Synopsis: Blue Box #78: Cisco IP phone vulnerabilties, WiFi handset insecurity, IETF security-related news, VoIP security news, listener comments and more
Welcome to Blue Box: The VoIP Security Podcast #78, a 40-minute podcast from Dan York and Jonathan Zar covering VoIP security news, comments and opinions.
Download the show here (MP3, 17MB) or subscribe to the RSS feed to download the show automatically.
NOTE: This show was originally recorded on February 25, 2008. Yes, that was two months ago… we know!
You may also listen to this podcast right now:
Show Content:
- 00:20 – Intro to the show, contact information and how to provide comments. Welcome to all the new listeners – and to all those listeners who have been here for so long!
- new comment line +1-415-830-5439
- Special Edition #23 with Sonus Networks
- Squawk Box podcast about voice phishing – also this article Vishing: The Latest, and Greatest, Security Concern
- Cisco: Cisco Unified IP Phone Overflow and DoS Vulnerabilities and Dustin Trammell’s coverage
- ZDNet: Design flaw in wireless VoIP handsets endanger the enterprise followed by Cisco confirms vulnerability in 7921 WiFi IP phone
- Voice of VOIPSA: Slides about P2PSIP security new available
- Voice of VOIPSA: RUCUS mailing list & BOF
- Voice of VOIPSA: End-to-end VoIP security using DTLS-SRTP
- Also a whole bunch on SIP Identity
- SIP Torture Tests for IPv6 now out in RFC 5118
- SIP Usage Scenarios Similar to SPIT
- SPEERMINT Security BCPs
- SIP Identity Baiting Attack
- Concerns around Applicability of RFC 4474
- VoIP Hopper 0.9.9 released (site ) – Thanks to Frank Leonhardt for the info.
- VoIP News: Is Someone Listening to Your VoIP Calls? (linked to from ZDNet )
- ZDNet: Cracking GSM
- TMCnet- Practicing Safe OCS
- TMCnet- Security Attack of the Day (Tom Cross starts blogging for TMCnet)
- Speaking of Tom, Techtionary.com Releases SIP Security Checklist
- Voice of VOIPSA: SIPTap Author forms VoIP Security Company (by Craig Bowser!)
- Voice of VOIPSA: Underpowered Hardware
- Project Spider – about SPIT
- CBC: Bell recovers stolen data on 3.4 million customers
- Comment (email) from Larry Farmer
- Comment (email) from Shlomo Dubrowin
- Comment (email) about SE #23
- Review of the last week’s traffic on the VOIPSEC public mailing list
- Wrap-up of the show
- 40:01 – End of show
Comments, suggestions and feedback are welcome either as replies to this post or via e-mail to blueboxpodcast@gmail.com. Audio comments sent as attached MP3 files are definitely welcome and will be played in future shows. You may also call the listener comment line at either +1-415-830-5439 or via SIP to ‘bluebox@voipuser.org‘ to leave a comment there.
Thank you for listening and please do let us know what you think of the show.
Your ID on legitimate traffic that resembles SPIT points out the ironic situation that vocal proponents of “Stupid Network” are in the process of introducing intelligence in the Middle. My position is that it should be handled only at the ends. If you take the recommendation of RFC 5039, we need three things – strong authentication, white list and an “external” introduction scheme. I recommend that we use OpenID for authentication and request those ID providers to mediate “letters” like iName providers do. For quick reference if you want to send an email to me when you know only my iName, then you send the note via a web page to my provider who will ensure that it is not from a bot and will forward it to me; I can send my reply via the provider as well. This way the dependence on the Middle is sufficiently minimized and there is no concern about the Middle being over eager and impacting legitimate scenarios that you identify. We have implemented such a scheme in EnThinnai.