Episode Transcript
Available transcripts are automatically generated. Complete accuracy is not guaranteed.
UNKNOWN (00:00):
Thank you.
SPEAKER_03 (00:08):
Welcome to Security
Chipmunks podcast, where we talk
about the development of cybersecurity skills.
To stay up to date in today's world, you need to be resilient.
That's why as advanced persistent chipmunks, we keep
chipping away at it.
My name is Meg Sedna Johnson.
My co-host is Neil Smalley.
(00:28):
And today we are joined by our special guest, Barry Pittman.
Welcome, Barry.
SPEAKER_00 (00:34):
Hey, how you doing?
SPEAKER_03 (00:36):
I'm doing great.
Glad to have you here.
SPEAKER_00 (00:38):
Awesome.
SPEAKER_03 (00:42):
Alright.
So before jumping into the interview, we are going to talk
about the conferences and some scholarships for our listeners.
So today's conference that we are highlighting is the B-Sides
Boulder Conference.
It is happening on June 12th, and admission is free.
(01:04):
It is an online conference, so make sure that you check that
out.
And the scholarship that we are highlighting is the Lockheed
Martin Community STEM Education Scholarship.
This is a vocational scholarship that you can use at community
colleges and for certification programs.
(01:27):
This scholarship is for recipients based on their, takes
into consideration their academic performance,
demonstrated leadership and participation in school and
community activities, work experience, and statement of
career and education.
And preferences will be given to applicants enrolled or planning
(01:50):
to enroll at one of Lockheed Martin's priority institutions.
However, it is not mandatory to attend one of the priority
institutions to be eligible for a scholarship.
SPEAKER_02 (02:03):
All right.
So would you like to tell us a little bit about yourself,
Barry, and what you do?
SPEAKER_01 (02:10):
I'm Barry Pittman.
I am a voice network work engineer by trade and I've been
doing that for going on 20 years now
SPEAKER_03 (02:19):
oh wow that's really
neat what got you started in
voice uh
SPEAKER_01 (02:28):
uh It's kind of, it
was a weird story actually.
Um, my, my dad, my late father had retired from, uh, AT&T back
in the day and the particular position that he had, uh, at
some point they had replaced him with another guy, obviously when
he retired.
Well, that particular person, unfortunately had to go out on a
(02:50):
disability and they needed to fill that position quickly.
So they called my dad back and said, Hey, you want to come out
of retirement, go back to work, blah, blah, blah.
And he's like, heck no I'm enjoying retirement I'm not
going back to work and they're like we have to have someone in
this position immediately anybody technically minded you
know do you have any idea of someone because you know I'm in
(03:12):
a very rural state and so it's not always easy to find a tech
person especially 20 years ago so anyway he suggested me long
story short they called me and I interviewed did some tests got
hired
SPEAKER_03 (03:27):
nice okay So your
father did it and then they
needed somebody to step in and you were there available.
Right.
And you like it?
SPEAKER_01 (03:39):
Yeah, yeah.
Learned a lot.
Actually, he taught me most of what I knew early on anyway.
SPEAKER_03 (03:46):
Oh, that's great.
SPEAKER_02 (03:49):
Very cool.
So for the listeners who might not know, what is VoIP exactly
and roughly how does it work?
SPEAKER_01 (03:55):
VoIP is another one
of those many millions of IT
acronyms is short for voice over IP and basically it is how we
communicate today pretty much just about any phone call these
days at some point traverses an IP network to get from point
(04:15):
A to point B and at that point it's converted to IP obviously
and therefore it's VoIP it's some little segment along the
way some networks are obviously VoIP end to end you know like
where I work now if I pick up the phone and call the guy two
cubicles over it's all VoIP but if I call my wife's cell phone
it's obviously VoIP then it gets converted to either a PRI or a
(04:39):
SIP trunk and then ultimately to the cellular which is again
another quasi IP format
SPEAKER_02 (04:45):
so definitely lots
of different abbreviations I
don't want to learn yep
SPEAKER_03 (04:50):
All right.
So with all of these networks using VoIP, what are some
security issues that you come across using VoIP?
SPEAKER_01 (05:00):
Oh, there...
There's a lot.
Sometimes there is, sometimesthere's not.
In the early days before there was VoIP, we used basically a
traditional TDM architecture that's actually still in use
today in a lot of places.
And it's very easy to basically wiretap a TDM architecture.
