VoiceOps Digest, Vol 52, Issue 7

[voiceops-request]

Send VoiceOps mailing list submissions to
        voiceops@voiceops.org

To subscribe or unsubscribe via the World Wide Web, visit
        https://puck.nether.net/mailman/listinfo/voiceops
or, via email, send a message with subject or body 'help' to
        voiceops-requ...@voiceops.org

You can reach the person managing the list at
        voiceops-ow...@voiceops.org

When replying, please edit your Subject line so it is more specific
than "Re: Contents of VoiceOps digest..."


Today's Topics:

   1. Anybody going to BroadSoft Connections? (Mark R Lindsey)
   2. Re: Anybody going to BroadSoft Connections? (Joshua Goldbard)
   3. New SPA2100/2102/1001 exploit in the wild? (Ryan Delgrosso)
   4. Re: New SPA2100/2102/1001 exploit in the wild? (David Thompson)
   5. Re: Anybody going to BroadSoft Connections? (Shripal Daphtary)
   6. Re: Anybody going to BroadSoft Connections? (Jason L. Nesheim)
   7. FYI:  Back door found in D-Link routers (Peter Rad.)
   8. Re: Anybody going to BroadSoft Connections? (Anthony Orlando)
   9. Re: New SPA2100/2102/1001 exploit in the wild? (Anthony Orlando)
  10. Re: New SPA2100/2102/1001 exploit in the wild? (Ryan Delgrosso)


----------------------------------------------------------------------

Message: 1
Date: Mon, 14 Oct 2013 17:55:00 -0400
From: Mark R Lindsey <lind...@e-c-group.com>
To: "voiceops@voiceops.org" <voiceops@voiceops.org>
Subject: [VoiceOps] Anybody going to BroadSoft Connections?
Message-ID: <da56b2fe-28ea-40b5-b530-ea0d71a14...@e-c-group.com>
Content-Type: text/plain; charset=us-ascii

Anybody else going to BroadSoft Connections? It'd be nice just to say howdy 
with other voiceopians.

>>> m...@ecg.co +1-229-316-0013 http://ecg.co/lindsey




------------------------------

Message: 2
Date: Mon, 14 Oct 2013 22:22:00 +0000
From: Joshua Goldbard <j...@2600hz.com>
To: Mark R Lindsey <lind...@e-c-group.com>
Cc: "voiceops@voiceops.org" <voiceops@voiceops.org>
Subject: Re: [VoiceOps] Anybody going to BroadSoft Connections?
Message-ID: <7a685ac3-acf0-4da8-87ca-9a9d4c60d...@2600hz.com>
Content-Type: text/plain; charset="us-ascii"

Nope, but if you're at KazooCon today please say hi!!!

Cheers,
Joshua

Sent from my iPhone

On Oct 14, 2013, at 2:55 PM, "Mark R Lindsey" <lind...@e-c-group.com> wrote:

> Anybody else going to BroadSoft Connections? It'd be nice just to say howdy 
> with other voiceopians.
> 
>>>> m...@ecg.co +1-229-316-0013 http://ecg.co/lindsey
> 
> 
> _______________________________________________
> VoiceOps mailing list
> VoiceOps@voiceops.org
> https://puck.nether.net/mailman/listinfo/voiceops



------------------------------

Message: 3
Date: Mon, 14 Oct 2013 16:08:49 -0700
From: Ryan Delgrosso <ryandelgro...@gmail.com>
To: "voiceops@voiceops.org" <voiceops@voiceops.org>
Subject: [VoiceOps] New SPA2100/2102/1001 exploit in the wild?
Message-ID: <525c7981.9040...@gmail.com>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed

Hey all,
I am seeing my fraud-o-meter tick up as of yesterday and it all seems to 
be driven by accounts attached to these devices. We have taken measures 
to start locking this down but I am wondering if anyone out there is 
seeing similar.

It looks like somehow legacy devices that have been deployed for 5+ 
years are having accounts lifted out of them.

Does anyone have info on this exploit, or if you are seeing this as well 
and want to compare notes feel free to ping me.

Thanks,
-Ryan


------------------------------

Message: 4
Date: Mon, 14 Oct 2013 16:20:18 -0700
From: David Thompson <dthomp...@esi-estech.com>
To: ryandelgro...@gmail.com, voiceops@voiceops.org
Subject: Re: [VoiceOps] New SPA2100/2102/1001 exploit in the wild?
Message-ID: <3e984d9053842119f236fb801d6a7...@mail.gmail.com>
Content-Type: text/plain; charset=ISO-8859-1

Are you making certain that they aren't publically accessable w/default
user name password? Also check your device provisioning server and make
certain that indexing isn't enabled. Someone could be browsing through
your config files and lifting them from there but I think the
configuration files are all binary and not text readable.

