[Asterisk-Dev] Security issue mumblings

Andrew Latham lathama at gmail.com
Sun Nov 6 16:35:06 MST 2005


John

Telecomm security is a wash at best. Most transport protocols are
unencrypted (I acknowledge the advancements, small as they are). The
guts of this is that some older and still unpatched switches and
general processes in major telcos are targets once again. Asterisk is
a PBX/Switch replacement and the Digium contacts in the story make
sure to let that shine. The gateway or PSTN is where the trouble can
happen.

As far as hacks on them I would say that they fall in the following list.

1. Default Passwords
2. Unsecured Transports
3. DNS Redirects
4. Social Engineering
5. Unpatched Systems

Lets not forget the media spewing its _unconfirmed_ reports. Ten years
down the road when DUNDi is everywhere and one system on it gets
_p0wn3d_ then the news report will state that "VoIP Telephony Network
Fails".


Andrew


On 11/6/05, John Todd <jtodd at loligo.com> wrote:
> [sent to -dev first to avoid total devolution into wild speculation
> and nonsense on -users]
>
> http://www.accessintel.com/cgi-bin/press/show.cgi?1130972376
>
> Can anyone here speak more clearly on this otherwise un-useful list
> of assertions as to "security flaws with VoIP" specifically
> referencing Asterisk?  The lack of a protocol discussion is
> suspicious - VoIP is not homogenous.  The other term of "billing
> code" is also suspicious - I can't recall a "billing code" field in
> my SIP packets.  CCM is mentioned - is this an SCCP issue?
>
> Perhaps most importantly (and relevant to -dev) is this an issue that
> can be resolved or patched within Asterisk, or is it that Asterisk is
> being used as the toolset to wedge into other platforms?
>
> Please respond to this post with real data if you have it; guesses
> and speculation are just noise.
>
> JT
> _______________________________________________
> Asterisk-Dev mailing list
> Asterisk-Dev at lists.digium.com
> http://lists.digium.com/mailman/listinfo/asterisk-dev
> To UNSUBSCRIBE or update options visit:
>    http://lists.digium.com/mailman/listinfo/asterisk-dev
>


--
---
Andrew Latham - AKA: LATHAMA (lay-th-ham-eh)
lathama at lathama.com - lathama at yahoo.com - lathama at gmail.com
If any of the above are down we have bigger problems than my email!
---



More information about the asterisk-dev mailing list