I attended and spoke at the summer VoiceCon. Voice/VoIP security was a big topic at the show and there were 2 tutorials, 1 panel, and 1 general session. David Endler of TippingPoint and I presented a general VoIP security tutorial on Monday the 20th. We had a decent turnout. I took the following picture of the room:
I also moderated a panel with David Endler and Krishna Kurapati of Sipera on Tuesday the 21st. Again, this session was well attended. The format involved me asking questions and then one or more of us providing answers (as opposed to using presentations). We left about 20 minutes for questions and got some good questions from the audience.
I also participated in the VoiceCon "Morning Call", where Eric Krapf spent 15 minutes discussing issues, including VoIP Security. This was a good opportunity to address the entire audience (although the session was at 8:00, so a lot of people were still in bed). Here are a couple of pictures from this session:
Here is a VoIP security course. I looked at the outline and it looks like they use a number of the tools we released with our book. I am sure there are other VoIP security courses out there. If anyone knows of any others, please send them to me and I will add a list to this blog.
Here is an article with an excerpt from a new VoIP security book. The article covers a summary taxonomy provided in the book, which the authors offer as superior to the VoIPSA Threat Taxonomy, because of its simplicity.
A key point here is how simple the attacks were. This wasn't a sophisticated VoIP attack, but rather exploitation of VoIP systems through some basic security issues, like bad passwords, unpatched systems, etc.