[asterisk-biz] Any installations in European Consulates or Embassies?

lists at contacttel.com
Tue Sep 1 13:04:28 CDT 2009


Just got a client call about unauthorized calls, logged in to his system and
this is what I saw.

SSH port forwarded to a freepbx box
Default user/pass for mysql/web/ssh

User created peers in mysql directly and then changed ssh pass

All peers that were on were 104/104, 105/105, etc.

SIP anon yes..

That's the default install

If you give a loaded gun to a guy who has never used one, without instructions, he
will surely shoot himself before he learns to put the safety on.

But ain't that the purpose of mass distributing a commercial (support part)
Swiss army knife telecom platform?

Why doesn't FreePBX come with FORCED password changes on install?? I guess
$150 an hour support is better than no support at all, right?

http://www.freepbx.org/support-and-professional-services

There are also Perl and Python scanners out there that do:

Scan ranges of IPs for SIP, scan them for default SSH/SIP user/passes, and
create an Asterisk sip.conf with these as well as the extensions for those.

All the wanna-be hacker has to do next is mass dial and use unauthorized
boxes... 99.5% are all trixbox/FreePBX etc.

But hey.. 99% of all stats are made up.

>>-----Original Message-----
>>From: asterisk-biz-bounces at lists.digium.com [mailto:asterisk-biz-
>>bounces at lists.digium.com] On Behalf Of John Todd
>>Sent: September-01-09 11:59 AM
>>To: Commercial and Business-Oriented Asterisk Discussion
>>Subject: Re: [asterisk-biz] Any installations in European Consulates or
>>Embassies?
>>
>>
>>Well, I think that's a bit far-fetched. Really, really far-fetched.
>>Random fishing expeditions for vendors of PBX platforms, which are
>>going to be on private networks, is inefficient to the point of zero
>>returns.  There are so many other layers of security that have to be
>>penetrated before the concept of "Asterisk" is a security element that
>>is even considered...  If you've seen embassy telecommunications
>>systems in any security-minded nation, you'd understand that vendor
>>identity for primary platform isn't a serious consideration.
>>
>>JT
>>
>>
>>On Sep 1, 2009, at 2:43 AM, C. Savinovich wrote:
>>
>>> I would be so paranoid... what if they want that information to see
>>> what embassies can be hacked?
>>>
>>> CS
>>>
>>> -----Original Message-----
>>> From: asterisk-biz-bounces at lists.digium.com
>>> [mailto:asterisk-biz-bounces at lists.digium.com] On Behalf Of John Todd
>>> Sent: Tuesday, September 01, 2009 6:53 PM
>>> To: Commercial and Business-Oriented Asterisk Discussion
>>> Subject: [asterisk-biz] Any installations in European Consulates or
>>> Embassies?
>>>
>>>
>>> I've got a rather unusual request to discover if any European
>>> Consulates are running Asterisk as their PBX platform.  For that matter,
>>> are there any embassies that could step forward?  This is for a private
>>> query (by another consulate) and replies may be privately held if
>>> requested, other than informing the end user.  Or they may be public,
>>> which would be preferred so we can get various government agencies on
>>> the list of reference-able sites.
>>>
>>> JT
>>>
>>
>>---
>>John Todd                       email:jtodd at digium.com
>>Digium, Inc. | Asterisk Open Source Community Director
>>445 Jan Davis Drive NW -  Huntsville AL 35806  -   USA
>>direct: +1-256-428-6083         http://www.digium.com/
>>
>>
>>
>>
>>_______________________________________________
>>--Bandwidth and Colocation Provided by http://www.api-digital.com--
>>
>>AstriCon 2009 - October 13 - 15 Phoenix, Arizona
>>Register Now: http://www.astricon.net
>>
>>asterisk-biz mailing list
>>To UNSUBSCRIBE or update options visit:
>>   http://lists.digium.com/mailman/listinfo/asterisk-biz
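A defender-side check for the misconfiguration described at the top of this thread (anonymous SIP left on, peers whose secret is just their extension number). This is an added example, not code from the post, from FreePBX or from the scanners mentioned; it parses a sip.conf-style file and flags those settings, and the sample config is constructed.

```python
# Constructed sample sip.conf mirroring the compromised box in the post: anonymous SIP
# left on and peers 104/105 whose secret is just their extension number.
SAMPLE_SIP_CONF = """
[general]
allowguest=yes        ; "Sip anon yes"

[104]
secret=104

[105]
secret => 105

[201]
secret=Xk9-2Lm7pQ4z
"""

def parse_asterisk_conf(text):
    """Parse Asterisk-style config into {section: [(key, value), ...]}, keeping repeated keys."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()          # drop ; comments and whitespace
        if not line:
            continue
        if line.startswith("[") and "]" in line:
            current = line[1:line.index("]")]         # ignores template suffixes like (!)
            sections.setdefault(current, [])
        elif current is not None:
            key, found, value = line.partition("=>" if "=>" in line else "=")
            if found:
                sections[current].append((key.strip(), value.strip()))
    return sections

def audit_sip_conf(text):
    """Return (section, finding) pairs for the weak settings the post describes."""
    sections = parse_asterisk_conf(text)
    findings = []
    if dict(sections.get("general", [])).get("allowguest", "").lower() != "no":
        findings.append(("general", "allowguest not set to no"))
    for name, opts in sections.items():
        if name == "general":
            continue
        secret = dict(opts).get("secret", "")
        if secret == name:
            findings.append((name, "secret equals peer name"))
        elif not secret or secret.isdigit() or len(secret) < 8:
            findings.append((name, "missing or weak secret"))
    return findings
```

Run `audit_sip_conf` over a real sip.conf (or the sip_additional.conf FreePBX generates) to list peers that need a new secret before the box is exposed.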