September 03, 2008

Blue Box SE#026 - Astricon 2007 presentation on VoIP security and Asterisk

Synopsis:  Blue Box Special Edition #26: Astricon 2007 presentation - "Hacking and Attacking VoIP Systems: What you need to worry about"


Welcome to Blue Box: The VoIP Security Podcast Special Edition #26, a 55-minute podcast  from Dan York and Jonathan Zar covering VoIP security news, comments and opinions.   

Download the show here (MP3, 6MB) or subscribe to the RSS feed to download the show automatically. 

Show Content:

A year ago in September 2007, I (Dan York) spoke at Astricon 2007 in Arizona, USA, about "Hacking and Attacking VoIP Systems: What You Need To Worry About." My presentation covered a lot of the typical VoIP security threats, tools and best practices but also expanded a bit into specific security issues with Asterisk.  Please do keep in mind that it has been a year since this presentation and so some of the issues I mention have been addressed. (Astricon, for those who don't know, is an annual developer conference for those who work with the Asterisk open source telephony platform. Astricon 2008 is, in fact, coming up in about 3 weeks but I will not be attending this year.)

The slides for this talk are available from Slideshare:

(And yes, at some point I'll sync the audio with the slides.)

Production assistance on this Special Edition was provided by Michael Graves who had a very tough task given the poor quality of the recording that I gave to him!  Kudos to Michael for getting it to sound as good as it does.

Comments, suggestions and feedback are welcome either as replies to this post  or via e-mail to blueboxpodcast@gmail.com.  Audio comments sent as attached MP3 files are definitely welcome and will be played in future shows.  You may also call the listener comment line at either +1-415-830-5439 or via SIP to 'bluebox@voipuser.org' to leave a comment there. 

Thank you for listening and please do let us know what you think of the show.

July 14, 2008

FYI - I'll be out at O'Reilly's OSCON next week in Portland talking about voice mashups...

If any of you reading this will be out at O'Reilly's OSCON Open Source Convention next week (July 21-25) in Portland, Oregon, I (Dan York) will be there giving a talk on Wednesday on "Mashing Up Voice and the Web Through Open Source and XML". Here's the abstract:
With over 4.5 billion mobile and fixed phones out there as of November 2007, the phone represents the most ubiquitous user interface out there. As “mashups” on the Web let us quickly and easily access information from multiple data sources, how do we extend those mashups to the world of the phone? How do we bring the old world of voice and telephony into the new world of the Web, social networks, and social media? And how do we do that using open source tools and open standards?

If any of you will be attending, please do drop me a note as I always enjoy meeting up with people who read this blog. If you are not attending but are interested, it's not too late... you can still register at the OSCON site. Should be a great convention for those interested in open source development. The schedule is pretty amazing as it truly has a collection of some of the best folks out there in the open source world. (The convention starts on Wednesday with Monday and Tuesday being for tutorials.) I'm definitely looking forward to the event!

September 25, 2007

FYI - I'm out at AstriCon in Arizona (and looking for Asterisk security feedback over on the VOIPSA weblog)

FYI, I'm currently out at the Asterisk conference, AstriCon, in Phoenix, Arizona through Thursday night. If any listeners are also here at the show, please do drop a note as I'm always interested in meeting listeners face-to-face.

Also, over on the Voice of VOIPSA weblog, I've posted the question: "What would your 'security roadmap' for Asterisk be?" I'm giving a talk on the subject on Thursday and would welcome any feedback.

August 06, 2007

Blue Box SE #19: "The Real Risks of VoIP Security" panel at VON Europe 2007 in Stockholm, Sweden, featuring Martyn Davies, Ari Takanen, Cullen Jennings and Akif Arsoy

Synopsis: "The Real Risks of VoIP Security" panel session at VON Europe in Stockholm, Sweden, in June 2007.  Moderated by Blue Box contributor Martyn Davies, the panel included Ari Takanen of Codenomicon, Cullen Jennings of Cisco and Akif Arsoy of Verisign.


Welcome to Blue Box: The VoIP Security Podcast Special Edition #19, a 55-minute podcast of the panel session "The Real Risks of VoIP Security" from VON Europe 2007 in Stockholm, Sweden, in June 2007.

