Disruptive Telephony

Cross-posted from Voice of VoIPSA:

---

What are you doing tomorrow, Tuesday, October 28, 2008, at 1pm US Eastern time? If you are around, you are welcome to join a free webinar I'll be giving on "Best Practices for Secure Unified Communications".

From time-to-time, you'll notice that those of us working with VOIPSA will take part in seminars/webinars offered by members of VOIPSA and we definitely enjoy doing so. For instance, as readers of the blog know, I've been speaking at Ingate's SIP Trunking seminars for quite some time now. We're generally open to speaking at anyone's event or webinar - as long as they understand that there is no endorsement of the company/vendors's products/services and that we are there to provide an industry-neutral point-of-view.

So tomorrow at 1pm US Eastern I'll be speaking as part of Mitel's "Discovery Series" where they invite in guest speakers from the industry. You can join the webinar for free at Mitel's site. They asked me to speak about the threats/risks to voice over IP and unified communications and talk about best practices for protecting them. Here's the abstract:

Discover Best Practices for Secure Unified Communications

Presented by: Dan York, Voice Over IP Security Alliance (VOIPSA) October 28, 2008, 1:00 PM EDT / 10:00 AM PDT / 5:00PM GMT

With the emergence of Voice-over-IP and Unified Communications, companies now have incredible opportunities to provide a rich communication experience to employees located in a single location or distributed globally. But how does a company do this in a secure manner? How is the confidentiality and integrity of corporate conversations protected? How can a company be sure that its IP phone systems and IP trunks will always be available for usage? What are the issues around protecting SIP trunks or using hosted services?

In this webinar, VoIP Security Alliance Best Practices Chair Dan York will discuss the threats and risks to Voice-over-IP, the tools that are out to test (or attack) VoIP system and solutions and best practices for protecting your systems. He'll also address concerns around SIP trunking, Spam for Internet Telephony (SPIT) and the move to push voice out into hosted/cloud computing environments and the associated concerns. Come prepared to learn about securing your VoIP system, to ask questions about your deployments and to leave with tips and resources to protect and defend your systems.

The webinar will be recorded and posted for later viewing as well. I'll note that they also have a nice companion webinar to the one I'll be giving tomorrow in one that HP representatives recently have on network security as it relates to VoIP.

Anyway, if you are available tomorrow (Oct 28th) at 1pm please do feel free to join into the webinar. I'll post a note on this site, too, when it is available for later listening.

P.S. And yes, as a couple of people have asked, I do obviously have a closer association with this webinar than I do with some of the other vendors given that I worked at Mitel for 6 years and was their point person on VoIP security issues for much of that time. It will be fun to be speaking with them again.

Technorati Tags: voip, voip security, security, voice, voice security, mitel, voipsa, danyork, dan york, unified communications

Earlier this month out at ITEXPO in Los Angeles, I participated in the Ingate SIP Trunking seminars as I have been doing for the last year or so. My talk was "SIP Trunking and Security in an Enterprise Network". The slides are available for viewing or download from my SlideShare account and I'll also embed them here in this post.

I did record the presentation in both audio and video and hope to be making that available as a Blue Box podcast some time soon. I'll then sync the slides to the audio. Meanwhile... enjoy the slides!

Technorati Tags: voip, voip security, sip, sip security, voice, security, dan york, itexpo, commdev, voipsa

Over on the Voice of VOIPSA weblog, I have been tracking a security issue in the iSkoot program that was transmitting your Skype username and password in the clear. The post, its comments, and the corresponding links off of it make for some interesting reading.

It also shows the speed at which the blogosphere can react and potentially help sort things out. In the space of about 48 hours, a problem was found, confirmed, identified by the vendor and apparently will be fixed shortly. I'll be writing more about this later today over on the Voice of VOIPSA weblog, but for now I'll just say that it's great to see that the problem is being dealt with.

Technorati Tags: voip, voip security, voipsecurity, security, skype, iskoot, symbian, phoneboy

FYI, I will be down at VoiceCon Orlando on March 17-20, 2008. I'm moderating two panel sessions (see the schedule). First, up, bright and early at 8am on Tuesday, March 18th, I'll be moderating a panel on "Top VoIP Security Threats". This should be a fun one as it has VOIPSA Chair Dave Endler, Mark Collier of SecureLogix and Sachin Joglekar of Sipera Systems. I know all three of the guys, particularly Dave and Mark who have both worked on VOIPSA matters, and this session should be a good bit of fun. I'm planning on making it a rather interactive session. :-)

At the other end of the show, on Thursday, March 20th, at 11:45am, I'll be moderating a panel "Open Source for Enterprise Voice: How Much, How Soon?". This would should be interesting because it has Bill Miller from Digium (makers of Asterisk), who I know well, and M Raza from 3Com... and then Tony Pereira from Nortel! 3Com's presence on the panel isn't particularly surprising given their relationship with Digium, but it will be interesting to see Nortel's view on the matter.

