Asterisk Vishing Attacks "Endemic"
Ian Lamont writes "Remember the report last year that the FBI was concerned about a 'vishing' exploit relating to the Asterisk IP PBX software? Digium played down the report, noting that it was based on a bug that had already been patched, but now the company's open-source community director says that attacks on Asterisk installations are 'endemic.' There have been dozens of reported vishing attacks in recent weeks, says the article: 'The victims typically bank with smaller regional institutions, which typically have fewer resources to detect scams. Scammers hack into phone systems and then call victims, playing prerecorded messages that say there has been a billing error or warn them that the bank account has been suspended because of suspicious activity. If the worried customer enters his account number and ATM password, the bad guys use that information to make fake debit cards and empty their victim's bank accounts.'"
I hung up and immediately called the FBI. I'm glad they are actually doing something about it.
Asterisk is by no means a carrier-grade server, and it has many problems, including bugs, deadlocks, etc.
You probably never worked in the telecom field to say that; the fact is that there is a much better alternative, and that alternative is FreeSWITCH.
Just take a look at this:
"How does FreeSWITCH compare to Asterisk?"
http://www.freeswitch.org/node/117
I work in engineering design for an ILEC and admin Asterisk on a day-to-day basis within our test facilities.
I completely agree that Asterisk is not carrier-grade but that doesn't negate the fact that it's being used for carrier-grade applications by many operators.
Hell, most Linux distros aren't carrier grade. We're not arguing that point. I agree completely.
To me, Asterisk is a perfect drop-in replacement for a legacy pbx when serving in-house sip clients. Perhaps saying the app is enterprise-class is a bit lofty?
Errors in terminology aside... We're on the same side.
FreeSwitch is nice but doesn't fix the bad admin issue which is really what the original article is about.
DISCLAIMER: I sometimes use Ubuntu Server so I can't really point any fingers re: CGL
Be careful, "ok for carrier-grade" isn't the same as being CGL 4.0 compliant. There are only a handful of certified CGL's.
http://www.linuxfoundation.org/collaborate/workgroups/cgl
I've personally had great experiences with Asterisk but we're using it in a completely nonstandard (if there is such a thing) way.
We do a lot of code hacking to emulate customer troubles with presentation, etc.
For us, it's great and filled our needs way better than a commercial offering that would have done the same but with a boatload of cash.
We don't deploy Asterisk as a vendor to clients so I can't comment on production viability.
(Ironically, I just got pinged by some of our security people regarding the latest exploit and now have some code to update.)
Oh yeah: The views expressed in this post (and any other post I've made in this thread) are mine alone and do not necessarily reflect the views of my employer.
I remember you...you were that guy that spammed the asterisk bug tracker saying that people should switch to FreeSWITCH on about 10 different bugs. Nice to see that some things never change.
There's no place I can be, since I found Serenity.
True enough about the admin fail. But it sucks as a developer to work with software like that. I have to be both the admin and the developer for a small Asterisk IVR, and it's really frustrating to have to dick with all the permissions just to get started coding. It should come relatively secure by default, in a repo with a reasonable update schedule. Don't get me wrong, Asterisk is a great tool, but there's definitely times when I get that "duct tape and shoe string" impression when I'm coding apps for it.
I've used Asterisk in installations with 10s of thousands of users--and this was probably 4 years ago or so. It certainly wasn't initially designed for it--but it will most certainly do the job if you are willing to put in the work. And it is light years ahead of where it was when I was using it for carrier-grade operations.
Don't get me wrong, there are certainly things that need improvement--especially in the area of being able to do live migrations and failover w/o dropping calls, but there are some truly massive Asterisk installations out there.
I'm beginning to think you are just a jerk. Perhaps it's your interaction with devs that should be called into question?
Some of your bugs look like they got a lot of good attention despite the fact that your reports are terrible...
http://www.google.com/search?q=%22diego.viola%22+site%3Aissues.asterisk.org
Your bug reports are often not well documented or easily duplicated.
I've had excellent traction on bugs and issues from the asterisk dev teams.
I even go on IRC occasionally and ask really oddball what-if questions that get answered smartly.
John, one of the ways I got people to use "good" passwords is by getting them a Yubikey and setting it to static mode. It then always generates the same password instead of an OTP, but it's a very long one and as it pretends to be a keyboard it types it in itself. The challenge is always to make it long enough to be safe, but short enough to actually fit in the entry field.
It is a simple way to both SET a decent password and to preserve that setting in other than a file.
Just a tip, and no, I don't work for Yubico. I just got one to play with and I like it (must go and buy some).
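The "bad admin" and weak-password problem that runs through this thread is something you can check for rather than argue about. The following audit script is an added example written for this page; it is not code from Asterisk, Digium or any poster here. It assumes the classic chan_sip layout of sip.conf (a [general] section plus one section per peer, with the real keys secret, type, host, permit, deny and the general option alwaysauthreject), parses it with Python's INI reader, and flags peers whose secret is missing, too short, equal to the peer name, or low-entropy, plus dynamic peers with no permit/deny restriction. The sample config, the 12-character minimum and the 60-bit entropy floor are constructed for the demo; templates and section inheritance are not handled.

```python
"""Audit a sip.conf-style Asterisk peer configuration for weak credentials.

Added example for this thread, not Asterisk's or Digium's own code. Assumes the
classic chan_sip layout: [general] plus one section per peer. Thresholds and the
sample config are constructed for the demo; templates/inheritance are ignored.
"""
import configparser
import math
import string

# Constructed sample: one well-configured peer (1002) and two weak ones.
SAMPLE_SIP_CONF = """
[general]
context=default
alwaysauthreject=yes

[1001]
type=friend
secret=1001
host=dynamic
context=internal

[1002]
type=friend
secret=Wj9!kq2Zp6@tLm4Rx8Bv
host=dynamic
context=internal
deny=0.0.0.0/0.0.0.0
permit=192.168.10.0/255.255.255.0

[1003]
type=friend
host=dynamic
context=internal
"""

MIN_SECRET_LENGTH = 12   # policy value chosen for the demo
MIN_ENTROPY_BITS = 60    # policy value chosen for the demo


def parse_sip_conf(text):
    # sip.conf is INI-like; interpolation is off because '%' is legal in secrets,
    # and strict=False tolerates repeated keys such as multiple permit= lines.
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(text)
    return cp


def secret_entropy_bits(secret):
    """Rough entropy estimate: length * log2(size of the character classes used)."""
    pool = 0
    if any(c.islower() for c in secret):
        pool += 26
    if any(c.isupper() for c in secret):
        pool += 26
    if any(c.isdigit() for c in secret):
        pool += 10
    if any(c in string.punctuation for c in secret):
        pool += len(string.punctuation)
    return len(secret) * math.log2(pool) if pool else 0.0


def audit(text):
    """Return a list of (section, problem) tuples for the given sip.conf text."""
    cp = parse_sip_conf(text)
    findings = []
    # Without alwaysauthreject, a failed registration tells the caller whether
    # the username exists, which makes guessing secrets much cheaper.
    if cp.get("general", "alwaysauthreject", fallback="no").lower() != "yes":
        findings.append(("general", "alwaysauthreject is not 'yes'"))
    for name in cp.sections():
        if name == "general":
            continue
        sec = cp[name]
        if sec.get("type", "") not in ("peer", "friend", "user"):
            continue  # not a SIP entity definition we know how to judge
        secret = sec.get("secret")
        if not secret:
            findings.append((name, "no secret configured"))
        else:
            if len(secret) < MIN_SECRET_LENGTH:
                findings.append((name, "secret shorter than %d characters" % MIN_SECRET_LENGTH))
            if secret == name:
                findings.append((name, "secret equals peer name"))
            if secret_entropy_bits(secret) < MIN_ENTROPY_BITS:
                findings.append((name, "secret entropy below %d bits" % MIN_ENTROPY_BITS))
        # A dynamic peer reachable from anywhere is the usual brute-force target.
        if sec.get("host", "") == "dynamic" and "permit" not in sec and "deny" not in sec:
            findings.append((name, "dynamic host with no permit/deny restriction"))
    return findings


if __name__ == "__main__":
    for section, problem in audit(SAMPLE_SIP_CONF):
        print("[%s] %s" % (section, problem))
```

Run it against a real sip.conf by reading the file into audit(); peers 1001 and 1003 in the sample each produce findings while 1002 passes cleanly. The entropy estimate is deliberately crude (it treats every character as independent), so it catches obviously bad secrets rather than certifying good ones.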