[VOIPSEC] NY Times, ABC News reporting on fraud scheme using hacked VoIP service providers
dan_york at Mitel.com
dan_york at Mitel.com
Fri Jun 9 14:33:46 CDT 2006
Andy,
Thanks for the great reply...
> Sorry folks, encryption wasn't really the issue here (though a
> well-designed PKI solution might have helped).
Hmmm... I agree with your points that this was really a simple
brute-forcing situation, but I guess my thought was that if the
call control had all been encrypted, it would not have been easy
for someone to simply inject signalling by brute-forcing prefixes.
However, a system that provided that level of encryption would
no doubt probably require the well-designed PKI solution you mention.
> The good news here is that if we can learn a bit more about what
> authentication systems were exploited,
Jonathan Zar pointed out to me today (as we were recording our
latest Blue Box podcast) that the full text of the US Dept. of
Justice complaints are available online. The complaint against
the primary businessman, Edwin Pena, is available at:
http://www.usdoj.gov/usao/nj/publicaffairs/NJ_Press/files/pdffiles/penacomplaint.pdf
and the one against Robert Moore, the "hacker" Pena hired to obtain
info about third-party networks that Pena could use to disguise his
connections, is at:
http://www.usdoj.gov/usao/nj/publicaffairs/NJ_Press/files/pdffiles/moorecomplaint.pdf
Both of the complaints make for fascinating reading. They name the
companies and go into some detail about what Pena allegedly did in
the execution of his scheme. Definitely worth a read.
Regards,
Dan
--
Dan York, CISSP
Dir of IP Technology, Office of the CTO
Mitel Corp. http://www.mitel.com
dan_york at mitel.com +1-613-592-2122
PGP key (F7E3C3B4) available for
secure communication
More information about the Voipsec
mailing list