ALERT WhatMeWorry: €11 Million Heist

Brian Simmons

Active Member
Joined
May 22, 2013
Messages
166
Reaction score
35
Ouch - I guess another reason to A) don't do updates unless you need to and B) Use PIAF over Elastix :)

Actually he said that it was the lack of updates that allowed the hackers access. Had the system been updated in a timely fashion, the exploits the hackers used would have been fixed.
 

mbellot

Active Member
Joined
Dec 15, 2008
Messages
406
Reaction score
187
Ouch - I guess another reason to A) don't do updates unless you need to and B) Use PIAF over Elastix :)

A very good reason to use a prepaid service. When the money runs out, the hackers are shut off automatically.

It may not be practical for business, but it's simple insurance for home users.
 
Joined
Oct 5, 2010
Messages
188
Reaction score
38
Ouch - I guess another reason to A) don't do updates unless you need to and B) Use PIAF over Elastix :)

I believe the point was to actually keep your system updated, not to not do them unless you need to.
 

krzykat

Telecom Strategist
Joined
Aug 2, 2008
Messages
3,145
Reaction score
1,235
My Bad - Yes - I originally heard them having an update that opened a hole. And Yes - using pre-paid without auto-replenish can save you. I know when I was doing pre-paid cards with A2B, I got hacked several times where I got dinged for over $100 each time ... but at least it was limited to that. Teaches you to harden your system and lock it down as tight as possible.
 

Johann

Member
Joined
Feb 1, 2015
Messages
30
Reaction score
4
Ward and friends, please read my post on sip.us, and security, which applies to many other providers of SIP trunks as well.

http://pbxinaflash.com/community/index.php?threads/sip-us-and-security.18281/

It is also important that not only the PBX is kept secure, but the web control panels of SIP providers as well.
Because there you are just one cracked password away from someone changing your auto-replenish settings, international settings and forwarding incoming calls to a toll fraud destination.
We need to have the option to lock down certain settings on the provider end, so if your control panel got hacked, the damage done would be minimal.
 

billsimon

Well-Known Member
Joined
Jan 2, 2011
Messages
1,540
Reaction score
729
I think that stirring up concern about specific providers when you have no history with them is unfair. Please raise your feature requests / concerns with them directly before posting imaginary disaster scenarios on forums.
 

Johann

Member
Joined
Feb 1, 2015
Messages
30
Reaction score
4
Well, first, I have raised this concern with them; second, it is not an imaginary disaster scenario at all; and it is right that this is the same with many SIP providers out there.
I should probably have changed the post header to something more general, as this is not provider specific at all.
In fact, sip.us made a very good impression on me, so that is why I would like them to fix this. In fact, this would put them ahead of competitors like SIP station.
 

wardmundy

Nerd Uno
Joined
Oct 12, 2007
Messages
19,201
Reaction score
5,220
@Johann makes some good points. But, to be clear, this has little or nothing to do with sip.us and everything to do with the design of virtually every VoIP provider's web portal. If there is a vulnerability in the portal code and the attacker gains access to the provider's server and data, you are screwed if your credit card credentials are on file regardless of whether you have enabled automatic replenishment or not.
 
