http://www.secuobs.com Observatoire de la securite Internet fr webmaster@secuobs.com 2015-12-21 20:27:47 - Voice of VOIPSA : Our apologies to anyone looking for the information on this site over the past few days who found the site was not available There was a missed communication somewhere and a configuration change at our hosting provider resulted in our site going offline We ve fixed that and everything should now be back in action http://www.secuobs.com/revue/news/593861.shtmlhttp://www.secuobs.com/revue/news/593861.shtml Secuobs.com : 2015-08-19 22:41:50 - Voice of VOIPSA - It was nice to see this blog included in a recent Top 24 VoIP Blogs on the Internet post put out by Commander, who appears to be a provider of VoIP equipment, services and more http blogcommandercom top-24-voip-blogs-on-the-internet Obviously any list like this is very subjective but we do appreciate the mention, particularly given that the blogging http://www.secuobs.com/revue/news/580756.shtmlhttp://www.secuobs.com/revue/news/580756.shtml Secuobs.com : 2014-12-19 22:06:40 - Voice of VOIPSA - SS7 security issues reported on Techmeme I did a double-take yesterday and, as Jay Cuthrell noted on Twitter, wondered if this was a ThrowbackThursday taken to the extreme But no, there was indeed a report in the Washington Post about German security researchers discovering that aspects of SS7 signaling that could be used to listen http://www.secuobs.com/revue/news/551150.shtmlhttp://www.secuobs.com/revue/news/551150.shtml Secuobs.com : 2014-12-14 04:34:34 - Voice of VOIPSA - Verizon Wireless this week did something that initially seemed quite impressive they launched Voice Cypher , an app available for iOS, Android and Blackberry that promises secure end-to-end encryption It uses VoIP and is an over-the-top OTT app that works on any carrier If you read the marketing material on their web site, it all sounds http://www.secuobs.com/revue/news/550086.shtmlhttp://www.secuobs.com/revue/news/550086.shtml Secuobs.com : 2014-11-21 20:46:32 - Voice of VOIPSA - The Digium Asterisk Security Team has obviously been extremely busy ensuring that Asterisk is as secure as possible given that yesterday they released 7 security advisories, although only one of them AST2014-16 was rated as Critical The others are rated as Moderate or Minor but still are good reasons to upgrade to the latest http://www.secuobs.com/revue/news/546712.shtmlhttp://www.secuobs.com/revue/news/546712.shtml Secuobs.com : 2014-10-31 15:54:26 - Voice of VOIPSA - Olle Johansson is back with another set of excellent slides about VoIP security and the need to have MoreCrypto everywhere It s a great set of slides that talks about where we have come from and where we need to go Definitely check it out on SlideShare at Reboot the Open Realtime Revolution MoreCrypto Fall 2014 or http://www.secuobs.com/revue/news/543363.shtmlhttp://www.secuobs.com/revue/news/543363.shtml Secuobs.com : 2014-09-04 20:17:52 - Voice of VOIPSA - There s a good discussion going on right now September 2014 in the VoiceOps mailing list about how you can mitigate SIP threats by configuring the policies and settings on your session border controller SBC It started out with a detailed question from Robert Nystrom asking about how to configure an Acme Packet SBC in the http://www.secuobs.com/revue/news/533038.shtmlhttp://www.secuobs.com/revue/news/533038.shtml Secuobs.com : 2014-01-07 22:28:23 - Voice of VOIPSA - Happy New Year Welcome to 2014 We re looking forward to more activity happening here at VOIPSA this year stay tuned for more information In the meantime, we hope that you all have a very secure 2014 without any major security issues with your VoIP and other communication systems http://www.secuobs.com/revue/news/490268.shtmlhttp://www.secuobs.com/revue/news/490268.shtml Secuobs.com : 2013-12-18 14:30:04 - Voice of VOIPSA - We are unfortunately aware that the mail archives for the VOIPSEC mailing list have not been functioning for a long time The list still does have occasional active conversations on it and anyone is welcome to subscribe However, the archive on the list page as well as on the VOIPSA site page for the list has http://www.secuobs.com/revue/news/487152.shtmlhttp://www.secuobs.com/revue/news/487152.shtml Secuobs.com : 2013-12-17 15:20:04 - Voice of VOIPSA - The great folks at the Digium Asterisk Security Team have issued two new security advisories that folks running Asterisk should pay attention to They are AST-2013-006 Buffer Overflow When Receiving Odd Length 16 bit SMS Message If you have Asterisk set up to receive SMS messages, it seems that a 16-bit SMS message http://www.secuobs.com/revue/news/486854.shtmlhttp://www.secuobs.com/revue/news/486854.shtml Secuobs.com : 2013-11-25 21:57:02 - Voice of VOIPSA - Are there large-scale attacks happening against VoIP and videoconferencing systems today Or is it limited to one particular system In a posting this morning to the VoiceOps mailing list, J Oquendo wrote We have seen a larger than normal, if not, one of the largest attacks against some of our VoIP and video conferencing systems today Initially, http://www.secuobs.com/revue/news/482982.shtmlhttp://www.secuobs.com/revue/news/482982.shtml Secuobs.com : 2013-10-11 15:19:59 - Voice of VOIPSA - If you are an author here at Voice of VOIPSA and are wondering why you just received an email about a password change, I went through and reset all the passwords on our user accounts There was no security issue I just realized that some of the accounts have not been used for a http://www.secuobs.com/revue/news/474066.shtmlhttp://www.secuobs.com/revue/news/474066.shtml Secuobs.com : 2013-08-30 22:19:21 - Voice of VOIPSA - The great folks on Digium s security team published two security advisories this week that could lead to remote crashes of an Asterisk server The first, AST-2013-004, Remote Crash From Late Arriving SIP ACK With SDP, has this description A remotely exploitable crash vulnerability exists in the SIP channel driver if an ACK with SDP is http://www.secuobs.com/revue/news/465960.shtmlhttp://www.secuobs.com/revue/news/465960.shtml Secuobs.com : 2013-04-22 22:01:07 - Voice of VOIPSA - This week the SIP Network Operators Conference SIPNOC takes place in Herndon, Virginia, and the SIPNOC agenda turns out to have a great focus on security as it relates to VoIP and IP-based communications in general The security-related sessions include The Growth of Robocalling SPIT Communications Service Providers and Threat Intelligence Sharing Panel Discussion http://www.secuobs.com/revue/news/441115.shtmlhttp://www.secuobs.com/revue/news/441115.shtml Secuobs.com : 2013-04-03 14:17:54 - Voice of VOIPSA - The US Department of Homeland Security recently issued a bulletin titled TDoS Attacks on Public Safety Communications and while it was Law Enforcement Use Sensitive For Official Use Only a copy was obtained by Brian Krebs who wrote about it on his site and also published the DHS bulletin publicly This resulted in a small flurry http://www.secuobs.com/revue/news/437358.shtmlhttp://www.secuobs.com/revue/news/437358.shtml Secuobs.com : 2013-03-01 03:20:00 - Voice of VOIPSA - Should we still be talking about VoIP security Or should we be using some other