VOIP Security Alliance (VOIPSA)-All Feeds

Blue Box Podcast #86 out, with an update on the show

Fri, 23 Oct 2009 06:32:22 -0700

After literally a year of being away from the microphone, Jonathan and I posted Blue Box Podcast Episode #86 yesterday. The show is really just an update on what we’ve been doing over the past year, why there haven’t been new shows, what we are thinking about for the future, etc. We had a brief update on the Edwin Pena case and talked about the fact that sadly the VoIP security issues out there really haven’t changed much in the past year.

Jonathan and I have decided that we won’t be returning Blue Box to its original weekly schedule. We’re not sure, honestly, how often we’ll put out new episodes… we will see how schedules and such align. In the meantime, BBP 86 is up there for those who would like an update.

Thanks to all of you who have continued to listen and who also sent notes to us while we were offline wondering how things were going. Thanks.

If you found this post interesting or helpful, please consider either subscribing via RSS or following VOIPSA on Twitter.

Fugitive VoIP fraudster Edwin Pena extradited, to be arraigned today in NJ court

Fri, 23 Oct 2009 06:16:04 -0700

Following up on a story we’ve literally been covering for years, SC Magazine reported last week that VoIP fraudster Edwin Pena was to be arrive back in the USA last Friday, October 16. The FBI news release indicates that Pena is to be arraigned today, October 23rd, in New Jersey.

For those not familiar, the story began back in June 2006 with the initial reports that Pena masterminded a scheme to sell phone service and then running that service over other providers networks. We covered this at some length back in Blue Box Podcast #31. Then, in September 2006, Pena fled the country and was a fugitive abroad until he was nabbed in Mexico in February 2009.

Meanwhile, his co-conspirator Robert Moore was convicted and sent to jail. I had a chance to interview Robert in conjunction with the Voice Report folks as part of their Telecom Junkies podcast (also linked here) which provided some insight into how the attack took place.

The good news now is that Pena is back in the US, in jail, and to be arraigned sometime today. Good to see this work by the FBI and other agencies.

If you found this post interesting or helpful, please consider either subscribing via RSS or following VOIPSA on Twitter.

Blue Box #86: An Update on Blue Box, One Year Later

Dan York — Thu, 22 Oct 2009 05:47:39 -0700

Synopsis: Blue Box #86: Dan and Jonathan provide an update on what's happened in the year since Blue Box #85 and talk a bit about what's next

Welcome to Blue Box: The VoIP Security Podcast #86, a 19-minute podcast from Dan York and Jonathan Zar covering VoIP security news, comments and opinions.

Download the show here (MP3, 9 MB) or subscribe to the RSS feed to download the show automatically.

You may also listen to this podcast right now:

Show Content:

00:20 - Intro to the show, contact information and how to provide comments. Welcome to all the new listeners - and to all those listeners who have been here for so long!
Dan and Jonathan discuss what has happened in the past year and why there have not been new shows.
Discussion of what some of the main issues in VoIP security have been over the past year.
Mention that fugitive Edwin Pena was extradited back to the US and arraigned in New Jersey court last Friday
Mention of the recent traffic on the VOIPSEC public mailing list
Wrap-up of the show
19:38 - End of show

Comments, suggestions and feedback are welcome either as replies to this post or via e-mail to blueboxpodcast@gmail.com. Audio comments sent as attached MP3 files are definitely welcome and will be played in future shows. You may also call the listener comment line at either +1-415-830-5439 or via SIP to 'bluebox@voipuser.org' to leave a comment there.

Thank you for listening and please do let us know what you think of the show.

If you found this post interesting or useful, please consider either subscribing to the RSS feed or following BlueBox on Twitter.

VoIP on the iPhone and iPod Touch – a security warning

Mon, 28 Sep 2009 09:40:11 -0700

At first sight, using any VoIP client on the iPhone or the iPod Touch (a.k.a. iDevices) may seem like a uninteresting thing. The reason for this is that Apple does not allow 3rd party applications to run in the background. So when a user close down his iVoIP Client he will not be able to receive any calls at all, thus defeating the reason for using VoIP on these devices in the first place.

However, if we take a look at some of the VoIP clients offerings available we notice that a few of these clients have the ability to receive incoming calls, even when the software it self is not running.

At first sight this seems to be a Good Thing – however, there are severe security implications by doing this. Users will in fact willingly, put them self under a man-in-the-middle attack.

