Beta

Slashdot: News for Nerds

×

Welcome to the Slashdot Beta site -- learn more here. Use the link in the footer or click here to return to the Classic version of Slashdot.

Thank you!

Before you choose to head back to the Classic look of the site, we'd appreciate it if you share your thoughts on the Beta; your feedback is what drives our ongoing development.

Beta is different and we value you taking the time to try it out. Please take a look at the changes we've made in Beta and  learn more about it. Thanks for reading, and for making the site better!

Asterisk Vishing Attacks "Endemic"

Soulskill posted more than 3 years ago | from the enter-your-ssn-if-you-concur dept.

Communications 141

Ian Lamont writes "Remember the report last year that the FBI was concerned about a 'vishing' exploit relating to the Asterisk IP PBX software? Digium played down the report, noting that it was based on a bug that had already been patched, but now the company's open-source community director says that attacks on Asterisk installations are 'endemic.' There have been dozens of reported vishing attacks in recent weeks, says the article: 'The victims typically bank with smaller regional institutions, which typically have fewer resources to detect scams. Scammers hack into phone systems and then call victims, playing prerecorded messages that say there has been a billing error or warn them that the bank account has been suspended because of suspicious activity. If the worried customer enters his account number and ATM password, the bad guys use that information to make fake debit cards and empty their victim's bank accounts.'"

cancel ×

141 comments

Vishing? (3, Insightful)

Red Flayer (890720) | more than 3 years ago | (#29898213)

Vishing? Really?

What is that, voice phishing? What's next, we're going to call telemarketers "vammers"? And we'll call phreakers "vackers"?

I'm sure we could come up with a better term than "vishing".

Re:Vishing? (2, Funny)

CannonballHead (842625) | more than 3 years ago | (#29898291)

I'm sure we could come up with a better term than "vishing".

Like voice phishing? ;)

Re:Vishing? (-1, Offtopic)

Anonymous Coward | more than 3 years ago | (#29898303)

Look At My Hearse. (A GOMH Tribute)

http://lookatmyhearse.googlepages.com/index.html [googlepages.com]

Phone Phishing (2, Insightful)

gd2shoe (747932) | more than 3 years ago | (#29901197)

Phone Phishing. That way it's clear, and you get an alliteration as a bonus.

Re:Vishing? (3, Insightful)

Carewolf (581105) | more than 3 years ago | (#29898331)

Vishing? Really?

What is that, voice phishing? What's next, we're going to call telemarketers "vammers"? And we'll call phreakers "vackers"?

I'm sure we could come up with a better term than "vishing".

If the alternative is phreashing and phreammers, then I'll prefer "vishing". That said, I doubt most cases are using an actual "bug" in Asterisk, it is much more likely there are different setups, were some are incorrectly setup to handle _one_ of the many combinations of diversion, refer, redirection, route, proxy, RFC and draft SIP features that Asterisk "supports".

Re:Vishing? (0)

Anonymous Coward | more than 3 years ago | (#29898333)

Ooh! Something with avian implications seems appropriate, since everyone who's anyone has a cat, and unlike fish, birds have voices. Songbirding, bird poaching... voaching?

Re:Vishing? (3, Insightful)

natehoy (1608657) | more than 3 years ago | (#29898499)

Yeah, "Phishing" still seems to apply as an appropriate term to describe social engineering attempts by email, which is already a pretty specialized term, where "email fraud" would have worked just as well to start with (since it is closely related to an existing term "mail fraud" which indicates the snail mail version of the same attempt). As usual, a term was invented to describe something that is harder for the layman to understand than the original term. Hey, we're geeks, new confusing terms are cool, so deal. 1337 n3w w0rdz0rz ru1z!

A phisher is still sending someone an email and asking them to take a specific action that, if you take it, will result in you giving up important information to someone wearing a black hat. We don't need separate terms to describe every possible nuance of the way you would potentially send the information back. If someone sends me an email with form they want me to fill out and mail, do I have to call that mhishing? And what if they want me to fax it? fhishing? What if they simply want me to reply to them with some information? rhishing?

What if you get an email that gives a bad link *AND* a scammer's phone number? pvhishing? Or does the order of the "p" and "v" depend on which appears in the email fraud attempt first, so it could be pvishing or vphishing? And do I read that right-to-left or top-to-bottom to determine "first"?

Is there a 3-week class on this new terminology, or a 12-step program to get people to stop using it?

Re:Vishing? (1)

natehoy (1608657) | more than 3 years ago | (#29898585)

Never mind, I did read, but failed to comprehend, the article. Stupid me.

Anyway, I still don't think we need a new term. In fact, I think we already have one. "Telephone fraud".

Re:Vishing? (1)

oldspewey (1303305) | more than 3 years ago | (#29898653)

Well, more pedantically it should be something like "telephone impersonation fraud" to account for the fact the scammers attempt to trade on an existing relationship of trust ... and now we're up to 9 syllables.

Re:Vishing? (2, Insightful)

natehoy (1608657) | more than 3 years ago | (#29899329)

But all 9 syllables refer to concepts already stored in my brain. "Code Re-use"!

