Posts categorized "VoIP Security"

Mark Collier's "VoIP Security Blog" gets a new makeover...

As I noted in my Voice of VOIPSA post today, Mark Collier (of hackingvoip.com fame) took some time in December to give www.voipsecurityblog.com a graphical makeover. He's got a cute new header image and an updated picture of himself. Although, Mark, I really have to say... you are violating the security "code of dress"! Don't you know that all good security people are supposed to wear black? Preferably a black turtleneck? Come on, now, you're going against the motif!

Ah, well... in any event, if you haven't checked out Mark's blog, it's a good one... even if he is wearing white. :-)



Quoted in VoIP News: "How Secure are your VoIP Calls?"

As I wrote over at Voice of VOIPSA, I was quoted in an article out today at VoIP News: How Secure Are Your VoIP Calls? The Voice of VOIPSA post has my (generally positive) reaction.



Blue Box Podcast #47 is now live... VoIP security hype, governments blocking Skype, SANS and VoIP training, more...

Blue Box Podcast #47 is now available for download. In this show, Jonathan and I talk about some of the recent articles and reports hyping VoIP security, recent comments from SANS about the need for better VoIP security training, moves by the Indian government to block Skype and other VoIP services and much, much more. Tons of listener comments in this show... probably the most we've ever had. See the show notes for all the links and info.



Ken Camp: "I've been Blueboxed"

(Originally posted at http://dyork.livejournal.com/257414.html)

Finally getting caught up on content recorded for Blue Box, I finished up on Monday night the interview I did with Ken Camp out at Internet Telephony in San Diego and posted the interview today. Ken responded with his post: "I've been Blueboxed", which gave me a laugh because I don't think I've ever seen the show name used as a verb before!

 



Techtionary.com provides animated "SIP Essentials" tutorial...

(Originally posted at http://dyork.livejournal.com/256998.html)

Tom Cross over at Techtionary.com dropped a note to let me know that his team had released a 'fastcast' on the topic of "SIP Essentials". Not having a clue what a "fastcast" was, I found the answer in Tom's news release:

Fastcasts are fast-track audio/video animated 10-60 second advertorials for web, webseminar, PC and iPod formats.

Not sure how much traction the word will really get, but there you have it. Tom's SIP tutorial looked quite interesting in the bit that I explored, with sections on:
  • SIP Basics
  • SIP Trunking
  • SIP QoS
  • SIP Firewalls and Security
  • SIP Applications
  • SIP TCO-Total Cost of Ownership
  • Integrated/Converged Access
  • Key VoIP Options – IAS, Hosted, Managed
  • SIP Total Tutorial with Future Outlook

(Gee, any guesses as to which one I chose first?) Clicking each link takes you to a flash-based tutorial with audio and animation. The ones I looked at were quite good. A nice contribution to the education around SIP... and definitely good for folks trying to figure out what SIP is all about.

Tom's making it available at no cost right now so I'd recommend people check it out.

Just one note of caution... once you enter one of the tutorials, you do need to listen to all of the audio for a page before pressing "Next". If you simply press the Next button to move through the slides, you suddenly find yourself with multiple streams of audio all mashing on top of each other! (And yes, this is the voice of experience writing this...) Kind of neat if you need the effect of people talking over each other, but not terribly helpful otherwise. Outside of that issue, I found the sessions quite useful. (At least, the ones I went through... I did not go through them all yet.)



Confirmed to speak at O'Reilly's Emerging Telephony conference, Feb 27 - Mar 1, 2007, San Francisco

(Originally posted to http://dyork.livejournal.com/254735.html)

Just confirmed late last week that I'll definitely be speaking at O'Reilly's Emerging Telephony Conference (aka "ETel") this coming February 27 - March 1, 2007 in San Francisco. The topic I will be speaking on will, of course, be VoIP security. Two sessions, actually... one a 15-minute plenary session providing an overall view of VoIP security and then the second a 90-minute workshop going into much more detail, providing info about security tools, best practices and much more. Both, of course, will be later put out as part of Blue Box. Should be a lot of fun, and given that it's in the SF area, I'll probably be able to pull Jonathan Zar in as well, which would be cool. Now I just need to put up a picture, bio and session abstracts...

As I've said to a number of folks, ETel 2006 was one of the very best out of all the conferences that I attended all year. No real trade show... just conference sessions full of the "alpha geeks" that O'Reilly conferences tend to attract. People really on the bleeding edge of trying out new and different things with telephony. They had a "fair" at one point that showcased startups that were doing really wacky things... it was all great stuff. Definitely a place to meet the people pushing the true leading edge of IP telephony. Here's a brief part of the promotional material:

ETel captures and telegraphs the excitement around ahead-of-the-curve telephony technologies, bringing together all layers of the telephony community to compare and contrast web telephony technology, business, and culture in a collaborative, spirited environment. ETel highlights the people, projects, and activities pushing the boundaries of what's possible with IP telephony. ETel provides a map of the evolving telephony horizon and gives you the charts you need to navigate the new communication opportunities ahead.