3rd party proxies

Before continuing, let me use two pretty well known mobile applications as an example: Fring and Nimbuzz. Both applications support a whole slew of different means of communication – but if we take a closer look at the physical size of these program it become quite apparent that these applications does not have all the code for all the various services they let the user access.

The general rule is that these client providers will act as a proxy between the users client and the users service provider. Basically, when setting up your Nimbuzz client for SIP usage – it is not the client that will connect to your SIP server, but a server in the Nimbuzz network.

So in effect, Nimbuzz and Fring does keep a copy of your SIP credentials. It is unclear if they store the credential when the users client is not online.

SIP and the Apple Push Notification Service (APNS)

This is the new kid on the block. For quite some time now, the iDevices have had the ability to receive Push Notifications. This is something that could be of great use, and Apple has on numerous occasions stated how this technology can be used.

In practice a service provider can use the APNS to send out notifications to a specific iDevice. As far as I know, Apple has put no restriction on the content of such notifications.

What is happening behind the scene, is that SIP credentials stored in the iVoIP Client are transferred over to the client providers infrastructure (CPI). A server in the CPI will then re-register itself as a SIP client to your SIP server, with your SIP credentials.

When an incoming calls are present, the SIP signaling will be sent to the server in the CPI – and this server will then send out a Push Notification over the APNS netowrk, ending up in your iDevice. When the device receive the notification, it will display some information to the user. If the user confirm the notification – the VoIP Client is started, registering to your SIP server and will then accept the call.

In my opinion, giving away your SIP credentials to a 3rd party you have no control of, seems like a very bad idea. I also suspect that most service providers Acceptable End User Policy prohibit a user to give away his SIP credentials.

None of the companies providing 3rd party proxy solutions as their core business have, as far as I have found, publicly shown any documentation from a 3rd party stating that they do have a well funded security policy that is being upheld.

I do suspect that these companies are prime target for Black Hat telecom hackers. Just getting access to thousands of thousands SIP accounts which can be resold IS a tempting target.

Possible solutions

The easiest way out of this mess if of course not to enable the client to use the APNS network. However, this defeat using a iVoIP Client efficiently.

A much better solution would be for the CPI to offer a WebService solution.

When a call comes into the switch/PBX, the switch could then do a WebService call to the CPI, and the CPI would then issue the Push Notification message over the APNS.

This is a clean and efficient solution that will have the same result for the end user, without compromising security: A Push Notification message of a incoming call – enabling the iDevice to start up the iVoIP Client and let the client handle the call.

Another solution could be to let companies with their own APNS agreement, send out their own Push Notifications. I have not spent too much time with the rules that Apple have for the APNS, so I can not say if this is in fact possible.

Added RSS Cloud plugin to this site (and what that means)

Fri, 11 Sep 2009 12:38:45 -0700

For those interested in the underlying plumbing of this site, today I added the RSS Cloud plugin for WordPress to this site that is described in more detail in this post: “RSSCloud for WordPress”

What does this mean for you as readers?

In the short term, not much. The only RSS Cloud-enabled reader right now is Dave Winer’s River2.

However, both RSS Cloud and PubSubHubbub are moving us closer to a “realtime” web where you as a reader can “subscribe” to feeds and receive updates as soon as those feeds are updated. Currently, when you “subscribe” to our RSS feed, you only see updates when your news reader polls the feeds to which you are subscribed. Given that a good number of feeds may not have changed since the last polling interval this process is also quite a waste of packets.

So the idea is to move from a “polling” paradigm to one of “subscribe/notify”. Much more will be happening in this space in the time ahead. In the meantime, if you do use River2 or any of the other readers that may support the RSSCloud tag, you’ll be able to interact with the Voice of VoIPSA blog in that model.

P.S. Yes, I’m also working to add the PubSubHubbub plugin for WordPress to this blog, but I’ve run into a technical issue I’m trying to debug.

Stoned Bootkit

Wed, 09 Sep 2009 07:22:04 -0700

Typically I don’t follow the deluge of Windows rootkits available because the sheer number and variety make diligently understanding all of them more than fairly daunting. After all, given limited resources, one must choose their battles and specialties in the security field.

