Synopsis:  Blue Box #79: Asterisk vulnerabilities, VoiceCon/VON coverage, eavesdropping, FBI, ZFone, P2P, VoIP security news and more

Welcome to Blue Box: The VoIP Security Podcast #78, a 32-minute podcast  from Dan York and Jonathan Zar covering VoIP security news, comments and opinions.   

Download the show here (MP3, 15MB) or subscribe to the RSS feed to download the show automatically. 

NOTE: This show was originally recorded on March 27, 2008. Yes, that was over two months ago… we know…

You may also listen to this podcast right now:

Show Content:

• 00:20 – Intro to the show, contact information and how to provide comments.  Welcome to all the new listeners – and to all those listeners who have been here for so long! 
• MANY thanks for all the offers of audio production assistance
• Dan met with Craig Bowser down at VoiceCon, also David Endler, Mark Collier, etc.
• Jonathan met with Dean Elwood, Martyn Davies, etc.
• Four Asterisk vulnerabilities
• The Economist: Bugging The Cloud
• Forbes: How to Make Your Phone Untappable
• VoIP News: VoIP: Who Might Be Spying on Your Communications? (Hint – It’s Not Just the NSA
• VoIP News: Listen Up: 17 Signs That You Are Being Wiretapped
• eChannelLine: Businesses lagging in securing VoIP (also ComputerWeekly.com and news release )
• eChannelLine: Ingate launches enhanced security for VoIP and SIP (also Enterprise VoIPPlanet )
• Voice of VOIPSA: Hacking Zyxel Gateways
• Voice of VOIPSA: Vishing Attacks
• Voice of VOIPSA: FBI VoIP Surveillance Requirements Leaked (also in FierceVoIP and Slashdot )
• Voice of VOIPSA: Hackers Send Thousands of Fake Calls to Deaf People
• SnapVoIP: Unified Communications in Virtual Worlds to Solve ‘Tower of Babel’ for Intelligence Agencies
• Israeli-made Cryptophone attracts world spy agencies pointing to product site
• BlogInfoSec.com: Save The Whales (about a new form of phishing)
• Network Computing: Your Data and the P2P Peril
• NetQoS: VoIP Monitor 1.1 released
• PC World: FaceTime Security Product Scans Skype’s Encrypted IM and news release
• Sipera IPCS Solution for Teleworkers Rated ‘Avaya Compliant’
• Extreme Networks Boosts Security for Converged Voice and Data Networks with New Tools
• Review of the last week’s traffic on the VOIPSEC public mailing list 
• Wrap-up of the show
• 32:27 – End of show 

Comments, suggestions and feedback are welcome either as replies to this post  or via e-mail to blueboxpodcast@gmail.com.  Audio comments sent as attached MP3 files are definitely welcome and will be played in future shows.  You may also call the listener comment line at either +1-415-830-5439 or via SIP to ‘bluebox@voipuser.org‘ to leave a comment there. 

Thank you for listening and please do let us know what you think of the show.

Synopsis: Special Edition #24: An Update on Blue Box, upcoming shows and a request regarding production assistance

Welcome to Blue Box: The VoIP Security Podcast Special Edition #24, a 17-minute update on the status of Blue Box episodes, the shows we are attending and a request regarding production assistance.

Download the show here (MP3, 8MB) or subscribe to the RSS feed to download the show automatically.

You may also listen to this podcast right now:

Show Content:

In this special edition, we provide an update on the status of Blue Box episodes and our travel schedule over the next few weeks.  Specifically:

• IETF-71, March 10-14, Philadelphia, PA, USA
  • Dan will be at IETF 71 next week attending the sessions related to Real-time Applications and Infrastructure (RAI)
  • There will be audio streaming and IM chatrooms if you you would like to listen in to IETF sessions. Watch the VOIPSA blog for more information.

• VON.x, March 17-20, San Jose, CA, USA
  • Jonathan will be attending
  • The will be a dinner on Tuesday evening, March 18th, hosted by Dean Elwood to which Blue Box listeners are invited. Please RSVP by this coming Wednesday, March 12th, preferably in the Facebook event or if you avoid Facebook via email to Dean. Jonathan will be there as well as Martyn Davies and a number of VoIP bloggers and other interesting folks.

• VoiceCon Orlando, March 17-20, Orlando, FL, USA
  • Dan will be attending and moderating two panels (voip security and open source) and participating in a keynote panel on social networking and enterprise communications.
  • Dan is looking to set up a dinner, probably on Tuesday evening. Watch the blog for more info.
  • Longtime listener and commenter Craig Bowser will also be there.

