Category: VoIP Security
Shawn Merdinger – The Top 11 VoIP security issues you need to discuss with your vendor
Over on the Voice of VOIPSA weblog, security researcher Shawn Merdinger is 2/3 of the way through a series of posts on the “top 11 VoIP security issues you need to discuss with potential vendors”. His posts are:
- Pucker Up – Intimate VoIP Phone Security Questions, Part 1 of 3 (1-5)
- Pucker Up – Intimate VoIP Phone Security Questions, Part 2 of 3 (6-8)
with the third post coming at some point soon to cover points 9-11. Shawn’s posts are definitely “required reading” for anyone working on or concerned about issues around VoIP security. He’s done a great job bringing into one place the many questions that you should be asking VoIP/IP telephony/IP communications vendors about the security of the systems you are considering (or have already deployed).
Ranting about how very wrong ComputerWorld.au is about enterprises avoiding IP telephony for teleworkers
ComputerWorld in Australia came out with an article today headlined “Enterprises must avoid IP telephony for teleworkers or face attack“. Given that I use a secure teleworker phone on a daily basis, I was immediately struck by the headline and felt compelled to write a response over on Voice of VOIPSA: “Why Computerworld.au is dead wrong about… “. I think you can gather my opinion from the title. It will be interesting to see if there is any response from ComputerWorld (I’ve emailed them the link).
The sad thing is that outside of the headline, the rest of the article was more or less okay. Just a bad headline…
ETEL – Black Bag Security Presentation, 243 slides, Lessig connection, errata… slides available
So “the talk” finished around 11:15am this morning… I’ve just been straight out and unable to blog until now. The “Black Bag Security Review” was fun to do and I’ve been receiving a great amount of positive feedback and kind words from folks here. As you’ll see below, I’m going to include the slides here in Flash (I finally get a reason to experiment with SlideShare!). I’ll put a PDF up here as well once I get back to Vermont. It seems that after my laptop was reformatted, I never re-installed Acrobat to do PDF exports.
However, the slides aren’t really that much use without the audio, but I’ll be putting the audio up on Blue Box sometime in the next week or so and will post an update here with a link.
Had a couple of interesting questions and points of feedback about the talk (and things I noticed):
- Yes, there were actually 243 slides and yet it came in a hair under 15 minutes. This is a very different way of presenting than a “traditional” deadly PowerPoint presentation. More slides… minimal text… fast transitions. The point is to accent your story and leave the focus on you and what you are…
And so ETel begins…
Today starts the first day of ETel, a.k.a. O’Reilly’s Emerging Telephony conference. ETel is not one of the giant conferences… unlike one of the VONs, Internet Telephony or VoiceCon there will probably only be 500-1000 people here. But that is part of the charm, really (and this is only the second year)… it’s a place for the VoIP alpha-geeks to network, promote their visions, combine their visions, socialize and otherwise just learn a heck of a lot from each other. The schedule is packed with great info… the speaker roster is a veritable “Who’s Who” of people playing in the “Voice 2.0” or “Telephony 2.0” (or <pick your cliche term>) space. All in all, it’s one conference I’ve been very much looking forward to. Just in town last night, I’ve already run into Alec Saunders, Brad Templeton, Bruce Stewart, Surj Patel… had dinner with Blue Box podcast co-host Jonathan Zar and security researcher Shawn Merdinger… I know Ken Camp is around, Andy Abramson, Om Malik and so many others… it should be a great and fun conference.
For my part, I am doing two sessions. First, today at 1:30pm Pacific, Jonathan, Shawn and I will be doing a 90-minute workshop…
Tom Keating reviews "pbxnsip", an inexpensive IP-PBX based on Windows with a focus on security
Noticed today that Tom Keating has a review up on “pbxnsip“, which has the interesting twist of being a low-cost PBX solution running on Microsoft Windows. Most other inexpensive or open-source software-only PBX solutions tend to run on Linux, and indeed, pbxnsip does have Linux versions (and apparently NetBSD although they are not listed… perhaps they just run the Linux version). I first actually learned of pbxnsip some time ago at one of the various VoIP tradeshows when I was struck by the fact that they were advertising security as the main point in big letters on the background to their booth. In fact, security is #2 on their list of “reasons to buy”:
It addresses security. The pbxnsip PBX uses https, sips, SRTP and sdes to make the communication to your PBX secure. Using sdes-capable devices, your voice calls will stay as secure as your https traffic.
