[asterisk-biz] PBX got Hacked

Peter Beckman beckman at angryox.com
Thu Mar 12 10:40:40 CDT 2009


On Thu, 12 Mar 2009, Olle E. Johansson wrote:

> To clarify: The password is never sent over the wire. It's a challenge-
> response authentication mechanism that sends a MD5 digest of a
> combination of data sent in clear text and a shared secret that is not
> sent at all ("password").
>
> I see two other alternatives:
>
> - TLS authentication. This requires a lot of certificate/key pair
>   management.
> - Stronger challenge-response by moving away from MD5 to SHAxxx.

  The problem for which this thread was started -- insecure and bad
  passwords and possibly lack of monitoring for brute force password
  breaking attempts leading to unauthorized users making costly phone calls
  via someone's Asterisk install -- cannot be fixed by Olle or Digium or
  Asterisk.

  The simple matter is -- unless you secure your box properly, and set some
  really good not-easily-guessable passwords, you are screwed no matter HOW
  secure Olle and Digium make Asterisk.  Changing from MD5 to SHA won't fix
  the fact that the username is 1000 and the password is 1000.  Even TLS
  doesn't fix the problem -- you're still using your dumbass password over a
  secure link.  The solution is either using strong passwords or using
  Certificate-only key-based authentication (SSH does it, not sure what else
  does, but I don't think SIP).

  Summary: Stop whining and blaming Digium or Asterisk or VoIP-info Wiki or
  someone else for thou's dumb-ass decision to use weak-ass passwords and
  take full responsibility for thou's bad decisions and bad configuration
  which led to your financial loss.

Beckman, who is SICK of lazy people blaming others when something bad
happens.  Yet is amused... :-)

PS -- VIP Carrier (Subject: PBX got Hacked [1]), who started this thread,
     clearly believed that the software was to blame, without any proof.  As a
     security professional, this standpoint is fully misguided. There are SOOOO
     many ways to gain access to a system.  He/she demonstrated that he used
     strong passwords for SIP auth [2], but not so good for VM.  Could they have
     used the VM password to get around some security?  Maybe the web GUI
     password was still the default.  Maybe there was some configuration
     that allowed them to get in, that was recommended to be changed.  Maybe
     the OS had a security flaw that let them in.  And maybe it WAS the
     software.

     But to get angry and point at the software before you know what happened is
     just plain rude and indicates a clear non-understanding of how software and
     the internet works.  Most hacks to gain access are NOT buffer overflows,
     but insecure configurations or social engineering.  How do you know that
     you or one of your customer service reps didn't give out the information to
     the wrong person accidentally?

PPS -- In contrast, C F (Subject: Fraud Alert) [3] did it right.  He explained what
     happened, what he did to troubleshoot, and took responsibility for the
     mistake.  C F, I applaud and admire you.

References: 
[1] http://lists.digium.com/pipermail/asterisk-biz/2009-February/029481.html
[2] http://lists.digium.com/pipermail/asterisk-biz/2009-February/029494.html
[3] http://lists.digium.com/pipermail/asterisk-biz/2009-February/029679.html

---------------------------------------------------------------------------
Peter Beckman                                                  Internet Guy
beckman at angryox.com                                 http://www.angryox.com/
---------------------------------------------------------------------------
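The "username is 1000 and password is 1000" problem above is something an administrator can check for mechanically before an attacker does. The following audit script is an added example, not part of the original post or of Asterisk; it parses a constructed sip.conf fragment (the peers and secrets are made up) and flags peers whose secret equals the peer name, is all digits, is shorter than an assumed 12-character minimum, or is missing.

```python
import configparser

# Constructed sip.conf fragment for demonstration only (not from the post).
# Peer [1000] reproduces the weak "1000/1000" case; [sales-trunk] is strong.
SAMPLE_SIP_CONF = """
[general]
context=default
allowguest=no

[1000]
type=friend
secret=1000
context=internal

[1001]
type=friend
secret=123456
context=internal

[sales-trunk]
type=peer
secret=Vq7!mZp2rLw9#Kd4Ht
host=dynamic
"""

MIN_LENGTH = 12  # assumed policy value, not an Asterisk default


def audit_sip_secrets(conf_text, min_length=MIN_LENGTH):
    """Return {peer_name: [findings]} for every peer whose secret is weak.

    Uses configparser because sip.conf is INI-like; ';' comments are
    handled, but Asterisk templates ("[name](!)") and #include lines are
    not, so run it on plain peer definitions.
    """
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    parser.read_string(conf_text)
    findings = {}
    for peer in parser.sections():
        if peer == "general":
            continue  # not a peer definition
        secret = parser.get(peer, "secret", fallback=None)
        problems = []
        if secret is None:
            problems.append("no secret set")
        else:
            if secret == peer:
                problems.append("secret equals peer name")
            if secret.isdigit():
                problems.append("secret is all digits")
            if len(secret) < min_length:
                problems.append(f"secret shorter than {min_length} chars")
        if problems:
            findings[peer] = problems
    return findings


if __name__ == "__main__":
    for peer, problems in audit_sip_secrets(SAMPLE_SIP_CONF).items():
        print(f"[{peer}]: " + "; ".join(problems))
```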


