Category: Security
Shawn Merdinger – The Top 11 VoIP security issues you need to discuss with your vendor
Over on the Voice of VOIPSA weblog, security researcher Shawn Merdinger is 2/3 of the way through a series of posts on the “top 11 VoIP security issues you need to discuss with potential vendors”. His posts are:
- Pucker Up – Intimate VoIP Phone Security Questions, Part 1 of 3 (1-5)
- Pucker Up – Intimate VoIP Phone Security Questions, Part 2 of 3 (6-8)
with the third post coming at some point soon to cover points 9-11. Shawn’s posts are definitely “required reading” for anyone working on or concerned about issues around VoIP security. He’s done a great job bringing into one place the many questions that you should be asking VoIP/IP telephony/IP communications vendors about the security of the systems you are considering (or have already deployed).
Technorati tags: voipsa, voip security, security, voip
Is OpenID really secure? Can you trust it? A Security Round Table podcast explores the issue… and provides a ton of links
What is OpenID? What are the security issues around it? Should you trust using it? What do you have to be worried about? What are the main security threats to it?
While I’ve written about OpenID here, I really wanted to understand more about the security issues around OpenID, so I got together with two other members of the Security Round Table, Michael Santarcangelo and Martin McKeay, to explore the issues around OpenID and security to a far greater degree.
We have shared the resulting conversation as a SRT podcast, and have also published as the show notes the large body of links that we accumulated during our preparation for the show. I’d encourage you to check out the SRT site purely for the links alone, as I think we pulled together one of the more comprehensive lists of links I’ve seen related to OpenID.
In the end, the three of us came away quite impressed with the possibilities of OpenID with regard to the specific piece of the identity puzzle that it is aiming to solve. We hope this podcast helps people understand both the potential benefits as well as a few potential challenges with regard to security and OpenID. Comments…
Ranting about how very wrong ComputerWorld.au is about enterprises avoiding IP telephony for teleworkers
ComputerWorld in Australia came out with an article today headlined “Enterprises must avoid IP telephony for teleworkers or face attack“. Given that I use a secure teleworker phone on a daily basis, I was immediately struck by the headline and felt compelled to write a response over on Voice of VOIPSA: “Why Computerworld.au is dead wrong about… “. I think you can gather my opinion from the title. It will be interesting to see if there is any response from ComputerWorld (I’ve emailed them the link).
The sad thing is that outside of the headline, the rest of the article was more or less okay. Just a bad headline…
Technorati tags: Voip security, voip, ip telephony, teleworker, security, computerworld
AOL & OpenID – 63 million AIM users are now OpenID-enabled! And perhaps a slight security problem…
UPDATE: O’Reilly now points over to the post from AOL’s John Panzer about this with more details. It’s funny… I read that post yesterday from John, but I don’t think the enormity of it sank in until about 5am this morning when I read the post from Fred Stutzman that I reference below.
Wow! Talk about a major boost for OpenID… continuing my OpenID research, I learned from reading Fred Stutzman (also here) that all 63 million users of AOL Instant Messenger can now use their AIM account for OpenID! Now, I don’t actually use my AIM account all that much these days (my IMs of preference are Skype, Jabber and MSN/WLM)[1], but I had to try it out, so I headed over to stickis.com and logged in using my AIM screen name – as shown in the image to the right. Simple. Easy.
Okay, that’s fairly cool. My OpenID is simply:
http://openid.aol.com/dyorkottawa
Now the only peculiar thing was that I never saw this screen to grant or deny the access to the site. The only reason I have this screen capture is because I pressed the Back arrow on my browser because I wanted a screen capture of the…
Doing a "deep dive" on OpenID…
I have to blame Aswath. Back in December, he posted a short piece wondering about the use of OpenID in SIP authentication. He contacted Jonathan and I in regard to Blue Box and asked for our comments. We discussed it on Blue Box #48 (at 15:50 in the show) and basically said “well, it’s interesting, but there’s no trust model so we can’t see how it would really work”. I had some further brief email exchange with Aswath, and then somewhere in there he came out with his proposal for extending OpenID use into communication systems. Again he dropped us a note, and again, even with posts like that of phoneboy, I still hadn’t gotten over my concern about trust – and we discussed it again in the soon-to-be-issued Blue Box #51, along with a comment from a listener.