Re:Vishing? (1)

element-o.p. (939033) | more than 3 years ago | (#29899455)

But as natehoy pointed out in his original post, is it really necessary to coin a new term -- or even a new combination of existing terms -- for every possible permutation of communication media that scammers seek to exploit? How about just saying a scammer is a scammer is a scammer, whether (s)he is using e-mail, snail mail, voice mail, fax, or smoke signal?

IMHO, "FBI warns of scam exploiting Asterisk PBX software" is far more meaningful to more people than "FBI warns of vishing attack exploiting Asterisk PBX software". But, hey -- for a /. reader, I'm a bit of Luddite, so maybe it's just me.

Re:Vishing? (1)

hairyfeet (841228) | more than 3 years ago | (#29900445)

Maybe "canary call"? As it acts like a canary singing out to warn you of danger, when it is really a stool pigeon giving your info to those that want to screw you? Meh, anything would be better than "vishing".

Re:Vishing? (0)

Anonymous Coward | more than 3 years ago | (#29898565)

Especially since v typically indicates video, e.g. VJ and vlogging.

If "hacker" can mean "anyone who does anything remotely related to computers," I'm pretty sure we don't need "vishing" and (even worse) spear phishing.

Man, we're edgy and hip: even the kids aren't using this slang!

This stuff is almost as bad as when various drug propaganda prints out lists of terms for drugs. Because, you know, otherwise we might think X is something you get in your Flintstone's vitamins.

Re:Vishing? (1)

NatasRevol (731260) | more than 3 years ago | (#29899721)

Is spear phishing related to porn?

Re:Vishing? (0)

Anonymous Coward | more than 3 years ago | (#29901005)

I'm so hip I cant see over my pelvis.

Re:Vishing? (1)

quangdog (1002624) | more than 3 years ago | (#29898589)

From a link [computerworld.com] from TFS: "Vishing is much like phishing, but instead of urging e-mail recipients to click on a link (to a bogus website) this message instructs the reader to call a telephone number to rectify a problem with your account."

I agree - "vishing" is a stupid term.

Re:Vishing? (4, Funny)

jittles (1613415) | more than 3 years ago | (#29898623)

Actually, the attack is named after my Indian friend Vishal. But everyone calls him Vish. No really, I didn't just make this up.

Re:Vishing? (1)

dkleinsc (563838) | more than 3 years ago | (#29899845)

You laugh, but my first thought was that it was referring to Vishy Anand [wikipedia.org] , current World Chess Champion.

Re:Vishing? (1)

NotQuiteReal (608241) | more than 3 years ago | (#29898741)

What is that, voice phishing? What's next, we're going to call telemarketers "vammers"? And we'll call phreakers "vackers"?

Nah, following the "vishing" substitution logic, I come up with telemarketing spammers = tammers and phreaker hackers would be phackers.

Re:Vishing? (1)

natehoy (1608657) | more than 3 years ago | (#29899287)

And if a phacker tried to spam a woman with kids, he'd be known as a mother phacker?

Re:Vishing? (1)

element-o.p. (939033) | more than 3 years ago | (#29899485)

"Stupid phackers..."

:D

Answering the question in your .sig (0)

Anonymous Coward | more than 3 years ago | (#29900163)

Please post the stock symbol of a highly profitable healthcare insurance company. I want to invest but can't find one.

All of them are highly profitable, even after all the paper shuffling, congressional payola, and obscene executive compensation and bonuses.

I recommend MetLife, MET, 3.2 billion in profits this year and rising, number 39 in the Fortune 500, and rising.

Some people prefer UNH, the largest of the whales, number 21 in the 500 and rising, but they only saw 2.9 billion in profits once they'd paid for all the cheesesteaks and blowjobs for the executive officers.

If you want to make some real money you want to invest in gigantic drug companies, though - they are the only ones with a chance of knocking the telcos and oil magnates off their bloody thrones.

Re:Vishing? (2, Funny)

MiniMike (234881) | more than 3 years ago | (#29899125)

What's next, we're going to call telemarketers "vammers"? And we'll call phreakers "vackers"?

How about varmints [merriam-webster.com] and pharmints?

Telemarketers don't deserve a new word, especially when an existing one fits so well. Phreakers at least are exhibiting some level of skill, even if it is in a somewhat antisocial manner (so I assume, at least).

Re:Vishing? (1)

element-o.p. (939033) | more than 3 years ago | (#29899511)

I like it...because in some states, it's legal to hunt varmints >:]

Re:Vishing? (1)

Mike Buddha (10734) | more than 3 years ago | (#29900297)

How about calling the lot of them "dicks"? I think that pretty well sums it up.

Re:Vishing? (2, Informative)

Tony Hoyle (11698) | more than 3 years ago | (#29899277)

vishing is what Dracula does on his holidays.

Re:Vishing? (1)

fahrbot-bot (874524) | more than 3 years ago | (#29899465)

I'm sure we could come up with a better term than "vishing".

I second this sentiment. Let's reserve "Vishing" for people pretending to be Vishnu [wikipedia.org] .

