VoIP Mailing List Archives
Mailing list archives for the VoIP community
[asterisk-biz] ANI

Alex.Lopez at OpSys.com
Posted: Tue May 13, 2008 12:19 pm    Post subject: [asterisk-biz] ANI

I have avoided chiming in but this is getting pretty bad.

CALLERID, ANI, and EMAIL all suffer from the same problem. Once there is
no ONE entity controlling access, there are no viable (cost-effective)
ways to control it. I'll take the risk of a cab showing up at my door,
or a pizza I didn't deliver showing up at my door, rather than have
everything I say, do, write, or transfer accounted and verified. If the
bad guys are going to do anything, then no measure of legislation or
regulation would stop them. Humans are generally trusting. Case in
point: we used to let passengers carry knives on airplanes, we no longer
allow that, and the world is NOT a better place because of it. An hour
to get on a plane for a 30 minute flight, that's regulation for you!!!
I know that once you pass a law for one thing, someone thinks of a way
around it.

I don't have to hack into an asterisk box to do harm, I can go to any
cross box, pick a pair, hook up a Butt Set and crank call my life away!!!

In high school, we found the address to a uniquely uptight teacher. We
would call a cab to his house every Wednesday night at 3AM (it was
quarter beer night at the Pub). We would tell the cab company that I was
hard of hearing and to please place the car as close to the front door
as possible and repeatedly FLASH the lights and HONK the Horn until I
came out. We would have done it for a longer period of time except that
we ran out of Cab companies. We would sit in my friend's dad's custom
van down the street with a long roll of speaker cable, with clips on one
end and a RJ-Jack on the other. High TECH, Radio Shack!!!

I am sure that to this day, he still hates taxi cabs; maybe if he goes
to the 20 year reunion I'll let him in on the secret!!!!

This just proves the point that there are other 'entrances' into the
PSTN that are hard to be traced. A single cross box can handle a large
geographic area. Couple this with a pair of cross-connect wires to
another lateral (F2 or even F3) and you could be even further.


Quote:
-----Original Message-----
From: asterisk-biz-bounces@lists.digium.com [mailto:asterisk-biz-bounces@lists.digium.com] On Behalf Of Steve Totaro
Sent: Tuesday, May 13, 2008 12:42 PM
To: nk3569@yahoo.com; Commercial and Business-Oriented Asterisk Discussion
Subject: Re: [asterisk-biz] ANI

Nitzan,

Maybe you are unaware that all of this could be done with *absolutely*
no way to trace it back to the "Culprit".

If you cannot trace it back to the culprit AND more importantly, clear
the INNOCENT, then more regulation is needed.

"Culprit -> VoIP carrier who lets set CID/ANI -> ILEC or CLEC ->
terminated to PSTN." would be stupid.

This make more sense:
Open WiFi AP (or cracked WEP) ----> hacked Asterisk box (who sets the
CID/ANI ----> Telco ------> terminated to the PSTN

Be sure to delete appropriate logs on the hacked Asterisk boxen and just
to be safe, spoof your laptop's MAC address. Perform your exploit
somewhere inconspicuous and a good distance from "home, then clean your
laptop by using DBAN http://dban.sourceforge.net/ which is DoD 5220.22-M
compliant, before re-installing your OS"......

Thanks,
Steve Totaro


Nitzan Kon wrote:
Quote:
Yep. True.

So the issue is not needing more regulation - but just how to be able to
enforce existing regulation. Not something that more regulation by itself
will resolve!

Of course for all these cases, there WILL be records allowing law
enforcement officials (***who know what they're doing***) to trace back
the calls. Even if you spoof ANI/CID - your call has to come from
somewhere.

Let's take your 3AM campaign suggestion for example: the way the call
will go is:

Culprit -> VoIP carrier who lets set CID/ANI -> ILEC or CLEC ->
terminated to PSTN.

Tracing it back should not be a problem if you have the proper court
orders, just find out with the terminating party which ILEC/CLEC they got
the call from, then find out with the ILEC/CLEC which VoIP carrier they
got the call from - and then finally get the customer records from the
VoIP carrier.

Sure, it's not as easy as it used to be, and I may be over simplifying
it - but it is possible and much better than trying to regulate who can
and can't set CID. Punish the CRIMINALS - not the PROVIDERS.

