June 03, 2008

Is Craigslist blocking VoIP, Prepaid phone numbers in anti-spam effort?

Is Craigslist really blocking phone numbers from VoIP service providers or pre-paid cell phones as an anti-spam measure?

Last night over on the VoIPinsider blog, Cory Andrews wrote that Craigslist is apparently blocking VoIP or prepaid cellular numbers as part of their anti-spam measures. Now I'm a huge fan of Craigslist and we've sold lots of items (including, now, our house) via Craigslist. But we've also seen the spam out there and personally been contacted in response to one of our ads by a sleazy individual who was trying to scam us out of money. Techdirt, in fact, says that the battle has been lost and that the spammers are taking over Craigslist. While it wasn't that dreadful in the Vermont Craigslist area, there certainly was some spam and you can understand the folks there wanting to do all they can to block spammers.

But to block VoIP service providers? Just as increasingly large numbers of users move over to VoIP services?

THE APPARENT ACTIONS

It seems a rather draconian - and misguided - measure. As the VoIP Insider article states:

A few months back, Craigslist instituted a telephone verification process that places an automated outbound call to a user placing a classified ad in certain categories. The call delivers a unique code using text to speech, which is then used by the poster to authenticate the ad they are placing.

This is an effective measure for dealing with spam, and a great thing for legitimizing the Craigslist user experience….but not so great if you are a Craigslist user and you also happen to be a VoIP or prepaid cellular user.

The problem is that Craigslist is categorically blocking legitimate VoIP and Pre-paid cellular users from authenticating themselves.

While I've not encountered the phone verification process in any posting I've done to Craigslist (but have seen CAPTCHA images all the time), I can see how the process would be useful in combating spammers. The article goes on:

Craig’s uses a 3rd party service, ReduceFraud.com to screen out VoIP and Pre-paid cellular numbers, and will not deliver an automated verification call to a number that is determined to be such. (Since only SPAMMERS use VoIP and Pre-Paid Cellular!!!) What sophisticated algorithm does ReduceFraud.com use to identify VoIP numbers, you ask? They check the DID number to see who owns the NPA NXX X number block, and if the DID number is owned by Level 3 Communications, they classify it as VoIP of course. Whizbang!

Oops.

My immediate question was whether this is for all VoIP service providers. This BroadbandReports.com forum thread would seem to indicate that "fixed lines", even fixed VoIP lines, would come up as okay. So phone numbers from VoIP services from telephone carriers or cable providers would probably be okay. So it may just be the phone numbers of VoIP service providers who are not tied to a fixed infrastructure (and who provide connectivity to so many of the innovative services out there today!).

THE PROBLEM

There are, though, some fairly obvious problems with this approach to blocking phone calls:

  1. LOCAL NUMBER PORTABILITY - Here in North America, phone numbers are "portable" (to a degree) via "Local Number Portability" (LNP) between carriers. A lookup of who owns the NPA-NXX-X block only tells you which carrier the block was originally assigned to; once a number has been ported, the carrier actually serving it is recorded only in the LNP database (the NPAC in the US). So a phone number that comes up as "fixed" by block ownership may in fact go to a VoIP service (and possibly to a spammer) due to LNP. Perhaps the third-party service used by Craigslist is doing LNP database lookups, but a block-owner check alone will not catch this.

  2. FORWARDING SERVICES - There are plenty of services (including one identified in the VoIP Insider article) that will forward calls to another phone number. I could even do this easily with something like Asterisk running on my (fixed) home phone number that then forwarded the call out via SIP.

It seems to me that it would be relatively trivial for any serious spammer to obtain a "fixed" phone number that would defeat this blocking mechanism. Certainly this would block some of the less savvy spammers who are just trying to use disposable phone numbers... but in the meantime it may well block legitimate posters who happen to use telephone numbers from VoIP service providers.
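To make those failure modes concrete, here is a small Python sketch. It is added here as an illustration and is not Craigslist's or ReduceFraud.com's code; the number blocks, carrier names and ported-number records in it are made up for the example. It implements the block-ownership screen as the VoIP Insider article describes it, then the same screen with a ported-number lookup in front of it, so you can see a legitimate VoIP number in a wholesale block get refused while a number ported out of a "fixed" block into a VoIP service gets through:

```python
import re

# Constructed thousands-block (NPA-NXX-X) assignments, standing in for the
# block-owner data the screening service consults. These rows are invented
# for the example; none is a real assignment.
BLOCK_OWNER = {
    "8025550": "Example Telephone Co",        # wireline ILEC block, "fixed"
    "8025551": "Level 3 Communications",      # wholesale block used by VoIP providers
    "8025552": "Example Prepaid Wireless",    # prepaid cellular block
}

# How the screen categorises each carrier (also constructed for the example).
CARRIER_TYPE = {
    "Example Telephone Co": "fixed",
    "Level 3 Communications": "voip",
    "Example Prepaid Wireless": "prepaid",
}

# Constructed Local Number Portability records: full number -> carrier now
# serving it. A real screen would need an LNP/NPAC query to see these.
PORTED = {
    "8025550123": "Level 3 Communications",   # fixed block, but ported to VoIP
}


def normalize(number: str) -> str:
    """Reduce a North American number to its 10 digits (drop formatting and a leading 1)."""
    digits = re.sub(r"\D", "", number)
    if len(digits) == 11 and digits.startswith("1"):
        digits = digits[1:]
    if len(digits) != 10:
        raise ValueError(f"not a 10-digit NANP number: {number!r}")
    return digits


def classify_by_block(number: str) -> str:
    """The screen as described: look only at who owns the NPA-NXX-X block."""
    digits = normalize(number)
    owner = BLOCK_OWNER.get(digits[:7])
    return CARRIER_TYPE.get(owner, "unknown")


def classify_with_lnp(number: str) -> str:
    """Same screen, but consulting the ported-number table first."""
    digits = normalize(number)
    owner = PORTED.get(digits) or BLOCK_OWNER.get(digits[:7])
    return CARRIER_TYPE.get(owner, "unknown")


def verification_call_allowed(number: str, use_lnp: bool = False) -> bool:
    """Deliver the automated verification call only to numbers classed as fixed."""
    kind = classify_with_lnp(number) if use_lnp else classify_by_block(number)
    return kind == "fixed"


if __name__ == "__main__":
    # A legitimate user whose VoIP provider draws numbers from the Level 3
    # block is refused, although nothing about the number says "spammer".
    print(verification_call_allowed("802-555-1234"))                  # False
    # A number ported out of a wireline block to a VoIP provider passes the
    # block-only check, and is caught only if the screen also queries LNP.
    print(verification_call_allowed("(802) 555-0123"))                # True
    print(verification_call_allowed("(802) 555-0123", use_lnp=True))  # False
    # Call forwarding is set up at the terminating carrier after the number
    # is assigned, so neither lookup can detect a "fixed" line that forwards
    # to SIP.
```

The forwarding case is the one no database lookup helps with: the verification call is delivered to a perfectly ordinary wireline number, and where it goes after that is invisible to the caller.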

THE ANSWERS?

So is Craigslist really blocking VoIP phone numbers? Garrett Smith (from VoIP Insider) indicated in an email that someone there was in touch with Craig, and Craig indicated he was not personally aware of the blocking. Obviously, someone within the Craigslist organization has engaged this external company, ReduceFraud.com, in their ongoing efforts to fight spam, and the blocking seems to originate there. What needs to happen now is some conversation with those folks to understand exactly what they are doing.

We'll have some conversation, in any event, about this issue on today's Squawk Box at 11am US Eastern Time. Feel free to join us if you would like (you need to login via Facebook).

It's an interesting question - in the era when people can obtain cheap (even free) "disposable" phone numbers, how do you balance providing access to legitimate users while blocking using those numbers as a way to spam or perform other malicious actions?


April 04, 2008

My "Black Bag Security Review" hits IT Conversations' Top 10 Downloads for March 2008...

I was rather surprised but pleased to see that my "Black Bag Security Review" was on the list of the "Top Ten IT Conversations Shows for March 2008". My "surprise" was mostly because that particular talk is over a year old and was given at the ETel 2007 show back at the end of February 2007.

To be honest, I was not actually aware (or didn't remember, anyway) that the IT Conversations Network had distributed my talk but I'm guessing they did so with a number of the ETel sessions.

Unfortunately, they don't include the slides, which I put up in the Blue Box posting and also just generally made available on SlideShare. Without the slides, I suppose it works perfectly fine... I've just never listened to it that way. It was still one of the most fun presentations I've ever given. Also took a ton of time to prepare. 243 slides in 14 minutes... :-) (I did write up some notes about the presentation and the style, etc.)

Anyway, it's cool to see people discovering that session again. Nice surprise!


March 17, 2008

My presentations at VoiceCon this week...

I'm down in Orlando this week for VoiceCon Orlando and will be part of three sessions. Tomorrow, I'm moderating a panel at 8am on VoIP security and on Thursday I'm moderating a panel on open source telephony. On Wednesday, I'll be part of a keynote panel with Irwin Lazar on "Social networking and enterprise communication", which should be quite fun. I'll include below the full descriptions of the various sessions. If you are attending VoiceCon and want to connect, please do contact me.

Session Title: Top VOIP Security Threats
Date: 3/18/2008
Time: 8:00 AM
Room: Osceola B
Session Description: There's been a lot of concern about voice over IP security, but have there been many actual exploits? This session will inform you about the state of VOIP security. You'll learn about generalized IP attacks that have affected IP telephony systems deployed on IP networks, and you'll also find out what VOIP-specific attacks have actually been observed "in the wild"--and what to expect in the future.
KEY QUESTIONS: * What are the most serious voice-oriented attacks that are actually being carried out? What potential attacks haven't occurred yet but probably will before long? * How do you protect your VOIP systems against these attacks? * What types of equipment and technologies must you implement to stop voice-oriented attacks? * What specific kinds of damage can these attacks cause?
Moderator(s): Dan York - Dir of Emerging Comm Tech - Voxeo
Panelist(s): Sachin Joglekar - Vulnerability Research Lead - Sipera Systems
David Endler - Director of Security Research - TippingPoint
Mark Collier - CTO - SecureLogix
Session Title: Open Source for Enterprise Voice: How Much, How Soon?
Date: 3/20/2008
Time: 11:45 AM
Room: Sun C
Session Description: Open source PBXs are gaining a higher profile: Asterisk and other open-source PBX software packages continue to gain acceptance, and some traditional PBX vendors have implemented open source code for their products. But these efforts still aim mainly at smaller implementations. In this session, you'll learn why open source PBX software has growing appeal, and whether it will appeal to larger customers as the market progresses.
KEY QUESTIONS: * What level of market share and acceptance has open source PBX software attained? What is expected? * Which products use open source PBX software? * What are the most compelling reasons for choosing open source PBX software? What are the greatest areas of concern in making this choice? * What are the technical challenges of an open-source PBX deployment, and how are these overcome? * What are some real-world customer experiences with open source PBX software?
Moderator(s): Dan York - Dir of Emerging Comm Tech - Voxeo
Speaker(s): M Raza - Product Management - 3Com
Bill Miller - VP, Prod Mgt & Mktg - Digium
Tony Pereira - Business Leader Business Communications - Nortel
Session Title: Social Networking Meets Enterprise Communications
Date: 3/19/2008
Time: 10:30 AM
Room: Osceola C
Session Description: It's no secret that the world of enterprise communications is undergoing a transformation; IP Telephony and Unified Communications are changing the nature of the game. Now new forms of interaction, which began in the consumer/personal communications market -- blogs, wikis and online services like Facebook -- are migrating into the enterprise. Where do these social networking systems -- and mindset -- fit into the enterprise communications landscape? Join us for a discussion about what's real today and what's likely to happen in the future.
Panelist(s):
Dan York - Dir of Emerging Comm Tech - Voxeo
Irwin Lazar - Principal Analyst & Program Director, Collaboration & Convergence - Nemertes Research


March 03, 2008

UK suggests carrying multiple mobile phones may make you a terrorist!


[Photo: "two phone", originally uploaded by Pat2001]

Over the weekend, Pat Phelan posted about a sign in the UK that asks "What if someone with several (mobile phones) seems suspicious?" The paragraph then reads:
Terrorists need communication. They often collect and use many anonymous pay-as-you-go phones, as well as swapping SIM cards and handsets. If you're suspicious of the number of phones someone has, we need to know. Let experienced officers decide what action to take.

On one level, I do understand the point they are trying to make. But on another level, I just think of all the people I know who travel to trade shows and conferences with a whole range of cell phones!





February 04, 2008

IETF "RUCUS" BOF to be held about SPIT...

Over on the Voice of VOIPSA blog today I posted about a new session that has been approved for the IETF 71 meeting coming up in Philadelphia in March, called "Reducing Unwanted Communications using SIP" a.k.a. "RUCUS". Hannes Tschofenig, who submitted the proposal, has created a RUCUS web page and is looking for feedback. I'm planning to be at the RUCUS session at IETF 71 and would encourage others who want to talk about voice spam / SPIT to join in as well!


January 17, 2008

I'll be speaking at Ingate's SIP Trunking Seminars at IT Expo in Miami next week

If any of you will be in Miami next week for Internet Telephony Expo, I will be speaking on VOIPSA's behalf at Ingate's SIP Trunking Seminar Series held in conjunction with IT Expo. Predictably, my session from 8:30-9:45am on Thursday, January 24th is titled "Seminar/myth 1: VoIP is not secure".

If you are going to be down at IT Expo, do check out the full schedule for Ingate's SIP Trunking Seminar Series. They have a good range of speakers and the seminars are free.

If any of you are attending either IT Expo or the SIP Trunking Seminar Series, please do drop a note as I'm always interested in meeting readers.


October 24, 2007

Heading to New York today for Interop... speaking tomorrow on VoIP Security

In a few hours I'll be boarding a plane back to New York where I'll be attending Interop New York this afternoon and tomorrow. If any of you reading this will be there, please do drop an email. Tomorrow, I'll be on a panel at 2:45pm with Jonathan Rosenberg about "Voice-oriented Attacks". (Side note to Interop: Please make it so that we can link to individual sessions instead of having to link to the entire list of "security"-related sessions!) If you aren't aware of who Jonathan Rosenberg is, he works for Cisco and is a huge contributor to IETF efforts related to SIP and in fact was one of the co-authors of RFC 3261 which is the primary RFC defining SIP. He's also the author of "The Hitchhiker's Guide to SIP" which aims to help guide people through the maze of the many, many documents that now are part of "SIP". More relevant to tomorrow's session, he's also the author of a series of NAT traversal protocols for SIP, namely STUN, TURN and now ICE. Eric Krapf, the moderator of the session, is aiming to make it a more interactive and discussion-focused session (i.e. no slideware-to-death)... we'll see if we can make it fun as well. I've also asked Interop for permission to record it and run it as a Blue Box podcast - we'll see if they give me permission.

Note that if you are a CISSP, the ISC2 is holding a member reception today (Wednesday October 24, 2007) starting at 5:30 PM in Jacob Javits Center Room 1EO2 - LEVEL 1. Assuming that everything works with my flights today, I'll be there.

I'll even have some new business cards to give out... ;-)


September 30, 2007

Additional thoughts on Skype and hotel networks - there's issues on both sides...

To my immense surprise, my article yesterday about my challenges with Skype and my hotel Internet connection just hit TechMeme today, so welcome, anyone who is coming my way from there. But that also prompted me to want to offer up some additional thoughts on the subject.

First, I'm actually quite annoyed at the Best Western here in Ontario, CA, for essentially blocking Skype by virtue of their network security traffic policies. If travel should bring me to Ontario, CA, again, you can be pretty sure that I will not be staying here. Skype has become an important communication tool for me and <cue violins>was the way I was intending to call home and stay in touch with my family</violins>. Skype has worked great at the hotel I was at earlier in the week in Phoenix and in fact at every other hotel I've been at lately. I do intend to contact Best Western to express my dissatisfaction at being unable to use the program.

Having said that, as a security professional I do understand WHY the security team at the Internet provider to this Best Western hotel has the policies in place that they do. As Phil Wolff commented, Skype's launch "can look like the beginning of port scanning or a bot-gone-wild". Given that this provider is dealing with hotel rooms where random strangers are connecting who-knows-what onto the network, they have to be extremely vigilant (especially because customers like me will complain quickly if Internet access is slow/unavailable). The more I think about it, hotel networks are really an absolute nightmare from a security point-of-view. You have no way to enforce virus protection, people can put all sorts of machines in all sorts of states onto the network, systems with spyware can easily be scanning/attacking your network - it's really pretty crazy and I'm glad that I'm not involved with running such a network! (Although the security geek in me would admit that the aggregate data they must get from network traffic would probably be fascinating.) However, there is probably a compromise out there where the ISP can tune its filtering rules so that if it sees such traffic and can identify it as Skype traffic, it does not trigger the MAC lock-out.

Which brings me to the final point that there's a lesson here for anyone developing P2P apps, or I suppose any other apps that have a similar traffic profile. If the app generates traffic that looks like a bot or port scan, odds are that it will be blocked in some places like this one (and the hotel Phil was at). It would be great if developers could take that into account and either: a) naturally put in some kind of rate throttling; or b) perhaps provide a "hotel mode" where it throttles back the number of sessions to some (perhaps user-settable but with a default) value. This of course would make things like presence information take longer to appear, but would at least let you continue to operate the program without triggering the network security alarms. Of course, you'd have to change to that mode, which many people would forget to do and wind up being locked out, but it might be an interesting "advanced" option for those who know what to do with it.
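Here is a small Python model of both halves of that trade-off, added as an illustration; it is not code from Skype or from the hotel's ISP, and every threshold in it is an assumption, since neither side has published theirs. One class is the gateway-side check: count new outbound sessions per MAC address over a sliding window and lock the MAC out when the count goes over the limit. The other is the client-side "hotel mode" pacer: a token bucket that lets a burst of connections go immediately and then releases the rest slowly enough to stay under such a limit. The flow records are constructed to resemble what the tech described in the earlier post below (one laptop browsing, another opening 396 sessions in well under a minute):

```python
from collections import defaultdict, deque


def make_sample_flows():
    """Constructed flow records (seconds since start, source MAC, destination
    ip:port, protocol), shaped like a gateway's connection log. Invented for
    the example, not captured traffic; addresses are from the RFC 5737
    documentation ranges."""
    flows = []
    # A browser on one laptop: a dozen connections to three hosts.
    for i in range(12):
        flows.append((i * 2.0, "00:11:22:33:44:55", f"203.0.113.{i % 3}:443", "tcp"))
    # A P2P client on another: 396 distinct peers contacted within 40 seconds.
    for i in range(396):
        flows.append((i * 0.1, "66:77:88:99:aa:bb",
                      f"198.51.100.{i % 250}:{20000 + i}", "udp"))
    return sorted(flows)


class SessionRateMonitor:
    """Gateway-side check: count *new* outbound sessions per source MAC over a
    sliding window and lock the MAC out once the count exceeds the limit.
    The window and limit are assumed values, not the ISP's real settings."""

    def __init__(self, window_seconds=60.0, max_new_sessions=100):
        self.window = window_seconds
        self.limit = max_new_sessions
        self.recent = defaultdict(deque)   # mac -> start times of new sessions
        self.seen = defaultdict(set)       # mac -> (endpoint, proto) already counted
        self.locked = set()

    def observe(self, ts, mac, endpoint, proto):
        """Feed one flow record; return True if the MAC is (now) locked out."""
        key = (endpoint, proto)
        if key not in self.seen[mac]:           # repeat flows to a peer don't count
            self.seen[mac].add(key)
            times = self.recent[mac]
            times.append(ts)
            while times and ts - times[0] > self.window:
                times.popleft()
            if len(times) > self.limit:
                self.locked.add(mac)
        return mac in self.locked


def find_locked_macs(flows, window_seconds=60.0, max_new_sessions=100):
    """Run the monitor over time-ordered flow records; return the locked MACs."""
    monitor = SessionRateMonitor(window_seconds, max_new_sessions)
    for ts, mac, endpoint, proto in flows:
        monitor.observe(ts, mac, endpoint, proto)
    return set(monitor.locked)


class HotelModePacer:
    """Client-side 'hotel mode': a token bucket that lets the first `burst`
    connections open immediately and then releases one every 1/per_second
    seconds. schedule() returns the time at which a connection may be opened."""

    def __init__(self, burst=20, per_second=0.5):
        self.capacity = float(burst)
        self.rate = per_second
        self.tokens = float(burst)
        self.last = 0.0

    def schedule(self, ts):
        now = max(ts, self.last)                      # never before the previous grant
        self.tokens = min(self.capacity, self.tokens + (now - self.last) * self.rate)
        if self.tokens < 1.0:                         # bucket empty: wait for one token
            now += (1.0 - self.tokens) / self.rate
            self.tokens = 1.0
        self.tokens -= 1.0
        self.last = now
        return now


def pace_flows(flows, burst=20, per_second=0.5):
    """Replay flows as if every client ran its own pacer; returns re-timed records."""
    pacers = defaultdict(lambda: HotelModePacer(burst, per_second))
    paced = [(pacers[mac].schedule(ts), mac, endpoint, proto)
             for ts, mac, endpoint, proto in flows]
    return sorted(paced)


if __name__ == "__main__":
    flows = make_sample_flows()
    print("locked without pacing:", find_locked_macs(flows))        # the P2P laptop
    print("locked with hotel mode:", find_locked_macs(pace_flows(flows)))  # none
```

With the assumed settings the paced client never has more than about 50 new sessions in any 60-second window, so it stays under a limit of 100 new sessions; the cost, as the post says, is that the same 396 peers now take over ten minutes to reach instead of forty seconds, and presence information arrives correspondingly later.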

Any other "lessons learned" you see here?


September 29, 2007

How using Skype disrupted my hotel Internet connection and locked me out

UPDATE: I have now posted some additional thoughts about this issue.


It's been a frustrating time here at the hotel in Ontario, CA, where all I've been trying to do is use the Internet connection. I'm staying at the Best Western and did so largely because they advertised free high-speed Internet (they were also cheaper than others). First annoyance was discovering that I was too far away from their APs to use wireless, but since I had an ethernet cable I just plugged into the wall jack and expected to get access. The very first time I connected, I did get an IP address and could see an entry in my routing table for the default gateway. However, I couldn't ping it.

Being rather used to network troubleshooting, I did the usual things... bringing the interface up and down, disconnecting and re-connecting the cable. I even went to the hotel lobby and got a new cable in case the issue was with my portable/retractable cable.

Nothing. No net.

In desperation I did the thing that tech support always tells you to do but I avoid... reboot. Nothing.

So finally this morning I got on the phone to the Best Western tech support and after waiting, oh, 20 minutes or so I got through to a tech and ultimately we figured out the problem:

Skype!

More specifically, all the bizillion connections that Skype was making out into the P2P cloud. The tech reset the switch and asked me to connect again and his immediate response was "Whoa! Something on your computer is generating an incredible number of sessions out to the Internet! You are tripping our filters and it is blocking out your MAC address." With him on the phone, we tried some experimentation. I shut down Skype, at which point he said I was generating much more normal traffic. As soon as I launched it again, he noticed a very large jump in the number of session connections I was establishing. He said it was something like 396 sessions he was seeing coming from my computer. He also said that I'll keep being locked out of their system if I keep Skype running.

So I shut down Skype. Which, of course, is annoying. Part of why I wanted to use the high-speed Internet is to use Skype for IM and for voice/video calls.

I find it a bit odd that Skype was generating so much extra traffic, but then again I am pretty much always connected into several persistent group chats and had maybe 8 or 10 individual chat windows still open that I'd left open from when I'd last been chatting with the person. (The Mac Skype client makes this easy to do, but I'll write about that sometime.) The persistent group chats, especially, do generate a good number of connections as they link out into the P2P cloud. Perhaps if I closed all of those windows and killed off all my individual chat windows Skype might have behaved better. (Or perhaps not, I might have had to leave the persistent chats in order for Skype to stop making those connections.) I don't want to try it out, because I do want to keep my Internet connection up right now.

In any event, should you be at a hotel and find yourself unable to connect... it might be a P2P app like Skype tripping off the hotel's filters and blocking your access. Fun, fun, fun....

September 09, 2007

Great overview of SIP security now posted on Blue Box site...

Over on Blue Box, I uploaded on Friday what I consider one of the best overviews about SIP security that we've done: Blue Box Special Edition #20. I recorded the interview out at VoiceCon San Francisco in August and it's with Cullen Jennings, who is a Distinguished Engineer at Cisco Systems but, more relevant to SIP, is one of the Area Directors for the Real-time Applications and Infrastructure (RAI) area within the IETF. Basically all of the proposals for RFCs relating to SIP roll up under the RAI area. Cullen's also quite interested in and knowledgeable about security and in fact several of the security-related RFCs related to SIP include Cullen as one of the authors (as do a number of the current proposed Internet-Drafts).

So he knows his stuff... and being a frequent presenter, he's also good at distilling complex things down into more simple descriptions, so it was an enjoyable interview that I think you will also find quite educational.  If you're working with SIP, or considering it, I'd highly recommend you listen to the show.

August 31, 2007

FYI - I'm speaking at Ingate SIP Trunking Seminar Series Sept 11 in LA (concurrent with Internet Telephony Expo)

FYI, for those of you attending the Internet Telephony Conference & Expo in Los Angeles on September 10-12, I'll be participating in a panel session that is part of Ingate's SIP Trunking Seminar Series. I expect it will surprise no one to learn that I'll be on the panel about "Enterprise Security and VoIP" wearing my VOIP Security Alliance hat. My particular session is Tuesday, September 11, 2007, from 9:30-11:00 am. (And yes, I guess it is appropriate in a way to be talking about security on 9/11!) More details and the schedule are available online.

The sessions are free and open to anyone to attend.  Simply fill out the pre-registration form.

August 03, 2007

TMC.net interviews me: "Security and Disaster Recovery for IP Telephony Systems"

Just out yesterday, TMC.Net published an interview with me titled, "Security and Disaster Recovery for IP Telephony Systems", by Mae Kowalke, where I talk about general VoIP security issues and then get into specifics about Mitel solutions.  Given that the author nicely gave me the chance to review the text and offer feedback before she published it, I have to say I'm pleased with how it came out. :-)

(And yes, I normally blog about VoIP security over on the Voice of VOIPSA weblog, but I just feel weird about posting something like this over on that site.)

July 10, 2007

Travelling to/speaking at ACUTA conference in Hollywood, Florida, July 29-Aug 2

FYI, on the week of July 29th - August 2nd, I'll be down in Hollywood, Florida, at the annual conference of the Association for Communications Technology Professionals in Higher Education (ACUTA). I will be speaking on... surprise!... VoIP security! There look to be a great number of interesting talks on the schedule, and so I'm looking forward to wearing my CTO Office hat (versus my pure "VoIP security" hat) and listening to and learning from what many of the folks involved with deploying leading-edge IP communications technologies in the education space are doing. There will, of course, also be some security talks of interest.

If any of you reading this weblog will be down there at the ACUTA conference, please do feel free to drop me a note, as I definitely do enjoy meeting with others who connect through the social media space.

P.S. And yes, Florida in late July/early August is definitely not my idea of a fun place to be... good news is that we'll be indoors!


June 14, 2007

FBI's "Operation Bot Roast" cracks down on botnets...

Since I've been writing about botnets (here and here), I just had to mention that the FBI announced yesterday some arrests of botherders as part of "Operation Bot Roast" (what a great name, eh?).  More coverage is available on ZDNet's Government blog and also the Washington Post's Security Fix blog.  It's interesting (but not surprising) to note that one of the three arrests is of Robert Soloway, the "spam king" currently in jail awaiting trial related to sending spam.  The botnet saga continues...


May 22, 2007

Skype as a platform for secure VPN tunnels?

Since Skype has an open client-side API, why not use it as a transport to tunnel VPN traffic and blow through firewalls to connect you to a remote system? That's the idea raised by Peeter P. Mõtsküla in his Skype Developer Blog entry: "Idea: skypetunnel". For instance, have a Skype client running on your home machine logged in as one account. Have Skype on your laptop on another account. Initiate a connection between the two of them and wind up with secure, encrypted access through the firewall from wherever you are. Being peer-to-peer, there would be no central servers or infrastructure required (outside the usual Skype p2p cloud). This would require, of course, a yet-to-be-created "extra" that connected into the Skype client API and was installed on both systems... but that was the point of the article - to suggest that something like this could be done (and perhaps inspire someone to write one).

It's an interesting idea, although as one commenter noted, it has already been done in a p2p fashion by Hamachi.  I don't know how large Hamachi's p2p cloud (i.e. userbase) is compared to Skype and whether or not that even makes a difference, but the point is that if you are already a Skype user, this would be a way to make use of your existing tools without using another tool.

This whole concept, though, is part of the side of Skype that is admittedly a bit scary for those of us in security, and specifically corporate security.  The client-side API can be accessed by whatever extras a user installs.  All Skype traffic is encrypted, naturally, so a corporate IT security person has no way to know what is going across that connection. Whatever the user installs and allows to access the API gets to use that encrypted Skype connection. If a user installs this fictional VPN Skype extra, the user could then access their corporate desktop from wherever they are - without going through the "approved" VPN gateways... and at the mercy of the security of that fictional VPN "extra".  How well is that "extra" secured?  Could someone else using the extra connect to your corporate desktop PC and initiate a VPN?  What kind of authentication is part of it?

Yes, with Skype's business version, you can use Windows' registry settings to control access to the API, but this means that: a) the company would need to essentially "endorse" Skype usage by promoting the Skype for Business edition; and b) the company would need to somehow block all installations of the "regular" version of Skype.  I guess I don't see that happening - yet - in many corporations.  I expect they will probably continue to take the very black and white approach of attempting to block Skype entirely from their corporate LAN... or just ignoring the issue and letting Skype be installed if users do so.  This latter case is where the Skype client API gets a bit scary.

We'll see.  I agree with the article author that it's a rather logical extension of the Skype p2p cloud.... it will be interesting to see if someone does come up with a VPN "extra" for Skype.


May 21, 2007

VoIP/IP telephony in Estonia... disrupted by botnets?

With my post earlier this month about the possibility of SIP botnets, I've had a number of people asking about more information and wondering about the possible impacts.  And while I will write more on botnets in general, as far as the potential impact of "botnets" in general, one need only look over at the current situation in Estonia:

Now, perhaps Russia is behind the attack... perhaps not. There are obviously much larger political issues going on between the two states.  In the end it doesn't really matter on one level who exactly is behind it... the net of it is that Estonian entities are being attacked in a massive Distributed DoS (DDoS) brought about in part by botnets. For anyone doubting the potential threat, you need only to read through those news articles to understand what can happen.

In fact, I found it interesting that the UK's Centre for the Protection of National Infrastructure (CPNI) issued an advisory today about the DDoS attacks against Estonia, mostly to reassure people in the UK that no attacks were currently being seen against UK businesses.  It also included two links to previous papers written by NISCC (one of the predecessors to the CPNI) about:

Both make for interesting reading and give some suggestions for how to prepare.

So what does this have to do with telephony? Well, for starters I'll admit to knowing nothing of Tallinn, Estonia, before Skype entered the picture. Skype is, of course, headquartered in Tallinn and through things like their Life at Skype blog have provided a view of Skype as a company, but also of Tallinn and Estonia. Since then I have also learned of other companies coming out of Estonia... certainly seems like an interesting hi-tech place these days. Now I don't know what, if any, disruption Skype has been seeing from these attacks. The distributed p2p nature of Skype would argue for there not being much of an impact (except, obviously, to those right in Estonia), but I don't know.

On a larger level, though, it's just a powerful reminder that the botnet threat is very real out there.  And the question is... could your IP telephony infrastructure withstand a botnet attack?  Is your larger IT infrastructure up to withstanding some degree of an attack?  Do you have multiple VoIP gateways?  Could you route around points on your infrastructure that were being attacked?  Do you (gasp) have TDM trunks that could work as backups? 

I don't know if anyone in Estonia has had their IP telephony disrupted by botnets, but odds are if the attacks are as bad as being reported, some companies probably did.  What will you do to ensure your company's IP communication isn't disrupted should botnets come calling?

P.S. For another view on the larger conflict between Estonia and Russia, here's an article (and comments) I found interesting in John Robb's "Global Guerillas" blog: "Russia vs. Estonia: 21st Century State vs State Conflict".

May 14, 2007

Heading out to Arizona for US DoD/JITC conference on telecommunications

In a few short hours, I will be catching a plane heading out to Fort Huachuca, Arizona, to swim in an alphabet soup of very different acronyms and jargon than my normal work - the "OSD-Sponsored, JITC-Hosted DOD Telecommunications Services Information Conference".  As noted on the page:

The purpose of the conference is to provide an open forum where DOD and vendor representatives can discuss issues related to interoperability of systems providing DOD Telecommunications Switched Services.

The conference will present the current program and discuss ongoing developments to the interoperability certification and information assurance procedures and test documentation. Other topics for discussion include emerging technologies, standards and their integration into the systems providing DOD Telecommunications Services.

I attended last year as well and it's definitely an interesting experience.  The US DoD is really doing some intriguing things with how they make use of VoIP / IP Telephony.  Obviously security is rather important.  They are also driving IPv6 adoption into their infrastructure and so, with the June 2008 mandate only a year away, it will be quite interesting to hear where they are with regard to IPv6 adoption.  Obviously, their huge size and buying power is of strong interest, so the number of vendors will no doubt be high.  Also, and I would think "obviously", I won't exactly be writing about things that I hear or learn there.

If any of you reading this happen to be out there at the conference, do drop me a note as I'm always interested in meeting readers or listeners.

May 07, 2007

Getting ready for VoIP "botnets" that attack SIP systems...

Over on the Voice of VOIPSA weblog, I just posted "Ready or not... here come the IRC-controlled SIP/VoIP attack bots!" Given the sheer number of VoIP security tools out there, I think I and most others involved with VOIPSA figured it was only a matter of time before someone automated the attacks.  Did I hope that the creation of "bots" could have held off for a bit longer?  Definitely... but we have to play with the cards we are dealt.

I tried in the article not to hype the threat... that we are aware of, there are not massive botnets out there waiting to attack VoIP systems.  But there is now a proof-of-concept "bot" out there and those of us dealing with VoIP security have to look at how that could impact us.

And it's definitely a sign that we as an industry really have to get security locked down on SIP systems!

April 23, 2007

Blue Box Podcast #56 posted, beginning a series of VoIP security tutorials

I posted Blue Box Podcast #56 tonight and with it Jonathan and I are beginning a series of mini-tutorials on subjects related to VoIP security.  In this show, we talked about voice encryption. In the next show (already recorded) we will talk about signaling encryption.  The idea is to cover some basic ground so that people not familiar with the area can have a basic understanding.

Just glad to get that one up - tomorrow I'm going to work on #57 to see if I can get it online for Wednesday.  We're trying hard to get back on a weekly schedule.  (#56 was intended to go up last week.)

April 12, 2007

My article "Using IP Communications as a Tool for Disaster Recovery and Business Continuity" is now online

I just realized that I never wrote here that an article I wrote recently came out online.  Published in Mitel's "Presence" magazine, it's titled "Using IP Communications as a Tool for Disaster Recovery and Business Continuity".  Okay, so the title's not overly catchy, but here's the first paragraph:

If a hurricane devastated your main office, how rapidly could you restore telephone connectivity? If a branch office had a fire or other disaster, how soon could you connect back into the main office? Or if Avian flu or some other pandemic created a situation where you needed to stay out of the office, could you access remote phone capabilities equal to that at the office? How long would it take your business to recover? How much (and how many customers) could you afford to lose in the process?

I go on to talk about why IP communications/IP telephony/VoIP fundamentally changes the traditional way you might address these issues and offers tremendous benefits.  In fact, to me, the ability to put an IP phone pretty much anywhere you can get an IP address remains one of the major - if not the single biggest - disruptive aspects of IP telephony/communications.  Remove geography as an issue and suddenly things like disaster recovery and business continuity take on a whole different view.

While it's in a Mitel publication, there's nothing in the article that is really Mitel-specific.  Listeners to Blue Box or readers of Voice of VOIPSA probably won't find it terribly new since I've been talking about this before in those sites... but for those of you not familiar with DR and BCP and how VoIP can change that, I think you'll find it a useful read.

April 02, 2007

Shawn Merdinger - The Top 11 VoIP security issues you need to discuss with your vendor

Over on the Voice of VOIPSA weblog, security researcher Shawn Merdinger is 2/3 of the way through a series of posts on the "top 11 VoIP security issues you need to discuss with potential vendors".  His posts are:

with the third post coming at some point soon to cover points 9-11.  Shawn's posts are definitely "required reading" for anyone working on or concerned about issues around VoIP security.  He's done a great job bringing into one place the many questions that you should be asking VoIP/IP telephony/IP communications vendors about the security of the systems you are considering (or have already deployed).

March 16, 2007

Is OpenID really secure? Can you trust it? A Security Round Table podcast explores the issue... and provides a ton of links

What is OpenID? What are the security issues around it? Should you trust using it? What do you have to be worried about? What are the main security threats to it?

While I've written about OpenID here, I really wanted to understand more about the security issues around OpenID, so I got together with two other members of the Security Round Table, Michael Santarcangelo and Martin McKeay, to explore the issues around OpenID and security to a far greater degree.

We have shared the resulting conversation as a SRT podcast, and have also published as the show notes the large body of links that we accumulated during our preparation for the show.  I'd encourage you to check out the SRT site purely for the links alone, as I think we pulled together one of the more comprehensive lists of links I've seen related to OpenID.

In the end, the three of us came away quite impressed with the possibilities of OpenID with regard to the specific piece of the identity puzzle that it is aiming to solve.  We hope this podcast helps people understand both the potential benefits as well as a few potential challenges with regard to security and OpenID.  Comments and feedback are very definitely welcome.

March 05, 2007

Ranting about how very wrong ComputerWorld.au is about enterprises avoiding IP telephony for teleworkers

ComputerWorld in Australia came out with an article today headlined "Enterprises must avoid IP telephony for teleworkers or face attack".  Given that I use a secure teleworker phone on a daily basis, I was immediately struck by the headline and felt compelled to write a response over on Voice of VOIPSA: "Why Computerworld.au is dead wrong about... ".  I think you can gather my opinion from the title.  It will be interesting to see if there is any response from ComputerWorld (I've emailed them the link).

The sad thing is that outside of the headline, the rest of the article was more or less okay. Just a bad headline...

February 16, 2007

AOL & OpenID - 63 million AIM users are now OpenID-enabled! And perhaps a slight security problem...

UPDATE: O'Reilly now points over to the post from AOL's John Panzer about this with more details.  It's funny... I read that post yesterday from John, but I don't think the enormity of it sank in until about 5am this morning when I read the post from Fred Stutzman that I reference below.


Wow!  Talk about a major boost for OpenID... continuing my OpenID research, I learned from reading Fred Stutzman (also here) that all 63 million users of AOL Instant Messenger can now use their AIM account for OpenID!  Now, I don't actually use my AIM account all that much these days (my IMs of preference are Skype, Jabber and MSN/WLM)[1], but I had to try it out, so I headed over to stickis.com and logged in using my AIM screen name - as shown in the image to the right.  Simple.  Easy.

Okay, that's fairly cool. My OpenID is simply:

http://openid.aol.com/dyorkottawa

Now the only peculiar thing was that I never saw this screen to grant or deny the access to the site.  The only reason I have this screen capture is because I pressed the Back arrow on my browser because I wanted a screen capture of the login page.  In actual operation, once I was logged into the AOL OpenID page I went directly to the stickis.com page... without actually granting the site access to my OpenID.

Hmmmmmmm...

This happened in Firefox 2, so just to verify the issue, I flipped over to IE7 and tried the same procedure.  Again, I was asked for my AIM password and then... bang... I was logged into the site (without seeing the Grant/Deny screen).  Note that I am not running any AIM client on this PC right now.

Now at the second site I tried this at, schtuff.com (a wiki provider that allows OpenID login), I was prompted to Grant/Deny access... but I was apparently already logged in to AOL's OpenID server.  Of course, I can't figure out how to log out of the AOL "Screen Name Service"... I guess I have to close out all my browser windows.  So given that I can't figure out how to log out, I can't replicate this procedure again (sorry, AOL, but I am not going to exit all my browser windows right now)... so I'd be curious to know if anyone else experiences this.  If you get an OpenID login screen, do you then just go right in?

I'm not sure there is a huge issue... I mean, you are going to the site to login... to a certain degree the Grant/Deny screen seems redundant in this instance.  You still have to go through one screen to allow the relying site access to your ID.  And with subsequent sites it seems to do the right thing and pop up the Grant/Deny screen.  Is the skipping of the initial Grant/Deny screen really a security issue?  (if it turns out to be more than just me?)  I don't know yet...
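The Grant/Deny screen is the provider's per-relying-party consent step, separate from logging in to the provider itself. As an added illustration (constructed here; not AOL's code and not a claim about why their screen was skipped), this is the decision a provider makes for each checkid_setup request; the relying-party domains and identity URL are made up.

```python
"""
Constructed illustration of the consent decision an OpenID 1.1 provider
makes for a checkid_setup request. Authenticating to the provider and
approving a specific relying party (RP) are separate steps, so approval
is tracked per trust_root rather than assumed from a fresh login.
"""
from dataclasses import dataclass, field
from urllib.parse import urlparse


@dataclass
class ProviderSession:
    """Server-side state for one browser session at the OpenID provider."""
    identity: str                       # the user's OpenID URL (constructed)
    authenticated: bool = False
    approved_trust_roots: set = field(default_factory=set)


def trust_root_matches(trust_root: str, return_to: str) -> bool:
    """Simplified OpenID 1.1 rule (no wildcard hosts): return_to must share
    the trust_root's scheme and host:port and sit under its path prefix.
    Otherwise the user would consent to one site and be sent to another."""
    tr, rt = urlparse(trust_root), urlparse(return_to)
    return (tr.scheme == rt.scheme and tr.netloc == rt.netloc
            and rt.path.startswith(tr.path or "/"))


def decide(session: ProviderSession, trust_root: str, return_to: str) -> str:
    """Next step for a checkid_setup request:
    'login'   - user must authenticate to the provider first
    'error'   - return_to is not under trust_root; refuse
    'consent' - show the Grant/Deny screen for this trust_root
    'assert'  - this RP was already approved; send a positive assertion
    """
    if not session.authenticated:
        return "login"
    if not trust_root_matches(trust_root, return_to):
        return "error"
    if trust_root not in session.approved_trust_roots:
        return "consent"
    return "assert"


def grant(session: ProviderSession, trust_root: str) -> None:
    """Record the user's Grant decision for one trust_root only."""
    session.approved_trust_roots.add(trust_root)


def walkthrough() -> list:
    """Replay the post's scenario against a provider that checks consent
    per RP: log in, approve a first RP, then visit a second RP."""
    s = ProviderSession(identity="http://openid.example/alice")
    steps = []
    steps.append(decide(s, "http://rp-one.example/", "http://rp-one.example/cb"))
    s.authenticated = True   # user entered the provider password
    steps.append(decide(s, "http://rp-one.example/", "http://rp-one.example/cb"))
    grant(s, "http://rp-one.example/")
    steps.append(decide(s, "http://rp-one.example/", "http://rp-one.example/cb"))
    # second RP in the same browser session still needs its own Grant/Deny
    steps.append(decide(s, "http://rp-two.example/", "http://rp-two.example/cb"))
    # a return_to outside the claimed trust_root is refused outright
    steps.append(decide(s, "http://rp-one.example/", "http://other.example/cb"))
    return steps
```

The walkthrough returns login, consent, assert, consent, error in that order; a provider that treats "just authenticated" as implicit consent would return assert at the second step instead.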

Anyway, kudos to AOL for OpenID-enabling their system... even if there might still be a few bugs to iron out.

This does raise a larger question, too... who do you use as your ID provider?  There's a long list of OpenID providers, but if you use AOL most of the time for IM, might it not make sense to use them as your OpenID provider?  Or do you want the more granular control provided by some of the others?  Where do you establish your online identity?   It shall be an interesting question to continue to ponder.

[1] My AIM name might give a clue as to why I don't use it as well... I took it out during the 5 years we lived in Ottawa, and, well, I've just never gotten around to getting a new one now that I left there 1.5 years ago...

February 15, 2007

Doing a "deep dive" on OpenID...

I have to blame Aswath.  Back in December, he posted a short piece wondering about the use of OpenID in SIP authentication.  He contacted Jonathan and me in regard to Blue Box and asked for our comments. We discussed it on Blue Box #48 (at 15:50 in the show) and basically said "well, it's interesting, but there's no trust model so we can't see how it would really work".  I had some further brief email exchange with Aswath, and then somewhere in there he came out with his proposal for extending OpenID use into communication systems.  Again he dropped us a note, and again, even with posts like that of phoneboy, I still hadn't gotten over my concern about trust - and we discussed it again in the soon-to-be-issued Blue Box #51, along with a comment from a listener.

But there was something there that kept nagging at the back of my brain... and then as Microsoft announced support for OpenID out at RSA... and then as AOL is talking about their plans...  along with a hundred other smaller indicators... all of it has made me realize that I've needed to "go deeper" on what OpenID is all about and how it works... and how maybe, just maybe, there might be a role for it in VoIP.

I'm not there yet, but I'm definitely in the middle of the deep dive.  I've told Aswath that I'd get him a longer response - and I will - once the journey has gone a bit further.  In the meantime, those of you who want to follow along can watch my del.icio.us trail on openid... it keeps getting longer.

If you have no idea what OpenID is about at all... think about all the websites you go to and all the different usernames and passwords you have.  What if there was a way to have just one identity you could use everywhere?  That's one of the ideas behind OpenID.  Here are some good places to start if you know nothing about it:

Lots to learn out there...

February 01, 2007

In the service of the CISSP for another three years... (resetting CPEs to 0!)

Received a nice email from ISC2 this morning confirming that my Certified Information Systems Security Professional (CISSP) certification is all set for another three years. Having been involved with creating a certification, I find ISC2's process quite interesting.  First, obviously, there is the barrier of obtaining the CISSP credential.  The 6-hour exam is certainly not an easy one as it encompasses an extremely wide area in the 10 domains of the Common Body of Knowledge.  Then there is the professional experience requirement and then the requirement to be endorsed by another CISSP.  Add to that the fact that the exams are not computer-based but rather proctored... and are therefore only scheduled at infrequent intervals.  All in all, it winds up not being terribly easy to obtain the CISSP credential.  Which is part of the point, really.  There have been too many certification mills out there.

Anyway, once you obtain the CISSP, the next part is to maintain the credential.   There's an Annual Maintenance Fee to pay, but that's <$100 and not really a big deal.  Much harder is the Continuing Professional Education (CPE) requirement which is that over three years you have to obtain 120 CPEs.  If you fail to do so after 3 years, you lose your CISSP and have to retake the exam!  Now, it's not overly difficult to obtain CPEs.  You can get them for attending conferences, webcasts, training courses... even, once per year, for reading a security book.  You can also get more for providing training or serving on the board of a local security association.  Really, it's nothing for the normal security professional who is keeping up on the current state of the profession.  And that's the point, really.  ISC2 wants to ensure that someone representing themselves as a CISSP does in fact have relatively current security knowledge.  The main issue, I find, is remembering to record CPEs with ISC2!  If I attend a conference or webinar or something like that, I try to remember to go and record that soon thereafter.

In any event... I've blown past the required CPEs... now the counter gets reset and I'll have to start again to have them in place before 2010!  :-)

P.S. Wikipedia, of course, also has more info on the CISSP.

January 30, 2007

Richard Zhao's new blog URL - sbin.cn/blog - telecom and voip with a Chinese view...

I've long enjoyed Richard Zhao's posts at "Telecom, Security and P2P" because, living in Beijing and working for Lenovo, he brings a distinctly different view into the global conversation.  For instance, earlier this year he posted about Chinese security standards, something that few of us outside the country would probably have noticed or commented on.  However, as he mentions over on his Chinese language blog (in English), access to WordPress.com, where he previously had the blog, is apparently being blocked or degraded in China.  So he has now moved his blog to:

http://sbin.cn/blog/

As the title states, he covers primarily telecom and security.  Do check him out...

January 26, 2007

Will sex and secret liaisons sell VoIP?

I have to admit that I laughed a good bit when reading Om Malik's post about "ShadowNumber" last week, which actually turns out to be an alter-ego for VoIP startup TalkPlus.   The point appears to be that you can preserve a degree of anonymity through giving out essentially a disposable phone number.  It's just interesting to see what companies will do to differentiate themselves.  And I completely agree with Om's statement:

Many new technologies — like VHS and DVDs, and more recently Video over the Internet — owe no small part of their early success to adult entertainment, which spurred people to jump through technological hoops they might not have otherwise.

Adult "entertainment" and gaming are two areas that have pushed technology in many areas and yet have not always been credited with doing so.

As to ShadowNumber, their pitch doesn't appeal to me at all (I'm with Om in finding it a bit distasteful), but it's at least something a bit novel.  It will be interesting to see if it works out for them.

January 05, 2007

Blue Box Podcast #48 out with our predictions for 2007, VoIP security news, etc. - and the frustrating audio issues in post-production

Earlier this week I uploaded Blue Box Podcast #48, where Jonathan and I go beyond just talking about the news to also review the "top VoIP security news stories of 2006" and also get into our predictions for 2007. My prediction #1 will be fairly obvious for anyone who has listened to the show for a while. We also cover the typical range of VoIP security stories, talk about OpenID for caller authentication and many more things.

This was a bit of a frustrating show to post-produce. Post-production is always a somewhat lengthy process, anyway, because I want the enhanced audio that you get from a wideband codec, which means that we use Skype. However, Skype creates its own challenges with voice that will simply fade away or get garbled. It's fairly routine that we have to disconnect and reconnect a time or two within the space of the hour in which we are recording the show. (That's actually apparent in this show where Jonathan's voice is at a lower level and then suddenly is much louder. After the reconnect, he wound up with more volume.) If I could get the audio quality in a softphone without the fade outs, I'd probably drop my post-production time by a good bit.

However, this week I couldn't blame Skype. I record the show in Audacity and it appears that because I had been previously editing a file located over on a USB hard drive, Audacity started writing its files for the new episode over on that hard drive. As anyone using Audacity will know, it writes a huge number of files to disk. Basically many, many little files with small pieces of audio in them. What seems to have happened is that periodically parts of the audio didn't get written. Or the files got destroyed. Or who knows what. Perhaps I had too many other apps running on the older computer I'm using for recording and Audacity couldn't keep up with what was being sent to it. Perhaps there was too much latency going to the USB hard drive. I don't know, but the end result was that there were gaps in the audio that got worse as the show went on. Just missing pieces of audio.

Unfortunately, I discovered it after the holidays were already underway and I couldn't really reconnect with Jonathan to rerecord. And also unfortunately, I wasn't running a backup record as I have in the past.

Given that my goal is high-quality audio production, this was a rather disappointing turn of events, but in the end I did put it out there with a big caveat in the show notes.

We just recorded show #49 today and I made sure to have nothing else running on the PC, to be writing to the main hard drive and to have a backup recorder. Hopefully I'll not experience the issue again.

January 03, 2007

Mark Collier's "VoIP Security Blog" gets a new makeover...

As I noted in my Voice of VOIPSA post today, Mark Collier (of hackingvoip.com fame) took some time in December to give www.voipsecurityblog.com a graphical makeover. He's got a cute new header image and an updated picture of himself. Although, Mark, I really have to say... you are violating the security "code of dress"! Don't you know that all good security people are supposed to wear black? Preferably a black turtleneck? Come on, now, you're going against the motif!

Ah, well... in any event, if you haven't checked out Mark's blog, it's a good one... even if he is wearing white. :-)

Quoted in VoIP News: "How Secure are your VoIP Calls?"

As I wrote over at Voice of VOIPSA, I was quoted in an article out today at VoIP News: How Secure Are Your VoIP Calls? The Voice of VOIPSA post has my (generally positive) reaction.

December 11, 2006

Confirmed to speak at O'Reilly's Emerging Telephony conference, Feb 27 - Mar 1, 2007, San Francisco

(Originally posted to http://dyork.livejournal.com/254735.html)

Just confirmed late last week that I'll definitely be speaking at O'Reilly's Emerging Telephony Conference (aka "ETel") this coming February 27 - March 1, 2007 in San Francisco. The topic I will be speaking on will, of course, be VoIP security. Two sessions, actually... one a 15-minute plenary session providing an overall view of VoIP security and then the second a 90-minute workshop going into much more detail, providing info about security tools, best practices and much more. Both, of course, will be later put out as part of Blue Box. Should be a lot of fun, and given that it's in the SF area, I'll probably be able to pull Jonathan Zar in as well, which would be cool. Now I just need to put up a picture, bio and session abstracts...

As I've said to a number of folks, ETel 2006 was one of the very best out of all the conferences that I attended all year. No real trade show... just conference sessions full of the "alpha geeks" that O'Reilly conferences tend to attract. People rea