That said, occasionally a Windows rootkit surfaces that is so mean, nasty and downright cool, that it becomes a must-know. Such is the case with the newest release of Stoned Bootkit. Be sure to go to their site and check it out, along with the paper, but here are a few highlights:

Attacks Windows XP, Sever 2003, Windows Vista, Windows 7 with one single master boot record Attacks TrueCrypt full volume encryption Has integrated FAT and NTFS drivers Has an integrated structure for plugins and boot applications (for future development

Understanding the threats that Windows rootkits like this pose to VoIP security, especially on end users, is key.

Home Medical Devices and VoIP Security

Wed, 02 Sep 2009 10:10:57 -0700

With all the hubbub surrounding medical insurance reform, town hall meetings, and other ~~distractions~~ events it’s worthwhile looking at some of the technical medical devices coming into the marketplace to be placed in patients’ homes, connected to their broadband internet connection.

Of several products in the patient home monitoring space, the Intel Health Guide PHS 6000 is perhaps one of the better positioned to garner marketshare because of several factors: including the size of Intel, on-going placement of the PHS 6000 in settings, and FDA approval in July, 2008.

Of the many PHS 6000 features, the device also supports two-way video conferencing between patient and caregiver. As this communication takes place over the broadband connection, it’s reasonable to assume that some sort of VoIP software is in place. Of course, details at this point are thin, and it’s even hard to get a real handle on what the PHS 6000 operating system really is, with some reports indicating Microsoft Windows XP, and others indicating a embedded Linux derivative. Still, it looks like there is a VoIP stack, and it’s likely SIP-based.

Clearly, the importance of the security of devices like the Intel PHS 6000 is apparent. And with the growing interest and funding towards cost-reduction and tele-health, we can expect to see these types of devices deployed widely. But what of the security posture? Sure, there’s boasting of encryption for the connection, but features like SSL mean little in the face of real attacks and vulnerabilities — think SSL encryption downgrade attacks, spoofing and man-in-the-middle vectors to start.

To get the word out, I’ve started a LinkedIn group called MedSec to get together like-minded, talented security people with an interest in medical device security. I’ve been chumming the waters with this approach in the hopes that the right people with the right connections conduct proper security evaluations of this PHS 6000 device, and it’s back-end management system as well. Of course, if approached, I’m interested in some hand’s on time too

Skype Trojan Records Your Calls

Mon, 31 Aug 2009 13:34:36 -0700

Apparently there’s a new piece of malware floating around that targets audio processors like Skype:

The Trojan has the ability to record audio from the computer — including any Skype calls in progress — and store the files locally in an encrypted MP3 file, where they can later be transmitted to the attacker.

The Trojan, which Symantec calls Trojan.Peskyspy, can be downloaded to a computer by tricking the user with an email scam or other social engineering tactic, Symantec says. Once a machine has been compromised, the threat can exploit an application that handles audio processing within a computer and save the call data as an MP3 file.

Something Old, Something New: Nmap’s VoIP Fingerprinting

Wed, 12 Aug 2009 14:53:51 -0700

Over time, it’s easy to become a bit out of touch with security tools. With new tools arriving on the scene daily, and updates to established tools occurring frequently, the deluge of information can be overwhelming; not to mention all of the other security fodder we process.

That said, I find it encouraging to revisit some of the really established tools to see what changes and improvements are in place. Nmap is without a doubt the classic security tool in every aspect, from quality, to longevity, to street credibility. Even Hollywood has clue when it comes to Nmap, as evidenced in Matrix, Bourne, and Die Hard films with Nmap showing up on someone’s computer screen!

One of my favorite Nmap features is the OS Identification and Application Fingerprinting capabilities. In part, this type of identification relies on the Nmap community scanning known devices and submitting signatures to be added to the Nmap databases (service probes, OS, etc.).

As of 21 July, 2009, the Nmap OS database has the following VoIP device Fingerprints:

Also, it’s well worth taking a look at the VoIP devices identified in the Nmap Service Probes database as services that identify a VoIP device do not necessarily mean that the VoIP device has a fingerprint. In other words, there are VoIP devices in the Service Probes database that are not in the OS Fingerprint database, so look carefully!

For even more coolness, be sure to check out the NSE.

Wrapping-up, I’ve nothing less than mad props for Fyodor and all of the other folks who’ve contributed to this fantastic tool. Nmap was one of the first tools I used 10 years ago when first cutting my teeth in security, and remarkably, is a tool that I continue to use almost daily.

First 911 Center to support SMS

Fri, 07 Aug 2009 13:32:01 -0700

Recently multiple news outlets reported on Waterloo, Iowa’s Black Hawk County 911 center’s new SMS capability.