David Thompson
Network Services Support Technician
(O) 858.357.8794
(F) 858-225-1882
(E) dthomp...@esi-estech.com
(W)?www.esi-estech.com


-----Original Message-----
From: VoiceOps [mailto:voiceops-boun...@voiceops.org] On Behalf Of Ryan
Delgrosso
Sent: Monday, October 14, 2013 4:09 PM
To: voiceops@voiceops.org
Subject: [VoiceOps] New SPA2100/2102/1001 exploit in the wild?

Hey all,
I am seeing my fraud-o-meter tick up as of yesterday and it all seems to
be driven by accounts attached to these devices. We have taken measures to
start locking this down but I am wondering if anyone out there is seeing
similar.

It looks like somehow legacy devices that have been deployed for 5+ years
are having accounts lifted out of them.

Does anyone have info on this exploit, or if you are seeing this as well
and want to compare notes feel free to ping me.

Thanks,
-Ryan
_______________________________________________
VoiceOps mailing list
VoiceOps@voiceops.org
https://puck.nether.net/mailman/listinfo/voiceops



------------------------------

Message: 5
Date: Mon, 14 Oct 2013 18:00:02 -0400
From: Shripal Daphtary <shrip...@gmail.com>
To: Mark R Lindsey <lind...@e-c-group.com>
Cc: "voiceops@voiceops.org" <voiceops@voiceops.org>
Subject: Re: [VoiceOps] Anybody going to BroadSoft Connections?
Message-ID: <48548d4e-9324-45d5-b73f-77ae84e0f...@gmail.com>
Content-Type: text/plain;       charset=us-ascii

I'll be there. 

9734321440 is my cell. Would love to get a drink and say hi

Shri. 

Shripal

> On Oct 14, 2013, at 5:55 PM, Mark R Lindsey <lind...@e-c-group.com> wrote:
> 
> Anybody else going to BroadSoft Connections? It'd be nice just to say howdy 
> with other voiceopians.
> 
>>>> m...@ecg.co +1-229-316-0013 http://ecg.co/lindsey
> 
> 
> _______________________________________________
> VoiceOps mailing list
> VoiceOps@voiceops.org
> https://puck.nether.net/mailman/listinfo/voiceops



------------------------------

Message: 6
Date: Mon, 14 Oct 2013 23:06:37 +0000 (UTC)
From: "Jason L. Nesheim" <jnesh...@cytek.biz>
To: Mark R Lindsey <lind...@e-c-group.com>
Cc: voiceops@voiceops.org
Subject: Re: [VoiceOps] Anybody going to BroadSoft Connections?
Message-ID: <661677601.8332549.1381791997550.javamail.r...@cytek.biz>
Content-Type: text/plain; charset=utf-8

I will be getting in Wednesday afternoon.

--
Jason Nesheim
+1-702-885-0815

----- Original Message -----
From: "Mark R Lindsey" <lind...@e-c-group.com>
To: voiceops@voiceops.org
Sent: Monday, October 14, 2013 5:55:00 PM
Subject: [VoiceOps] Anybody going to BroadSoft Connections?

Anybody else going to BroadSoft Connections? It'd be nice just to say howdy 
with other voiceopians.

>>> m...@ecg.co +1-229-316-0013 http://ecg.co/lindsey


_______________________________________________
VoiceOps mailing list
VoiceOps@voiceops.org
https://puck.nether.net/mailman/listinfo/voiceops


------------------------------

Message: 7
Date: Mon, 14 Oct 2013 19:37:58 -0400
From: "Peter Rad." <pe...@4isps.com>
To: "voiceops@voiceops.org" <voiceops@voiceops.org>
Subject: [VoiceOps] FYI:  Back door found in D-Link routers
Message-ID: <525c8056.6090...@4isps.com>
Content-Type: text/plain; charset=UTF-8; format=flowed

http://www.theregister.co.uk/2013/10/13/dlink_routers_have_admin_backdoor/


Regards,

Peter Radizeski
RAD-INFO INC
pe...@rad-info.net
813.963.5884


------------------------------

Message: 8
Date: Mon, 14 Oct 2013 19:22:07 -0500
From: Anthony Orlando <avorla...@yahoo.com>
To: "Jason L. Nesheim" <jnesh...@cytek.biz>
Cc: "voiceops@voiceops.org" <voiceops@voiceops.org>
Subject: Re: [VoiceOps] Anybody going to BroadSoft Connections?
Message-ID: <57a12068-bf39-4d84-856f-2f630e61e...@yahoo.com>
Content-Type: text/plain;       charset=us-ascii

I'll be there. 

