Re: Nortel Security

From: h0pperat_private
Date: Sun Jul 01 2001 - 21:17:15 PDT


    >I've been asked to review the security of our Nortel
    >Meridian PBX. I've searched Google & Yahoo and can't
    >find too much to aid me in this. Can anyone point me to
    >some good information on key things to audit/test?
    
    There's a couple of papers on auditing PBX environments at NIST:
    NIST SP 800-24, PBX Vulnerability Analysis, National Institute of Standards
    and Technology, 2000.
    
    These can be found at:
    http://www.itl.nist.gov/lab/bulletns/bltnaug00.htm 
    http://csrc.nist.gov/publications/nistpubs/800-24/sp800-24pbx.pdf
    
    Particularly fruitful areas of investigation with the Meridian are Voicemail -
    the default password for voicemail accounts is the same as the extension
    number, and users aren't necessarily forced to change them, and also administrative
    access - if the PBX is managed by an outside company, they will typically
    use the same password for all sites. Access on these lines is almost never
    encrypted.
    
    Other possibilities centre around remote toll access- dial a freephone number 
    to a company PBX, enter a passcode and get a dialtone with open access. 
    This has been a major source of abuse in the past.
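
A defender's check for the remote toll access abuse described above, added here as an example and not part of the original post: it scans call detail records for trunk-to-trunk calls (an outside caller leaving again on an outside line) placed after hours or to international prefixes. The CSV layout, field names, trunk IDs, dialing prefixes and thresholds are assumptions, and the sample records are constructed.

```python
import csv
import io
from collections import Counter
from datetime import datetime

# Constructed sample CDR export. The column layout is an assumption for this
# example, not the Meridian's native CDR record format.
SAMPLE_CDR = """start,orig_type,orig_id,term_type,term_id,dialed,seconds
2001-06-29 10:02:11,ext,2104,trunk,T003,5550123,95
2001-06-29 14:30:00,trunk,T001,ext,2210,,300
2001-06-29 15:05:40,trunk,T002,trunk,T005,5550177,120
2001-06-30 02:11:05,trunk,T001,trunk,T014,0115550100,1840
2001-06-30 02:14:50,trunk,T001,trunk,T015,0115550101,2210
2001-06-30 02:40:12,trunk,T001,trunk,T016,0115550102,960
2001-06-30 02:55:00,trunk,T001,trunk,T014,5550188,60
"""

def find_tandem_calls(cdr_text, open_hour=8, close_hour=18,
                      intl_prefixes=("011", "00"), max_per_hour=3):
    """Flag trunk-to-trunk calls: an outside caller leaving on an outside line."""
    suspects, per_hour = [], Counter()
    for row in csv.DictReader(io.StringIO(cdr_text)):
        if row["orig_type"] != "trunk" or row["term_type"] != "trunk":
            continue  # ordinary calls have an extension on one side
        start = datetime.strptime(row["start"], "%Y-%m-%d %H:%M:%S")
        per_hour[start.strftime("%Y-%m-%d %H")] += 1
        reasons = []
        # Weekend (Saturday/Sunday) or outside the assumed business hours.
        if start.weekday() >= 5 or not (open_hour <= start.hour < close_hour):
            reasons.append("after-hours")
        if row["dialed"].startswith(intl_prefixes):
            reasons.append("international")
        if reasons:
            suspects.append({"start": row["start"], "in": row["orig_id"],
                             "out": row["term_id"], "dialed": row["dialed"],
                             "seconds": int(row["seconds"]), "reasons": reasons})
    # Hours in which the number of tandem calls exceeds the threshold.
    bursts = sorted(h for h, n in per_hour.items() if n > max_per_hour)
    return suspects, bursts

if __name__ == "__main__":
    calls, bursts = find_tandem_calls(SAMPLE_CDR)
    for c in calls:
        print(c["start"], c["in"], "->", c["out"], c["dialed"], ",".join(c["reasons"]))
    print("hours over threshold:", bursts)
```

A business-hours tandem call to a local number (the third sample record) is counted toward the hourly total but not flagged on its own, since legitimate external call forwarding produces the same record shape.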
    
    



    This archive was generated by hypermail 2b30 : Mon Jul 02 2001 - 10:07:12 PDT