>I've been asked to review the security of our Nor-tel
>Meridian PBX. I've searched Google & Yahoo and can't
>find to much to aid me in this. Can anyone point me to
>some good information on key things to audit/test?
There's a couple of papers on auditing PBX environments at NIST:
NIST SP 800-24, PBX Vulnerability Analysis, National Institute of Standards
and
Technology, 2000.
These can be found at:
http://www.itl.nist.gov/lab/bulletns/bltnaug00.htm
http://csrc.nist.gov/publications/nistpubs/800-24/sp800-24pbx.pdf
Particularly fruitful areas of investigation with the Meridian are Voicemail-
the default password for voicemail accounts is the same as the extension
number, and users aren't necessarily forced to change them, and also administrative
access- if teh PBX is managed by an outside company, they will typically
use the same password for all sites. Access on these lines is almost never
encrypted.
Other possibilities centre around remote toll access- dial a freephone number
to a company PBX, enter a passcode and get a dialtone with open access.
This has been a major source of abuse in the past.
Free, encrypted, secure Web-based email at www.hushmail.com
--------------------------------------------------------------------------------------
This list is provided by the SecurityFocus Security Intelligence Alert (SIA) Service
For more information on SecurityFocus' SIA service which automatically alerts you to
the latest security vulnerabilities please see:
https://alerts.securityfocus.com/
Received on Jul 02 2001
Intro