language Back when we started VOIPSA in 2005, voice over IP VoIP was the term we all were using, but as we look at what kind of activities come next, we re starting to wonder if we should be talking about http://www.secuobs.com/revue/news/430812.shtmlhttp://www.secuobs.com/revue/news/430812.shtml Secuobs.com : 2012-11-14 15:03:15 - Voice of VOIPSA - This morning The Next Web reported on an exploit where Skype s password reset web page could be used to hijack a user s Skype account using only the password associated with the account So if you could guess someone s email address which can often be found through a Google search , you could effectively take over their http://www.secuobs.com/revue/news/411387.shtmlhttp://www.secuobs.com/revue/news/411387.shtml Secuobs.com : 2012-04-25 17:31:10 - Voice of VOIPSA - This week Digium released three security advisories allowing remote authenticated sessions to either crash an Asterisk server or escalate user privileges The advisories are AST-2012-004 - Asterisk Manager User Unauthorized Shell Access AST-2012-005 - Heap Buffer Overflow in Skinny Channel Driver AST-2012-006 - Remote Crash Vulnerability in SIP Channel Driver In all cases the solution is to upgrade to http://www.secuobs.com/revue/news/371946.shtmlhttp://www.secuobs.com/revue/news/371946.shtml Secuobs.com : 2012-01-25 23:21:49 - Voice of VOIPSA - Want to join in to a free webinar webcast to learn about VoIP and Unified Communications security Tomorrow, Thursday, January 26, 2012, I Dan York will be speaking as part of US Telecom s monthly educational webinar series on the topic of Securing VoIP and Unified Communications Systems The session will be at 1 00pm US Eastern Registration http://www.secuobs.com/revue/news/354130.shtmlhttp://www.secuobs.com/revue/news/354130.shtml Secuobs.com : 2011-12-02 15:15:31 - Voice of VOIPSA - One of the big news items in telecom security this past week was the arrest in Manila of 4 men accused of defrauding AT T of almost 2 million USD and then using those funds to finance a terrorist organization The Philippine National Police issued a statement annoyingly you have to scroll down to the November http://www.secuobs.com/revue/news/345025.shtmlhttp://www.secuobs.com/revue/news/345025.shtml Secuobs.com : 2011-10-17 21:57:08 - Voice of VOIPSA - The folks over at the Digium security team today released security bulletin AST-2011-012 for a remote crash vulnerability in the SIP channel drive For info about the attack, they state only A remote authenticated user can cause a crash with a malformed request due to an uninitialized variable An assumption from this statement would be http://www.secuobs.com/revue/news/335268.shtmlhttp://www.secuobs.com/revue/news/335268.shtml Secuobs.com : 2011-10-04 17:41:17 - Voice of VOIPSA - Fascinating news today that Avaya has acquired Sipera Systems for an undisclosed sum We ve covered Sipera here on this blog any number of times over the past years as they have been one of the few firms very specifically focused on VoIP security , or, to be more appropriately buzzword-compliant in 2011, Unified Communications security In http://www.secuobs.com/revue/news/332615.shtmlhttp://www.secuobs.com/revue/news/332615.shtml Secuobs.com : 2011-09-30 15:15:22 - Voice of VOIPSA - Are you a vendor of SIP software or hardware devices If so, do you support SRTP or SIP over TLS If you do or are thinking about doing so why don t you join Olle Johansson for some interoperability testing at SIPit 29, October 24-28, in Monaco Olle raised just that suggestion today in http://www.secuobs.com/revue/news/331933.shtmlhttp://www.secuobs.com/revue/news/331933.shtml Secuobs.com : 2011-09-20 21:39:04 - Voice of VOIPSA - News from the SUPEREVR security blog is that Skype for iOS is vulnerable to a cross-site scripting XSS attack that allows an attacker to send someone a message and, for instance, capture that user s address book from their iPhone The author of the article posted a video that demonstrates the attack He further states in http://www.secuobs.com/revue/news/330010.shtmlhttp://www.secuobs.com/revue/news/330010.shtml Secuobs.com : 2011-08-02 19:59:23 - Voice of VOIPSA - News out of the CA Security Advisor Blog today is that there is a new piece of Android malware that records phone calls that you make on an Android phone The post author, Dinesh Venkatesan, goes into some detail about what they found and how they found it in testing this malware While http://www.secuobs.com/revue/news/320617.shtmlhttp://www.secuobs.com/revue/news/320617.shtml Secuobs.com : 2011-05-23 23:27:36 - Voice of VOIPSA - News out of the US Federal Bureau of Investigation FBI last week was that a New Jersey man pled guilty to charges that he and his co-conspirators stole over 44 million USD of VoIP services from a range of VoIP service providers including AT T, Verizon and many others Reading through the FBI news release, the http://www.secuobs.com/revue/news/306665.shtmlhttp://www.secuobs.com/revue/news/306665.shtml Secuobs.com : 2011-04-29 22:17:04 - Voice of VOIPSA - This week at the SIPNOC event near DC, an attendee asked if I knew of any hosted services that would scan the external interface of a network to see if the VoIP services were secure He sells SIP connectivity to small businesses, many of whom typically have purchased an IP-PBX from somewhere like a retail http://www.secuobs.com/revue/news/301699.shtmlhttp://www.secuobs.com/revue/news/301699.shtml Secuobs.com : 2011-04-25 15:58:35 - Voice of VOIPSA - Tomorrow I will be in Herndon, Virginia, outside of Washington, DC, at SIPNOC The SIP Network Operators Conference I will be speaking in two sessions details here , one of which is a panel about SIP Adoption and Network Security and will include two other panelists from Acme Packet and Sipera Systems The panel discussion is http://www.secuobs.com/revue/news/300585.shtmlhttp://www.secuobs.com/revue/news/300585.shtml Secuobs.com : 2011-03-31 13:29:44 - Voice of VOIPSA - I recently had the opportunity to sit down with David Cargill, member of the council at the ITSPA trade association wwwitspaorguk David is chairing the VoIP Security committee at ITSPA, and I wanted to ask him about that MD Firstly, tell me something about ITSPA, and its goals DC The Internet Telephony Service Providers Association http://www.secuobs.com/revue/news/295351.shtmlhttp://www.secuobs.com/revue/news/295351.shtml Secuobs.com : 2011-03-30 23:45:25 - Voice of VOIPSA - Is the voice service outage that TelePacific Communications experienced today the result of cybercriminials attacking TelePacific s SIP infrastructure TelePacific offers a service called SmartVoice that appears from their website to be the basic type of SIP service provided by many service providers these days On March 24th, they started experiencing an outage and their Twitter http://www.secuobs.com/revue/news/295228.shtmlhttp://www.secuobs.com/revue/news/295228.shtml Secuobs.com : 2011-03-30 17:06:44 - Voice of VOIPSA - We at SecureLogix are hosting a webinar today to cover the Voice and Unified Communications State of Security Report today at 1 00 CST along with the folks from NoJitter Here is a link to the webinar registration page