[*] [Fwd: [asterisk-dev] IC3/FBI security announcement - your help needed]
John Lange
john at johnlange.ca
Tue Dec 9 09:20:38 CST 2008
This FBI security alert generated some traffic on the Asterisk lists
over the weekend so I thought I'd forward along the official updated
information from Digium.
--
John Lange
www.johnlange.ca
-------- Forwarded Message --------
> From: John Todd <jtodd at digium.com>
> Reply-to: Asterisk Developers Mailing List
> <asterisk-dev at lists.digium.com>
> To: Asterisk Users Mailing List - Non-Commercial Discussion
> <asterisk-users at lists.digium.com>, Commercial and Business-Oriented
> Asterisk Discussion <asterisk-biz at lists.digium.com>, Asterisk
> Developers Mailing List <asterisk-dev at lists.digium.com>
> Subject: [asterisk-dev] IC3/FBI security announcement - your help
> needed
> Date: Mon, 8 Dec 2008 17:11:02 -0800
>
> On Friday, the IC3 (FBI/NW3C/BJA) put out a security advisory on their
> website that contained a fairly vaguely worded warning about Asterisk
> systems being compromised and then being used as "vishing" (voice
> phishing) platforms. They were non-specific on the threat other than
> to advocate upgrading to "newer versions" of Asterisk. This
> announcement was done on Friday late afternoon, just as everyone was
> leaving for the weekend, which left us leaving frantic messages with
> various IC3 voicemail system deadends and emails to generic-sounding
> accounts.
>
> The delay in any authoritative information from IC3 quickly created a
> guessing game in the blogger and press community as to what was
> exactly the vulnerability and what were the details of this threat.
> The speculation here at Digium was that this was just a re-statement
> of an older bug from earlier this year, or it could have been entirely
> unrelated to Asterisk and just been a case of mis-diagnosis of poor
> password control.
>
> It turns out that we were correct on our first guess: this is not a
> new problem, and furthermore is a difficult vulnerability to exploit
> even on those systems that are unpatched - it would require fairly
> purposeful configuration to expose the system to a "vishing" abuse
> method, so it is probably the case that this was a very isolated
> event. We spoke with IC3 agents earlier today, and they have updated
> the alert to contain the correct warning (AST-2008-003) which was
> their original intent.
>
> There is a more complete description of the incident on the Digium
> blog site:
>
> http://blogs.digium.com/2008/12/06/sip-security-and-asterisk/
>
> Other links:
> AST-2008-003 - http://www.asterisk.org/node/48466
> Revised IC3 announcement - http://www.ic3.gov/media/2008/081205-2.aspx
>
> WHAT YOU CAN DO:
> Unfortunately, the news of security risks spreads faster than the
> news of a non-issue - secure systems aren't "stories" so I expect it
will be an uphill effort to update all the sites which copied or re-blogged
the IC3 story initially. We would very much like to enlist
> the community to have you try to post where you can the link to the
> Digium blog above - it would help keep misperceptions from becoming
> part of the permanent data landscape as things get slowly archived
> into Google-able snippets. Post in the "Comments" sections of any
> blogs you see linking to this story, or put your own $.02 in as you
> see fit. We'd like to keep good relations with the IC3 and FBI, and
> we understand how this kind of mistake can happen (even though we're
> uncomfortable with the results) so please set your flamethrowers on
> "warm" instead of "scorch" if you choose to weigh in on the topic
> yourself.
>
> If anyone has questions regarding this issue, please feel free to
> contact me via email or phone to discuss.
>
> JT
>
> ---
> John Todd
> jtodd at digium.com +1-256-428-6083
> Asterisk Open Source Community Director
>
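The "purposeful configuration" the forwarded mail alludes to is, in practice, a chan_sip setup that accepts unauthenticated SIP calls and drops them into a dialplan context that can reach an outbound trunk. The following is an added illustration written for this archive page; it is not Digium's code, not taken from the AST-2008-003 advisory or the linked blog post, and it does not describe the advisory's bug. The option and application names (allowguest, alwaysauthreject, context, Dial) are standard chan_sip / extensions.conf syntax; the trunk name pstn-trunk, peer 1001 and the context names are placeholders.

```ini
; ---- sip.conf, exposed variant (assumed for illustration) ----
; Guests are accepted and land in the same context as authenticated phones,
; so anyone who can send an INVITE can place calls through the trunk.
[general]
allowguest=yes             ; accept INVITEs from unauthenticated sources
context=default            ; ...and run them in [default]
alwaysauthreject=no        ; distinct errors for unknown user vs. bad secret

; ---- sip.conf, locked-down variant ----
[general]
allowguest=no              ; reject unauthenticated callers outright
context=from-unauthenticated ; if guests are ever re-enabled, they land here
alwaysauthreject=yes       ; identical rejection whether the user exists or not

[1001]                     ; an authenticated phone (placeholder name)
type=friend
secret=CHANGE-ME-to-a-long-random-per-device-secret
host=dynamic
context=from-internal      ; only authenticated peers reach this context

; ---- extensions.conf, exposed variant (assumed for illustration) ----
; Catch-all pattern with trunk access in the guest-reachable context.
[default]
exten => _X.,1,Dial(SIP/${EXTEN}@pstn-trunk)

; ---- extensions.conf, locked-down variant ----
[from-internal]            ; outbound PSTN dialling lives only here
exten => _1NXXNXXXXXX,1,Dial(SIP/${EXTEN}@pstn-trunk)
exten => _1NXXNXXXXXX,n,Hangup()

[from-unauthenticated]     ; nothing here may Dial() a trunk
exten => _X.,1,Answer()
exten => _X.,n,Playback(vm-goodbye)
exten => _X.,n,Hangup()
```

To check a running box, `asterisk -rx "sip show settings"` reports the effective allowguest and alwaysauthreject values, and `asterisk -rx "dialplan show default"` (or whatever context sip.conf's [general] names) shows whether unauthenticated callers can reach a Dial() to a trunk. Upgrading past AST-2008-003 closes the advisory's bug; the dialplan separation above is what keeps a compromised or anonymous caller from turning the PBX into an outbound calling platform regardless of version.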