In the aftermath of the big and controversial voicemail hack starring the NOTW… wait – “controversial”, does anyone think this was OK? Anyway it’s our topic and we hope to gather some knowledgable people to chat about it including Tim Panton, Humbug Telecom’s Boaz Bechar, Truphone’s James Body, Dan York of Voxeo and anyone else ready to “testify”. Be there!

Video of the talking heads is here

Thanks to those who requested this on our mailing list! We have liftoff! (VoIP Security)

VoIP Abuse Project . J. Oquendo

“Arkeos is a program primarily used on Unix based servers running the Asterisk Open Source PBX. The application mimics a valid extension in which an attacker, after bruteforcing an account, attempts to place calls. What the attacker doesn’t know is that their calls go nowhere. The sole purpose of allowing them to perceive they have an account is to track them. Where they come from, what accounts they use, what VoIP account scanners they use, what numbers they try to dial. Because of the flexibility of Asterisk and Unix as a whole, the application does a lot more than stated however, I will not disclose too much otherwise any attackers reading this might catch on. Then I won’t have anyone to play with.”

Friday June 18th we will be extending our recent trend in discussing matters of VoIP security.  This call will feature Ken Kuenzel from Acme Packet. Acme Packet are the leading provider of “Session Border Controllers,” aka SBCs.

What’s an SBC? What does it do?  So glad you asked…as that’s just what we aim to find out on Friday!  Acme has uploaded a slide presentation to follow while listening.

In the mean time, and for the very curious among you, Acme Packet has some great background on the topic amongst their online articles and presentations.

Yes, there’s homework!

Acme products: session border controllers (SBC), session-aware load balancers (SLB), multiservice security gateways (MSG) and session routing proxies (SRP)—operate Acme Packet Net-Net OS.

Among others, Ward Mundy (Nerd Vittles, our guest next week) and many of the VUC regulars join in this violent argument civil discussion about who is responsible for filtering, where it should take place and the how and why of their ideas on the subject.

If you’re into SIP technology, you’ll want to hear this discussion about who should protect people from SIP “CallerID stuffing” among Ward Mundy, Fred Posner (VoIP Tech Chat), Tim Panton, Karl Fife, Leif Madsen and the rest of the great gang of VoIP regulars. This is why you need to join us LIVE every Friday!

Programmers differ enormously over who should filter incoming data and where. There is no right answer, although the main point is to protect your users against whatever possible attacks might come through your system or pbx.

Dan York’s name is certainly familiar to you if you’re a fan of VoIP. He has made a video to explain why he wrote this book. Dan’s credentials are strong and he’s an active community member. You’ve seen him in airports between conferences, or even at one of those Voxeo events.

Dan’s blog (perhaps we should say one of his many blogs) is Disruptive Telephony. Dan can be found on Twitter as @DanYork and he’s on Linkedin, Facebook, etc. Finding those links is left as an exercise for the enthusiastic student.

While I’m not sure what his current role there is, Dan is a part of another effort you should know about, the VoIP Security Alliance aka VOIPSA where he writes on the VOIPSA blog.

EC2 attacks continue with no help from them. Amazon continues its “head in the sand” approach to our community and this is unacceptable. Forgive the intrusion on this page, look below for the VUC sessions.

You can help push this to their attention:

Please make sure you keep this issue visible by voting it up on SlashDot. If you haven’t followed out discussions, see Fred’s story. Asterisk user mailing list has a lot of info on it as well. Post on Twitter, their robot stupidly repeats all comments that contain EC2 so don’t forget to use that mention in anything you post. Post on your blogs and any forums you can.

I expected better from Amazon and I’ll withdraw my significant business from them if they don’t rise up to the challenge.

LINKS

 Next scheduled session in your time zone
Freenode.net IRC web client, just add your pseudo and you're on #vuc
 VUC Google Group

  VUC linkedin group (business contacts)

Links mentioned in IRC Feb 5, 2010

[6:19pm] NerdUno: Here are some good OpenVPN tutorials: http://pbxinaflash.com/forum/showthread.php?t=4856
[6:21pm] steely_glint: ecrist - http://www.phonefromhere.com/vuc/
[6:31pm] ecrist: Why TCP Over TCP Is A Bad Idea:  http://sites.inka.de/~bigred/devel/tcp-tcp.html
[6:32pm] kfife:        http://www.packtpub.com/openvpn/book
[6:34pm] Zeeek:        http://www.linux4afrika.de/vision.html?L=0
[6:40pm] mfeilner:        http://www.linux-magazine.com/Issues/2009/99/SAFE-CALL
[6:41pm] mfeilner:        http://www.feilner-it.net
[6:42pm] mfeilner:        http://www.openvpn.eu
[6:43pm] mfeilner:        http://www.openvpn.eu/index.php?id=23&L=0

[7:39pm] Skibum: BTW more info on Bria 3 is available at: http://www.counterpath.com/bria.html
[8:00pm] mjgraves:        http://gigaset.com/chagall/provider/general/chagall223_02.bin
[8:21pm] JimCifarelli:        http://www.embeddedarm.com/about/resource.php?item=408

Part 2: Bria Tests and more

[audio:http://media.blubrry.com/winelover/recordings.talkshoe.com/TC-22622/TS-198844.mp3]

IRC Transcript 2009-03-27

SIP hacking has escalated and there was a wave of it in recent times. John Todd published a simple common sense set of rules that are worth reading. One of the main risk areas is using user names and secrets that are too easy to guess (such as extension 200, username=2000,password=wakeme).

More on SIP for Skype etc. That looks like it will be an ongiung discussion. See the session with Michael Robertson above.

We briefly reviewed a new book called Asterisk Gateway Interface 1.4 and 1.6 Programming. John Todd and /me have both been looking at it and we both think it looks good. Since the discussion, I’ve read more of it and I will talk more about it in a future session.

Amazon link (beer money!)
Asterisk Gateway Interface 1.4 and 1.6 Programming

We also mentioned AMOOCON where we can meet up for those of you who will be in Europe or are already there. I will be presenting two papers, one on VoicePHP and one on the VoIP community and various social networking tools.