Asterisk Vishing Attacks "Endemic"

Ian Lamont writes "Remember the report last year that the FBI was concerned about a 'vishing' exploit relating to the Asterisk IP PBX software? Digium played down the report, noting that it was based on a bug that had already been patched, but now the company's open-source community director says that attacks on Asterisk installations are 'endemic.' There have been dozens of reported vishing attacks in recent weeks, says the article: 'The victims typically bank with smaller regional institutions, which typically have fewer resources to detect scams. Scammers hack into phone systems and then call victims, playing prerecorded messages that say there has been a billing error or warn them that the bank account has been suspended because of suspicious activity. If the worried customer enters his account number and ATM password, the bad guys use that information to make fake debit cards and empty their victim's bank accounts.'"

Re:Complete crap

[spiffmastercow]

True enough about the admin fail.. But it sucks as a developer to work with software like that. I have to be both the admin and the developer for a small asterisk IVR, and it's really frustrating to have to dick with all the permissions just to get started coding. It should come relatively secure by default, in a repo with a reasonable update schedule. Don't get me wrong, Asterisk is a great tool, but there's definately times when I get that "duct tape and shoe string" impression when I'm coding apps for it.