Synopsis:  Blue Box #84: New Cisco, Avaya, Nortel VoIP security vulnerabilities
from VoIPShield, Skype in China, UCSniff and other new tools, news and
more

Welcome to Blue Box: The VoIP Security Podcast #84, a 30-minute podcast  from Dan York and Jonathan Zar covering VoIP security news, comments and opinions.   

Download the show here (MP3, MB) or subscribe to the RSS feed to download the show automatically. 

You may also listen to this podcast right now:

Show Content:

• 00:20 – Intro to the show, contact information and how to provide comments.  Welcome to all the new listeners – and to all those listeners who have been here for so long!
• Programming notes:
  • Three-year anniversary of Blue Box coming up on October 24th – any thoughts you’d like to share with us? (Please send them to us by October 23rd.)
• VoIPShield announces new vulnerabilities and http://www.voipshield.com/research.php
• http://www.theregister.co.uk/2008/09/30/voip_eavesdropping_tool/
• "Sipera Develops VoIP Spy Program – to Prove a Point" – http://www.voipplanet.com/trends/article.php/3776136
• SecureLogix Announces Free Availability of VoIP Security Tools
• NY Times: Surveillance of Skype Messages Found in China – http://www.nytimes.com/2008/10/02/technology/internet/02skype.html?_r=2&partner=rssnyt&pagewanted=print
• http://securitywatch.eweek.com/privacy/skypechina_breach_is_anyone_really_surprised.html
• http://www.informationweek.com/news/telecom/voip/showArticle.jhtml?articleID=210605439
• Skype CEO’s blog post about the issue: http://share.skype.com/sites/en/2008/10/answers_to_some_commonly_asked.html
• http://www.itbusinessedge.com/blogs/top/?p=398
• http://www.voip-news.com/feature/google-phone-europe-growth-092408/
• http://www.itnewsafrica.com/?p=1269
• http://news.cnet.com/8301-1009_3-10052393-83.html
• http://www.broadbandreports.com/shownews/VoIP-Vulnerabilities-Being-Exposed-Today-98039
• http://www.itbusinessedge.com/blogs/top/?p=402
• http://voipsa.org/blog/2008/10/07/5th-emergency-services-workshop-to-be-held-oct-21-23-in-vienna/
• http://eon.businesswire.com/news/eon/20080924005342/en
• http://www.crn.com/security/210602442
• http://it.tmcnet.com/topics/it/articles/41236-infoblox-unveils-dns-firewall-address-dns-vulnerability-concerns.htm
• http://www.newswire.ca/en/releases/archive/September2008/29/c9005.html
• No comments this week.
• Review of the last week’s traffic on the VOIPSEC public mailing list
• Wrap-up of the show
• 30:26 – End of show 

NOTE: Long-time listeners will note that the show notes above are in a less descriptive form than usual. After almost three years of using one wiki for preparing for our shows, Jonathan and I switched to using a new system and are still working out some of the details that will speed the input into show notes.

Comments, suggestions and feedback are welcome either as replies to this post  or via e-mail to blueboxpodcast@gmail.com.  Audio comments sent as attached MP3 files are definitely welcome and will be played in future shows.  You may also call the listener comment line at either +1-415-830-5439 or via SIP to ‘bluebox@voipuser.org‘ to leave a comment there. 

Thank you for listening and please do let us know what you think of the show.

Synopsis:  Blue Box #80: VoIPShield vulnerabilities, what is ethical disclosure?, SIP trunking, VoIP security news, new nomadism, and much more…

Welcome to Blue Box: The VoIP Security Podcast #80, a 44-minute podcast  from Dan York and Jonathan Zar covering VoIP security news, comments and opinions.   

Download the show here (MP3, 20MB) or subscribe to the RSS feed to download the show automatically. 

NOTE: This show was originally recorded on April 17, 2008.

