[asterisk-users] fraud advice

Steve Totaro stotaro at totarotechnologies.com
Fri Oct 15 10:20:28 CDT 2010


On Fri, Oct 15, 2010 at 10:29 AM, Steve Edwards
<asterisk.org at sedwards.com> wrote:
> On Thu, 14 Oct 2010, bruce bruce wrote:
>
>> But it also sickens me at how badly Asterisk is made to not cope with
>> situations like this and worse than that is FreePBX.
>
> Kind of like blaming the gun manufacturer instead of the criminal with
> their finger on the trigger?
>
> Is there some gaping hole in Asterisk security or are you just asleep at
> the wheel?
>
> --
> Thanks in advance,
> -------------------------------------------------------------------------
> Steve Edwards       sedwards at sedwards.com      Voice: +1-760-468-3867 PST
> Newline                                              Fax: +1-760-731-3000
>

This is nothing new.  Trunk to trunk transfers and other exploits
could be used on old school phone systems to do the same thing.

I would start with getting the current balance; if over $10k, call the
FBI.  Call them anyways, it couldn't hurt.  You want the Feds to check
things out before local police if possible.

Gather as much info as possible, along with police and FBI case
numbers and then call the carrier and see what can be done.

A friend of mine took what was supposed to be my one month rotation to
Iraq.  I had too much going on to be in Iraq for a month and a half
and had taken the last rotation so it wasn't even my turn.

The phone bill came for his cell (company provided on Asia Cell) for
$4k in just a couple weeks.  It turns out that he was not using the
cell and one of the cleaning people stole his SIM.

After contacting Asia Cell a few times about the matter, they credited
the whole amount back.  So you never know.

As for security, I assume you need to allow these extensions to
register from outside the LAN?  If not, then only allow them to
register via a LAN IP.  I would do it with iptables: only allow the
provider IP through.

I am curious what your user:pass was.  Something like 1000:1000?  I see
many systems set up like this and am surprised they haven't been hit
yet.

In the future, you could use a scheme that makes it much more secure
and also pretty easy to maintain.

The username could be the MAC and the pass could be the serial number
or asset tags if you use them.

I know there must be dozens of people reading this that have had the
same issue but are embarrassed to speak up.

(BTW Sierra Leone is in West Africa, not the Middle East.)

Thanks,
Steve T
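
An added example, not part of the original post: a small audit of chan_sip peer definitions for the two weaknesses the message raises, a secret like 1000:1000 and registration allowed from any address. It assumes the standard sip.conf option names (secret, host, deny, permit) and uses Asterisk's per-peer permit/deny ACL as the thing to check, where the post suggests iptables; the function names, sample file and 12-character threshold are constructed for illustration.

```python
import re

# Constructed sample, trimmed to the options the audit reads; not from the thread.
SAMPLE_SIP_CONF = """\
[1000]
host=dynamic
secret=1000
[1001]
host=dynamic
secret=48151623
deny=0.0.0.0/0.0.0.0
permit=192.168.1.0/255.255.255.0
[0004f2a1b2c3]
host=dynamic
secret=Zx9-TAG-7Q2M-serial
deny=0.0.0.0/0.0.0.0
permit=192.168.1.0/255.255.255.0
"""

def parse_sections(text):
    """Return {section: {key: last value}} for a sip.conf-style file."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()  # ';' starts a comment
        header = re.fullmatch(r"\[([^\]]+)\](\(.*\))?", line)
        if header:
            current = sections.setdefault(header.group(1), {})
        elif current is not None and "=" in line:
            key, value = line.split("=", 1)
            current[key.strip().lower()] = value.lstrip(">").strip()
    return sections

def audit(text, min_len=12):
    """Return (peer, issue) pairs for weak secrets and missing ACLs."""
    findings = []
    for name, opts in parse_sections(text).items():
        secret = opts.get("secret", "")
        checks = [
            (secret == name, "secret equals username"),
            (secret.isdigit(), "digits-only secret"),
            (len(secret) < min_len, f"secret shorter than {min_len}"),
            (opts.get("host") == "dynamic" and "permit" not in opts, "no permit ACL"),
        ]
        if "host" in opts:  # skip [general] and other non-peer sections
            findings += [(name, issue) for hit, issue in checks if hit]
    return findings

if __name__ == "__main__":
    print(*(f"{p}: {i}" for p, i in audit(SAMPLE_SIP_CONF)), sep="\n")
```

Comment stripping at ';' is deliberately simple, so a secret that itself contains ';' would be read as truncated.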