Well, gee, given my background, it’s not hard to imagine that any vendor that basically leads with security gets some extra points in my book. (Especially since doing so has the potential to paint a big red target on your back to all the attackers out there who like to debunk claims…
Doing a "deep dive" on OpenID…
I have to blame Aswath. Back in December, he posted a short piece wondering about the use of OpenID in SIP authentication. He contacted Jonathan and me in regard to Blue Box and asked for our comments. We discussed it on Blue Box #48 (at 15:50 in the show) and basically said “well, it’s interesting, but there’s no trust model so we can’t see how it would really work”. I had some further brief email exchange with Aswath, and then somewhere in there he came out with his proposal for extending OpenID use into communication systems. Again he dropped us a note, and again, even with posts like that of phoneboy, I still hadn’t gotten over my concern about trust – and we discussed it again in the soon-to-be-issued Blue Box #51, along with a comment from a listener.
But there was something there that kept nagging at the back of my brain… and then as Microsoft announced support for OpenID out at RSA… and then as AOL is talking about their plans… along with a hundred other smaller indicators… all of it has made me realize that I’ve needed to “go deeper” on what OpenID is all about and how…
Blue Box Podcast #50 finally hits the feed…
Fans of Blue Box have to be aware that I’m a wee bit behind in posting episodes… so I was delighted to finally get Blue Box #50 uploaded yesterday. I still need to finish putting the show notes up there, but at least the show is out so that people can listen to it. Given that we recorded it January 17th, it has already aged a bit. Tonight or tomorrow I’m hoping to get #51 up… and then #52 has already been recorded as well… I’d like to get caught up before going out to ETel where I’m undoubtedly going to get more recordings for special editions.
Richard Zhao’s new blog URL – sbin.con/blog – telecom and voip with a Chinese view…
I’ve long enjoyed Richard Zhao’s posts at “Telecom, Security and P2P” because, living in Beijing and working for Lenovo, he brings a distinctly different view into the global conversation. For instance, earlier this year he posted about Chinese security standards, something that few of us outside the country would probably have noticed or commented on. However, as he mentions over on his Chinese language blog (in English), access to Wordpress.com, where he previously had the blog, is apparently being blocked or degraded in China. So he has now moved his blog to:
As the title states, he covers primarily telecom and security. Do check him out…
Special "Still Secure" podcast episode offers 2006 review and 2007 predictions
Right before the holidays I had sent in to Alan Shimel a contribution for a special episode 26 of his “Still Secure After All These Years” podcast. In this episode, he asked a number of us in the security field to give our thoughts on major issues of 2006 and predictions for 2007. Mine were predictably about VoIP… but many others ran across the whole field of information security.
Kudos to Alan for pulling it all together and producing the episode. Makes for interesting listening.
Blue Box Podcast #48 out with our predictions for 2007, VoIP security news, etc. – and the frustrating audio issues in post-production
Earlier this week I uploaded Blue Box Podcast #48, where Jonathan and I go beyond just talking about the news to also review the “top VoIP security news stories of 2006” and also get into our predictions for 2007. My prediction #1 will be fairly obvious for anyone who has listened to the show for a while. We also cover the typical range of VoIP security stories, talk about OpenID for caller authentication and many more things.
This was a bit frustrating of a show to post-produce. Post-production is always a somewhat lengthy process, anyway, because I want the enhanced audio that you get from a wideband codec, which means that we use Skype. However, Skype creates its own challenges with voice that will simply fade away or get garbled. It’s fairly routine that we have to disconnect and reconnect a time or two within the space of the hour in which we are recording the show. (That’s actually apparent in this show where Jonathan’s voice is at a lower level and then suddenly is much louder. After the reconnect, he wound up with more volume.) If I could get the audio quality in a softphone without the fade outs,…
