[VOIPSEC] VoIP Vulnerabilities and Exposures (VVE) - (Was Re: Questions about recent Sipera reported RIM Blackberry (and other VoIP phone) vulnerabilities)
dan_york at Mitel.com
Thu Apr 5 19:14:26 CDT 2007
Raul,
> Your comments and concerns are directly related with a topic I privately
> suggested to VOIPSA a couple of days ago about VoIP-related vulnerabilities
> (didn't hear from VOIPSA yet).
To whom did you send it when you say you sent it to "VOIPSA"? Did you just
send it to Dave Endler? Or to several of us? Generally Dave, Jonathan or I
respond to inquiries. I know Jonathan is travelling but I don't know Dave's
status - and I can't find any message in my inbox. Please feel free to send
it my way and I'll be glad to circulate it to the others.
> My suggestion was related with the creation
> of a VoIP Vulnerabilities and Exposures (VVE) service, similar to CVE or WVE
> but just focused on VoIP. I think VOIPSA should lead it. The VVE service
> could apply a standard and homogeneous threat rating, as you wisely suggest.
It's an interesting idea and I like the concept, but I have two thoughts:
1. Does it make sense to create a separate and new service? Or should we
   instead work with the CVE folks to ensure that VoIP vulnerabilities are
   entered correctly there? There are currently 39 CVE entries dating back
   to 1999 related to VoIP -
   http://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=voip

   On the one hand, creating a separate service allows people to find VoIP
   security information much more easily. On the other hand, it is then a
   separate body of information that can't be searched in an integrated
   fashion. (i.e. a search for a vendor's name on CVE would NOT turn up
   VoIP vulnerabilities... unless they were entered in both places, which
   is now double the work for someone)
2. For VOIPSA to realistically launch and *maintain* an initiative like
   this, it seems to me that you would need people who are truly dedicated
   to doing this. We *might* be able to do it with very committed volunteers,
   but I would wonder if we don't really need some folks a bit beyond
   volunteer level... perhaps student internships... perhaps part time
   staff... all of which starts to involve $$$. For us to be able to do
   that, we have to make the transition to a paid membership organization
   that we have been talking about for a number of months now.
It occurs to me that there might be a way to accomplish the VoIP focus while
retaining the integration with the rest of the security industry. Perhaps we
could work with the CVE folks to be able to extract and display the VoIP
vulnerabilities on a VOIPSA web page - but yet have the entries still
reside in the CVE database. That way we could put a focus on the VoIP
vulnerabilities, yet a) leverage the work and staff of the CVE project;
and b) maintain the integration with all the other vulnerabilities.
My 2 cents,
Dan
--
Dan York, CISSP
Dir of IP Technology, Office of the CTO
Mitel http://www.mitel.com
dan_york at mitel.com +1-613-592-2122
PGP key (F7E3C3B4) available for secure communication