[asterisk-dev] New Feature Idea

Nir Simionovich nir.simionovich at gmail.com
Sun Sep 26 06:11:31 CDT 2010


  Hi All,

   As some of you know, I'm currently involved in developing an 
Anti-Fraud system.
I've recently analyzed an Asterisk hack that happened about 2 weeks ago. 
The hack
involved the hacking of the "asterisk-config" tool via an insecure 
website, then
adding a new context with "NoCDR" application in it.

   This introduced a very interesting problem. Asterisk enables calls to 
traverse without
CDR's being created what so ever. I believe the the NoCDR application 
should have a small
config file indicating if no CDR are created, or if only manager events 
of CDRs are sent out.
If someone disables CDRs completely, then if they get hacked and there 
is no record,
it's their responsibility - however, the default should generate manager 
events at least.
If you then go about an connect an external system, at least that one 
should have some
visibility of it.

   What do you think?

Regards,
   Nir S



More information about the asterisk-dev mailing list