Internet Telephony Has Security Problems: This was an interesting read this morning for different reasons:

  • First of all, it is not surprising (even if we had not known about the problems, they would have been expected).
  • I liked the statement: "The goal is to raise awareness about flaws in these systems – and create a market for VoIPshield's product…" This is the scary part: it is not about the security of the environment or the ecosystem but about sales.
  • But then: Dalmazzi says he tried unsuccessfully to get the attention of the VoIP makers, including shoving a business card with a note describing the vulnerabilities he'd discovered into one executive's hand at a conference. One company told us that it wants to learn more about the vulnerabilities but has had difficulty working with VoIPshield. In other words, it isn't a clean process. It seems that there are still too many companies that are not able to handle this kind of information (if it is really true). I guess today, if a Microsoft person is made aware of a vulnerability (and for sure an Exec), even if they do not know the process exactly, they would definitely know whom to ask, and from there on it is a defined process.
  • When I worked in Switzerland, we created a CSO Roundtable called Swiss Security Exchange, where we discussed current challenges with CSOs. Two years ago, the core theme there was – you guessed it – VoIP! If you are interested in the results of the discussion, here you find the summary.

Roger