--- On Thu, 5/29/08, Charles Vance <cbvance@msn.com> wrote:

Quote:
From: Charles Vance <cbvance@msn.com>
Subject: Re: [asterisk-biz] ANI
To: "Commercial and Business-Oriented Asterisk Discussion" <asterisk-biz@lists.digium.com>
Date: Thursday, May 29, 2008, 6:40 PM

each of those scenarios involve either fraud or intent to do harm and
are already prohibited in FCC regs even absent the "Truth in Caller ID
Act"

----- Original Message -----
From: Steve Totaro <mailto:stotaro@totarotechnologies.com>
To: trixter@0xdecafbad.com <mailto:trixter@0xdecafbad.com>; Commercial and Business-Oriented Asterisk Discussion <mailto:asterisk-biz@lists.digium.com>
Sent: Monday, May 12, 2008 18:22
Subject: Re: [asterisk-biz] ANI


Setting up a drone Asterisk box to take hundreds of thousands of FTP
.call files at 3AM (by each time zone) and play pro Hillary Clinton
campaign messages (or whoever you don't like), obviously spoofing
her/his campaign headquarters caller ID and ANI.

Obtaining a new credit card from someone's mailbox with the sticker to
call from your home phone to activate the card. Spoof their Caller ID
and ANI, activate, and buy some cool gadgets or whatever people do
with cards that don't belong to them.

Setting CallerID/ANI to clients', girlfriends', bosses' cell phone and
call until voicemail picks up, if no PIN is set, I have full control
of their voicemail (and could possibly call out, I will have to test
that with the call back option. Then someone could really have some
fun depending on what messages they have saved)

So many exploits.....

Thanks,
Steve Totaro




_______________________________________________
--Bandwidth and Colocation Provided by http://www.api-digital.com--

asterisk-biz mailing list
To UNSUBSCRIBE or update options visit:
http://lists.digium.com/mailman/listinfo/asterisk-biz

stotaro at totarotechn...
Posted: Tue May 13, 2008 2:49 pm    Post subject: [asterisk-biz] ANI

(From a US centric view obviously)

Well you do make several valid points about getting around things and
regulation taking resources. I am positive that certain measures are
needed but should be outsourced from the Government. They should not
go to the lowest bidder, they should go to the best ROI, taking into
consideration monetary and time costs, efficiency, and effectiveness.

Here are a couple of links of what I feel have some very good points.
I have to admit I am a fan of Donald Trump (full disclosure, I did
security system installations for many of his properties in NYC).

The part about the Ice Rink is a perfect example but there is plenty
of good info.

http://www.govote.com/Archive/Art_Of_The_Deal_Donald_Trump.htm
http://www.ontheissues.org/Celeb/Donald_Trump_Government_Reform.htm

We must be vocal and vote, that is our power and duty.

I am not going to pretend I know what this means (but I think I know)
"A single cross box can handle a large geographic area. Couple this
with a pair of cross-connect wires to another lateral (F2 or even F3)
and you could be even further."

If you are talking about butt sets and single pairs, then you may be
caught while dialing several thousand calls.... Smalltime at best.

The prank about the taxi is just that, a prank, just like leaving a
burning bag of dog poop and ringing someone's doorbell so they come
and stomp out the fire. Apples, to oranges.

I don't follow this, "We would sit in my friend's dad's custom van
down the street with a long roll of speaker cable, with clips on one
end and a RJ-Jack on the other. High TECH, Radio Shack!!!" What
exactly does that do?

I am afraid that nothing you have outlined could do any severe harm to
anyone (person or property).

Thanks,
Steve Totaro

trixter at 0xdecafbad.com
Posted: Tue May 13, 2008 3:18 pm    Post subject: [asterisk-biz] ANI

On Tue, 2008-05-13 at 15:40 -0400, Steve Totaro wrote:
Quote:
I don't follow this, "We would sit in my friend's dad's custom van
down the street with a long roll of speaker cable, with clips on one
end and a RJ-Jack on the other. High TECH, Radio Shack!!!" What
exactly does that do?


they would clip in at the box, run the wire to the van and place the
calls. In this way they aren't visible at the box, they are in an
enclosed area which can shield light they may be using for other things,
and they are climate controlled.

It lets you basically do it for longer, and if you have multiple pairs
of wire, in parallel, all from the comfort of a poofy chair or sofa in
the back.

Further if you just get a hard hat and a harris buttset most people will
ignore you thinking you really are the phone company. The hard hat goes
a long way, especially if it's the same color (most are white) with a
bell (or whatever) logo on the side. You are only there for a couple
minutes long enough to use the 3/8" wrench (no locks on most) and your
wire prefabricated with clips on the end, you just clip them in and away
you go. These boxes exist in neighborhoods of various sizes (even here
in NL, but they are all punched wire here) from small square ones for a
couple homes to larger ones for an entire neighborhood. Strip malls
generally have them exposed in the back, a lot of homes have TNIs that
provide access for both rj11 and clips. Many of the TNIs can't be fully
locked, while they provide a lock facility, a socket can open them
trivially.

So in essence it's not that hard to find a vulnerable pair, it's harder to
find one that lets you set ani/clid, or target a specific person.
Knowing the neighborhood they are in along with the local ANAC number
can go a long way, and if you can pull the cable pair that someone is
off of you can target them specifically, but yeah.

