J., Thank you for posting the advisory in a public place for the users of the list. It had been distributed to our partners, and distributors, and they passed the information on to their customers. The recent round of fraudulent calls were almost all the result of systems being installed in a manner that would leave the administrative interface open to the internet (not a system default configuration) and with either weak or default admin passwords. Some were the result of registering to the server using SIP credentials for third party (non Allworx) devices with weak, and sometimes matching, username and passwords. Some others occurred because Allworx handsets had been placed directly on the internet and either had the password for the phones administrative interface set to null, or the default. And lastly, there were a few cases with older phone software, if the handset was accessible from the internet, where copying part of a URI could allow access to the config file stored on the phone, and get the SIP registration parameters in the clear. The last one was definitely our bug, and has been remedied in later versions of software. Each release of new software includes security features along with normal "new" customer features. We also advise partners to keep the customers updated with the latest releases for these very reasons. I will not say that Allworx brushed any known issues off. I will say that we have taken many different approaches to let our partner community know what had been taking place, and reiterating the need to take all necessary precautions to keep their customers systems secure. I have seen very little from other manufacturers regarding these recent rounds of fraud attempts, and know that they have been compromised also, but I would hope that the fact that we have been open about them shows our dedication to keeping our customers secure and confident in our system. Thanks again, Mark Stappenbeck -----Original Message----- From: VoiceOps [mailto:voiceops-bounces at voiceops.org] On Behalf Of J. Oquendo Sent: Monday, May 13, 2013 9:27 AM To: voiceops at voiceops.org; voipsec at voipsa.org Subject: [VoiceOps] Allworx Security Advisory Unsure why some of these vendors don't join this list. One of my clients who is an Allworx reseller, passed on the advisory. www.infiltrated.net/Allworx_Service_Bulletin_Security_Advisory.pdf I may (from the security standpoint) switch things up this year (vendors on this list beware). There are so many vulnerabilities that have yet to be addressed and although I am often torn about "disclosure," I WILL GO OUT on a whim and say Allworx knew this was an issue, and likely brushed it off as it was not reported. So back to my "switching things up", to those vendors on this list, I suggest you go back to your security queues and get things in order. In these days and times, its darn right absurd for backdoor accounts, and letting security issues linger for years. -- =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+ J. Oquendo SGFA, SGFE, C|EH, CNDA, CHFI, OSCP, CPT, RWSP, GREM "Where ignorance is our master, there is no possibility of real peace" - Dalai Lama 42B0 5A53 6505 6638 44BB 3943 2BF7 D83F 210A 95AF http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x2BF7D83F210A95AF _______________________________________________ VoiceOps mailing list VoiceOps at voiceops.org https://puck.nether.net/mailman/listinfo/voiceops