Re:Vishing? (1)

phoenixwade (997892) | more than 3 years ago | (#29899553)

those Phreaking Vishers........

Re:Vishing? (1)

Carbaholic (1327737) | more than 3 years ago | (#29899775)

Yes, really. Not only that but soon there will be virtual actors or vactors.

Re:Vishing? (2, Funny)

jo42 (227475) | more than 3 years ago | (#29899779)

"Vishing" is what it is called when Vishnu [wikipedia.org] goes fishing [wikipedia.org] .

Re:Vishing? (1)

mcgrew (92797) | more than 3 years ago | (#29900775)

I wondered the same thing, so I googled. Vishing is the criminal practice of using social engineering over the telephone system [wikipedia.org]

I do vish they'd have come up with a better name... but considering GNU, TWAIN, Windows, iPod, (and especially that abominably named "WiFi"), we as a group are pretty bad at coming up with good names.

A new name...Why ? (1)

Archfeld (6757) | more than 3 years ago | (#29902671)

How about thieves, frauds, con-men, or scam artists ?? I find it hard to believe this is actually a problem. Is there REALLY anyone out there STUPID enough to give up your pin ? C'mon folks the real bankers don't need it to do what they do,ANYONE asking for your PIN is a thief, plain and simple. If you give anyone your PIN other than your more significant half you are a fool of the worst possible kind, and likely deserve what is coming to you. Tell you parents and grandparents that there is NEVER an emergency or occasion to give up the PIN...NEVER.

_All_ prerecorded calls are spam. (1)

John Hasler (414242) | more than 3 years ago | (#29898225)

I always hang up as soon as I recognize them for what they are. On the rare occasions when someone who actually has something to say that I need to hear tries to use one they always follow up with a real phone call or a letter.

Re:_All_ prerecorded calls are spam. (0)

Anonymous Coward | more than 3 years ago | (#29898367)

Not compleatly true, when I preordered ghostbusters from gamestop they had a prerecorded message from Dan Aykroyd saying to come pick up my copy, under your logic you would have missed out on that sheer awsomness.

Re:_All_ prerecorded calls are spam. (0)

Anonymous Coward | more than 3 years ago | (#29898435)

Don't always hang up. I hung up on a persistent caller and realized it was my bank confirming a charge. They then locked my account. (Strangely, I can get SMS alerts that I have more money, but not that I've spent it or that I'm low.)

Generally, if you hear connection and then a delay, you know it's either a recording or an autodialer. Both will pause to detect an answering machine / voicemail. Also, if a telemarketer is using an autodialer, it dials multiple numbers and then has to connect an operator.

Re:_All_ prerecorded calls are spam. (2, Informative)

oldspewey (1303305) | more than 3 years ago | (#29898717)

The solution to phone spammers is - oh the irony - to use more asterisk. With a little creativity [voiptechchat.com] you can keep telemarketers busy without even picking up the phone.

Re:_All_ prerecorded calls are spam. (0)

Anonymous Coward | more than 3 years ago | (#29898641)

I don't answer the home phone at all. It is always some pre-recorded message from the High School or Middle School or some political candidate who "approved this message". Last night - a new low. Some political candidate actually automatically joined us to a conference call he had organized. It started with a pre-recorded message saying it was going to join this conference on some shit and then it joined. All this was being recorded by the answering machine. We had to get up and pick up the phone and hang it up to stop the answering machine (digital) from recording. I don't know what the max recording time per message is on that model of answering box but it recorded about 2 minutes before we hung up. So now some politico can use up a good solid chuck of our answering machine space with their gobbledygook. Crazy.

Re:_All_ prerecorded calls are spam. (4, Informative)

Deanalator (806515) | more than 3 years ago | (#29898677)

I was getting a recorded message from a spoofed cid at 000-000-0000 and would always kill the call as I saw it come in. Turns out it was the my gas company trying to resolve some billing issues.

A note to all "legit" businesses out there, blocked numbers and especially spoofed cids are super sketchy, don't do it.

Re:_All_ prerecorded calls are spam. (1)

mcgrew (92797) | more than 3 years ago | (#29901433)

And robocalls. When I hear "please wait" when I answer the phone, I don't bother waiting around to see what moronic company is trying to spam me, I just hang up.

Adaptation (0)

Anonymous Coward | more than 3 years ago | (#29901963)

Our continued technological advancement is having a transformative impact on our way of life (duh). We are creating a world in which one needs ever-higher levels of intelligence (and, more importantly, critical-thinking capacity) just to survive.

Back in the good old days the majority of the human race didn't need to know much more than how to farm (with very simple farming technologies). The intellectual problems they faced weren't very sophisticated.

Today, a seemingly harmless deed like giving an account number (which doesn't really seem secret since it gets printed on checks and stuff) over the phone can result in someone losing everything they had worked for all their lives, and having ruined credit on top of it.

How does one protect themselves from this scam? Knowing the details of this specific scam is not sufficient. There are a whole host of other scams with different details. One must protect one's self from the entire class of scams, and the only way to do that is to have a basic knowledge of how "the system" works (whichever system is in question) as well as a basic capacity to think before one acts and determine if the action being requested is actually likely to be necessary, and whether or not it might be risky. There are also judgments one must make about when one can and cannot trust the voice on the other end of the phone, when one does and does not realistically have a choice, and so on.

