[VOIPSEC] NY Times, ABC News reporting on fraud scheme
David Schwartz
David.Schwartz at Kayote.com
Sun Jun 11 03:22:34 CDT 2006
Why are you all assuming this was "brute force" Digest attack?
I did not see Digest mentioned once in the 2 links Dan provided
(thanks). I am not even sure that SIP was the underlying protocol.
I think the attack was much simpler.
As the complaint states, the VoIP provider uses prefixes to route
authorized traffic. As opposed to retail traffic where ACLs are used
(not that those can't be spoofed as well), in wholesale traffic this is
not always done and as such in this particular case I believe the
traffic was not even challenged.
The traffic is considered "authorized" if it contains the correct
prefix. All an attacker would need to do is start with "1" and continue
to "9........." or however long it takes to find a valid prefix. I would
not even be surprised if the attacker in this case found more than 1
prefix as I have a hard time believing that the VoIP provider would not
immediately disable a prefix that out of the blue started sending a
disproportionate amount of traffic.
What I cannot figure is how the VoIP provider did not detect an
inordinate amount of "prefix" rejects prior to receipt of the fraudulent
traffic. Most networks monitor for this kind of stuff and this should
have been detected.
Cheers,
David Schwartz
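The monitoring gap David describes (an inordinate number of prefix rejects from one source before any traffic gets through) is easy to check for from the switch's call-attempt log. The detector below is an added example, not code from the list or from any provider: it assumes a constructed one-line-per-attempt log format and flags any source whose rejected-prefix attempts in a sliding window exceed a threshold.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Log line format assumed here (constructed, not any real switch's format):
#   <ISO timestamp> <source IP> <dialed digits incl. prefix> <ACCEPT|REJECT_PREFIX>
LOG_RE = re.compile(r"^(\S+) (\S+) (\d+) (ACCEPT|REJECT_PREFIX)$")

def parse(line):
    """Return (timestamp, src, dialed, verdict) or None for an unparseable line."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    ts, src, dialed, verdict = m.groups()
    return datetime.fromisoformat(ts), src, dialed, verdict

def flag_prefix_scanners(lines, window=timedelta(minutes=5), max_rejects=20):
    """Map each source IP whose REJECT_PREFIX count inside any sliding
    window exceeds max_rejects to the largest such count seen."""
    rejects = defaultdict(list)
    for line in lines:
        rec = parse(line)
        if rec and rec[3] == "REJECT_PREFIX":
            rejects[rec[1]].append(rec[0])
    flagged = {}
    for src, times in rejects.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):
            while t - times[start] > window:   # drop events older than the window
                start += 1
            count = end - start + 1
            if count > max_rejects:
                flagged[src] = max(flagged.get(src, 0), count)
    return flagged

def constructed_sample():
    """Constructed log: one host walks 4-digit prefixes 1000..1039 (all
    rejected) and then hits 1040; a legitimate customer makes normal calls."""
    base = datetime(2006, 6, 1, 10, 0, 0)
    at = lambda s: (base + timedelta(seconds=s)).isoformat()
    lines = [f"{at(i)} 203.0.113.5 {1000 + i}2015550100 REJECT_PREFIX" for i in range(40)]
    lines.append(f"{at(40)} 203.0.113.5 10402015550100 ACCEPT")
    lines.append(f"{at(3)} 198.51.100.7 77712015550100 ACCEPT")
    lines.append(f"{at(9)} 198.51.100.7 77172015550100 REJECT_PREFIX")  # one misdial
    lines.append(f"{at(15)} 198.51.100.7 77712015550199 ACCEPT")
    return lines

if __name__ == "__main__":
    print(flag_prefix_scanners(constructed_sample()))  # {'203.0.113.5': 40}
```

The threshold and window are placeholders; on a real wholesale switch they would be set from the observed baseline of misdials per customer, and a hit is the signal to suspend the source before a valid prefix is found rather than after the fraudulent minutes have been carried.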
-----Original Message-----
From: Voipsec-bounces at voipsa.org [mailto:Voipsec-bounces at voipsa.org] On
Behalf Of Hallam-Baker, Phillip
Sent: Saturday, June 10, 2006 4:21 PM
To: Geoff Devine; Voipsec at voipsa.org
Subject: Re: [VOIPSEC] NY Times, ABC News reporting on fraud scheme
Yes, it was a brute force attack.
How long are the prefixes you use?
Why was digest chosen? It's a 1993 design. At the time I could not use
RSA because of the patent encumbrances. If it was possible to use public
key then I would have.
Digest is vulnerable to a brute force attack
> -----Original Message-----
> From: Voipsec-bounces at voipsa.org
> [mailto:Voipsec-bounces at voipsa.org] On Behalf Of Geoff Devine
> Sent: Saturday, June 10, 2006 8:24 AM
> To: Voipsec at voipsa.org
> Subject: Re: [VOIPSEC] NY Times, ABC News reporting on fraud scheme
>
> Reading through the .pdf file, I see:
> "Records provided by N.T.P. demonstrate that Defendant Pena
> obtained, without authorization, the valid proprietary prefix
> that N.T.P. used to identify authorized calls."
>
> Am I correct in thinking that this was just a brute force
> attack against the SIP digest authentication process?
>
> ---REGISTER--->
> <---401 Unauthorized---
> ---REGISTER + authorization info--->
> <---200 OK---
>
> Geoff Devine
> Chief Architect
> Cedar Point Communications
>
> -------------------------------------------------------
> Date: Fri, 9 Jun 2006 15:33:46 -0400
> From: dan_york at Mitel.com
> Subject: Re: [VOIPSEC] NY Times, ABC News reporting on fraud scheme
> using hacked VoIP service providers
> To: "Zmolek, Andrew \(Andy\)" <zmolek at avaya.com>
> Cc: voipsec at voipsa.org
> Message-ID: <OF845A12B8.2F4CDBA3-ON85257188.006A0C13-85257188.006B7668 at mitel.com>
> Content-Type: text/plain; charset="us-ascii"
>
> Andy,
>
> Thanks for the great reply...
>
> > Sorry folks, encryption wasn't really the issue here (though a
> > well-designed PKI solution might have helped).
>
> Hmmm... I agree with your points that this was really a
> simple brute-forcing situation, but I guess my thought was
> that if the call control had all been encrypted, it would not
> have been easy for someone to simply inject signalling by
> brute-forcing prefixes.
> However, a system that provided that level of encryption
> would no doubt probably require the well-designed PKI
> solution you mention.
>
> > The good news here is that if we can learn a bit more about what
> > authentication systems were exploited,
>
> Jonathan Zar pointed out to me today (as we were recording
> our latest Blue Box podcast) that the full text of the US
> Dept. of Justice complaints are available online. The
> complaint against the primary businessman, Edwin Pena, is
> available at:
>
> http://www.usdoj.gov/usao/nj/publicaffairs/NJ_Press/files/pdffiles/penacomplaint.pdf
>
> and the one against Robert Moore, the "hacker" Pena hired to
> obtain info about third-party networks that Pena could use to
> disguise his connections, is at:
>
> http://www.usdoj.gov/usao/nj/publicaffairs/NJ_Press/files/pdffiles/moorecomplaint.pdf
>
> Both of the complaints make for fascinating reading. They
> name the companies and go into some detail about what Pena
> allegedly did in the execution of his scheme. Definitely
> worth a read.
>
> Regards,
> Dan
>
>
>
> _______________________________________________
> Voipsec mailing list
> Voipsec at voipsa.org
> http://voipsa.org/mailman/listinfo/voipsec_voipsa.org