Category: VoIP Security
Can We Create A “Secure Caller ID” For VoIP? (Join Tomorrow’s STIR BOF To Learn More)
Can we create a “secure Caller ID” for IP-based communications, a.k.a. voice-over-IP (VoIP)? And specifically for VoIP based on the Session Initiation Protocol (SIP)? Can we create a way to securely identify the origin of a call that can be used to combat robocalling, phishing and telephony denial-of-service (TDOS) attacks?
That is the challenge to be undertaken by the “Secure Telephone Identity Revisited (STIR)” group meeting tomorrow morning, July 30, 2013, at 9:00 am in Berlin, Germany, as part of the 87th meeting of the Internet Engineering Task Force (IETF). The meeting tomorrow is a “Birds Of a Feather (BOF)”, which in IETF language is a meeting to determine whether there is sufficient interest to create a formal “working group” to take on a new body of work within the IETF. The proposed “charter” for this new work begins:
Over the last decade, a growing set of problems have resulted from the lack of security mechanisms for attesting the origins of real-time communications. As with email, the claimed source identity of a SIP request is not verified, and this permits unauthorized use of source identities as part of deceptive and coercive activities, such as robocalling (bulk unsolicited commercial communications),…
At SIPNOC 2013 This Week Talking About VoIP And IPv6, DNSSEC … and Security, Of Course
One of the conferences I’ve found most interesting each year is the SIP Network Operators Conference (SIPNOC) produced by the SIP Forum, a nonprofit industry association. Part of my interest is that it is only an educational conference, i.e. there’s no massive exhibit floor or anything… it’s all about education. It also brings together pretty much all the major players in the “IP communications” space – certainly within North America but also from around the world.
I’ll be there this week in Herndon, Virginia, talking about how VoIP can work over IPv6 and how DNSSEC can make VoIP more secure. The sessions I am directly involved with include:
- Panel Discussion: Anatomy of a VoIP DMZ
- VoIP Security BOF
- Panel Discussion: IPv6 and SIP – Myth or Reality?
- Who Are You Really Calling? How DNSSEC Can Help
There are quite a range of other topics on the SIPNOC 2013 agenda, including a number of other talks related to security.
It should be quite a good show and I’m very much looking forward to it. I’m particularly looking forward to my “DNSSEC and VoIP” talk on Thursday as that is a topic I’ve not presented on before… but I think…
Video Interview: Emil Ivov about how the Jitsi softphone works with IPv6 and DNSSEC
How does the Jitsi softphone work with IPv6? And what role could DNSSEC play with VoIP? At IETF86 earlier this month, I sat down with Emil Ivov, project leader of the Jitsi Project to talk about a wide range of topics including how Jitsi got started and why it does so much with IPv6 (interesting reason!), what they are looking to do with Jitsi now, the role of DNSSEC and why they added that support to Jitsi… and much, much more… I quite enjoyed talking to Emil and the Jitsi project is certainly one that I will continue to watch – and use!
Oracle Buys Acme Packet For $2 Billion To Gain SIP Session Border Controllers (SBCs) And More
Fascinating news today out of Oracle that they have purchased Acme Packet in a transaction estimated to be around $2 billion US. For those of you not really tracking the VoIP security space, Acme Packet is probably the world’s largest vendor of “session border controllers (SBCs)”, devices that are used to securely and reliably interconnect VoIP networks. SBCs also provide a very important role in helping with interoperability of Session Initiation Protocol (SIP) signaling between the SIP products and networks of different vendors.
As Andy Abramson writes, the fascinating aspect of this acquisition is this:
This is an interesting grab by one of the tech world’s true giants because it squarely puts Oracle into a game where they begin to compete with the giants of telecom, many of whom run Oracle software to drive things including SBC’s, media gateways and firewall technology that’s sold.
This acquisition does put Oracle VERY firmly into the telecom sector at a carrier / large enterprise level, as Acme Packet’s products are widely used within that tier of companies. As the news release notes:
“The company’s solutions are deployed by more than 1,900 service providers and enterprises globally, including 89 of world’s top 100…
Speaking Next Week on IPv6 and VoIP Security at 7th Real-Time Communications Conference in Chicago
If any of you will be in Chicago next week, October 4-6, 2011, for the 7th Annual Real-Time Communications Conference & Expo, I’ll be there on the 5th and 6th as a speaker.
I’ll be speaking twice. First on Wednesday the 5th at 4pm on “The Current State of VoIP Security”, wearing my VOIPSA hat and leading off a series of talks about security. I’ll be providing an overview of the main threats to VoIP and communications security in general, leading the way into the two more specific talks following mine.
I’m rather excited that my second session will be my first public appearance wearing my new Internet Society hat (if you are not aware, I’ve posted details about my recent move) and will of course be about IPv6… more specifically “How IPv6 Will Impact SIP And Telecom”.
Due to ongoing events on the personal front, I wasn’t sure that I was going to make it out there… and quite frankly there’s still a chance that I won’t… but I should be out there.