While this subject is not specifically VoIP security, considering the blending of communications methods and the importance of 911 call centers I figure that SMS in this context is fair game for a VOIPSA Blog post.

Several security implications surrounding this new 911 SMS capability come to mind:

Time Delays in SMS transmissions – we’ve all experienced some delay, from marginal to extended, when it comes to sending and receiving SMS messages. What remains unclear from reports is if the carriers supporting 911 SMS in Black Hawk County give SMS to 911 communication priority network access, either initially and/or throughout the entire SMS dialog.

Lingo – SMS messages are limited to 160 characters. As a result, acronyms and texting lingo are pervasive. Reports say the 911 operators are brushing up on their texting lingo in preparation. I sure do hope they are using decent resources, such as TLLTMSIFW, so when HIOOC comes in IDGARA is the right response.

Flooding – sending mass amounts of SMS messages could adversely affect the call center’s operations. Using pre-paid phones, bluetooth dongles and simple software, an attacker with marginal resources could initiate this kind of attack with ease. How will 911 call centers handling SMS handle floods of SMS messages? The nuisance facter here should not be underestimated; here’s some good anecdotal experience

SMS Spoofing – with the advent of various spoofing services, we’ve seen the types of attacks that can leverage spoofing. SpoofCard time and again has unauthorized access to voicemail, and still an issue with some carrier’s default user settings. We can expect to see the same issues with SMS spoofing.

SMS Swatting – will likely be a byproduct of spoofing SMS messages to 911 call centers. However, the use of SMS brings a new twist to Swatting, since the spoofed SMS message will be tied to a cellular phone, rather than a fixed landline number, perhaps leading to mobile Swatting as law enforcement will need to track the mobile phone (GPS, triangulation) to gain physical proximity the the SMS origin.

MMS – while no mention is made in the news reports about MMS support at 911 call centers, I think it’s reasonable to assume that ability to handle multimedia messages is in the works. The implications of moving from 160 characters of text to multimedia messaging with attached video/photos are dramatic. Further, this opens new attack vectors in terms of how these multimedia files are processed and accessed (think trojan Flash, PNG, etc.).

I’ve only scratched the surface here of course, but hopefully this provides some food for thought — as always, comments welcome

Google Trends on VoIP Security

Tue, 28 Jul 2009 14:22:40 -0700

I’ve recently been using Google Trends for some research, and find it an interesting tool for, well, trending. Doing a Google Trends profile of VoIP Security shows an interesting tailing-off. So what’s the story? Is this just another case of “it’s all the same, nobody cares” in action?

Testing twitter integration with TypePad

Dan York — Tue, 07 Apr 2009 02:21:14 -0700

Just testing Twitter integration... I have a growing suspicion that TypePad only notifies Twitter if you write your post online using TypePad's interface. But of course, I don't. I write almost all my posts offline using the MarsEdit editor. Let's see if this shows up in http://twitter.com/blueboxpodcast

Blue Box is now on Twitter... and new shows are coming...

Dan York — Tue, 07 Apr 2009 01:54:08 -0700

FYI, if you use Twitter, you can now find out when new shows are out and/or interact with Jonathan and I by following us at:

http://twitter.com/blueboxpodcast

And yes, new shows are on the way. I've been a wee bit busy with a recent job role change and Jonathan's had some crazy times on his end as well... but soon... real soon...

eComm 2009: Dan, Jonathan and Martyn together for the first time

Dan York — Mon, 09 Mar 2009 01:45:04 -0700

Last week at the Emerging Communications Conference (eComm) 2009 in San Francisco, a remarkable event happened: Jonathan Zar, Martyn Davies, and I (Dan York) all wound up at the same place at the same time. Over the 3.5 years since we started Blue Box back in October 2005, Jonathan and I have met at events, Martyn and I have met and Jonathan and Martyn have met. But the three of us had never been together at the same place.

Now the particular place we met was a "Dev Dinner" hosted by (my employer) Voxeo after the end of eComm - and we had some great conversations along with the food. Martyn produced his camera and we did record the actual event:

Alas, it was too noisy there for us to do any actual recording, but it was great to have all three of us there. For those who may not recall the history, Martyn was one of our earliest listeners and is the person who provided both the image that we use for Blue Box (in iTunes, in the MP3 file, etc.) and also the music that we use for the intro and outro. He's also guest-hosted several times and contributed a couple of interviews over the years.

