Berkeley COMPSCI 161 - Network Security War Stories

This preview shows page 1-2 out of 6 pages.


Network Security War Stories
CS 161/194-1
Anthony D. Joseph
September 7, 2005
(Slide footer: CS161 Fall 2005, Joseph/Tygar/Vazirani/Wagner)

About Me
- Joined faculty in 1998
- MIT SB, MS, PhD
- Contact info: adj@cs.berkeley.edu, http://www.cs.berkeley.edu/~adj/
- Research Areas: Mobile wireless computing, network security, and security testbeds
- Office hours: 675 Soda Hall, M/Tu 1-2pm

Outline
- War stories from the Telecom industry
- War stories from the Internet
  - Worms and Viruses
  - Crackers: from prestige to profit
- Lessons to be learned

Phone System Hackers: Phreaks
- Earliest phone hackers: 1870's teenagers
- 1920's: first automated switchboards
- Mid-1950's saw deployment of automated direct-dial long distance switches

US Telephone System (mid 1950's)
- A dials B's number
- Exchange collects digits, assigns inter-office trunk, and transfers digits using Single or Multi Frequency signaling
- Inter-office switch routes call to local exchange
- Local exchange rings B's phone

Early 1970's Phreaks
- John Draper (AKA Captain Crunch)
  - Makes free long-distance calls by blowing a precise tone (2600Hz) into a telephone using a whistle from a cereal box
  - Tone indicates caller has hung up: stops billing
  - Then whistle digits one by one
- 2600 magazine help phreaks make free long-distance calls
- But not all systems use SF for dialing

Blue Boxes: Free Long Distance Calls
- Once trunk thinks call is over, use a blue box to dial desired number
  - Emits MF signaling tones
- Builders included members of California's Homebrew Computer Club:
  - Steve Jobs (AKA Berkeley Blue)
  - Steve Wozniak (AKA Oak Toebark)
- Red boxes, white boxes, pink boxes
  - Variants for pay phones, incoming calls

The Game is On
- Cat and mouse game between telcos and phreaks
  - Telcos can't add filters to every phone switch
  - Telcos monitor maintenance logs for idle trunks
  - Phreaks switch to emulating coin drop in pay phones
  - Telcos add auto-mute function
  - Phreaks place operator-assisted calls (disables mute)
  - Telcos add tone filters to handset mics

The Phone System's Fatal Flaw
- In-band signaling
  - Information channel used for both voice and signaling
  - Knowing secret protocol: you control the system

Signaling System 7
- Ma Bell deployed Signaling System 6 in late 1970's and SS7 in 1980's
- Uses Common Channel Signaling (CCS) to transmit out-of-band signaling information
  - Completely separate packet data network used to setup, route, and supervise calls
  - Not completely deployed until 1990's for some rural areas
- False sense of security
  - Single company that owned entire network
  - SS7 has no internal authentication or security

US Telephone System (1978)
- A dials B's number
- Exchange collects digits and uses SS7 to query B's exchange and assign all inter-office trunks
- Local exchange rings B's phone
- SS7 monitors call and tears down trunks when either end hangs up

Today's Phone System Threats
- Deregulation in 1980's
  - Anyone can become a Competitive Local ExChange (CLEC) provider and get SS7 access
  - No authentication: can spoof any messages (think CallerID)
- PC modem redirections (1999)
  - Surf free gaming/porn site and download playing/viewing sw
  - Software mutes speaker, hangs up modem, dials Albania
  - Charged $7/min until you turn off PC (repeats when turned on)
  - Telco forced to charge you because of international tariffs
- PBX hacking for free long-distance
  - Default voicemail configurations often allow outbound dialing for convenience
  - 1-800 social engineering ("Please connect me to x9011")

Cellular Telephony Phreaks
- Analog cellular systems deployed in the 1970's used in-band signaling
- Suffered same fraud problems as with fixed phones
  - Very easy over-the-air collection of secret identifiers
  - Cloned phones could make unlimited calls
- Not (mostly) solved until the deployment of digital 2nd generation systems in the 1990's

Phreaking Summary
- In-band signaling enabled phreaks to compromise telephone system integrity
- Moving signaling out-of-band provides added security
- New economic models mean new threats
  - Not one big happy family, but bitter rivals
- End nodes are vulnerable
  - Beware of default configurations
- Social engineering of network end nodes

Internet Worms
- Self-replicating, self-propagating code and data
- Use network to find potential victims
- Typically exploit vulnerabilities in an application running on a machine or the machine's operating system to gain a foothold
- Then search the network for new victims

Morris Worm
- Written by Robert Morris while a Cornell graduate student (Nov 2-4, 1988)
  - Exploited debug mode bug in sendmail
  - Exploited bugs in finger, rsh, and rexec
  - Exploited weak passwords
- Infected DEC VAX (BSD) and Sun machines
  - 99 lines of C and 3200 lines of C library code

Morris Worm Behavior
- Bug in finger server
  - Allows code download and execution in place of a finger request
- sendmail server had debugging enabled by default
  - Allowed execution of a command interpreter and downloading of code
- Password guessing (dictionary attack)
  - Used rexec and rsh remote command interpreter services to attack hosts that share that account
- Next steps:
  - Copy over, compile and execute bootstrap
  - Bootstrap connects to local worm and copies over other files
  - Creates new remote worm and tries to propagate again

Morris Worm
- Network operators and FBI tracked down author
- First felony conviction under 1986 Computer Fraud and Abuse Act
- After appeals, was sentenced to:
  - 3 years probation
  - 400 hours of community service
  - Fine of more than $10,000
- Now a professor at MIT
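Added example (not part of the lecture slides): a small model of the in-band signaling flaw and of the out-of-band fix described in the phone-system slides above. It contrasts a trunk that infers "hung up" from 2600 Hz energy on the voice path with one whose state comes only from a separate signaling channel. The 8 kHz sampling rate, the detection threshold and the message labels are assumptions made for illustration, and all signals are constructed.

```python
import math

RATE = 8000        # samples/s; assumed telephony sampling rate
SF_TONE = 2600.0   # single-frequency supervisory tone from the slides

def tone(freq, n=400, amp=1.0):
    """Constructed test signal: n samples of a sine wave."""
    return [amp * math.sin(2 * math.pi * freq * i / RATE) for i in range(n)]

def mix(*signals):
    return [sum(s) for s in zip(*signals)]

def goertzel_power(samples, freq):
    """Power at `freq`, scaled so a pure tone of amplitude A gives about A**2."""
    coeff = 2 * math.cos(2 * math.pi * freq / RATE)
    s1 = s2 = 0.0
    for x in samples:
        s1, s2 = x + coeff * s1 - s2, s1
    return (s1 * s1 + s2 * s2 - coeff * s1 * s2) / (len(samples) ** 2 / 4)

def inband_trunk_idle(voice, threshold=0.25):
    """In-band supervision: the switch infers 'hung up' from audio on the
    voice path, so anything the caller can make audible can signal."""
    return goertzel_power(voice, SF_TONE) > threshold

def outofband_trunk_idle(voice, signaling):
    """Common-channel supervision: trunk state comes only from the separate
    signaling channel; the voice samples are deliberately ignored."""
    return bool(signaling) and signaling[-1] == "RELEASE"

# Constructed inputs: speech-like audio, and the same audio with 2600 Hz added.
SPEECH = mix(tone(440, amp=0.5), tone(1000, amp=0.5))
WHISTLED = mix(SPEECH, tone(SF_TONE))
CALL_UP = ["SETUP", "ANSWER"]            # hypothetical message labels

if __name__ == "__main__":
    for name, audio in (("speech", SPEECH), ("speech+2600Hz", WHISTLED)):
        print(name, "in-band idle:", inband_trunk_idle(audio),
              "| out-of-band idle:", outofband_trunk_idle(audio, CALL_UP))
```

The out-of-band model is only as trustworthy as whoever can write to the signaling list, which is the point the slides make about SS7 having no internal authentication.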