All in all it should be quite an interesting show. Lots of good sessions and, I'm sure, interesting people to meet. If you're going to be down there, please do drop an email as I'm always interesting in meeting readers of the blog.

Technorati Tags: voicecon, voxeo, voipsa, securelogix, sipera, 3com, digium, asterisk, voip security, open source

If any of you will be in Miami next week for Internet Telephony Expo, I will be speaking on VOIPSA's behalf at Ingate's SIP Trunking Seminar Series held in conjunction with IT Expo. Predictably, my session from 8:30-9:45am on Thursday, January 24th is titled "Seminar/myth 1: VoIP is not secure".

If you are going to be down at IT Expo, do check out the full schedule for Ingate's SIP Trunking Seminar Series. They have a good range of speakers and the seminars are free.

If any of you are attending either IT Expo or the SIP Trunking Seminar Series, please do drop a note as I'm always interested in meeting readers.

Technorati Tags: sip, sip trunking, ingate, itexpo, conferences

I'm in Boston this week at Fall VON. I'll be speaking on Thursday at 12:45 on (predictably) " Strategies for Solving Security". If any readers are at VON, feel free to drop a note. I'm always interested in connecting with readers.

Technorati Tags: conferences, fallvon, voip security, voipsa, von

Well, I just confirmed my travel schedule - I'm going to go have a bit of fun out at AstriCon 2007. AstriCon, for those who aren't aware, is pretty much the premiere event for Asterisk developers. I'm scheduled to speak on Thursday about (surprise!) VoIP security. My talk is an "industry perspective" in my capacity as a board member of the VOIP Security Alliance and won't be specifically Asterisk-focused, although I will include a few pieces about what you need to think about with Asterisk and the holes that Asterisk still needs to fill (like, oh, SRTP, which I know is coming). I know Mark Spencer and a good bit of the Digium crowd, so it will be fun to hang out with them (especially given my new independent status).

If any of you reading will be out there, please do feel free to drop me a line so that we can connect.

P.S. After AstriCon, I'll be heading over to the Podcast and New Media Expo in Ontario, CA. If any of you will be there, please do drop a note as well.

Technorati Tags: asterisk, astricon, voip

Over on Blue Box, I uploaded on Friday what I consider one of the best overviews about SIP security that we've done: Blue Box Special Edition #20.  I recorded the interview out at VoiceCon San Francisco in August and it's with Cullen Jennings who is a Distinguished Engineer at Cisco Systems, but more relevant to SIP is one of the Area Directors for the Real-time Applications and Infrastructure (RAI) area within the IETF.  Basically all of the proposals for RFCs relating to SIP roll up under the RAI area.  Cullen's also quite interested in and knowledgeable about security and in fact several of the security-related RFCs related to SIP include Cullen as one of the authors (as do a number of the current proposed Internet-Drafts). 

So he knows his stuff... and being a frequent presenter, he's also good at distilling complex things down into more simple descriptions, so it was an enjoyable interview that I think you will also find quite educational.  If you're working with SIP, or considering it, I'd highly recommend you listen to the show.

FYI, for those of you attending the Internet Telephony Conference & Expo in Los Angeles on September 10-12, I'll be participating in a panel session that is part of Ingate's SIP Trunking Seminar Series.  I expect it will surprise no one to learn that I'll be on the panel about "Enterprise Security and VoIP" wearing my VOIP Security Alliance hat.  My particular session is Tuesday, September 11, 2007, from 9:30-11:00 am.  (And yes, I guess it is appropriate in a way to be talking about security on 9/11!)   More details and the schedule are available online.

The sessions are free and open to anyone to attend.  Simply fill out the pre-registration form.

I posted Blue Box Podcast #56 tonight and with it Jonathan and I are beginning a series of mini-tutorials on subjects related to VoIP security.  In this show, we talked about voice encryption. In the next show (already recorded) we will talk about signaling encryption.  The idea is to cover some basic ground so that people not familiar with the area can have a basic understanding.

Just glad to get that one up - tomorrow I'm going to work on #57 to see if I can get it online for Wednesday.  We're trying hard to get back on a weekly schedule.  (#56 was intended to go up last week.)