The biggest limitation with what he is proposing is the inability to
specify arbitrary ani/clid, and the fact that at some point you have to
physically go somewhere. With voip you can be anywhere in the world
that has inet, you can pick and choose your access method and point, you
can use proxies to make traffic seem like it's an entirely different
jurisdiction, and with some ITSPs set arbitrary clid/ani. Thus I think
that beige boxing is much more limited to the types of mischief that
someone can do with voip.
--
Trixter http://www.0xdecafbad.com Bret McDanel
Belfast +44 28 9099 6461 US +1 516 687 5200
http://www.trxtel.com the phone company that pays you!


stotaro at totarotechn...
Posted: Tue May 13, 2008 3:23 pm    Post subject: [asterisk-biz] ANI

On Tue, May 13, 2008 at 1:06 PM, Trixter aka Bret McDanel
<trixter@0xdecafbad.com> wrote:
Quote:
On Tue, 2008-05-13 at 12:41 -0400, Steve Totaro wrote:
Quote:
Nitzan,

Maybe you are unaware that all of this could be done with *absolutely*
no way to trace it back to the "Culprit".

If you cannot trace it back to the culprit AND more importantly, clear
the INNOCENT, then more regulation is needed.


I agree to a point, I don't think more regulation is needed, I think a
fairer approach of not charging people out of suspicion but rather facts
would clear more innocent even if it lets some guilty get away. The
feds have a 96% plea rate give or take. This is because they threaten
people with really long sentences and offer pleas of minimal sentences,
many who have given up on fighting accept the plea out of desperation
and not because they believe they are guilty. Of those that go to trial
75% lose in the federal system, often because of dirty tricks used and
a bunch of retired postal employees as jurors. One of the first tactics
that the feds use is to dry up your income so you can't afford a real
lawyer and end up with a public defender. Seizing funds (or at least
freezing them), ensuring you get fired, etc are all standard tactics.

Very true about their tactics... It is, what it is, for now. Voting
and being vocal is the only way this will change it certainly will not
happen overnight.

An ANI that was not spoofable would go a long way to creating
reasonable doubt if explained to a jury.

CDRs showing spoofed CID/ANI certainly would make a public defender
suggest opting for the plea even if not admissible in court. If it
did go to trial and the CDRs with CID/ANI are deemed admissible, then
I am afraid someone may go to the Federal "Spa" for a bit (and if it
was under the "Patriot Act", they may be in the "Spa" for a very long
time.)

Quote:

If there is regulation it needs to be that the government will play fair
in prosecution, if this happens you will see many more people walk when
the evidence just isn't there, rather than conviction because the
government says so.

Generally more regulation only leads to more "criminals" some of whom
are unintended consequences of a poorly written law. It generally does
little to actually stop innocent convictions, or halt an undesirable
action.

Sad but true.

Quote:


Quote:
This make more sense:
Open WiFi AP (or cracked WEP) ----> hacked Asterisk box (who sets the
CID/ANI ----> Telco ------> terminated to the PSTN


open/cracked wifi device using voip device -> itsp that takes paypal or
credit cards and does instant activation -> pstn

paypal and credit cards are stolen all the time, and are probably more
plentiful than vulnerable voip systems (asterisk or not) so the attack
vector is larger than in your example.

I was thinking along the lines of thousands of calls, so an Asterisk
box would be ideal. It is not very hard to find Asterisk boxen wide
open with the prevalence of newbs with Trixbox or whatever. Also
getting root via various exploits is pretty easy when there is no
active admin.

Quote:



Quote:
Be sure to delete appropriate logs on the hacked Asterisk boxen and just
to be safe, spoof your laptop's MAC address. Perform your exploit
somewhere inconspicuous and a good distance from "home, then clean your
laptop by using DBAN http://dban.sourceforge.net/ which is DoD 5220.22-M
compliant, before re-installing your OS"......

this step also could be removed, certain the clean up, but if you can
really get in and out without anyone noticing, bounce around to
different locations, use proxies, etc tracing it back to the user of the
access point becomes difficult and unless you enter the US or UK where
they can search the contents of your laptop "because they feel like it"
wiping it isn't always required.

(Sorry, US Centric when in the US, no witnesses either)

Quote:

fyi eteraser does DoD compliant wipes of free and slack space on windows
boxes, and if you use a wifi phone or ATA or something that way there
generally aren't logs to even require this step. And many of the wifi
phones look like mobiles so it wouldn't look as odd, but you may not have
as much ability to set clid/ani to said itsp provider.

Again, still looking for large volume, an ATA or SIP phone is cracker jacks.

