Blue Box SE #19: “The Real Risks of VoIP Security” panel at VON Europe 2007 in Stockholm, Sweden, featuring Martyn Davies, Ari Takanen, Cullen Jennings and Akif Arsoy

Synopsis: "The Real Risks of VoIP Security" panel session at VON Europe in Stockholm, Sweden, in June 2007.  Moderated by Blue Box contributor Martyn Davies, the panel included Ari Takanen of Codenomicon, Cullen Jennings of Cisco and Akif Arsoy of Verisign.


Welcome to Blue Box: The VoIP Security Podcast Special Edition #19, a 55-minute podcast of the panel session "The Real Risks of VoIP Security" from VON Europe 2007 in Stockholm, Sweden, in June 2007.

Download the show here (MP3, 25MB) or subscribe to the RSS feed to download the show automatically.

You may also listen to this podcast right now:


Show Content:

In this Special Edition, we bring you a recording of the panel session at VON Europe in Stockholm, Sweden, in June 2007.  Longtime Blue Box contributor Martyn Davies moderated the panel which included Ari Takanen of Codenomicon, Cullen Jennings of Cisco and Akif Arsoy of Verisign.  Rather than going with canned presentations of slides, the panel was a conversation among the panelists based on questions that Martyn had as well as questions from the audience.  I think you will find it both enjoyable and educational.

The members of the panel are, left-to-right, Martyn Davies (Dialogic), moderator, Ari Takanen (Codenomicon), Cullen Jennings (Cisco) and Akif Arsoy (Verisign).

We thank Martyn for contributing this recording and also compliment him on what is one of the best conference recordings we’ve ever offered as far as audio quality goes.  Dan also thanks Cullen Jennings for standing in for him when Dan was suddenly unable to attend Podcamp Europe.

Comments, suggestions and feedback are welcome either as replies to this post or via e-mail to blueboxpodcast@gmail.com.  Audio comments sent as attached MP3 files are definitely welcome and will be played in future shows.  You may also call the listener comment line at +1-206-350-2583 or via SIP at bluebox@voipuser.org to leave a comment there.

Thank you for listening and please do let us know what you think of the show.

Telecom Junkies podcast: Interview with a VoIP Hacker (Robert Moore of the Pena/Moore voip fraud case)

Remember the Pena/Moore VoIP fraud case back in June 2006? Would you like to know how the attacks were done, and how you can protect your network?

First, for those who don’t recall, this was a case in which Edwin Pena was alleged to have set himself up as a voice service provider and then, with the assistance of a developer named Robert Moore, routed his customers’ calls across the networks of other VoIP service providers.  Pena is alleged to have stolen at least 10 million minutes from other voice service providers and to have made in excess of $1 million. Pena subsequently fled the country (and remains a fugitive even today).  We wrote about it here, covered it in Blue Box podcasts #31 and #33, and I was a guest on a Telecom Junkies podcast back in July 2006 discussing the case.

In any event, one year later Robert Moore has been convicted for his part in the scheme and on July 24th was sentenced to a two-year term in prison, 3 years of probation and a $150+K fine.

Before he reports to prison in about 6 weeks, though, Moore got in contact with Jason Huffman from The Voice Report to ask if Jason was interested in an interview.  Given my prior involvement with the Telecom Junkies podcast, Jason contacted me to see if I would also be interested in coming onto the show.  Both he and I were concerned about interviewing someone recently convicted (i.e. not wanting to glorify the crime or the criminal), but I shared Jason’s view that if we could obtain information about how the attacks were done we could potentially help people protect their systems against these types of attacks.  (Jonathan was also invited and provided great feedback but was unable to attend due to scheduling issues.)

The result is a new Telecom Junkies podcast: “Interview with a VoIP Hacker” which is available for download.

As we’d discussed in our previous coverage of the case, there were really two different types of systems that were attacked:

  1. Voice gateways of VoIP service providers
  2. Servers/routers of other businesses that were compromised to hide the source of traffic going to the voice gateways

In the interview, Robert Moore confirms that all the voice gateway attacks were H.323 (no SIP was involved) and they weren’t terribly sophisticated because the VoIP service providers didn’t have all that much security in place.