> On Oct 14, 2013, at 18:06, "Jason L. Nesheim" <jnesh...@cytek.biz> wrote:
> 
> I will be getting in Wednesday afternoon.
> 
> --
> Jason Nesheim
> +1-702-885-0815
> 
> ----- Original Message -----
> From: "Mark R Lindsey" <lind...@e-c-group.com>
> To: voiceops@voiceops.org
> Sent: Monday, October 14, 2013 5:55:00 PM
> Subject: [VoiceOps] Anybody going to BroadSoft Connections?
> 
> Anybody else going to BroadSoft Connections? It'd be nice just to say howdy 
> with other voiceopians.
> 
>>>> m...@ecg.co +1-229-316-0013 http://ecg.co/lindsey
> 
> 
> _______________________________________________
> VoiceOps mailing list
> VoiceOps@voiceops.org
> https://puck.nether.net/mailman/listinfo/voiceops
> _______________________________________________
> VoiceOps mailing list
> VoiceOps@voiceops.org
> https://puck.nether.net/mailman/listinfo/voiceops



------------------------------

Message: 9
Date: Mon, 14 Oct 2013 19:23:53 -0500
From: Anthony Orlando <avorla...@yahoo.com>
To: "ryandelgro...@gmail.com" <ryandelgro...@gmail.com>
Cc: "voiceops@voiceops.org" <voiceops@voiceops.org>
Subject: Re: [VoiceOps] New SPA2100/2102/1001 exploit in the wild?
Message-ID: <423db57c-676f-4b09-a375-1d593dac3...@yahoo.com>
Content-Type: text/plain;       charset=us-ascii

Seeing something similar with the new 112/122.  They are locked down hard yet 
still getting hacked. 

> On Oct 14, 2013, at 18:08, Ryan Delgrosso <ryandelgro...@gmail.com> wrote:
> 
> Hey all,
> I am seeing my fraud-o-meter tick up as of yesterday and it all seems to be 
> driven by accounts attached to these devices. We have taken measures to start 
> locking this down but I am wondering if anyone out there is seeing similar.
> 
> It looks like somehow legacy devices that have been deployed for 5+ years are 
> having accounts lifted out of them.
> 
> Does anyone have info on this exploit, or if you are seeing this as well and 
> want to compare notes feel free to ping me.
> 
> Thanks,
> -Ryan
> _______________________________________________
> VoiceOps mailing list
> VoiceOps@voiceops.org
> https://puck.nether.net/mailman/listinfo/voiceops



------------------------------

Message: 10
Date: Mon, 14 Oct 2013 23:09:01 -0700
From: Ryan Delgrosso <ryandelgro...@gmail.com>
To: Anthony Orlando <avorla...@yahoo.com>
Cc: "voiceops@voiceops.org" <voiceops@voiceops.org>
Subject: Re: [VoiceOps] New SPA2100/2102/1001 exploit in the wild?
Message-ID: <525cdbfd.3080...@gmail.com>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed

Anthony,
What details do you have? Are the calls actually originating from the 
devices or are the credentials just getting lifted from them somehow?

Feel free to reply off-list if you don't want it public but I would like 
to see if any info could be mutually beneficial.


On 10/14/2013 05:23 PM, Anthony Orlando wrote:
> Seeing something similar with the new 112/122.  They are locked down hard yet 
> still getting hacked.
>
>> On Oct 14, 2013, at 18:08, Ryan Delgrosso <ryandelgro...@gmail.com> wrote:
>>
>> Hey all,
>> I am seeing my fraud-o-meter tick up as of yesterday and it all seems to be 
>> driven by accounts attached to these devices. We have taken measures to 
>> start locking this down but I am wondering if anyone out there is seeing 
>> similar.
>>
>> It looks like somehow legacy devices that have been deployed for 5+ years 
>> are having accounts lifted out of them.
>>
>> Does anyone have info on this exploit, or if you are seeing this as well and 
>> want to compare notes feel free to ping me.
>>
>> Thanks,
>> -Ryan
>> _______________________________________________
>> VoiceOps mailing list
>> VoiceOps@voiceops.org
>> https://puck.nether.net/mailman/listinfo/voiceops



------------------------------

Subject: Digest Footer

_______________________________________________
VoiceOps mailing list
VoiceOps@voiceops.org
https://puck.nether.net/mailman/listinfo/voiceops


------------------------------

End of VoiceOps Digest, Vol 52, Issue 7
***************************************