Here is one, install Asterisk on your laptop, open/cracked wifi/stolen
paypal or cc, launch, then follow the hard drive wipe instructions.

You could always use your butt set to get into a phone closet too
(might have a network jack or even be one and the same as the "data
center").

I work in the DC area and am almost always asked to sign in but they
never check ID. I could put any name, and the butt set and outfit has
worked as credentials to almost every building with a couple of
exceptions. They are generally the places that have you exit your
vehicle, open the trunk, run a mirror on wheels under the car, check
the interior and glove box.

You could certainly order some free Verizon business cards from
www.vistaprint.com.

OK, I am done writing. Any more might get me or someone else in trouble.

Quote:

--
Trixter http://www.0xdecafbad.com Bret McDanel
Belfast +44 28 9099 6461 US +1 516 687 5200
http://www.trxtel.com the phone company that pays you!



Thanks,
Steve Totaro

bill at cosi.com
Posted: Tue May 13, 2008 3:37 pm    Post subject: [asterisk-biz] ANI

Alex Balashov wrote:
Quote:
Quote:
Steve Totaro wrote:

Quote:
This make more sense:
Open WiFi AP (or cracked WEP) ----> hacked Asterisk box (who sets the
CID/ANI ----> Telco ------> terminated to the PSTN

Well, sure, but you can do far worse things than spoof ANI/CID with that
kind of mischief. The sort of things generated in the scenario you
described are hard to track down whether they're telephony-related or not.

Precisely right, and in the general case, it seems that the essential problem is the lack of general awareness that certain forms of identification are unreliable. Thus the perceived need to clear the innocent. And also, perhaps, the reason for excessive apathy about the (general) problem in many corners.

Referring back to my earlier suggestion about public key authentication, a more widespread appreciation and understanding of its applicability in various realms would go a long way toward helping solve many problems ranging from spam and phishing to stuff like this. It's a mind-share/social problem. There is nothing inherently wrong with spoofing; the problems arise when the receiver is unduly deceived.
jra at baylink.com
Posted: Tue May 13, 2008 3:47 pm    Post subject: [asterisk-biz] ANI

On Tue, May 13, 2008 at 01:25:49AM -0400, Alex Balashov wrote:
Quote:
Jay R. Ashworth wrote:
Quote:
On Mon, May 12, 2008 at 08:26:35PM -0400, Alex Balashov wrote:
Quote:
There is a whole host of data dumped into internal CDRs accessible via
switch craft interfaces and softswitch / big-iron EMSs that admits of
internal PRI trunks and cross-connects, TCICs from private and ILEC
tandem interconnection SS7 IMTs, and various other such things.

I knew someone would eventually show up who was 100% buzzword
compliant. :-)

Yes, I took time out from my busy day of delivering transformative
matrix value convergence through five-9s, N+1 24/7 methodologies and
chaining synergistic B2B and B2C channel partner sales, monetising VAR
click-through portal infomediaries, and leveraging turn-key, whiteboard
deliverables to bring you this dose of enterprise-strength insight.

Bingo!!

Quote:
*swivels in executive chair ominously, looking smuggy smug smug*

:-)

Quote:
Quote:
So, Alex, *does* the ISUP element dictionary separate BTN, ANI, and
CLID?

As far as I know, the ANI is the BTN, but I could be very wrong.

Well, that's what *I* thought. I have an LSSGR available; I guess I'll
go look it up.

Quote:
I will
not be duped into an appointment as the ISUP expert. :-) I have worked
for and with several CLECs at various times and have some experience in
the esoterica of TDM land, but I still don't sit around reading

http://www.itu.int/rec/T-REC-Q.767-199102-I/en

all day. :-)

Thanks, Alex. :-)

Cheers,
-- jra
--
Jay R. Ashworth Baylink jra@baylink.com
Designer The Things I Think RFC 2100
Ashworth & Associates http://baylink.pitas.com '87 e24
St Petersburg FL USA http://photo.imageinc.us +1 727 647 1274

Those who cast the vote decide nothing.
Those who count the vote decide everything.
-- (Joseph Stalin)

trixter at 0xdecafbad.com
Posted: Tue May 13, 2008 4:00 pm    Post subject: [asterisk-biz] ANI

On Tue, 2008-05-13 at 16:32 -0400, Bill Michaelson wrote:
Quote:
Referring back to my earlier suggestion about public key
authentication, a more widespread appreciation and understanding of
its applicability in various realms would go a long way toward
helping solve many problems ranging from spam and phishing to stuff
like this. It's a mind-share/social problem. There is nothing
inherently wrong with spoofing; the problems arise when the receiver
is unduly deceived.


that only works if you can trust the key holders. Someone has to have
your public key and be trusted so that you know it's real, and not a fake
one. Yes you can cache it once you have had contact but not first
contact.