If you look at the conference schedule, the speakers include outstanding people involved with so many different aspects of real-time communications. It should be truly an…
Skype Issues 2nd Mac 5.1 Hotfix for “Security Issues” – But What Are Those Issues?
Today, Skype issued a new Skype 5.1 for Mac “hotfix” for more “security issues”. The problem?
We don’t know what those “security issues” are?
We don’t know, for instance:
- Are they related to the remote exploit that was publicly disclosed on Friday? Or to related attacks on the same theme? (as discussed on SecNiche today)
- What is the severity of these “security issues”? Remote compromise? Denial of service? What?
- What is the priority that we should place on getting this update in place? Is it a “UPDATE NOW!” kind of priority? or a “Update when you can”?
- What kind of mitigating circumstances are there for these security fixes?
- Are there any workarounds that could be put in place at a network layer (or any other layer) to prevent attacks on individual systems? (i.e. as a safety measure until the individual clients are all updated?)
We need to know this kind of information.
Particularly as Skype looks to try to move more into the “business” or “enterprise” market space, this level of NON-disclosure is unacceptable.
In comparison, take a look at any of the recent Microsoft security bulletins, like, oh, this one, and you can see the kind of information that…
Skype’s Security Communication FAIL – Why Issue a HotFix If You Don’t Tell Anyone?
What is the point in issuing a hotfix that addresses a security vulnerability… if you don’t tell anyone that the hotfix is available?
Tonight Skype published a blog post saying that back on April 14th they released a “hotfix” for this problem in Skype for Mac version 5.1.0.922. That’s great… it’s good that the fix is out there, but…
how were we Mac users supposed to know about it?
Hmmm… let’s see… Could we find out about the Skype for Mac hotfix…
- … using the “Check for Updates” feature? Nope, doesn’t work for me. Maybe it works for others out there, but not for me.
- … from the Skype for Mac Release Notes page? Nope, that page STILL hasn’t been updated, three weeks later, to indicate that a new version is out. Nothing on there at all about 5.1.0.922.
- … from Skype’s Twitter account? Nope, no mention of a hotfix back on April 15th, although they did talk about the fact that Skype was mentioned twice on 30 Rock and that there was Skype call on the Rachael Ray show.
- … from Skype’s skypesecurity Twitter account? Nope, no mention.
- … on Skype’s Mac blog? Nope. Last post there was April…
UPDATED: Skype for Mac Has Dangerous Security Vulnerability… and There’s No Public Word From Skype
UPDATE: Skype has now published a blog post indicating that a Skype 5.1 update is available for download. As I noted separately, the auto-update process is NOT working for me. It appears that I will need to download the new version directly from Skype’s website.
Separately, Skype PR indicated to me that version 2.8 is not vulnerable – although I note that this information is not in Skype’s security blog post. (Skype has now confirmed in a tweet that Skype 2.x is not vulnerable.)
It’s great that Skype claims they fixed this in mid-April… but if they didn’t tell anyone – including, apparently, the security researcher who reported the issue – what value is it that they fixed the issue?
I have a longer piece that I need to write on this… but I’ll leave that for another post.
Meanwhile, we finally do have some information and a fix – many hours after it would have been helpful to have had it.
The original post remains below… From the Can-We-Please-Communicate-Better Department… there is apparently an open vulnerability in the Skype for Mac client that lets an attacker send a message to a Skype user and gain remote access. As reported…
I’ll be in Miami next week speaking at ITEXPO, Cloud Communications Summit, etc.
If any of you will be in South Beach, Miami, next week I’ll be there speaking as part of the Cloud Communications Summit and SIP Trunking Workshops. I’ve got a page up on Voxeo’s site that shows my schedule at: http://blogs.voxeo.com/events/itexpo-east-2011/
I know a good number of other folks from the VoIP/UC/Cloud Telecom/Voice Mashups/SIP/etc. world are all going to be down there, so I’m looking forward to catching up with some folks there.
If you are down in Miami for ITEXPO, the Cloud Communications Summit, Digium/Asterisk World or any of the other events, please do stop by and say hello… or find me down at one of the sessions I’m in (my schedule is online). You can always email me or ping me on Twitter.
Speaking at Voice Biometrics Conf next Tues, Weds, May 4-5, in NY
If any of you will be at the Voice Biometrics Conference next week (May 4-5) in the New York area (Jersey City, actually), I’ll be there speaking on Wednesday about ‘Seeding the Cloud – Authentication as a Service’. I’m arriving Monday evening and will be there through early Thursday morning.
“Voice Bio Con”, as it is called, is a rather comprehensive gathering of the major players in the voice biometrics / voice authentication / voice verification space. Great agenda with some excellent speakers (and yeah, I’m on that list, too). I wrote over on the VOIPSA blog about the number of case studies and real world deployments that will be discussed.
It should be a great event… I’m on that panel and will also be talking about Voxeo’s voice biometric partner program where you can try out voice biometric solutions for free using our hosted platform and the hosted services from four of the major voice biometric vendors. I’m looking forward to meeting up with some friends there and undoubtedly having some great conversations and learning a good bit.
If you are at the event, please do say hello! If you want to go and haven’t registered yet, there’s a…
