Synopsis: Grand Central’s anti-SPIT initiative, Cisco buys Ironport, Skype targets business, other VoIP security news, listener comments and more… 

Welcome to Blue Box: The VoIP Security Podcast #50, a 26-minute podcast  from Dan York and Jonathan Zar covering VoIP security news, comments and opinions. 

NOTE: This show was originally recorded January 17, 2007. 

Download the show here (MP3, 12MB) or subscribe to the RSS feed to download the show automatically. 

You may also listen to this podcast right now: 

Show Content:

• 00:20 – Intro to the show, contact information and how to provide comments.  Welcome to all the new listeners – and to all those listeners who have been here for so long!  Special welcome to readers who found us through the new Hacking Exposed: VoIP book that was just recently released.
• 01:13 – Programming notes
• 02:34 – Skype Security Blog: Deploying Skype in a Windows domain – and my response on VOIPSA blog
• 06:13 – Voice of VOIPSA: Voice SPAM – The Fightback begins pointing to Grand Central anti-spam page (sent in my Hasan Diwan)
• 07:48 – VoipUser: How To Build A Voip Network: 7 rules for the VoIP entrepreneur in 2007 – note my comment on security
• 10:00 – VoIPNews: VoIP Scams, Phishing, And Denial Of Service Attacks
• 11:10 – Register: Security vendors talk up VoIP threats
• 11:55 – VNUNet: Convergence brings business challenges and companion Tips for securing VoIP
• TechRepublic: Make a SIP-based VoIP network more secure
• 14:42 – CRM Buyer: Cisco Buys IronPort for $830 Million – interesting for Gartner quote at end… and also for potential for VoIP security – see also earthweb
• 17:41 – VoIPNews: Will Vonage Work for Your Business?
• 19:25 – BT announces that consumer VoIP subscribers has hit the one million mark
• 20:38 – And from the alarm department – VoIP Alarm Introduced at CES
• 21:51 – ERF Launches First Secure Wireless VoIP System for Banking Industry
• 23:16 – Sipera IPCS 310 Awarded Internet Telephony Magazine’s 2006 Product of the Year=
• 23:26 – Q1 Labs Announces New Network Security Management Capabilities for VoIP Networks
• 24:10 – Upcoming shows:
• Feb 5-9, 2007, San Francisco, CA, RSA Conference 2007 
• Feb 27-Mar 1, 2007, San Francisco, Emerging Telephony 2007 
• Mar 1-2, 2007, London, EUSecWest 
• Mar 19-21, 2007, San Jose, CA, Spring 2007 VON 
• Mar 23-25, Washington, DC, ShmooCon ‘07 
• Apr 16-20, Vancouver, BC, Canada CanSecWest 2006
• 24:51 – Comments
• 25:85 – Review of the last week’s traffic on the VOIPSEC public mailing list 
• 25:31 – Wrap-up of the show 
  • Thank you to our listeners for staying with us through 50 shows
  • Reminder that you can subscribe to the show via email as well as RSS 
  • Mention of our Frappr map
• 26:39 – End of show 

Comments, suggestions and feedback are welcome either as replies to this post  or via e-mail to blueboxpodcast@gmail.com.  Audio comments sent as attached MP3 files are definitely welcome and will be played in future shows.  You may also call the listener comment line at either +1-206-350-2583 or via SIP to ‘bluebox@voipuser.org‘ to leave a comment there. 

Thank you for listening and please do let us know what you think of the show.

Synopsis: SPIT, Skype security, disposable phone numbers, phishing, VoIP security news, listener comments and more…

Welcome to Blue Box: The VoIP Security Podcast #49, a 55-minute podcast  from Dan York and Jonathan Zar covering VoIP security news, comments and opinions.

NOTE: This show was originally recorded January 5, 2007, and was delayed with production issues.

Download the show here (MP3, 23MB) or subscribe to the RSS feed to download the show automatically.

