Re: "A million bucks in stolen calls"
On 6/8/06, mikeiscool <michaelslists@gmail.com> wrote:
On 6/9/06, Tyler Durden <camera_lumina@hotmail.com> wrote:
Wow. One guy and a hacker rerouted VoIP calls and in the process collected $1MM in fees. Lots of crypto & cypherpunkly implications here.
Sorry to double-post, but does anyone think Tor + encryption use would've saved this guy?
it's hard to shield income, hence the advice to inflate expenses when fudging taxes rather than trying to hide incoming funds. these guys were making too much money to stay covert for long, so i don't think tor or encryption of comms or data would have helped. it might have delayed the inevitable a bit, but that's all. "Authorities said that to hide profits from his scheme, which ran from November 2004 to May 2006, Pena bought real estate, three luxury vehicles and a 40-foot motorboat." -- that's not a good way to hide funds :)
Here are some more details. So...does this amount to trespassing or merely arresting two guys for running traffic you don't like? This also implies that CALEA probably isn't even necessary in a lot of cases. NSA can probably surreptitiously copy and route traffic to themselves through intermediate networks. Come to think of it, this may imply that something like CALEA is far easier in the packet world than it was in the circuit switched world. One implication is that VoIP can't really be secure unless we can hide the routing and not just the packet contents, but of course this isn't a new problem as recent events a la NSAT&T prove. Anyway...

Two Charged in VOIP Hacking Scandal

JUNE 9, 2006 | Federal authorities pressed charges Thursday against a second man who helped perpetrate a VOIP wholesale scheme that defrauded at least 15 VOIP service providers.

Robert Moore of Spokane, Wash., also known as the "Spokane Hacker," was served papers Thursday but had not yet been taken into custody, according to U.S. Attorney's Office spokesman Michael Drewniak.

On Wednesday, the U.S. Attorney's Office in New Jersey had filed charges against Edwin Andres Pena, who they say set up the allegedly fraudulent wholesale business -- called Fortes Telecom Inc. -- in 2004. (See 'Free' Skype Could Be Costly.)

After charging his service provider customers cheap rates to route their calls, Pena's company secretly routed the calls over the IP networks of at least 15 VOIP providers, according to court documents. This was done using a two-step process.

Step One. The men obscured the origin of the calls by sending them through an "intermediary." The feds believe Pena, with help from Moore, scanned the networks of companies all over the world looking for network ports to use for routing calls. The New Jersey U.S. Attorney's Office said it obtained records from AT&T Inc. (NYSE: T) showing that, between June and October of last year, Moore ran more than 6 million scans for those susceptible ports. The two eventually decided on routing calls through a router owned by an unnamed New Jersey-based hedge fund company. (See Ingate Secures VOIP.)

Step Two. With a "blind" established, Pena then needed to gain admittance for his customers' calls to be routed onto the networks of other VOIP providers. VOIP providers tag their own calls with a unique identifier or "prefix" so they can be admitted to the network. Pena allegedly bombarded the VOIP providers' networks with test calls -- each carrying a different prefix -- until he found one that was admitted to the network. He then tagged all his fraudulent calls with the winning prefix.

Having penetrated the networks of VOIP telephone service providers, Pena programmed the third party's computer networks to use the illegally obtained proprietary prefix to route calls of customers of his companies, federal authorities say.

The Pena case will certainly revive the issue of security among VOIP providers. Many in the VOIP community are all too aware of the security perils of running calls over the Internet.

"This hacker's approach is certainly not a surprise to those in the Internet community who follow these types of issues," says Brian Lustig, spokesman for VOIP provider SunRocket Inc. "It is just another variation of fraud that can be perpetrated."

So what does the VOIP community intend to do to protect itself from hacking? "The industry as a whole -- including Sun Rocket -- is already hard at work on standards and security measures that can prevent this type of activity," Lustig says.

Pena was taken into custody today and was scheduled to appear in court Thursday. Moore will appear in court soon, Drewniak said.

Mark Sullivan, Reporter, Light Reading
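The "Step Two" prefix guessing in the article above is visible from the gateway side: one source offering many different prefixes in quick succession and collecting rejections, then suddenly succeeding. The following is an added example, not code from the article, from Light Reading, or from anyone in this thread. The log format, IP addresses, prefixes, response codes and thresholds are all constructed assumptions; a real deployment would read them from the softswitch's CDRs or SIP traces. Two checks are shown: a source cycling through rejected prefixes in a short window (recording the one that finally got a 200), and a provider's prefix arriving from a peer that is not supposed to send it.

```python
"""Detect tech-prefix guessing against a VoIP gateway from call-attempt logs.

Added example, not from the article or the thread. The log format below is
constructed for illustration: one line per call attempt with the source IP,
the prefix the caller tagged the call with, the dialed number, and the
gateway's SIP response code.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample (assumed format). 203.0.113.7 tries six prefixes, is
# rejected five times, succeeds with 1006 and then starts routing real calls
# with it. 198.51.100.9 legitimately owns prefix 7742; 192.0.2.44 tries it.
SAMPLE_LOG = """\
2005-09-12T10:00:01Z src=203.0.113.7 prefix=1001 dst=15551230001 code=403
2005-09-12T10:00:02Z src=203.0.113.7 prefix=1002 dst=15551230001 code=403
2005-09-12T10:00:03Z src=203.0.113.7 prefix=1003 dst=15551230001 code=403
2005-09-12T10:00:04Z src=203.0.113.7 prefix=1004 dst=15551230001 code=403
2005-09-12T10:00:05Z src=203.0.113.7 prefix=1005 dst=15551230001 code=403
2005-09-12T10:00:06Z src=203.0.113.7 prefix=1006 dst=15551230001 code=200
2005-09-12T10:00:40Z src=203.0.113.7 prefix=1006 dst=15551239876 code=200
2005-09-12T10:00:41Z src=203.0.113.7 prefix=1006 dst=15551239877 code=200
2005-09-12T10:00:07Z src=198.51.100.9 prefix=7742 dst=15551230002 code=200
2005-09-12T10:00:08Z src=198.51.100.9 prefix=7742 dst=15551230003 code=200
2005-09-12T11:30:00Z src=192.0.2.44 prefix=7742 dst=15551230004 code=403
"""

REJECT_CODES = (401, 403, 404)  # assumed: what this gateway answers to an unknown prefix


def parse_line(line):
    """Parse one constructed log line into a dict with a datetime and int code."""
    ts, *fields = line.split()
    rec = dict(f.split("=", 1) for f in fields)
    rec["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    rec["code"] = int(rec["code"])
    return rec


def detect_prefix_guessing(log_text, window=timedelta(minutes=10), min_distinct=5):
    """Return {src: finding} for every source that offered >= min_distinct
    distinct prefixes that were rejected inside `window`. The finding also
    records the first prefix from that source accepted after the probing began
    (the "winning prefix"), or None if none was."""
    by_src = defaultdict(list)
    for line in log_text.splitlines():
        if line.strip():
            rec = parse_line(line)
            by_src[rec["src"]].append(rec)

    findings = {}
    for src, recs in by_src.items():
        recs.sort(key=lambda r: r["ts"])
        rejected = [r for r in recs if r["code"] in REJECT_CODES]
        # Slide a window over the rejected attempts and count distinct prefixes.
        for i, start in enumerate(rejected):
            in_win = [r for r in rejected[i:] if r["ts"] - start["ts"] <= window]
            prefixes = {r["prefix"] for r in in_win}
            if len(prefixes) >= min_distinct:
                accepted = [r["prefix"] for r in recs
                            if r["code"] == 200 and r["ts"] >= start["ts"]]
                findings[src] = {
                    "distinct_rejected_prefixes": len(prefixes),
                    "first_attempt": start["ts"].isoformat(),
                    "accepted_prefix": accepted[0] if accepted else None,
                }
                break
    return findings


def prefix_from_unexpected_source(log_text, owners):
    """owners maps prefix -> the peer IP that is supposed to send it (assumed
    to be known from the interconnect agreements). Return sorted (prefix, src)
    pairs where a known prefix arrived from some other source."""
    hits = set()
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        owner = owners.get(rec["prefix"])
        if owner is not None and rec["src"] != owner:
            hits.add((rec["prefix"], rec["src"]))
    return sorted(hits)


if __name__ == "__main__":
    print(detect_prefix_guessing(SAMPLE_LOG))
    print(prefix_from_unexpected_source(SAMPLE_LOG, {"7742": "198.51.100.9"}))
```

The second check matters even when the guessing itself happened elsewhere: a prefix is only a shared secret between two peers, so seeing it from a third address is the signal, regardless of how it was obtained.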
I was deleting old emails and re-read this one, noticing something I had missed the first time: On Fri, 9 Jun 2006, Tyler Durden wrote: <SNIP>
Two Charged in VOIP Hacking Scandal
<SNIP>
Step One. The men obscured the origin of the calls by sending them through an "intermediary." The feds believe Pena, with help from Moore, scanned the networks of companies all over the world looking for network ports to use for routing calls. The New Jersey U.S. Attorney's Office said it obtained records from AT&T Inc. (NYSE: T - message board) showing that, between June and October of last year, Moore ran more than 6 million scans for those susceptible ports.
ATT had *records* of *port scans*, going back 12-18 *months*??? How? -- Yours, J.A. Terranson sysadmin@mfn.org 0xBD4A95BF "Surely the larger lesson learned from that day is that other men, all over the world, took inspiration not from the heroism of the rescuers in New York or the passengers flying over Pennsylvania, but from the 19 hijackers - the twisted brilliance of their scheme and their willingness to sacrifice their lives to make a political and, as they saw it, religious statement." Richard Corliss/Time Magazine 11 Aug 2006
At 02:52 PM 8/26/2006, J.A. Terranson wrote:
On Fri, 9 Jun 2006, Tyler Durden wrote: <SNIP>
Two Charged in VOIP Hacking Scandal <SNIP> Step One. The men obscured the origin of the calls by sending them through an "intermediary." The feds believe Pena, with help from Moore, scanned the networks of companies all over the world looking for network ports to use for routing calls. The New Jersey U.S. Attorney's Office said it obtained records from AT&T Inc. (NYSE: T - message board) showing that, between June and October of last year, Moore ran more than 6 million scans for those susceptible ports.
ATT had *records* of *port scans*, going back 12-18 *months*??? How?
Go check out AT&T Internet Protect. AT&T started it as a research project a few years ago, logging traffic at AT&T peering points, and it's grown to cover more of the network, and customers can subscribe to summaries and analysis of the traffic data. It logs to&from IP addresses, protocol, to&from ports, timestamp, and maybe another field or two like DSCP/ToS or TCP syn/ack bits or whatever. And yes, there's a big honkin' custom database backend. I don't know which data they keep for how long, though it's at least a month for some of the data.

If you remember the EFF suit about AT&T helping NSA eavesdroppers, the descriptions of the "secret" equipment all sound pretty much like the stuff AT&T's had in public sales brochures for a few years, except for the issue of how much access NSA gets to the database.

From a research perspective, one of the biggest problems is how to make any sense of that much data and present it in some sort of useful format. One of the measurements that seems to be really valuable is looking at what percentage of traffic is a given protocol, either by bytes/packets/flows, and how much that's changed in the last day/week/month. For instance, back when the Slammer worm came out, there were half a dozen events over the preceding week that were big spikes in UDP 1434, so we knew to build blocking filters.

So there'll be a lot of reports like "there's been a big increase in traffic on TCP Port 139", with analysis like "it's related to this week's latest Microsoft vulnerability, and it seems to be a widely distributed search for targets", or "most of it's from the X virus, with a bit left over from the Y virus", or "it's a very focused 10 Gbps attack on a gamer's DSL line coming from the dorms at X university, with a bit of collateral damage if you're nearby." Some of the information is similar to what you'd get from McAfee or SANS, but it's got a different perspective because of the scale of traffic measurement.
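As an added example (not AT&T's Internet Protect, and not code posted by anyone in the thread), here is the measurement Bill describes reduced to its core: each protocol/port's share of a time bucket's traffic, compared with its mean share over the preceding buckets, so that a port whose share jumps by an order of magnitude stands out the way UDP 1434 did before Slammer. The flow summaries, bucket labels, port mix and the 10x threshold are constructed assumptions; real flow exports carry per-flow IPs, ports, timestamps and TCP flags, and the same arithmetic applies per hour, day or week.

```python
"""Per-port traffic-share spike detection over flow summaries.

Added example, not AT&T's Internet Protect and not from the thread. It
implements the "what percentage of traffic is a given protocol, and how much
has that changed" measurement described above, over constructed data.
"""
from collections import defaultdict

# Constructed flow summaries (assumed shape): (bucket, proto, dst_port, packets).
# Buckets d1..d4 stand for four consecutive days. UDP/1434 is background noise
# for three days and then jumps on d4, the Slammer-style pattern.
FLOWS = [
    ("d1", "tcp", 80, 900_000), ("d1", "tcp", 25, 120_000),
    ("d1", "udp", 53, 200_000), ("d1", "udp", 1434, 1_000),
    ("d2", "tcp", 80, 950_000), ("d2", "tcp", 25, 110_000),
    ("d2", "udp", 53, 210_000), ("d2", "udp", 1434, 1_200),
    ("d3", "tcp", 80, 920_000), ("d3", "tcp", 25, 130_000),
    ("d3", "udp", 53, 190_000), ("d3", "udp", 1434, 900),
    ("d4", "tcp", 80, 940_000), ("d4", "tcp", 25, 125_000),
    ("d4", "udp", 53, 205_000), ("d4", "udp", 1434, 48_000),
]


def port_share_by_bucket(flows):
    """Return {bucket: {(proto, port): share}} where share is that port's
    fraction of the bucket's total packets. Buckets keep input order."""
    totals = defaultdict(int)
    per_port = defaultdict(lambda: defaultdict(int))
    order = []
    for bucket, proto, port, pkts in flows:
        if bucket not in totals:
            order.append(bucket)
        totals[bucket] += pkts
        per_port[bucket][(proto, port)] += pkts
    return {b: {k: v / totals[b] for k, v in per_port[b].items()} for b in order}


def spikes(flows, factor=10.0, min_share=0.001, history=3):
    """Flag (bucket, proto, port, ratio) where a port's share of the bucket is
    at least `factor` times its mean share over the previous `history`
    buckets. Shares below `min_share` are skipped so an idle port going from
    2 packets to 20 does not page anyone; a port with no history at all that
    appears above `min_share` is reported with ratio inf (new traffic)."""
    shares = port_share_by_bucket(flows)
    buckets = list(shares)
    out = []
    for i in range(1, len(buckets)):
        prev = buckets[max(0, i - history):i]
        for key, share in shares[buckets[i]].items():
            if share < min_share:
                continue
            hist = [shares[b].get(key, 0.0) for b in prev]
            mean = sum(hist) / len(hist)
            ratio = share / mean if mean > 0 else float("inf")
            if ratio >= factor:
                out.append((buckets[i], key[0], key[1], round(ratio, 1)))
    return out


if __name__ == "__main__":
    for bucket, proto, port, ratio in spikes(FLOWS):
        print(f"{bucket}: {proto}/{port} share is {ratio}x its recent mean")
```

Comparing shares rather than raw counts is what makes the number comparable across buckets of different total volume; a growing network will show every port "increasing" in absolute terms, but only a worm or a targeted flood changes the mix.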
participants (4): Bill Stewart, coderman, J.A. Terranson, Tyler Durden