P.S. And yes, Jonathan and I will be getting some more shows out...

Technorati Tags: bluebox, blue box, danyork, dan york, jonathan zar, martyn davies, ecomm, ecomm09

Speaking on "SIP Trunking and Security" at ITEXPO in Miami Feb 3rd

Dan York — Fri, 23 Jan 2009 00:51:13 -0800

If you will be in Miami at ITEXPO February 2-4 you are welcome to attend a free "SIP Trunking And Security" session I (Dan York) will be doing as part of Ingate Systems' SIP Trunking Workshops. The SIP trunking workshops are free to all attendees even if you only register for an exhibit pass.

My session will be 11:15-12:30 on Wednesday, February 3rd, and if you do attend please feel free to come up and introduce yourself (or drop me a note in advance to let me know to look out for you). I'll be bringing my recording gear, too, and the talk will eventually go out in my Blue Box Podcast feed so you will be able to hear it later.

P.S. If you are attending ITEXPO and your company makes a product or provides a service related to VoIP security, please feel free to let me know and perhaps we can schedule an interview to go out as a Blue Box Special Edition.

Technorati Tags: danyork, itexpo, miami, voipsa, voip security, sip trunking, sip, sip security, security

FYI - "Security Bloggers Network" in transition... stay tuned...

Dan York — Tue, 18 Nov 2008 11:22:12 -0800

For those of you who may be used to reading this blog through the "Security Bloggers Network" set up originally by Alan Shimel, you need to be aware that the "SBN" is going through a transition. As Alan details on his blog, Google is in the process of shutting down the "Network" feature of Feedburner and as a result the page and feed for the SBN will be going away.

Alan is working on a new solution but in the meantime you may want to grab the OPML file for the Security Bloggers Network (you should then be able to import this into most feed readers). There are a lot of great security blogs out there.

Stay tuned for more information - once Alan has another solution in place I'll post an update.

RSS feed back...

Dan York — Sun, 26 Oct 2008 20:24:16 -0700

It looks like FeedBurner finally refreshed its DNS info and the RSS feed is back in action. My apologies for the interruption. Please do let me know if there is anything else strange going on with the website or feed. Thanks.

Blue Box RSS feed dead - waiting for Feedburner to update its DNS

Dan York — Sun, 26 Oct 2008 01:24:43 -0700

Ah, the joys of switching domain name providers. I transferred blueboxpodcast.com from one registrar to another last week shortly before the domain name was set to expire. Unfortunately, I made one serious mistake - I didn't check the DNS nameservers for the domain at the new registrar (GoDaddy) to ensure they were pointing to the new nameservers. They weren't... they will still pointing to the old nameservers. As a result, when the domain name expired at the end of the day on Friday, the web site was no longer available and had the message that the domain name had expired.

MANY THANKS to the couple of you who contacted me on Saturday to let me know about this!

So I fixed the web site yesterday morning so that "www.blueboxpodcast.com" pointed over to TypePad, where I host this site, and that all seems to be back in action. If you type in "blueboxpodcast.com" without the "www", it was going to a generic GoDaddy page but I've set up the forwarding now so that this should now redirect you to www.blueboxpodcast.com once the DNS propagation occurs.

What is still dead, though, is the RSS feed... which is rather annoying since that is what podcast subscription tools like iTunes use! In working through the issues this morning, it appears to be the issue that

Feedburner is not using the updated DNS information.

The Blue Box RSS feed, which is http://feeds.feedburner.com/BlueBox is somehow pointing over to the old page. Yet the base feed for this site, http://www.blueboxpodcast.com/atom.xml resolves perfectly fine and does have the RSS information. (Please don't switch to subscribe to that one... I do like the stats I get through Feedburner.)

So it appears that I'm waiting for FeedBurner to update its DNS. I've tried all sorts of options in the FeedBurner settings, including the "Resync Feed" but nothing works because it seems that it is unable to get to the new site (because of DNS).

I've filed a help request in the FeedBurner Google Group (which appears to be the only way to get help). Hopefully FeedBurner will age out its DNS info soon and the feed will be back in action.

What I find strange, though, is that I'm 99% sure that all the DNS records had a TTL of 1 hour (and I'm 100% positive the new ones do). So my question to FeedBurner is - if that is the case, why aren't they respected the TTL settings of the domains?

I'll update this post once I have more information.