You may also listen to this podcast right now:

Show Content:

• 00:20 – Intro to the show, contact information and how to provide comments.  Welcome to all the new listeners – and to all those listeners who have been here for so long!
• MANY thanks for all the offers of audio production assistance – getting it organized now
• Ingate SIP Trunking webinar now available (and a note about participating in things like this)
• VOIPSA blog site hacked
• Voice of VOIPSA: Quarterly VoIP Vulnerabilities Summary
• VoIPshield list of vulnerabilities
• Cisco Advisory
• Cisco Advisory about Disaster Recovery Framework
• Voice of VOIPSA: VoIPshield announces discovery of over 100 vulnerabilities along with a YouTube video
• CIO
• Washington Post: Reach Out And Hack Someone
• Voice of VOIPSA: GNUcitizen research discovery: Default key algorithm in Thomson and BT Home Hub routers
• VoIP News: The Essential Guide to VoIP Security
• Information Week: Securing VoIP with SecureLogix – includes YouTube video with Mark Collier
• Voice of VOIPSA: VoIP and the International Space Station
• Voice of VOIPSA: Xplico Network Forensic Analysis Tool
• Voice of VOIPSA: Australians falling victim to foreign phone hackers
• VoIP News Australia: How ACMA Plans to Regulate VoIP
• Network World: Government agencies rejecting VoIP?
• Linux Professional Institute to develop enterprise-level security exam
• Net neutrality and Bell Canada
• ZDNet: Attacks escalate on critical U.S. government networks: Will a Manhattan Project work?
• Google XSS Attack (interesting as it shows the complexity of such attacks)
• The Economist: Special Report: The New Nomadism
• VoiceBiometrics – May 14-15, New York
• IP Telephony University – June 23-24, Alexandria, VA
• Review of the last week’s traffic on the VOIPSEC public mailing list 
• Wrap-up of the show
• 44:22 – End of show 

Comments, suggestions and feedback are welcome either as replies to this post  or via e-mail to blueboxpodcast@gmail.com.  Audio comments sent as attached MP3 files are definitely welcome and will be played in future shows.  You may also call the listener comment line at either +1-415-830-5439 or via SIP to ‘bluebox@voipuser.org‘ to leave a comment there. 

Thank you for listening and please do let us know what you think of the show.

Synopsis: Blue Box #77: Skype security vulnerability, German gov’t looks at trojans, undersea cable cuts, Microsoft and Yahoo, VoIP security news and more

Welcome to Blue Box: The VoIP Security Podcast #76, a 36-minute podcast  from Dan York and Jonathan Zar covering VoIP security news, comments and opinions.   

Download the show here (MP3, 17MB) or subscribe to the RSS feed to download the show automatically. 

NOTE: This show was originally recorded on February 4, 2008.

You may also listen to this podcast right now:

Show Content:

• 00:20 – Intro to the show, contact information and how to provide comments.  Welcome to all the new listeners – and to all those listeners who have been here for so long! 
• new comment line +1-415-830-5439
• Comment (email) from someone looking for VoIP security professional in Connecticut
• SKYPE-SB/2008-002: Skypefind Cross Zone Scripting Vulnerability with discussion in The Register
• The Register: Skype Trojan wiretap plan leaks onto the net
• PC Pro: VoIP stumps spooks
• Skype Journal: The Bavarian Intercept Proves Skype is Secure
• Voice of VoIPSA: More ETSI Security Workshop presentations now available online
• Voice of VOIPSA: Breaking Ciphers on a 5.8MHz Pentium
• Voice of VOIPSA: Raising a RUCUS at IETF 71
• SearchUC: Early adopters of unified communications need to ask about security
• CNN: Third undersea cable cut in Mideast
• US Transport Security Administration now has a blog called the Evolution of Security
• SecureLogix Receives Thirteenth Patent
• Thomas Porter’s 2006 “Practical VoIP Security” book now available as a free download – such as this
• Microsoft offers to buy Yahoo – “tons of coverage” – interesting piece on ZDNet about Google’s response
• Review of the last week’s traffic on the VOIPSEC public mailing list 
• Wrap-up of the show
• 36:19 – End of show 

Comments, suggestions and feedback are welcome either as replies to this post  or via e-mail to blueboxpodcast@gmail.com.  Audio comments sent as attached MP3 files are definitely welcome and will be played in future shows.  You may also call the listener comment line at either +1-415-830-5439 or via SIP to ‘bluebox@voipuser.org‘ to leave a comment there. 

