Near the end of last year (December 2008), the U.S. Federal Bureau of Investigation warned of a variation of a new type of vishing attack.

By exploiting a bug in the open-source Asterisk VoIP software, criminals have been able to use vulnerable Asterisk systems as their own personal auto-dialers and call potential victims directly. The attack can generate "thousands of vishing telephone calls to consumers within one hour,"

the FBI said in an advisory posted to the Internet Crime Complaint Center (IC3).

The FBI is urging Asterisk users to upgrade their software immediately so that their VoIP systems are not vulnerable to this bug.

SIP Security and Asterisk

Since the start of 2009 we had several clients to whom we provide Asterisk Support Service become victims of a "vishing" attack.

After looking at the situation - and plugging the security hole (more about this later) - here is a recent warning from the IC3 (Internet Crime Complaint Center). 

The Digium Patch

The SIP Security hole referred to in the above warning has been pacthed in all recent implementations of Star*PBX (version 1.2.3 and above).  However, as the attacks are real, it is obvious that something else is going on. 

Two Distinct Attack Vectors

Any Asterisk based PBX that has not been updated remains vulnerable to the SIP channel exploit.  This means that  the attacker can now - at will - find out SIP "secrets" etc. and exploit the box.  I have seen several examples of this over the last two weeks.  None of those involved Star*PBX, but another Asterisk based PBX system.

We also had a Star*PBX system come under attack.  This attack had nothing to do with the SIP channel vulnerability - since it was not present.  In this case the vulnerability was an insecure - i.e. easy to crack - SIP secret.  If the SIP extension can easily be guessed, and the SIP "secret" is easy to crack, a brute-force password guessing will likely succeed.  The solution is to simply change the SIP "secret" to a more complex thing.  This, indeed, proved effective.

In the case of the "older" Asterisk systems, unfortunately, this was no help.  Even the complex password was  - somehow - instantly known to the attacker. 

The solution - temporary at best - was to have the dialplan amended to only allow outbound calls to a limited set of area codes.  The long term solution is to upgrade the PBX.  It can still be Asterisk based, and so the investment in infrastructure (wiring, phones, etc.) can be maintained.   Our suggestion for an upgrade would - of course - be Star*PBX.

In general I am not a fan of Instant Messaging (IM). That said, I am not unsympathetic to the benefits that can be realized, especially in a decentralized / virtualized work environment.  For any number of reasons I consider the public IM services such as AOL, MSN, Skype etc. more of a nuisance than a service.

So, while hunting for something we could deploy here at ME, I started looking for an Open Source solution. I came across jabber. This pup has morphed into an impressive creature which became the XMPP Standards Foundation.  XMPP stands for ‘Extensible Messaging and Presence Protocol’.  And since a protocol not an implementation makes I hunted further and found …

Openfire by Jive Software

Visited the site, looked at documentation, watched a flash demo.  I am convinced enough to try.  Together with the Asterisk Plugin, this looks like a tool that would integrate really well with the Star*PBX product.  So, we can use it, and incorporate it in an existing product. Sweet.

IM @ Work

This is a catchy phrase to promote awareness of this technology.  I can’t wait to deploy it and start pushing the possibilities.

Stay tuned.

One of the things we do at ME is remote customer support.  The technology spectrum is wide, and encompasses MS-Windows administration, end user support (help desk), Network troubleshooting, PBX / Phone system support etc.

We - usually - do a good job of helping a client out of a pickle, but not always.  Things do fall through the cracks.  Furthermore, since sometimes multiple people are involved in interacting with a single client on a given problem, the internal communication (or lack thereof) may contribute to the perceived lack of service / responsiveness by a client.

And even, when we DO assist a client in an effective and timely manner, this effort is not always sufficiently documented to allow proper billing.  So things fall through the cracks at both ends: (a) the client perceives non-responsive service; (b) as a business, we spend time and effort without compensation.

 Avoid Verbal Orders

This was hammered into me when working at a large government contractor / consulting company.  The reasons are legion.  Firstly, it is too easy to misunderstand, or even simply mishear a communication / complaint / issue. Secondly, the action required may be misunderstood.  The client in question might simply have wanted you to be aware of something, NOT to jump in and start reconfiguring their system.  Or vice-versa, you think it’s piece of info to be filed, while the client expects immediate attention - if not action. 

email to the rescue

Well .. maybe .. perhaps .. who knows.  The problem there is, again, follow-through.  While an email alleviates the mis-communication issue, or at least provides a defensible CYA response in case of later complaints, it still can lead to a ‘crack fall’ at either end (see above).  The problem, of course, is who the email is actually sent to, and if that person takes action, if only to perhaps alert someone else.  And, after ‘delegating’, what if it does not get followed up.  Or it does get followed-up, the client is happy, but never billed, because we lost track.  At least we have an email - right?  Not really.  Emails get sent by clients - or associates - to different people (read email addresses).  Unless there is some unification going on afterwards, this can well lead to more mass confusion. 

support@myhelpdesk.com

Ah! One single email address.  Now what?  We have multiple clients - multiple technologies - multiple responders. So we’d have to task a single person / agent as support manager, to (a) watch the inbox; (b) delegate cases; (c) track progress; (d) ensure issue resolution (i.e. client satisfaction); (e) ensure proper client billing; (f) ensure proper credit to responders. 

