[asterisk-security] Sometimes, Reality is far more scary? (Hugh McLenaghan)

Eric Klein eric.klein at greenfieldtech.net
Wed Oct 16 08:06:45 CDT 2013


Hugh,

I am not sure about the legality of contacting the people with publicly
accessible unprotected devices. Even if we could identify the (responsible)
person, and their email, those kinds of mails usually need to be done as opt-in. As we
discussed at Astricon there is a fine line between letting people know
about a general problem and being perceived as being responsible for it.
Someone even suggested that Digium create a database and let users know,
but we were all sure that their legal department would not approve it.
Hence putting it here in the mailing list.

As to these unprotected phones not affecting us, in most cases I would
disagree. These phones are either:
1 - potential fraud point on our customer/company networks
2 - potentially able to be used to hit other networks of our customer/company

Education and proper configuration seem to be the only option.

Eric

----------------------------------------------------------------------
>
> Message: 1
> Date: Mon, 14 Oct 2013 18:13:43 -0500
> From: Hugh McLenaghan <hughmcl at hotmail.com>
> To: "asterisk-security at lists.digium.com"
>         <asterisk-security at lists.digium.com>
> Subject: Re: [asterisk-security] Sometimes, Reality is far more scary?
> Message-ID: <BAY172-W227D6BC6A94E52090C622FBF1A0 at phx.gbl>
> Content-Type: text/plain; charset="iso-8859-1"
>
>
> It is definitely scary how many IP phone devices out there are unprotected
> and have their credentials easily crackable.  Luckily most of the people
> that were at the convention are there for good purposes.   Just think what
> kind of damage can be done if the information gets into the wrong
> hands.   Of course the information is readily accessible, but at the moment
> I don't think that those who do damage know about the site in the blog.
>
> I'm wondering if it would be smart to set up a communication network to
> notify or at least assist in notifying all those people with unprotected
> devices on the internet.  I for one, would be interested and willing to
> participate in such a 'movement' or security move.   Of course I don't want
> to get in trouble for attempting to hack which is the other downside here,
> in that although we're wanting to do this for good, it may end up
> hurting us.
>
> These easily hackable devices may not directly affect us; however, at some
> point they will, as those who have those devices might end up using our
> networks, and then we'd also be the targets of these attacks.
>
> Thoughts?
>
>             Hugh McLenaghan
>
>
>