Further when you get phone calls that are authenticated on each end as
to whom you are talking there will be abuses. It will be used as a
method of surveillance and tracking by governments, presumably it will be
a smart card type device and not the phone itself, and when you go from
phone to phone you will ultimately be required to insert it to prove
identity. After all this will help stop drug dealers, child
pornographers and terrorists right? (those are the 3 claims that most
of the tracking laws have used for the last 15-20 years).

But it won't stop there, this can help stop credit card theft on the
intarweb, so it will be mandated that you use it there too, meaning you
won't be able to do anything online anonymous, because you will have to
authenticate with your card. Why stop there, make it some type of RFID
system so that they can monitor who you are as you drive down the road
(michelin has a plan to put RFIDs in tires and claim they can be read
up to 90mph so it's not just a random theory).

While you aren't proposing all of this, think for a second about how many
governments have been clamoring for something like this. End to end
authentication is not always a good thing, it may be helpful in a couple
of situations but at what cost?
--
Trixter http://www.0xdecafbad.com Bret McDanel
Belfast +44 28 9099 6461 US +1 516 687 5200
http://www.trxtel.com the phone company that pays you!


trixter at 0xdecafbad.com
Posted: Tue May 13, 2008 5:01 pm    Post subject: [asterisk-biz] ANI

On Tue, 2008-05-13 at 16:40 -0400, Jay R. Ashworth wrote:
Quote:
Quote:
As far as I know, the ANI is the BTN, but I could be very wrong.

Well, that's what *I* thought. I have an LSSGR available; I guess I'll
go look it up.


Ok, I will give one final post on this. I had hoped that you would let
it go seeing that I wasn't going to respond, but that was not the case.


Here are a few examples of others that think they are indeed different:

http://www.patentstorm.us/patents/7289613-description.html
Unlike FG-D, which can only pass one call identifier, such as the
caller's ANI, more advanced signaling systems can pass multiple call
identifiers, e.g., the BTN and the ANI, which is helpful in keeping
track of details used to bill telephone calls across telephone lines
controlled by different entities.

The patent indicates that they are separate. Metro One was the company
that filed that.


http://www22.verizon.com/wholesale/glossary/?l=b#billing_telephone_number

Automatic Number Identification (ANI)
The number transmitted through the network that identifies the calling
party. Technically, a Common Channel Inter-office Signaling (CCIS)
parameter that refers to the number transmitted on an out-of-band basis
through the SS7 signaling network identifying the calling party's
telephone number. Also known as Calling Party Number (CPN).

Billing Telephone Number (BTN)
The ten-digit number, including the area code, to which charges for a
given telephone service are billed.

Calling Party Number (CPN)
The number transmitted through the network that identifies the calling
party. Technically, a Common Channel Inter-office Signaling (CCIS)
parameter that refers to the number transmitted on an out-of-band basis
through the SS7 signaling network identifying the calling party's
telephone number. Also known as Automatic Number Identification (ANI)


If Verizon thought the BTN was the same as ANI they probably would have
used the same definition as they did for CPN/ANI. Further CPN/ANI make
no mention of being the number service is billed to. This number has
been known to traffic on the SS7 network as I had originally said, it
however is almost never logged and if it were it would lead to the ITSP
that interfaced with the PSTN and start allowing for tracking back to who
actually placed the call. It takes at the minimum SS7 interconnection
to specify this, so most people won't be spoofing that.


I cited 2 reasonably large phone companies, and logically the reason why
it's different is because you may want all calls billed to 1 number but
allow either arbitrary ANI setting to any of your multiple DIDs on that
circuit. It is a separation between what will be presented to end users
as the caller identity and who is getting billed.

I hope that this can be dropped now and focus back on the original
thread.

--
Trixter http://www.0xdecafbad.com Bret McDanel
Belfast +44 28 9099 6461 US +1 516 687 5200
http://www.trxtel.com the phone company that pays you!



stotaro at totarotechn...
Posted: Tue May 13, 2008 5:03 pm    Post subject: [asterisk-biz] ANI

Bill Michaelson wrote:
Quote:
Alex Balashov wrote:
Quote:
Steve Totaro wrote:


Quote:
This makes more sense:
Open WiFi AP (or cracked WEP) ----> hacked Asterisk box (who sets the
CID/ANI) ----> Telco ------> terminated to the PSTN


Well, sure, but you can do far worse things than spoof ANI/CID with that
kind of mischief. The sort of things generated in the scenario you
described are hard to track down whether they're telephony-related or not.


Precisely right, and in the general case, it seems that the essential
problem is the lack of general awareness that certain forms of
identification are unreliable. Thus the perceived need to clear the
innocent. And also, perhaps, the reason for excessive apathy about
the (general) problem in many corners.