Moore also indicates that all the other boxes (#2) were compromised primarily by easy means such as weak and easily guessable passwords – or, even worse, unchanged default passwords.  In some cases, there were boxes on the Internet with exposed SNMP ports that let the attackers learn all about the box so that they could then research potential vulnerabilities.  This part really had nothing whatsoever to do with VoIP; it came down to basic IT security practices which were (and undoubtedly still are) very obviously not being followed by many folks out there.

In any event, the interview is now available for listening.  Meanwhile, Moore is soon heading off to prison and Pena is still somewhere out there…

P.S. If anyone listening can identify the name of the second switch vendor that Moore indicates he went after, please let us know; neither Jason nor I could make it out, even after I asked for the name to be repeated.

UPDATE: Thank you to all who responded (including Robert’s sister here in the comments). The other switch was a Quintum Tenor – http://www.quintum.com/

Anyone attending Black Hat or Defcon interested in providing reports into the Blue Box podcast?

Are you attending Black Hat next week in Las Vegas (July 29-Aug 2)? Or the Defcon show that follows? If so, would you be willing to provide a report (either audio or written) for us to include in a future Blue Box podcast (or potentially post on the VOIPSA blog)? Neither Jonathan nor I (nor Martyn) will be attending Black Hat or Defcon, but there look to be a number of quite interesting talks involving VoIP security.  If you would be willing to send in a report from Black Hat or Defcon briefly talking about what is discussed at the sessions there, please do drop us an email, as we’d love to have such contributions.

FYI, if you want to try audio, contributions could be either: 1) recorded using something like Audacity and then sent by email; or 2) simply called into our comment line (+1-206-350-2583 or sip:bluebox@voipuser.org).


Blue Box #63: Cisco and Asterisk VoIP vulnerabilities, the "Athens affair" (Greek wiretapping), iPhones and Duke, IETF and SPIT, SunRocket flares out, Skype phishing, VoIP security news and more…

Synopsis: Blue Box #63: Cisco and Asterisk VoIP vulnerabilities, the “Athens affair” (Greek wiretapping), iPhones and Duke, IETF and SPIT, SunRocket flares out, Skype phishing, VoIP security news and more…


Welcome to Blue Box: The VoIP Security Podcast #63, a 38-minute podcast from Dan York and Jonathan Zar covering VoIP security news, comments and opinions.

Download the show here (MP3, 18MB) or subscribe to the RSS feed to download the show automatically.

You may also listen to this podcast right now:

Show Content:


ETel "Black Bag" Security presentations now available with audio synced to slides (through "slidecasting")…

Have you ever wished you could know when the slides are being changed when you listen to one of our Special Edition podcasts?  Well, now you can, courtesy of a new “slidecasting” interface made available by the folks at SlideShare.net.  I have now made available synced versions of Blue Box SE#15 and Blue Box SE#16 as shown in the embedded objects below.

SE#15 is, to me, a great example of the power of SlideShare’s syncing interface.  It is about 243 slides in 15 minutes and without the sync, it’s not as easy to see how the slides are used to support the story.  SE#16 is the much longer 90-minute workshop that Jonathan, Shawn Merdinger and I did, which again shows how the slide sync can be used in a longer setting.  In any event, you can check them out in the embedded shows below.  First the 15-minute “Black Bag Security Review”:

And then here our 90-minute workshop:

We would naturally love to hear your feedback about whether you find this useful.  We anticipate putting up future presentations in this fashion.  What do you think?

Blue Box #62: CAPTCHA for SPIT, covert channels, SIP Identity, is VoIP safe?, Fiji, Google, VoIP security news and more

Synopsis: Blue Box #62: CAPTCHA for SPIT, covert channels, SIP Identity, is VoIP safe?, Fiji, Google, VoIP security news and more


Welcome to Blue Box: The VoIP Security Podcast #62, a 41-minute podcast from Dan York and Jonathan Zar covering VoIP security news, comments and opinions.

Download the show here (MP3, 19MB) or subscribe to the RSS feed to download the show automatically.

You may also listen to this podcast right now:


Note: Originally recorded back on July 6th.  There were some, well, "challenges" with the quality of the recording and so post-production took far longer than usual and you will still hear some audio artifacts every once in a while when Jonathan is speaking.


