FBI clarifies Digium Asterisk IP PBX vishing BOLO
On Monday, the Federal Bureau of Investigation (FBI) issued an updated notice regarding the use of Digium's Asterisk IP PBX for vishing. Now, if they could get the date of posting (Dec. 8) to match the date listed within the notice (Dec. 5), we might actually have a "case closed."
The update comes on the heels of discussions late Friday between Digium and the Internet Crime Complaint Center (IC3), the FBI department that issued an initial vaguely worded alert on Dec. 5. Digium was not contacted prior to the alert being published, for either notification and/or clarification.
Digium also faced the challenge of trying to find the person within the FBI bureaucracy who published the alert and discuss the reasoning behind it. We still don't know if the FBI went on a raid last week and picked up a couple of computers with notes on how to exploit Asterisk on them, or if the agency has documented (and will soon take to court) cases of attacks.
The Dec. 8 update provides much more detail on the Asterisk vulnerability, which affects older versions. But Digium already released a security advisory on that problem in March 2008.
Digium has provided some commentary in their "SIP Security and Asterisk" blog as to their frustrations both with the initial posting and the challenges the company had in terms of understanding the nature of the post and clarifying the information within it. One should read through to the end of the post to understand the many areas left open for improvement.