Referring back to my earlier suggestion about public key
authentication, a more widespread appreciation and understanding of
its applicability in various realms would go a long way toward
helping solve many problems ranging from spam and phishing to stuff
like this. It's a mind-share/social problem. There is nothing
inherently wrong with spoofing; the problems arise when the receiver
is unduly deceived.


I motion that this thread be moved to the Asterisk Users (already copied
to Users List)

For those that do not subscribe to the Biz list, this thread may be
interesting to you.
http://lists.digium.com/pipermail/asterisk-biz/2008-May/subject.html

I am done giving examples of what could be done as far as current
exploits. The purpose was to clue some people into what can actually be
done that could cause *real harm*.

I would like to see what Bill and others can offer as solutions. This
particular issue could result in many forms of real harm and is worth
more discussion.

*Maybe the "Asterisk Community" can do more than talk about Asterisk.
We are numerous, smart, and many are influential or have influential
contacts.*

Thanks,
Steve Totaro


bill at cosi.com
Posted: Tue May 13, 2008 7:54 pm    Post subject: [asterisk-biz] ANI

Trixter aka Bret McDanel wrote:
Quote:
Quote:
On Tue, 2008-05-13 at 16:32 -0400, Bill Michaelson wrote:
Quote:
Referring back to my earlier suggestion about public key
authentication, a more widespread appreciation and understanding of
its applicability in various realms would go a long way toward
helping solve many problems ranging from spam and phishing to stuff
like this. It's a mind-share/social problem. There is nothing
inherently wrong with spoofing; the problems arise when the receiver
is unduly deceived.


that only works if you can trust the key holders. Someone has to have
your public key and be trusted so that you know it's real, and not a fake
one. Yes you can cache it once you have had contact but not first
contact.

Yes, of course, just as this is an issue with web browsers.

Quote:
Quote:

Further when you get phone calls that are authenticated on each end as
to whom you are talking there will be abuses. It will be used as a
method of surveillance and tracking by governments, presumably it will be
a smart card type device and not the phone itself, and when you go from
phone to phone you will ultimately be required to insert it to prove
identity.

Maybe.

Quote:
Quote:
After all this will help stop drug dealers, child
pornographers and terrorists right? (those are the 3 claims that most
of the tracking laws have used for the last 15-20 years).

Those are favorite excuses for increased surveillance, I agree.

Quote:
Quote:

But it won't stop there, this can help stop credit card theft on the
intarweb, so it will be mandated that you use it there too, meaning you
won't be able to do anything online anonymous, because you will have to
authenticate with your card. Why stop there, make it some type of RFID
system so that they can monitor who you are as you drive down the road
(Michelin has a plan to put RFIDs in tires and claim they can be read
up to 90mph so it's not just a random theory).

While you aren't proposing all of this, think for a second about how many
governments have been clamoring for something like this. End to end
authentication is not always a good thing, it may be helpful in a couple
of situations but at what cost?

You make a good point - essentially that the widespread acceptance and facility of this technology also facilitates abuse of another sort. I agree that anonymity should be available. Would it necessarily eliminate all channels of anonymous communication? I don't think that is a foregone conclusion (nor do I think you are really suggesting it is).

trixter at 0xdecafbad.com
Posted: Tue May 13, 2008 8:31 pm    Post subject: [asterisk-biz] ANI

On Tue, 2008-05-13 at 20:50 -0400, Bill Michaelson wrote:
Quote:


Trixter aka Bret McDanel wrote:
Quote:
While you aren't proposing all of this, think for a second about how many
governments have been clamoring for something like this. End to end
authentication is not always a good thing, it may be helpful in a couple
of situations but at what cost?

You make a good point - essentially that the widespread acceptance and
facility of this technology also facilitates abuse of another sort. I
agree that anonymity should be available. Would it necessarily
eliminate all channels of anonymous communication? I don't think that
is a foregone conclusion (nor do I think you are really suggesting it
is).


No, I was just cautioning against public key authenticated phone calls
because it is my belief if that were done via legislation it would
quickly be abused and applied to many other things. If it's not through
legislation you will find that few will want it since generally they
know who they are talking to. Retailers/call centers may want it but
consumers have little desire, especially if it costs them something.

I do believe that covert data channels would persist, but the act of
trying to be anonymous in that day and age would itself look quite odd
and suspect, and if it got to that point probably illegal.

This is why I took the time to comment on proposed legislation (I don't
see it viable any other way). You never know what staffers of a senator
will read and suggest that "people have requested" relating to a
particular criminal problem that has emerged. Then someone really does
enact it, or at least try :(

Back more on the thread, you have 2 basic paths you can take. Use
clid/ani as indicators but not trusted information, and try to educate
people that it's not reliable and to use common sense (ha!), or try to
come up with a way that it can't be spoofed, that anyone who places a
call will do so from their own number(s), etc which legislating that is
FAR easier than actually implementing it without taking away from
already existing services.