You may also listen to this podcast right now:

Show Content:

• 00:21 – Intro to the show, contact information and how to provide comments.  Welcome to all the new listeners – and to all those listeners who have been here for so long!  Special welcome to readers who found us through the new Hacking Exposed: VoIP book that was just recently released.
• 03:12 – Programming notes:
  • Audio issues with #48 – writing to USB drive
  • Dan contributed to Still Secure, After All These Years, Podcast #26 which was a roundup of opinions on security issues from a range of folks
  • Show #50 is next week
• 04:37 – VoIP News: How Secure Are Your VoIP Calls – and my response
• 06:07 – Note that Mark Collier has revamped the design of his VoIP Security Blog
• 06:38 – CSO: Security in 2007: Botnets, Threat Convergence and Other Risks – note their casual mention of SPIT and “thousands of messages” – wonder where they got their data from?
• 09:28 – ZDNet: What threats does Skype face? – interview with Skype CSO Kurt Sauer – also Jan Geirnaert’s response
• 15:08 – Jan: How to use the Skype and P2P traffic blocker? Tapping into Skype Traffic with the traffictapper from Lyanda.
• 16:14 – Dark Reading: Voice Cracks
• 18:17 – IT Observer: Voice over IP Under Threat – which was slashdotted
• 20:31 – TechWeb: Phishers’ Latest Platforms: VoIP, SMS
• 21:11 – EnterpriseITPlanet: The Year in Instant Messaging
• 26:28 – Voice of Voipsa: (just quick mentions – we forgot these last week)
  • Martyn: Securing the WLAN Link
  • Shawn: Skype 3.0 – Your new Romulan phone
  • Martyn: Tell Me Your PIN, So I Can Go Shopping
  • Dustin: Skype, an Essential Tool for Interrogation (also RealGeek )
• 29:56 – Websense ‘Skype’ Trojan Analysis – followup to our story last week… not VoIP per se but an interesting analysis
• 32:05 – The PhoneBoy Blog: Eating My Words on OpenID
• 34:18 – Zycko: VoIP Security priority for 2007
• 34:50 – Network World: The year ahead: Juggling IT risks, opportunities
• 35:08 – Upcoming shows:
  • Jan 23-26, 2007, Ft. Lauderdale, FL, Internet Telephony Conference and Expo – East
  • Feb 5-9, 2007, San Francisco, CA, RSA Conference 2007
  • Feb 27-Mar 1, 2007, San Francisco, Emerging Telephony 2007
  • Mar 1-2, 2007, London, EUSecWest
  • Mar 19-21, 2007, San Jose, CA, Spring 2007 VON
  • Mar 23-25, Washington, DC, ShmooCon ‘07
  • Apr 16-20, Vancouver, BC, Canada CanSecWest 2006
• 35:48 – Comment (audio) about Minnesota Asterisk user group
• 37:36 – Comment (blog) from Aswath Rao
• 39:58 – Comment (blog) from Mark Collier
• 40:07 – Comment (email) from Martyn Davies about ISS report
• 40:34 – Comments-3 (email) from Craig
• 41:52 – Comment (email) from Dave Roper pointing to Disposable Phone Numbers – discussion included Jangl, Private Phone and Craigsnumber
• 48:02 – Comment (email) from Rick McCharles
• 51:32 – Review of the last week’s traffic on the VOIPSEC public mailing list
• 52:08 – Wrap-up of the show
  • Reminder that you can subscribe to the show via email as well as RSS
  • Mention of our Frappr map
• 54:38 – End of show

Comments, suggestions and feedback are welcome either as replies to this post  or via e-mail to blueboxpodcast@gmail.com.  Audio comments sent as attached MP3 files are definitely welcome and will be played in future shows.  You may also call the listener comment line at either +1-206-350-2583 or via SIP to ‘bluebox@voipuser.org‘ to leave a comment there.

Thank you for listening and please do let us know what you think of the show.

Synopsis: The Crystal Ball Edition – Top VoIP Security issues of 2006 and predictions for 2007, Skype worm that wasn’t, drive-by SPIT, OpenID for SIP authentication, poking holes in firewalls, listener comments and more…

Welcome to Blue Box: The VoIP Security Podcast #48, a 50-minute podcast  from Dan York and Jonathan Zar covering VoIP security news, comments and opinions.

NOTE: For the first time in many shows we had an issue with the recording of the show that introduced gaps and other audio artifacts.  Unfortunately, I was not running my backup recorder and schedules (and holidays) made a retake impractical.  So my apologies… and if you are new to the show, please don’t judge the show by the audio quality of this particular show.

Download the show here (MP3, 23MB) or subscribe to the RSS feed to download the show automatically.