Download the show here (MP3, 25MB) or subscribe to the RSS feed to download the show automatically.

Show Content:

In this Special Edition, we bring you a recording of the panel session at VON Europe in Stockholm, Sweden, in June 2007.  Longtime Blue Box contributor Martyn Davies moderated the panel which included Ari Takanen of Codenomicon, Cullen Jennings of Cisco and Akif Arsoy of Verisign.  Rather than going with canned presentations of slides, the panel was a conversation among the panelists based on questions that Martyn had as well as questions from the audience.  I think you will find it both enjoyable and educational.

The members of the panel are, left-to-right, Martyn Davies (Dialogic), moderator, Ari Takanen (Codenomicon), Cullen Jennings (Cisco) and Akif Arsoy (Verisign):

               

We thank Martyn for contributing this recording and also compliment him on what is one of the best conference recordings we've ever offered as far as audio quality goes.  Dan also thanks Cullen Jennings for standing in for him when Dan was suddenly unable to attend Podcamp Europe.

Comments, suggestions and feedback are welcome either as replies to this post  or via e-mail to blueboxpodcast@gmail.com.  Audio comments sent as attached MP3 files are definitely welcome and will be played in future shows.  You may also call the listener comment line at either +1-206-350-2583 or via SIP to 'bluebox@voipuser.org' to leave a comment there.

Thank you for listening and please do let us know what you think of the show.

July 26, 2007

Anyone attending Black Hat or Defcon interested in providing reports into the Blue Box podcast?

Are you attending Black Hat next week in Las Vegas (July 29-Aug 2)? Or the Defcon show that follows? If so, would you be willing to provide a report (either audio or written) for us to include in a future Blue Box podcast (or potentially post on the VOIPSA blog)? Neither Jonathan nor I (nor Martyn) are going to be attending Black Hat or Defcon but there do look to be a number of quite interesting talks involving VoIP security.  If you would be willing to send in a report from Black Hat or Defcon just briefly talking about what is discussed at the sessions there, please do drop us an email as we'd love to have such contributions.

FYI, if you want to try audio, contributions could be either: 1) recorded using something like Audacity and then sent by email; or 2) simply called into our comment line (+1-206-350-2583 or sip:bluebox@voipuser.org).

July 25, 2007

ETel "Black Bag" Security presentations now available with audio synced to slides (through "slidecasting")...

Have you ever wished you could know when the slides are being changed when you listen to one of our Special Edition podcasts?  Well, now you can courtesy of a new "slidecasting" interface made available from the folks at SlideShare.net.  I have now made available synced versions of Blue Box SE#15 and Blue Box SE#16 as shown in the embedded objects below.  SE#15 is, to me, a great example of the power of SlideShare's syncing interface.  It is about 243 slides in 15 minutes and without the sync, it's not as easy to see how the slides are used to support the story.  SE#16 is the much-longer 90-minute workshop that Jonathan, Shawn Merdinger and I did which again shows how the slide sync can be used in a longer setting.  In any event, you can check them out in the embedded shows below.  First the 15-minute "Black Bag Security Review":

And then here is our 90-minute workshop:

We would naturally love to hear your feedback about whether you find this useful.  We anticipate putting up future presentations in this fashion.  What do you think?

June 11, 2007

Update: Dan is NOT at VON Europe in Stockholm - but the Blue Box dinner will go ahead

Well, sometimes "life" intervenes in the best of plans.  As I wrote on my Disruptive Telephony blog, I will now very unfortunately NOT be attending VON Europe in Stockholm.  However, the Blue Box dinner planned for tonight will go ahead with Martyn Davies, Dean Elwood and about a dozen others.  I've already let Martyn know that I expect to get a good recorded segment out of it for inclusion in a future podcast!  :-)  

As for my Thursday panel on VoIP security that Martyn is moderating, Cullen Jennings from Cisco has agreed to step in.  Cullen is the IETF Area Director for real-time applications... so essentially everything related to SIP rolls up to him, including VoIP security in the standards world.  I know from our many discussions that Cullen has a very strong interest in security, so the panel discussion should be quite a good one.

I'm very disappointed that I won't be able to be there to be part of the dinner or panel, but I'm looking forward to hearing how they all go.

