In a story earlier today we posted about the FBI announcement regarding pwning asterisk systems. Digium has posted a response to this on the Asterisk Mailing Lists asking the community for help in response to the FBI's warning and other various news outlets misrepresenting the issue or not fully informing their audience. Here's the message posted by Digium;
On Friday, the IC3 (FBI/NW3C/BJA) put out a security advisory on their website that contained a fairly vaguely worded warning about Asterisk systems being compromised and then being used as "vishing" (voice
phishing) platforms. They were non-specific on the threat other than to advocate upgrading to "newer versions" of Asterisk. This announcement was done on Friday late afternoon, just as everyone was leaving for the weekend, which left us leaving frantic messages with various IC3 voicemail system deadends and emails to generic-sounding accounts.
The delay in any authoritative information from IC3 quickly created a guessing game in the blogger and press community as to what was
exactly the vulnerability and what were the details of this threat.
The speculation here at Digium was that this was just a re-statement of an older bug from earlier this year, or it could have been entirely unrelated to Asterisk and just been a case of mis-diagnosis of poor password control.
It turns out that we were correct on our first guess: this is not a new problem, and furthermore is a difficult vulnerability to exploit even on those systems that are unpatched - it would require fairly purposeful configuration to expose the system to a "vishing" abuse method, so it is probably the case that this was a very isolated event. We spoke with IC3 agents earlier today, and they have updated the alert to contain the correct warning (AST-2008-003) which was their original intent.
There is a more complete description of the incident on the Digium blog site:
AST-2008-003 - http://www.asterisk.org/node/48466
Revised IC3 announcement - http://www.ic3.gov/media/2008/081205-2.aspx
WHAT YOU CAN DO:
Unfortunately, the news of security risks spreads faster than the news of a non-issue - secure systems aren't "stories" so I expect it will be an uphill effort to update all the sites which copied or re- blogged the IC3 story initially. We would very much like to enlist the community to have you try to post where you can the link to the Digium blog above - it would help keep misperceptions from becoming part of the permanent data landscape as things get slowly archived into Google-able snippets. Post in the "Comments" sections of any blogs you see linking to this story, or put your own $.02 in as you see fit. We'd like to keep good relations with the IC3 and FBI, and we understand how this kind of mistake can happen (even though we're uncomfortable with the results) so please set your flamethrowers on "warm" instead of "scorch" if you choose to weigh in on the topic yourself.
If anyone has questions regarding this issue, please feel free to contact me via email or phone to discuss.
Asterisk Open Source Community Director