voipsec
MD5 digests and rogue SSL certs - Re: Anyone at the 25th Chaos Communications Congress in Berlin and interested in doing some writeups for the VOIPSA blog?
Johansson Olle E: MD5 digests and rogue SSL certs - Re: Anyone at the 25th Chaos Communications Congress in Berlin and interested in doing some writeups for the VOIPSA blog?:
On 30 Dec 2008, at 17:54, Dan York wrote:

[...]

Yes, many old-bell-type carriers trust IP address as authentication
and don't support even the digest auth...

The question remains: How can we in the SIP protocol support switching
to SHA digest auth? [...]
Category: Security News
MD5 digests and rogue SSL certs - Re: Anyone at the 25th Chaos Communications Congress in Berlin and interested in doing some writeups for the VOIPSA blog?
Dan York: MD5 digests and rogue SSL certs - Re: Anyone at the 25th Chaos Communications Congress in Berlin and interested in doing some writeups for the VOIPSA blog?: Olle,

On Dec 30, 2008, at 11:20 AM, Johansson Olle E wrote:

[...]

Yes, I saw tweets from http://twitter.com/security4all that were
talking about this presentation (I assume) as it was occurring.
Sounded quite interesting (and scary).

[...]

Right... [...]
Category: Security News
Anyone at the 25th Chaos Communications Congress in Berlin and interested in doing some writeups for the VOIPSA blog?
Johansson Olle E: Anyone at the 25th Chaos Communications Congress in Berlin and interested in doing some writeups for the VOIPSA blog?:
On 30 Dec 2008, at 16:55, Dan York wrote:

[...]

I just heard that a group was using vulnerabilities in MD5 to crack
SSL by using rogue certificates.

It's really high time to move away from MD5 digests in SIP - the
problem is how to use another algorithm in the HTTP digest challenge/
response. [...]
Category: Security News
Anyone at the 25th Chaos Communications Congress in Berlin and interested in doing some writeups for the VOIPSA blog?
Dan York: Anyone at the 25th Chaos Communications Congress in Berlin and interested in doing some writeups for the VOIPSA blog?: VOIPSEC readers,

Are any of you at the 25th Chaos Communication Congress this week in
Berlin, Germany? http://events.ccc.de/congress/2008/

If so, would you be interested in writing up any posts about some of
the news coming out of the event for the VOIPSA weblog at http://www.voipsa. [...]
Category: Security News
help
Christopher M. King: help:
[...]

(http://www.ipcom.at/index.php?id=565)

[...]

RFC 4474 solves a different problem.

Digest authentication will be used to authenticate the user to the
service provider's proxy.

RFC 4474 allows authenticating requests between domains, unless you
deploy client certificates. [...]
Category: Security News
Voipsec Digest, Vol 48, Issue 12
Klaus Darilion: Voipsec Digest, Vol 48, Issue 12:
[...]

RFC 4474 solves a different problem.

Digest authentication will be used to authenticate the user to the
service provider's proxy.

RFC 4474 allows authenticating requests between domains, unless you
deploy client certificates.

regards
klaus
[...]
Category: Security News
Voipsec Digest, Vol 48, Issue 12
Bggdg at aol.com: Voipsec Digest, Vol 48, Issue 12:
In a message dated 12/29/2008 6:05:20 A.M. Central Standard Time,
voipsec-request at voipsa.org writes:

http://www.ipcom.at/index.php?id=565

Would RFC 4474 not provide a far more secure authentication than the [...]
Category: Security News
[Voptalk] U.S. not ready for cyber attack
Peter Thermos: [Voptalk] U.S. not ready for cyber attack:
[...]