All of these mental activities require mature and insightful brains. Education (as to the details of "the system") is also a necessary condition, but not a sufficient condition, for personal saftey.

Some people believe that critical thinking ability is more hereditary than learned. I am no geneticist, but whether it is nature or nurture the bottom line remains: there is a class of person who was born and raised in a technologically advanced nation, but is not mentally capable of surviving in this nation. And this class of person is going to be (slowly and painfully) purged from the human condition because of this.

Re:_All_ prerecorded calls are spam. (1)

drpimp (900837) | more than 3 years ago | (#29898965)

I actually think I got one of these calls sometime last week. The recording left a message and is still in my box, well half of it. Apparently their dialer script doesn't have that great of, if any, PAMD. The audio is what sounds like a native English speaker, speaking very fast but sometimes stumbling, likely reading from a written script asking for account numbers and ATM codes. I immediately knew it was a scam but I am sure others receiving the call might have not have been so lucky to recognize that.

Re:_All_ prerecorded calls are spam. (1)

Tony Hoyle (11698) | more than 3 years ago | (#29899235)

The problem is nobody should *ever* fall for this, no matter how good the caller sounds.

Someone phones you. CLID can be faked. Can't trust that. Unless they have some way of authenticating themselves to you treat them as unknown.
That phone call contains another number. Ignore it. Go to the website of your bank, find a published customer service number and ask them.

It's exactly the same as anyone with any sense has been doing for years.. telephone scams aren't new. Now if the bank's calling system is compromised.. that's a bigger problem, and one that the bank would have to answer for.

Re:_All_ prerecorded calls are spam. (1)

John Hasler (414242) | more than 3 years ago | (#29899399)

> Now if the bank's calling system is compromised..

My credit union has a branch six miles away and head offices at about 25 miles. If I ever get something purports to be a recorded call from them I won't be contacting them by phone.

Re:_All_ prerecorded calls are spam. (1)

element-o.p. (939033) | more than 3 years ago | (#29899607)

I always hang up as soon as I recognize them for what they are.

Not me. I set the phone on my desk, press the "mute" button and tie up the telemarketers' phone lines for as long as possible while I get back to reading /.^w^w^wwork. Kind of a low-tech La Brea tar pit [sourceforge.net] .

Re:_All_ prerecorded calls are spam. (1)

secretcurse (1266724) | more than 3 years ago | (#29899819)

When my credit card company detects a charge that might be fraud, they send a robo call telling me to call the number on the back of my card to discuss a possible fraud issue. I like that a lot better than having someone I can't verify call me and ask for personal information. When I call the number printed on my card I can be reasonably certain that I know which company is going to be on the other end of the line. If an attack is so advanced that a thief knows the number printed on the back of my card and has the means to intercept me when I dial that number there's probably nothing that can stop it. That's why I monitor my card statements online. You can't be liable for fraud you report in a timely manner.

Asterix (1)

lamadude (1270542) | more than 3 years ago | (#29898321)

Asterix was fishing when he was attacked by the Romans again? Where was Obelix? He'll win in the end, he always does.

Re:Asterix (1)

frenchbedroom (936100) | more than 3 years ago | (#29898729)

And there'll be a huge banquet with wild boars roasted on a spit and ale !

Re:Asterix (1)

MRe_nl (306212) | more than 3 years ago | (#29898921)

This just in: Home cooking is killing McDonalds.

Vishing (2, Informative)

camperdave (969942) | more than 3 years ago | (#29898335)

Vishing is the criminal practice of using social engineering over the telephone system, most often using features facilitated by Voice over IP (VoIP)

http://en.wikipedia.org/wiki/Vishing [wikipedia.org]

Either that or it's an old world ethnic pronunciation of the word "wishing".

Verevolves! (1)

AioKits (1235070) | more than 3 years ago | (#29901631)

Werewolves?
There...Volves!

Security! (1)

Shadyman (939863) | more than 3 years ago | (#29898349)

Sounds like some banks haven't been keeping things up to date...

Security patches are there for a reason. Security.

Re:Security! (1)

drpimp (900837) | more than 3 years ago | (#29899343)

If you RTFA, it's not referring to the actual banks PBX getting hijacked. Regardless, yes there appears to have been an exploit due to a bug and should be fixed now, but the many businesses that use Asterisk and haven't applied patches are those affected.

Re:Security! (2, Informative)

hairyfeet (841228) | more than 3 years ago | (#29900821)

Which to me is the scarier part, as SMBs have fatter pipes which when compromised can send tons of spam, vishing, etc. As someone who works on plenty of SMBs you'd be amazed at what some of these places are running, we are talking Win2K and sometimes even Win98 machines, most haven't seen a patch since they left the factory, because some PHB is worried about downtime, meanwhile they are wondering "why the network is so slow". Yikes.

You work PC repair for any length of time and the amount of total stupidity you'll see will make your face look like this [wordpress.com] permanently.

