
Security Chipmunks
Episode 5 - Adventures in VOIP - Always be learning
Welcome to Security Chipmunks podcast where we talk about the development of cybersecurity skills. To stay up to date in today's world you need to be resilient, that’s why as Advanced Persistent Chipmunks we keep chipping away at it.
Today we are joined by special guest Barry Pittman.
Conference:
BSides Boulder
https://twitter.com/BSidesBoulder/status/1387473418526752768
https://www.eventbrite.com/e/bsides-boulder-2021-tickets-142039511001
June 12th FREE
Scholarship: Lockheed Martin Community STEM Education Scholarship
- Scholarship recipients are selected based on consideration of academic performance, demonstrated leadership and participation in school and community activities, work experience, a statement of career and educational goals and objectives, unusual personal or family circumstances and an outside appraisal.
- Preference will be given to applicants enrolled or planning to enroll at one of Lockheed Martin’s priority institutions. It is not mandatory to attend one of the priority institutions to be eligible for the scholarship.
Interview notes:
Primary Rate Interface (PRI)
https://en.wikipedia.org/wiki/Primary_Rate_Interface
Session Initiation Protocol (SIP)
https://en.wikipedia.org/wiki/Session_Initiation_Protocol
SIP Trunking
https://en.wikipedia.org/wiki/SIP_trunking
Time-division multiplexing (TDM )
https://en.wikipedia.org/wiki/Time-division_multiplexing
Private Branch Exchange (PBX)
https://en.wikipedia.org/wiki/Business_telephone_system#Private_branch_exchange
Cisco CallManager
https://www.cisco.com/c/en/us/products/unified-communications/unified-communications-manager-callmanager/index.html
Cisco training
https://www.cisco.com/c/en/us/training-events/training-certifications/certifications.html#~certifications
Avaya training
https://www.avaya.com/en/services/avaya-learning-services/
BroadSoft
https://en.wikipedia.org/wiki/BroadSoft
Direct Inward Dialing (DID)
https:/
Socials
- Join our Chipmunk community Discord server: https://discord.gg/9yfWP6evYQ
- Follow us on Twitter: https://twitter.com/SecChipmunk
- You can find us online at: https://securitychipmunks.com
Thank you.
SPEAKER_03:Welcome to Security Chipmunks podcast, where we talk about the development of cybersecurity skills. To stay up to date in today's world, you need to be resilient. That's why as advanced persistent chipmunks, we keep chipping away at it. My name is Meg Sedna Johnson. My co-host is Neil Smalley. And today we are joined by our special guest, Barry Pittman. Welcome, Barry.
SPEAKER_00:Hey, how you doing?
SPEAKER_03:I'm doing great. Glad to have you here.
SPEAKER_00:Awesome.
SPEAKER_03:Alright. So before jumping into the interview, we are going to talk about the conferences and some scholarships for our listeners. So today's conference that we are highlighting is the B-Sides Boulder Conference. It is happening on June 12th, and admission is free. It is an online conference, so make sure that you check that out. And the scholarship that we are highlighting is the Lockheed Martin Community STEM Education Scholarship. This is a vocational scholarship that you can use at community colleges and for certification programs. This scholarship is for recipients based on their, takes into consideration their academic performance, demonstrated leadership and participation in school and community activities, work experience, and statement of career and education. And preferences will be given to applicants enrolled or planning to enroll at one of Lockheed Martin's priority institutions. However, it is not mandatory to attend one of the priority institutions to be eligible for a scholarship.
SPEAKER_02:All right. So would you like to tell us a little bit about yourself, Barry, and what you do?
SPEAKER_01:I'm Barry Pittman. I am a voice network engineer by trade, and I've been doing that for going on 20 years now.
SPEAKER_03:Oh wow, that's really neat. What got you started in voice?
SPEAKER_01:It's kind of a weird story, actually. My late father had retired from AT&T back in the day, and the particular position that he had, at some point they had replaced him with another guy, obviously, when he retired. Well, that particular person unfortunately had to go out on a disability, and they needed to fill that position quickly. So they called my dad back and said, "Hey, you want to come out of retirement, go back to work?" and so on. And he's like, "Heck no, I'm enjoying retirement, I'm not going back to work." And they're like, "We have to have someone in this position immediately, anybody technically minded. Do you have any idea of someone?" Because I'm in a very rural state, so it's not always easy to find a tech person, especially 20 years ago. So anyway, he suggested me. Long story short, they called me, I interviewed, did some tests, got hired.
