

Asterisk Vishing Attacks "Endemic"

Ian Lamont writes "Remember the report last year that the FBI was concerned about a 'vishing' exploit relating to the Asterisk IP PBX software? Digium played down the report, noting that it was based on a bug that had already been patched, but now the company's open-source community director says that attacks on Asterisk installations are 'endemic.' There have been dozens of reported vishing attacks in recent weeks, says the article: 'The victims typically bank with smaller regional institutions, which typically have fewer resources to detect scams. Scammers hack into phone systems and then call victims, playing prerecorded messages that say there has been a billing error or warn them that the bank account has been suspended because of suspicious activity. If the worried customer enters his account number and ATM password, the bad guys use that information to make fake debit cards and empty their victim's bank accounts.'"


  1. Vishing? by Red+Flayer · · Score: 3, Insightful

    Vishing? Really?

    What is that, voice phishing? What's next, we're going to call telemarketers "vammers"? And we'll call phreakers "vackers"?

    I'm sure we could come up with a better term than "vishing".

    --
    "Trolls they were, but filled with the evil will of their master: a fell race..." -- J.R.R. Tolkien on Olog-hai
    1. Re:Vishing? by CannonballHead · · Score: 2, Funny

      I'm sure we could come up with a better term than "vishing".

      Like voice phishing? ;)

    2. Re:Vishing? by Carewolf · · Score: 3, Insightful

      Vishing? Really?

      What is that, voice phishing? What's next, we're going to call telemarketers "vammers"? And we'll call phreakers "vackers"?

      I'm sure we could come up with a better term than "vishing".

      If the alternative is phreashing and phreammers, then I'll prefer "vishing". That said, I doubt most cases are using an actual "bug" in Asterisk; it is much more likely there are different setups, where some are incorrectly set up to handle _one_ of the many combinations of diversion, refer, redirection, route, proxy, RFC and draft SIP features that Asterisk "supports".

    3. Re:Vishing? by natehoy · · Score: 3, Insightful

      Yeah, "Phishing" still seems to apply as an appropriate term to describe social engineering attempts by email, which is already a pretty specialized term, where "email fraud" would have worked just as well to start with (since it is closely related to an existing term "mail fraud" which indicates the snail mail version of the same attempt). As usual, a term was invented to describe something that is harder for the layman to understand than the original term. Hey, we're geeks, new confusing terms are cool, so deal. 1337 n3w w0rdz0rz ru1z!

      A phisher is still sending someone an email and asking them to take a specific action that, if you take it, will result in you giving up important information to someone wearing a black hat. We don't need separate terms to describe every possible nuance of the way you would potentially send the information back. If someone sends me an email with a form they want me to fill out and mail, do I have to call that mhishing? And what if they want me to fax it? fhishing? What if they simply want me to reply to them with some information? rhishing?

      What if you get an email that gives a bad link *AND* a scammer's phone number? pvhishing? Or does the order of the "p" and "v" depend on which appears in the email fraud attempt first, so it could be pvishing or vphishing? And do I read that right-to-left or top-to-bottom to determine "first"?

      Is there a 3-week class on this new terminology, or a 12-step program to get people to stop using it?

      --
      "This post contains words, known to the State of California to cause thought. Wash brain thoroughly after reading."
    4. Re:Vishing? by jittles · · Score: 4, Funny

      Actually, the attack is named after my Indian friend Vishal. But everyone calls him Vish. No really, I didn't just make this up.

    5. Re:Vishing? by MiniMike · · Score: 2, Funny

      What's next, we're going to call telemarketers "vammers"? And we'll call phreakers "vackers"?

      How about varmints and pharmints?

      Telemarketers don't deserve a new word, especially when an existing one fits so well. Phreakers at least are exhibiting some level of skill, even if it is in a somewhat antisocial manner (so I assume, at least).

    6. Re:Vishing? by Tony+Hoyle · · Score: 2, Informative

      vishing is what Dracula does on his holidays.

    7. Re:Vishing? by natehoy · · Score: 2, Insightful

      But all 9 syllables refer to concepts already stored in my brain. "Code Re-use"!

      --
      "This post contains words, known to the State of California to cause thought. Wash brain thoroughly after reading."
    8. Re:Vishing? by jo42 · · Score: 2, Funny

      "Vishing" is what it is called when Vishnu goes fishing.

    9. Re:Vishing? by VoltageX · · Score: 2, Insightful

      It's pretty hard to set Asterisk up properly, let alone secure it. The cynic in me says this is so Digium can make more money on support and training.

      --
      "Anonymous could not immediately be reached for further comment." - International Business Times
  2. Vishing by camperdave · · Score: 2, Informative

    Vishing is the criminal practice of using social engineering over the telephone system, most often using features facilitated by Voice over IP (VoIP)

    http://en.wikipedia.org/wiki/Vishing

    Either that or it's an old world ethnic pronunciation of the word "wishing".

    --
    When our name is on the back of your car, we're behind you all the way!
  3. Moral of the story by Random2 · · Score: 5, Insightful

    Don't give sensitive information away unless in person. If your bank says there's something wrong with your account, either call them via their listed phone number or go visit them in person.

    --
    "Our goal each year should be to increase the number of goals we set for ourselves!"
    1. Re:Moral of the story by tsm_sf · · Score: 2, Informative

      Or, as I preach to older relatives just getting into computers:

      You go to your bank, your bank doesn't come to you.

      --
      Literalism isn't a form of humor, it's you being irritating.
  4. Fishing, phishing, vishing, what's next? by noidentity · · Score: 5, Funny

    Fast-forward to 2109... ghoting attacks are on the rise, but nobody knows what the hell they are.

  5. I got one of those calls. by GrantRobertson · · Score: 2, Interesting

    I hung up and immediately called the FBI. I'm glad they are actually doing something about it.

    1. Re:I got one of those calls. by ColdWetDog · · Score: 5, Funny

      I hung up and immediately called the FBI. I'm glad they are actually doing something about it.

      If you're like me (and most of Slashdot), you don't need to call the FBI at all. Just look straight into the webcam and tell them what the problem is.

      Don't believe the naysayers that tell you that government is inefficient.

      --
      Faster! Faster! Faster would be better!
  6. Re:_All_ prerecorded calls are spam. by Deanalator · · Score: 4, Informative

    I was getting a recorded message from a spoofed cid at 000-000-0000 and would always kill the call as I saw it come in. Turns out it was my gas company trying to resolve some billing issues.

    A note to all "legit" businesses out there, blocked numbers and especially spoofed cids are super sketchy, don't do it.

  7. Re:_All_ prerecorded calls are spam. by oldspewey · · Score: 2, Informative

    The solution to phone spammers is - oh the irony - to use more asterisk. With a little creativity you can keep telemarketers busy without even picking up the phone.

    --
    If libertarians are so opposed to effective government, why don't they all move to Somalia?
  8. Complete crap by screeble · · Score: 4, Insightful

    What a load of crap. Asterisk developers patch security holes relatively quickly. This isn't an Asterisk "endemic."

    Brute forced passwords are a bad administrator "endemic."

    If your password policy is so stupid that you can be wordlisted then the issue may just be a PICNIC problem and not a fault of an application.

    Asterisk isn't a security application. It's an enterprise-grade VoIP server and PBX.

    Connecting Asterisk to a public network without some sort of border control is just stupid.

    1. Re:Complete crap by screeble · · Score: 2, Informative

      Agreed. Couple that fact with the fact that a lot of the repos I've seen are built off of older iterations of the Asterisk code and it's a recipe for disaster. For example, Ubuntu has Asterisk 1.4.21.2 in the repository right now. This is directly exploitable:

      http://downloads.asterisk.org/pub/security/AST-2009-003.pdf

      If you run code out of repos without understanding the risks that's still an admin fail, though. Not the fault of Asterisk, per se.

    2. Re:Complete crap by screeble · · Score: 2, Interesting

      I work in engineering design for an ILEC and admin Asterisk on a day-to-day basis within our test facilities.

      I completely agree that Asterisk is not carrier-grade but that doesn't negate the fact that it's being used for carrier-grade applications by many operators.

      Hell, most linux distros aren't carrier grade. We're not arguing that point. I agree completely.

      To me, Asterisk is a perfect drop-in replacement for a legacy pbx when serving in-house sip clients. Perhaps saying the app is enterprise-class is a bit lofty?

      Errors in terminology aside... We're on the same side.

      FreeSwitch is nice but doesn't fix the bad admin issue which is really what the original article is about.

    3. Re:Complete crap by diego.viola · · Score: 2, Informative

      Linux is ok for carrier-grade in my opinion, at least it's very stable and performs well.

      I can't say the same with Asterisk really because I had many bad experiences with it; some of these bad experiences include: deadlocks, crashes, transcoding problems, corrupted sound issues, etc.

      I work in the telecom industry as well, and I was an Asterisk user who migrated to FreeSWITCH for the reasons that it is more stable and performs better. I have also worked for companies such as Teliax Inc, etc. I'm also starting my own company for offering VoIP/telecommunication services and I'm going to use Linux and FreeSWITCH; some of these companies (Teliax Inc, Flowroute, etc) have also moved to FreeSWITCH for the same reasons.

      I recommend that you look at FreeSWITCH if you are in the VoIP industry; you will be amazed at how great it is.

    4. Re:Complete crap by screeble · · Score: 2, Interesting

      DISCLAIMER: I sometimes use ubuntu server so I can't really point any fingers re: CGL

      Be careful, "ok for carrier-grade" isn't the same as being CGL 4.0 compliant. There are only a handful of certified CGL's.

      http://www.linuxfoundation.org/collaborate/workgroups/cgl

      I've personally had great experiences with Asterisk but we're using it in a completely nonstandard (if there is such a thing) way.

      We do a lot of code hacking to emulate customer troubles with presentation, etc.

      For us, it's great and filled our needs way better than a commercial offering that would have done the same but with a boatload of cash.

      We don't deploy Asterisk as a vendor to clients so I can't comment on production viability.

      (Ironically, I just got pinged by some of our security people regarding the latest exploit and now have some code to update.)

      Oh yeah: The views expressed in this post (and any other post I've made in this thread) are mine alone and do not necessarily reflect the views of my employer.

    5. Re:Complete crap by rantingkitten · · Score: 3, Insightful

      Most of the security problems I've seen actually exploited are not a problem with asterisk as such, or even border control, but of retarded admins. For example, many IP phones expect to connect to a fileserver of some sort and download some xml files containing their SIP information. Admins will routinely just create an ftp account somewhere, using the default login and password of the phones, and dump the files there. They'll frequently allow that ftp user to have shell access too, or forget to disable directory listing on the ftp directory, or do anything else that resembles common sense and security.

      It would be trivial to portscan far and wide, find some asterisk boxes, and exploit these terribly common mistakes made by clueless admins. I have demonstrated to clients how I was able to log into their server armed only with the knowledge of what the default ftp username and password is, then download all their users' config files containing all the information I'd need to fraudulently use their phone lines. Sometimes it takes a dramatic demonstration like that to make people wake up.

      --
      mirrorshades radio -- darkwave, industrial, futurepop, ebm.
    6. Re:Complete crap by kasparov · · Score: 2, Interesting

      I remember you...you were that guy that spammed the asterisk bug tracker saying that people should switch to FreeSWITCH on about 10 different bugs. Nice to see that some things never change.

      --
      There's no place I can be, since I found Serenity.
    7. Re:Complete crap by spiffmastercow · · Score: 4, Interesting

      True enough about the admin fail.. But it sucks as a developer to work with software like that. I have to be both the admin and the developer for a small asterisk IVR, and it's really frustrating to have to dick with all the permissions just to get started coding. It should come relatively secure by default, in a repo with a reasonable update schedule. Don't get me wrong, Asterisk is a great tool, but there's definitely times when I get that "duct tape and shoe string" impression when I'm coding apps for it.

    8. Re:Complete crap by kasparov · · Score: 2, Interesting

      I've used Asterisk in installations with 10s of thousands of users--and this was probably 4 years ago or so. It certainly wasn't initially designed for it--but it will most certainly do the job if you are willing to put in the work. And it is light years ahead of where it was when I was using it for carrier-grade operations.

      Don't get me wrong, there are certainly things that need improvement--especially in the area of being able to do live migrations and failover w/o dropping calls, but there are some truly massive Asterisk installations out there.

      --
      There's no place I can be, since I found Serenity.
    9. Re:Complete crap by screeble · · Score: 2, Informative

      Have you looked at http://packages.digium.com/ or maybe about checking out the svn branch for the version you are using?

      You didn't say what distro you use but if it's YUM-capable that might be an option.

      Personally, I'm against precompiled binaries for Asterisk. Asterisk source doesn't have any configs at all other than samples. It's up to the admin to correctly configure the server. I like sticking to SVN as it allows me to make changes and also stay up to date. It's not perfect and I highly advise regression testing the code if you go that route as svn does sometimes break. Just stay out of the bleeding-edge branches.

      IMHO the biggest mistake someone can make with Asterisk and security is downloading the source and doing the "make install samples" portion of the install. It seems like often those are the generic confs I've run across when looking at a pre-existing repo version.

      Hand-tuned confs don't load needless modules and also eliminate a lot of security holes. Running asterisk -c over and over again until you get things working does actually suck but in the end is worth the effort. I wonder how many installs out there still have the stupid demo cruft in their production dialplans?

    10. Re:Complete crap by screeble · · Score: 2, Interesting

      I'm beginning to think you are just a jerk. Perhaps it's your interaction with devs that should be called into question?

      Some of your bugs look like they got a lot of good attention despite the fact that your reports are terrible...
      http://www.google.com/search?q=%22diego.viola%22+site%3Aissues.asterisk.org

      Your bug reports are often not well documented or easily duplicated.

      I've had excellent traction on bugs and issues from the asterisk dev teams.

      I even go on IRC occasionally and ask really oddball what-if questions that get answered smartly.

  9. Re:Usage guide by hcpxvi · · Score: 2, Funny

    voosh? (surely?)

  10. undoing moderation by Rashan · · Score: 2, Funny

    posting to undo incorrect moderation. nothing to see here, move along...

    --
    Insert witty .sig HERE.
  11. Re:Security! by hairyfeet · · Score: 2, Informative

    Which to me is the scarier part, as SMBs have fatter pipes which when compromised can send tons of spam, vishing, etc. As someone who works on plenty of SMBs you'd be amazed at what some of these places are running, we are talking Win2K and sometimes even Win98 machines, most haven't seen a patch since they left the factory, because some PHB is worried about downtime, meanwhile they are wondering "why the network is so slow". Yikes.

    You work PC repair for any length of time and the amount of total stupidity you'll see will make your face look like this permanently.

    --
    ACs don't waste your time replying, your posts are never seen by me.
  12. Phone Phishing by gd2shoe · · Score: 2, Insightful

    Phone Phishing. That way it's clear, and you get an alliteration as a bonus.

    --
    I won't join Slashcott. OTOH, If Beta goes live, I just won't be back until it's fixed. Sorry Dice.
    1. Re:Phone Phishing by misof · · Score: 2, Funny

      Yeah, but if you keep the current naming scheme, you get to call the incompetent bank employees "vankers" :)

  13. Digium says: Protocol, not program by Rememberthisname · · Score: 3, Informative

    So as is unfortunately typical, some of the quotes I made have of course been taken out of proportion. My quote was not that "Asterisk attacks are endemic", but that SIP-based brute force attacks are endemic. Every SIP system that is open to the "public" Internet is seeing large numbers of brute-force attacks. Sites that have weak username and weak password control will be compromised - this is little different than email accounts being taken over by password-guessing systems and used for sending floods of email. The significant difference is that when someone takes over a SIP platform to make outbound calls, there is usually a direct monetary cost, which gets people's attention very quickly. I hear reports of these types of attacks now all the time - it's not unusual, and it's not just Asterisk. We had a blog about this a year ago; this is just a re-packaging of the same news a year later, when recently I unsurprisingly said that attacks are no longer even newsworthy because they're so frequent (hence, the term "endemic".) Apparently, not being newsworthy means... it's newsworthy!

    This has little to do with Asterisk other than it happens to be the most prevalent SIP-based platform on the Internet currently. It has everything to do with protocol attacks by script kiddies, or more professional attackers. Bad passwords = easy penetration. The upside on this is that it yet again gets the attention of administrators who might not otherwise know that their password of '1234' might be guessed by criminal users.

    The bug that was mentioned? Old news. Really, really old news. And really not even that much of a threat for most people the way they have their systems configured even if they haven't upgraded.

    Asterisk, Broadsoft, Cisco, Kamailio, OpenSER, FreeSwitch, Avaya - they're all vulnerable to the brute force attacks if adequate network and username/password security is not implemented. There are ways to minimize, if not eliminate these threats with very standard security policies that should be familiar to any network administrator (ACLs, random passphrases, random client usernames, adequate exception logging, and limits on account usage, to name a few.)

    Just as an aside, the Digium SwitchVox platform, which is our commercial re-packaging of Asterisk, has as an element of its GUI a tool that indicates the relative strength of passwords. We'd encourage any other re-packagers or users of Asterisk to implement a similar UI hint that forces good password behavior by users and local admins. It's really not something that can be done in the core of Asterisk; it has to be done by whatever is the layered UI on top of Asterisk for configuration, or just by good policy.

    http://blogs.digium.com/2009/03/28/sip-security/
    http://blogs.digium.com/2008/12/06/sip-security-and-asterisk/

    John Todd - jtodd@digium.com
    Digium, Inc.
    Asterisk Open Source Community Director
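
    The SIP brute-force pattern John Todd describes above, as an added example that is not from the thread or from Digium: a Python detector that reads the failed-registration notices chan_sip writes to the Asterisk messages log and flags any source address that fails a threshold of REGISTERs inside a sliding window, listing the usernames it tried. The log line format is assumed from 1.4/1.6-era chan_sip (the same text fail2ban's Asterisk filter matches) and the sample lines are constructed.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Failed-REGISTER notice as chan_sip writes it to /var/log/asterisk/messages
# (1.4/1.6-era format, assumed here; fail2ban's asterisk filter matches the same text).
FAILED_REG = re.compile(
    r"^\[(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2})\] NOTICE\[\d+\] chan_sip\.c: "
    r"Registration from '(?P<from>[^']*)' failed for '(?P<ip>[\d.]+)' - (?P<reason>.+)$"
)
USER_IN_FROM = re.compile(r"sip:([^@>]+)@")

# Constructed sample log: one source walks sequential extensions, one is a single typo.
SAMPLE_LOG = [
    "[Mar 28 10:15:01] NOTICE[2345] chan_sip.c: Registration from '\"1001\" <sip:1001@198.51.100.10>' failed for '203.0.113.5' - Wrong password",
    "[Mar 28 10:15:02] NOTICE[2345] chan_sip.c: Registration from '\"1002\" <sip:1002@198.51.100.10>' failed for '203.0.113.5' - No matching peer found",
    "[Mar 28 10:15:03] VERBOSE[2345] logger.c: Asterisk Event Logger restarted",
    "[Mar 28 10:15:04] NOTICE[2345] chan_sip.c: Registration from '\"1003\" <sip:1003@198.51.100.10>' failed for '203.0.113.5' - No matching peer found",
    "[Mar 28 10:15:05] NOTICE[2345] chan_sip.c: Registration from '\"1004\" <sip:1004@198.51.100.10>' failed for '203.0.113.5' - Wrong password",
    "[Mar 28 10:15:06] NOTICE[2345] chan_sip.c: Registration from '\"1005\" <sip:1005@198.51.100.10>' failed for '203.0.113.5' - No matching peer found",
    "[Mar 28 10:15:07] NOTICE[2345] chan_sip.c: Registration from '\"1006\" <sip:1006@198.51.100.10>' failed for '203.0.113.5' - Wrong password",
    "[Mar 28 10:16:40] NOTICE[2345] chan_sip.c: Registration from '\"2201\" <sip:2201@198.51.100.10>' failed for '198.51.100.77' - Wrong password",
]

def parse_line(line, year=2009):
    """Return a dict for a failed-registration notice, or None for any other line."""
    m = FAILED_REG.match(line)
    if not m:
        return None
    # The messages log carries no year; the caller supplies it.
    ts = datetime.strptime(f"{year} {m.group('ts')}", "%Y %b %d %H:%M:%S")
    u = USER_IN_FROM.search(m.group("from"))
    return {"ts": ts, "ip": m.group("ip"),
            "user": u.group(1) if u else "?", "reason": m.group("reason")}

def detect_bruteforce(lines, threshold=5, window=timedelta(seconds=60)):
    """Map source IP -> summary for every source with >= threshold failures
    inside any sliding `window`; a single mistyped password never trips it."""
    by_ip = defaultdict(list)
    for line in lines:
        ev = parse_line(line)
        if ev:
            by_ip[ev["ip"]].append(ev)
    alerts = {}
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: e["ts"])
        start = 0
        for end in range(len(evs)):
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1
            if end - start + 1 >= threshold:
                alerts[ip] = {
                    "failures": len(evs),
                    "users": sorted({e["user"] for e in evs}),
                    # Distinct reasons are worth flagging: "No matching peer found" vs
                    # "Wrong password" tells the caller which usernames exist;
                    # alwaysauthreject=yes in sip.conf makes both answer alike.
                    "reasons": sorted({e["reason"] for e in evs}),
                }
                break
    return alerts

def report(alerts):
    """One human-readable line per offending source, e.g. for a ticket or an ACL change."""
    return [f"{ip}: {a['failures']} failed REGISTERs, usernames tried {a['users']}, "
            f"reasons {a['reasons']}" for ip, a in sorted(alerts.items())]

if __name__ == "__main__":
    for line in report(detect_bruteforce(SAMPLE_LOG)):
        print(line)
```

    Run it over the real messages log instead of SAMPLE_LOG; the list of usernames tried makes sequential-extension guessing obvious, which is the case Todd's "random client usernames" advice is aimed at.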

    1. Re:Digium says: Protocol, not program by cheros · · Score: 2, Interesting

      John, one of the ways I got people to use "good" passwords is by getting them a Yubikey and setting it to static mode. It then always generates the same password instead of an OTP, but it's a very long one and as it pretends to be a keyboard it types it in itself. The challenge is always to make it long enough to be safe, but short enough to actually fit in the entry field.

      It is a simple way to both SET a decent password and to preserve that setting in other than a file.

      Just a tip, and no, I don't work for Yubico. I just got one to play with and I like it (must go and buy some).

      --
      Insert .sig here. Send no money now. Owner may sue, contents will settle. Batteries not included.
  14. [OT] Re:Complete crap by kasparov · · Score: 3, Insightful

    No, I was just annoyed at your impolite behavior at the time with all of the spamming. Then I noticed this story and saw that you are still at it. I'm glad you found a solution that works for you. Many people have also found other solutions that work great for them, including Asterisk.

    Part of having such a huge user community is that the Asterisk devs have 100s of feature requests or bug reports at any given time. If someone is having a problem that is only having an effect on a very small number of people, sometimes it takes longer to fix than other problems. Everyone has to prioritize.

    Also, the quality of the debugging information that is presented is a major factor in how long it takes to get a problem fixed. This is a good example of 3 or 4 actual Asterisk developers trying to work on one of your issues and you being rude to them and not giving them the debug information they requested.

    I understand that having an issue that is affecting you take a while to get closed is annoying, but something being open for a week with no real information provided to help track it down is certainly no reason to react the way you did.

    And us Asterisk users aren't pissed about FreeSWITCH existing--that is just silly. The more choices out there, the better! We just don't like people coming over and shouting YOU SUCK and doing the equivalent of spray painting our walls with "FreeSWITCH RULEZ!" like you did with the bug tracker. That is just childish. There are many excellent and polite freeswitch users and developers--I just don't think that you are one of them.

    --
    There's no place I can be, since I found Serenity.
  15. Vishing and hoping by lennier · · Score: 2, Funny

    'Vishing', eh? Vot are we going to call 'video phishing'?

    Pishing?

    --
    You are not a brain: http://books.google.com/books?id=2oV61CeDx-YC