Moral of the story (5, Insightful)

Random2 (1412773) | more than 3 years ago | (#29898419)

Don't give sensitive information away unless in person. If you bank says there's something wrong with your account, either call them via their listed phone number or go visit them in person.

Re:Moral of the story (2, Informative)

tsm_sf (545316) | more than 3 years ago | (#29898607)

Or, as I preach to older relatives just getting into computers:

You go to your bank, your bank doesn't come to you.

Re:Moral of the story (1)

Bryansix (761547) | more than 3 years ago | (#29899003)

Exactly! The same tactic that defeats Phishing emails also works for Vishing or any other type of social engineering in the direction of the company to the consumer. It however doesn't fix the problem of when the customer (or someone pretending to be them) calls the company.

Re:Moral of the story (1)

John Hasler (414242) | more than 3 years ago | (#29899473)

> It however doesn't fix the problem of when the customer (or someone
> pretending to be them) calls the company.

That, however, places the liability on the company.

Re:Moral of the story (1)

glodime (1015179) | more than 3 years ago | (#29902637)

> It however doesn't fix the problem of when the customer (or someone > pretending to be them) calls the company.

That, however, places the liability on the company.

Unfortunately, for checking and savings accounts in the US, it does not. If someone empties your bank account via false identification, your bank is not liable for your losses.

Re:Moral of the story (1)

CRiMSON (3495) | more than 3 years ago | (#29901449)

Yup, keep yer money in your sock like I do! No one gets it, and you ever get in trouble you can bust out the sock and weild that shit like a blackjack tear it up!

Fishing, phishing, vishing, what's next? (5, Funny)

noidentity (188756) | more than 3 years ago | (#29898451)

Fast-forward to 2109... ghoting [wikipedia.org] attacks are on the rise, but nobody knows what the hell they are.

Re:Fishing, phishing, vishing, what's next? (1)

natehoy (1608657) | more than 3 years ago | (#29898557)

We need a "Funny AND Insightful" mod that goes to 6 so there's a little extra when you need it.

Because, for the post I am replying to, we need it.

Re:Fishing, phishing, vishing, what's next? (1)

mathx314 (1365325) | more than 3 years ago | (#29899801)

Why don't you just make 5 a little better, make that the top number and make that a little better?

Re:Fishing, phishing, vishing, what's next? (1)

csnydermvpsoft (596111) | more than 3 years ago | (#29900317)

But... it goes to 6.

Re:Fishing, phishing, vishing, what's next? (0)

Anonymous Coward | more than 3 years ago | (#29898933)

Brilliant, absolutely brilliant. I wish there was a "funny and educational" mod option.

Re:Fishing, phishing, vishing, what's next? (1)

sconeu (64226) | more than 3 years ago | (#29900687)

I just vish zat zey vould ztop vith the forced vords.

Re:Fishing, phishing, vishing, what's next? (1)

MrSenile (759314) | more than 3 years ago | (#29900705)

I had a relative that used to raise ghots. Some veeps and vickens, too.

Every morning you voke the vows, and vilked them vry.

Usage guide (1, Insightful)

Anonymous Coward | more than 3 years ago | (#29898525)

Vishing is pronounced "wishing," as in "I am vishing to see your nuclear vessels."

Re:Usage guide (0)

Anonymous Coward | more than 3 years ago | (#29898699)

Vishing is pronounced "wishing," as in "I am vishing to see your nuclear vessels."

I thought it was 'wessels'.

Re:Usage guide (1)

bakawolf (1362361) | more than 3 years ago | (#29898755)

woosh?

Re:Usage guide (2, Funny)

hcpxvi (773888) | more than 3 years ago | (#29899083)

voosh? (surely?)

I got one of those calls. (2, Interesting)

GrantRobertson (973370) | more than 3 years ago | (#29898651)

I hung up and immediately called the FBI. I'm glad they are actually doing something about it.

Re:I got one of those calls. (5, Funny)

ColdWetDog (752185) | more than 3 years ago | (#29899251)

I hung up and immediately called the FBI. I'm glad they are actually doing something about it.

If you're like me (and most of Slashdot), you don't need to call the FBI at all. Just look straight into the webcam and tell them what the problem is.

Don't believe the naysayers that tell you that government is inefficient.

Re:I got one of those calls. (1)

shaitand (626655) | more than 3 years ago | (#29900939)

If you do buy into the inefficiency thing then go old school and send an email that begins...

"Dear Uncle bin laden, what is your new address again?"

Re:I got one of those calls. (0)

Anonymous Coward | more than 3 years ago | (#29899315)

While you're at it, why not also load up some phony data to the vishers then? Might as well pollute their dataset until some authority is able to shut them down.

Hello, This Is YABRIL OMOTAYO (0)

Anonymous Coward | more than 3 years ago | (#29898745)

from G.M.A.C. [google.com] .
We owe you a credit on your current loan for your Government Motors clunker and need your bank account number and Social Security Number to deposit this credit in your bank. Do wish to proceed with this authorization?

Yes [huffingtonpost.com] .

No [microsoft.com] .