http://www.secuobs.com/revue/news/295139.shtmlhttp://www.secuobs.com/revue/news/295139.shtml Secuobs.com : 2011-03-17 14:59:38 - Voice of VOIPSA - The Digium security team issued two security advisories this week for Asterisk AST-2011-003 Resource exhaustion in Asterisk Manager Interface AST-2011-004 Remote crash vulnerability in TCP TLS server The second one, AST-2011-004, is the far more concerning because it indicates that a remote attacker could connect to an Asterisk system and cause it to crash The solution, http://www.secuobs.com/revue/news/292307.shtmlhttp://www.secuobs.com/revue/news/292307.shtml Secuobs.com : 2011-03-07 18:55:40 - Voice of VOIPSA - Here is a link to the SecureLogix State of Communications Security Report It is currently at the NoJitter site We will post it to our website and here in a couple of weeks https logintechwebcom cas login service http wwwnojittercom sponsoredcontent view cid 3900003 siteId 167601003 successfulLoginRedirect http wwwnojittercom sponsoredcontent view cid 3900003 This is the first time ever that anyone has released a security report that is focused on voice VoIP communications The report describes http://www.secuobs.com/revue/news/289920.shtmlhttp://www.secuobs.com/revue/news/289920.shtml Secuobs.com : 2011-03-07 14:40:03 - Voice of VOIPSA - By way of the Infosthetics site, I learned this morning of a video produced by Dataviz Australia that uses data from a VoIP honeypot server to visualize what the attack looks like The Dataviz Australia blog post has more information about what they are specifically showing here I am always intrigued to see how people http://www.secuobs.com/revue/news/289851.shtmlhttp://www.secuobs.com/revue/news/289851.shtml Secuobs.com : 2011-03-03 03:50:45 - Voice of VOIPSA - If you have been at the Enterprise Connect show this week in Orlando, Florida, one of the perhaps unexpected booths on the exhibit hall floor was that of the National Security Agency NSA The booth was staffed by two great guys who rapidly moved away when I raised my iPhone camera who explained that they http://www.secuobs.com/revue/news/289024.shtmlhttp://www.secuobs.com/revue/news/289024.shtml Secuobs.com : 2011-02-24 03:51:38 - Voice of VOIPSA - Tonight I upgraded Voice of VOIPSA to the shiny new WordPress 31 It looks like there are no issue with our theme or any other part of the site, but if you do see anything funky, please do let me know And if you are one of the bloggers here on the site, you may http://www.secuobs.com/revue/news/287332.shtmlhttp://www.secuobs.com/revue/news/287332.shtml Secuobs.com : 2011-02-21 17:35:38 - Voice of VOIPSA - I was not out at this year s RSA Conference, but was following some of the conversation via Twitter I noticed a number of good videos coming out of the event, and liked this summary video from David Sparks that does give an overview of some of the major themes David was out there on behalf http://www.secuobs.com/revue/news/286634.shtmlhttp://www.secuobs.com/revue/news/286634.shtml Secuobs.com : 2011-02-16 16:57:03 - Voice of VOIPSA - Over on the Tekelec blog today, Dorgham Sisalem writes on DNS and SIP Threats and Protection , an area of discussion that, quite frankly, hasn t really received much attention DNS plays a vital role in VoIP and unified communications, and so the security around DNS and SIP definitely deserves consideration The post is not too long, http://www.secuobs.com/revue/news/285681.shtmlhttp://www.secuobs.com/revue/news/285681.shtml Secuobs.com : 2011-01-30 12:12:34 - Voice of VOIPSA - Can you trust the cloud to be there for communications What about latency issues availability What should you be most concerned about Those are issues that I Dan York will be discussing on a panel on Friday, Feb 4, 2011, at the Cloud Communications Summit in South Beach, Miami The abstract is There s a general http://www.secuobs.com/revue/news/281702.shtmlhttp://www.secuobs.com/revue/news/281702.shtml Secuobs.com : 2011-01-28 18:52:15 - Voice of VOIPSA - Will you be in South Beach, Miami, next week for the collection of conferences around TMC s ITEXPO event If so, I ll be there participating in two sessions in Ingate System s SIP Trunking Workshop First, on Wednesday, February 2nd, I ll be on a panel at 1pm about SIP, UC and Security We ve done this panel at http://www.secuobs.com/revue/news/281447.shtmlhttp://www.secuobs.com/revue/news/281447.shtml Secuobs.com : 2011-01-14 19:17:25 - Voice of VOIPSA - It may be a wee bit of a late notice for folks to join the call live, but in about 50 minutes, the VoIP Users Conference will have their weekly live call talking this week with folks from Humbug Telecom Labs about their tools for detecting and analyzing VoIP fraud You can join the live http://www.secuobs.com/revue/news/278307.shtmlhttp://www.secuobs.com/revue/news/278307.shtml Secuobs.com : 2011-01-03 20:43:23 - Voice of VOIPSA - Last Friday there was news out of the Chaos Computer Club Congress in Berlin that two security researchers, Karsten Nohl and Sylvian Munaut, had successfully cracked the encryption used in the GSM cellular network While not VoIP , per se, this is of interest to any of us working with VoIP as many VoIP clients are http://www.secuobs.com/revue/news/275526.shtmlhttp://www.secuobs.com/revue/news/275526.shtml Secuobs.com : 2010-12-16 21:45:32 - Voice of VOIPSA - Tomorrow Friday, December 17, 2010 I will be participating in a webinar entitled Deployment of Next Generation IP Security for the International Legal Technology Association, an industry organization looking to maximize the value of technology in support of the legal profession It should be fun and I m expecting that the questions I ll receive may indeed http://www.secuobs.com/revue/news/272349.shtmlhttp://www.secuobs.com/revue/news/272349.shtml Secuobs.com : 2010-12-09 19:29:46 - Voice of VOIPSA - The headline news of Wikileaks has drawn considerable attention to the huge, intractable problems of digitized data and how much a single individual can damage an organization, business or nation-state But these issues are not just with Wikileaks, as the recent breach of gaming leader Blizzard resulted in disclosure of business plans and product roadmaps http://www.secuobs.com/revue/news/270611.shtmlhttp://www.secuobs.com/revue/news/270611.shtml Secuobs.com : 2010-12-06 22:55:21 - Voice of VOIPSA - Updating two points from my post last week, WikiLeaks as a Preview of All-Out Cyberwar I wrote On the opposite site, you have the WikiLeaks organization itself moving its content to various places and among various providers desperately seeking a way to keep itself online But even more you have supporters of WikiLeaks downloading all http://www.secuobs.com/revue/news/269769.shtmlhttp://www.secuobs.com/revue/news/269769.shtml Secuobs.com : 2010-12-03 17:03:12 - Voice of VOIPSA - As a network security professional, the ongoing WikiLeaks saga certainly is quite concerning I am not referring to the exposure of documents but rather the all-out effort to completely wipe WikiLeaks off the Internet and what that means for your business and your connectivity to the Internet I m NOT talking here about the politics http://www.secuobs.com/revue/news/269204.shtmlhttp://www.secuobs.com/revue/news/269204.shtml Secuobs.com : 2010-12-01 21:13:08 - Voice of VOIPSA - Welcome to the 3rd post in my series of leveraging the power of the Nokia N900 utilizing opensource, cutting-edge security tools for espionage ethical penetration testing As mentioned in my last article, I m continuing to focus on available, easily installed and free tools This post will cover more scary security-related applications for the Nokia N900, in http://www.secuobs.com/revue/news/268675.shtmlhttp://www.secuobs.com/revue/news/268675.shtml Secuobs.com : 2010-11-29 23:49:56 - Voice of VOIPSA - Hey, Jason Ostrom here In the spirit of some of the valuable information being shared on the rising trend of SIP scanning activity and toll fraud, I ve created a Perl script that does GeoIP lookups of potential attackers, sorting them based on scanning activity and country origination The script is free to anyone, and currently http://www.secuobs.com/revue/news/268107.shtmlhttp://www.secuobs.com/revue/news/268107.shtml Secuobs.com : 2010-11-19 22:36:27 - Voice of VOIPSA - Back on October 4, 2010, I spoke at Ingate Systems SIP Trunking and Unified Communications section of TMC s ITEXPO event in Los Angeles I gave an overall summary of issues around VoIP UC security and then joined a large panel of others answering questions from the moderator and the audience The slides I used are now http://www.secuobs.com/revue/news/266193.shtmlhttp://www.secuobs.com/revue/news/266193.shtml Secuobs.com : 2010-11-11 23:16:50 - Voice of VOIPSA - Given that I hold a CISSP certification, I naturally remain connected to the Information Systems Security Certification Consortium ISC2 organization in order to maintain my credentials I hadn t paid much attention to the actual website for a while and only recently noted that there is a ISC2 blog and it s been updated periodically for a http://www.secuobs.com/revue/news/264296.shtmlhttp://www.secuobs.com/revue/news/264296.shtml Secuobs.com : 2010-11-10 19:29:58 - Voice of VOIPSA - While I wouldn t normally write about simply an updated website for a company, this particular company is Sipera Systems, one of the small number of companies focused pretty much entirely on VoIP security er Unified Communications Security And hey, UC Security sounds a whole lot better to say Given that part of my regular work http://www.secuobs.com/revue/news/263969.shtmlhttp://www.secuobs.com/revue/news/263969.shtml Secuobs.com : 2010-11-05 21:06:42 - Voice of VOIPSA - Flickr credit mhartford What do you think VOIPSA 20 should be And perhaps more importantly, how are you willing to help As Dave Endler wrote in his post last week, five years ago the need for an organization like VOIPSA was very clear As I ve often said in my talks, at that time there were http://www.secuobs.com/revue/news/262805.shtmlhttp://www.secuobs.com/revue/news/262805.shtml Secuobs.com : 2010-11-01 12:51:48 - Voice of VOIPSA - I was interested last week to discover that the USA has its own Museum of Cryptography The National Cryptologic Museum is run by the National Security Agency in Fort Meade, Maryland Curiously, the building used to be a motel, quite literally in Fort Meade s backyard, but was annexed by the NSA when it came up http://www.secuobs.com/revue/news/261458.shtmlhttp://www.secuobs.com/revue/news/261458.shtml Secuobs.com : 2010-10-27 03:54:49 - Voice of VOIPSA - It s been over 5 years since the Voice over IP Security Alliance was born A small group of us originally aimed to fill a very large gap in the voip security landscape Namely that outside of IETF meetings, the thought leaders in the carrier, vendor, and security industries didn t really have many other vehicles to http://www.secuobs.com/revue/news/260135.shtmlhttp://www.secuobs.com/revue/news/260135.shtml Secuobs.com : 2010-10-26 04:00:13 - Voice of VOIPSA - This isn t about VoIP, per se, but it is about the threat we ve long talked about of transmitting data over insecure WiFi networks At the Toorcon 12 conference this week, Eric Butler and Ian Gallagher released a Firefox add-on called Firesheep view their Toorcon slides that scans an insecure WiFi network for login credentials passed http://www.secuobs.com/revue/news/259845.shtmlhttp://www.secuobs.com/revue/news/259845.shtml Secuobs.com : 2010-10-11 19:55:18 - Voice of VOIPSA - Have you received a barrage of phone calls to your number If so, you may be in the process of being victimized, according to a Wall St Journal article over the weekend called Preventing a Hack Attack The article outlines how a cyber-theft ring that was broken up last week used automated dialing programs to http://www.secuobs.com/revue/news/255912.shtmlhttp://www.secuobs.com/revue/news/255912.shtml Secuobs.com : 2010-10-05 16:22:39 - Voice of VOIPSA - During that period i started to deeply understand and evaluate matters related to the protection of VoIP related infrastructure against attacks and the diffused technologies for signaling and VoIP encryption I investigated the concept of SIP Firewalls and VoIP Firewalls and found that in this area there s a lot of confusion and misunderstanding among the http://www.secuobs.com/revue/news/254377.shtmlhttp://www.secuobs.com/revue/news/254377.shtml Secuobs.com : 2010-09-29 22:17:17 - Voice of VOIPSA - In my previous post I briefly touched on information that I had been collecting for over 19 months via what began as VoIP Intrusion Detection system I had whipped up from scratch The framework for Arkeos began almost three years ago while working here at an ITSP slash managed service provider One of our services http://www.secuobs.com/revue/news/252877.shtmlhttp://www.secuobs.com/revue/news/252877.shtml Secuobs.com : 2010-09-28 18:44:28 - Voice of VOIPSA - Brief History Throughout the course of three years I have been studying the Voice Over IP attack canvas As a security engineer, I have had the privilege of seeing an enormous amount of attacks while working at a Managed Services Provider Because I have multiple roles in the company I am working at, I get http://www.secuobs.com/revue/news/252475.shtmlhttp://www.secuobs.com/revue/news/252475.shtml Secuobs.com : 2010-09-27 16:48:15 - Voice of VOIPSA - Bringing closure to a case we ve been following literally for years since it was first reported way back in June 2006, fraudster Edwin Pena was sentenced last Friday to 10 years in prison and ordered to repay the 1 million in restitution It appears he also won t be in the US after he serves his http://www.secuobs.com/revue/news/252004.shtmlhttp://www.secuobs.com/revue/news/252004.shtml Secuobs.com : 2010-09-21 16:57:50 - Voice of VOIPSA - While it is not VoIP security, per se, much of the communications market is buzzing this week with news that calls made on Blackberry smartphones can be intercepted by the US government Many stories have been written, but here s one US authorities able to tap BlackBerry messaging While many of us in the security community http://www.secuobs.com/revue/news/250288.shtmlhttp://www.secuobs.com/revue/news/250288.shtml Secuobs.com : 2010-09-21 16:57:50 - Voice of VOIPSA - Risk A Growing And Disturbing Trend Today the Washington Post and WSJ Blog both reported on a decision by the University of Virgina Housing Division to remove phones from student dorm rooms The obvious justification