[VOIPSEC] VoIP Vulnerabilities and Exposures (VVE) - (Was Re: Questions about recent Sipera reported RIM Blackberry (and other VoIP phone) vulnerabilities)
Tom Hayden
haydenth at msu.edu
Wed Apr 11 07:53:02 CDT 2007
This is a pretty interesting idea. Let me know if you guys need any
help getting something like this set up and maintained - I've been
looking for a project like this for some time.
Cheers,
Tom Hayden
www.tomhayden3.com
On 4/6/07, Raul Siles <raul.siles at gmail.com> wrote:
> Dan,
> Thanks for the follow up on this, your comments and for splitting it up in a
> new thread :)
>
> I sent the message to voipsa at voipsa.org on April, 2 (perhaps it got lost in
> the SPAM filters, I'll resend it again).
>
> Re your comments:
> 1) This is one of the main reasons I asked the community about your
> concerns.
>
> The main benefit of a separate service is that we (VOIPSA) would have more
> control about specific VoIP vulns. and the information we want to include
> for each of them: we could refer to specific threats using the current
> Threat Taxonomy, tools that exploit the vuln from the Tools List, or
> mitigation strategies referring to the upcoming Best Practices document.
>
> I agree there is a drawback. Using the WVE (wireless) as an example, I know
> about problems that fit almost all the categories: only in CVE, only in WVE,
> in both (CVE and WVE).
>
> Having only 39 CVE entries dating back to 1999 related to VoIP reflects the
> issue :(
>
> How feasible would it be to "work with the CVE folks" in an accurate and
> effective way to have all the entries and info we'd like in CVE? Based on
> that we could decide whether or not to create a new service.
>
> 2) As far as I know, the way it works for WVE is because there are some
> sponsors (that most probably invested some money there for the basic
> infrastructure, I don't know the exact details) and a good set of editors
> that enter or review the entries submitted by anyone in the community. I
> agree that to make it succeed and be a high-quality service, investment
> (economic and human) is required.
>
> WVE is a community effort nowadays: http://www.wve.org/info.
>
> Does anyone have good contacts within CVE to see if we could provide some
> requisites for the VoIP entries and integrate that into the VoIPSA Web page?
> --
> Raúl Siles
> GSE
> www.raulsiles.com
>
> On 4/6/07, dan_york at mitel.com <dan_york at mitel.com> wrote:
> >
> > Raul,
> >
> > > Your comments and concerns are directly related with a topic I privately
> > > suggested to VOIPSA a couple of days ago about VoIP-related vulnerabilities
> > > (didn't hear from VOIPSA yet).
> >
> > To whom did you send it when you say you sent it to "VOIPSA"? Did you just
> > send it to Dave Endler? Or to several of us? Generally Dave, Jonathan or I
> > respond to inquiries. I know Jonathan is travelling but I don't know Dave's
> > status - and I can't find any message in my inbox. Please feel free to send
> > it my way and I'll be glad to circulate it to the others.
> >
> > > My suggestion was related with the creation
> > > of a VoIP Vulnerabilities and Exposures (VVE) service, similar to CVE or WVE
> > > but just focused on VoIP. I think VOIPSA should lead it. The VWE service
> > > could apply a standard and homogeneous threat rating, as you wisely suggest.
> >
> > It's an interesting idea and I like the concept, but I have two thoughts:
> >
> > 1. Does it make sense to create a separate and new service? Or should we
> > instead work with the CVE folks to ensure that VoIP vulnerabilities are
> > entered correctly there? There are currently 39 CVE entries dating back
> > to 1999 related to VoIP -
> > http://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=voip
> > On the one hand, creating a separate service allows people to find VoIP
> > security information much more easily. On the other hand, it is now a
> > separate body of information that can't be searched in an integrated
> > fashion. (i.e. a search for a vendor's name on CVE would NOT turn up
> > VoIP vulnerabilities... unless they were entered in both places, which
> > is now double the work for someone)
> >
> > 2. For VOIPSA to realistically launch and *maintain* an initiative like
> > this, it seems to me that you would need people who are truly dedicated
> > to doing this. We *might* be able to do it with very committed volunteers,
> > but I would wonder if we don't really need some folks a bit beyond volunteer
> > level... perhaps student internships... perhaps part time staff... all
> > of which starts to involve $$$. For us to be able to do that, we have
> > to make the transition to a paid membership organization that we have
> > been talking about for a number of months now.
> >
> > It occurs to me that there might be a way to accomplish the VoIP focus while
> > retaining the integration with the rest of the security industry. Perhaps we
> > could work with the CVE folks to be able to extract and display the VoIP
> > vulnerabilities on a VOIPSA web page - but yet have the entries still
> > reside in the CVE database. That way we could put a focus on the VoIP
> > vulnerabilities, yet leverage: a) the work and staff of the CVE project; and
> > b) maintain the integration with all the other vulnerabilities.
> >
> > My 2 cents,
> > Dan
> >
> >
> >
> > --
> > Dan York, CISSP
> > Dir of IP Technology, Office of the CTO
> > Mitel http://www.mitel.com
> > dan_york at mitel.com +1-613-592-2122
> > PGP key (F7E3C3B4) available for
> > secure communication
> >
> > _______________________________________________
> > Voipsec mailing list
> > Voipsec at voipsa.org
> > http://voipsa.org/mailman/listinfo/voipsec_voipsa.org
> >
>
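Dan's suggestion in the quoted thread (keep the entries in CVE, but present a VoIP-focused view of them on a VOIPSA page) can be prototyped without any second database. The following is an added example and not code from the thread, VOIPSA or the CVE project; the record layout, the CVE identifiers (placeholders, not real entries) and the keyword list are all constructed assumptions. It filters CVE-style records into a VoIP view with word-boundary keyword matching (so "sip" does not match "gossip"), keeps vendor search working over the full set so the double-entry problem Dan describes does not arise, and HTML-escapes descriptions before rendering them, since CVE descriptions are third-party text.

```python
"""VoIP-focused view over CVE-style records, with no separate vulnerability database."""
import html
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class CveRecord:
    cve_id: str        # identifier as it appears in CVE (placeholders below)
    vendor: str        # affected vendor/product owner
    description: str   # free text written by a third party: treat as untrusted


# Constructed sample records; the IDs are placeholders, not real CVE entries.
SAMPLE_RECORDS = [
    CveRecord("CVE-0000-0001", "ExampleVendor",
              "Buffer overflow in SIP INVITE parsing of the ExampleVendor PBX."),
    CveRecord("CVE-0000-0002", "ExampleVendor",
              "Cross-site scripting in the web admin UI of an ExampleVendor router <= 1.0."),
    CveRecord("CVE-0000-0003", "OtherVendor",
              "Denial of service via malformed RTP packets in the OtherVendor softphone."),
    CveRecord("CVE-0000-0004", "ThirdVendor",
              "Authentication bypass in the ThirdVendor gossip-protocol daemon."),
]

# Assumed keyword list for the VoIP view; a real deployment would curate this
# with the CVE editors so entries are tagged consistently at submission time.
VOIP_KEYWORDS = ("voip", "sip", "h.323", "rtp", "rtcp", "iax", "softphone", "pbx")


def _keyword_pattern(keywords):
    """Case-insensitive, word-bounded alternation so 'sip' != 'gossip'."""
    alternation = "|".join(re.escape(k) for k in keywords)
    return re.compile(r"\b(?:" + alternation + r")\b", re.IGNORECASE)


def is_voip_related(record, keywords=VOIP_KEYWORDS):
    """True if the description mentions any VoIP keyword as a whole word."""
    return bool(_keyword_pattern(keywords).search(record.description))


def voip_view(records, keywords=VOIP_KEYWORDS):
    """The VoIP subset of the full record list; records stay where they are."""
    return [r for r in records if is_voip_related(r, keywords)]


def search_by_vendor(records, vendor):
    """Vendor search over the complete set, so VoIP entries are still found."""
    return [r for r in records if r.vendor.casefold() == vendor.casefold()]


def render_html(records):
    """Render a list of records as an HTML fragment, escaping third-party text."""
    rows = []
    for r in records:
        rows.append("<li><b>{}</b> ({}): {}</li>".format(
            html.escape(r.cve_id), html.escape(r.vendor), html.escape(r.description)))
    return "<ul>\n" + "\n".join(rows) + "\n</ul>"


if __name__ == "__main__":
    print(render_html(voip_view(SAMPLE_RECORDS)))
```

Because `voip_view` is only a filter over the same records, a vendor search on the full set (`search_by_vendor`) still returns the VoIP entries alongside the rest, which is exactly the integration the separate-service option would lose.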