Show Content:


Blue Box Special Edition #18: Session Border Controllers (SBCs) – Interviews with Covergence and Borderware about the SBC

Synopsis: Session Border Controller (SBC) Special – Martyn Davies interviews Rod Hodgman from Covergence and Jeff Carr from Borderware about their products and the role of the SBC.


Welcome to Blue Box: The VoIP Security Podcast Special Edition #18, a 33-minute podcast of interviews by Martyn Davies of Rod Hodgman from Covergence and Jeff Carr from Borderware about their products and the role of the SBC and the question "Do SBCs break the rules of SIP?"

Download the show here (MP3, 15MB) or subscribe to the RSS feed to download the show automatically.

You may also listen to this podcast right now:


Show Content:

This Session Border Controller (SBC) special features two back-to-back interviews with Rod Hodgman from Covergence (www.covergence.com) and Jeff Carr from Borderware (www.borderware.com).

In the first interview, Martyn Davies speaks to Rod Hodgman, VP of Marketing at Covergence, about their SBC product line, Eclipse.  Rod talks about SBCs that support peering and access edge applications, and then focuses on access edge features such as NAT traversal and DoS protection.  The discussion also covers software vs. appliance, OS hardening, ATCA and media acceleration.  Rod answers the question "do SBCs break the rules of SIP?", and tells us a user story.

In the second part, Martyn speaks to Jeff Carr, VP of the SIP Solutions Group at Borderware, about their software SBC, SIPAssure.  Jeff talks about the access edge, SPIT (Internet Telephony SPAM): content filtering and reputation management; firewall vs. SBC.  He also tackles the question "do SBCs break the rules of SIP?", and goes on to tell us a story about one of their OEM customers.

We thank Martyn for contributing these interviews.


(P.S. In the spirit of full disclosure, I’ll note that one of the customer stories turns out to be my employer, but I had no clue about that as this was entirely Martyn’s production.)

Blue Box #61: IETF framework to fight SPIT, VoIP security video, new tools, voip security news, listener comments and only a brief mention of the iPhone

Synopsis: Blue Box #61: IETF framework to fight SPIT, VoIP security video, new tools, voip security news, listener comments and only a brief mention of the iPhone


Welcome to Blue Box: The VoIP Security Podcast #61, a 29-minute podcast from Dan York and Jonathan Zar covering VoIP security news, comments and opinions.

Download the show here (MP3) or subscribe to the RSS feed to download the show automatically.

You may also listen to this podcast right now:


Show Content:


Brief Break in Blue Box Schedule

Blue Box listeners – I’m on vacation this coming week and Jonathan has been travelling, so we’re taking a brief break. We’ll be back the week of June 25th with a regular show. We’ve also got some great Special Editions in the queue:

  • Martyn Davies has put together a great interview show about Session Border Controllers (SBCs). I think you’ll definitely enjoy this one!
  • New contributor Frank Leonhardt has an interview with some of the folks involved with Facetime about their new firewall that includes Skype management.
  • Martyn Davies also received permission to run the audio of the panel on VoIP security that he moderated at VON Europe last week in Stockholm.

I think you should enjoy them all and I’m looking forward to making them available once I’m back from vacation.

Talk to you soon…

Update: Dan is NOT at VON Europe in Stockholm – but the Blue Box dinner will go ahead

Well, sometimes “life” intervenes in the best of plans.  As I wrote on my Disruptive Telephony blog, I will now very unfortunately NOT be attending VON Europe in Stockholm.  However, the Blue Box dinner planned for tonight will go ahead with Martyn Davies, Dean Elwood and about a dozen others.  I’ve already let Martyn know that I expect to get a good recorded segment out of it for inclusion in a future podcast!  🙂

As for my Thursday panel on VoIP security that Martyn is moderating, Cullen Jennings from Cisco has agreed to step in.  Cullen is the IETF Area Director for real-time applications, so essentially everything related to SIP rolls up to him, including VoIP security in the standards world.  I know from our many discussions that Cullen has a very strong interest in security, so the panel discussion should be quite a good one.

I’m very disappointed that I won’t be able to be there to be part of the dinner or panel, but I’m looking forward to hearing how they all go.