Vishing Fears Overblown

Those of you who frequently follow the IP-PBX and enterprise communications news feeds have most likely heard about the recently issued "warning" by the Internet Crime Complaint Center about a "vishing vulnerability" and the Asterisk IP-PBX platform.

While a headline like this certainly makes good news and generates lots of site hits, it strikes the community as rather unfounded. In March 2008, a security advisory describing a hard-to-reproduce issue was made public and addressed by Digium, although no exploits were identified at that time. The security alert published by the IC3 and FBI on Friday of last week possibly resurfaces that existing advisory and attempts to link the increase in "vishing" (voice phishing) threats to the Asterisk platform in some way.

Bottom line: Any platform with weak passwords, unpatched versions, and poor management can be susceptible to hacking, mischief, and "voice phishing". If an enterprise Avaya or Cisco platform is left unprotected, the same threats are certainly possible, as with any IT platform connected to the Internet today. Poor communication and unfounded threats from the Internet Crime Complaint Center can generate an unnecessary amount of attention on a previously addressed issue.

For more information, I highly recommend John Todd's blog post on this very topic on the Digium site.

Your thoughts and comments are always welcome and appreciated!