But there was something there that kept nagging at the back of my brain… and then as Microsoft announced support for OpenID out at RSA… and then as AOL is talking about their plans… along with a hundred other smaller indicators… all of it has made me realize that I’ve needed to “go deeper” on what OpenID is all about and how…
In the service of the CISSP for another three years… (resetting CPEs to 0!)
Received a nice email from ISC2 this morning confirming that my Certified Information Systems Security Professional (CISSP) certification is all set for another three years. Having been involved with creating a certification, I find ISC2’s process quite interesting. First, obviously, there is the barrier of obtaining the CISSP credential. The 6-hour exam is certainly not an easy one as it encompasses an extremely wide area in the 10 domains of the Common Body of Knowledge. Then there is the professional experience requirement and then the requirement to be endorsed by another CISSP. Add to that the fact that the exams are not computer-based but rather proctored… and are therefore only scheduled at infrequent intervals. All in all, it winds up not being terribly easy to obtain the CISSP credential. Which is part of the point, really. There have been too many certification mills out there.
Anyway, once you obtain the CISSP, the next part is to maintain the credential. There’s an Annual Maintenance Fee to pay, but that’s <$100 and not really a big deal. Much harder is the Continuing Professional Education (CPE) requirement, which is that over three years you have to obtain 120 CPEs. If you fail…
Richard Zhao’s new blog URL – sbin.con/blog – telecom and voip with a Chinese view…
I’ve long enjoyed Richard Zhao’s posts at “Telecom, Security and P2P” because, living in Beijing and working for Lenovo, he brings a distinctly different view into the global conversation. For instance, earlier this year he posted about Chinese security standards, something that few of us outside the country would probably have noticed or commented on. However, as he mentions over on his Chinese language blog (in English), access to Wordpress.com, where he previously had the blog, is apparently being blocked or degraded in China. So he has now moved his blog to:
As the title states, he covers primarily telecom and security. Do check him out…
Technorati tags: voip, security, voip security, telecommunications, china, lenovo
Will sex and secret liaisons sell VoIP?
I have to admit that I laughed a good bit when reading Om Malik’s post about “ShadowNumber” last week, which actually turns out to be an alter-ego for VoIP startup TalkPlus. The point appears to be that you can preserve a degree of anonymity through giving out essentially a disposable phone number. It’s just interesting to see what companies will do to differentiate themselves. And I completely agree with Om’s statement:
Many new technologies — like VHS and DVDs, and more recently Video over the Internet — owe no small part of their early success to adult entertainment, which spurred people to jump through technological hoops they might not have otherwise.
Adult “entertainment” and gaming are two areas that have pushed technology in many areas and yet have not always been credited with doing so.
As to ShadowNumber, their pitch doesn’t appeal to me at all (I’m with Om in finding it a bit distasteful), but it’s at least something a bit novel. It will be interesting to see if it works out for them.
Technorati tags: voip, shadownumber, om malik, talkplus
Blue Box Podcast #48 out with our predictions for 2007, VoIP security news, etc. – and the frustrating audio issues in post-production
Earlier this week I uploaded Blue Box Podcast #48, where Jonathan and I go beyond just talking about the news to also review the “top VoIP security news stories of 2006” and also get into our predictions for 2007. My prediction #1 will be fairly obvious for anyone who has listened to the show for a while. We also cover the typical range of VoIP security stories, talk about OpenID for caller authentication and many more things.
This was a somewhat frustrating show to post-produce. Post-production is always a fairly lengthy process anyway, because I want the enhanced audio that you get from a wideband codec, which means that we use Skype. However, Skype creates its own challenges, with voice that will simply fade away or get garbled. It’s fairly routine that we have to disconnect and reconnect a time or two within the space of the hour in which we are recording the show. (That’s actually apparent in this show, where Jonathan’s voice is at a lower level and then suddenly is much louder. After the reconnect, he wound up with more volume.) If I could get the audio quality in a softphone without the fade outs,…
Mark Collier’s “VoIP Security Blog” gets a new makeover…
As I noted in my Voice of VOIPSA post today, Mark Collier (of hackingvoip.com fame) took some time in December to give www.voipsecurityblog.com a graphical makeover. He’s got a cute new header image and an updated picture of himself. Although, Mark, I really have to say… you are violating the security “code of dress”! Don’t you know that all good security people are supposed to wear black? Preferably a black turtleneck? Come on, now, you’re going against the motif!
Ah, well… in any event, if you haven’t checked out Mark’s blog, it’s a good one… even if he is wearing white. 🙂
Technorati Tags: security, mark collier, voip, voip security, voipsa, voipsecurity