April 23, 2007

If any listeners will be at InfoSec 2007 in London this week, Martyn and Frank will be there...

If any Blue Box listeners are going to be at the InfoSec 2007 conference this week in London,  Frank Leonhardt will be there on Wednesday and Martyn Davies will be there on Thursday. If you would like to connect with either Frank or Martyn, leave a message here and we'll be sure they get it.

April 02, 2007

Blue Box SE #17: Interview with Saverio Niccolini from NEC about efforts to combat SPIT

Synopsis: Interview with Saverio Niccolini from NEC about efforts to combat SPIT.


Welcome to Blue Box: The VoIP Security Podcast Special Edition #17, a 9-minute podcast of an interview by Martyn Davies of Saverio Niccolini from NEC about efforts to combat Spam-for-Internet-Telephony (SPIT). The interview took place at the 3GSM World Congress 2007 held February 12-15, 2007, in Barcelona, Spain.

Download the show here (MP3, 4MB) or subscribe to the RSS feed to download the show automatically.

Show Content:

At the 3GSM World Congress 2007, Blue Box contributor Martyn Davies had a chance to record an interview with Saverio Niccolini about NEC's efforts to combat Spam for Internet Telephony (SPIT).  Specifically, they discussed NEC's new program VOIPSEAL, the prototype of which was unveiled at the 3GSM conference. Saverio is a Senior Research Staff Member in the Network Laboratories at NEC (www.netlab.nec.de).

Saverio has provided the following links for additional information about the VOIP SEAL solution:

We thank Martyn for contributing this interview and Saverio for his participation.

Comments, suggestions and feedback are welcome either as replies to this post  or via e-mail to blueboxpodcast@gmail.com.  Audio comments sent as attached MP3 files are definitely welcome and will be played in future shows.  You may also call the listener comment line at either +1-206-350-2583 or via SIP to 'bluebox@voipuser.org' to leave a comment there.

Thank you for listening and please do let us know what you think of the show.

March 13, 2007

Blue Box SE #16: ETel 2007 - The Black Bag Security Briefing with Dan York, Jonathan Zar and Shawn Merdinger

Synopsis: Emerging Telephony 2007 Workshop by Blue Box co-hosts Dan York and Jonathan Zar and security researcher Shawn Merdinger called the "Black Bag Security Briefing" covering VoIP security threats, tools and best practices.


Welcome to Blue Box: The VoIP Security Podcast Special Edition #16, a 91-minute podcast of a workshop presentation by Blue Box co-hosts Dan York and Jonathan Zar along with security researcher Shawn Merdinger called the "Black Bag Security Briefing" at O'Reilly's Emerging Telephony Conference on February 27, 2007.

Download the show here (MP3, 43MB) or subscribe to the RSS feed to download the show automatically.

Show Content:

At O'Reilly's 2007 Emerging Telephony conference last week in San Francisco, Jonathan, Shawn Merdinger and I presented a 90-minute workshop in which we discussed the threats to VoIP security, the tools out there to test/defend your network and the best practices for securing VoIP systems.  We had a great audience that also included folks like blogger/podcaster Ken Camp and IETF RAI Area Director Cullen Jennings. This is a recording of the full session including the Q&A.

Slides will be available soon.

Comments, suggestions and feedback are welcome either as replies to this post  or via e-mail to blueboxpodcast@gmail.com.  Audio comments sent as attached MP3 files are definitely welcome and will be played in future shows.  You may also call the listener comment line at either +1-206-350-2583 or via SIP to 'bluebox@voipuser.org' to leave a comment there.

Thank you for listening and please do let us know what you think of the show.


Full Disclosure

  • Dan York, CISSP, is the Best Practices Chair of the VOIP Security Alliance (VOIPSA) and the Director of Emerging Communication Technology for Voxeo.

    Jonathan Zar is affiliated with Pingalo and is the Secretary of VOIPSA and member of the Board of Directors.

    This is a personal project and neither Voxeo, Pingalo nor VOIPSA have any formal connection to this podcast. In the interest of transparency we just thought you should know our affiliations.

Why "Blue Box"?

  • We chose the name "Blue Box" primarily as a nod to the era of phone phreaking in part to illustrate that threats to telephony are not new - they just continue to change and evolve. That and admittedly the name just sounded cool.
