[asterisk-biz] PBX got Hacked

Peter Beckman beckman at angryox.com
Thu Mar 12 15:01:13 CDT 2009


On Thu, 12 Mar 2009, Kristian Kielhofner wrote:

> On Thu, Mar 12, 2009 at 11:40 AM, Peter Beckman <beckman at angryox.com> wrote:
>>
>>  The simple matter is -- unless you secure your box properly, and set some
>>  really good not-easily-guessable passwords, you are screwed no matter HOW
>>  secure Olle and Digium make Asterisk.  Changing from MD5 to SHA won't fix
>>  the fact that the username is 1000 and the password is 1000.  Even TLS
>>  doesn't fix the problem -- you're still using your dumbass password over a
>>  secure link.  The solution is either using strong passwords or using
>>  Certificate-only key-based authentication (SSH does it, not sure what else
>>  does, but I don't think SIP).
>
> SIP+TLS can in fact do this (X.509/PKI/cert auth) but it remains to
> be seen how widely this is (will be?) deployed.

  I'm guessing unless forced, admins will continue to use bad passwords
  rather than learn how to use certificates (if indeed they are supported on
  ATAs and SIP devices, which I'm unsure about) to secure their devices.

> That will cut down on all but the most deliberate and targeted attacks.

  If you used certificate based auth, you couldn't even start the TLS
  negotiation.  Brute-forcing certs is, AFAIK, really, really difficult,
  like billions of years.

> CAs, keys, and key revocation are probably beyond what most people want
> to do for a secure SIP install.  I don't think we can expect people to
> widely deploy this anytime soon.  Even if you share a private key on all
> of your clients you still have the revocation/reissue/web of trust issues
> in the event one of them becomes compromised.

  Completely agree.  SSH allows me to create a public/private keypair, then
  I can authenticate using that keypair.  No CAs or anything like that.
  It's not about trust, it's about preventing an unauthorized party from
  connecting to your Asterisk server and making fraudulent calls.

> Word.  If you don't have the understanding to appreciate how
> financially vulnerable you can be connecting telephony to the internet
> (or any network) at least have the responsibility (to yourself, your
> clients, and the world) to at least hire someone who does.

  We are in full agreement!  I'll do it for $150/hour. :-)

Beckman
---------------------------------------------------------------------------
Peter Beckman                                                  Internet Guy
beckman at angryox.com                                 http://www.angryox.com/
---------------------------------------------------------------------------
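A defender-side check for the "username 1000, password 1000" problem the thread describes: an added example (not code from the list or from Asterisk) that parses a sip.conf-style file and flags guessable secrets. The sample config is constructed, and the 12-character minimum is an assumed policy threshold rather than an Asterisk default.

```python
import re

MIN_SECRET_LEN = 12  # assumed policy threshold, not an Asterisk default
COMMON_DEFAULTS = {"password", "1234", "admin", "asterisk"}

# Constructed sample sip.conf; the peers and secrets are made up for this demo.
SAMPLE_SIP_CONF = """
[1000]
type=friend
secret=1000        ; username and password identical, as in the thread
host=dynamic
[1002]
type=friend
secret=Vx9!qL2#mT7rWz
host=dynamic
"""

def parse_sip_conf(text):
    """Minimal [section] / key=value parser; drops ';' comments and (!) template markers."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()
        if line.startswith("["):
            current = line[1:line.index("]")]
            sections.setdefault(current, {})
        elif line and current is not None and "=" in line:
            key, value = re.split(r"\s*=>?\s*", line, maxsplit=1)
            sections[current][key] = value
    return sections

def audit_secrets(text):
    """Return {peer: [reasons]} for every friend/peer/user whose secret looks guessable."""
    findings = {}
    for name, opts in parse_sip_conf(text).items():
        if opts.get("type") not in ("friend", "peer", "user"):
            continue
        secret = opts.get("secret", "")  # a missing secret is treated as empty
        reasons = []
        if secret == name:
            reasons.append("secret equals username")
        if secret.isdigit():
            reasons.append("digits only")
        if len(secret) < MIN_SECRET_LEN:
            reasons.append("shorter than %d chars" % MIN_SECRET_LEN)
        if secret.lower() in COMMON_DEFAULTS:
            reasons.append("common default value")
        if reasons:
            findings[name] = reasons
    return findings
```

Run it against a real sip.conf before exposing the box to the internet; any peer it reports is one a password guesser will find long before a certificate brute-force would.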