We also discussed the challenges we are experiencing finding the time to do post-production on all the recordings we are making of interviews and panels to turn them into Special Editions. To that end, we are wondering if any listeners would be willing to assist in the post-production of some of these recordings. More information is available on the Blue Box website (and obviously in the podcast).

Comments, suggestions and feedback are welcome either as replies to this post  or via e-mail to blueboxpodcast@gmail.com.  Audio comments sent as attached MP3 files are definitely welcome and will be played in future shows.  You may also call the listener comment line at either +1-415-830-5439 or via SIP to ‘bluebox@voipuser.org‘ to leave a comment there.

Thank you for listening and please do let us know what you think of the show.

Synopsis: Interview with Bob Bradley of Sonus Networks

Welcome to Blue Box: The VoIP Security Podcast Special Edition #23, a 19-minute interview with Bill Bradley, Product Line Manager for Security Solutions at Sonus Networks.  Recorded at Fall VON in Boston at the end of October 2007.

Download the show here (MP3, 9MB) or subscribe to the RSS feed to download the show automatically.

You may also listen to this podcast right now:

Show Content:

In this Special Edition, I sat down with Bob Bradley, Product Line Manager for Security Solutions at Sonus Networks to talk about their products and how they protect VoIP and other traffic. In particular we discussed the Sonus Network Border Switch including how it fits into network installations and how it is different from other similar products on the market.  We also covered some general issues around SIP security and talked about the company in general.

I will candidly admit that I was not very aware of Sonus’ solutions prior to this podcast, but since this time I’ve found their products running in a range of places I had not noticed them before.  I believe you all will find this a useful introduction to an interesting company and useful solutions.

Comments, suggestions and feedback are welcome either as replies to this post  or via e-mail to blueboxpodcast@gmail.com.  Audio comments sent as attached MP3 files are definitely welcome and will be played in future shows.  You may also call the listener comment line at either +1-415-830-5439 or via SIP to ‘bluebox@voipuser.org‘ to leave a comment there.

Thank you for listening and please do let us know what you think of the show.

Synopsis: Blue Box #75: Asterisk vulnerability, SANS paper on VoIP security, SPIT, tons of listener comments and much more…

Welcome to Blue Box: The VoIP Security Podcast #75, a 38-minute podcast  from Dan York and Jonathan Zar covering VoIP security news, comments and opinions.   

Download the show here (MP3, 17MB) or subscribe to the RSS feed to download the show automatically. 

You may also listen to this podcast right now:

Show Content:

• 00:20 – Intro to the show, contact information and how to provide comments.  Welcome to all the new listeners – and to all those listeners who have been here for so long! 
• new comment line +1-415-830-5439
• AST-2008-001: Remote Crash Vulnerability in SIP channel driver
• Voice of VOIPSA: IETF seeking feedback on ‘Requirements from SIP Session Border Controller Deployments’
• SANS paper on VoIP Security pointing to actual paper
• ComputerWorld: Security dominates 2008 IT agenda
• TechCentral.ie: Coming Together – 8 for 2008
• SecurityPark: IT managers complacent about VoIP infrastructure security threats
• TechRepublic: SPAM and SPIT: what are the dangers? pointing to Does UC present new opportunities for spammers?
• VoIP-News: The VoIP-News Top 25 VoIP Blogs of 2007
• List of VoIP Hacking software
• ITworld.com: IT job skills that matter now (see the first line of the sidebar)
• Comment (audio) from Frank Leonhardt
• Comment (blog) from Raffi
  welcome_to_blue.html#comment-96147586 about Blue Box #73
• Comment (blog) from Aswath
• Comment (email) from Ben Penson
• Comment (email) from Shawn Merdinger
• Comment (email) from Jon Farmer
• Comment (email) from Shlomo Dubrowin
• Comment (email) from someone seeking assistance in southern California
• Review of the last week’s traffic on the VOIPSEC public mailing list 
• Wrap-up of the show
• 43:57 – End of show 

Comments, suggestions and feedback are welcome either as replies to this post  or via e-mail to blueboxpodcast@gmail.com.  Audio comments sent as attached MP3 files are definitely welcome and will be played in future shows.  You may also call the listener comment line at either +1-415-830-5439 or via SIP to ‘bluebox@voipuser.org‘ to leave a comment there. 

Thank you for listening and please do let us know what you think of the show.

