[VOIPSEC] VoIP Vulnerabilities and Exposures (VVE) - (Was Re: Questions about recent Sipera reported RIM Blackberry (and other VoIP phone) vulnerabilities)

Raul Siles raul.siles at gmail.com
Fri Apr 6 03:39:16 CDT 2007 

Dan,
Thanks for the follow up on this, your comments and for splitting it up in a
new thread :)

I sent the message to voipsa at voipsa.org on April, 2 (perhaps it got lost in
the SPAM filters, I'll resend it again).

Re your comments:
1) This is one of the main reasons I asked the community about your
concerns.

The main benefit of a separate service is that we (VOIPSA) would have more
control about specific VoIP vulns. and the information we want to include
for each of them: we could refer to specific threats using the current
Threat Taxonomy, tools that exploit the vuln from the Tools List, or
mitigation strategies referring to the upcoming Best Practices document.

I agree there is a drawback. Using the WVE (wireless) as an example, I know
about problems that fit almost all the categories: only in CVE, only in WVE,
in both (CVE and WVE).

Having only 39 CVE entries dating back to 1999 related to VoIP reflects the
issue :(

How feasible would be to "work with the CVE folks" in an accurate and
effective way to have all the entries and info we'd like in CVE? Based on
that we could decide to create a new service or not.

2) As far as I know, the way it works for WVE is because there are some
sponsors (that most probably invested some money there for the basic
infrastructure, I don't know the exact details) and a good set of editors
that enter or review the entries submitted by anyone in the community. I
agree that to make it succeed and be a high-quality service, investment
(economic and human) is required.

WVE is a community effort nowadays: http://www.wve.org/info.

Anyone has good contacts within CVE to see if we could provide some
requisites for the VoIP entries and integrate that into the VoIPSA Web page?
--
Raúl Siles
GSE
www.raulsiles.com

On 4/6/07, dan_york at mitel.com <dan_york at mitel.com> wrote:
>
> Raul,
>
> > Your comments and concerns are directly related with a topic I privately
> > suggested to VOIPSA a couple of days ago about VoIP-related
> vulnerabilities
> > (didn't hear from VOIPSA yet).
>
> To whom did you send it when you say you send it to "VOIPSA"?  Did you
> just
> send it to Dave Endler?  Or to several of us?  Generally Dave, Jonathan or
> I
> respond to inquiries.  I know Jonathan is travelling but I don't know
> Dave's
> status - and I can't find any message in my inbox.  Please feel free to
> send
> it my way and I'll be glad to circulate it to the others.
>
> > My suggestion was related with the creation
> > of a VoIP Vulnerabilities and Exposures (VVE) service, similar to CVE or
> WVE
> > but just focused on VoIP. I think VOISA should lead it. The VWE service
> > could apply a standard and homogeneous threat rating, as you wisely
> suggest.
>
> It's an interesting idea and I like the concept, but I have two thoughts:
>
> 1. Does it make sense to create a separate and new service?  Or should we
>    instead work with the CVE folks to ensure that VoIP vulnerabilities are
>    entered correctly there?  There are currently 39 CVE entries dating
> back
>    to 1999 related to VoIP -
> http://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=voip
>    On the one hand, creating a separate service allows people to find VoIP
>    security information much easier.  On the other hand, it is now a
>    separate body of information that can't be searched in an integrated
>    fashion. (i.e. a search for a vendor's name on CVE would NOT turn up
>    VoIP vulnerabilities... unless they were entered in both places, which
>    is now double the work for someone)
>
> 2. For VOIPSA to realistically launch and *maintain* an initiative like
>    this, it seems to me that you would need people who are truly dedicated
>    to doing this.  We *might* be able to do it with very committed
> volunteers,
>    but I would wonder if we don't really some folks a bit beyond volunteer
>    level... perhaps student internships... perhaps part time staff... all
>    of which starts to involve $$$.  For us to be able to do that, we have
>    to make the transition to a paid membership organization that we have
>    been talking about for a number of months now.
>
> It occurs to me that there might be a way to accomplish the VoIP focus
> while
> retaining the integration with the rest of the security industry.  Perhaps
> we
> could work with the CVE folks to be able to extract and display the VoIP
> vulnerabilities on a VOIPSA web page - but yet have the entries still
> reside in the CDE database.  That way we could put a focus on the VoIP
> vulnerabilities, yet leverage: a) the work and staff of the CVE project;
> and
> b) maintain the integration with all the other vulnerabilities.
>
> My 2 cents,
> Dan
>
>
>
> --
> Dan York, CISSP
> Dir of IP Technology, Office of the CTO
> Mitel       http://www.mitel.com
> dan_york at mitel.com +1-613-592-2122
> PGP key (F7E3C3B4) available for
> secure communication
>
> _______________________________________________
> Voipsec mailing list
> Voipsec at voipsa.org
> http://voipsa.org/mailman/listinfo/voipsec_voipsa.org
>

More information about the Voipsec mailing list