[asterisk-dev] New Feature Idea
Nir Simionovich
nir.simionovich at gmail.com
Sun Sep 26 06:11:31 CDT 2010
Hi All,
As some of you know, I'm currently involved in developing an
Anti-Fraud system.
I've recently analyzed an Asterisk hack that happened about 2 weeks ago.
The hack
involved the hacking of the "asterisk-config" tool via an insecure
website, then
adding a new context with "NoCDR" application in it.
This introduced a very interesting problem. Asterisk enables calls to
traverse without
CDR's being created what so ever. I believe the the NoCDR application
should have a small
config file indicating if no CDR are created, or if only manager events
of CDRs are sent out.
If someone disables CDRs completely, then if they get hacked and there
is no record,
it's their responsibility - however, the default should generate manager
events at least.
If you then go about an connect an external system, at least that one
should have some
visibility of it.
What do you think?
Regards,
Nir S
More information about the asterisk-dev
mailing list