One of the big news items in telecom security this past week was the arrest in Manila of 4 men accused of defrauding AT&T of almost $2 million USD and then using those funds to finance a terrorist organization. The Philippine National Police issued a statement (annoyingly you have to scroll down to the “November 24, 2011″ entry) that explained the terrorist link:

Sosa said that Kwan and the other hackers in Manila were being used by the Zamir’s terrorists group to hack the trunk-line (PBX) of different telecommunication companies including the AT&T. Revenues derived from the hacking activities of the Filipino-based hackers were diverted to the account of the terrorists, who paid the Filipino hackers on a commission basis via local banks.

The joint operation between the Philippine Criminal Investigation and Detection Group (CIDG) and the US FBI is per the statement a result of a long-standing effort within the FBI to combat this kind of fraud.

It’s not clear yet exactly how the fraud was perpetrated and whether or not there was any “VoIP” involved. Ars Technica, in a lengthy piece, “How Filipino phreakers turned PBX systems into cash machines for terrorists, indicates that the attackers used traditional attacks against PBXs to compromise voicemail systems that allow outbound calling (DISA) and then passed that list of compromised PBXs along to others who sold this access as a way to cheaply call into premium rate services (similar to 900-numbers in the US).

There’s also a note in the Ars Technica article that the attackers used good old default passwords to get into many of these PBXs. Assuming the prosecutions move forward we will hopefully learn more as the cases go to trial.

Regardless of the precise mechanism, it’s a great reminder that people need to check the traditional security mechanisms of their PBX systems, and REMOVE/CHANGE default passwords!

If you are interested in discussing this case, it will be the topic of today’s (Dec 2, 2011) Voip Users Conference (VUC) call at 12 noon US Eastern. All are welcome to join – or to listen to the conversation later once the recording is posted.

Reading through the FBI news release, the scam really has nothing to do with “VoIP security”, per se, and everything to do with “social engineering.” Essentially, the group managed to appear to be a legitimate business so that VoIP service providers would let them resell their services to businesses. They then resold that service and pocketed the money without ever paying the service providers.

From the news release, it seems to have been a rather extensive scam:

To make it appear as if the shell companies were legitimate VoIP wholesalers and to induce the victim providers to extend credit to the companies on favorable terms, Tonangi and his co-conspirators took several fraudulent steps, including establishing fake business addresses for the shell companies at prominent New York locations, including the Empire State Building.

The co-conspirators also used Internet-based answering services that purported to connect callers to the shell companies’ various departments, such as accounts receivable and marketing, but really connected to cell phones controlled by the co-conspirators.

Tonangi and his co-conspirators created shell company e-mail accounts in the names of non-existent employees for communicating with victim providers; websites that contained false information, such as the names of non-existent employees and the companies’ fabricated qualifications to serve as VoIP wholesalers; and aliases to negotiate the purchase of VoIP services.

They also fabricated year-end financial reports that bore the logo of a national accounting firm in order to give the appearance that the shell companies’ financial reports had been reviewed by that firm.

When the victim providers sold VoIP services to the shell companies on credit, Tonangi and his co-conspirators would “bust out” the account by causing the companies to use substantially more VoIP services than the companies had been approved to buy in such a short period of time. The co-conspirators would do this over weekends and holidays so that the providers would not notice.

When the invoices for the services came due, the co-conspirators would send fake wire transfer confirmations via e-mail or submit small payments to keep the victim providers from cutting off service.

If victim providers sued or threatened to sue the shell companies, Tonangi and his co-conspirators would respond in legal pleadings or letters that they prepared in the name of a non-existent attorney, Frank Soss. Tonangi and Bhambhani created and used a fraudulent United States passport in the name Frank Soss by downloading and altering a exemplar passport image and photograph from the Internet.

Given the degree of subterfuge undertaken by the group, I’m not at all surprised that they fooled numerous companies into extending credit for VoIP services. When you are doing due diligence on a new customer, you would explore many of the avenues that these folks seem to have covered.

It’s not clear from the news release or any other information I’ve seen online what if any VoIP technology was used here but given that the group was acting as a legitimate business they didn’t need anything very sophisticated. Many software and service options would have met their needs.

It’s good to see the FBI successfully cracking this fraud ring… sadly I’m sure there will be others as we see the increased usage of VoIP across the industry.