The bill that I read on the federal level (which partly infringes on the
10th amendment, sigh), and what I read from Florida all require deceit
or an attempt to cause harm. It also places the burden on the caller
not the phone company (or ITSP). So really they won't do anything but
let them slap another charge on that will run at the same time as
everything else.

I don't know that it's our responsibility to come up with legislation and
redesign the PSTN though, and even if we did in the most perfect way
would anyone that could implement it actually listen?


--
Trixter http://www.0xdecafbad.com Bret McDanel
Belfast +44 28 9099 6461 US +1 516 687 5200
http://www.trxtel.com the phone company that pays you!



joakimsen at gmail.com
Posted: Tue May 13, 2008 11:39 pm    Post subject: [asterisk-biz] ANI

Or you can just wear gloves and a mask, go steal prepaid SIM cards...
drive off in an unmarked stolen car with fake license tags which you
burn anyways after you leave the vicinity of the store (get rid of all
the DNA evidence)

Untraceable... ok traceable to a small phone card shop somewhere on
Ferdinand Bolstraat that was robbed at gunpoint by unknown persons.

You get the point. Where there is a will there is a way. There is no
need in burdening 99% of the "good guys" for the 1% of people that are
going to break the laws anyways and do bad things. They are going to
keep on doing them anyways. It's like restricting cold medicines in
the USA to stop illegal drugs. Has that at all affected the illegal
drug market? If anything it reduces the supply... and the rest well
study some basic economics.

What is the entire point of regulation? Honestly the biggest issue I
see with spoofed CID and ANI is the RBOCs being unable to collect
intrastate rates and being forced to settle for interstate rates...
boo-fucking-hoo


On Tue, May 13, 2008 at 12:41 PM, Steve Totaro
<stotaro@totarotechnologies.com> wrote:
Quote:
Nitzan,

Maybe you are unaware that all of this could be done with *absolutely*
no way to trace it back to the "Culprit".

If you cannot trace it back to the culprit AND more importantly, clear
the INNOCENT, then more regulation is needed.

"Culprit -> VoIP carrier who lets set CID/ANI -> ILEC or CLEC ->
terminated to PSTN." would be stupid.

This makes more sense:
Open WiFi AP (or cracked WEP) ----> hacked Asterisk box (who sets the
CID/ANI) ----> Telco ------> terminated to the PSTN

Be sure to delete appropriate logs on the hacked Asterisk boxen and just
to be safe, spoof your laptop's MAC address. Perform your exploit
somewhere inconspicuous and a good distance from "home, then clean your
laptop by using DBAN http://dban.sourceforge.net/ which is DoD 5220.22-M
compliant, before re-installing your OS"......

Thanks,
Steve Totaro


Nitzan Kon wrote:
Quote:
Yep. True.

So the issue is not needing more regulation - but just how to be able to enforce existing regulation. Not something that more regulation by itself will resolve!

Of course for all these cases, there WILL be records allowing law enforcement officials (***who know what they're doing***) to trace back the calls. Even if you spoof ANI/CID - your call has to come from somewhere.

Let's take your 3AM campaign suggestion for example: the way the call will go is:

Culprit -> VoIP carrier who lets set CID/ANI -> ILEC or CLEC -> terminated to PSTN.

Tracing it back should not be a problem if you have the proper court orders, just find out with the terminating party which ILEC/CLEC they got the call from, then find out with the ILEC/CLEC which VoIP carrier they got the call from - and then finally get the customer records from the VoIP carrier.

Sure, it's not as easy as it used to be, and I may be oversimplifying it - but it is possible and much better than trying to regulate who can and can't set CID. Punish the CRIMINALS - not the PROVIDERS.

--- On Thu, 5/29/08, Charles Vance <cbvance@msn.com> wrote:

Quote:
From: Charles Vance <cbvance@msn.com>
Subject: Re: [asterisk-biz] ANI
To: "Commercial and Business-Oriented Asterisk Discussion" <asterisk-biz@lists.digium.com>
Date: Thursday, May 29, 2008, 6:40 PM

Quote:
each of those scenarios involve either fraud or intent to do harm and are
already prohibited in FCC regs even absent the "Truth in Caller ID Act"

----- Original Message -----
From: Steve Totaro<mailto:stotaro@totarotechnologies.com>
To: trixter@0xdecafbad.com<mailto:trixter@0xdecafbad.com> ; Commercial and Business-Oriented Asterisk Discussion<mailto:asterisk-biz@lists.digium.com>
Sent: Monday, May 12, 2008 18:22
Subject: Re: [asterisk-biz] ANI


Setting up a drone Asterisk box to take hundreds of thousands of FTP
.call files at 3AM (by each time zone) and play pro Hillary Clinton
campaign messages (or whoever you don't like), obviously spoofing
her/his campaign headquarters caller ID and ANI.