Technorati Tags: feeds, rss, feedburner, google, dns, bluebox

Three years of Blue Box podcasts....

Dan York — Fri, 24 Oct 2008 15:35:20 -0700

Today is a special day for me. It was three years ago on October 24, 2005, that Blue Box Podcast #1 was uploaded. It was an 11-minute episode where I talked about... Skype security, SIP security, IETF, VOIPSA and some other VoIP security news..... (Hmmm... sounds lot like our recent shows, too, eh?)

Jonathan Zar joined me a week later on Blue Box Podcast #2 and we've been going ever since. We've now produced over 112 episodes, had close to 245,000 downloads of our various shows, met some amazing people, learned a lot along the way... and hopefully helped you all learn a lot out there as well.

Thank you to all of you who have joined with us on this journey... whether you've listened to our show from the very beginning (and we know of a couple of you who have) or have only recently joined in... thank you!

And now... on to the next three years... :-)

Technorati Tags: blue box, bluebox, dan york, danyork, jonathan zar, security, voip, voip security, voipsa

Blue Box #85: Internet phone calls and terrorism, Georgia Tech report on Emerging Cyber Security Threats, phone jamming, 802.1X-REV, 802.1AE, VoIP security news and more

Dan York — Thu, 23 Oct 2008 08:42:11 -0700

Synopsis: Blue Box #85: Internet phone calls and terrorism, Georgia Tech report on Emerging Cyber Security Threats, phone jamming, 802.1X-REV, 802.1AE, VoIP security news and more

Welcome to Blue Box: The VoIP Security Podcast #85, a 32-minute podcast from Dan York and Jonathan Zar covering VoIP security news, comments and opinions.

Download the show here (MP3, 15 MB) or subscribe to the RSS feed to download the show automatically.

You may also listen to this podcast right now:

Show Content:

00:20 - Intro to the show, contact information and how to provide comments. Welcome to all the new listeners - and to all those listeners who have been here for so long!
Programming notes:
- Three-year anniversary of Blue Box coming up on October 24th - any thoughts you'd like to share with us? (Please send them to us by October 23rd.)
The Times: "Internet phone calls are crippling fight against terrorism" - and my response on the Voice of VOIPSA blog
FierceVoIP: "UK crimefighting concern over VoIP calls, social networks"
BBC: Data powers behind the times
GA Tech Survey (PDF) (link about the GA conference )
Dark Reading: Cellphone Botnets, Blackmailing VOIP & a Healthy Cybercrime Economy
bMighty.com: Georgia Tech Security Report Scarier Than Its Football Team
cNet: Botnets on cell phones in 2009?
telecoms.com: Smartphone is a hotbed of security issues
VNUnet: Security industry falling behind hackers
AP: Phone Jamming in NH
GigaOm: EEF Challenges Telco Immunity in Court
Information Week: New Protocols Secure Layer 2
Voice of VOIPSA: Asking The Cisco Systems IPICS and JPS Raytheon ACU-2000 Experts: Questions 36-40
Other Voice of VOIPSA articles
snom technology AG: snom 820 combines mature VoIP technology with exclusive design
IDC Finds Increasing Hype Around Unified Communications Is Affecting How Customers Select Telephony Systems and Services (interesting movement in the top vendors used - Nortel out and IBM in)
Peerless VoIP Peering
Comment (IM) from Christian Wieser
Review of the last week's traffic on the VOIPSEC public mailing list
Wrap-up of the show
32:10 - End of show

Thank you for listening and please do let us know what you think of the show.

Blue Box's 3-year anniversary coming up on Friday...

Dan York — Mon, 20 Oct 2008 13:22:21 -0700

It was three years ago Friday, on October 24, 2005, that I uploaded Blue Box Podcast #1, an 11-minute show where I introduced the show, talked about VoIP security news (To no surprise, I was talking about Skype security!), some projects of VOIPSA and some other podcasts people might find interesting. A week later, on Halloween 2005, Jonathan joined me in Blue Box Podcast #2 and we were off and running...

Three years later... 84 main Blue Box episodes (with one more recorded) .... 26 Special Editions (with about 10 in the queue)... almost 250,000 downloads... we're still here and, with an admitted bit of a rough patch this summer, are still going along creating shows and enjoying what we do.