You may also listen to this podcast right now:

Show Content:

• 00:21 – Intro to the show, contact information and how to provide comments.  Welcome to all the new listeners – and to all those listeners who have been here for so long!  Special welcome to readers who found us through the new Hacking Exposed: VoIP book that was just recently released.
• 01:50 – Programming notes:
  • sending in ident audio files
  • Dan has launched a new blog – Disruptive Telephony
  • Dan was interviewed by Jon Arnold about VoIP Security for his podcast series
• 04:08 – CNET: Confusion over Skype security threat clears up – all sorts of reports originating from the Websense blog entry – other links: CBC ComputerWorld TechWorld SC: Hackers unleash worm that targets Skype Heise Online – also Earthtimes gets it right
• 06:31 – DarkReading: VoIP More Vulnerable
• 09:09 – McGraw-Hill press release about Hacking Exposed: VoIP and also CRN: VoIP Risks Take Center Stage in 2007
• 09:49 – CNS: Telecom execs conclude enterprise security products insufficient for carrier networks
• 11:14 – Xchange Online: Survey: Security a Concern in Product Rollouts
• 12:44 – Heise Security: The hole trick: How Skype & Co. get round firewalls (tip to 21talks )
• 13:26 – Network Magazine (India): Voice over IP: Security issues to the fore
• 15:50 – Aswath Rao: There is No Money in the Authentication Business with some reaction, particularly from PhoneBoy Kveton and Alec Saunders
• 20:51 – ITBusiness.ca: The pros and cons of having a contractor do security
• 22:22 – VoIP News: Building VoIP Security at the Gateway Level – part of a special on VoIP Gateways
• 23:47 – Greatreporter.com: Hackers ‘can eavesdrop on 70% of web calls’
• 24:44 – LinuxDevices: Belkin WiFi Skype phone based on Linux
• 26:04 – Oral Health & Dental Practice Management: Technology in Tomorrow’s Dental Office
• 27:21 –Bluesocket Achieves VoIP Vocera Certifications
• 28:42 – Feature – Top VoIP security stories from 2006 and predictions for 2007. Some links mentioned in the discussion:
  • RSA Speaking of Security Podcast #42 about phishing war story
  • vnunet.com’s IT security predictions for 2007
  • BCS: MessageLabs: Targeted security attacks to soar in 2007 (also in SC )
• 46:23 – Upcoming shows:
  • Jan 23-26, 2007, Ft. Lauderdale, FL, Internet Telephony Conference and Expo – East
  • Feb 5-9, 2007, San Francisco, CA, RSA Conference 2007
  • Feb 27-Mar 1, 2007, San Francisco, Emerging Telephony 2007
  • Mar 1-2, 2007, London, EUSecWest
  • Mar 19-21, 2007, San Jose, CA, Spring 2007 VON
  • Mar 23-25, Washington, DC, ShmooCon ‘07
  • Apr 16-20, Vancouver, BC, Canada CanSecWest 2006
• 47:26 – Review of the last week’s traffic on the VOIPSEC public mailing list
• 48:04 – No comments other than Aswath’s note about OpenID that we covered earlier.
• 48:45 – Wrap-up of the show
  • Reminder that you can subscribe to the show via email as well as RSS
  • Mention of our Frappr map
• 50:11 – End of show
   

Comments, suggestions and feedback are welcome either as replies to this post  or via e-mail to blueboxpodcast@gmail.com.  Audio comments sent as attached MP3 files are definitely welcome and will be played in future shows.  You may also call the listener comment line at either +1-206-350-2583 or via SIP to ‘bluebox@voipuser.org‘ to leave a comment there.

Thank you for listening and please do let us know what you think of the show.

Synopsis: Deflating VoIP security hype, SANS and the need for better VoIP security training, India moves to block Skype and other VoIP,  Skype security, tutorials, listener comments and more…

Welcome to Blue Box: The VoIP Security Podcast #47, a 69-minute podcast  from Dan York and Jonathan Zar covering VoIP security news, comments and opinions.

Download the show here (MP3, 32MB) or subscribe to the RSS feed to download the show automatically.