P.S. Thanks to J. Oquendo in the VOIPSEC mailing list for alerting us to this news from the FBI.

I didn’t know of such a service, but posted the question to the VOIPSEC mailing list. A couple of people contacted me privately about some services in the works, but then someone did pass along a link to a public service available now:

https://voipscanner.com/voipscanner/

Now, I’ve not used this service but I’m certainly aware of Sandro Gauci and a number of the different tools he has been working on, including SIPVicious and VOIPPACK. After watching his short video and seeing the sample report, this definitely looks like an interesting service.

Of course, with any hosted service my security paranoia is heightened and I want to know what will be done with my data. Will the scan of my IP-PBX be recorded on the Voipscanner.com servers? Will a copy of my report be saved there? Basically… can I trust the site? In looking through the terms of service after you click the graphic to “apply” for access I didn’t see any wording around this… but it’s also Friday and I’m tired… I could have missed it.

Anyway, this service is out there and for those of you comfortable with using such a service it may be useful for you. If you know of other similar services I’d also love to hear about them.

One of the NSA staff will be on a Enterprise Connect communications security panel at 9:00am in the “Sun B” room of the Gaylord Palms tomorrow (Thursday, March 3, 2011). They are also hosting a private meeting tomorrow at the Gaylord Palms from 1-3pm for people interested in learning more. The best way to find out more about that meeting would probably be to attend the 9am session. (They were promoting details at their booth, too, but the exhibit area is now closed.)

Good to see the NSA reaching out to the commercial sector and when more information is available about their program (they said it would be soon) I’ll update this post.

David was out there on behalf of Tripwire, Inc, and produced a number of other good video interviews. I enjoyed this one with my friend Martin McKeay of the Network Security Podcast on the topic of “why is ‘cloud security’ so over hyped?”

Those are issues that I (Dan York) will be discussing on a panel on Friday, Feb 4, 2011, at the Cloud Communications Summit in South Beach, Miami. The abstract is:

There’s a general consensus that Cloud Communications improves the bottom line while reducing both financial and technology risks. What about from a security perspective? This session identifies the differences between premise based and cloud based offerings from a security perspective, and provides the audience with a checklist of what to worry about as they move into the cloud. This session is appropriate for both business and technologists.

I’ll be on the panel along with folks from Rackspace, Pac-West and Path Solutions and the whole session will be moderated by analyst Dave Michels. It should be a fun discussion… if you are down in Miami, do come and join us!

• TheNextWeb: Hackers crack open GSM networks to eavesdrop on mobile calls
• InfoSecurity.com: Security researchers subvert GSM encryption
• eWeek Europe: Researchers Demonstrate GSM Phone Call Hack

The researchers are apparently not releasing their toolkit publicly, but obviously word of their success will encourage others to investigate further.

If you found this post interesting or helpful, please consider either subscribing via RSS or following VOIPSA on Twitter.

On the opposite site, you have the WikiLeaks organization itself moving its content to various places and among various providers… desperately seeking a way to keep itself online. But even more you have supporters of WikiLeaks downloading all the content and popping up mirror sites all over the place, trying to keep the organization’s content out there. The distributed and decentralized nature of the Internet allows easily for this type of content propagation.

Through the WikiLeaks Twitter page, they have been reporting the growth in mirror sites, most recently 507 mirrors. (Note the reported checkbox for new mirror sites.) Which, of course, provides a nice hit list to those who want to shut it down…

And every new site or domain name that pops up with WikiLeaks content becomes yet another target for those wishing to knock the organization offline.

… such as the report today that the WikiLeaks servers in Sweden are under attack.

And undoubtedly there are supporters of WikiLeaks out there who are trying to counter-attack the attackers.

UPDATE, 2 hours later: I noticed this in a NY Times piece yesterday: The collective Anonymous, an informal but notorious group of hackers and activists, also declared war on Sunday against enemies of Mr. Assange, calling on supporters to attack sites companies that do not support WikiLeaks and to spread the leaked material online.

As I wrote last week:

I think it will get uglier before it’s all over.

Indeed, TechCrunch wonders how long the @wikileaks Twitter account will stay around…

I’m NOT talking here about the politics of the WikiLeaks situation. A significant number of you reading this will probably believe that WikiLeaks is an extreme terrorist organization that should be eliminated from the network and the leaders should be hunted down and imprisoned (or worse). And a significant number of you reading this will probably believe that WikiLeaks is a champion of transparency and openness and a leader in fighting against government censorship and secrecy and needs to be supported by all means possible.

Put the politics aside for a moment and think about WikiLeaks in terms of:

an entity that many organizations around the world want to eliminate from the Internet.

Consider the attacks they have been under:

• Multiple reports of large-scale distributed denial-of-service attacks
• Being kicked off of multiple hosting providers, including Amazon Web Services
• Most recently, having the wikileaks.org domain name removed from DNS

and undoubtedly many other forms of attacks…

The Guardian in the UK had a good article up today on the issue:

WikiLeaks fights to stay online after US company withdraws domain name

I definitely understand the difficult decision EveryDNS.net faced (and in full disclosure, I do personally use their free service for some dynamic DNS domains). I know a couple of the folks there, and as they state in the notice on their home page:

More specifically, the services were terminated for violation of the provision which states that “Member shall not interfere with another Member’s use and enjoyment of the Service or another entity’s use and enjoyment of similar services.” The interference at issues arises from the fact that wikileaks.org has become the target of multiple distributed denial of service (DDOS) attacks. These attacks have, and future attacks would, threaten the stability of the EveryDNS.net infrastructure, which enables access to almost 500,000 other websites.

You are a provider of a free domain name service … and suddenly one of those 500,000+ domains comes under extreme attack to such a degree that it could endanger the accessibility for everyone. Though I am sure that the EveryDNS folks will be vilified by some (and probably attacked) and praised by others, as a network and security professional I can understand why they made the choice they did. At some point, there is a need to protect and preserve your own infrastructure and connectivity. They can’t stay in business if they don’t.

But reading that Guardian article and all the other ongoing coverage, I can’t help but think:

We are witnessing a preview of true cyber-war.

Beyond the public pressure from various senators and government officials around the world to shut down WikiLeaks and encourage companies to sever ties, you have to wonder if various intelligence and/or military agencies with different governments aren’t actively trying to shut them down online. Add in all the private groups clamoring for a shut-down… you have to think some of them are engaged in electronic activity. And add in all the individuals out there trying to do their part to shut down WikiLeaks.

How many botnets are probably active right now trying to execute DDoS’ against WikiLeaks?

On the opposite site, you have the WikiLeaks organization itself moving its content to various places and among various providers… desperately seeking a way to keep itself online. But even more you have supporters of WikiLeaks downloading all the content and popping up mirror sites all over the place, trying to keep the organization’s content out there. The distributed and decentralized nature of the Internet allows easily for this type of content propagation.

And every new site or domain name that pops up with WikiLeaks content becomes yet another target for those wishing to knock the organization offline. And undoubtedly there are supporters of WikiLeaks out there who are trying to counter-attack the attackers.

I think it will get uglier before it’s all over.

For us in the security community, there is much to think about:

• Where are your services hosted on the Internet? How well do you know those providers? And how solid and redundant are their services?
• Could your sites become “collateral damage” and be knocked off the ‘Net if some other site hosted at a provider came under attack?
• Where are the single points-of-failure (SPOFs) in your hosting and Internet connectivity?
• Where are your domain names hosted? What if the DNS provider came under attack?
• Do you have alternative domains available? Perhaps through a completely different DNS provider and able to be pointed to a completely different hosting provider?
• What are the Time-To-Live (TTL) values set for your primary domain names? If one provider was knocked out, how quickly could you repoint those domains to another site?
• And if you are hosting your own services, what levels of protection do you have in place? What kind of redundant connections do you have?
• What ability do you have to rapidly move your connectivity (and content) to another site?

• etc., etc.

Bringing this to a VoIP and communications context, if you are using IP-based systems for real-time communications, is your architecture robust enough to withstand attacks? (whether or not those attacks are targeted at you or at others connected near you?) Can you answer those questions above for your real-time communications system? Where are your SPOFs? What are your backup plans? How will you stay online and connected in the face of an overwhelming attack?

This particular saga of WikiLeaks will play out in the days, weeks and months ahead… and whether they stay online or are forced offline remains to be seen… but what we’re publicly witnessing right now is a case study of the time ahead of us.

Are you prepared?

Dan York, CISSP, is chair of the VoIP Security Alliance, author of “Seven Deadliest Unified Communications Attacks” and a frequent speaker on communication security issues.