for the decision is the cost associated with providing phone infrastructure residence halls, in UVa s case over 500K annually http://www.secuobs.com/revue/news/250287.shtmlhttp://www.secuobs.com/revue/news/250287.shtml Secuobs.com : 2010-09-21 16:57:50 - Voice of VOIPSA - Just a quick administrivia note this site is now running the latest and greatest WordPress software at version 301 In my testing, everything looks perfectly fine, but if you see anything strange on the site in terms of display issues, please do let us know Thanks and thanks for continuing to read and http://www.secuobs.com/revue/news/250286.shtmlhttp://www.secuobs.com/revue/news/250286.shtml Secuobs.com : 2010-09-21 16:57:50 - Voice of VOIPSA - I m sorry to say so But, sadly it s true That bang-ups and hang-ups Can happen to you Dr Seuss, Oh, the places you ll go 1990 Back in January 2010, I wrote a short blog post about Shodan and VoIP devices and mentioned that it s a site well worth revisiting Well, that time has come, http://www.secuobs.com/revue/news/250285.shtmlhttp://www.secuobs.com/revue/news/250285.shtml Secuobs.com : 2010-09-21 16:57:50 - Voice of VOIPSA - I have a bit of history in attacking VoIP phones, specifically VoIP Wifi phones Way back in 2005-2006 I purchased several VoIP Wifi phones and conducted very basic security analysis to demonstrate a commonality of vulnerabilities, most notably that many of them had a number of open ports and extraneous services This research resulted in http://www.secuobs.com/revue/news/250284.shtmlhttp://www.secuobs.com/revue/news/250284.shtml Secuobs.com : 2010-09-21 16:57:50 - Voice of VOIPSA - If you use Twitter and would like to stay up on the latest news from the VOIPSA blog, one easy way you can do that is to follow us at twittercom voipsa We promote any blog posts out to that Twitter account as well as through the usual RSS feed If you re on Twitter, please do http://www.secuobs.com/revue/news/250283.shtmlhttp://www.secuobs.com/revue/news/250283.shtml Secuobs.com : 2010-09-21 16:57:50 - Voice of VOIPSA - You too could be a corporate green killer, bean spiller'Gangster of Love' just like Steve MillerThey wear skivvies that's made of chinchillaFactory in Mexico, bought a spring villa --The Coup Welcome to the 2nd post in my series of leveraging the power of the Nokia N900 handheld using opensource, cutting-edge security tools for ethical penetration http://www.secuobs.com/revue/news/250282.shtmlhttp://www.secuobs.com/revue/news/250282.shtml Secuobs.com : 2010-07-22 20:24:07 - Voice of VOIPSA - In the 80s movie The Color of Money there s a great scene where a player challenges Tom Cruise s character to a game He strolls up to Vincent and says So what you got in there to which Vincent replies Doom This is akin to how I felt a few weeks ago after I finally http://www.secuobs.com/revue/news/242969.shtmlhttp://www.secuobs.com/revue/news/242969.shtml Secuobs.com : 2010-07-15 19:11:09 - Voice of VOIPSA - If any of you will be at the SpeechTEK conference in New York August 2-4, I ll be there and giving a presentation on Monday, August 2nd, at 4 15 about Unified Communications security The panel abstract is As applications move into the multichannel and interconnected world, what are the security concerns you need to consider Aaron http://www.secuobs.com/revue/news/240894.shtmlhttp://www.secuobs.com/revue/news/240894.shtml Secuobs.com : 2010-07-09 22:37:20 - Voice of VOIPSA - Very interesting news Apple s new iPhone4 application, Facetime, is a VoIP and IP Video application using SIP signaling and RTP media Security researcher and SANS Instructor Josh Wright has posted a very interesting and comprehensive analysis of the Facetime application on Packetstan, a new blog developed by his other SANS and InGuardians colleagues A http://www.secuobs.com/revue/news/239259.shtmlhttp://www.secuobs.com/revue/news/239259.shtml Secuobs.com : 2010-07-09 16:16:08 - Voice of VOIPSA - The big news circulating through the Internet right now related to Skype is that someone may have reverse-engineered part of Skype s encryption Two posts of note TechCrunch Skype s Innermost Security Layers Claimed To Be Reverse-Engineered Heise Security Skype s encryption procedure partly exposed The comments on the TechCrunch article are particularly worth reading as a number of security-related http://www.secuobs.com/revue/news/239124.shtmlhttp://www.secuobs.com/revue/news/239124.shtml Secuobs.com : 2010-07-08 01:58:00 - Voice of VOIPSA - I assume most everyone has seen the FBI press release on Telephony Denial of Service TDoS For those who have not, see http newarkfbigov pressrel pressrel10 nk051110htm I am also seeing the term used to describe enterprise-directed DoS, where an attacker typically floods a contact center with calls I have recently worked with both enterprises, service providers, and hosted IVR companies http://www.secuobs.com/revue/news/238533.shtmlhttp://www.secuobs.com/revue/news/238533.shtml Secuobs.com : 2010-07-02 03:30:37 - Voice of VOIPSA - Oops To make a long story short, the voipsaorg domain was set to auto-renew on a credit card that was cancelled between renewals and email notifications went to an incorrect address It s all better now Life is good Sorry about that and thanks to the multiple people who pinged us about it http://www.secuobs.com/revue/news/237057.shtmlhttp://www.secuobs.com/revue/news/237057.shtml Secuobs.com : 2010-06-07 22:00:10 - Voice of VOIPSA - I don t travel nearly as as much as I used to, yet when I do I always keep a sharp eye out for the technical glitches in devices around me in travel environments What can I say It provides me endless amusement While Linux boxes crashing in airlines on-board entertainment systems are nothing new, http://www.secuobs.com/revue/news/229254.shtmlhttp://www.secuobs.com/revue/news/229254.shtml Secuobs.com : 2010-05-20 17:33:53 - Voice of VOIPSA - As some readers may already know, Syngress has now published a book I wrote, Seven Deadliest Unified Communications Attacks that dives into the threats to communications systems and the strategies to protect your systems It is part of a series of Seven Deadliest Attacks books that have come out over the past couple http://www.secuobs.com/revue/news/224046.shtmlhttp://www.secuobs.com/revue/news/224046.shtml Secuobs.com : 2010-05-18 22:35:22 - Voice of VOIPSA - The security weaknesses of VLANs have been known for years Recent case studies have highlighted the potential risk of using Voice VLANs together with VoIP in an infrastructure absent of properly configured security controls While visiting Europe just recently, I was reminded of this issue for a couple http://www.secuobs.com/revue/news/223288.shtmlhttp://www.secuobs.com/revue/news/223288.shtml Secuobs.com : 2010-05-15 15:44:30 - Voice of VOIPSA - Earlier this week, several news outlets including Wiredcom reported on a new Telephony Denial-of-Service attack that's becoming more widespread In this attack scenario, hundreds or thousands of PSTN calls are launched to the victim's phone in order to prevent financial institution notifications from arriving while the attacker drains accounts http://www.secuobs.com/revue/news/222519.shtmlhttp://www.secuobs.com/revue/news/222519.shtml Secuobs.com : 2010-05-08 18:44:43 - Voice of VOIPSA - Practical challenges that still remain on a protocol-by-protocol basis for ensuring integrity when binding a certificate to a domain for a given protocol http://www.secuobs.com/revue/news/220246.shtmlhttp://www.secuobs.com/revue/news/220246.shtml Secuobs.com : 2010-04-28 21:32:04 - Voice of VOIPSA - Want to learn about how voice biometrics are being used today in real deployments Want to learn what advances have been made in the technology Want to find out how people are using it for voice authentication, identification and more If so, consider attending the Voice Biometrics Conference taking place next week, May 4th http://www.secuobs.com/revue/news/217009.shtmlhttp://www.secuobs.com/revue/news/217009.shtml Secuobs.com : 2010-04-22 20:18:55 - Voice of VOIPSA - On NPR s Fresh Air this week, Richard Clarke made some great points, in particular with the logic bomb scenarios of sneaking of code and untrustworthy hardware While this is old news, it s still a very real threat recall that more than 3500 Chisco devices were discovered on US government networks back in 2008 With http://www.secuobs.com/revue/news/215042.shtmlhttp://www.secuobs.com/revue/news/215042.shtml Secuobs.com : 2010-04-17 01:00:40 - Voice of VOIPSA - Well, it only took about five years and three sessions of Congress to finally pass this thing in both the House and the Senate The Senate passed their version of the bill S 30 on February 23rd and the House passed their version of the bill HR 1258 on April 14th All that remains now http://www.secuobs.com/revue/news/213230.shtmlhttp://www.secuobs.com/revue/news/213230.shtml Secuobs.com : 2010-04-14 00:58:09 - Voice of VOIPSA - Awhile back I blogged on VOIPSA about medical devices using VoIP This is a follow-up to that post, and is a bit more tangible in that these devices are showing up on the auction sites I typically check eBay weekly for medical devices showing up, with an eye for anything with a network interface Bluetooth-enabled devices http://www.secuobs.com/revue/news/211753.shtmlhttp://www.secuobs.com/revue/news/211753.shtml Secuobs.com : 2010-04-08 17:27:02 - Voice of VOIPSA - An emerging trend among Unified Communications vendors these days is support for federation between UC systems in different organizations Perhaps the first to market was Microsoft OCS Federation which allows two enterprises with Office Communications Servers to share presence, instant messaging, voice, and video Google Wave launched last June with support for Wave Federation Protocol http://www.secuobs.com/revue/news/210179.shtmlhttp://www.secuobs.com/revue/news/210179.shtml Secuobs.com : 2010-03-04 19:17:51 - Voice of VOIPSA - Remember the cyberattacks against Google and other businesses back in China Google blogged about A new approach to China and it was all over the news everywhere for a while Well, this week security firm Damballa released a detailed look into the Aurora botnet that was apparently responsible for these attacks The 31-page http://www.secuobs.com/revue/news/198083.shtmlhttp://www.secuobs.com/revue/news/198083.shtml Secuobs.com : 2010-02-20 00:45:42 - Voice of VOIPSA - Updating a story we have literally been following for years ever since it broke back in July 2006, the FBI recently issued a news release indicating that Edwin Pena pled guilty in what we have been calling the Pena Moore VoIP fraud case From the news release Edwin Pena, 27, a Venezuelan citizen, pleaded guilty before US http://www.secuobs.com/revue/news/193709.shtmlhttp://www.secuobs.com/revue/news/193709.shtml Secuobs.com : 2010-02-19 16:20:50 - Voice of VOIPSA - Olle Johansson recently alerted us that there is a dialstring injection vulnerability in Asterisk As Olle notes in his post about the vulnerability, this is similar to a SQL injection attack against a database where there is not enough filtering being done on strings that are being input to the system Olle writes Many VoIP http://www.secuobs.com/revue/news/193559.shtmlhttp://www.secuobs.com/revue/news/193559.shtml Secuobs.com : 2010-02-01 18:07:03 - Voice of VOIPSA - While this isn t about VoIP, per se, there s a new version of an Internet-Draft out, draft-ietf-tcpm-icmp-attacks, about how ICMP can be used to attack TCP The abstract is This document discusses the use of the Internet Control Message Protocol ICMP to perform a variety of attacks against the Transmission Control Protocol TCP http://www.secuobs.com/revue/news/187362.shtmlhttp://www.secuobs.com/revue/news/187362.shtml Secuobs.com : 2010-01-25 02:49:45 - Voice of VOIPSA - To most in the security industry these words bring to mind attack and defense of the electronic communications and control of military assets and sensitive government institutions and information Government vs government The US government recognizes this as a developing threat and has undertaken steps to prepare for possible cyber war scenarios But recent press http://www.secuobs.com/revue/news/184964.shtmlhttp://www.secuobs.com/revue/news/184964.shtml Secuobs.com : 2010-01-09 01:31:58 - Voice of VOIPSA - The holidays are over, time to focus on the new year ahead For some the holidays provide a little more time as others are busy preparing for the holidays to research, review and catch up on security news and trends from around the industry I have always been an advocate for security awareness in http://www.secuobs.com/revue/news/179782.shtmlhttp://www.secuobs.com/revue/news/179782.shtml Secuobs.com : 2010-01-07 20:44:41 - Voice of VOIPSA - Most of us are familiar with the information disclosure risks associated with devices like phones and ATAs on the Internet, and this has been mentioned in presentations like Endler Collier at BlackHat in 2006 However, the recent emergence of Shodan significantly raises the exposure of these devices, especially embedded systems Shodan bills itself as a Computer Search http://www.secuobs.com/revue/news/179287.shtmlhttp://www.secuobs.com/revue/news/179287.shtml Secuobs.com : 2009-12-04 20:52:45 - Voice of VOIPSA - Earlier this week, the security team at Digium released Asterisk Projects Security Advisory AST-2009-010 identifying an interesting attack where an attacker can send a malformed RTP packet within the RTP stream and crash the Asterisk system The fix identified is to upgrade to the latest version of Asterisk My one bit of feedback to the http://www.secuobs.com/revue/news/168699.shtmlhttp://www.secuobs.com/revue/news/168699.shtml Secuobs.com : 2009-10-23 19:33:46 - Voice of VOIPSA - Following up on a story we ve literally been covering for years, SC Magazine reported last week that VoIP fraudster Edwin Pena was to be arrive back in the USA last Friday, October 16 The FBI news release indicates that Pena is to be arraigned today, October 23rd, in New Jersey For those not familiar, the story http://www.secuobs.com/revue/news/153494.shtmlhttp://www.secuobs.com/revue/news/153494.shtml Secuobs.com : 2009-10-23 19:33:46 - Voice of VOIPSA - After literally a year of being away from the microphone, Jonathan and I posted Blue Box Podcast Episode 86 yesterday The show is really just an update on what we ve been doing over the past year, why there haven t been new shows, what we are thinking about for