There is always the tendency to sensationalize these types of reports, and they can
be viewed from different angles.
Unfortunately there is no public disclosure to understand the areas that
were reviewed, scenarios and methodology.
Category: Security News
Mass scan in search of Open SIP devices for Telephone fraud?
Peter Thermos: Mass scan in search of Open SIP devices for Telephone fraud?: Fabio, see the link below on a case that had similar characteristics.

http://www.nytimes.com/2006/06/08/technology/08voice.html?_r=1&hp&ex=1149739200&en=8dd3cc2b5a48c640&ei=5094&partner=homepage

Peter

[...]
Category: Security News
U.S. not ready for cyber attack
Peter Thermos: U.S. not ready for cyber attack:
[...]

Indeed, this is mostly related to cyberwarfare and converged networks are
(or at least should be) part of this.

My question is geared towards carrier environments since Telecommunications
is considered part of the National Critical Infrastructure (tier 1) and many [...]
Category: Security News
U.S. not ready for cyber attack
Alex Eckelberry: U.S. not ready for cyber attack: There are some valid points here, but a lot of it is overblown hysteria.
Incidentally, I think if you talk to people in Estonia, the situation
over there was also way overblown in the media.

The good news for vendors is that "billions of dollars" is being
proposed to upgrade infrastructure. [...]
Category: Security News
Mass scan in search of Open SIP devices for Telephone fraud?
Hendrik Scholz: Mass scan in search of Open SIP devices for Telephone fraud?: Hi!

Fabio Pietrosanti (naif) wrote:

[...]

What kind of information are you looking for?
I believe most ISPs won't disclose this in full without being asked
specific questions.

[...]

Do you have a fingerprint (User-Agent, order of headers, specific broken
things)? [...]
Category: Security News
Mass scan in search of Open SIP devices for Telephone fraud?
Fabio Pietrosanti (naif): Mass scan in search of Open SIP devices for Telephone fraud?: Hi all,

does anyone have information on telephone fraud conducted by mass
scanning Internet IP address space?

I got several SIP mass scans on my networks and I expect them to be part
of some wider mass scan.

The question is: why are they doing mass SIP scans? How do they conduct the
fraud? [...]
Category: Security News
U.S. not ready for cyber attack
Peter Thermos: U.S. not ready for cyber attack: For those that haven't seen this.

I'm not sure there is additional information or a report that has been
published but the story paints a bleak picture.

"...Dire consequences of a successful attack could include failure of
banking or national electrical systems..."
http://uk.reuters. [...]
Category: Security News
sipautohack - video demo
Shawn Merdinger: sipautohack - video demo: fyi,

http://enablesecurity.com/2008/12/17/demontration-of-sipautohack/

Courtesy of Sandro Gauci of http://enablesecurity.com

Cheers,
Category: Security News
AST-2008-012: Remote crash vulnerability in IAX2
Dan York: AST-2008-012: Remote crash vulnerability in IAX2: VOIPSEC readers,

Just to weigh in on this from a VOIPSA point-of-view... we strongly
encourage companies to post VoIP-security-related advisories to this
mailing list. So we welcome the posts from the folks at Digium and do
encourage them to continue posting their security advisories to this
list.

We welcome anyone else to post security advisories to this list as
well (provided, of course, they are related to VoIP security in some
way and are not just general IT security advisories).

Regards,
Dan

On Dec 14, 2008, at 1:58 PM, Security Officer wrote:

[...]

Dan York, CISSP, Director of Emerging Communication Technology
Office of the CTO Voxeo Corporation dyork at voxeo.com
Phone: +1-407-455-5859 Skype: danyork http://www.voxeo.com
Blogs: http://blogs.voxeo.com http://www.disruptivetelephony.com

Build voice applications based on open standards.
Find out how at http://www.voxeo.com/free
Category: Security News
AST-2008-012: Remote crash vulnerability in IAX2
Security Officer: AST-2008-012: Remote crash vulnerability in IAX2:
[...]

Uh, it's a security advisory. As in, there's something wrong, that people
should know about, so we publish it widely. If you do not publish the same
for your own software, probably most of the members of this (and every other)
security community would encourage you to start doing so. [...]
Category: Security News