Synopsis: Blue Box #74: 2008 Crystal Ball Edition, Asterisk and Trixbox vulnerabilities, top 10 lists, VoIP security trends for 2008 and more….

Welcome to Blue Box: The VoIP Security Podcast #74, a 44-minute podcast  from Dan York and Jonathan Zar covering VoIP security news, comments and opinions.   

Download the show here (MP3, 20MB) or subscribe to the RSS feed to download the show automatically. 

You may also listen to this podcast right now:

Show Content:

• 00:20 – Intro to the show, contact information and how to provide comments.  Welcome to all the new listeners – and to all those listeners who have been here for so long! 
• new comment line +1-415-830-5439
• SE 22 with Jonathan Rosenberg
• Asterisk AST-2007-027: Database matching order permits host-based authentication to be ignored
• Voice of VOIPSA: Trixbox contains ‘phone home’ code to retrieve arbitrary commands to execute
• trixbox CE audit tool official statement and fixes
• Audit Tool Change Plan
• Audit tool ‘fix’ being pushed out tonight
• ComputerWorld: VoIP vulnerabilities increasing, but not exploits
• CRN: Top 9 VoIP Threats and Vulnerabilities (Sipera PR strikes again) – points to CRN article: VoIP Threats, Vulnerabilities Abound which is based on press release Sipera VIPER Lab Reveals Top 5 VoIP Vulnerabilities in 2007
• Voice of VOIPSA: Pointers to any audi methodology for forensic analysis of VoIP systems?
• TMC.net: SIP and Security: Just Do It Right!
• PAETEC, Alcatel-Lucent Deploy Industry Leading Disaster Recovery VoIP Solution
• Feature: top stories of 2007 and trends for 2008
• No comments this week.
• Review of the last week’s traffic on the VOIPSEC public mailing list 
• Wrap-up of the show
• 43:57 – End of show 

Comments, suggestions and feedback are welcome either as replies to this post  or via e-mail to blueboxpodcast@gmail.com.  Audio comments sent as attached MP3 files are definitely welcome and will be played in future shows.  You may also call the listener comment line at either +1-415-830-5439 or via SIP to ‘bluebox@voipuser.org‘ to leave a comment there. 

Thank you for listening and please do let us know what you think of the show.

Synopsis: Interview about SIP NAT Traversal with Dr. Jonathan Rosenberg, Cisco Fellow and author of many RFCs and Internet-Drafts related to SIP for the Internet Engineering Task Force (IETF).

Welcome to Blue Box: The VoIP Security Podcast Special Edition #20, a 25-minute interview with Dr. Jonathan Rosenberg about SIP and NAT Traversal.  Recorded at Interop New York in October 2007.

Download the show here (MP3, 13MB) or subscribe to the RSS feed to download the show automatically.

You may also listen to this podcast right now:

Show Content:

In this Special Edition, I sat down with Dr. Jonathan Roseberg at Interop New York in October 2007 to talk about SIP NAT Traversal. Jonathan, a Cisco Fellow, has authored many RFCs related to SIP for the Internet Engineering Task Force (IETF) and in fact was a co-author of RFC 3261, the original specification for the SIP protocol.  He is also the author of "The Hitchhiker’s Guide to SIP", a document that aims to help people find their way through all the many documents that today make up what we call "SIP".

For the past few years, Jonathan has been extremely involved in the whole issue of SIP and NAT traversal and has authored several of the major Internet-Drafts on the issue.  In this interview, we discuss:

• What the issue is with SIP and NAT traversal
• How ALGs and SBCs attempt to solve the problem
• Methods that have been developed by the IETF, specifically:
  • STUN
  • TURN
  • ICE
• The role of ICE going forward, who is supporting it, etc.

I believe you will find it a very educational session and very helpful in understanding this major issue with regard to SIP.  We thank Jonathan Rosenberg for his time.

If you enjoy this show, we would also suggest you go back and listen to Blue Box Special Edition #20, our interview with Cullen Jennings about SIP security.  The two shows complement each other extremely well and provide a solid understanding of the current state of SIP security.

Comments, suggestions and feedback are welcome either as replies to this post  or via e-mail to blueboxpodcast@gmail.com.  Audio comments sent as attached MP3 files are definitely welcome and will be played in future shows.  You may also call the listener comment line at either +1-415-830-5439 or via SIP to ‘bluebox@voipuser.org‘ to leave a comment there.

Thank you for listening and please do let us know what you think of the show.