the future, etc We had http://www.secuobs.com/revue/news/153493.shtmlhttp://www.secuobs.com/revue/news/153493.shtml Secuobs.com : 2009-09-28 20:41:14 - Voice of VOIPSA - At first sight, using any VoIP client on the iPhone or the iPod Touch aka iDevices may seem like a uninteresting thing The reason for this is that Apple does not allow 3rd party applications to run in the background So when a user close down his iVoIP Client he will not be able to http://www.secuobs.com/revue/news/145157.shtmlhttp://www.secuobs.com/revue/news/145157.shtml Secuobs.com : 2009-09-12 00:22:47 - Voice of VOIPSA - For those interested in the underlying plumbing of this site, today I added the RSS Cloud plugin for WordPress to this site that is described in more detail in this post RSSCloud for WordPress What does this mean for you as readers In the short term, not much The only RSS Cloud-enabled reader right now is Dave http://www.secuobs.com/revue/news/140157.shtmlhttp://www.secuobs.com/revue/news/140157.shtml Secuobs.com : 2009-09-02 22:22:17 - Voice of VOIPSA - With all the hubbub surrounding medical insurance reform, town hall meetings, and other distractions events it s worthwhile looking at some of the technical medical devices coming into the marketplace to be placed in patients homes, connected to their broadband internet connection Of several products in the patient home monitoring space, the Intel Health Guide PHS 6000 http://www.secuobs.com/revue/news/137069.shtmlhttp://www.secuobs.com/revue/news/137069.shtml Secuobs.com : 2009-09-01 03:43:53 - Voice of VOIPSA - Apparently there s a new piece of malware floating around that targets audio processors like Skype The Trojan has the ability to record audio from the computer including any Skype calls in progress and store the files locally in an encrypted MP3 file, where they can later be transmitted to the attacker The Trojan, which http://www.secuobs.com/revue/news/136325.shtmlhttp://www.secuobs.com/revue/news/136325.shtml Secuobs.com : 2009-08-08 04:45:12 - Voice of VOIPSA - Recently multiple news outlets reported on Waterloo, Iowa s Black Hawk County 911 center s new SMS capability While this subject is not specifically VoIP security, considering the blending of communications methods and the importance of 911 call centers I figure that SMS in this context is fair game for a VOIPSA Blog post Several security implications http://www.secuobs.com/revue/news/129115.shtmlhttp://www.secuobs.com/revue/news/129115.shtml Secuobs.com : 2009-07-29 00:59:11 - Voice of VOIPSA - I ve recently been using Google Trends for some research, and find it an interesting tool for, well, trending Doing a Google Trends profile of VoIP Security shows an interesting tailing-off So what s the story Is this just another case of it s all the same, nobody cares in action http://www.secuobs.com/revue/news/125938.shtmlhttp://www.secuobs.com/revue/news/125938.shtml Secuobs.com : 2009-07-19 10:06:57 - Voice of VOIPSA - We all know the bad ugly truth Most people do not update their PBX software to handle the latest security vulnerabilities As long as your PBX can receive incoming client connections you are at risk Not because you have given your user weak user name password combinations, but because your PBX has a security http://www.secuobs.com/revue/news/122269.shtmlhttp://www.secuobs.com/revue/news/122269.shtml Secuobs.com : 2009-07-06 16:55:55 - Voice of VOIPSA - Last week we discovered that messages to the VOIPSEC mailing list werenot being distributed to all recipients Dave Endler has raised aticket with our hosting provider and hopes to have it resolved soonI’ll update the ticket here once I have more informationhttp://www.secuobs.com/revue/news/117186.shtmlhttp://www.secuobs.com/revue/news/117186.shtml Secuobs.com : 2009-07-02 00:09:03 - Voice of VOIPSA - This is a guest post from Andy Zmolek, Senior Manager, Security Planningand Strategy at Avaya, and past participant in VOIPSEC mailing listdiscussions and other VOIPSA activities Andy asked if I couldpublicize this because he believes it is a discussion which we in thesecurity community need to have Text by Andy Zmolek of http://www.secuobs.com/revue/news/116030.shtmlhttp://www.secuobs.com/revue/news/116030.shtml Secuobs.com : 2009-07-01 19:48:21 - Voice of VOIPSA - Our apologies for the outage of both this blog and the main VOIPSA website over the last weekend - and many thanks to all of you who wrotein to let us know We recently moved the site to a new hostingprovider and unfortunately it seems that in the initial move theyhttp://www.secuobs.com/revue/news/115911.shtmlhttp://www.secuobs.com/revue/news/115911.shtml Secuobs.com : 2009-06-04 07:58:30 - Voice of VOIPSA - Cisco Press and Patrick Park released, “Cisco: IP Communications, Voiceover IP Security” in the beginning of 2009 There is a good knowledgetransfer in this book for newcomers and I suspect a bit of review forseasoned practitioners Nonetheless, you’ll be given a nice primer toVoIP security from the packet level, all the http://www.secuobs.com/revue/news/105693.shtmlhttp://www.secuobs.com/revue/news/105693.shtml Secuobs.com : 2009-05-08 03:33:04 - Voice of VOIPSA - Two new versions of existing open source VoIP software were recentlyreleased and deserve mention Last week, the folks at SIPfoundryreleased the 40 version of their SIP server, sipXecs I don’t hear alot of talk about sipXecs so let me say a few things about it here: *it’s a great SIP software proxy/registrar package, with http://www.secuobs.com/revue/news/93343.shtmlhttp://www.secuobs.com/revue/news/93343.shtml Secuobs.com : 2009-04-29 15:31:27 - Voice of VOIPSA - On a lightning visit to the Infosec show in London, I chanced to meetwith Ari Takanen of Codenomicon fuzzing and quality assuranceexperts Ari has a new book out: “Fuzzing for Software SecurityTesting and Quality Assurance”, from Artech House, available atAmazoncom and as they say all good bookstores Of course, justbecause http://www.secuobs.com/revue/news/89866.shtmlhttp://www.secuobs.com/revue/news/89866.shtml Secuobs.com : 2009-04-27 02:48:37 - Voice of VOIPSA - /* Style Definitions */tableMsoNormalTable {mso-style-name:”Table Normal”;mso-tstyle-rowband-size:0; mso-tstyle-colband-size:0;mso-style-noshow:yes; mso-style-parent:”"; mso-padding-alt:0in 54pt0in 54pt; mso-para-margin:0in; mso-para-margin-bottom:0001pt;mso-pagination:widow-orphan; font-size:100pt; font-family:”Times NewRoman”; mso-ansi-language:#0400; mso-fareast-language:#0400;mso-bidi-language:#0400;} Verizon recently released its data breachreport for http://www.secuobs.com/revue/news/88438.shtmlhttp://www.secuobs.com/revue/news/88438.shtml Secuobs.com : 2009-04-21 15:22:45 - Voice of VOIPSA - Of course you can’t stop criminals from stealing mobile phones; they’resmall, they’re expensive and there are many channels online andoffline for selling the handsets on However, it should be possibleto make the things useless once stolen, to make resale difficult orimpossible, ultimately reducing the demand for theft The Design http://www.secuobs.com/revue/news/86036.shtmlhttp://www.secuobs.com/revue/news/86036.shtml Secuobs.com : 2009-04-10 18:32:43 - Voice of VOIPSA - I’m very pleased to say that the response has been great to my requestfor