
I have gone on about this before but most carriers have a psychological aversion to security, and most of their vendors adopt the same.

They see themselves as the wire, and thus completely incapable of being targeted by hostile third parties.

Non-exhaustive list of problems I have seen:

Credit cards stored in plaintext on the carrier's WordPress website.

ESXi and DRAC ports publicly available to the internet, not patched.

Inbound authentication not dropped by core infrastructure; log files just filling up with brute force attempts (often successful).

Software vendors not implementing carrier network standards and telling everyone they know better.

Tech support opening SOCKS proxy ports for technical support reasons and then leaving them open, where they get abused for Netflix traffic.

Field techs running around with core infrastructure passwords written on their paperwork.

Vulnerable hardware remaining unpatched and available to the internet for years, particularly FortiGate stuff.

Technicians building unencrypted PPTP VPNs on client infrastructure and leaving them open for years.

It doesn't surprise me that FreePBX/Asterisk etc. are full of issues. They only get yelled at when they push a change that knocks some eccentric SIP config offline; no one cares if they maintain vulnerable code as long as it works. Doubly so because there's a cottage industry in locating and using vulnerable SIP credentials for fraudulent phone calls.
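The "log files just filling up with brute force attempts (often successful)" point above is the one a practitioner can actually act on: the interesting signal is not the failures themselves but a source that fails many times and then succeeds, which is what a guessed SIP credential looks like. The following is an added example, not code from the comment or from the Asterisk or FreePBX projects. It parses constructed sample lines modelled on the shape of Asterisk's res_security_log key="value" output (the field and event names SecurityEvent, AccountID, RemoteAddress, InvalidPassword, SuccessfulAuth and the like are assumptions about that format, and the sample lines are constructed, not captured), counts failed authentications per source IP, and separates plain brute force from a likely-compromised account; the threshold of five failures is an arbitrary assumption to tune for your own traffic.

```python
"""Detect SIP credential brute force, and the success that follows it, in
Asterisk-style security log lines.  Added example; the line layout is an
assumption modelled on Asterisk's res_security_log key="value" output."""
import re
from collections import defaultdict
from dataclasses import dataclass, field

# Event names assumed from Asterisk's security event framework.
FAILURE_EVENTS = {"InvalidPassword", "ChallengeResponseFailed",
                  "InvalidAccountID", "FailedACL"}
SUCCESS_EVENT = "SuccessfulAuth"

# Pull out only the fields the detection needs; other key="value" pairs are skipped.
LINE_RE = re.compile(
    r'^\[(?P<ts>[^\]]+)\] SECURITY\[\d+\] res_security_log\.c: '
    r'SecurityEvent="(?P<event>[^"]+)".*?'
    r'AccountID="(?P<account>[^"]*)".*?'
    r'RemoteAddress="(?P<remote>[^"]+)"'
)


def _line(ts, event, account, ip):
    """Build one constructed sample log line (test data, not a captured log)."""
    return (f'[{ts}] SECURITY[2211] res_security_log.c: SecurityEvent="{event}",'
            f'EventTV="{ts}",Severity="Error",Service="SIP",EventVersion="2",'
            f'AccountID="{account}",SessionID="0x7f3c1a",'
            f'LocalAddress="IPV4/UDP/10.0.0.5/5060",'
            f'RemoteAddress="IPV4/UDP/{ip}/5060"')


# Constructed sample: one scanner that guesses its way into extension 1001,
# one scanner that only enumerates account names, one legitimate phone that
# mistypes its password twice before registering, and one unrelated line.
SAMPLE_LOG = [
    _line("2025-07-14 03:12:01", "InvalidPassword", "1001", "203.0.113.7"),
    _line("2025-07-14 03:12:02", "InvalidPassword", "1002", "203.0.113.7"),
    _line("2025-07-14 03:12:02", "InvalidPassword", "1003", "203.0.113.7"),
    _line("2025-07-14 03:12:03", "InvalidPassword", "1001", "203.0.113.7"),
    _line("2025-07-14 03:12:03", "InvalidPassword", "1001", "203.0.113.7"),
    _line("2025-07-14 03:12:04", "InvalidPassword", "1001", "203.0.113.7"),
    _line("2025-07-14 03:12:05", "SuccessfulAuth", "1001", "203.0.113.7"),
    _line("2025-07-14 03:13:10", "InvalidAccountID", "100", "203.0.113.9"),
    _line("2025-07-14 03:13:10", "InvalidAccountID", "101", "203.0.113.9"),
    _line("2025-07-14 03:13:11", "InvalidAccountID", "102", "203.0.113.9"),
    _line("2025-07-14 03:13:11", "InvalidAccountID", "103", "203.0.113.9"),
    _line("2025-07-14 03:13:12", "InvalidAccountID", "104", "203.0.113.9"),
    _line("2025-07-14 08:00:00", "InvalidPassword", "2040", "198.51.100.20"),
    _line("2025-07-14 08:00:09", "InvalidPassword", "2040", "198.51.100.20"),
    _line("2025-07-14 08:00:15", "SuccessfulAuth", "2040", "198.51.100.20"),
    "Jul 14 08:00:16 pbx kernel: unrelated line that must be skipped",
]


@dataclass
class SourceStats:
    failures: int = 0
    accounts: set = field(default_factory=set)
    success_after_failures: list = field(default_factory=list)  # (ts, account)


def remote_ip(remote_field):
    """'IPV4/UDP/203.0.113.7/5060' -> '203.0.113.7'."""
    parts = remote_field.split("/")
    return parts[2] if len(parts) >= 3 else remote_field


def parse_line(line):
    """Return (timestamp, event, account, source_ip) or None for non-matching lines."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return (m["ts"], m["event"], m["account"], remote_ip(m["remote"]))


def analyze(lines, threshold=5):
    """Per source IP with at least `threshold` failures, report the failure
    count, how many distinct accounts it tried, and whether it later succeeded."""
    stats = defaultdict(SourceStats)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        ts, event, account, ip = rec
        s = stats[ip]
        if event in FAILURE_EVENTS:
            s.failures += 1
            s.accounts.add(account)
        elif event == SUCCESS_EVENT and s.failures >= threshold:
            # A success only after a run of failures: the credential was guessed.
            s.success_after_failures.append((ts, account))
    findings = {}
    for ip, s in stats.items():
        if s.failures < threshold:
            continue  # a phone mistyping its password twice is not an incident
        findings[ip] = {
            "failures": s.failures,
            "accounts_tried": len(s.accounts),
            "verdict": "likely compromised" if s.success_after_failures else "brute force",
            "compromised_accounts": sorted({a for _, a in s.success_after_failures}),
        }
    return findings


if __name__ == "__main__":
    for ip, f in analyze(SAMPLE_LOG).items():
        print(ip, f)
```

Feeding the real log through `analyze` (one line per element) is enough to get a per-source verdict; the "likely compromised" entries are the ones that justify resetting the account's secret and blocking the source, while "brute force" entries are candidates for fail2ban-style blocking at the edge.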