Thank you for listening and please do let us know what you think of the show.

Synopsis: Blue Box #76: Cisco, Skype and BT vulnerabilities, when SIP looks like SPIT, VoIP security threat predictions and the FBI forgets to pay their bills, plus listener comments and more…

Welcome to Blue Box: The VoIP Security Podcast #76, a 38-minute podcast  from Dan York and Jonathan Zar covering VoIP security news, comments and opinions.   

Download the show here (MP3, 17MB) or subscribe to the RSS feed to download the show automatically. 

You may also listen to this podcast right now:

Show Content:

• 00:20 – Intro to the show, contact information and how to provide comments.  Welcome to all the new listeners – and to all those listeners who have been here for so long! 
• new comment line +1-415-830-5439
• Cisco: Cisco Unified Communications Manager CTL Provider Heap Overflow
• Skype: SKYPE-SB/2008-001: Skype Cross Zone Scripting Vulnerability – coverage in Skype blog and ComputerWorld article
• GNUcitizen: BT Home Call Jacking also mentioned in VOIPSEC message – coverage in PC World and The Register
• Voice of VOIPSA: SIP Security slides at ETSI event
• Voice of VOIPSA: How do you differentiate between legitimate SIP usage and SPIT? pointing to Dan’s Internet-Draft document
• RFC 5039 on SIP and Spam
• Sipera “news release on Top 5 VoIP Threat Predictions of 2008 – coverage in The Register: 2008 – the year VoIP gets hacked? and IT Business Edge: VoIP Security Still Falling Short
• SearchSecurity.com: Enterprise security in 2008: Addressing emerging threats like VoIP and virtualization
• C|Net blogs: Can terrorists use the Net to avoid wiretaps?

FBI Wiretaps dropped due to unpaid bills

• CityCell joins rivals forced to pay up for VoIP infringements
• Comment (email) from someone looking for VoIP security professional in Connecticut
• Comment (email) from Shlomo Dubrowin
• Review of the last week’s traffic on the VOIPSEC public mailing list 
• Wrap-up of the show
• 38:09 – End of show 

Comments, suggestions and feedback are welcome either as replies to this post  or via e-mail to blueboxpodcast@gmail.com.  Audio comments sent as attached MP3 files are definitely welcome and will be played in future shows.  You may also call the listener comment line at either +1-415-830-5439 or via SIP to ‘bluebox@voipuser.org‘ to leave a comment there. 

Thank you for listening and please do let us know what you think of the show.

Synopsis: Blue Box #73: SIP security issues at IETF 70, Skype security, vulnerabilities in Cisco and Nokia phones, Vietnam’s cyberdissidents, VoIP security news, listener comments and more…

Welcome to Blue Box: The VoIP Security Podcast #73, a 44-minute podcast  from Dan York and Jonathan Zar covering VoIP security news, comments and opinions.   

Download the show here (MP3, 20MB) or subscribe to the RSS feed to download the show automatically. 

You may also listen to this podcast right now:

NOTE: This show was recorded on December 11, 2007.

Show Content:

