[asterisk-biz] PBX got Hacked

Kristian Kielhofner kristian.kielhofner at gmail.com
Thu Mar 12 11:41:31 CDT 2009


On Thu, Mar 12, 2009 at 11:40 AM, Peter Beckman <beckman at angryox.com> wrote:
>
>  The problem for which this thread was started -- insecure and bad
>  passwords and possibly lack of monitoring for brute force password
>  breaking attempts leading to unauthorized users making costly phone calls
>  via someone's Asterisk install -- cannot be fixed by Olle or Digium or
>  Asterisk.
>
>  The simple matter is -- unless you secure your box properly, and set some
>  really good not-easily-guessable passwords, you are screwed no matter HOW
>  secure Olle and Digium make Asterisk.  Changing from MD5 to SHA won't fix
>  the fact that the username is 1000 and the password is 1000.  Even TLS
>  doesn't fix the problem -- you're still using your dumbass password over a
>  secure link.  The solution is either using strong passwords or use
>  Certificate-only key-based authentication (SSH does it, not sure what else
>  does, but I don't think SIP).

  SIP+TLS can in fact do this (X.509/PKI/cert auth) but it remains to
be seen how widely this is (will be?) deployed.  I myself would advise
a "belt and suspenders" approach where you had some decent cert/key
management on top of strong password auth (once the channel has been
secured via TLS, obviously).  To even be able to start the INVITE/407
interaction one would have to establish the secure TLS channel.  That
will cut down on all but the most deliberate and targeted attacks.

  CAs, keys, and key revocation are probably beyond what most people
want to do for a secure SIP install.  I don't think we can expect
people to widely deploy this anytime soon.  Even if you share a
private key on all of your clients you still have the
revocation/reissue/web of trust issues in the event one of them
becomes compromised.

  The good news is there is already a large infrastructure for all of
this (HTTPS uses the same mechanisms, after all) and a lot of the CA
related infrastructure and understanding is already present.

>  Summary: Stop whining and blaming Digium or Asterisk or VoIP-info Wiki or
>  someone else for thou's dumb-ass decision to use weak-ass passwords and
>  take full responsibility for thou's bad decisions and bad configuration
>  which led to your financial loss.

  Word.  If you don't have the understanding to appreciate how
financially vulnerable you can be connecting telephony to the internet
(or any network), at least have the responsibility (to yourself, your
clients, and the world) to hire someone who does.

-- 
Kristian Kielhofner
http://blog.krisk.org
http://www.submityoursip.com
http://www.astlinux.org
http://www.star2star.com
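As an added illustration of the brute-force monitoring the quoted message says is often missing (this is not code from the thread or from Asterisk): a small Python script that parses failed-REGISTER lines from the Asterisk "messages" log and flags any source address that exceeds a failure threshold inside a sliding time window. The log lines are constructed samples, the exact chan_sip wording is an assumption, and the year is supplied because the log timestamps carry none.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (not from the thread), in the wording chan_sip
# writes to the Asterisk "messages" log on a failed REGISTER (assumption).
SAMPLE_LOG = """\
[Mar 12 11:30:01] NOTICE[2291] chan_sip.c: Registration from '"1000" <sip:1000@pbx.example>' failed for '203.0.113.5' - Wrong password
[Mar 12 11:30:04] NOTICE[2291] chan_sip.c: Registration from '"1000" <sip:1000@pbx.example>' failed for '203.0.113.5' - Wrong password
[Mar 12 11:30:09] NOTICE[2291] chan_sip.c: Registration from '"1001" <sip:1001@pbx.example>' failed for '203.0.113.5' - No matching peer found
[Mar 12 11:30:12] NOTICE[2291] chan_sip.c: Registration from '"201" <sip:201@pbx.example>' failed for '198.51.100.7' - Wrong password
[Mar 12 11:30:15] NOTICE[2291] chan_sip.c: Registration from '"1002" <sip:1002@pbx.example>' failed for '203.0.113.5' - No matching peer found
[Mar 12 11:30:20] NOTICE[2291] chan_sip.c: Registration from '"1003" <sip:1003@pbx.example>' failed for '203.0.113.5' - No matching peer found
[Mar 12 11:30:25] NOTICE[2291] chan_sip.c: Registration from '"1004" <sip:1004@pbx.example>' failed for '203.0.113.5' - Wrong password
"""

LINE_RE = re.compile(
    r"^\[(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d)\] NOTICE\[\d+\] chan_sip\.c: "
    r"Registration from '(?P<user>[^']*)' failed for '(?P<ip>[^']+)' - (?P<reason>.+)$"
)

def parse_failures(text, year=2009):
    """Return (timestamp, source_ip, reason) for each failed-registration line."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # unrelated log line
        mon, day, clock = m.group("ts").split()
        ts = datetime.strptime(f"{year} {mon} {day} {clock}", "%Y %b %d %H:%M:%S")
        # strip the ':port' suffix that newer chan_sip versions append to the address
        events.append((ts, m.group("ip").split(":")[0], m.group("reason")))
    return events

def find_brute_force(events, threshold=5, window=timedelta(seconds=60)):
    """Map source IP -> peak failure count within any `window`, for IPs at/over threshold."""
    by_ip = defaultdict(list)
    for ts, ip, _ in events:
        by_ip[ip].append(ts)
    flagged = {}
    for ip, times in by_ip.items():
        times.sort()
        start, peak = 0, 0
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1  # slide the window forward
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            flagged[ip] = peak
    return flagged

if __name__ == "__main__":
    for ip, n in find_brute_force(parse_failures(SAMPLE_LOG)).items():
        print(f"{ip}: {n} failed registrations within 60s")
```

Feeding the flagged addresses to a firewall rule is the same loop that tools such as fail2ban automate; the point here is that a weak secret like 1000/1000 falls to a handful of guesses, so the threshold has to be low and the response fast.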