If you are interested in the bleeding edge of telephony, definitely check out the conference.

 



"Hacking Exposed VoIP" book from McGraw-Hill has a podcaster review quote (mine) on front cover

(Originally posted at http://dyork.livejournal.com/253120.html)

If you look at the front cover of "Hacking Exposed VoIP" (either click on the small image to the right or follow this link), you will see a review quote from a certain someone:

"If you are a security professional charged with protecting a network infrastructure that includes VoIP, you definitely must read this book! Failure to do so will seriously put your VoIP systems - and your network - at risk!"
-Dan York, Producer and Co-Host, Blue Box: The VoIP Security Podcast

McGraw-Hill left out the first part of what I sent them, namely "This is a dangerous book.". (UPDATE: The full quote is on the first page inside the book.) It is a dangerous book, really, because Dave and Mark have brought into one book an amazing amount of information that previously was only found through diligent searching of many places. I stand by my quote - security professionals responsible for the security of VoIP systems really do need to read this book!

On a different note, I have to wonder if this is the first time a review quote from a podcaster has appeared on a published book that does not have anything to do with social media. Quotes from podcasters have been on books about podcasting... and perhaps books on blogging (I don't know, but I could see them there). But I wonder how many review quotes from podcasters have been on books in other fields. There is no way to easily find this info, of course, so I have no clue. Perhaps this book is among the first to feature a podcaster (maybe even the first)... perhaps not. The only reason I mention it is that it really becomes just one more sign of the rise in the recognition of podcasting and podcasters. Cool to see.

Meanwhile, if you are dealing with VoIP security, you really should buy the book. (And no, I don't receive any income or a kickback for promoting the book. I just think it is an extremely good book.)

 



VoIP News in Australia picks up on VOIPSA Best Practices...

(Originally posted to http://dyork.livejournal.com/251845.html)

I do not know precisely why, but the Australian VoIP media seems to pick up a lot of good news items about VoIP security. If you take a look at any Blue Box episode, you'll often see that many of the news items we talk about come from Down Under. I don't know why, but they seem to have security as a partial focus. It's great to see and they are a very good source of news. One site there, VoIP News, is also the only one I've really seen to write a post about the VOIPSA Best Practices Project. We weren't really expecting people to write about it on news sites... the launch is really more low-key and we didn't do any active PR beyond blog posting and sending to email lists. Now, when we have the finished product, that will be a different story.

Of course, to finish one must first start... hopefully later today... just in time for me to start travelling for a week!

In the meantime, it's great to see this VoIP News site writing about us... I've seen several subscriptions already today from Australia.



The Register - "VoIP - open season for hackers"

(Originally posted at http://dyork.livejournal.com/250114.html)

As I wrote about over on Voice of VOIPSA, the Register posted an article yesterday "VoIP - open season for hackers". The article is mostly good PR by a security company promoting itself and doesn't really seem to add anything brilliantly new to what we've already known in the VoIP security field... but the fact that it's posted in the Register pretty much guarantees high visibility.

Another good reason for VOIPSA to get the Best Practices document done soon...



VOIPSA best practices mailing list growing fast...

(Originally posted at http://dyork.livejournal.com/250011.html)

Publicity helps, of course. Start talking about something and the people start signing up. Overnight the VOIPSA "best practices" mailing list has grown from 26 to 65 subscribers, with more subscription notices coming in each time I look at my email. This certainly reflects the way I distributed the word... I'm sure many people, myself included, route the VOIPSEC mailing list into a folder where they read it when they can. Or at least they read other messages before that of a "mailing list". So I expect I'll continue to see subscriptions coming in over the next couple of days.

As the mailing list administrator, I naturally receive the subscription notifications and I have to say that there are some pretty impressive people and companies among those who have subscribed. I think we now have one or more representatives of basically all of the major IP-PBX vendors, a good number of security vendors, universities, US government agencies, a few financial institutions (good to have, given the natural security paranoia of banks)... plus a whole host of people that are using various Gmail, Yahoomail, etc. addresses that give nothing away about their identity. (I would expect nothing less from a group of security professionals! :-) Good number of folks participating from companies around the world. Knowing the caliber of some of the people who have signed up thus far, I'll admit that it could be a bit intimidating.... luckily, for better or worse, I've never been accused of a lack of self-confidence. :-)

A lack of time is a different issue, though, but it looks like things are okay to the point where I can spend the afternoon putting the last pieces together in the wiki to be able to start a discussion tomorrow. We'll see...
