[asterisk-dev] IC3/FBI security announcement - your help needed
John Todd
jtodd at digium.com
Mon Dec 8 19:11:02 CST 2008

On Friday, the IC3 (FBI/NW3C/BJA) put out a security advisory on their
website that contained a fairly vaguely worded warning about Asterisk
systems being compromised and then being used as "vishing" (voice
phishing) platforms. They were non-specific on the threat other than
to advocate upgrading to "newer versions" of Asterisk. This
announcement was done on Friday late afternoon, just as everyone was
leaving for the weekend, which left us leaving frantic messages with
various IC3 voicemail system dead ends and emails to generic-sounding
accounts.

The delay in any authoritative information from IC3 quickly created a
guessing game in the blogger and press community as to what was
exactly the vulnerability and what were the details of this threat.
The speculation here at Digium was that this was just a re-statement
of an older bug from earlier this year, or it could have been entirely
unrelated to Asterisk and just been a case of mis-diagnosis of poor
password control.

It turns out that we were correct on our first guess: this is not a
new problem, and furthermore is a difficult vulnerability to exploit
even on those systems that are unpatched - it would require fairly
purposeful configuration to expose the system to a "vishing" abuse
method, so it is probably the case that this was a very isolated
event. We spoke with IC3 agents earlier today, and they have updated
the alert to contain the correct warning (AST-2008-003) which was
their original intent.

There is a more complete description of the incident on the Digium
blog site:
http://blogs.digium.com/2008/12/06/sip-security-and-asterisk/

Other links:
AST-2008-003 - http://www.asterisk.org/node/48466
Revised IC3 announcement - http://www.ic3.gov/media/2008/081205-2.aspx

WHAT YOU CAN DO:
Unfortunately, the news of security risks spreads faster than the
news of a non-issue - secure systems aren't "stories" so I expect it
will be an uphill effort to update all the sites which copied or
re-blogged the IC3 story initially. We would very much like to enlist
the community to have you try to post where you can the link to the
Digium blog above - it would help keep misperceptions from becoming
part of the permanent data landscape as things get slowly archived
into Google-able snippets. Post in the "Comments" sections of any
blogs you see linking to this story, or put your own $.02 in as you
see fit. We'd like to keep good relations with the IC3 and FBI, and
we understand how this kind of mistake can happen (even though we're
uncomfortable with the results) so please set your flamethrowers on
"warm" instead of "scorch" if you choose to weigh in on the topic
yourself.

If anyone has questions regarding this issue, please feel free to
contact me via email or phone to discuss.

JT
---
John Todd
jtodd at digium.com +1-256-428-6083
Asterisk Open Source Community Director