Hmm .. sounds like a full-time job, AND error-prone.  At ME, as at most organizations of a similar nature, this job gets only partially done with resulting efficiency (we spend too much) and effectiveness (the client is still unhappy) issues.

Request Tracker

I have in my past lives setup and used RT from Best Practical in an IT support and Customer Satisfaction environment.  This is one of the reasons that here at ME we offer our services to install / configure / train your organization in setting up RT.  Sad to say, we are - as of January 15, 2009 - not using it ourselves.  This is about to change.  We have experienced the issues alluded to above, and as our business continues to grow, we need to get better at supporting our clients.  So, we’ll be deploying an RT based ticket system for the various activities we are engaged in.  Stay tuned. 

Links and Plug

http://bestpractical.com/rt/

Read all about it.  We will offer an RT Appliance in the near future.  In the mean time, ask (use our contact page) if you want RT deployed for your organization, we may be able to assist you.

If such a user uses email (and who doesn’t), chances are that all his contacts, etc. are also stored on this workstation.  The loss of that information can be crippling. Especially MS-Outlook users are at risk since it is not always clear how to backup Outlook data.  But there is more, such as web browser bookmarks (favorites), etc.

Mirroring

This is often employed as a backup technique.  At least one commercial company (carbonite) offers an off-site mirroring solution for individual Windows workstations. 

A mirror is basically a refection of the data as it exists on the workstation when the image is taken.  Any history is lost however.  Since the scheduling of he mirror u snot always controlled by the user, this does not protect against accidental deletion of files and folders or corruption due to user mistakes or virus / malware action.

So, this is of limited value to an end user as it really only protects against total data loss due to a system crash or loss of a computer (i.e. laptop gets stolen). 

Snapshots

Think of this as a mirror with history. Now we ARE protected against accidental data deletion and / or corruption as long as the data in it’s good state is in the history buffer.  It is not unreasonable to have daily snaps available for the last two weeks and weekly snaps for an entire year.

This provides all benefits of a mirror, plus it also protects against accidental - or intentional - data loss and corruption.

Application data such as Outlook, Thunderbird or other mail clients can be included as well as the state of browser bookmarks. 

The User Decides

Since we are primarily interested in data, we should automatically include the standard Windows data areas.  Furthermore, the most common email clients, i.e. Outlook, Outlook Express and Thunderbird store their data in well known areas, and these can be included automatically.  The same goes for Firefox and MSIE bookmarks. 

In addition to this, the user should be able to include / exclude based upon folders and file wild cards.  As a common practice I always keep my install files in the C:\installs directory.  This is definitely a directory Ii would want backed-up. 

To summarize: based upon the OS, a certain number of folders should automatically be included.  The same goes for files (e.g. mail files from Outlook).  The user can then decide to exclude (for their dominion) folders or files, and to specify additional ones.  Note that the user has to have access to these folders in order to include them.

When you ask five people what they understand by a good ‘backup system‘ you will likely get five different answers.  The reason is simply this: ‘backup’ is too general a term to describe a specific need and solution.

So let us dwell a bit in the various types of backup (and recovery) that people would want.  That is the functionality of the system - rather than the implementation.  Not that implementation technology is unimportant.  One thing that should have become clear however over the last few years is tape backup is on the way out.  For a hillarious illustration of the potential trauma associated with tape backup, see this YouTube video.

 Given the slowness and limited capacity of optical media, the obvious solution is some form of disk based backup. 

OK, with that out of the way let us return to functional requirements / scenarios.  This involves a combination of what information to back up, from which computers, stored where.  Furthermore there is the mirror versus history, and the recovery process. 

The plot thickens.  There is a multi-dimensional matrix to be considered:

• Computer Function:  Server / Workstation (fixed) / Workstation (mobile)
• Computer OS: Linux / Windows / Mac OSX
• Backup Data: Selected Data Only / All Data / Full System
• Backup Type: Mirror / History Snaps
• Backup Storage: On-site / Off-site

Each possible combination needs its own consideration.  And considering that the above outlined parameters are neither complete nor exhaustive, yet the total combination of cases already is 3 x 3 x 3 x 2 x 2 = 108.  So, how is a user / consumer to choose, and as a provider, which solution does one offer.  It very well may be that a business / enterprise should not consider a single ‘fit all’ solution, but a menu of backup options / systems each addressing a particular need.

In future posts I hope to flesh out more specific scenarios and suggest specific solutions.

If you have any comments, please feel free speak up.  Registration is required, but painless and free.

Since we mainly operate as consultants, I feel it is important to provide some insight into some of the thought processes and research going on as it relates to what we do and - sometimes more important - what we do NOT do.

It is my hope that this new site and format will improve the quality and scope of the services we can offer our clients.  Since the site incorporates this ‘BLOG’ it also allows for discussion.