SPEAKER_03:Nice, okay. So your father did it, and then they needed somebody to step in, and you were there available. Right. And you like it?
SPEAKER_01:Yeah, yeah. Learned a lot. Actually, he taught me most of what I knew early on anyway.
SPEAKER_03:Oh, that's great.
SPEAKER_02:Very cool. So for the listeners who might not know, what is VoIP exactly and roughly how does it work?
SPEAKER_01:VoIP is another one of those many millions of IT acronyms. It's short for voice over IP, and basically it is how we communicate today. Pretty much just about any phone call these days at some point traverses an IP network to get from point A to point B, and at that point it's converted to IP, obviously, and therefore it's VoIP for some little segment along the way. Some networks are obviously VoIP end to end. You know, like where I work now, if I pick up the phone and call the guy two cubicles over, it's all VoIP. But if I call my wife's cell phone, it's obviously VoIP, then it gets converted to either a PRI or a SIP trunk, and then ultimately to the cellular, which is again another quasi-IP format.
SPEAKER_02:So definitely lots of different abbreviations I don't want to learn. Yep.
SPEAKER_03:All right. So with all of these networks using VoIP, what are some security issues that you come across using VoIP?
SPEAKER_01:Oh, there... There's a lot. Sometimes there is, sometimes there's not. In the early days before there was VoIP, we used basically a traditional TDM architecture that's actually still in use today in a lot of places. And it's very easy to basically wiretap a TDM architecture. A lot of places, I hate to name businesses, but there's a lot of restaurants out there that are chain restaurants that use what we call a hybrid analog/digital phone system, an old-school PBX. It's very easy, if you know what you're doing, to tap that or listen in on phone calls, especially if you can get to those little gray boxes hanging on the outside, like you usually have on your house, which are usually on businesses too. You can easily, even with an analog phone, tap onto that and listen to phone calls. So now we've got VoIP, which is over the IP network, but the fallacy within VoIP itself is that it uses UDP packets for most of the voice transmission. UDP packets are very easy to capture and very easy to trace, obviously, with something such as Wireshark. Well, depending on your system, some of those have encryption on it, some of them don't. Most of them are capable of being set up to use encryption. So if you're using a service or a provider, make sure when they set up your system that you're using encryption, or otherwise, if someone gets into your network, they can run a sniffer, capture some UDP packets, listen to your voice conversations, etc.
SPEAKER_03:Oh, wow.
SPEAKER_02:Very cool. Yeah, it's my understanding, or at least I've used Wireshark before, they have a plug-in that will actually let you play back captured calls.
SPEAKER_01:Yes.
SPEAKER_02:Yes.
SPEAKER_01:They do. So be wary. If you're on a VoIP network, you know, make sure it's secure before you go rattling off your credit card number to someone over the phone.
SPEAKER_03:Yeah.
SPEAKER_02:So if someone wants to learn more about this stuff, are there any good resources when you're getting started?
SPEAKER_01:Yeah, there's basic networking. I would start there. And the predominant players these days, obviously Cisco, they have Cisco Call Manager. Cisco has a pretty good suite of VoIP training. Another big contender is a company called Avaya, which formerly used to be Lucent Technologies, which formerly used to be AT&T, which is who I worked for at one time. And they're a big player in the VoIP market. And then we have what we call hosted services today, which is VoIP in the cloud. And probably the biggest player in that is BroadSoft. I actually think they got acquired by Cisco within the last couple of years. They have a very good product. It does work well, but there's a lot of resellers. So always be sure, if you go with that service, you know, do not be afraid to ask, "How are you setting this up for secure use?" Because again, you don't want some fly-by-night company selling you a service when they don't know what they're doing and are setting up something insecurely.
SPEAKER_03:Yeah. All right. So if somebody wanted to set up their own VoIP home lab, would they need to get some specialized hardware to do that?
SPEAKER_01:No, actually, you can get most of what you need for that off the shelf, and some people probably actually have it laying around their house. You know, you could take an old unused server and download something like, I think there's one called FreePBX, and load that. You could download that freely, put that on there, and just have a local network switch. And you could pick up a couple of very affordable, say, Polycom IP phones off of eBay and put them on there. Now, you would obviously need to have a PoE switch to power the phones over the network, or have the power bricks to plug into them.
