP News: Why Nobody’s VoIP is Secure
• - PC World: ‘Swatters’ Trick AT&T’
• - Comment (email) from Shawn Merdinger
• - Comment (email) from Yann Cloatre
• - Comment (email) from Miguel Garcia
• - Comment (email) from Roel Villarius about Dutch spam filter
• - Review of the last week's traffic on the VOIPSEC public mailing list 
• - Wrap-up of the show
• 25:27 - End of show 

Comments, suggestions and feedback are welcome either as replies to this post  or via e-mail to blueboxpodcast@gmail.com.  Audio comments sent as attached MP3 files are definitely welcome and will be played in future shows.  You may also call the listener comment line at either +1-206-350-7280 +1-415-830-5439 or via SIP to 'bluebox@voipuser.org' to leave a comment there. 

Thank you for listening and please do let us know what you think of the show.

In preparing for an upcoming Blue Box episode, I happened to come across an article on the IEEE Security & Privacy site which pointed me to an interesting new security podcast called "The Silver Bullet Security Podcast with Gary McGraw". It is apparently a joint project of security firm Cigital and the IEEE Security & Privacy Magazine. The regular show page is at www.cigital.com/silverbullet/ and includes a place there for comments and feedback. They just rolled out episode 20 and in looking back through the episodes they seem to have interviewed some great folks in the security space. Some of the predictable "big names" like Dan Geer, Marcus Ranum, Eugene Spafford and Bruce Schneier, but also folks like Dorothy Denning whose name was quite popular in the Clipper Chip days but then of whom I personally had heard little else since. Also folks from companies like Cisco and Microsoft and a number of professors from academic institutions. Looks to be a nice addition to the range of security podcasts out there and it has joined my subscription list.

Synopsis: Blue Box #71: VLAN Hopping, SIP Digest vulnerability, VoIP security hype, Skype security, Google's latest moves, listener comments and much more...

---

Welcome to Blue Box: The VoIP Security Podcast #71, a 51-minute podcast  from Dan York and Jonathan Zar covering VoIP security news, comments and opinions.   

Download the show here (MP3, 21MB) or subscribe to the RSS feed to download the show automatically. 

You may also listen to this podcast right now:

NOTE: This show was recorded on November 8, 2007.

Show Content:

• 00:20 - Intro to the show, contact information and how to provide comments.  Welcome to all the new listeners - and to all those listeners who have been here for so long! 
• SIP Digest Access Authentication RELAY-ATTACK for Toll-Fraud
• VoiceCon ENews: VoIP Security Update (about my talk at Interop)
• Telecom Junkies episode about VLAN Hopping
• Network World: VoIP security notices show security remains a multi-vendor issue – also TechRepublic article about VoIP Hopper
• Network World: VoIP security industry: Guilty as charged (Plus, 10 nasty questions to ask your VoIP supplier)
• VoIP-News.com: Vonage Security Problems May Be Just the Start
• The Ethical Hacker Network: Fun with Online VoIP Hacking
• SearchVoIP: Unified communications security vulnerabilities
• SecurityPark: Seeing through the VoIP security hype
• The Guardian: Why VoIP is the next target for spammers
• Skype Blog: Skype for Mac on Leopard (note comments about embracing security)
• Voice of VOIPSA: Isolation vs. Integration (Dustin Trammell)
• Converge!Network Digest: The Future IC/UC Net Will Be Federated (by Acme Packet)
• TMCNet: Telecom Italia Sparke Enhances VoIP Services with Acme Packet
• Mark Collier: VoIP Training Courses – he also has made available his presentation on security that he recently gave at AT&T’s Focus Conference.
• InfoWorld: Vetting the quality of VoIP (follow-on to The lie that is Voice over IP )
• Comment (email) from Matt Hillman about http://www.podcastersmeetup.com/ at ShmooCon Feb 15-17 in DC
• Comment (audio) from Mohammad Halawah
• Comment (email) from Frank Leonhardt
• Comment (email) from Josef Janitor
• - Review of the last week's traffic on the VOIPSEC public mailing list 
• - Wrap-up of the show
• - End of show 

Comments, suggestions and feedback are welcome either as replies to this post  or via e-mail to blueboxpodcast@gmail.com.  Audio comments sent as attached MP3 files are definitely welcome and will be played in future shows.  You may also call the listener comment line at either +1-206-350-7280 or via SIP to 'bluebox@voipuser.org' to leave a comment there. 

Thank you for listening and please do let us know what you think of the show.