You may also listen to this podcast right now:

Show Content:

• 00:20 – Intro to the show, contact information and how to provide comments.  Welcome to all the new listeners – and to all those listeners who have been here for so long!  Special welcome to readers who found us through the new Hacking Exposed: VoIP book that was just recently released.
• 02:20 – Programming notes:
  • sending in ident audio files
  • SanDisk Cruzer disks (with U3 software)
  • Blue Box dinner – photo by Martyn Davies
  • Security Podcast Network
  • SE #14- Interview with Ken Camp
• 09:19 – VoIP News: Voip Security ‘Best Practices’ Project Launches
• 09:41 – Voice of VOIPSA: The Register – Open Season for hackers
• 11:08 – SearchSecurity.com: Better VoIP training needed, SANS director says – see also Eric Chamberlin at Voxilla: VoIP Security: Stop Everything – also launched a VoIP security forum
• 18:30 – Economic Times (India): Illegal Web calls by BPOs face axe – see also 21Talks: India outlaws Skype, Yahoo and others
• 22:13 – British Computer Society: Skype – How safe is it? (sent in by both Martyn Davies and Rhodri Davies)
• 24:01 – Electronic Engineering Times: IP phone providers must focus on security, says report pointing to In-Stat report – VoIP Security: Preparing for the Evolving Threat – it can be yours for only $2,995  – see also In-Stat press release: Business VoIP Users Must Focus on Security
• 27:28 – b5media: Interview with PGP founder Phil Zimmermann: Zfone, secure VoIP media encryption software
• 29:41 – eWeek: Outlook 2007:VoIP
• 31:22 – The Age (Australia): Hackers ‘to target VoIP users’
• 32:39 – Greatreporter.com: VoIP wiretapping widespread, warns Scanit
• 34:16 – TMC.net: SPIT: Bringing Spam to Your Voicemail Box (by Bogdan Materna)
• 37:18 – Image and Data Manager (Australia): IM and VoIP Still Not On Security Radar
• 38:17 – InfoWorld ZeroDaySecurity Blog: Is social engineering always used to commit fraud?
• 45:16 – ZDNet UK: Weigh the pros and cons of VoIP over wireless
• 45:42 – Voice of VOIPSA: Security through Obscurity by Martyn Davies about the conf he attended
• 46:09 – Voice of VOIPSA: Cell phones, GPS location and Amber Alerts by Shawn Merdinger
• 47:28 – Voice of VOIPSA: IronGeek Hacking Tutorial Videos by Shawn Merdinger
• 48:32 – Enterprise VoIPPlanet: The VoIP Peering Puzzle: The IETF SPEERMINT Architecture
• Dialogic Expands IP Media Gateway Product Line (Martyn Davies works there… note the VoIP security mention later in the release)
• 51:24 – comment (audio) from “the man from California” about Click-to-Call
• 54:01 – comment (email) from Shawn Merdinger about Click-to-Call
• 56:20 – comment (email) from Raul Siles (just about BP project)
• 57:06 – comment (email) from Yiannis Miliaresis  about podcast in Greece and iptelephony.gr
• 58:27 – comment (email) from Julien Goodwin about CBR article
• 58:57 – comment (email) from Alan Garwood about mini-poll on Infosecurity Europe web page
• 60:16 – comment (email) from Shlomo Dubrowin about BP project
• 61:19 – comment (blog) from Mark Collier
• 62:29 – comment (email) from Frank Leonhart about BBP dinner
• 63:29 – comment (email) from Mike Bailey asking a question about Skype installation
• 64:20 – comment (email) from Dion Rowney about recorder
• 67:30 – Review of the last week’s traffic on the VOIPSEC public mailing list
• 68:23 – Wrap-up of the show
  • Reminder that you can subscribe to the show via email as well as RSS
  • Mention of our Frappr map
• 69:49 – End of show

Comments, suggestions and feedback are welcome either as replies to this post  or via e-mail to blueboxpodcast@gmail.com.  Audio comments sent as attached MP3 files are definitely welcome and will be played in future shows.  You may also call the listener comment line at either +1-206-350-2583 or via SIP to ‘bluebox@voipuser.org‘ to leave a comment there.

Thank you for listening and please do let us know what you think of the show.

P.S. We didn’t mention the "upcoming shows", but here is the list we have been maintaining:

• Jan 23-26, 2007, Ft. Lauderdale, FL, Internet Telephony Conference and Expo – East
• Feb 5-9, 2007, San Francisco, CA, RSA Conference 2007
• Feb 27-Mar 1, 2007, San Francisco, Emerging Telephony 2007
• Mar 1-2, 2007, London, EUSecWest
• Mar 19-21, 2007, San Jose, CA, Spring 2007 VON
• Mar 23-25, Washington, DC, ShmooCon ‘07
• Apr 16-20, Vancouver, BC, Canada CanSecWest 2006

Synopsis: Google click-to-call, Bluetooth, Skype secuity, VOIPSA Best Practices project, VoIP security news, listener comments and more

Welcome to Blue Box: The VoIP Security Podcast #46, a 49-minute podcast  from Dan York and Jonathan Zar covering VoIP security news, comments and opinions.