SPEAKER_03:but
SPEAKER_01:i mean for very little money you could have two phones working on your desk pretty quick.
SPEAKER_02:That's my current project right now. I have an old desktop sitting under my desk. I slapped FreePBX on it, and then I have a Polycom I got off Amazon. It's used and it looks brand new, honestly.
SPEAKER_01:You probably don't have much tied up in it. In the early days, people would set up home labs and use something like Google Voice. I think Google has made some changes to that application, and it's a little harder to use now for something like that. There have been people who use something like MagicJack as a trunk for their VoIP service, you know.
SPEAKER_03:Okay, I haven't heard that name in a few years.
SPEAKER_01:Yeah.
SPEAKER_03:That used to be the late-night advertising to get your phone service with MagicJack. Okay, cool. So what are some trends that you're seeing in the telecom world, the VoIP world?
SPEAKER_01:Mainly a lot of this is going to the hosted service, to the cloud. Again, some of the stuff I work with lately has been going to a BroadSoft-based service. Again, it's in the cloud, but from what we could tell, it's basically being hosted on something like Amazon Web Services somewhere.
SPEAKER_03:Okay. All right.
SPEAKER_02:So shifting away a little bit from the work aspects, you're also a WGU student. How has it been juggling the work and the school?
SPEAKER_01:This was my first term. And actually, yesterday morning, I successfully completed my first class. So I'm kind of ecstatic right now. I'm like, yeah. So that first class was a big learning curve, because obviously I'm an older student. So the brain's not as fast as it used to be, or I don't think it is anyway, but my wife tells me otherwise. So, you know, there was the whole thing where anyone who gets a little age, I don't want to say, starts doubting whether they can do something that's dominated by a younger generation. Right. So there was this whole, "Can I actually do this?" But I have a great mentor there, and he's been very encouraging the whole time. And my instructor has been very encouraging. So I made it through the first class yesterday, passed my, I call it the final exam, they call it an objective assessment, but I passed that by a very good margin. So I'm excited to get started on my next class.
SPEAKER_03:Awesome. Good. Glad to hear that.
SPEAKER_01:Yeah.
SPEAKER_03:So what is the biggest challenge facing you right now?
SPEAKER_01:Basically, from a security standpoint, is making sure that that hosted service is secure. Because I'm one of those, I like to see my server. I want to know where it is. I want to be able to access it, not just over the network, but I want to physically approach and see that it's sitting there safely locked up in a rack. You know what I'm saying?
SPEAKER_03:Yeah.
SPEAKER_01:When something's in the cloud, you don't know. I mean, a salesperson could say, "Oh, it's cloud, it's safe." Yeah, but really? I mean, where is it? I can't see it. You can tell me that it's in a data center, you know, 17 states away or something, but I don't know that, right? So, you know, maybe that's a little oddity of mine, but I really like to know where their hardware sits, and I want to know if it's being shared by other businesses. I want to know, do I have a dedicated cloud? Is it a private cloud, a shared cloud? Exactly how much of the resource is shared?
SPEAKER_03:Yeah, no, that makes sense. Like if we think about Texas recently, if your server was in Texas, their electrical infrastructure has issues, right? So that's a consideration.
SPEAKER_02:I've been studying for various cloud classes, and they talk about basically third-party audits of cloud services. Are there any kind of VoIP third-party certifications to look out for?
SPEAKER_01:As far as VoIP, there's none that I'm aware of dedicated strictly to VoIP. We usually just go by the ones like you just said, a third-party, I call it a generic, certification.
SPEAKER_02:Gotcha.
SPEAKER_01:There are other security aspects, this being a security podcast, dealing with VoIP and PBX equipment. One of the things that stuck out in my mind was early on in my career, I was doing some work at a university. I won't say which one. But at that time, they had old-school PRI T1 circuits coming in. And over those circuits, they had what we call DID numbers, direct inward dialing. And that's a number that anyone can dial, and it rings straight to a specific phone, right? Like a dedicated number, almost. Well, when they were going through revitalizing some of the sorority buildings that had elevators, they unknowingly or unwittingly assigned DID numbers to the elevator phones on the elevators. Okay, that's okay, whatever. The thing is, within those elevators, those specific types of elevator phones that were in there, when you call them, they don't ring. It just goes live. And it's a speaker with a call button on it. So if you called it, the speaker just goes live. Whoever's in the elevator doesn't hear ringing. They didn't hear a tone. You're just there.
