Slashdot Mirror


Asterisk Vishing Attacks "Endemic"

Ian Lamont writes "Remember the report last year that the FBI was concerned about a 'vishing' exploit relating to the Asterisk IP PBX software? Digium played down the report, noting that it was based on a bug that had already been patched, but now the company's open-source community director says that attacks on Asterisk installations are 'endemic.' There have been dozens of reported vishing attacks in recent weeks, says the article: 'The victims typically bank with smaller regional institutions, which typically have fewer resources to detect scams. Scammers hack into phone systems and then call victims, playing prerecorded messages that say there has been a billing error or warn them that the bank account has been suspended because of suspicious activity. If the worried customer enters his account number and ATM password, the bad guys use that information to make fake debit cards and empty their victim's bank accounts.'"

10 of 141 comments

  1. Vishing by camperdave · · Score: 2, Informative

    Vishing is the criminal practice of using social engineering over the telephone system, most often using features facilitated by Voice over IP (VoIP)

    http://en.wikipedia.org/wiki/Vishing

    Either that or it's an old world ethnic pronunciation of the word "wishing".

    --
    When our name is on the back of your car, we're behind you all the way!
  2. Re:Moral of the story by tsm_sf · · Score: 2, Informative

    Or, as I preach to older relatives just getting into computers:

    You go to your bank, your bank doesn't come to you.

    --
    Literalism isn't a form of humor, it's you being irritating.
  3. Re:_All_ prerecorded calls are spam. by Deanalator · · Score: 4, Informative

    I was getting a recorded message from a spoofed CID at 000-000-0000 and would always kill the call as I saw it come in. Turns out it was my gas company trying to resolve some billing issues.

    A note to all "legit" businesses out there: blocked numbers and especially spoofed CIDs are super sketchy, don't do it.

  4. Re:_All_ prerecorded calls are spam. by oldspewey · · Score: 2, Informative

    The solution to phone spammers is - oh the irony - to use more asterisk. With a little creativity you can keep telemarketers busy without even picking up the phone.

    --
    If libertarians are so opposed to effective government, why don't they all move to Somalia?
  5. Re:Vishing? by Tony+Hoyle · · Score: 2, Informative

    vishing is what Dracula does on his holidays.

  6. Re:Complete crap by screeble · · Score: 2, Informative

    Agreed. Couple that fact with the fact that a lot of the repos I've seen are built off of older iterations of the Asterisk code and it's a recipe for disaster. For example, Ubuntu has Asterisk 1.4.21.2 in the repository right now. This is directly exploitable:

    http://downloads.asterisk.org/pub/security/AST-2009-003.pdf

    If you run code out of repos without understanding the risks that's still an admin fail, though. Not the fault of Asterisk, per se.

  7. Re:Security! by hairyfeet · · Score: 2, Informative

    Which to me is the scarier part, as SMBs have fatter pipes which when compromised can send tons of spam, vishing, etc. As someone who works on plenty of SMBs you'd be amazed at what some of these places are running, we are talking Win2K and sometimes even Win98 machines, most haven't seen a patch since they left the factory, because some PHB is worried about downtime, meanwhile they are wondering "why the network is so slow". Yikes.

    You work PC repair for any length of time and the amount of total stupidity you'll see will make your face look like this permanently.

    --
    ACs don't waste your time replying, your posts are never seen by me.
  8. Re:Complete crap by diego.viola · · Score: 2, Informative

    Linux is ok for carrier-grade in my opinion, at least it's very stable and performs well.

    I can't say the same with Asterisk really because I had many bad experiences with it; some of these bad experiences include deadlocks, crashes, transcoding problems, corrupted sound issues, etc.

    I work in the telecom industry as well, and I was an Asterisk user who migrated to FreeSWITCH for the reason that it is more stable and performs better. I have also worked for companies such as Teliax Inc, etc. I'm also starting my own company for offering VoIP/telecommunication services, and I'm going to use Linux and FreeSWITCH; some of these companies (Teliax Inc, Flowroute, etc) have also moved to FreeSWITCH for the same reasons.

    I recommend that you look at FreeSWITCH if you are in the VoIP industry; you will be amazed at how great it is.

  9. Digium says: Protocol, not program by Rememberthisname · · Score: 3, Informative

    So, as is unfortunately typical, some of the quotes I made have of course been taken out of proportion. My quote was not that "Asterisk attacks are endemic", but that SIP-based brute force attacks are endemic. Every SIP system that is open to the "public" Internet is seeing large numbers of brute-force attacks. Sites that have weak username and weak password control will be compromised; this is little different from email accounts being taken over by password-guessing systems and used for sending floods of email. The significant difference is that when someone takes over a SIP platform to make outbound calls, there is usually a direct monetary cost, which gets people's attention very quickly. I hear reports of these types of attacks now all the time; it's not unusual, and it's not just Asterisk. We had a blog about this a year ago; this is just a re-packaging of the same news a year later, when recently I unsurprisingly said that attacks are no longer even newsworthy because they're so frequent (hence the term "endemic"). Apparently, not being newsworthy means... it's newsworthy!

    This has little to do with Asterisk other than it happens to be the most prevalent SIP-based platform on the Internet currently. It has everything to do with protocol attacks by script kiddies, or more professional attackers. Bad passwords = easy penetration. The upside on this is that it yet again gets the attention of administrators who might not otherwise know that their password of '1234' might be guessed by criminal users.

    The bug that was mentioned? Old news. Really, really old news. And really not even that much of a threat for most people the way they have their systems configured even if they haven't upgraded.

    Asterisk, Broadsoft, Cisco, Kamailio, OpenSER, FreeSwitch, Avaya - they're all vulnerable to the brute force attacks if adequate network and username/password security is not implemented. There are ways to minimize, if not eliminate these threats with very standard security policies that should be familiar to any network administrator (ACLs, random passphrases, random client usernames, adequate exception logging, and limits on account usage, to name a few.)

    Just as an aside, the Digium SwitchVox platform, which is our commercial re-packaging of Asterisk, has as an element of its GUI a tool that indicates the relative strength of passwords. We'd encourage any other re-packagers or users of Asterisk to implement a similar UI hint that forces good password behavior by users and local admins. It's really not something that can be done in the core of Asterisk; it has to be done by whatever is the layered UI on top of Asterisk for configuration, or just by good policy.

    http://blogs.digium.com/2009/03/28/sip-security/
    http://blogs.digium.com/2008/12/06/sip-security-and-asterisk/

    John Todd - jtodd@digium.com
    Digium, Inc.
    Asterisk Open Source Community Director
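
    The "adequate exception logging" that John Todd lists above is only useful if something reads the log. The following is an added example (editor's code, not Digium's and not part of the thread) of the detection logic a fail2ban-style watcher applies to Asterisk's messages log: it parses the NOTICE lines chan_sip writes on a failed REGISTER, counts failures per source address inside a sliding time window, lists the usernames each source tried (many distinct usernames from one address is the enumeration phase of a brute-force run), and emits the iptables rule that would drop the offender. The log lines are constructed for the example, modelled on the chan_sip format; the year, threshold and window are assumptions, and the addresses are documentation ranges rather than real hosts.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample, modelled on the NOTICE lines chan_sip writes to
# /var/log/asterisk/messages when a REGISTER fails.  198.51.100.7 walks
# usernames and then hammers one of them; 192.0.2.9 is a phone whose
# owner mistyped a password twice, an hour apart.
SAMPLE_LOG = """\
[Mar 28 10:15:03] NOTICE[2231] chan_sip.c: Registration from '"100" <sip:100@203.0.113.10>' failed for '198.51.100.7' - No matching peer found
[Mar 28 10:15:04] NOTICE[2231] chan_sip.c: Registration from '"101" <sip:101@203.0.113.10>' failed for '198.51.100.7' - No matching peer found
[Mar 28 10:15:04] NOTICE[2231] chan_sip.c: Registration from '"200" <sip:200@203.0.113.10>' failed for '198.51.100.7' - Wrong password
[Mar 28 10:15:05] NOTICE[2231] chan_sip.c: Registration from '"200" <sip:200@203.0.113.10>' failed for '198.51.100.7' - Wrong password
[Mar 28 10:15:06] NOTICE[2231] chan_sip.c: Registration from '"200" <sip:200@203.0.113.10>' failed for '198.51.100.7' - Wrong password
[Mar 28 10:15:07] NOTICE[2231] chan_sip.c: Registration from '"200" <sip:200@203.0.113.10>' failed for '198.51.100.7' - Wrong password
[Mar 28 10:20:11] NOTICE[2231] chan_sip.c: Registration from '"300" <sip:300@203.0.113.10>' failed for '192.0.2.9' - Wrong password
[Mar 28 10:21:30] VERBOSE[2231] chan_sip.c:     -- Registered SIP '300' at 192.0.2.9 port 5060
[Mar 28 11:40:02] NOTICE[2231] chan_sip.c: Registration from '"300" <sip:300@203.0.113.10>' failed for '192.0.2.9' - Wrong password
"""

ASSUMED_YEAR = 2009  # the log timestamp carries no year; assume one so deltas work

NOTICE_RE = re.compile(
    r"^\[(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2})\] NOTICE\[\d+\] chan_sip\.c: "
    r"Registration from '(?P<from>[^']*)' failed for '(?P<ip>[\d.]+)' - (?P<reason>.*)$"
)
USER_RE = re.compile(r"sip:([^@>]+)@")


def parse_failures(log_text):
    """Return {source_ip: [(timestamp, username_tried, reason), ...]}."""
    failures = defaultdict(list)
    for line in log_text.splitlines():
        m = NOTICE_RE.match(line)
        if not m:
            continue  # VERBOSE/DEBUG lines and successful registrations are ignored
        ts = datetime.strptime(m.group("ts"), "%b %d %H:%M:%S").replace(year=ASSUMED_YEAR)
        user = USER_RE.search(m.group("from"))
        failures[m.group("ip")].append((ts, user.group(1) if user else "?", m.group("reason")))
    return failures


def max_in_window(times, window):
    """Largest number of events that fall inside any span of length `window`."""
    times = sorted(times)
    best = start = 0
    for end, t in enumerate(times):
        while t - times[start] > window:
            start += 1  # slide the window's left edge forward
        best = max(best, end - start + 1)
    return best


def find_bruteforce(log_text, threshold=5, window=timedelta(minutes=10)):
    """Map each source that reaches `threshold` failures within `window` to
    (failures in its densest window, sorted usernames it tried)."""
    offenders = {}
    for ip, events in parse_failures(log_text).items():
        count = max_in_window([e[0] for e in events], window)
        if count >= threshold:
            offenders[ip] = (count, sorted({e[1] for e in events}))
    return offenders


def block_commands(offenders, port=5060):
    """The iptables rule a fail2ban action would run for each offender."""
    return [f"iptables -I INPUT -s {ip} -p udp --dport {port} -j DROP"
            for ip in sorted(offenders)]


if __name__ == "__main__":
    hits = find_bruteforce(SAMPLE_LOG)
    for ip, (count, users) in hits.items():
        print(f"{ip}: {count} failures in one window; usernames tried: {', '.join(users)}")
    print("\n".join(block_commands(hits)))
```

    With the sample above only 198.51.100.7 crosses the threshold (six failures in four seconds across three usernames); 192.0.2.9 has two failures eighty minutes apart and is left alone, which is why the count is taken per window rather than over the whole file. Dropping the source at the firewall rather than in Asterisk keeps the attacker's retries from consuming SIP processing at all.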

  10. Re:Complete crap by screeble · · Score: 2, Informative

    Have you looked at http://packages.digium.com/ or maybe about checking out the svn branch for the version you are using?

    You didn't say what distro you use but if it's YUM-capable that might be an option.

    Personally, I'm against precompiled binaries for Asterisk. Asterisk source doesn't have any configs at all other than samples. It's up to the admin to correctly configure the server. I like sticking to SVN as it allows me to make changes and also stay up to date. It's not perfect, and I highly advise regression testing the code if you go that route, as svn does sometimes break. Just stay out of the bleeding-edge branches.

    IMHO the biggest mistake someone can make with Asterisk and security is downloading the source and doing the "make install samples" portion of the install. It seems like often those are the generic confs I've run across when looking at a pre-existing repo version.

    Hand-tuned confs don't load needless modules and also eliminate a lot of security holes. Running asterisk -c over and over again until you get things working does actually suck but in the end is worth the effort. I wonder how many installs out there still have the stupid demo cruft in their production dialplans?
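
    The two comments above converge on the same point: the sample configs ship with generic settings, and the fixes John Todd lists (ACLs, random passphrases, random client usernames, limits on account usage) all live in sip.conf, where nothing in Asterisk itself checks them. The following is an added example (editor's code, not Asterisk's or Digium's) of a small sip.conf audit: it parses the file, including `[name](!)` templates and `[name](template)` inheritance, and flags peers with weak or extension-equal secrets, extension-number usernames on dynamic peers, no deny/permit ACL, no call-limit, and `insecure=invite`, plus `[general]` settings that accept guest calls or leak whether a username exists. The sip.conf text is constructed for the example; the minimum secret length and the decision to treat an unset option as unsafe are assumptions.

```python
import re
import string

# Constructed sample sip.conf.  Peers 100 and 200 are typical of what a
# "make samples" install plus a hurried admin produces; desk-7f3a9c shows
# the hardened shape (random username, long mixed secret, ACL, call-limit).
SAMPLE_SIP_CONF = """\
[general]
context=internal
allowguest=no
alwaysauthreject=yes

[phone](!)               ; template
type=friend
host=dynamic
context=internal
call-limit=2

[100](phone)
secret=100               ; secret equals the extension

[200](phone)
secret=1234
insecure=invite          ; incoming INVITEs from this peer skip auth

[desk-7f3a9c](phone)
secret=Xk7#pq2Lm!9vBz4
deny=0.0.0.0/0.0.0.0
permit=10.0.0.0/255.255.255.0
"""

SECTION_RE = re.compile(r"^\[([^\]]+)\](?:\(([^)]*)\))?$")


def parse_sip_conf(text):
    """Return {section_name: {key: value}} with template inheritance applied.
    Templates ([x](!)) are expanded into their children and not returned.
    Repeated keys (e.g. several deny= lines) keep only the last value, which
    is enough for presence checks; comments after ';' are stripped."""
    sections, templates, current = {}, {}, None
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            name, parents = m.group(1), m.group(2) or ""
            current, is_template = {}, False
            for parent in (p.strip() for p in parents.split(",") if p.strip()):
                if parent == "!":
                    is_template = True
                else:
                    current.update(templates.get(parent, {}))
            (templates if is_template else sections)[name] = current
            continue
        if current is None or "=" not in line:
            continue
        key, value = line.split("=", 1)
        current[key.strip()] = value.lstrip(">").strip()  # handles "key => value" too
    return sections


def secret_strength(secret):
    """(length, number of character classes used) for a SIP secret."""
    classes = sum(1 for cls in (string.ascii_lowercase, string.ascii_uppercase,
                                string.digits, string.punctuation)
                  if any(c in cls for c in secret))
    return len(secret), classes


def audit(sections, min_len=12):
    """Return [(section, finding), ...]; an unset option counts as unsafe."""
    findings = []
    general = sections.get("general", {})
    if general.get("allowguest", "").lower() != "no":
        findings.append(("general", "allowguest is not 'no': unauthenticated INVITEs are accepted"))
    if general.get("alwaysauthreject", "").lower() != "yes":
        findings.append(("general", "alwaysauthreject is not 'yes': responses reveal which usernames exist"))
    for name, v in sections.items():
        if name == "general":
            continue
        secret = v.get("secret")
        if not secret and not v.get("md5secret"):
            findings.append((name, "no secret: anyone can register as this peer"))
        elif secret:
            length, classes = secret_strength(secret)
            if secret == name or length < min_len or classes < 3:
                findings.append((name, f"weak secret ({length} chars, {classes} character classes)"))
        if name.isdigit() and v.get("host") == "dynamic":
            findings.append((name, "username is the extension number: trivially enumerable"))
        if "deny" not in v and "permit" not in v:
            findings.append((name, "no deny/permit ACL: registration accepted from any address"))
        if "call-limit" not in v:
            findings.append((name, "no call-limit: a stolen credential can place unlimited concurrent calls"))
        if any(w in v.get("insecure", "").lower() for w in ("invite", "very")):
            findings.append((name, "insecure=invite: incoming calls from this peer bypass authentication"))
    return findings


if __name__ == "__main__":
    for section, finding in audit(parse_sip_conf(SAMPLE_SIP_CONF)):
        print(f"[{section}] {finding}")
```

    Run against the sample, the audit reports nothing for `[general]` or `desk-7f3a9c` and several findings each for `100` and `200`. Because the template supplies `call-limit=2`, the check rewards putting the safe defaults in a template and inheriting them, which is also the cheapest way to keep hand-tuned configs consistent across many peers.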