(05:20):
A lot of places, I hate to name businesses, but there's a lot of
restaurants out there that are chain restaurants that use what
we call a hybrid analog digital phone system, old school PBX.
It's very easy if you know what you're doing to tap that or
listen in on phone calls, especially if you can get to
those little gray boxes hanging on the outside like you have
(05:43):
usually on your house, which are usually on businesses too.
You can easily, even with an analog phone, tap onto that and
listen to phone calls.
So now we've got VoIP, which is over the IP, over the IP
network, but the fallacy within VoIP itself is that it uses UDP
packets for most of the voice transmission.
UDP packets are very easy to capture and very easy to trace
(06:04):
obviously with something such as Wireshark well depending on your
system some of those have encryption on it some of them
don't some of them are most of them are capable of being set up
to be used encryption so if you're using a service or a
provider make sure when they set up your system that you're using
encryption or otherwise someone checks into your network they
(06:27):
can run a sniffer capture some UDP packets listen to your voice
conversations etc Oh,
SPEAKER_03 (06:33):
wow.
SPEAKER_02 (06:34):
Very cool.
Yeah, it's my understanding, or at least I've used Wireshark
before, they have a plug-in that will actually let you play back
captured calls.
SPEAKER_01 (06:43):
Yes.
SPEAKER_02 (06:43):
Yes,
SPEAKER_01 (06:44):
they do.
So be wary.
If you're on a VoIP network that you know, make sure it's secure
before you go rattling off someone your credit card number
over the phone.
SPEAKER_03 (06:54):
Yeah.
SPEAKER_02 (06:55):
So if someone wants
to learn more about this stuff,
are there any good resources when you're getting started?
SPEAKER_01 (07:03):
Yeah, there's basic
networking.
I would start there.
And like predominant players these days, obviously Cisco,
they have Cisco Call Manager.
Cisco has a pretty good suite of VoIP training.
Another big contender is a company called Avaya, which
formerly used to be Lucent.
(07:23):
technologies, which formerly used to be AT&T, which is who I
worked for at one time.
And they're a big player in the VoIP market.
And then we have what we call hosted services today, which is
VoIP in the cloud.
And probably the biggest player in that is probably Broadsoft.
I actually think they got acquired by Cisco within the
(07:45):
last couple of years.
They have a very good product.
It does work well, but there's a lot of resellers.
So always be sure if you go with that service you know do not be
afraid to ask and you know how are you setting this up for
secure use you know because again you don't want some
fly-by-night company selling you a service and they don't know
what they're doing and setting up something insecurely
SPEAKER_03 (08:08):
yeah all right so if
somebody wanted to set this set
up their own VoIP home lab wouldthey need to get some
specialized hardware to do that
SPEAKER_01 (08:17):
no actually you can
get most of what you need for
that you could probably get off the shelf and some people
probably actually have it laying around their house.
You know, you could take an old unused server and download
something like I think there's a one called FreePBX and load
that you could download that freely put that on there and
just have you a local network switch and you could pick up a
(08:40):
couple like very affordable say Polycom IP phones off of eBay
and put on there now you would obviously need to have a PoE
switch to power the phones over the network or have the power
bricks to plug into them
SPEAKER_03 (08:54):
but
SPEAKER_01 (08:54):
i mean for very
little money you could have two
phones working on your desk pretty quick.
SPEAKER_02 (09:00):
That's my current
project right now.
I have an old desktop sitting under my desk.
I slapped FreePBX on and then I have a Polycom I got off Amazon.
I used one and it looks brand new, honestly.
You
SPEAKER_01 (09:16):
probably don't have
much tied up in it.
In the early days, people would set up home labs and use
something like Google Voice.
I think Google has made some changes to that application and
it's a little harder to use now for something like that.
There's been people who usesomething like MagicJack as a
(09:37):
trunk for their VoIP service, you
SPEAKER_03 (09:39):
know.
Okay, I haven't heard that name in a few
SPEAKER_01 (09:41):
years.
Yeah,
SPEAKER_03 (09:46):
that used to be the
late night advertising to get
your phone service with MagicJack.
Okay, cool.
So what are some trends that you're seeing in the telecom
world?
the VoIP world?
SPEAKER_01 (09:59):
Mainly a lot of this
is going to the hosted service,
to the cloud.
Again, some of the stuff I work with lately has been going to a
Broadsoft-based service.