So I was at this university working, and one of the university technicians let it slip that, "Oh yeah, that elevator phone over there in the sorority houses, it has a DID number assigned to it." And I was like, "Oh, interesting, okay." So at some point somewhere down the line, someone would sit up on Friday or Saturday nights, call the elevator phone, and just let it sit there and listen to it. And at some point, college people being as they are, you would sometimes hear some inebriated college students getting onto the elevator, and they would be talking about whatever they did at the club, or who they hung out with, or what they thought about this guy or that guy. At which point some person who had called this elevator phone would, in a deep voice, say, "This is God. I know what you did, and I do not approve of it." At which point, when you heard the elevator door go ding and it opened, they would go screaming off the elevator. So civic service, that's what it was called at the time. Hey, trying to straighten them up, keep them on the straight and narrow. Oh my goodness.
SPEAKER_03:That's funny.
SPEAKER_01:Yeah, it actually is if you think about it. Imagine you're getting on the elevator and you're not knowing all of a sudden somebody's talking to you through a speaker and you're like, who is that?
SPEAKER_03:Yeah.
SPEAKER_02:Yeah, making sure those are hooked up is important as well.
SPEAKER_01:But that could be another security flaw too. Don't have DID numbers designated to specific internal devices that you don't want anyone outside of your facility to be able to call.
SPEAKER_03:Yeah.
SPEAKER_01:Absolutely.
SPEAKER_03:What are the best resources that have helped you along the way?
SPEAKER_01:Probably the training that the company that I used to work for sent me to, which was with their proprietary stuff, which was basically classes on the Avaya and the Lucent equipment and some of the older AT&T equipment. Then some Cisco stuff that's been very helpful, mainly on the networking side. Then my dad, my late father, he taught me so much about basic troubleshooting skills. Those apply to just about anything within the IT realm. If you've got basic troubleshooting skills, you can probably figure out just about anything.
SPEAKER_03:Yeah.
SPEAKER_01:Just know how to use logic, know how to do a rough root cause analysis, and you can figure something out.
SPEAKER_02:So with the way things are going in the VoIP realm, everything moving to the cloud, do you want to move more towards cloud stuff, or do you have a dream job that you want to transition to here?
SPEAKER_01:The industry is transitioning to the cloud. I don't necessarily want it to, but that's where it's going, right? You know, you can say I don't like heat, but summer's going to come every year. So you've got to deal with it, right? So yeah, it's going to the cloud, and I have been picking up some more cloud skills because, you know, as anyone within the IT realm knows, it's a constant learning process. You've got to stay with it or you're going to get left behind like yesterday. So the biggest hurdle for me is just trying to stay current with everything. And it's not too bad, but there's some pretty good resources out there. I review a lot of the free stuff on places such as Cybrary.it. Then there's, I mean, you could go on YouTube and there's some great, great content creators out there. And then there's great podcasts like this one, where I usually pick up something from just about every person on there and learn something, you know. But Strictly Security, The Cyber Mentor, he's been great. Again, Cybrary has been great. When I really want to think about something, maybe not specifically VoIP related, I'll listen to one of the generic, I call them generic, security podcasts where they tell a story about how someone got hacked or something. It always gets your brain thinking, right?
SPEAKER_02:Out of everything we've talked about in this episode, what would be your number one takeaway for our listeners?
SPEAKER_01:If you're going to be in this industry, whether it's VoIP or security as a whole or anything niche within IT: number one, stay focused. Two, keep an open mind. Three, always be willing to learn, because, again, it's constantly changing. What was current two, three years ago is already dated today. So you've got to be constantly learning. You've got to be constantly open-minded. Don't resist change, because it's coming. And whether you like it or not, if you don't, you're going to get left behind.
SPEAKER_02:Where can our listeners connect with you online?
SPEAKER_01:I'm on Twitter. It's Pittman underscore Barry. All right. Thank you so much. All right, thanks.
SPEAKER_03:Thank you for joining us.
SPEAKER_01:All right, no problem.
SPEAKER_03:So thanks for listening to the Security Chipmunks. And remember, if it seems overwhelming, just keep chipping away at it.