[VOIPSEC] NY Times, ABC News reporting on fraud scheme
Jeffrey Skelton
jskelton at net2phone.com
Sat Jun 10 10:37:21 CDT 2006
I did not see any mention of SIP protocol or a brute force attack against SIP digest authentication in the complaint.
-----Original Message-----
From: Voipsec-bounces at voipsa.org on behalf of Geoff Devine
Sent: Sat 6/10/2006 8:24 AM
To: Voipsec at voipsa.org
Subject: Re: [VOIPSEC] NY Times, ABC News reporting on fraud scheme
Reading through the .pdf file, I see:
"Records provided by N.T.P. demonstrate that Defendant Pena obtained,
without authorization, the valid proprietary prefix that N.T.P. used to
identify authorized calls."
Am I correct in thinking that this was just a brute force attack against
the SIP digest authentication process?
---REGISTER--->
<---401 Unauthorized---
---REGISTER + authorization info--->
<---200 OK---
Geoff Devine
Chief Architect
Cedar Point Communications
-------------------------------------------------------
Date: Fri, 9 Jun 2006 15:33:46 -0400
From: dan_york at Mitel.com
Subject: Re: [VOIPSEC] NY Times, ABC News reporting on fraud scheme
using hacked VoIP service providers
To: "Zmolek, Andrew \(Andy\)" <zmolek at avaya.com>
Cc: voipsec at voipsa.org
Message-ID:
<OF845A12B8.2F4CDBA3-ON85257188.006A0C13-85257188.006B7668 at mitel.com>
Content-Type: text/plain; charset="us-ascii"
Andy,
Thanks for the great reply...
> Sorry folks, encryption wasn't really the issue here (though a
> well-designed PKI solution might have helped).
Hmmm... I agree with your points that this was really a simple
brute-forcing situation, but I guess my thought was that if the
call control had all been encrypted, it would not have been easy
for someone to simply inject signalling by brute-forcing prefixes.
However, a system that provided that level of encryption would
no doubt probably require the well-designed PKI solution you mention.
> The good news here is that if we can learn a bit more about what
> authentication systems were exploited,
Jonathan Zar pointed out to me today (as we were recording our
latest Blue Box podcast) that the full text of the US Dept. of
Justice complaints is available online. The complaint against
the primary businessman, Edwin Pena, is available at:
http://www.usdoj.gov/usao/nj/publicaffairs/NJ_Press/files/pdffiles/penacomplaint.pdf
and the one against Robert Moore, the "hacker" Pena hired to obtain
info about third-party networks that Pena could use to disguise his
connections, is at:
http://www.usdoj.gov/usao/nj/publicaffairs/NJ_Press/files/pdffiles/moorecomplaint.pdf
Both of the complaints make for fascinating reading. They name the
companies and go into some detail about what Pena allegedly did in
the execution of his scheme. Definitely worth a read.
Regards,
Dan
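
The REGISTER / 401 / REGISTER + authorization exchange sketched in Geoff Devine's message, as an added Python example that is not part of the original thread: it shows what the "authorization info" is under RFC 2617 digest without qop, and how a registrar can verify it while throttling repeated failures. The `Registrar` class, the `MAX_FAILURES` value, the per-source counting and the sample credentials are assumptions made for illustration.

```python
import hashlib
import hmac
import os
from collections import defaultdict


def md5_hex(text):
    return hashlib.md5(text.encode()).hexdigest()


def digest_response(user, realm, password, nonce, method, uri):
    """RFC 2617 digest without qop: MD5(HA1:nonce:HA2)."""
    ha1 = md5_hex(f"{user}:{realm}:{password}")
    ha2 = md5_hex(f"{method}:{uri}")
    return md5_hex(f"{ha1}:{nonce}:{ha2}")


class Registrar:
    """Hypothetical registrar: challenge, verify, and throttle failed attempts."""

    MAX_FAILURES = 5  # assumed policy value, not taken from the thread

    def __init__(self, realm, credentials):
        self.realm = realm
        self.credentials = credentials    # user -> password (constructed data)
        self.nonces = {}                  # source -> outstanding one-time nonce
        self.failures = defaultdict(int)  # source -> consecutive failures

    def handle_register(self, source, user, uri, nonce=None, response=None):
        """Return (status, nonce) for one REGISTER from `source`."""
        if self.failures[source] >= self.MAX_FAILURES:
            return 403, None              # stop answering further guesses
        if response is not None:
            issued = self.nonces.pop(source, None)   # a nonce is valid once
            password = self.credentials.get(user)
            if issued is not None and nonce == issued and password is not None:
                expected = digest_response(
                    user, self.realm, password, nonce, "REGISTER", uri)
                if hmac.compare_digest(expected, response):
                    self.failures[source] = 0
                    return 200, None
            self.failures[source] += 1    # wrong digest, stale nonce or bad user
        # First REGISTER, or a failed retry: issue a fresh challenge.
        self.nonces[source] = os.urandom(16).hex()
        return 401, self.nonces[source]
```

Counting failures per source address is the simplest policy to show; a deployment would normally also count per account, since guesses can come from many addresses.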