Thank you for your cooperation.

Yours In Lahore,
Y. Omotayo.

Lock Down Your Phones, People! (1)

mercutioviz (1350573) | more than 3 years ago | (#29898853)

Actually, it's lock down your phones, your VM systems, your IVRs, etc. etc. Many years ago I had someone guess a password on a VM system and I had forgotten to disable "external transfers"... oops. Toll fraud. Now I use safe telecom practices. Practice number 1: Use FreeSWITCH instead of anything else. While any system can be configured unsafely and insecurely, at least the initial FreeSWITCH config is "paranoid by default." -MC

Re:Lock Down Your Phones, People! (1)

kasparov (105041) | more than 3 years ago | (#29899001)

Just using FreeSWITCH is not a security solution. It isn't like Asterisk is designed to route toll calls for all callers as a default or something. Software has bugs. Some bugs are security problems. Make sure you apply security updates ASAP. Asterisk even has a mailing list specifically for security updates which makes it super simple to know when you really need to apply a patch.

Re:Lock Down Your Phones, People! (1)

mishehu (712452) | more than 3 years ago | (#29899413)

I do believe that is in fact what mercutioviz was saying. First pick a better tool, then make sure that tool is in proper configuration and working order. There are just somethings that FS is designed to do differently that make it easier implement good security practices. One example is having one SIP profile (UA) for one IP:port combination. I can have multiple SIP UA's with various levels of security bound to various different dialplan contexts all at the same time. There's none of 1 IP 1 port or all IPs one port scenario. It's a finer grained tool.

Re:Lock Down Your Phones, People! (1)

mercutioviz (1350573) | more than 3 years ago | (#29900159)

Kasparov, I am in total agreement with you. Putting FreeSWITCH into an insecure environment isn't a "complete solution" by any stretch, and that certainly wasn't my point. Like mishehu mentioned in his post, I believe in using the best tools available and using them properly with good security best practices. FreeSWITCH is simply a better tool in many cases. (Note that I said "in many cases" and not "in ALL cases")

VoIP is an enabling technology, and like all enabling technology both consumers and criminals get "enabled." The technologist has the fun job of balancing security with functionality. I prefer to make that job a little bit easier by utilizing the best tools for the job at hand.

-MC

Re:Lock Down Your Phones, People! (1)

diego.viola (1104521) | more than 3 years ago | (#29899851)

I agree with mercutioviz, FreeSWITCH is a much better tool than anything else I ever seen in the OSS or proprietary world when it comes to VoIP and telecommunications.

Complete crap (4, Insightful)

screeble (664005) | more than 3 years ago | (#29898993)

What a load of crap. Asterisk developers patch security holes relatively quickly. This isn't an Asterisk "endemic."

Brute forced passwords are a bad administrator "endemic."

If your password policy is so stupid that you can be wordlisted then the issue may just be a PICNIC problem and not a fault of an application.

Asterisk isn't a security application. It's an enterprise-grade VoIP server and PBX.

Connecting Asterisk to a public network without some sort of border control is just stupid.

Re:Complete crap (0)

Anonymous Coward | more than 3 years ago | (#29899061)

It doesn't help that, if you want to run Asterisk as non-root, you actually have to compile it to do so. All of the repos and asterisk-based distros that I know of install it to run with root permissions.

Re:Complete crap (2, Informative)

screeble (664005) | more than 3 years ago | (#29899593)

Agreed. Couple that fact with the fact that a lot of the repos I've seen are built off of older iterations of the Asterisk code and it's a recipe for disaster. For example, Ubuntu has Asterisk 1.4.21.2 in the repository right now. This is directly exploitable:

http://downloads.asterisk.org/pub/security/AST-2009-003.pdf [asterisk.org]

If you run code out of repos without understanding the risks that's still an admin fail, though. Not the fault of Asterisk, per se.

Re:Complete crap (4, Interesting)

spiffmastercow (1001386) | more than 3 years ago | (#29903057)

True enough about the admin fail.. But it sucks as a developer to work with software like that. I have to be both the admin and the developer for a small asterisk IVR, and it's really frustrating to have to dick with all the permissions just to get started coding. It should come relatively secure by default, in a repo with a reasonable update schedule. Don't get me wrong, Asterisk is a great tool, but there's definately times when I get that "duct tape and shoe string" impression when I'm coding apps for it.

Re:Complete crap (1)

kasparov (105041) | more than 3 years ago | (#29902765)

You don't have to compile asterisk any differently to run it as non-root, you just have to set up the permissions on files/directories appropriately and set runuser/grungroup in asterisk.conf.

Re:Complete crap (1, Interesting)

diego.viola (1104521) | more than 3 years ago | (#29899931)

Asterisk is by no means a carrier-grade server, and it has many problems, these problems include bugs, deadlocks, etc.

You probably never worked on the telecom field to say that, the fact is that there is a much better alternative and that alternative is FreeSWITCH.

Just take a look at this:

"How does FreeSWITCH compare to Asterisk?"
http://www.freeswitch.org/node/117

Re:Complete crap (2, Interesting)

screeble (664005) | more than 3 years ago | (#29900173)

I work in engineering design for an ILEC and admin Asterisk on a day-to-day basis within our test facilities.