new contributors to this site and over the past few days I’vegiven author credentials to nine new authors They represent a greatrange in experience and geography A couple are seasonedVoIP/communication security professionals who have been around http://www.secuobs.com/revue/news/81986.shtmlhttp://www.secuobs.com/revue/news/81986.shtml Secuobs.com : 2009-04-07 08:49:59 - Voice of VOIPSA - Yes, indeed, the VoIP Security Alliance has joined the Twitterspherewith: http://twittercom/voipsa Feel free to follow us there if youare a Twitter user The primary reason we are on Twitter is so thatTwitter users can follow whatever blog posts we post here on the Voiceof VOIPSA blog We’ve noticed over time on other http://www.secuobs.com/revue/news/80446.shtmlhttp://www.secuobs.com/revue/news/80446.shtml Secuobs.com : 2009-04-06 17:18:07 - Voice of VOIPSA - Are you interesting in writing about VoIP security In providing updateson security news Product reviews Threat analyses Notes about recentsecurity advisories Would you like your writing to appear on thisblog As you have probably noticed, the frequency of our posting herein recent months has dropped a bit http://www.secuobs.com/revue/news/80038.shtmlhttp://www.secuobs.com/revue/news/80038.shtml Secuobs.com : 2009-03-31 21:47:32 - Voice of VOIPSA - This is a neat trick By doing a little up-front scanning and/orguesswork, an attacker can send an INVITE directly to a SIP useragent, causing the device to ring Then, when the user agent issuesthe BYE message to hang-up, the attacker can respond with a 407 Proxyauthorization required message, causing the endpoint http://www.secuobs.com/revue/news/77533.shtmlhttp://www.secuobs.com/revue/news/77533.shtml Secuobs.com : 2009-03-11 12:00:12 - Voice of VOIPSA - If you are a LinkedIn user as I am, there is now a “UC Security” groupthat you can join The description of the group is: UnifiedCommunications is blurring the boundaries between Voice, Video andData networks As such, security threats that used to be in islandsare now easily traversing across the network boundaries http://www.secuobs.com/revue/news/70040.shtmlhttp://www.secuobs.com/revue/news/70040.shtml Secuobs.com : 2009-02-26 22:17:43 - Voice of VOIPSA - As some of you may have noticed, our servers were offline for the past 24hours due to unforeseen circumstances It seems the recent globaleconomic turmoil has not left VOIPSA unscathed Turns out our hostingprovider was delinquent on paying their bills to their upstream datacenter provider Supposedly, the hosting provider’s management ishttp://www.secuobs.com/revue/news/65662.shtmlhttp://www.secuobs.com/revue/news/65662.shtml Secuobs.com : 2009-02-17 05:01:52 - Voice of VOIPSA - It appears that there is a new book out on VoIP security named, rathersimply, “Voice over IP Security“ It’s from Cisco Press and written bya Patrick Park I haven’t seen the book yet but ITworld has aninterview with the author Amazoncom of course has some user reviewsas well Good to http://www.secuobs.com/revue/news/62379.shtmlhttp://www.secuobs.com/revue/news/62379.shtml Secuobs.com : 2009-02-17 03:29:09 - Voice of VOIPSA - Over the past three years, we’ve covered at great length the case ofEdwin Pena and Robert Moore where Pena created a scheme where heapparently represented himself as a legitimate VoIP service provider -and then routed calls over other people’s networks When last we leftthe story, Pena’s co-conspirator Robert Moore was http://www.secuobs.com/revue/news/62333.shtmlhttp://www.secuobs.com/revue/news/62333.shtml Secuobs.com : 2009-01-23 15:55:00 - Voice of VOIPSA - If you will be in Miami at ITEXPO February 2-4 you are welcome to attenda free “SIP Trunking And Security” session I Dan York will be doingas part of Ingate Systems’ SIP Trunking Workshops The SIP trunkingworkshops are free to all attendees even if you only register for anexhibit pass My http://www.secuobs.com/revue/news/54484.shtmlhttp://www.secuobs.com/revue/news/54484.shtml Secuobs.com : 2009-01-20 22:06:56 - Voice of VOIPSA - Welcome to the 111th United States Congress On January 7th, the billthat never made it through the Senate in the last Congress has beenreintroduced as S 30, the Truth in Caller ID Act of 2009 It wasapparently read twice and referred to the Committee on Commerce,Science, and Transportation It’s now got http://www.secuobs.com/revue/news/53290.shtmlhttp://www.secuobs.com/revue/news/53290.shtml Secuobs.com : 2009-01-20 04:38:05 - Voice of VOIPSA - Back in August, the folks at Sipera’s VIPER Lab released a free testtool, XTest, that tests how well or not 8021X with EAP-MD5 protectsIP phones and the overall VoIP infrastructure You can get it athttp://xtestsourceforgenet/ And yes, I’ve been meaning to writeabout this since back in August… and was intending to http://www.secuobs.com/revue/news/53011.shtmlhttp://www.secuobs.com/revue/news/53011.shtml Secuobs.com : 2009-01-20 04:38:05 - Voice of VOIPSA - For those of you who may be used to reading this blog through the“Security Bloggers Network” set up originally by Alan Shimel, you needto be aware that the “SBN” is going through a transition As Alandetails on his blog, Google is in the process of shutting down the“Network” feature of Feedburner http://www.secuobs.com/revue/news/53010.shtmlhttp://www.secuobs.com/revue/news/53010.shtml Secuobs.com : 2009-01-20 04:38:05 - Voice of VOIPSA - Through a colleague of mine, Dan Burnett, I just learned about anupcoming W3C Biometrics workshop in March in California around thesubject of “Speaker Identification and Verification SIV” As Danwrites: To get more information from the knowledgeable public, W3C isholding a workshop to “identify and prioritize directions for SIVstandards work as a http://www.secuobs.com/revue/news/53009.shtmlhttp://www.secuobs.com/revue/news/53009.shtml Secuobs.com : 2009-01-20 04:38:05 - Voice of VOIPSA - If you are an Asterisk user, you should be aware that Digium has releasedAST-2009-001 Information leak in IAX2 authentication The descriptionis: IAX2 provides a different response during authentication when auser does not exist, as compared to when the password is merely wrongThis allows an attacker to scan a host to find specific http://www.secuobs.com/revue/news/53008.shtmlhttp://www.secuobs.com/revue/news/53008.shtml Secuobs.com : 2009-01-20 04:38:05 - Voice of VOIPSA - Score one for sanity Apparently the FBI believed that whileeavesdropping on the audio of a conversation required a warrant,capturing any DTMF transmissions sent during the call did not Fromthe CNet report: Just about everyone knows that the FBI must obtain aformal wiretap order from a judge to listen in on your phone http://www.secuobs.com/revue/news/53007.shtmlhttp://www.secuobs.com/revue/news/53007.shtml Secuobs.com : 2009-01-20 04:38:05 - Voice of VOIPSA - Our friend Craig Bowser recently pointed out that TMC will have aschedule of “Network Security” classes at the upcoming ITEXPO in Miamion February 4th The three classes are: Security Threat Mitigation inEnterprise UC Environments Securing the SIP Trunk VoIP Security BestPractices The companies involved are Acme Packet, Sipera andVoIPShield Systems, all of whom http://www.secuobs.com/revue/news/53006.shtmlhttp://www.secuobs.com/revue/news/53006.shtml