Obtaining a new credit card from someone's mailbox with the sticker to
call from your home phone to activate the card. Spoof their Caller ID
and ANI, activate, and buy some cool gadgets or whatever people do
with cards that don't belong to them.

Setting CallerID/ANI to clients', girlfriends', bosses' cell phone and
call until voicemail picks up, if no PIN is set, I have full control
of their voicemail (and could possibly call out, I will have to test
that with the call back option. Then someone could really have some
fun depending on what messages they have saved)

So many exploits.....

Thanks,
Steve Totaro





stotaro at totarotechn...
Posted: Wed May 14, 2008 5:40 am    Post subject: [asterisk-biz] ANI

On Wed, May 14, 2008 at 12:31 AM, Andreas van dem Helge
<joakimsen@gmail.com> wrote:
Quote:
Or you can just wear gloves and a mask, go steal prepaid SIM cards...
drive off in an unmarked stolen car with fake license tags which you
burn anyways after you leave the vicinity of the store (get rid of all
the DNA evidence)

Untraceable... ok traceable to a small phone card shop somewhere on
Ferdinand Bolstraat that was robbed at gunpoint by unknown persons.

You get the point. Where there is a will there is a way. There is no
need in burdening 99% of the "good guys" for the 1% of people that are
going to break the laws anyways and do bad things. They are going to
keep on doing them anyways. It's like restricting cold medicines in
the USA to stop illegal drugs. Has that at all affected the illegal
drug market? If anything it reduces the supply... and the rest well
study some basic economics.

What is the entire point of regulation? Honestly the biggest issue I
see with spoofed CID and ANI is the RBOCs being unable to collect
intrastate rates and being forced to settle for interstate rates...
boo-fucking-hoo


You were probably among the many sheep that thought the biggest issue
with a hijacked airplane was paying a ransom or the inconvenience of
being rerouted to a third world country....

Anyways, (I know you were trying to be funny or something...) your
comparison is again apples to oranges, a few cell calls which
can be tri-located, hardly visible can hardly cause any real damage.
Plus you cannot spoof the ANI which is the topic of the thread.
Please stay on topic. I guess you will need something along the lines
of thermite to burn license plates....

How about a hijacked DS3 or higher blasting 911 and effectively
bringing it to its knees to real emergencies, opening the possibility of
a multitude of crimes to be committed with nobody to call. Maybe if
you have a CB and the police still monitor channel nine....

How about a hijacked DS3 calling some of these $500/min premium
numbers and keeping the calls up? Just ask NuFone and many other
ITSPs.

You could make a competitor bankrupt, you could get someone jailed,
your imagination is very limited.

But anyways, when I see people use profanity on a business list for no
real reason, I know they have no common sense.

Thanks,
Steve Totaro


trixter at 0xdecafbad.com
Posted: Wed May 14, 2008 6:05 am    Post subject: [asterisk-biz] ANI

On Wed, 2008-05-14 at 00:31 -0400, Andreas van dem Helge wrote:
Quote:
What is the entire point of regulation? Honestly the biggest issue I
see with spoofed CID and ANI is the RBOCs being unable to collect
intrastate rates and being forced to settle for interstate rates...
boo-fucking-hoo


The fines for that can be quite large. But aside from that the
lawmakers that are actually doing the legislation appear to be
concerning themselves with fraud, where someone spoofs their number
largely to try to rip someone else off.
--
Trixter http://www.0xdecafbad.com Bret McDanel
Belfast +44 28 9099 6461 US +1 516 687 5200
http://www.trxtel.com the phone company that pays you!



abalashov at evaristes...
Posted: Wed May 14, 2008 10:57 am    Post subject: [asterisk-biz] ANI

Steve Totaro wrote:

Quote:
Plus you cannot spoof the ANI which is the topic of the thread.
Please stay on topic.

It's not off-topic to make analogies, comparisons or correlations
between ANI spoofing and other things that are also possible, and which
together serve to elucidate the genus to which both problems belong in
terms of applicable policy and attitudes toward them.

Dismissing other things that are also judged to be "like" ANI spoofing
that are brought up to clearly illustrate a point about one or both runs
into the danger of narrow-mindedness and lack of perspective, and also
limits the creative, discursive and intellectual freedom of the
participants in the discussion.

--
Alex Balashov
Evariste Systems
Web : http://www.evaristesys.com/
Tel : (+1) (678) 954-0670
Direct : (+1) (678) 954-0671
Mobile : (+1) (706) 338-8599


All times are GMT - 5 Hours
Page 8 of 10