I completely agree that Asterisk is not carrier-grade but that doesn't negate the fact that it's being used for carrier-grade applications by many operators.

Hell, most linux distros aren't carrier grade. We're not arguing that point. I agree completely.

To me, Asterisk is a perfect drop-in replacement for a legacy pbx when serving in-house sip clients. Perhaps saying the app is enterprise-class is a bit lofty?

Errors in terminology aside... We're on the same side.

FreeSwitch is nice but doesn't fix the bad admin issue which is really what the original article is about.

Re:Complete crap (2, Informative)

diego.viola (1104521) | more than 3 years ago | (#29900903)

Linux is ok for carrier-grade in my opinion, at least it's very stable and performs well.

I can't say the same with Asterisk really because I had many bad experiences with it, some of these bad experiences includes: deadlocks, crashes, transcoding problems, corrupted sound issues, etc.

I work in the telecom industry as well and I was an Asterisk user who migrated to FreeSWITCH for the reasons that is more stable and performs better, I have also worked for companies such as Teliax Inc, etc. I'm also starting my own company as well for offering VoIP/telecommunication services and I'm going to use Linux and FreeSWITCH, some of these companies (Teliax Inc, Flowroute, etc) have also moved to FreeSWITCH for the same reasons.

I recommend that you look FreeSWITCH if you are in the VoIP industry, you will be amazed of how great it is.

Re:Complete crap (2, Interesting)

screeble (664005) | more than 3 years ago | (#29901443)

DISCLAIMER: I sometimes use ubuntu server so I can't really point any fingers re: CGL

Be careful, "ok for carrier-grade" isn't the same as being CGL 4.0 compliant. There are only a handful of certified CGL's.

http://www.linuxfoundation.org/collaborate/workgroups/cgl [linuxfoundation.org]

I've personally had great experiences with Asterisk but we're using it in a completely nonstandard (if there is such a thing) way.

We do a lot of code hacking to emulate customer troubles with presentation, etc.

For us, it's great and filled our needs way better than a commercial offering that would have done the same but with a boatload of cash.

We don't deploy Asterisk as a vendor to clients so I can't comment on production viability.

(Ironically, I just got pinged by some of our security people regarding the latest exploit and now have some code to update.)

Oh yeah: The views expressed in this post (and any other post I've made in this thread) are mine alone and do not necessarily reflect the views of my employer.

Re:Complete crap (2, Interesting)

kasparov (105041) | more than 3 years ago | (#29903169)

I've used Asterisk in installations with 10s of thousands of users--and this was probably 4 years ago or so. It certainly wasn't initially designed for it--but it will most certainly do the job if you are willing to put in the work. And it is light years ahead of where it was when I was using it for carrier-grade operations.

Don't get me wrong, there are certainly things that need improvement--especially in the area of being able to do live migrations and failover w/o dropping calls, but there are some truly massive Asterisk installations out there.

Re:Complete crap (2, Interesting)

kasparov (105041) | more than 3 years ago | (#29903001)

I remember you...you were that guy that spammed the asterisk bug tracker saying that people should switch to FreeSWITCH on about 10 different bugs. Nice to see that some things never change.

Re:Complete crap (3, Insightful)

rantingkitten (938138) | more than 3 years ago | (#29902277)

Most of the security problems I've seen actually exploited are not a problem with asterisk as such, or even border control, but of retarded admins. For example, many IP phones expect to connect to a fileserver of some sort and download some xml files containing their SIP information. Admins will routinely just create an ftp account somewhere, using the default login and password of the phones, and dump the files there. They'll frequently allow that ftp user to have shell access too, or forget to disable directory listing on the ftp directory, or do anything else that resembles common sense and security.

It would be trivial to portscan far and wide, find some asterisk boxes, and exploit these terribly common mistakes made by clueless admins. I have demonstrated to clients how I was able to log into their server armed only with the knowledge of what the default ftp username and password is, then download all their users' config files containing all the information I'd need to fraudulently use their phone lines. Sometimes it takes a dramatic demonstration like that to make people wake up.

undoing moderation (2, Funny)

Rashan (546637) | more than 3 years ago | (#29899163)

positing to undo incorrect moderation. nothing to see here, move along...

Just use FreeSWITCH instead of Asterisk (1)

diego.viola (1104521) | more than 3 years ago | (#29900097)

Why someone would still use Asterisk is beyond me, just use FreeSWITCH, it's a much better alternative.

Please be careful (1)

mercutioviz (1350573) | more than 3 years ago | (#29900745)

Remember, just dropping FreeSWITCH into an insecure environment isn't a solution. As systems integrators we still have to do our due diligence for security. Locking down Asterisk installs is always a good policy.

I think the real question is why there are so many Asterisk-based systems out there with little or no security in place. My guess is that it's because a lot of people just download it and throw it onto a customer's site. Oopsie.

The advantage that FreeSWITCH gives is that it makes security easier. Note that I said "easier" and not "automatic." If you don't think about security then you will hear about your FreeSWITCH system getting hacked, or vished, or whatever.

