Asterisk Vishing Attacks "Endemic"
Ian Lamont writes "Remember the report last year that the FBI was concerned about a 'vishing' exploit relating to the Asterisk IP PBX software? Digium played down the report, noting that it was based on a bug that had already been patched, but now the company's open-source community director says that attacks on Asterisk installations are 'endemic.' There have been dozens of reported vishing attacks in recent weeks, says the article: 'The victims typically bank with smaller regional institutions, which typically have fewer resources to detect scams. Scammers hack into phone systems and then call victims, playing prerecorded messages that say there has been a billing error or warn them that the bank account has been suspended because of suspicious activity. If the worried customer enters his account number and ATM password, the bad guys use that information to make fake debit cards and empty their victim's bank accounts.'"
I got one of those calls. (Score:2, Interesting)
Re:Complete crap (Score:1, Interesting)
You probably never worked in the telecom field to say that. The fact is that there is a much better alternative, and that alternative is FreeSWITCH.
Just take a look at this:
"How does FreeSWITCH compare to Asterisk?"
http://www.freeswitch.org/node/117
Re:Complete crap (Score:2, Interesting)
I work in engineering design for an ILEC and admin Asterisk on a day-to-day basis within our test facilities.
I completely agree that Asterisk is not carrier-grade but that doesn't negate the fact that it's being used for carrier-grade applications by many operators.
Hell, most Linux distros aren't carrier grade. We're not arguing that point. I agree completely.
To me, Asterisk is a perfect drop-in replacement for a legacy PBX when serving in-house SIP clients. Perhaps saying the app is enterprise-class is a bit lofty?
Errors in terminology aside... We're on the same side.
FreeSWITCH is nice but doesn't fix the bad admin issue, which is really what the original article is about.
Re:Complete crap (Score:2, Interesting)
DISCLAIMER: I sometimes use Ubuntu Server, so I can't really point any fingers re: CGL.
Be careful, "ok for carrier-grade" isn't the same as being CGL 4.0 compliant. There are only a handful of certified CGLs.
http://www.linuxfoundation.org/collaborate/workgroups/cgl
I've personally had great experiences with Asterisk but we're using it in a completely nonstandard (if there is such a thing) way.
We do a lot of code hacking to emulate customer troubles with presentation, etc.
For us, it's great and filled our needs way better than a commercial offering that would have done the same but with a boatload of cash.
We don't deploy Asterisk as a vendor to clients so I can't comment on production viability.
(Ironically, I just got pinged by some of our security people regarding the latest exploit and now have some code to update.)
Oh yeah: The views expressed in this post (and any other post I've made in this thread) are mine alone and do not necessarily reflect the views of my employer.
Re:Complete crap (Score:3, Interesting)
I remember you... you were that guy that spammed the Asterisk bug tracker saying that people should switch to FreeSWITCH on about 10 different bugs. Nice to see that some things never change.
Re:Complete crap (Score:5, Interesting)
Re:Complete crap (Score:3, Interesting)
I've used Asterisk in installations with tens of thousands of users, and this was probably 4 years ago or so. It certainly wasn't initially designed for it, but it will most certainly do the job if you are willing to put in the work. And it is light years ahead of where it was when I was using it for carrier-grade operations.
Don't get me wrong, there are certainly things that need improvement, especially in the area of being able to do live migrations and failover without dropping calls, but there are some truly massive Asterisk installations out there.
Re:Complete crap (Score:2, Interesting)
I'm beginning to think you are just a jerk. Perhaps it's your interaction with devs that should be called into question?
Some of your bugs look like they got a lot of good attention despite the fact that your reports are terrible...
http://www.google.com/search?q=%22diego.viola%22+site%3Aissues.asterisk.org
Your bug reports are often not well documented or easily duplicated.
I've had excellent traction on bugs and issues from the Asterisk dev teams.
I even go on IRC occasionally and ask really oddball what-if questions that get answered smartly.
Re:Digium says: Protocol, not program (Score:3, Interesting)
John, one of the ways I got people to use "good" passwords is by getting them a YubiKey and setting it to static mode. It then always generates the same password instead of an OTP, but it's a very long one, and as it pretends to be a keyboard it types it in itself. The challenge is always to make it long enough to be safe, but short enough to actually fit in the entry field.
It is a simple way to both SET a decent password and to preserve that setting in something other than a file.
Just a tip, and no, I don't work for Yubico. I just got one to play with and I like it (must go and buy some).
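As an added illustration of the "good passwords" point above (example code written for this page, not from the thread, Digium or the Asterisk project), here is a small Python audit of SIP peer secrets in an Asterisk sip.conf-style file; the sample config, the 12-character minimum and the default-password list are constructed assumptions, not Asterisk settings.

```python
import re
# Constructed sip.conf-style sample for this example; not taken from the thread.
SAMPLE_SIP_CONF = """
[general]
[1001]
secret=1001
[1002]
secret=password
[1003]
secret=k7!Qz9$wLp2#vR8mT4nB
[1004]
secret=98765432
"""
MIN_LENGTH = 12  # assumed local policy, not an Asterisk setting
COMMON_DEFAULTS = {"password", "1234", "secret", "asterisk", "admin"}

def parse_peers(text):
    """Map each [section] to its key=value pairs; blank lines and ; comments are skipped."""
    peers, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        m = re.fullmatch(r"\[([^\]]+)\]", line)
        if m:
            current = m.group(1)
            peers[current] = {}
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            peers[current][key.strip()] = value.strip()
    return peers

def audit_secrets(text, min_length=MIN_LENGTH):
    """Return sorted (peer, reason) pairs for every peer whose SIP secret is missing or weak."""
    findings = []
    for name, opts in parse_peers(text).items():
        if name == "general":  # global options, not a peer
            continue
        secret = opts.get("secret")
        if secret is None:
            findings.append((name, "no secret set"))
        elif secret.lower() in COMMON_DEFAULTS:
            findings.append((name, "common default secret"))
        elif secret == name:
            findings.append((name, "secret equals peer name"))
        elif secret.isdigit():
            findings.append((name, "numeric-only secret"))
        elif len(secret) < min_length:
            findings.append((name, f"shorter than {min_length} characters"))
    return sorted(findings)
```

Run against a real sip.conf by passing its contents to `audit_secrets`; peers that pass every check are simply absent from the result.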