[*] [Fwd: [asterisk-dev] IC3/FBI security announcement - your help needed]

John Lange john at johnlange.ca
Tue Dec 9 09:20:38 CST 2008


This FBI security alert generated some traffic on the Asterisk lists
over the weekend so I thought I'd forward along the official updated
information from Digium.

-- 
John Lange
www.johnlange.ca


-------- Forwarded Message --------
> From: John Todd <jtodd at digium.com>
> Reply-to: Asterisk Developers Mailing List
> <asterisk-dev at lists.digium.com>
> To: Asterisk Users Mailing List - Non-Commercial Discussion
> <asterisk-users at lists.digium.com>, Commercial and Business-Oriented
> Asterisk Discussion <asterisk-biz at lists.digium.com>, Asterisk
> Developers Mailing List <asterisk-dev at lists.digium.com>
> Subject: [asterisk-dev] IC3/FBI security announcement - your help
> needed
> Date: Mon, 8 Dec 2008 17:11:02 -0800
> 
> On Friday, the IC3 (FBI/NW3C/BJA) put out a security advisory on their  
> website that contained a fairly vaguely worded warning about Asterisk  
> systems being compromised and then being used as "vishing" (voice  
> phishing) platforms.  They were non-specific on the threat other than  
> to advocate upgrading to "newer versions" of Asterisk.  This  
> announcement was done on Friday late afternoon, just as everyone was  
> leaving for the weekend, which left us leaving frantic messages with  
> various IC3 voicemail system dead ends and emails to generic-sounding  
> accounts.
> 
> The delay in any authoritative information from IC3 quickly created a  
> guessing game in the blogger and press community as to what was  
> exactly the vulnerability and what were the details of this threat.   
> The speculation here at Digium was that this was just a re-statement  
> of an older bug from earlier this year, or it could have been entirely  
> unrelated to Asterisk and just been a case of mis-diagnosis of poor  
> password control.
> 
> It turns out that we were correct on our first guess: this is not a  
> new problem, and furthermore is a difficult vulnerability to exploit  
> even on those systems that are unpatched - it would require fairly  
> purposeful configuration to expose the system to a "vishing" abuse  
> method, so it is probably the case that this was a very isolated  
> event.  We spoke with IC3 agents earlier today, and they have updated  
> the alert to contain the correct warning (AST-2008-003) which was  
> their original intent.
> 
> There is a more complete description of the incident on the Digium  
> blog site:
> 
>   http://blogs.digium.com/2008/12/06/sip-security-and-asterisk/
> 
> Other links:
>   AST-2008-003 - http://www.asterisk.org/node/48466
>   Revised IC3 announcement - http://www.ic3.gov/media/2008/081205-2.aspx
> 
> WHAT YOU CAN DO:
>    Unfortunately, the news of security risks spreads faster than the  
> news of a non-issue - secure systems aren't "stories" so I expect it  
> will be an uphill effort to update all the sites which copied or  
> re-blogged the IC3 story initially.  We would very much like to enlist  
> the community to have you try to post where you can the link to the  
> Digium blog above - it would help keep misperceptions from becoming  
> part of the permanent data landscape as things get slowly archived  
> into Google-able snippets.  Post in the "Comments" sections of any  
> blogs you see linking to this story, or put your own $.02 in as you  
> see fit.  We'd like to keep good relations with the IC3 and FBI, and  
> we understand how this kind of mistake can happen (even though we're  
> uncomfortable with the results) so please set your flamethrowers on  
> "warm" instead of "scorch" if you choose to weigh in on the topic  
> yourself.
> 
> If anyone has questions regarding this issue, please feel free to  
> contact me via email or phone to discuss.
> 
> JT
> 
> ---
> John Todd
> jtodd at digium.com        +1-256-428-6083
> Asterisk Open Source Community Director