Like I said in a previous post: lock it down, people! I also agree that people shouldn't be entering their PIN codes on any incoming call, EVER. However, that doesn't absolve all of these foolish PBX installers (Asterisk or other) from their sin of failing to lock things down.

-MC

FBI doesn't care (0)

Anonymous Coward | more than 3 years ago | (#29900187)

One of my clients got hacked and was being used for a vishing attack. I called the FBI and was passed around and around because no particular office wanted the case. The client had setup SIP devices with the same name and secret and had not limited them to a specific IP range. Not a good idea.

In a more blatant case, someone purchased a toll free number 1 digit away from one that I own and was using an legitimate carrier to process incoming calls. Once again, I notified the authorities after people were misdialing the number and reaching me, and the case was too complex for them to handle.

Re:FBI doesn't care (1)

gujo-odori (473191) | more than 3 years ago | (#29901687)

The FBI cares, and the Secret Service is also involved in the investigation and prosecution of things related to phishing (carding, for example), but it can be hard to get to the right people.

The Anti-Phishing Working Group may (or not, I'm uncertain) may have some contact info for the right parties.

Before you ask why I didn't provide a link, it's because that would be such a good place to put a link leading to a drive-by download of malware. Don't trust links on Slashdot, look it up for yourself.

not just asterix (0)

Anonymous Coward | more than 3 years ago | (#29900623)

I've been noticing in my firewall logs a lot attacking with strange user names (not the usual root and test etc.)

When I googled it I found out it was a default system account for some commercial VOIP product. Seemed not very useful to me at the time, but now I get it.

Language Problems? (1)

ndunnuck (833465) | more than 3 years ago | (#29901581)

"You keep using that word. I do not think it means what you think it means." I'm not entirely sure anyone here knows what "endemic" means. "Endemic" is not newsworthy, unless we've been searching and searching for where these vishing attacks come from. "Pandemic" might be newsworthy. Or "epidemic" might be newsworthy. "Endemic" not so much.

Digium says: Protocol, not program (3, Informative)

Rememberthisname (464554) | more than 3 years ago | (#29902581)

So as is unfortunately typical, some of the quotes I made of course been taken out of proportion. My quote was not that "Asterisk attacks are endemic", but that SIP-based brute force attacks are endemic. Every SIP system that is open to the "public" Internet is seeing large numbers of brute-force attacks. Sites that have weak username and weak password control will be compromised - this is little different than email accounts being taken over by password-guessing systems and used for sending floods of email. The significant difference is that when someone takes over a SIP platform to make outbound calls, there is usually a direct monetary cost, which gets people's attention very quickly. I hear reports of these types of attacks now all the time - it's not unusual, and it's not just Asterisk. We had a blog about this a year ago; this is just a re-packaging of the same news a year later, when recently I unsurprisingly said that attacks are no longer even newsworthy because they're so frequent (hence, the term "endemic".) Apparently, not being newsworthy means... it's newsworthy!

This has little to do with Asterisk other than it happens to be the most prevalent SIP-based platform on the Internet currently. It has everything to do with protocol attacks by script kiddies, or more professional attackers. Bad passwords = easy penetration. The upside on this is that it yet again gets the attention of administrators who might not otherwise know that their password of '1234' might be guessed by criminal users.

The bug that was mentioned? Old news. Really, really old news. And really not even that much of a threat for most people the way they have their systems configured even if they haven't upgraded.

Asterisk, Broadsoft, Cisco, Kamailio, OpenSER, FreeSwitch, Avaya - they're all vulnerable to the brute force attacks if adequate network and username/password security is not implemented. There are ways to minimize, if not eliminate these threats with very standard security policies that should be familiar to any network administrator (ACLs, random passphrases, random client usernames, adequate exception logging, and limits on account usage, to name a few.)

Just as an aside, the Digium SwitchVox platform, which is our commercial re-packaging of Asterisk, has as an element of it's GUI a tool that indicates the relative strength of passwords. We'd encourage any other re-packagers or users of Asterisk to implement a similar UI hint that forces good password behavior by users and local admins. It's really not something that can be done in the core of Asterisk; it has to be done by whatever is the layered UI on top of Asterisk for configuration, or just by good policy.

http://blogs.digium.com/2009/03/28/sip-security/ [digium.com]
http://blogs.digium.com/2008/12/06/sip-security-and-asterisk/ [digium.com]

John Todd - jtodd@digium.com
Digium, Inc.
Asterisk Open Source Community Director

Load More Comments
Slashdot Account

Need an Account?

Forgot your password?

Don't worry, we never post anything without your permission.

Submission Text Formatting Tips

We support a small subset of HTML, namely these tags:

  • b
  • i
  • p
  • br
  • a
  • ol
  • ul
  • li
  • dl
  • dt
  • dd
  • em
  • strong
  • tt
  • blockquote
  • div
  • quote
  • ecode

"ecode" can be used for code snippets, for example:

<ecode>    while(1) { do_something(); } </ecode>
Create a Slashdot Account

Loading...