Archive for October, 2009

Asterisk and SIP Security Redux

jtodd October 29th, 2009

Another rash of FUD (Fear, Uncertainty, and Doubt) has swept into my mailbox in the last few days, as an interview that I gave on SIP security may have been misinterpreted by some to mean something other than what I intended.  My comment in the article was not that “Asterisk attacks are endemic”, but that SIP-based brute-force attacks are endemic.  Every SIP system that is open to the “public” Internet is seeing large numbers of brute-force attacks.  Sites that have weak username and weak password control will be compromised – this is little different from email accounts being taken over by password-guessing systems and used for sending floods of email.  The significant difference is that when someone takes over a SIP platform to make outbound calls, there is usually a direct monetary cost, which gets people’s attention very quickly.  I hear reports of these types of attacks all the time now – it’s not unusual, and it’s not just Asterisk.  We had a blog post about this a year ago or so and a follow-up that discussed secure SIP practices with Asterisk; this is just a re-packaging of the same news a year later, when I recently (and unsurprisingly) said that attacks are no longer even newsworthy because they’re so frequent (hence the term “endemic”).  Apparently, not being newsworthy means… it’s newsworthy!

This has little to do with Asterisk other than that it happens to be the most prevalent SIP-based platform on the Internet currently.  It has everything to do with protocol attacks by script kiddies, or by more professional attackers.  Bad passwords = easy penetration.  The upside is that it yet again gets the attention of administrators who might not otherwise know that their password of ‘1234′ might be guessed by criminal users.

The bug that was mentioned in the SlashDot summary of the article?  Old news.  Really, really old news.  And really not even that much of a threat for most people the way they have their systems configured even if they haven’t upgraded.

Asterisk, Broadsoft, Cisco, Kamailio, OpenSER, FreeSwitch, Avaya – they’re all vulnerable to brute-force attacks if adequate network and username/password security is not implemented.  There are ways to minimize, if not eliminate, these threats with very standard security policies that should be familiar to any network administrator (ACLs, random passphrases, random client usernames, adequate exception logging, and limits on account usage, to name a few.)  Here’s the blog post I wrote on this a while back, which is somewhat Asterisk specific but contains useful pointers for pretty much any SIP system.  I suspect that >99% of the penetration threat is mitigated with just the simple policy of strong username/password pair combinations – the tools that are being used by most black-hat types are just brute-force attacks.  Script kiddies take the easiest possible targets; common-sense methods remove you from that target range.

To update people on the current thinking about network-based mitigation: After quite a bit of debate in the development community, it was generally agreed that Asterisk itself is not the appropriate place to do proactive “defense” mechanisms that block network ports or certain users.  There are extremely sophisticated systems (free and non-free) that will take log output from a network-based application such as Asterisk and then provide IP-layer blocking and alerting.  They do it much better and faster than Asterisk could hope to.  What has been recently implemented in Asterisk is a framework to report security events upstream to such programs, and the SIP stack is the first on the list to be instrumented.  Digium has been working on this framework in conjunction with community members who have expressed interest in building more sophisticated third-party alerting and management tools around Asterisk and other SIP-based platforms.
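The log-driven IP-layer blocking described above, as an added example that is not part of this post, of Asterisk, or of any particular third-party tool: a small watcher that reads chan_sip “Registration from ... failed” notices, counts failures per source address inside a sliding time window, and names the addresses that should be dropped at the firewall.  The sample log lines are constructed for the example (they follow the shape of Asterisk 1.6 full-log notices); the threshold, the window and the iptables command are assumptions, and a real deployment would use something like fail2ban rather than this script.

```python
"""Minimal SIP brute-force watcher (added example, not Asterisk project code).

Reads chan_sip registration-failure notices, keeps a sliding window of
failure timestamps per source IP, and reports addresses that cross a
threshold.  Sample lines, threshold, window and firewall command are
assumptions made for this example.
"""
import re
from collections import defaultdict, deque
from datetime import datetime

# Shape of a chan_sip registration-failure notice in the Asterisk "full" log.
# The source address may carry a ":port" suffix in some versions; accept both.
FAILED_REG = re.compile(
    r"^\[(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d)\] NOTICE\[\d+\] chan_sip\.c: "
    r"Registration from '(?P<from>[^']*)' failed for '(?P<ip>[\d.]+)(?::\d+)?' - (?P<reason>.+)$"
)

# Constructed sample: one address sweeping usernames, one legitimate typo,
# and one unrelated VERBOSE line that the parser must ignore.
SAMPLE_LOG = """\
[Oct 29 10:15:01] NOTICE[4012] chan_sip.c: Registration from '"100" <sip:100@203.0.113.10>' failed for '198.51.100.7' - No matching peer found
[Oct 29 10:15:01] NOTICE[4012] chan_sip.c: Registration from '"101" <sip:101@203.0.113.10>' failed for '198.51.100.7' - No matching peer found
[Oct 29 10:15:02] NOTICE[4012] chan_sip.c: Registration from '"1000" <sip:1000@203.0.113.10>' failed for '198.51.100.7' - Wrong password
[Oct 29 10:15:02] NOTICE[4012] chan_sip.c: Registration from '"1001" <sip:1001@203.0.113.10>' failed for '198.51.100.7' - Wrong password
[Oct 29 10:15:03] NOTICE[4012] chan_sip.c: Registration from '"admin" <sip:admin@203.0.113.10>' failed for '198.51.100.7' - No matching peer found
[Oct 29 10:15:03] NOTICE[4012] chan_sip.c: Registration from '"1002" <sip:1002@203.0.113.10>' failed for '198.51.100.7' - Username/auth name mismatch
[Oct 29 10:16:40] NOTICE[4012] chan_sip.c: Registration from '"2001" <sip:2001@203.0.113.10>' failed for '192.0.2.5' - Wrong password
[Oct 29 10:16:45] VERBOSE[4012] chan_sip.c:   -- Registered SIP '2001' at 192.0.2.5 port 5060
""".splitlines()


def parse_failure(line):
    """Return (timestamp, source ip, reason) for a failed registration, else None."""
    m = FAILED_REG.match(line)
    if not m:
        return None
    # The log carries no year; pin one so timestamps are comparable.
    ts = datetime.strptime(m.group("ts"), "%b %d %H:%M:%S").replace(year=2009)
    return ts, m.group("ip"), m.group("reason")


class BruteForceDetector:
    """Sliding-window counter: one deque of failure timestamps per source IP."""

    def __init__(self, threshold=5, window_seconds=600):
        self.threshold = threshold
        self.window = window_seconds
        self.failures = defaultdict(deque)
        self.blocked = []  # in order of detection

    def feed(self, line):
        """Consume one log line; return the IP if this line pushes it over the threshold."""
        parsed = parse_failure(line)
        if parsed is None:
            return None
        ts, ip, _reason = parsed
        if ip in self.blocked:
            return None
        q = self.failures[ip]
        q.append(ts)
        while q and (ts - q[0]).total_seconds() > self.window:
            q.popleft()  # forget failures that fell out of the window
        if len(q) >= self.threshold:
            self.blocked.append(ip)
            return ip
        return None


def block_command(ip):
    """The firewall rule a wrapper would apply (returned, not executed here)."""
    return f"iptables -I INPUT -s {ip} -j DROP"


def scan(lines, threshold=5, window_seconds=600):
    """Run the detector over a batch of lines; return IPs to block, in detection order."""
    det = BruteForceDetector(threshold, window_seconds)
    return [ip for ip in (det.feed(line) for line in lines) if ip]


if __name__ == "__main__":
    for ip in scan(SAMPLE_LOG):
        print(block_command(ip))
```

Two caveats a practitioner would want: bans must expire and trusted addresses must be exempt, because a SIP REGISTER over UDP can be sent with a forged source address and an attacker who knows your blocking rule can use it to lock a legitimate office out; and the distinct usernames tried from one address in the sample (100, 101, 1000, admin, ...) are themselves a signal worth alerting on even before the count is reached.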

Note that Asterisk already has basic Access Control List functionality for SIP and the other IP protocols that Asterisk “talks” (permit/deny entries in the channel configuration, sip.conf for example), though it is statically configured, in much the same way as Apache or other network servers.
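The policies listed earlier in this post (random client usernames, random passphrases, ACLs, limits on account usage) together with the static permit/deny ACL mentioned just above, as an added example that is not part of this post or of Asterisk’s own code: a Python helper that generates chan_sip peer sections following those policies and grades a secret the way a configuration GUI could.  The option names used (secret, host, context, call-limit, deny, permit, alwaysauthreject, allowguest) are chan_sip options of the Asterisk 1.4/1.6 era; the peer names, networks and strength thresholds are invented for the example.

```python
"""Hardened chan_sip peer generator (added example, not Asterisk project code).

Policies applied: random client usernames, random passphrases, default-deny
ACL with explicit permits, a per-peer call limit, and a [general] section
that hides username-enumeration hints and refuses guest calls.  Names,
networks and thresholds are invented for the example.
"""
import ipaddress
import math
import secrets
import string

USERNAME_ALPHABET = string.ascii_lowercase + string.digits
SECRET_ALPHABET = string.ascii_letters + string.digits
# First guesses of every SIP dictionary attack; never accept them as a secret.
KNOWN_WEAK = {"1234", "0000", "1111", "123456", "password", "secret", "asterisk"}


def random_username(length=10):
    """Client username that is not the extension number, so it cannot be read off a dialplan."""
    return "".join(secrets.choice(USERNAME_ALPHABET) for _ in range(length))


def random_secret(length=24):
    """Random alphanumeric passphrase; 24 symbols out of 62 is roughly 143 bits."""
    return "".join(secrets.choice(SECRET_ALPHABET) for _ in range(length))


def entropy_bits(secret):
    """Crude estimate: length * log2(combined size of the character classes used)."""
    classes = (string.ascii_lowercase, string.ascii_uppercase, string.digits, string.punctuation)
    space = sum(len(c) for c in classes if any(ch in c for ch in secret))
    return len(secret) * math.log2(space) if space else 0.0


def strength(secret, username=None):
    """Grade a secret 'weak' / 'fair' / 'strong': the hint a config GUI should display.

    The 40- and 80-bit cut-offs are arbitrary choices for this example.
    """
    if secret.lower() in KNOWN_WEAK or secret == username or (secret.isdigit() and len(secret) < 8):
        return "weak"
    bits = entropy_bits(secret)
    if bits < 40:
        return "weak"
    if bits < 80:
        return "fair"
    return "strong"


def peer_entry(name, secret, permit_nets, call_limit=2, context="from-internal"):
    """One [peer] section.  Raises on a weak secret so bad credentials never reach sip.conf."""
    if strength(secret, name) == "weak":
        raise ValueError(f"refusing weak secret for peer {name}")
    lines = [
        f"[{name}]",
        "type=peer",                 # peer, not friend: inbound matched by address, not by From: user
        f"secret={secret}",
        "host=dynamic",
        f"context={context}",
        f"call-limit={call_limit}",  # caps concurrent calls; limits the damage if a secret leaks
        "deny=0.0.0.0/0.0.0.0",      # default deny, then the explicit permits below
    ]
    for net in permit_nets:
        n = ipaddress.ip_network(net, strict=False)  # validates the operator's input
        lines.append(f"permit={n.network_address}/{n.netmask}")
    return "\n".join(lines)


# alwaysauthreject: answer unknown users and wrong passwords identically, so a
# scanner cannot learn which usernames exist.  allowguest: no anonymous calls.
GENERAL = "[general]\nalwaysauthreject=yes\nallowguest=no\n"


def build_sip_conf(peers):
    """peers: iterable of (name, secret, permit_nets) triples -> sip.conf text."""
    return GENERAL + "\n" + "\n\n".join(peer_entry(n, s, p) for n, s, p in peers) + "\n"


if __name__ == "__main__":
    user, secret = random_username(), random_secret()
    print(build_sip_conf([(user, secret, ["192.168.1.0/24"])]))
```

The generator refuses to write a weak secret at all, which is the same behaviour the post asks of any layered UI: the core will accept ‘1234′ without complaint, so the check has to live in whatever produces the configuration.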

Just as an aside, the Digium SwitchVox platform, which is our commercial re-packaging of Asterisk, has as an element of its GUI a tool that indicates the relative strength of passwords.  We’d encourage any other re-packagers or users of Asterisk to implement a similar UI hint that forces good password behavior by users and local admins.  It’s really not something that can be done in the core of Asterisk; it has to be done by whatever layered UI sits on top of Asterisk for configuration, or just by good policy.  Good security policy is really the cornerstone of the whole solution.  Asterisk is like any other infrastructure server program: it’s generally very secure as a core platform for an application service, PBX, or appliance, but that doesn’t absolve administrators from making sensible and secure policy decisions regarding how it is implemented.  I hope in the future that there is a better understanding of the difference between application security and implementation security, but I suspect I’ll be writing this explanation again in another year.

JT (Open Source Community Director)

www.asterisk.org gets a facelift!

jtodd October 12th, 2009

Asterisk is building lots of momentum; it’s obvious from the number of books, articles, videos, “how-to” documents, conferences, and resources that now flood the internet and make almost any search on “VoIP” come up with Asterisk in the top results.

But as that momentum of resources has built, some parts of the Asterisk community infrastructure haven’t kept up with the wave of new demand for information.  The “asterisk.org” website has served well over the last few years as a fairly static repository of information, but after some review it was determined that a new structure was needed to give better access to the community as well as present a new style that was a bit more suited to the vibrancy of the project.

Today we’re introducing the re-worked “asterisk.org” website. It’s live already – take a look! Our goal has been to become the first source people look to when they want more information about Asterisk or anything Asterisk-related.  Asterisk.org has always been the place to look for the code, and the mailing lists have been a tremendous resource for anyone with questions and discussions.  Now the website itself will have the ability to keep up with those two other foundational items in the Asterisk community, and we hope to make it the permanent repository for answers to any kind of question that involves Asterisk.

Here are some of the big changes:

- Better community involvement: Some of these documentation areas will be edited entirely by community members (appoint yourself!) and some areas, like the documentation on actual code parameters, will be able to have comments and additional data added to it.  The site has previously not been edited by a wide number of community members, and it’s time to harness the incredible energy and enthusiasm of the Asterisk developer, implementer, and user community.

- Reference Documentation: The documentation that is embedded in Asterisk is now extracted and published on the site.  You can add your own notes, FAQs, or examples to the documentation for everyone else to use. This is only a fraction of the documentation we hope to have published eventually (much more “free-form” documentation is planned and expected from Digium as well as the community) so it’s a good start.

- New Format: We hope the new format is easier to navigate, and the graphics have been updated.

To start with, the site is going to have some holes and empty spots where data should go.  See something you like?  Something you want to edit?  Something you’d like to see added?  If you know what really needs to be there… put it in!  Or if it’s not obvious that you can edit the page, ask me (jtodd@digium.com) and we’ll see if we can add you as an editor for that section.  (AstriCon is also this week, so please be patient with the inquiries.)  We’re going to try to open things up as quickly as we can while still ensuring good data.

We hope you like the new format.  The coming weeks will see significant changes and additions as well; stay tuned for interesting announcements here, and at AstriCon this coming week!

JT

AstriContest, step right up! Fastest Dude to the Dialtone!

jtodd October 7th, 2009

If you’re coming out west to Glendale for AstriCon (Oct 13-15) you’ll have the chance to be a winner in more than the obvious way of being an AstriCon attendee!  There’s the chance to show off your Asterisk skills!

We all love Asterisk, and we love hooking it up to all that IP telephony stuff, but… there’s still a lot of plain ol’ telephones out there…  Welcome to the hi-tech honky tonk (no fist-fighting, just some sparring between Asterisk dudes).  Last year, we wrangled SIP phones for the prize, but this year, we’re going old-school and sticking with analog ports.

Step right up, step right up – the contest is simple.  We’ll give you a PC with a good ol’ analog speakerphone attached to the Digium analog card inside, and the Asterisk and DAHDI source files already on the machine.

All you have to do is install DAHDI and Asterisk from the tarballs and set up a configuration to the point of achieving a very simple set of call results. The clock starts with your first command and stops when the right thing is heard out of the speakerphone.  We won’t tell you exactly what the test is, but I’d suggest you brush up on rapid dialplan creation, DAHDI configs, and fast typing!

The contest will run in the exhibition hall during show hours, and the master of testing ceremonies is long-time Asterisk author, consultant, and carnival barker David Duffett, who will guide you through the process whilst peppering you with witty observations and possibly even teaching the crowd a thing or two along the way.  (Having him shout “Yeehaa!” with a British accent during the planning of this contest is reward enough for me, actually.)

You’ll be up against some of the fastest geeks in the south (Yeehaa!), all with an eye on one of the stunning prizes on offer – which will be presented by Allison Smith, our far superior fill-in for Vanna White.  Prizes to be awarded in the same room as and just before the last “Asterisk Roadmap” conference session.

Quickest Dude to the dialtone prizes:

Fastest: An unlocked HTC Hero Google Android Phone
2nd Quickest: Digium backpack w/schwag, Digium analog card with FXO/FXS, retro bluetooth handset, geek toolkit
3rd Quickest: Digium backpack w/schwag, Digium analog card with FXO/FXS