[asterisk-biz] IC3/FBI security announcement - your help needed
John Todd
jtodd at digium.com
Mon Dec 8 19:11:02 CST 2008
On Friday, the IC3 (FBI/NW3C/BJA) put out a security advisory on their
website that contained a fairly vaguely worded warning about Asterisk
systems being compromised and then being used as "vishing" (voice
phishing) platforms. They were non-specific on the threat other than
to advocate upgrading to "newer versions" of Asterisk. This
announcement was done on Friday late afternoon, just as everyone was
leaving for the weekend, which left us leaving frantic messages with
various IC3 voicemail system deadends and emails to generic-sounding
accounts.
The delay in any authoritative information from IC3 quickly created a
guessing game in the blogger and press community as to what was
exactly the vulnerability and what were the details of this threat.
The speculation here at Digium was that this was just a re-statement
of an older bug from earlier this year, or it could have been entirely
unrelated to Asterisk and just been a case of mis-diagnosis of poor
password control.
It turns out that we were correct on our first guess: this is not a
new problem, and furthermore is a difficult vulnerability to exploit
even on those systems that are unpatched - it would require fairly
purposeful configuration to expose the system to a "vishing" abuse
method, so it is probably the case that this was a very isolated
event. We spoke with IC3 agents earlier today, and they have updated
the alert to contain the correct warning (AST-2008-003) which was
their original intent.
There is a more complete description of the incident on the Digium
blog site:
http://blogs.digium.com/2008/12/06/sip-security-and-asterisk/
Other links:
AST-2008-003 - http://www.asterisk.org/node/48466
Revised IC3 announcement - http://www.ic3.gov/media/2008/081205-2.aspx
WHAT YOU CAN DO:
Unfortunately, the news of security risks spreads faster than the
news of a non-issue - secure systems aren't "stories" so I expect it
will be an uphill effort to update all the sites which copied or re-
blogged the IC3 story initially. We would very much like to enlist
the community to have you try to post where you can the link to the
Digium blog above - it would help keep misperceptions from becoming
part of the permanent data landscape as things get slowly archived
into Google-able snippets. Post in the "Comments" sections of any
blogs you see linking to this story, or put your own $.02 in as you
see fit. We'd like to keep good relations with the IC3 and FBI, and
we understand how this kind of mistake can happen (even though we're
uncomfortable with the results) so please set your flamethrowers on
"warm" instead of "scorch" if you choose to weigh in on the topic
yourself.
If anyone has questions regarding this issue, please feel free to
contact me via email or phone to discuss.
JT
---
John Todd
jtodd at digium.com +1-256-428-6083
Asterisk Open Source Community Director
More information about the asterisk-biz
mailing list