Again, it's in the cloud, but from what we could tell, it's
basically being hosted like on an Amazon web service somewhere.
SPEAKER_03 (10:16):
Okay.
All right.
SPEAKER_02 (10:18):
So shifting away a
little bit from the work
aspects, you're also a WGU student.
How has it been juggling the work and
SPEAKER_01 (10:29):
the school?
This was my first term.
And actually yesterday morning, I successfully completed my
first class.
So I'm kind of like, I'm kind of like ecstatic right now.
I'm like, yeah.
So there was, yeah, that, that first class was a big learning
curve because obviously I'm an older student.
So the brain's not as fast as it used to be, or I don't think it
(10:50):
is anyway, but my wife tells me otherwise.
So, you know, there was the whole, you know, anyone who gets
a little age, I don't want to start doubting themselves if
they can do something that's dominated by a younger
generation.
Right.
So there was this whole, can I actually do this?
But I had, I have a great mentor there and he's been very
(11:12):
encouraging the whole time.
And my instructor has been very encouraging.
So I made it to the first class yesterday, passed my, I call it
the final exam.
They call it an objective assessment, but I passed that by
a very good margin.
So I'm excited.
I'm just, to get started on my next class.
Awesome.
SPEAKER_03 (11:31):
Awesome.
Good.
Glad to hear that.
SPEAKER_01 (11:34):
Yeah.
SPEAKER_03 (11:35):
So what is the
biggest challenge facing you
right now?
SPEAKER_01 (11:38):
Basically, from a
security standpoint, is making
sure that that hosted service is secure.
Because I'm one of those, I like to see my server.
I want to know where it is.
I want to be able to access it, not just over the network, but I
want to physically approach and see that it's sitting there
(11:59):
safely locked up in a rack.
You know what I'm saying?
SPEAKER_03 (12:02):
Yeah.
SPEAKER_01 (12:04):
When something's in
the cloud, you don't know.
I mean, a salesperson could say, oh, it's cloud, it's safe.
Yeah, but really?
I mean, where is it?
I can't see it.
You can tell me that it's in the data center, you know, 17 states
away or something, but I don't know that, right?
So, you know, maybe that's a little oddity of mine, but I
(12:26):
really like to know where their hardware sits and I want to know
if it's being shared by other businesses I want it you know do
I have a dedicated cloud is it a private cloud shared cloud
exactly how much the resource isshared
SPEAKER_03 (12:44):
yeah no that makes
sense like if we think about
like Texas recently your server was in Texas their electrical
infrastructure has issues rightso that's a consideration I've
SPEAKER_02 (12:59):
been studying for
various cloud classes and they
talk about basically third-party audits of cloud services.
Are there any kind of VoIP third-party certifications to
look out for?
As
SPEAKER_01 (13:12):
far as the VoIP,
there's none that I'm aware of
dedicated strictly to VoIP.
We usually just go by the ones like you just said, a
third-party, I call it a generic certification.
SPEAKER_02 (13:24):
Gotcha.
SPEAKER_01 (13:25):
There are other
security aspects This being a
security podcast dealing with VoIP and PBX equipment.
One of the things that stuck out in my mind was early on in my
career, I was doing some work at a university.
I won't say which one.
But at that time, they had old school PRI T1 circuits coming
(13:49):
in.
And over those circuits, they had what we call DID numbers,
direct inward dialing.
And that's a number that anyone can dial and it rings true.
straight to a specific phone, right?
Like a dedicated number almost.
Well, when they were going through revitalizing some of the
sorority buildings that had elevators, they unknowingly or
(14:13):
unwittingly assigned DID numbers to the elevator phones on the
elevators.
Okay, that's okay, whatever.
The thing is, within those elevators, those specific type
of elevator phones that were in there, when you call it, it
doesn't ring.
It just goes live.
And it's a speaker with a call button on it.
(14:35):
So if you used to call it, the speaker just goes live.
Whoever's in the elevator doesn't hear ringing.
They didn't hear a tone.
You're just there.