Jonathan and I are planning to record a 3-year show on this coming Friday, October 24th, and if you have any comments you would like us to include in that show, please do get them to us by the end of the day on Thursday, October 23rd. You can send them to us via:

Email to blueboxpodcast@gmail.com
Phone to +1-415-830-5439
Phone via SIP to sip:bluebox@voipuser.org

The show started out 3 years ago as really an experiment in seeing whether or not podcasting could be used to reach out to very specific audiences... and it's been both fun, amazing and interesting to see how well it's done.

Thank you to all of you who have continued to listen and contribute over the years!

Technorati Tags: blue box, bluebox, voip, voip security, security, dan york, jonathan zar, voipsa

Blue Box #84: New Cisco, Avaya, Nortel VoIP security vulnerabilities from VoIPShield, Skype in China, UCSniff and other new tools, news and more

Dan York — Mon, 20 Oct 2008 02:32:18 -0700

Synopsis: Blue Box #84: New Cisco, Avaya, Nortel VoIP security vulnerabilities from VoIPShield, Skype in China, UCSniff and other new tools, news and more

Welcome to Blue Box: The VoIP Security Podcast #84, a 30-minute podcast from Dan York and Jonathan Zar covering VoIP security news, comments and opinions.

Download the show here (MP3, MB) or subscribe to the RSS feed to download the show automatically.

You may also listen to this podcast right now:

Show Content:

00:20 - Intro to the show, contact information and how to provide comments. Welcome to all the new listeners - and to all those listeners who have been here for so long!
Programming notes:
- Three-year anniversary of Blue Box coming up on October 24th - any thoughts you'd like to share with us? (Please send them to us by October 23rd.)
VoIPShield announces new vulnerabilities and http://www.voipshield.com/research.php
http://www.theregister.co.uk/2008/09/30/voip_eavesdropping_tool/
"Sipera Develops VoIP Spy Program - to Prove a Point" - http://www.voipplanet.com/trends/article.php/3776136
SecureLogix Announces Free Availability of VoIP Security Tools
NY Times: Surveillance of Skype Messages Found in China - http://www.nytimes.com/2008/10/02/technology/internet/02skype.html?_r=2&partner=rssnyt&pagewanted=print
http://securitywatch.eweek.com/privacy/skypechina_breach_is_anyone_really_surprised.html
http://www.informationweek.com/news/telecom/voip/showArticle.jhtml?articleID=210605439
Skype CEO's blog post about the issue: http://share.skype.com/sites/en/2008/10/answers_to_some_commonly_asked.html
http://www.itbusinessedge.com/blogs/top/?p=398
http://www.voip-news.com/feature/google-phone-europe-growth-092408/
http://www.itnewsafrica.com/?p=1269
http://news.cnet.com/8301-1009_3-10052393-83.html
http://www.broadbandreports.com/shownews/VoIP-Vulnerabilities-Being-Exposed-Today-98039
http://www.itbusinessedge.com/blogs/top/?p=402
http://voipsa.org/blog/2008/10/07/5th-emergency-services-workshop-to-be-held-oct-21-23-in-vienna/
http://eon.businesswire.com/news/eon/20080924005342/en
http://www.crn.com/security/210602442
http://it.tmcnet.com/topics/it/articles/41236-infoblox-unveils-dns-firewall-address-dns-vulnerability-concerns.htm
http://www.newswire.ca/en/releases/archive/September2008/29/c9005.html
No comments this week.
Review of the last week's traffic on the VOIPSEC public mailing list
Wrap-up of the show
30:26 - End of show

NOTE: Long-time listeners will note that the show notes above are in a less descriptive form than usual. After almost three years of using one wiki for preparing for our shows, Jonathan and I switched to using a new system and are still working out some of the details that will speed the input into show notes.

Thank you for listening and please do let us know what you think of the show.

Blue Box #83: SIP and Asterisk vulnerabilities, voice biometrics, P2PSIP, Aircell blocking Skype, VoIP security news and more…

Dan York — Thu, 16 Oct 2008 04:10:43 -0700

Synopsis: Blue Box #83: SIP and Asterisk vulnerabilities, voice biometrics, P2PSIP, Aircell blocking Skype, VoIP security news and more…

Welcome to Blue Box: The VoIP Security Podcast #83, a 39-minute podcast from Dan York and Jonathan Zar covering VoIP security news, comments and opinions.

Download the show here (MP3, 18MB) or subscribe to the RSS feed to download the show automatically.

NOTE: This show was recorded on September 4, 2008.