• 00:20 – Intro to the show, contact information and how to provide comments.  Welcome to all the new listeners – and to all those listeners who have been here for so long! 
• Voice of VOIPSA: Skype fixes flaw in Windows version
• Cisco 7940 Denial of Service
• Nokia N95 Remote Denial of Service using the SIP Stack
• Network World: VoIP Security Lessons Microsoft OCS Can Learn From Vonage and Others pointing over to series of posts on the Telecosm blog and the start of a series on VoIP security including DoS and anonymity
• VoIP News: Not Waiting For the Big One
• TechWorld: VoIP is the next big hack (follow up on Peter Cox)
• Globe and Mail: Cyberdissidents weaving along new path
• National Security Agency Certifies New Sectra vIPer Phone by General Dynamics for Top Secret Communications (sent in by Peter Thermos)
• Websense Predicts 2008’s Top Ten Security Threats
• International Telephone Services Company Deploys Secure Computing’s Sidewinder to Protect VoIP Communications
• Feature –  IETF 70
  • IETF 70 Agenda
  • Security a major discussion point
  • Media control – requirements and architecture to need more security work
  • SPEERMINT – Saverio Niccolini will bring security document back through
  • SIPPING – Spam Score and SRTP Key Disclosure and Updates to Asserted Identity – also covered in SPITting in your general direction
  • SIP – Media Identity and DTLS Framework
  • MMUSIC – big news was that ICE is now in the queue to be issued as an RFC
  • BEHAVE – TURN
  • P2PSIP – interesting discussion on NAT in P2P SIP and security in P2P SIP
• Comment (email) from Frank Leonhardt
• Comment (email) from Rhodri Davies
• Comment (email) from Peter Thermos
• Comment (email) from Ben Penson
• Review of the last week’s traffic on the VOIPSEC public mailing list 
• Wrap-up of the show
• 44:28 – End of show 

Comments, suggestions and feedback are welcome either as replies to this post  or via e-mail to blueboxpodcast@gmail.com.  Audio comments sent as attached MP3 files are definitely welcome and will be played in future shows.  You may also call the listener comment line at either +1-415-830-5439 or via SIP to ‘bluebox@voipuser.org‘ to leave a comment there. 

Thank you for listening and please do let us know what you think of the show.

Synopsis: Blue Box #71: VLAN Hopping, SIP Digest vulnerability, VoIP security hype, Skype security, Google’s latest moves, listener comments and much more…

Welcome to Blue Box: The VoIP Security Podcast #71, a 51-minute podcast  from Dan York and Jonathan Zar covering VoIP security news, comments and opinions.   

Download the show here (MP3, 21MB) or subscribe to the RSS feed to download the show automatically. 

You may also listen to this podcast right now:

NOTE: This show was recorded on November 8, 2007.

Show Content:

• 00:20 – Intro to the show, contact information and how to provide comments.  Welcome to all the new listeners – and to all those listeners who have been here for so long! 
• SIP Digest Access Authentication RELAY-ATTACK for Toll-Fraud
• VoiceCon ENews: VoIP Security Update (about my talk at Interop)
• Telecom Junkies episode about VLAN Hopping
• Network World: VoIP security notices show security remains a multi-vendor issue – also TechRepublic article about VoIP Hopper
• Network World: VoIP security industry: Guilty as charged (Plus, 10 nasty questions to ask your VoIP supplier)
• VoIP-News.com: Vonage Security Problems May Be Just the Start
• The Ethical Hacker Network: Fun with Online VoIP Hacking
• SearchVoIP: Unified communications security vulnerabilities
• SecurityPark: Seeing through the VoIP security hype
• The Guardian: Why VoIP is the next target for spammers
• Skype Blog: Skype for Mac on Leopard (note comments about embracing security)
• Voice of VOIPSA: Isolation vs. Integration (Dustin Trammell)
• Converge!Network Digest: The Future IC/UC Net Will Be Federated (by Acme Packet)
• TMCNet: Telecom Italia Sparke Enhances VoIP Services with Acme Packet
• Mark Collier: VoIP Training Courses – he also has made available his presentation on security that he recently gave at AT&T’s Focus Conference.
• InfoWorld: Vetting the quality of VoIP (follow-on to The lie that is Voice over IP )
• Comment (email) from Matt Hillman about http://www.podcastersmeetup.com/ at ShmooCon Feb 15-17 in DC
• Comment (audio) from Mohammad Halawah
• Comment (email) from Frank Leonhardt
• Comment (email) from Josef Janitor
• – Review of the last week’s traffic on the VOIPSEC public mailing list 
• – Wrap-up of the show
• – End of show 

Comments, suggestions and feedback are welcome either as replies to this post  or via e-mail to blueboxpodcast@gmail.com.  Audio comments sent as attached MP3 files are definitely welcome and will be played in future shows.  You may also call the listener comment line at either +1-206-350-7280 or via SIP to ‘bluebox@voipuser.org‘ to leave a comment there. 

Thank you for listening and please do let us know what you think of the show.