Slashdot Mirror


Asterisk Vishing Attacks "Endemic"

Ian Lamont writes "Remember the report last year that the FBI was concerned about a 'vishing' exploit relating to the Asterisk IP PBX software? Digium played down the report, noting that it was based on a bug that had already been patched, but now the company's open-source community director says that attacks on Asterisk installations are 'endemic.' There have been dozens of reported vishing attacks in recent weeks, says the article: 'The victims typically bank with smaller regional institutions, which typically have fewer resources to detect scams. Scammers hack into phone systems and then call victims, playing prerecorded messages that say there has been a billing error or warn them that the bank account has been suspended because of suspicious activity. If the worried customer enters his account number and ATM password, the bad guys use that information to make fake debit cards and empty their victim's bank accounts.'"

141 comments

  1. Vishing? by Red Flayer · · Score: 3, Insightful

    Vishing? Really?

    What is that, voice phishing? What's next, we're going to call telemarketers "vammers"? And we'll call phreakers "vackers"?

    I'm sure we could come up with a better term than "vishing".

    --
    "Trolls they were, but filled with the evil will of their master: a fell race..." -- J.R.R. Tolkien on Olog-hai
    1. Re:Vishing? by CannonballHead · · Score: 2, Funny

      I'm sure we could come up with a better term than "vishing".

      Like voice phishing? ;)

    2. Re:Vishing? by Carewolf · · Score: 3, Insightful

      Vishing? Really?

      What is that, voice phishing? What's next, we're going to call telemarketers "vammers"? And we'll call phreakers "vackers"?

      I'm sure we could come up with a better term than "vishing".

      If the alternative is phreashing and phreammers, then I'll prefer "vishing". That said, I doubt most cases are using an actual "bug" in Asterisk; it is much more likely there are different setups, where some are incorrectly set up to handle _one_ of the many combinations of diversion, refer, redirection, route, proxy, RFC and draft SIP features that Asterisk "supports".

    3. Re:Vishing? by Anonymous Coward · · Score: 0

      Ooh! Something with avian implications seems appropriate, since everyone who's anyone has a cat, and unlike fish, birds have voices. Songbirding, bird poaching... voaching?

    4. Re:Vishing? by natehoy · · Score: 3, Insightful

      Yeah, "Phishing" still seems to apply as an appropriate term to describe social engineering attempts by email, which is already a pretty specialized term, where "email fraud" would have worked just as well to start with (since it is closely related to an existing term "mail fraud" which indicates the snail mail version of the same attempt). As usual, a term was invented to describe something that is harder for the layman to understand than the original term. Hey, we're geeks, new confusing terms are cool, so deal. 1337 n3w w0rdz0rz ru1z!

      A phisher is still sending someone an email and asking them to take a specific action that, if you take it, will result in you giving up important information to someone wearing a black hat. We don't need separate terms to describe every possible nuance of the way you would potentially send the information back. If someone sends me an email with a form they want me to fill out and mail, do I have to call that mhishing? And what if they want me to fax it? fhishing? What if they simply want me to reply to them with some information? rhishing?

      What if you get an email that gives a bad link *AND* a scammer's phone number? pvhishing? Or does the order of the "p" and "v" depend on which appears in the email fraud attempt first, so it could be pvishing or vphishing? And do I read that right-to-left or top-to-bottom to determine "first"?

      Is there a 3-week class on this new terminology, or a 12-step program to get people to stop using it?

      --
      "This post contains words, known to the State of California to cause thought. Wash brain thoroughly after reading."
    5. Re:Vishing? by Anonymous Coward · · Score: 0

      Especially since v typically indicates video, e.g. VJ and vlogging.

      If "hacker" can mean "anyone who does anything remotely related to computers," I'm pretty sure we don't need "vishing" and (even worse) spear phishing.

      Man, we're edgy and hip: even the kids aren't using this slang!

      This stuff is almost as bad as when various drug propaganda prints out lists of terms for drugs. Because, you know, otherwise we might think X is something you get in your Flintstone's vitamins.

    6. Re:Vishing? by natehoy · · Score: 1

      Never mind, I did read, but failed to comprehend, the article. Stupid me.

      Anyway, I still don't think we need a new term. In fact, I think we already have one. "Telephone fraud".

      --
      "This post contains words, known to the State of California to cause thought. Wash brain thoroughly after reading."
    7. Re:Vishing? by quangdog · · Score: 1

      From a link from TFS: "Vishing is much like phishing, but instead of urging e-mail recipients to click on a link (to a bogus website) this message instructs the reader to call a telephone number to rectify a problem with your account."

      I agree - "vishing" is a stupid term.

    8. Re:Vishing? by jittles · · Score: 4, Funny

      Actually, the attack is named after my Indian friend Vishal. But everyone calls him Vish. No really, I didn't just make this up.

    9. Re:Vishing? by oldspewey · · Score: 1

      Well, more pedantically it should be something like "telephone impersonation fraud" to account for the fact the scammers attempt to trade on an existing relationship of trust ... and now we're up to 9 syllables.

      --
      If libertarians are so opposed to effective government, why don't they all move to Somalia?
    10. Re:Vishing? by NotQuiteReal · · Score: 1

      What is that, voice phishing? What's next, we're going to call telemarketers "vammers"? And we'll call phreakers "vackers"?

      Nah, following the "vishing" substitution logic, I come up with telemarketing spammers = tammers and phreaker hackers would be phackers.

      --
      This issue is a bit more complicated than you think.
    11. Re:Vishing? by MiniMike · · Score: 2, Funny

      What's next, we're going to call telemarketers "vammers"? And we'll call phreakers "vackers"?

      How about varmints and pharmints?

      Telemarketers don't deserve a new word, especially when an existing one fits so well. Phreakers at least are exhibiting some level of skill, even if it is in a somewhat antisocial manner (so I assume, at least).

    12. Re:Vishing? by Tony Hoyle · · Score: 2, Informative

      vishing is what Dracula does on his holidays.

    13. Re:Vishing? by natehoy · · Score: 1

      And if a phacker tried to spam a woman with kids, he'd be known as a mother phacker?

      --
      "This post contains words, known to the State of California to cause thought. Wash brain thoroughly after reading."
    14. Re:Vishing? by natehoy · · Score: 2, Insightful

      But all 9 syllables refer to concepts already stored in my brain. "Code Re-use"!

      --
      "This post contains words, known to the State of California to cause thought. Wash brain thoroughly after reading."
    15. Re:Vishing? by element-o.p. · · Score: 1

      But as natehoy pointed out in his original post, is it really necessary to coin a new term -- or even a new combination of existing terms -- for every possible permutation of communication media that scammers seek to exploit? How about just saying a scammer is a scammer is a scammer, whether (s)he is using e-mail, snail mail, voice mail, fax, or smoke signal?

      IMHO, "FBI warns of scam exploiting Asterisk PBX software" is far more meaningful to more people than "FBI warns of vishing attack exploiting Asterisk PBX software". But, hey -- for a /. reader, I'm a bit of Luddite, so maybe it's just me.

      --
      MCSE? No, sir...I don't do Windows. Yes, I am an idealist. What's your point?
    16. Re:Vishing? by fahrbot-bot · · Score: 1

      I'm sure we could come up with a better term than "vishing".

      I second this sentiment. Let's reserve "Vishing" for people pretending to be Vishnu.

      --
      It must have been something you assimilated. . . .
    17. Re:Vishing? by element-o.p. · · Score: 1

      "Stupid phackers..."

      :D

      --
      MCSE? No, sir...I don't do Windows. Yes, I am an idealist. What's your point?
    18. Re:Vishing? by element-o.p. · · Score: 1

      I like it...because in some states, it's legal to hunt varmints >:]

      --
      MCSE? No, sir...I don't do Windows. Yes, I am an idealist. What's your point?
    19. Re:Vishing? by phoenixwade · · Score: 1

      those Phreaking Vishers........

      --
      A positive attitude may not solve all your problems, but it will annoy enough people to make it worth the effort.
    20. Re:Vishing? by NatasRevol · · Score: 1

      Is spear phishing related to porn?

      --
      There are two types of people in the world: Those who crave closure
    21. Re:Vishing? by Carbaholic · · Score: 1

      Yes, really. Not only that but soon there will be virtual actors or vactors.

    22. Re:Vishing? by jo42 · · Score: 2, Funny

      "Vishing" is what it is called when Vishnu goes fishing.

    23. Re:Vishing? by dkleinsc · · Score: 1

      You laugh, but my first thought was that it was referring to Vishy Anand, current World Chess Champion.

      --
      I am officially gone from /. Long live http://www.soylentnews.com/
    24. Re:Vishing? by Mike Buddha · · Score: 1

      How about calling the lot of them "dicks"? I think that pretty well sums it up.

      --
      by Mike Buddha -- Someday the mountain might get him, but the law never will.
    25. Re:Vishing? by hairyfeet · · Score: 1

      Maybe "canary call"? As it acts like a canary singing out to warn you of danger, when it is really a stool pigeon giving your info to those that want to screw you? Meh, anything would be better than "vishing".

      --
      ACs don't waste your time replying, your posts are never seen by me.
    26. Re:Vishing? by mcgrew · · Score: 1

      I wondered the same thing, so I googled. Vishing is the criminal practice of using social engineering over the telephone system.

      I do vish they'd have come up with a better name... but considering GNU, TWAIN, Windows, iPod, (and especially that abominably named "WiFi"), we as a group are pretty bad at coming up with good names.

    27. Re:Vishing? by Anonymous Coward · · Score: 0

      I'm so hip I can't see over my pelvis.

    28. Re:Vishing? by Anonymous Coward · · Score: 0

      Vishing? Really?

      What is that, voice phishing? What's next, we're going to call telemarketers "vammers"? And we'll call phreakers "vackers"?

      I'm sure we could come up with a better term than "vishing".

      I think I just spit coffee on my monitor!!!

      Kim
      kids water shoes

    29. Re:Vishing? by VoltageX · · Score: 2, Insightful

      It's pretty hard to set Asterisk up properly, let alone secure it. The cynic in me says this is so Digium can make more money on support and training.

      --
      "Anonymous could not immediately be reached for further comment." - International Business Times
    30. Re:Vishing? by Anonymous Coward · · Score: 0

      Vat do you have against ze term vishing? Ve children of ze night have hopes und dreams too. Vy, every day I vish for ze accursed sun to never rise again.

    31. Re:Vishing? by jsiren · · Score: 1

      I'm sure we could come up with a better term than "vishing".

      You might vant to throw a coin in the vishing vell.

      --
      Usage: km/h for speed (kilometers per hour); kph for very slow impulses (kilopond hours).
  2. _All_ prerecorded calls are spam. by John Hasler · · Score: 1

    I always hang up as soon as I recognize them for what they are. On the rare occasions when someone who actually has something to say that I need to hear tries to use one they always follow up with a real phone call or a letter.

    --
    Warning: this article may contain humor, sarcasm, parody, and perhaps even irony. Read at your own risk.
    1. Re:_All_ prerecorded calls are spam. by Anonymous Coward · · Score: 0

      Not completely true. When I preordered Ghostbusters from GameStop they had a prerecorded message from Dan Aykroyd saying to come pick up my copy; under your logic you would have missed out on that sheer awesomeness.

    2. Re:_All_ prerecorded calls are spam. by Anonymous Coward · · Score: 0

      Don't always hang up. I hung up on a persistent caller and realized it was my bank confirming a charge. They then locked my account. (Strangely, I can get SMS alerts that I have more money, but not that I've spent it or that I'm low.)

      Generally, if you hear connection and then a delay, you know it's either a recording or an autodialer. Both will pause to detect an answering machine / voicemail. Also, if a telemarketer is using an autodialer, it dials multiple numbers and then has to connect an operator.

    3. Re:_All_ prerecorded calls are spam. by Anonymous Coward · · Score: 0

      I don't answer the home phone at all. It is always some pre-recorded message from the High School or Middle School or some political candidate who "approved this message". Last night - a new low. Some political candidate actually automatically joined us to a conference call he had organized. It started with a pre-recorded message saying it was going to join this conference on some shit and then it joined. All this was being recorded by the answering machine. We had to get up and pick up the phone and hang it up to stop the answering machine (digital) from recording. I don't know what the max recording time per message is on that model of answering box but it recorded about 2 minutes before we hung up. So now some politico can use up a good solid chunk of our answering machine space with their gobbledygook. Crazy.

    4. Re:_All_ prerecorded calls are spam. by Deanalator · · Score: 4, Informative

      I was getting a recorded message from a spoofed CID at 000-000-0000 and would always kill the call as I saw it come in. Turns out it was my gas company trying to resolve some billing issues.

      A note to all "legit" businesses out there, blocked numbers and especially spoofed cids are super sketchy, don't do it.

    5. Re:_All_ prerecorded calls are spam. by oldspewey · · Score: 2, Informative

      The solution to phone spammers is - oh the irony - to use more asterisk. With a little creativity you can keep telemarketers busy without even picking up the phone.

      --
      If libertarians are so opposed to effective government, why don't they all move to Somalia?
    6. Re:_All_ prerecorded calls are spam. by drpimp · · Score: 1

      I actually think I got one of these calls sometime last week. The recording left a message and is still in my box, well, half of it. Apparently their dialer script doesn't have that great of, if any, PAMD. The audio is what sounds like a native English speaker, speaking very fast but sometimes stumbling, likely reading from a written script asking for account numbers and ATM codes. I immediately knew it was a scam, but I am sure others receiving the call might not have been so lucky to recognize that.

      --
      -- Brought to you by Carl's JR
    7. Re:_All_ prerecorded calls are spam. by Tony Hoyle · · Score: 1

      The problem is nobody should *ever* fall for this, no matter how good the caller sounds.

      Someone phones you. CLID can be faked. Can't trust that. Unless they have some way of authenticating themselves to you treat them as unknown.
      That phone call contains another number. Ignore it. Go to the website of your bank, find a published customer service number and ask them.

      It's exactly the same as anyone with any sense has been doing for years.. telephone scams aren't new. Now if the bank's calling system is compromised.. that's a bigger problem, and one that the bank would have to answer for.

    8. Re:_All_ prerecorded calls are spam. by John Hasler · · Score: 1

      > Now if the bank's calling system is compromised..

      My credit union has a branch six miles away and head offices at about 25 miles. If I ever get something that purports to be a recorded call from them I won't be contacting them by phone.

      --
      Warning: this article may contain humor, sarcasm, parody, and perhaps even irony. Read at your own risk.
    9. Re:_All_ prerecorded calls are spam. by element-o.p. · · Score: 1

      I always hang up as soon as I recognize them for what they are.

      Not me. I set the phone on my desk, press the "mute" button and tie up the telemarketers' phone lines for as long as possible while I get back to reading /.^w^w^wwork. Kind of a low-tech La Brea tar pit.

      --
      MCSE? No, sir...I don't do Windows. Yes, I am an idealist. What's your point?
    10. Re:_All_ prerecorded calls are spam. by secretcurse · · Score: 1

      When my credit card company detects a charge that might be fraud, they send a robo call telling me to call the number on the back of my card to discuss a possible fraud issue. I like that a lot better than having someone I can't verify call me and ask for personal information. When I call the number printed on my card I can be reasonably certain that I know which company is going to be on the other end of the line. If an attack is so advanced that a thief knows the number printed on the back of my card and has the means to intercept me when I dial that number there's probably nothing that can stop it. That's why I monitor my card statements online. You can't be liable for fraud you report in a timely manner.

      --
      I'm using all of my mod points to mod ancient memes down. Please join me.
    11. Re:_All_ prerecorded calls are spam. by mcgrew · · Score: 1

      And robocalls. When I hear "please wait" when I answer the phone, I don't bother waiting around to see what moronic company is trying to spam me, I just hang up.

    12. Re:_All_ prerecorded calls are spam. by Anonymous Coward · · Score: 0

      So, did you give your "gas company" your credit card number in order to resolve this so called billing issue?

      Just saying...

    13. Re:_All_ prerecorded calls are spam. by Anonymous Coward · · Score: 0

      My wife managed to screw us over with something similar. She kept getting calls from an unknown number on her cell phone, which she would just ignore. So then they would leave voicemails saying that we were past due on our Target credit card. But, of course, using an Indian customer service company with incredibly poor phone service, so all she could make out was something about our Target card. She figured it was some kind of scam.

      After SEVERAL months of this she got a call while I was around, and hung up as usual. I suggested, "hey, maybe we should check on our card, since you've been getting calls about it?" Sure enough it was now months past due, with numerous "late fees" etc. tacked on.

      *grrrrrr*

  3. Asterix by lamadude · · Score: 1

    Asterix was fishing when he was attacked by the Romans again? Where was Obelix? He'll win in the end, he always does.

    1. Re:Asterix by frenchbedroom · · Score: 1

      And there'll be a huge banquet with wild boars roasted on a spit and ale!

    2. Re:Asterix by MRe_nl · · Score: 1

      This just in: Home cooking is killing McDonalds.

      --
      "Kill 'em all and let Root sort 'em out"
  4. Vishing by camperdave · · Score: 2, Informative

    Vishing is the criminal practice of using social engineering over the telephone system, most often using features facilitated by Voice over IP (VoIP)

    http://en.wikipedia.org/wiki/Vishing

    Either that or it's an old world ethnic pronunciation of the word "wishing".

    --
    When our name is on the back of your car, we're behind you all the way!
  5. Security! by Shadyman · · Score: 1

    Sounds like some banks haven't been keeping things up to date...

    Security patches are there for a reason. Security.

    1. Re:Security! by drpimp · · Score: 1

      If you RTFA, it's not referring to the actual bank's PBX getting hijacked. Regardless, yes, there appears to have been an exploit due to a bug, and it should be fixed now, but the many businesses that use Asterisk and haven't applied patches are those affected.

      --
      -- Brought to you by Carl's JR
    2. Re:Security! by hairyfeet · · Score: 2, Informative

      Which to me is the scarier part, as SMBs have fatter pipes which when compromised can send tons of spam, vishing, etc. As someone who works on plenty of SMBs you'd be amazed at what some of these places are running, we are talking Win2K and sometimes even Win98 machines, most haven't seen a patch since they left the factory, because some PHB is worried about downtime, meanwhile they are wondering "why the network is so slow". Yikes.

      You work PC repair for any length of time and the amount of total stupidity you'll see will make your face look like this permanently.

      --
      ACs don't waste your time replying, your posts are never seen by me.
  6. Moral of the story by Random2 · · Score: 5, Insightful

    Don't give sensitive information away unless in person. If your bank says there's something wrong with your account, either call them via their listed phone number or go visit them in person.

    --
    "Our goal each year should be to increase the number of goals we set for ourselves!"
    1. Re:Moral of the story by tsm_sf · · Score: 2, Informative

      Or, as I preach to older relatives just getting into computers:

      You go to your bank, your bank doesn't come to you.

      --
      Literalism isn't a form of humor, it's you being irritating.
    2. Re:Moral of the story by Bryansix · · Score: 1

      Exactly! The same tactic that defeats Phishing emails also works for Vishing or any other type of social engineering in the direction of the company to the consumer. It however doesn't fix the problem of when the customer (or someone pretending to be them) calls the company.

    3. Re:Moral of the story by John Hasler · · Score: 1

      > It however doesn't fix the problem of when the customer (or someone
      > pretending to be them) calls the company.

      That, however, places the liability on the company.

      --
      Warning: this article may contain humor, sarcasm, parody, and perhaps even irony. Read at your own risk.
    4. Re:Moral of the story by CRiMSON · · Score: 1

      Yup, keep yer money in your sock like I do! No one gets it, and if you ever get in trouble you can bust out the sock and wield that shit like a blackjack, tear it up!

      --
      oogly boogly!
    5. Re:Moral of the story by glodime · · Score: 1

      > It however doesn't fix the problem of when the customer (or someone
      > pretending to be them) calls the company.

      That, however, places the liability on the company.

      Unfortunately, for checking and savings accounts in the US, it does not. If someone empties your bank account via false identification, your bank is not liable for your losses.

    6. Re:Moral of the story by stephanruby · · Score: 1

      If your bank says there's something wrong with your account, either call them via their listed phone number or go visit them in person.

      This is missing the point of the article. It's the banks' voice mail systems that were compromised. So even if you call them back at their official listed number, you may still be duped by their re-programmed voice mail system.

    7. Re:Moral of the story by totally bogus dude · · Score: 1

      Which article said that? So far as I can tell, the compromised phone systems belong to random businesses. Calls are then made from the compromised system, meaning the attacker doesn't have to pay for the calls they're making, and also makes it harder to trace the scam back to them.

      It's just like spammers using compromised/"zombie" machines to send their spam. They're offloading the cost and risk to others, while still providing the benefit to themselves.

  7. Fishing, phishing, vishing, what's next? by noidentity · · Score: 5, Funny

    Fast-forward to 2109... ghoting attacks are on the rise, but nobody knows what the hell they are.

    1. Re:Fishing, phishing, vishing, what's next? by natehoy · · Score: 1

      We need a "Funny AND Insightful" mod that goes to 6 so there's a little extra when you need it.

      Because, for the post I am replying to, we need it.

      --
      "This post contains words, known to the State of California to cause thought. Wash brain thoroughly after reading."
    2. Re:Fishing, phishing, vishing, what's next? by Anonymous Coward · · Score: 0

      Brilliant, absolutely brilliant. I wish there was a "funny and educational" mod option.

    3. Re:Fishing, phishing, vishing, what's next? by mathx314 · · Score: 1

      Why don't you just make 5 a little better, make that the top number and make that a little better?

    4. Re:Fishing, phishing, vishing, what's next? by csnydermvpsoft · · Score: 1

      But... it goes to 6.

    5. Re:Fishing, phishing, vishing, what's next? by sconeu · · Score: 1

      I just vish zat zey vould ztop vith the forced vords.

      --
      General Relativity: Space-time tells matter where to go; Matter tells space-time what shape to be.
    6. Re:Fishing, phishing, vishing, what's next? by MrSenile · · Score: 1

      I had a relative that used to raise ghots. Some veeps and vickens, too.

      Every morning you voke the vows, and vilked them vry.

    7. Re:Fishing, phishing, vishing, what's next? by lennier · · Score: 1

      Just whatever you do, don't click on brain://vr.fishse.facebook.gov.

      --
      You are not a brain: http://books.google.com/books?id=2oV61CeDx-YC
    8. Re:Fishing, phishing, vishing, what's next? by noidentity · · Score: 1

      Yeah, I realized I could have made a German joke instead, something about them wishing (vishing) and why that is bad.

  8. Usage guide by Anonymous Coward · · Score: 1, Insightful

    Vishing is pronounced "wishing," as in "I am vishing to see your nuclear vessels."

    1. Re:Usage guide by Anonymous Coward · · Score: 0

      Vishing is pronounced "wishing," as in "I am vishing to see your nuclear vessels."

      I thought it was 'wessels'.

    2. Re:Usage guide by bakawolf · · Score: 0

      woosh?

    3. Re:Usage guide by hcpxvi · · Score: 2, Funny

      voosh? (surely?)

  9. I got one of those calls. by GrantRobertson · · Score: 2, Interesting

    I hung up and immediately called the FBI. I'm glad they are actually doing something about it.

    1. Re:I got one of those calls. by ColdWetDog · · Score: 5, Funny

      I hung up and immediately called the FBI. I'm glad they are actually doing something about it.

      If you're like me (and most of Slashdot), you don't need to call the FBI at all. Just look straight into the webcam and tell them what the problem is.

      Don't believe the naysayers that tell you that government is inefficient.

      --
      Faster! Faster! Faster would be better!
    2. Re:I got one of those calls. by Anonymous Coward · · Score: 0

      While you're at it, why not also load up some phony data to the vishers then? Might as well pollute their dataset until some authority is able to shut them down.

    3. Re:I got one of those calls. by shaitand · · Score: 1

      If you do buy into the inefficiency thing then go old school and send an email that begins...

      "Dear Uncle bin laden, what is your new address again?"

  10. Hello, This Is YABRIL OMOTAYO by Anonymous Coward · · Score: 0

    from G.M.A.C..
    We owe you a credit on your current loan for your Government Motors clunker and need your bank account number and Social Security Number to deposit this credit in your bank. Do you wish to proceed with this authorization?

    Yes.

    No.

    Thank you for your cooperation.

    Yours In Lahore,
    Y. Omotayo.

  11. Lock Down Your Phones, People! by mercutioviz · · Score: 1

    Actually, it's lock down your phones, your VM systems, your IVRs, etc. etc. Many years ago I had someone guess a password on a VM system and I had forgotten to disable "external transfers"... oops. Toll fraud. Now I use safe telecom practices. Practice number 1: Use FreeSWITCH instead of anything else. While any system can be configured unsafely and insecurely, at least the initial FreeSWITCH config is "paranoid by default." -MC

    1. Re:Lock Down Your Phones, People! by kasparov · · Score: 1

      Just using FreeSWITCH is not a security solution. It isn't like Asterisk is designed to route toll calls for all callers as a default or something. Software has bugs. Some bugs are security problems. Make sure you apply security updates ASAP. Asterisk even has a mailing list specifically for security updates which makes it super simple to know when you really need to apply a patch.

      --
      There's no place I can be, since I found Serenity.
    2. Re:Lock Down Your Phones, People! by mishehu · · Score: 1

      I do believe that is in fact what mercutioviz was saying. First pick a better tool, then make sure that tool is in proper configuration and working order. There are just some things that FS is designed to do differently that make it easier to implement good security practices. One example is having one SIP profile (UA) for one IP:port combination. I can have multiple SIP UAs with various levels of security bound to various different dialplan contexts all at the same time. There's none of the "1 IP, 1 port" or "all IPs, one port" scenario. It's a finer-grained tool.

    3. Re:Lock Down Your Phones, People! by diego.viola · · Score: 1

      I agree with mercutioviz, FreeSWITCH is a much better tool than anything else I have ever seen in the OSS or proprietary world when it comes to VoIP and telecommunications.

    4. Re:Lock Down Your Phones, People! by mercutioviz · · Score: 1

      Kasparov, I am in total agreement with you. Putting FreeSWITCH into an insecure environment isn't a "complete solution" by any stretch, and that certainly wasn't my point. Like mishehu mentioned in his post, I believe in using the best tools available and using them properly with good security best practices. FreeSWITCH is simply a better tool in many cases. (Note that I said "in many cases" and not "in ALL cases")

      VoIP is an enabling technology, and like all enabling technology both consumers and criminals get "enabled." The technologist has the fun job of balancing security with functionality. I prefer to make that job a little bit easier by utilizing the best tools for the job at hand.

      -MC

  12. Complete crap by screeble · · Score: 4, Insightful

    What a load of crap. Asterisk developers patch security holes relatively quickly. This isn't an Asterisk "endemic."

    Brute forced passwords are a bad administrator "endemic."

    If your password policy is so stupid that you can be wordlisted then the issue may just be a PICNIC problem and not a fault of an application.

    Asterisk isn't a security application. It's an enterprise-grade VoIP server and PBX.

    Connecting Asterisk to a public network without some sort of border control is just stupid.
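    screeble's point above is that wordlisted SIP secrets and an unfiltered public SIP port are administrator failures. As an added example (not code from Asterisk, Digium or this thread), here is a small defender-side Python check: it flags any source that racks up registration failures inside a sliding window over constructed Asterisk-style log lines, and audits sip.conf-style secrets that a wordlist or the peer name itself would recover. The log line shape, thresholds and wordlist are assumptions to adjust for the version you run.

```python
"""Added example: spot SIP registration brute force in Asterisk-style logs and
audit sip.conf secrets that a wordlist would find. Not Asterisk's own code."""
import re
from collections import defaultdict, deque
from datetime import datetime

# Matches the chan_sip "Registration from ... failed for ..." notice. The shape is an
# approximation of what Asterisk 1.4/1.6 writes to the messages log; check it against
# the exact wording of the version you run before relying on it.
FAILED_REG = re.compile(
    r"^\[(?P<ts>[^\]]+)\]\s+NOTICE\[\d+\].*?Registration from '(?P<from>[^']*)' "
    r"failed for '(?P<ip>[\d.]+)(?::\d+)?'\s+-\s+(?P<reason>.+)$"
)
TS_FORMAT = "%b %d %H:%M:%S"  # e.g. "Jan 19 14:02:11" (default log format has no year)

# Tiny illustrative wordlist; a real check would use a proper list or an entropy estimate.
WEAK_SECRETS = {"1234", "password", "secret", "asterisk", "changeme"}


def parse_failed_registration(line):
    """Return {'ts', 'ip', 'user', 'reason'} for a failed-registration notice, else None."""
    m = FAILED_REG.match(line)
    if m is None:
        return None
    return {
        "ts": datetime.strptime(m.group("ts"), TS_FORMAT),
        "ip": m.group("ip"),
        "user": m.group("from"),
        "reason": m.group("reason").strip(),
    }


def find_bruteforce_sources(lines, threshold=5, window_seconds=60):
    """Map source IP -> peak failure count for IPs with >= threshold failures inside
    any sliding window of window_seconds. A phone with a typo never trips it; a
    wordlist run against an exposed SIP port does."""
    recent = defaultdict(deque)   # ip -> timestamps of failures still inside the window
    flagged = {}
    for line in lines:
        ev = parse_failed_registration(line)
        if ev is None:
            continue
        q = recent[ev["ip"]]
        q.append(ev["ts"])
        while (ev["ts"] - q[0]).total_seconds() > window_seconds:
            q.popleft()
        if len(q) >= threshold:
            flagged[ev["ip"]] = max(flagged.get(ev["ip"], 0), len(q))
    return flagged


def audit_sip_secrets(conf_text, min_length=12):
    """Walk sip.conf-style text and return (peer, problem) for every secret that a
    wordlist, or a guess of the peer name, would recover."""
    problems = []
    peer = None
    for raw in conf_text.splitlines():
        line = raw.split(";", 1)[0].strip()      # ';' starts a comment in sip.conf
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            peer = line[1:-1]
            continue
        key, sep, value = line.partition("=")
        if not sep or peer is None:
            continue
        key, value = key.strip(), value.lstrip(">").strip()   # accept "secret=>x" too
        if key != "secret":
            continue
        if value.lower() in WEAK_SECRETS or value == peer:
            problems.append((peer, "secret is in wordlist or equals peer name"))
        elif len(value) < min_length:
            problems.append((peer, "secret shorter than %d chars" % min_length))
    return problems


# Constructed sample data using RFC 5737 test addresses, not captured from a real system.
SAMPLE_LOG = """\
[Jan 19 14:02:11] NOTICE[2231] chan_sip.c: Registration from '"100" <sip:100@192.0.2.10>' failed for '198.51.100.7' - Wrong password
[Jan 19 14:02:12] NOTICE[2231] chan_sip.c: Registration from '"101" <sip:101@192.0.2.10>' failed for '198.51.100.7' - No matching peer found
[Jan 19 14:02:13] NOTICE[2231] chan_sip.c: Registration from '"102" <sip:102@192.0.2.10>' failed for '198.51.100.7' - Wrong password
[Jan 19 14:02:14] NOTICE[2231] chan_sip.c: Registration from '"200" <sip:200@192.0.2.10>' failed for '192.0.2.55' - Wrong password
[Jan 19 14:02:15] NOTICE[2231] chan_sip.c: Registration from '"103" <sip:103@192.0.2.10>' failed for '198.51.100.7' - Wrong password
[Jan 19 14:02:16] NOTICE[2231] chan_sip.c: Registration from '"104" <sip:104@192.0.2.10>' failed for '198.51.100.7' - Wrong password
[Jan 19 14:02:17] NOTICE[2231] chan_sip.c: Registration from '"105" <sip:105@192.0.2.10>' failed for '198.51.100.7' - Wrong password
[Jan 19 14:02:40] VERBOSE[2231] pbx.c: -- Executing [s@default:1] Answer("SIP/200-00000001", "") in new stack
"""

SAMPLE_CONF = """\
[general]
context=default
[100]
secret=100            ; equals the peer name
[101]
secret=1234           ; in every wordlist
[102]
secret=Tr0ub4dor&3xyz ; long enough for this check
[103]
secret=>short1        ; too short
"""

if __name__ == "__main__":
    for ip, n in find_bruteforce_sources(SAMPLE_LOG.splitlines()).items():
        print("brute force suspected from %s (%d failures in window)" % (ip, n))
    for peer, problem in audit_sip_secrets(SAMPLE_CONF):
        print("peer [%s]: %s" % (peer, problem))
```

    The single failure from 192.0.2.55 stays below the threshold, which is the point of the window: block or alert on the source that hammers, not on the user who mistypes once.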

    1. Re:Complete crap by Anonymous Coward · · Score: 0

      It doesn't help that, if you want to run Asterisk as non-root, you actually have to compile it to do so. All of the repos and asterisk-based distros that I know of install it to run with root permissions.

    2. Re:Complete crap by screeble · · Score: 2, Informative

      Agreed. Couple that fact with the fact that a lot of the repos I've seen are built off of older iterations of the Asterisk code and it's a recipe for disaster. For example, Ubuntu has Asterisk 1.4.21.2 in the repository right now. This is directly exploitable:

      http://downloads.asterisk.org/pub/security/AST-2009-003.pdf

      If you run code out of repos without understanding the risks that's still an admin fail, though. Not the fault of Asterisk, per se.

    3. Re:Complete crap by diego.viola · · Score: 1, Interesting

      Asterisk is by no means a carrier-grade server, and it has many problems; these problems include bugs, deadlocks, etc.

      You probably never worked in the telecom field to say that; the fact is that there is a much better alternative, and that alternative is FreeSWITCH.

      Just take a look at this:

      "How does FreeSWITCH compare to Asterisk?"
      http://www.freeswitch.org/node/117

    4. Re:Complete crap by screeble · · Score: 2, Interesting

      I work in engineering design for an ILEC and admin Asterisk on a day-to-day basis within our test facilities.

      I completely agree that Asterisk is not carrier-grade but that doesn't negate the fact that it's being used for carrier-grade applications by many operators.

      Hell, most linux distros aren't carrier grade. We're not arguing that point. I agree completely.

      To me, Asterisk is a perfect drop-in replacement for a legacy pbx when serving in-house sip clients. Perhaps saying the app is enterprise-class is a bit lofty?

      Errors in terminology aside... We're on the same side.

      FreeSwitch is nice but doesn't fix the bad admin issue which is really what the original article is about.

    5. Re:Complete crap by diego.viola · · Score: 2, Informative

      Linux is ok for carrier-grade in my opinion, at least it's very stable and performs well.

      I can't say the same about Asterisk, really, because I had many bad experiences with it; some of these bad experiences include: deadlocks, crashes, transcoding problems, corrupted sound issues, etc.

      I work in the telecom industry as well and I was an Asterisk user who migrated to FreeSWITCH for the reasons that it is more stable and performs better. I have also worked for companies such as Teliax Inc, etc. I'm also starting my own company for offering VoIP/telecommunication services and I'm going to use Linux and FreeSWITCH; some of these companies (Teliax Inc, Flowroute, etc) have also moved to FreeSWITCH for the same reasons.

      I recommend that you look at FreeSWITCH if you are in the VoIP industry; you will be amazed at how great it is.

    6. Re:Complete crap by screeble · · Score: 2, Interesting

      DISCLAIMER: I sometimes use ubuntu server so I can't really point any fingers re: CGL

      Be careful, "ok for carrier-grade" isn't the same as being CGL 4.0 compliant. There are only a handful of certified CGL's.

      http://www.linuxfoundation.org/collaborate/workgroups/cgl

      I've personally had great experiences with Asterisk but we're using it in a completely nonstandard (if there is such a thing) way.

      We do a lot of code hacking to emulate customer troubles with presentation, etc.

      For us, it's great and filled our needs way better than a commercial offering that would have done the same but with a boatload of cash.

      We don't deploy Asterisk as a vendor to clients so I can't comment on production viability.

      (Ironically, I just got pinged by some of our security people regarding the latest exploit and now have some code to update.)

      Oh yeah: The views expressed in this post (and any other post I've made in this thread) are mine alone and do not necessarily reflect the views of my employer.

    7. Re:Complete crap by rantingkitten · · Score: 3, Insightful

      Most of the security problems I've seen actually exploited are not a problem with asterisk as such, or even border control, but of retarded admins. For example, many IP phones expect to connect to a fileserver of some sort and download some xml files containing their SIP information. Admins will routinely just create an ftp account somewhere, using the default login and password of the phones, and dump the files there. They'll frequently allow that ftp user to have shell access too, or forget to disable directory listing on the ftp directory, or do anything else that resembles common sense and security.

      It would be trivial to portscan far and wide, find some asterisk boxes, and exploit these terribly common mistakes made by clueless admins. I have demonstrated to clients how I was able to log into their server armed only with the knowledge of what the default ftp username and password are, then download all their users' config files containing all the information I'd need to fraudulently use their phone lines. Sometimes it takes a dramatic demonstration like that to make people wake up.

      --
      mirrorshades radio -- darkwave, industrial, futurepop, ebm.
    8. Re:Complete crap by kasparov · · Score: 1

      You don't have to compile asterisk any differently to run it as non-root, you just have to set up the permissions on files/directories appropriately and set runuser/rungroup in asterisk.conf.

      --
      There's no place I can be, since I found Serenity.
    9. Re:Complete crap by kasparov · · Score: 2, Interesting

      I remember you...you were that guy that spammed the asterisk bug tracker saying that people should switch to FreeSWITCH on about 10 different bugs. Nice to see that some things never change.

      --
      There's no place I can be, since I found Serenity.
    10. Re:Complete crap by spiffmastercow · · Score: 4, Interesting

      True enough about the admin fail.. But it sucks as a developer to work with software like that. I have to be both the admin and the developer for a small asterisk IVR, and it's really frustrating to have to dick with all the permissions just to get started coding. It should come relatively secure by default, in a repo with a reasonable update schedule. Don't get me wrong, Asterisk is a great tool, but there's definitely times when I get that "duct tape and shoe string" impression when I'm coding apps for it.

    11. Re:Complete crap by kasparov · · Score: 2, Interesting

      I've used Asterisk in installations with 10s of thousands of users--and this was probably 4 years ago or so. It certainly wasn't initially designed for it--but it will most certainly do the job if you are willing to put in the work. And it is light years ahead of where it was when I was using it for carrier-grade operations.

      Don't get me wrong, there are certainly things that need improvement--especially in the area of being able to do live migrations and failover w/o dropping calls, but there are some truly massive Asterisk installations out there.

      --
      There's no place I can be, since I found Serenity.
    12. Re:Complete crap by Anonymous Coward · · Score: 0

      I was just trying to help these guys, as almost all of the bugs that I posted on http://issues.asterisk.org never got fixed and got closed for no reason. I had to help them know that a much better alternative exists, an alternative where developers actually listen to their users and treat them with more respect.

      And yes, I will continue to encourage and tell people about how great FreeSWITCH is, and I will continue to tell people how great it is, and your comment doesn't only tell me that you are pissed, but that you Asterisk guys are annoyed about the existence of FreeSWITCH.

      So get used to it and good luck.

    13. Re:Complete crap by screeble · · Score: 2, Informative

      Have you looked at http://packages.digium.com/ or maybe about checking out the svn branch for the version you are using?

      You didn't say what distro you use but if it's YUM-capable that might be an option.

      Personally, I'm against precompiled binaries for Asterisk. Asterisk source doesn't have any configs at all other than samples. It's up to the admin to correctly configure the server. I like sticking to SVN as it allows me to make changes and also stay up to date. It's not perfect and I highly advise regression testing the code if you go that route as svn does sometimes break. Just stay out of the bleeding-edge branches.

      IMHO the biggest mistake someone can make with Asterisk and security is downloading the source and doing the "make install samples" portion of the install. It seems like often those are the generic confs I've run across when looking at a pre-existing repo version.

      Hand-tuned confs don't load needless modules and also eliminate a lot of security holes. Running asterisk -c over and over again until you get things working does actually suck but in the end is worth the effort. I wonder how many installs out there still have the stupid demo cruft in their production dialplans?

    14. Re:Complete crap by mercutioviz · · Score: 1

      Kasparov,

      My apologies for Diego. While we appreciate his enthusiasm we (the FreeSWITCH community) abhor his behavior online. It is not condoned by the FS devs who've had to chastise him multiple times. Please ignore him when he goes off like that.

      -MC

    15. Re:Complete crap by screeble · · Score: 2, Interesting

      I'm beginning to think you are just a jerk. Perhaps it's your interaction with devs that should be called into question?

      Some of your bugs look like they got a lot of good attention despite the fact that your reports are terrible...
      http://www.google.com/search?q=%22diego.viola%22+site%3Aissues.asterisk.org

      Your bug reports are often not well documented or easily duplicated.

      I've had excellent traction on bugs and issues from the asterisk dev teams.

      I even go on IRC occasionally and ask really oddball what-if questions that get answered smartly.

    16. Re:Complete crap by kasparov · · Score: 1

      Yeah, like I said in another post--there are lots of great people and developers (I *suppose* developers are people too) in both the FS and Asterisk communities (in fact there is a decent amount of overlap). His behavior is in no way typical of the FS people I've dealt with.

      --
      There's no place I can be, since I found Serenity.
    17. Re:Complete crap by Anonymous Coward · · Score: 0

      I agree. Asterisk is complete crap.

    18. Re:Complete crap by screeble · · Score: 1

      It is but it's so flexible. I have a lot of fun emulating carrier's broken VoIP calls into our network with Asterisk.

      No scalability, drops calls during a reboot, causes alarms on SBCs, no HA, load balancing requires a session director (perhaps another asterisk) of some sort.

      The code is not pretty. Asterisk and SIPp make a pretty good testbed, though. The T.30 to T.38 passthrough in 1.6.1 with the digium plugin is pretty cool.

      Faxing from a web page to a land line is fun.

    19. Re:Complete crap by screeble · · Score: 1

      It's worse than that, actually. Cisco 7960's are pretty brain dead. They pull their configs off tftp based on the mac address. Flip the phone over and write down some digits and you're halfway there. Keys to the kingdom on the bottom of the phone.

    20. Re:Complete crap by Anonymous Coward · · Score: 0

      Asterisk needs an SBC?
      So bad.
      FreeSWITCH is both a PBX/Softswitch/SBC/... and auto-protected.

  13. undoing moderation by Rashan · · Score: 2, Funny

    posting to undo incorrect moderation. nothing to see here, move along...

    --
    Insert witty .sig HERE.
  14. Just use FreeSWITCH instead of Asterisk by diego.viola · · Score: 1

    Why someone would still use Asterisk is beyond me, just use FreeSWITCH, it's a much better alternative.

  15. Answering the question in your .sig by Anonymous Coward · · Score: 0

    Please post the stock symbol of a highly profitable healthcare insurance company. I want to invest but can't find one.

    All of them are highly profitable, even after all the paper shuffling, congressional payola, and obscene executive compensation and bonuses.

    I recommend MetLife, MET, 3.2 billion in profits this year and rising, number 39 in the Fortune 500, and rising.

    Some people prefer UNH, the largest of the whales, number 21 in the 500 and rising, but they only saw 2.9 billion in profits once they'd paid for all the cheesesteaks and blowjobs for the executive officers.

    If you want to make some real money you want to invest in gigantic drug companies, though - they are the only ones with a chance of knocking the telcos and oil magnates off their bloody thrones.

    1. Re:Answering the question in your .sig by Anonymous Coward · · Score: 0

      MET = losing money. Profit margin -0.71% But I agree, they might be a "buy" at these prices.

      UNH = not "wildly profitable". Profit margin 4.2%

      MSFT and AAPL are over 20% and 15% profit margin, respectively.

      Drug companies, on balance, at whatever profit margin, provide a net benefit to mankind. Even if you, personally, don't get any benefit. I submit to you, the poorest among us today can get better health care than kings could, only a few generations back.

      Giving the profit motive to drug companies now, provides the commodity cures for the masses of the future.

  16. FBI doesn't care by Anonymous Coward · · Score: 0

    One of my clients got hacked and was being used for a vishing attack. I called the FBI and was passed around and around because no particular office wanted the case. The client had set up SIP devices with the same name and secret and had not limited them to a specific IP range. Not a good idea.

    In a more blatant case, someone purchased a toll free number 1 digit away from one that I own and was using a legitimate carrier to process incoming calls. Once again, I notified the authorities after people were misdialing the number and reaching me, and the case was too complex for them to handle.

    1. Re:FBI doesn't care by gujo-odori · · Score: 1

      The FBI cares, and the Secret Service is also involved in the investigation and prosecution of things related to phishing (carding, for example), but it can be hard to get to the right people.

      The Anti-Phishing Working Group may (or may not, I'm uncertain) have some contact info for the right parties.

      Before you ask why I didn't provide a link, it's because that would be such a good place to put a link leading to a drive-by download of malware. Don't trust links on Slashdot, look it up for yourself.

  17. not just asterix by Anonymous Coward · · Score: 0

    I've been noticing in my firewall logs a lot of attacks with strange user names (not the usual root and test etc.)

    When I googled it I found out it was a default system account for some commercial VOIP product. Seemed not very useful to me at the time, but now I get it.

  18. Please be careful by mercutioviz · · Score: 1

    Remember, just dropping FreeSWITCH into an insecure environment isn't a solution. As systems integrators we still have to do our due diligence for security. Locking down Asterisk installs is always a good policy.

    I think the real question is why there are so many Asterisk-based systems out there with little or no security in place. My guess is that it's because a lot of people just download it and throw it onto a customer's site. Oopsie.

    The advantage that FreeSWITCH gives is that it makes security easier. Note that I said "easier" and not "automatic." If you don't think about security then you will hear about your FreeSWITCH system getting hacked, or vished, or whatever.

    Like I said in a previous post: lock it down, people! I also agree that people shouldn't be entering their PIN codes on any incoming call, EVER. However, that doesn't absolve all of these foolish PBX installers (Asterisk or other) from their sin of failing to lock things down.

    -MC

  19. Phone Phishing by gd2shoe · · Score: 2, Insightful

    Phone Phishing. That way it's clear, and you get an alliteration as a bonus.

    --
    I won't join Slashcott. OTOH, If Beta goes live, I just won't be back until it's fixed. Sorry Dice.
    1. Re:Phone Phishing by misof · · Score: 2, Funny

      Yeah, but if you keep the current naming scheme, you get to call the incompetent bank employees "vankers" :)

  20. Language Problems? by ndunnuck · · Score: 1

    "You keep using that word. I do not think it means what you think it means." I'm not entirely sure anyone here knows what "endemic" means. "Endemic" is not newsworthy, unless we've been searching and searching for where these vishing attacks come from. "Pandemic" might be newsworthy. Or "epidemic" might be newsworthy. "Endemic" not so much.

    1. Re:Language Problems? by misof · · Score: 1
  21. Verevolves! by AioKits · · Score: 1

    Werewolves?
    There...Volves!

    --
    "Quote me as saying I was mis-quoted." -Groucho Marx
  22. Adaptation by Anonymous Coward · · Score: 0

    Our continued technological advancement is having a transformative impact on our way of life (duh). We are creating a world in which one needs ever-higher levels of intelligence (and, more importantly, critical-thinking capacity) just to survive.

    Back in the good old days the majority of the human race didn't need to know much more than how to farm (with very simple farming technologies). The intellectual problems they faced weren't very sophisticated.

    Today, a seemingly harmless deed like giving an account number (which doesn't really seem secret since it gets printed on checks and stuff) over the phone can result in someone losing everything they had worked for all their lives, and having ruined credit on top of it.

    How does one protect themselves from this scam? Knowing the details of this specific scam is not sufficient. There are a whole host of other scams with different details. One must protect one's self from the entire class of scams, and the only way to do that is to have a basic knowledge of how "the system" works (whichever system is in question) as well as a basic capacity to think before one acts and determine if the action being requested is actually likely to be necessary, and whether or not it might be risky. There are also judgments one must make about when one can and cannot trust the voice on the other end of the phone, when one does and does not realistically have a choice, and so on.

    All of these mental activities require mature and insightful brains. Education (as to the details of "the system") is also a necessary condition, but not a sufficient condition, for personal safety.

    Some people believe that critical thinking ability is more hereditary than learned. I am no geneticist, but whether it is nature or nurture the bottom line remains: there is a class of person who was born and raised in a technologically advanced nation, but is not mentally capable of surviving in this nation. And this class of person is going to be (slowly and painfully) purged from the human condition because of this.

  23. Digium says: Protocol, not program by Rememberthisname · · Score: 3, Informative

    So as is unfortunately typical, some of the quotes I made have of course been taken out of proportion. My quote was not that "Asterisk attacks are endemic", but that SIP-based brute force attacks are endemic. Every SIP system that is open to the "public" Internet is seeing large numbers of brute-force attacks. Sites that have weak username and weak password control will be compromised - this is little different than email accounts being taken over by password-guessing systems and used for sending floods of email. The significant difference is that when someone takes over a SIP platform to make outbound calls, there is usually a direct monetary cost, which gets people's attention very quickly. I hear reports of these types of attacks now all the time - it's not unusual, and it's not just Asterisk. We had a blog about this a year ago; this is just a re-packaging of the same news a year later, when recently I unsurprisingly said that attacks are no longer even newsworthy because they're so frequent (hence, the term "endemic".) Apparently, not being newsworthy means... it's newsworthy!

    This has little to do with Asterisk other than it happens to be the most prevalent SIP-based platform on the Internet currently. It has everything to do with protocol attacks by script kiddies, or more professional attackers. Bad passwords = easy penetration. The upside on this is that it yet again gets the attention of administrators who might not otherwise know that their password of '1234' might be guessed by criminal users.

    The bug that was mentioned? Old news. Really, really old news. And really not even that much of a threat for most people the way they have their systems configured even if they haven't upgraded.

    Asterisk, Broadsoft, Cisco, Kamailio, OpenSER, FreeSwitch, Avaya - they're all vulnerable to the brute force attacks if adequate network and username/password security is not implemented. There are ways to minimize, if not eliminate these threats with very standard security policies that should be familiar to any network administrator (ACLs, random passphrases, random client usernames, adequate exception logging, and limits on account usage, to name a few.)

    Just as an aside, the Digium SwitchVox platform, which is our commercial re-packaging of Asterisk, has as an element of its GUI a tool that indicates the relative strength of passwords. We'd encourage any other re-packagers or users of Asterisk to implement a similar UI hint that forces good password behavior by users and local admins. It's really not something that can be done in the core of Asterisk; it has to be done by whatever is the layered UI on top of Asterisk for configuration, or just by good policy.

    http://blogs.digium.com/2009/03/28/sip-security/
    http://blogs.digium.com/2008/12/06/sip-security-and-asterisk/

    John Todd - jtodd@digium.com
    Digium, Inc.
    Asterisk Open Source Community Director
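    The "adequate exception logging" item in the list above, as an added example that is not part of the thread and is not Digium's or Asterisk's code: a Python script that reads the NOTICE lines chan_sip writes on failed REGISTER attempts, counts failures per source address in a sliding window, and reports how many distinct usernames a source has tried, which separates a brute-force run from a user mistyping a password. The sample log lines, addresses, timestamps, threshold and window are all constructed or assumed values.

```python
"""Flag SIP REGISTER brute-force runs in Asterisk's chan_sip log output.

Added example, not code from the page, Digium or the Asterisk project.
It consumes the NOTICE lines chan_sip writes to /var/log/asterisk/messages
on failed registrations; the sample lines below are constructed.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Failed-registration NOTICE line (the ":port" suffix on the source appears in newer releases):
#   [Oct 21 10:15:02] NOTICE[2345] chan_sip.c: Registration from '"1000" <sip:1000@pbx.example.net>' failed for '198.51.100.7:5060' - Wrong password
FAILURE_RE = re.compile(
    r"^\[(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2})\] NOTICE\[\d+\] chan_sip\.c: "
    r"Registration from '(?P<from>[^']*)' failed for '(?P<src>[0-9.]+)(?::\d+)?' - (?P<reason>.*)$"
)
USER_RE = re.compile(r"sip:([^@>]+)@")


def parse_failure(line, year=2009):
    """Return (timestamp, source_ip, username, reason) for a failed-registration line, else None.

    Asterisk's default log stamp carries no year, so the caller supplies one (2009 is assumed here).
    """
    m = FAILURE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m.group('ts')}", "%Y %b %d %H:%M:%S")
    u = USER_RE.search(m.group("from"))
    return ts, m.group("src"), u.group(1) if u else "?", m.group("reason")


class BruteForceDetector:
    """Per-source sliding window over failed registrations.

    A source is reported once it accumulates `threshold` failures inside `window` seconds.
    The report also carries how many distinct usernames the source tried: one address walking
    1000, 1001, 1002, ... is enumerating accounts, not mistyping a password.
    """

    def __init__(self, threshold=5, window=60):
        self.threshold = threshold
        self.window = timedelta(seconds=window)
        self.recent = defaultdict(deque)   # source ip -> failure timestamps still inside the window
        self.users = defaultdict(set)      # source ip -> every username that source has tried
        self.reported = set()

    def feed(self, line):
        """Consume one log line; return an alert dict the first time a source crosses the threshold."""
        rec = parse_failure(line)
        if rec is None:
            return None                    # not a failed registration (e.g. a successful REGISTER)
        ts, src, user, reason = rec
        window = self.recent[src]
        window.append(ts)
        self.users[src].add(user)
        while ts - window[0] > self.window:
            window.popleft()               # drop failures that have aged out of the window
        if len(window) >= self.threshold and src not in self.reported:
            self.reported.add(src)
            return {"src": src, "failures": len(window), "distinct_users": len(self.users[src]),
                    "first": window[0], "last": ts, "last_reason": reason}
        return None


def scan(lines, threshold=5, window=60):
    """Run the detector over an iterable of log lines and return {source_ip: alert}."""
    det = BruteForceDetector(threshold, window)
    alerts = {}
    for line in lines:
        alert = det.feed(line)
        if alert:
            alerts[alert["src"]] = alert
    return alerts


def _fail(stamp, user, src, reason):
    # Build one constructed chan_sip failure line in the format parsed above.
    return (f"[{stamp}] NOTICE[2345] chan_sip.c: Registration from "
            f"'\"{user}\" <sip:{user}@pbx.example.net>' failed for '{src}' - {reason}")


# Constructed sample: one legitimate typo from 192.0.2.10, a slow drip from 203.0.113.9
# (five failures, never five inside one minute) and a burst from 198.51.100.7 walking
# sequential usernames, which is what a scanner does against a SIP port open to the Internet.
SAMPLE_LOG = [
    _fail("Oct 21 10:00:00", "100", "203.0.113.9", "Wrong password"),
    _fail("Oct 21 10:14:50", "1001", "192.0.2.10:5060", "Wrong password"),
    "[Oct 21 10:14:55] VERBOSE[2345] logger.c:     -- Registered SIP '1001' at 192.0.2.10:5060",
    *[_fail(f"Oct 21 10:15:0{i + 2}", str(1000 + i), "198.51.100.7:5060",
            "Wrong password" if i == 1 else "No matching peer found") for i in range(6)],
    _fail("Oct 21 10:20:00", "100", "203.0.113.9", "Wrong password"),
    _fail("Oct 21 10:20:30", "100", "203.0.113.9", "Wrong password"),
    _fail("Oct 21 10:20:59", "100", "203.0.113.9", "Wrong password"),
    _fail("Oct 21 10:21:10", "100", "203.0.113.9", "Wrong password"),
]

if __name__ == "__main__":
    for src, a in scan(SAMPLE_LOG).items():
        print(f"ALERT {src}: {a['failures']} failed registrations between {a['first']:%H:%M:%S} "
              f"and {a['last']:%H:%M:%S}, {a['distinct_users']} usernames tried "
              f"(last reason: {a['last_reason']})")
```

    Feeding the real messages file line by line into `BruteForceDetector.feed` is enough to turn the alert into a firewall ACL update or a ticket; the window and threshold are the knobs to tune against a site's own rate of honest typos.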

    1. Re:Digium says: Protocol, not program by mercutioviz · · Score: 1

      John,

      Thanks for chiming in. You are correct that attacks are not discriminating against only Asterisk or only OSS. Also, thanks for telling us what you actually said as opposed to what was reported. Maybe at next year's ClueCon you can give a talk on this subject? The FreeSWITCH footprint is much smaller than Asterisk's and other vendors' so it would be interesting to us to hear about the kinds of attacks you've seen and what kinds of measures you put into place to combat those attacks.

      -MC

    2. Re:Digium says: Protocol, not program by Carnildo · · Score: 1

      Just as an aside, the Digium SwitchVox platform, which is our commercial re-packaging of Asterisk, has as an element of its GUI a tool that indicates the relative strength of passwords. We'd encourage any other re-packagers or users of Asterisk to implement a similar UI hint that forces good password behavior by users and local admins.

      There's no good algorithm for telling the strength of a password (password strength is related to the Kolmogorov complexity of the password, which is incomputable), and every password-strength indicator I've seen uses heuristics that either accept weak passwords ("Password1" is strong because it's nine characters, a mix of upper- and lower-case, and has a non-letter) or reject strong passwords ("this password is very very strong even though it only contains lowercase letters because it is a long password and plain english has between one and two bits of randomness per letter").

      --
      "They redundantly repeated themselves over and over again incessantly without end ad infinitum" -- ibid.
    3. Re:Digium says: Protocol, not program by Qwell · · Score: 1

      I'm not familiar with how Switchvox determines the strength of a password, however...

      It should strike everybody here as obvious that '1234' on an account '1234' would be a poor password. I could say with some confidence that 'apple' would be universally considered to be a poor password, just based on it being a common dictionary word.

      Unfortunately, there are many people who don't share this understanding. It most certainly isn't unique to VoIP.

      --
      As of 10/06/03, I hate COBOL developers.
    4. Re:Digium says: Protocol, not program by cheros · · Score: 2, Interesting

      John, one of the ways I got people to use "good" passwords is by getting them a Yubikey and setting it to static mode. It then always generates the same password instead of an OTP, but it's a very long one and as it pretends to be a keyboard it types it in itself. The challenge is always to make it long enough to be safe, but short enough to actually fit in the entry field.

      It is a simple way to both SET a decent password and to preserve that setting in other than a file..

      Just a tip, and no, I don't work for Yubico. I just got one to play with and I like it (must go and buy some)..

      --
      Insert .sig here. Send no money now. Owner may sue, contents will settle. Batteries not included.
  24. A new name...Why ? by Archfeld · · Score: 1

    How about thieves, frauds, con-men, or scam artists?? I find it hard to believe this is actually a problem. Is there REALLY anyone out there STUPID enough to give up your PIN? C'mon folks, the real bankers don't need it to do what they do. ANYONE asking for your PIN is a thief, plain and simple. If you give anyone your PIN other than your more significant half you are a fool of the worst possible kind, and likely deserve what is coming to you. Tell your parents and grandparents that there is NEVER an emergency or occasion to give up the PIN...NEVER.

    --
    errr....umm...*whooosh* *whoosh* Is this thing on ?
  25. Vulnerabilities are the nature of appliances by thatkid_2002 · · Score: 1

    I think part of the reason this vulnerability still exists in the wild is because of the appliance style deployment of Asterisk implementations. I believe the term is "Once you have MythTV set up DO NOT FIDDLE WITH IT!!!". Oops, I meant Asterisk not MythTV. Same difference. Not fiddling often involves not updating.

  26. [OT] Re:Complete crap by kasparov · · Score: 3, Insightful

    No, I was just annoyed at your impolite behavior at the time with all of the spamming. Then I noticed this story and saw that you are still at it. I'm glad you found a solution that works for you. Many people have also found other solutions that work great for them, including Asterisk.

    Part of having such a huge user community is that the Asterisk devs have 100s of feature requests or bug reports at any given time. If someone is having a problem that is only having an effect on a very small number of people, sometimes it takes longer to fix than other problems. Everyone has to prioritize.

    Also, the quality of the debugging information that is presented is a major factor in how long it takes to get a problem fixed. This is a good example of 3 or 4 actual Asterisk developers trying to work on one of your issues and you being rude to them and not giving them the debug information they requested.

    I understand that having an issue that is affecting you take a while to get closed is annoying, but something being open for a week with no real information provided to help track it down is certainly no reason to react the way you did.

    And us Asterisk users aren't pissed about FreeSWITCH existing--that is just silly. The more choices out there, the better! We just don't like people coming over and shouting YOU SUCK and doing the equivalent of spray painting our walls with "FreeSWITCH RULEZ!" like you did with the bug tracker. That is just childish. There are many excellent and polite freeswitch users and developers--I just don't think that you are one of them.

    --
    There's no place I can be, since I found Serenity.
    1. Re:[OT] Re:Complete crap by diego.viola · · Score: 1

      Hello,

      I admit that I was childish and impolite and that some of my bug reports lacked information; I apologize for all that... part of why I acted like that was that I got treated the same way in #asterisk when I was only trying to be nice and ask for help. I won't give names, but I felt sad after that and that's what made me act like that and put me off from the project, not really the software or bugs because I know that's all solvable.

      I tried to make peace with some of the Asterisk people and they have not told me anything, although I don't blame them and I understand. Asterisk is a cool project and I would still use it, I have no problems with it; maybe I only got a bit sensitive about some of the harsh comments I received, but that's it.

      Peace out.

      Diego

    2. Re:[OT] Re:Complete crap by kasparov · · Score: 1

      Sorry to hear you had trouble. I suppose every project attracts some people who aren't the most patient with newcomers--and that is always a shame. I can certainly understand being irritated by that. I am glad that you found a project that works for you.

      --
      There's no place I can be, since I found Serenity.
    3. Re:[OT] Re:Complete crap by Anonymous Coward · · Score: 0

      I'm an Asterisk user and supporter who follows FreeSWITCH development. I was glad when this topic came up recently on their (FreeSWITCH users') mailing list.

      http://lists.freeswitch.org/pipermail/freeswitch-users/2009-October/020367.html

      FreeSWITCH developers and community members should Google "How Open Source Projects Survive Poisonous People (And You Can Too)." Give it a read and do something about it.

      Meanwhile, I've learned to stop feeding the trolls.

  27. Vishing and hoping by lennier · · Score: 2, Funny

    'Vishing', eh? Vot are we going to call 'video phishing'?

    Pishing?

    --
    You are not a brain: http://books.google.com/books?id=2oV61CeDx-YC
  28. You're not getting in MY Asterisk setup by Centurix · · Score: 1

    So vuck you.

    --
    Task Mangler
  29. Diego by screeble · · Score: 1

    Hi Slashdot. I'm very sorry, but I fed the troll and I'll try not to do it again.

    I've done a bit of research into this Diego fellow and I'd just like to apologize publicly for feeding the troll. You would think with a six-digit ID I'd been around long enough to recognize someone poking through the cage bars but Diego's agenda was well hidden at first and I fell hook, line and sinker.

    Evidently, he got pissed off at some Asterisk developers back in the day and he's had a hate on ever since. He's now a Freeswitch fanboi and his lunacy outweighs that of any PC vs. Mac user.

    He classifies himself as a FreeSWITCH engineer in job boards but I can't see how this could be helpful to his career in any way based on the way he presents himself in a public forum.

    At any rate, even the FreeSWITCH people don't really like him so I'm going to ignore him from now on.

    Again, sorry... I'll be more careful in the future.

    1. Re:Diego by diego.viola · · Score: 1

      So you are trying to attack me personally this time?

      How low on your part. I think that comment tells a lot more about you than me, actually.

    2. Re:Diego by Anonymous Coward · · Score: 0

      I was an Asterisk developer (and in my migration process to FreeSwitch). Asterisk "Real dev" (Digium/Mark) is the big problem behind it. We tried to many times for years to get thing changes and improved, but never succeed to get them to acknowledge it. We even have video proof of this ! Now having other very fast growing competition to Asterisk have help force the hand of the dev, but still, the foundation on witch * rely is not really good, and to fix it would require pretty much a rewrite. So some developer decided to do this 3 year ago and we have something ready now that offer much much more.

      You have to understand that having their patch sit on the bug trackers for YEARS !!! And getting ask to update it every month is not healthy and it get to a point of no return. And this was problem for anyone who wasn't working at digium or wasn't in bed with digium in some way or another. So you understand why we do really say to people to move away from * or not even learn it, there is better solutions out there that are finally ready and surpassing feature wise.

      This will be my only post about this, no need to continue the discussion, but I'm telling you that Diego is not alone in carrying the Asterisk scars, and once you find a cure for it, you do not want other people ending up with the same scars you got. I resist telling people publicly to move away from FreeSwitch because of people like you who, instead of saying reasons why Asterisk is not problematic, just flame people who offer alternatives.

    3. Re:Diego by voipworld · · Score: 1

      hi, are you bad? do you know freeswitch? what is freeswitch? right, asterisk will to by attacked more personally i hate asterisk because their bad eventing engine, shell commands, CDR formats, SIP and other protocol stacks, bad real time integration, very bad AMI and other unlimited bad stuffs freeswitch maintain all that freeswitch run in win32, unix, linux, mac, *bsd, solaris, arm and other platform natively and will to by ported to all all all and all running platforms thank to mikeJ the build and multi platform guru asterisk is bad because no win32 port anymore need cygwin the fact that #asterisk is full of hostile people hostility in #asterisk the fact that asterisk has deadlocks, and a hostile user community... "An example of the hostility in the asterisk community is how they treat Diego, and that's why Diego reacts against them, Diego is a very good person." freeswitch let you do ZRTP, SSL, TLS and TCP asterisk don't do TCP/TLS except for 1.6.X that is very bad the freeswitch developer, anthony, is a very well very good person that helped me much more about freeswitch including their flexible and really nice dialplan, XML user directory, ldap integration and more! because freeswitch is Smart and awesome, freeswitch maintain compatibility with asterisk by adding an asterisk dialplan module, but asterisk don't maintain anything about compatibility freeswitch let you do your dialplan in XML, Asterisk, YAML and other supported syntax for real time integration, i love the freeswitch integration including XMLRPC, XML_curl, the very good event socket module and library and other integration asterisk do any users meeting? bad, bad, bad, bad and very bad freeswitch have a weekly organised big and nice meeting in any Friday asterisk community don't meet any asterisk users except for astricon that i hate it and i'm going to CluCon to meet my freeswitch friends and lovers so, about you, you are very bad because you don't read anything about freeswitch please go to http://www.freeswitch.org/ http://wiki.freeswitch.org/ and read more and never talk about anyone because diego is a very nice and a very long time friend that give the freeswitch community more help for free without any payment in #freeswitch IRC channel and all people love it, except for you that i don't love you because you hate him why the fs developer (anthony) don't talked about it? because diego is loving freeswitch and promoting it, instead of the very bad disasterisk so please review your post before posting bad+bad=you

    4. Re:Diego by mercutioviz · · Score: 1

      I recommend not posting anonymously when making such strong assertions. While I may share some of your feelings on the matter I don't believe that an anonymous post is a very effective means of communicating a message like this. If you aren't willing to sign your name to your post then how much weight can we really give it?

      As to Asterisk fans "flaming people who offer an alternative" - I disagree with this statement. (Remember, I'm a FreeSWITCH fan here.) I've only seen some Asterisk guys react strongly to what I can only describe as obnoxious posts by Diego (and a few others). It's one thing to say, "I think FreeSWITCH suits my needs better than Asterisk because X, Y, Z..." but it is quite another thing to say, "Asterisk sucks! I don't know why people even use it any more..." I've seen strong reactions to the latter statements but not the former. The latter statements are pointless and take away valuable time and energy from the real issues at hand, namely making OSS telephony take over the world.

      I appreciate everyone's passion for this subject. I only ask that you channel that energy into more positive discussions.

      -MC

    5. Re:Diego by screeble · · Score: 1

      I've actually checked out FreeSWITCH quite thoroughly. I believe I said before that I've used the app?

      There were many of Diego's comments that I agreed with. I don't hate him. I never said I hate him. I think the strongest thing I said was "I'm beginning to think you are just a jerk." As far as I'm concerned, he is. In all honesty you can't behave like an idiot and expect to get your bugs looked at with any seriousness. You can't go onto public communities and rant completely off-topic without expecting some sort of backlash. Is it my fault that googling for Diego Viola turns up rampant lunacy? I think not.

      I just think he acts like a troll and I fell for his bait so I felt the need to apologize to a community I feel a certain kinship with. I feel like I let Slashdot down yesterday by feeding the troll after contributing here for almost a decade.

      There's no denying the fact that Diego acts like a jerk and posts pro-FreeSWITCH comments all over the internet. He's even admitted so. I don't really think any of my comments were out of line. In fact, I gave him the benefit of the doubt having not run into him on the internet before.

      It didn't take too long to see through the agenda. He's a fanboi. Fanbois are annoying.

      Nothing he has said here has really given anything positive or helpful to this discussion... Which, let me remind everyone, is about Asterisk and "Vishing" and has nothing to do with FS. Really, though, the problem is with shitty passwords and default settings which is an issue that plagues EVERY app when administered by an idiot.

      I'm neither for nor against FS, for fuck's sake. Can I just drop out of this bullshit conversation now? I tried it and Asterisk serves my needs far better than FS does. Like I said before, we hack the code into smithereens in our labs and for us Asterisk just works. As a matter of fact, my original post in this thread-- http://tech.slashdot.org/comments.pl?sid=1421913&cid=29898993 --had many negative things to say about Asterisk's security model. Diego missed my point regarding "BADministrators" completely and launched into his FreeSWITCH agenda. I agreed with many of his comments regarding security models.

      I'm through with this. Last post in this thread for me. None of this is really about Asterisk, FreeSWITCH or any VoIP platform. Even the quoted guy is pissed off about the comments being taken out of context. This is just stupid now. It's Mac vs. PC vs. Linux with the names changed to protect the innocent. All of you need to take your Asterisk vs. FreeSWITCH hate-ons back to Kindergarten where behaviour like that belongs. I've honestly never experienced any problems with either the Asterisk or FreeSWITCH community until yesterday.

      If people don't like being called jerks then they probably shouldn't be acting like jerks. THE END.

  30. Don't allow SIP or IAX access from the internet by noahisaac · · Score: 1

    I'm an Asterisk administrator for several systems. I try to keep them up-to-date with the latest versions that patch security flaws, but I can't always get them updated immediately. The easy answer is to just not allow SIP or IAX (or MGCP, SCCP, etc.) access from the entire internet. I firewall off those ports except to certain locations that require access to them.

    One big question I have, though, is what about all those appliance-type IP-PBXs from the old-school vendors like Panasonic and Toshiba? I would wager that the vast majority of those are NEVER updated after installation. Surely they are subject to many of the same security flaws that Asterisk's SIP stack is. I know that at least one of Asterisk's security advisories was for a fundamental flaw in the SIP protocol. All SIP-capable PBXs would be vulnerable to this. Are Panasonic and Toshiba just not talking openly about this?
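
The two practical points in this thread, screeble's "shitty passwords and default settings" and noahisaac's "firewall off those ports except to certain locations", can both be checked mechanically against a sip.conf before the box is exposed. The following is an added example written for this page, not code from any poster or from the Asterisk project: a small auditor that parses chan_sip's INI-like format (including `[name](!)` templates and inheritance), then flags peers with missing, common or extension-equal secrets, `insecure=invite`, and no `permit`/`deny` restriction, plus `allowguest` not set to `no`, `alwaysauthreject` not set to `yes`, and `bindaddr` left on all interfaces. The option names are real chan_sip keys; the 12-character minimum, the common-secret list and the sample config are constructed assumptions for the example.

```python
"""Audit an Asterisk chan_sip configuration (sip.conf) for the weak-credential
and permissive-default problems discussed in the thread.  Added example, not
part of the original posts; the sample config at the bottom is constructed."""
import re

SECTION_RE = re.compile(r"^\[([^\]]+)\](?:\(([^)]*)\))?$")
MIN_SECRET_LEN = 12          # assumption: a local policy value, not an Asterisk default
COMMON_SECRETS = {"password", "secret", "1234", "12345", "123456", "asterisk", "admin"}


def parse_asterisk_conf(text):
    """Parse Asterisk's INI-like format into {section: [(key, value), ...]}.

    Duplicate keys are kept (e.g. several 'allow=' lines).  '[name](!)' marks a
    template; '[name](tpl1,tpl2)' copies the named templates' entries first, so
    later lines in the section override them.  Returns (sections, template_names).
    Note: ';' always starts a comment here, so a secret containing ';' is cut short.
    """
    sections, templates = {}, set()
    entries = None
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            name = m.group(1)
            flags = [f.strip() for f in (m.group(2) or "").split(",") if f.strip()]
            entries = sections.setdefault(name, [])
            if "!" in flags:
                templates.add(name)
            for parent in flags:
                if parent != "!":
                    entries.extend(sections.get(parent, []))   # inherit template entries
            continue
        if entries is None:
            continue                                            # key before any section
        key, _, value = line.partition("=>") if "=>" in line else line.partition("=")
        entries.append((key.strip().lower(), value.strip()))
    return sections, templates


def last(entries, key, default=None):
    """Value of the last occurrence of key (later lines override earlier ones)."""
    vals = [v for k, v in entries if k == key]
    return vals[-1] if vals else default


def audit_sip_conf(text):
    """Return a list of (severity, section, code, message) findings."""
    sections, templates = parse_asterisk_conf(text)
    findings = []
    gen = sections.get("general", [])
    if last(gen, "allowguest", "").lower() != "no":
        findings.append(("high", "general", "allowguest",
                         "unauthenticated (guest) SIP calls are not disabled; set allowguest=no"))
    if last(gen, "alwaysauthreject", "").lower() != "yes":
        findings.append(("medium", "general", "alwaysauthreject",
                         "rejections differ for known and unknown usernames; set alwaysauthreject=yes"))
    if last(gen, "bindaddr", "0.0.0.0") == "0.0.0.0":
        findings.append(("low", "general", "bindaddr",
                         "SIP bound to all interfaces; filter the port at the firewall to the sites that need it"))
    for name, entries in sections.items():
        if name == "general" or name in templates:
            continue
        secret = last(entries, "secret")
        if secret is None:
            findings.append(("high", name, "no-secret", "peer has no secret"))
        elif secret.lower() in COMMON_SECRETS or secret == name:
            findings.append(("high", name, "weak-secret",
                             "secret is a common value or equals the peer name"))
        elif len(secret) < MIN_SECRET_LEN:
            findings.append(("medium", name, "short-secret",
                             f"secret shorter than {MIN_SECRET_LEN} characters"))
        if "invite" in last(entries, "insecure", "").lower():
            findings.append(("medium", name, "insecure-invite",
                             "incoming INVITEs from this peer are accepted without authentication"))
        if not any(k in ("permit", "deny") for k, _ in entries):
            findings.append(("low", name, "no-acl",
                             "no permit/deny address restriction; rely on the firewall or add one"))
    return findings


# Constructed sample, not a real deployment: one bad extension, one good one, one sloppy trunk.
SAMPLE_SIP_CONF = """\
[general]
context=default
bindaddr=0.0.0.0
allowguest=yes          ; anonymous callers land in 'default'
alwaysauthreject=no

[phone-tpl](!)
type=friend
host=dynamic
context=internal
deny=0.0.0.0/0.0.0.0
permit=192.168.1.0/255.255.255.0

[1001](phone-tpl)
secret=1001             ; secret equals the extension

[1002](phone-tpl)
secret=Xk7#pm2Q9vL!wRz4

[trunk-provider]
type=peer
host=sip.example.net
insecure=port,invite
secret=password
"""

if __name__ == "__main__":
    for sev, section, code, msg in audit_sip_conf(SAMPLE_SIP_CONF):
        print(f"[{sev:6}] {section:15} {code:18} {msg}")
```

Run against the sample it reports seven findings: the three `[general]` defaults, extension 1001's secret equal to its name, and the trunk's common secret, `insecure=invite` and missing ACL; extension 1002, which inherits the template's `deny`/`permit` pair and has a long secret, is clean. The `no-acl` check is deliberately low severity because, as noahisaac describes, the restriction is often enforced at the firewall rather than per peer.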

  31. First Service Credit Union - Milwaukee, WI by Anonymous Coward · · Score: 0

    If anyone banks with these folks be advised their system was compromised about two days ago. I am not a customer of theirs but I still have a Milwaukee area code cell phone (currently reside in Orlando). They only have two branches, as the article indicated a small institution. I forwarded them these articles so hopefully they will take corrective action.

    Branch Info:
    333 N 35th St
    Milwaukee, WI 53208-4108
    (414) 342-7660