So I was at this university working and one of the
university technicians let it slip that, oh yeah, that
elevator phone over there in the sorority houses, it has a DID
(14:58):
number assigned to it and I was like oh interesting okay so at
some point somewhere down the line someone would sit up on
Friday or Saturday nights call the elevator phone and just let
it sit there and listen to it and at some point college people
being as they are you would hear sometimes some inebriated
(15:20):
college students getting onto the elevator and they would be
talking about whatever they did at the club or who they hung out
with or what they thought about this guy or that guy at
which point some person who had ever called this phone this
elevator phone would in a deep voice say this is God I know
what you did and I do not approve of it at which point
(15:43):
when you heard the elevator door go ding it opened they would go
screaming off the elevator so civic service that's what that's
what it was called at the time hey trying to straighten them up
keep them on straight and narrow oh my goodness
SPEAKER_03 (15:57):
That's funny.
SPEAKER_01 (15:59):
Yeah, it actually is
if you think about it.
Imagine you're getting on the elevator and you're not knowing
all of a sudden somebody's talking to you through a speaker
and you're like, who is that?
SPEAKER_03 (16:07):
Yeah.
SPEAKER_02 (16:10):
Yeah, making sure
those are hooked up is important
as well.
SPEAKER_01 (16:14):
But that could be
another security flaw too.
Don't have DID numbers designated to specific internal
devices that you don't want anyone outside of your facility
to be able to call.
SPEAKER_03 (16:27):
Yeah.
SPEAKER_01 (16:27):
Absolutely.
SPEAKER_03 (16:28):
What are the best
resources that have helped you
along the way?
SPEAKER_01 (16:33):
Probably the
training that the company that I
used to work for sent me to,
SPEAKER_03 (16:37):
which
SPEAKER_01 (16:38):
was with their
proprietary stuff, which was
basically classes on the Avaya and the Lucent equipment and
some of the older AT&T equipment.
Then some Cisco stuff that's been very helpful, mainly on the
networking side.
Then my dad, my late father, he taught me so much about basic
troubleshooting skills.
Those apply to just about anything within the IT realm.
(17:00):
If you've got basic troubleshooting skills, you can
probably figure out just about anything.
SPEAKER_03 (17:04):
Yeah.
SPEAKER_01 (17:05):
Just know how to use
logic, know how to do a rough
root cause analysis, and you can figure something out.
SPEAKER_02 (17:12):
So with the way
things are going in the VoIP
realm, everything moving to the cloud, do you want to move more
towards cloud stuff, or do you have a dream job that you want
to transition to here?
SPEAKER_01 (17:27):
The industry is
transitioning to the cloud, I
don't necessarily want it to, but that's where it's going,
right?
You know, you can say I don't like heat, but summer's going to
come every year.
So you got to deal with it, right?
So yeah, it's going to the cloudand I have been picking up some
(17:47):
more cloud skills because, you know, as anyone within the IT
realm, it's a constant learning process.
You got to stay with it or you're going to get left behind
like yesterday.
So the biggest hurdle for me is just trying to stay current with
everything.
And it's not too bad, but there's some pretty good
resources out there.
I review a lot of the free stuff on places such as like
(18:08):
Cybrary.it. Then there's, I mean, you could go on YouTube
and there's some great, great content creators out there.
And then there's great podcasts like this one that I usually
pick up something from just about every person on there and
learn something, you know.
But Strictly Security, the Cyber Mentor, he's been great.
(18:34):
Again, Cyber IT has been great.
When I really want to thinkabout something, maybe not
specifically voiceover, related,I'll listen to one of the
generic, I call them generic,security podcasts where they
tell a story about how someone got hacked or something.
It always gets your brain to thinking, right?
SPEAKER_02 (18:53):
Out of everything
we've talked about in this
episode, what would be your number one takeaway for our
listeners?
If you're
SPEAKER_01 (19:00):
going to be in this
industry, whether it's VoIP or
security as a whole or anything niche within IT, stay focused,
number one. Two, keep an open mind.
Three, always be willing to learn because, again, it's
constantly changing.
What was two, three years ago is already dated today.
(19:22):
So you've got to be constantly learning.
You've got to be constantly open-minded.
Don't resist change because it's coming.
And whether you like it or not,if you don't, you're going to
get left behind.
SPEAKER_02 (19:32):
Where can our
listeners connect with you
online?
SPEAKER_01 (19:34):
I'm on Twitter.
It's Pittman underscore Barry.
All right.
Thank you so much.
All right, thanks.
SPEAKER_03 (19:40):
Thank you for
joining us.
SPEAKER_01 (19:42):
All right, no
problem.
SPEAKER_03 (19:45):
So thanks for
listening to the Security
Chipmunks.
And remember, if it seems overwhelming, just keep chipping
away at it.