You may also listen to this podcast right now:

Show Content:

00:20 - Intro to the show, contact information and how to provide comments. Welcome to all the new listeners - and to all those listeners who have been here for so long!
Programming notes:
- Three-year anniversary of Blue Box coming up on October 24th - any thoughts you'd like to share with us? (Please send them to us by October 23rd.)
Remote DoS in reSIProcate
Remote root shell in Trixbox
Second route of VoIPShield Cisco/Avaya/Nortel vulnerabilities
AST-2008-010 – IAX2 ‘POKE’ Resource Exhaustion
AST-2008-011 – IAX2 Firmware Provisioning System
Saunderslog: Squawk Box – July 10, 2008: Voice biometrics and VoiceVerified.com
Saunderslog: Squawk Box – July 9, 2008: P2PSIP
IETF: P2PSIP Security Requirements
Voice of VOIPSA: “Aircell blocking VoIP on a plane” – part 1 , part 2 and an update
Voice of VOIPSA: Shawn Merdinger’s series on “Asking The Cisco IPICS Expert” – Questions 1-5 – 6-10 – 11-15 – 16-20 – 21-25
Voice of VOIPSA: Asterisk ‘hack’ to show blocked Caller-ID points to larger trust issues with SIP (and SpeechTEK speech)
NetworkWorld: Georgia student arrested for hacking grades, VoIP
CRN: Analysis: Hacking VoIP as easy as 1-2-3
Ari Takanen starts blogging at InfoWorld
InfoWorld: Motivation for VoIP Fuzzing
TMCnet: How to keep your tech career afloat
New analyst report: Security Threats Loom Over Unified Communications pointing to Light Reading report and article
VoIP Companies to Fight For Market Share
IEEE approves 802.11r standard
Google Chrome – upgrading the web to be application-centric
Items on my DisruptiveTelephony blog… Skype 5th birthday, Asterisk future, Digium/Nortel
No comments this week.
Review of the last week's traffic on the VOIPSEC public mailing list
Wrap-up of the show
39:08 - End of show

Thank you for listening and please do let us know what you think of the show.

Blue Box SE#026 - Astricon 2007 presentation on VoIP security and Asterisk

Dan York — Wed, 03 Sep 2008 12:54:03 -0700

Synopsis: Blue Box Special Edition #26: Astricon 2007 presentation - "Hacking and Attacking VoIP Systems: What you need to worry about"

Welcome to Blue Box: The VoIP Security Podcast Special Edition #26, a 55-minute podcast from Dan York and Jonathan Zar covering VoIP security news, comments and opinions.

Download the show here (MP3, 6MB) or subscribe to the RSS feed to download the show automatically.

You may also listen to this podcast right now:

Show Content:

A year ago in September 2007, I (Dan York) spoke at Astricon 2007 in Arizona, USA, about "Hacking and Attacking VoIP Systems: What You Need To Worry About" My presentation covered a lot of the typical VoIP security threats, tools and best practices but also expanded a bit into specific security issues with Asterisk. Please do keep in mind that it has been a year since this presentation and so some of the issues I mention have been addressed. (Astricon, for those who don't know, is an annual developer conference for those who work with the Asterisk open source telephony platform. Astricon 2008 is, in fact, coming up in about 3 weeks but I will not be attending this year.)

The slides for this talk are available from Slideshare:

Hacking and Attacking VoIP Systems - What You Need To Know

View SlideShare presentation or Upload your own. (tags: voip voipsecurity)

(And yes, at some point I'll sync the audio with the slides.)

Production assistance on this Special Edition was provided by Michael Graves who had a very tough task given the poor quality of the recording that I gave to him! Kudos to Michael for getting it to sound as good as it does.

Thank you for listening and please do let us know what you think of the show.

Blue Box #82: Asterisk & Skype security vulnerabilities, new VoIP security tools, VoIP steganography, VoIP security news and much, much more...

Dan York — Wed, 27 Aug 2008 13:53:17 -0700

Synopsis: Blue Box #82: Asterisk & Skype security vulnerabilities, new VoIP security tools, VoIP steganography, VoIP security news and much, much more...

Welcome to Blue Box: The VoIP Security Podcast #82, a 47-minute podcast from Dan York and Jonathan Zar covering VoIP security news, comments and opinions.

Download the show here (MP3, 21MB) or subscribe to the RSS feed to download the show automatically.

NOTE: This show was originally recorded on June 21, 2008.

You may also listen to this podcast right now:

Show Content: