[VOIPSEC] When Convienence/Obscurity Goes Wrong
ANDRE LUIZ CABRAL DUTRA
andred at superig.com.br
Tue Feb 10 20:41:14 GMT 2009
If I understood the situation correctly, this "hot line" would drop any
other, right? The total amount of damage was caused by the impossibility of
achieving the ideal connection for trunking signaling with other operators;
this value really changes a lot and fast, usually it is managed by automated
applications and the operator only selects the carriers that must be
connected first.
In this case, this task of shifting the traffic was completely manual, the
company was already in the red and it was impossible to operate. So, completely
messed up, the damage was done!!
True or not, it is a good exercise for BCM, security threats analysis and
risk assessment.
But I assure you, at least in Latin America, there are big telecom operators
that are in conditions that match, partially, the story - the part
related to the staff, training and incident response that does not fit the
usual incidents.
André Dutra
Security Consultant
2009/2/10 <voipsec-request at voipsa.org>
> Send Voipsec mailing list submissions to
> voipsec at voipsa.org
>
> To subscribe or unsubscribe via the World Wide Web, visit
> http://voipsa.org/mailman/listinfo/voipsec_voipsa.org
> or, via email, send a message with subject or body 'help' to
> voipsec-request at voipsa.org
>
> You can reach the person managing the list at
> voipsec-owner at voipsa.org
>
> When replying, please edit your Subject line so it is more specific
> than "Re: Contents of Voipsec digest..."
>
>
> Today's Topics:
>
> 1. Best practices: responding to the "809 scam" and similar
> (James Sewell)
> 2. When Convienence/Obscurity Goes Wrong (Dustin D. Trammell)
> 3. Re: When Convienence/Obscurity Goes Wrong (J. Oquendo)
> 4. Re: When Convienence/Obscurity Goes Wrong (Dustin D. Trammell)
>
>
> ----------------------------------------------------------------------
>
> Message: 1
> Date: Mon, 9 Feb 2009 11:15:07 -0600
> From: "James Sewell" <sewellj at westmancom.com>
> Subject: [VOIPSEC] Best practices: responding to the "809 scam" and
> similar
> To: <voipsec at voipsa.org>
> Message-ID:
> <465A78192891144EA1CE7644AC7E1A7AA38363 at windowsdr.westman.int>
> Content-Type: text/plain; charset="us-ascii"
>
> This is my first post so let me introduce myself and my company: We are
> Westman Communications Group, a regional ISP, cable company, and now
> CLEC operating in Brandon, MB, Canada. We recently started offering
> residential phone services and will be branching out to business
> services later this year. I am the phone switch system administrator.
>
> My CFO has glommed onto the whole 809 scam thing over the weekend. He's
> concerned about bad things happening if one of our subscribers ever got
> a scam email and fell for it, making a call and racking up huge charges.
>
> No matter how much I reassure my CFO and Director of Tech Ops that these
> scams are nothing for us to worry about, they still want to hear it from
> someone outside the company. I did show them some verbiage from Snopes
> to reassure them that the dire warnings are all out of proportion to the
> scam itself.
>
> So are there any "canned answers" to these concerns?
>
>
> James Sewell
> Network Analyst
> Westman Communications Group
> sewellj at westmancom.com
>
>
>
> ------------------------------
>
> Message: 2
> Date: Mon, 09 Feb 2009 15:17:12 -0600
> From: "Dustin D. Trammell" <dtrammell at breakingpoint.com>
> Subject: [VOIPSEC] When Convienence/Obscurity Goes Wrong
> To: voipsec at voipsa.org
> Message-ID: <1234214232.10808.106.camel at localhost>
> Content-Type: text/plain
>
> "We had to make 5M that night to break even for the year (we were
> already in the red). We expected to make closer to 50M. We actually made
> about -30M. Let me write that out for you: One ass-hat residential
> customer with a 20yo telephone with four extra buttons did thirty
> million dollars in damages in less than one night.
>
> Anyways, that's how the company went bankrupt in late 2001 and about
> 6000 or so people in the Ft Lauderdale area all got laid off. :("
>
>
> http://www.reddit.com/r/programming/comments/7vvti/what_on_gods_green_earth_gets_a_fucking_pl7/c07k5nn
>
> Perhaps they should have just had their line techs memorize the NOC's
> phone number... or carry an address book (:
>
> --
> Dustin D. Trammell
> Security Researcher
> BreakingPoint Systems, Inc.
>
>
>
>
> ------------------------------
>
> Message: 3
> Date: Mon, 9 Feb 2009 15:37:36 -0600
> From: "J. Oquendo" <sil at infiltrated.net>
> Subject: Re: [VOIPSEC] When Convienence/Obscurity Goes Wrong
> To: "Dustin D. Trammell" <dtrammell at breakingpoint.com>
> Cc: voipsec at voipsa.org
> Message-ID: <20090209213736.GA50954 at infiltrated.net>
> Content-Type: text/plain; charset=us-ascii
>
> On Mon, 09 Feb 2009, Dustin D. Trammell wrote:
>
> > thirty
> > million dollars in damages in less than one night.
> >
>
> $30,000,000.00 / 86400 (minutes in a day) = 347.22 per call.
> Not even porn operators charge that much. Remember, he said
> it was one person making that call, and it also stated in
> one night. So if we have the time frame, he'd of paid $694.00
> or so per minute for a 12 hour period, and so on and so forth.
>
> In other news... I hear saying Bloody Mary a couple of times
> in a mirror...
>
> ;) Sup DT.
>
>
>
> =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
> J. Oquendo
> SGFA, SGFE, C|EH, CNDA, CHFI, OSCP
>
> "Enough research will tend to support your
> conclusions." - Arthur Bloch
>
> "A conclusion is the place where you got
> tired of thinking" - Arthur Bloch
>
> 227C 5D35 7DCB 0893 95AA 4771 1DCE 1FD1 5CCD 6B5E
> http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x5CCD6B5E
>
>
>
>
> ------------------------------
>
> Message: 4
> Date: Mon, 09 Feb 2009 15:52:31 -0600
> From: "Dustin D. Trammell" <dtrammell at breakingpoint.com>
> Subject: Re: [VOIPSEC] When Convienence/Obscurity Goes Wrong
> To: "J. Oquendo" <sil at infiltrated.net>
> Cc: voipsec at voipsa.org
> Message-ID: <1234216351.10808.111.camel at localhost>
> Content-Type: text/plain
>
> On Mon, 2009-02-09 at 15:37 -0600, J. Oquendo wrote:
> > $30,000,000.00 / 86400 (minutes in a day) = 347.22 per call.
> > Not even porn operators charge that much. Remember, he said
> > it was one person making that call, and it also stated in
> > one night. So if we have the time frame, he'd of paid $694.00
> > or so per minute for a 12 hour period, and so on and so forth.
>
> I don't think the overages were due to the single repeated call. If I
> read the story right, the one guy repeatedly calling caused them to not
> receive notices of toll increases for some of their carriers, so they
> didn't remove them (or prioritize them correctly) from their routes.
> Then those carriers noticed they were still being used and
> opportunistically hiked once again. The total overages occurred from
> their legitimate customers being routed over carriers that became
> super-expensive without them noticing (due to not receiving the
> notices).
>
> --
> Dustin D. Trammell
> Security Researcher
> BreakingPoint Systems, Inc.
>
>
>
>
> ------------------------------
>
> _______________________________________________
> Voipsec mailing list
> Voipsec at voipsa.org
> http://voipsa.org/mailman/listinfo/voipsec_voipsa.org
>
>
> End of Voipsec Digest, Vol 50, Issue 3
> **************************************
>
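The failure mode discussed above (a carrier's rate notices never arriving, so the least-cost routing table keeps sending legitimate traffic over a carrier whose price has since been hiked) can be modelled in a few lines. The following is an added illustration, not code from the thread or from any operator mentioned in it; the carrier names, rates, timestamps and the 24-hour freshness window are constructed assumptions. It contrasts a naive cheapest-rate selector with one that treats a carrier whose last processed rate notice is stale as unknown-cost and drops it from the route, and it computes the exposure when traffic is billed at a rate the table never learned.

```python
"""Toy least-cost-routing (LCR) selector with a rate-freshness guard.

Constructed example: carrier names, rates and timestamps are made up for
illustration and are not data from the mailing-list thread.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional


@dataclass
class Carrier:
    name: str
    rate_per_min: float      # rate from the last notice the operator processed
    last_notice: datetime    # when that notice was received and applied


def naive_select(carriers: List[Carrier]) -> Optional[Carrier]:
    """Cheapest carrier by table rate, trusting the table unconditionally.

    This is the behaviour that leaves a silently hiked carrier in service:
    if the hike notice never arrived, the stale low rate still wins.
    """
    return min(carriers, key=lambda c: c.rate_per_min) if carriers else None


def eligible_carriers(carriers: List[Carrier], now: datetime,
                      max_notice_age: timedelta = timedelta(hours=24),
                      rate_cap: Optional[float] = None) -> List[Carrier]:
    """Return carriers whose rate data is fresh enough to trust.

    A carrier whose last rate notice is older than max_notice_age is treated
    as unknown-cost and excluded, so a missed notice removes the carrier from
    the route instead of leaving it in at a stale price.  An optional rate_cap
    additionally excludes carriers above an agreed per-minute ceiling.
    """
    out = []
    for c in carriers:
        if now - c.last_notice > max_notice_age:
            continue  # notice channel may be broken; do not trust this rate
        if rate_cap is not None and c.rate_per_min > rate_cap:
            continue  # above the commercial ceiling for this route
        out.append(c)
    return out


def select_route(carriers: List[Carrier], now: datetime, **kw) -> Optional[Carrier]:
    """Pick the cheapest carrier among the eligible ones, or None if nothing is trusted."""
    cands = eligible_carriers(carriers, now, **kw)
    if not cands:
        return None  # caller must alarm / fall back to a manual decision
    return min(cands, key=lambda c: c.rate_per_min)


def overage(minutes: float, billed_rate: float, table_rate: float) -> float:
    """Exposure when traffic is billed at a hiked rate the routing table never learned."""
    return round(minutes * (billed_rate - table_rate), 2)


# Constructed sample data: carrier-b's notices stopped arriving 40 hours ago.
NOW = datetime(2009, 2, 9, 22, 0)
CARRIERS = [
    Carrier("carrier-a", 0.010, NOW - timedelta(hours=2)),
    Carrier("carrier-b", 0.008, NOW - timedelta(hours=40)),
    Carrier("carrier-c", 0.012, NOW - timedelta(hours=1)),
]

if __name__ == "__main__":
    print("naive  :", naive_select(CARRIERS).name)          # carrier-b (stale rate)
    print("guarded:", select_route(CARRIERS, NOW).name)     # carrier-a
    print("exposure on 1M min at 0.05 vs 0.008:", overage(1_000_000, 0.05, 0.008))
```

The guard turns a missed notice into a visible routing change (or an empty candidate list that must raise an alarm) rather than an invisible cost increase; the freshness window and the rate cap are the two knobs an operator would tune against its carriers' actual notice cadence.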