Download the show here (MP3, 23MB) or subscribe to the RSS feed to download the show automatically.

You may also listen to this podcast right now:

Show Content:

• 00:20 – Intro to the show, contact information and how to provide comments.  Welcome to all the new listeners – and to all those listeners who have been here for so long!
• 02:09 – Programming notes and discussion of Blue Box Dinner in London on Dec 7th.
• 03:45 – Voice of VOIPSA: Click to Harrass (Dustin Trammell about Google Click-to-call and then my response)
• 12:25 – Voice of VOIPSA: Mobile phone insecurities and snakes on a plane (Shawn Merdinger)
• 14:09 – Voice of VOIPSA: Security meets flexibility  (Martyn Davies)
• 14:32 – Network World: Secure caller ID for VoIP (by Jonathan Rosenberg of IETF fame)
• 15:34 – SearchSMB.com: Secure VoIP in simple steps (From Rodri Davies)  Note that article author has security blog.
• 16:40 – ITwire Australia: Skype bugging your network? Here’s how to squash it
• 17:31 – Ken Camp: Skype on the Thumbdrive? Not When it Violates Company Policy
• 21:39 – Jan in Malaysia: How to log your local Skype  (Jan continues his Skype security explorations)
• 22:28 – Dangerously Irrelevant: Advising, webcams and Skype (about a UMinn prof who runs into uni policy about using Skype)
• 24:30 – SouthBendTribune.com: New bait for ‘phishing’ scams
• 25:21 – ComputerWorld New Zealand: Bank of America rolls out VoIP – with some pain
• 27:14 – ZDNet India: Juniper and NEC announce joined network solutions
• 28:15 -The Register: Computer Misuse Act could ban security tools
• 28:43 –VONaLink ScreenPop – New VoIP Caller ID Software Released
• 29:18 –Irdeto IPTV security solution successfully completes rigorous audit by respected security experts
• 30:21 – Telecoms Korea: VoIP susceptiple to Spam (subscription required)
• 31:08 – Upcoming shows:
  • Dec 4-6, Atlanta, GA, VON Enterprise
  • Dec 5, London, UK, Secure Mobile Computing
  • Jan 23-26, 2007, Ft. Lauderdale, FL, Internet Telephony Conference and Expo – East
  • Feb 5-9, 2007, San Francisco, CA, RSA Conference 2007
  • Feb 27-Mar 1, 2007, San Francisco, Emerging Telephony 2007
  • Mar 1-2, 2007, London, EUSecWest
  • Mar 19-21, 2007, San Jose, CA, Spring 2007 VON
  • Mar 23-25, Washington, DC, ShmooCon ‘07
  • Apr 16-20, Vancouver, BC, Canada CanSecWest 2006
• 32:25 – Feature segment – impending launch of VOIPSA Best Practices project page
  • More on the impending launch
• 37:14 – comment (audio) from Jamie Brody (?) from Truphone
• 39:53 – comment (email) from Richard who writes hi2005.wordpress.com and has excellent acronym lists: Resources, Security Acronyms and Telecom Acronyms
• 40:52 – comment (email) from Ross Chason about two-factor identification in phones
• 42:10 – comment (email) from Simon Wood ho points to list of spoken phrases for speech quality at the Open Speech Repository
• 43:46 – comment (email) from Paul Asadoorian about pen-test email list discussion
• 45:04 – comment (email) from Rhodri Davies
• 46:08 – comment (email) about how to protect a network
• 47:30 – Review of the last week’s traffic on the VOIPSEC public mailing list
• 48:09 – Wrap-up of the show
  • Reminder that you can subscribe to the show via email as well as RSS
  • Mention of our Frappr map
• 49:14 – End of show

Comments, suggestions and feedback are welcome either as replies to this post  or via e-mail to blueboxpodcast@gmail.com.  Audio comments sent as attached MP3 files are definitely welcome and will be played in future shows.  You may also call the listener comment line at either +1-206-350-2583 or via SIP to ‘bluebox@voipuser.org‘ to leave a comment there.

Thank you for listening and please do let us know what you think of the show.