💾 Archived View for clemat.is › saccophore › library › ezines › textfiles › ezines › F4ITH › bug.txt captured on 2021-12-03 at 14:04:38.

View Raw

More Information

-=-=-=-=-=-=-

        .                                      .
     ___::http://_:::hybrid.DTMF:___::org::___::___::::
   /    ||   ||   |_|  __ ||   ||   ||  _||   ||   | | |
  |  :__||   |:_  | |    :     ::    |   ||   |:_  |/  |
  |  :   \   |  | _ |  __:|:  _::_   |   |:   |  |   --:
--<_____  |___  |_|__\____||_  ||_  ||_  ||____  |_|\__>-- 
        |/    |/:::BL4CKM1LK:|/   |/:: |/::@%$!|/
        :     :              :    :    :       :
        .     .              .                 .

Remote Information Interception Over The International PSTN.
A Very Brief Overview of Remote Telecommunications "Spying".
by hybrid <hybrid@f41th.com>
==============================================================================

In this article I will discuss various "information gathering" techniques
which can be covertly deployed, implementing the PSTN as a trojan. I'm not
going to discuss the standard "microfone in the wall" scenarios because
that is to obvious, the basis of this article is that no-one needs to
actually break into your house and place some bullshit listening device in
a coffee mug, they dont need to. Nearly every single premisis on this
planet has some kind of telecommunications equipment installed, if someone
was to "bug" you, the harware needed to carry out such a task is allready
in place.. (The Subscriber Loop), think about it, what is a standard
domestic phone line? -- In most casess its a pair of copper wires going
into a persons home and back to the local exchange, frame point, creating
a loop. To break things down even more.. what is on the customer
terminating end of that bundle of copper wires? -- A Microphone and A
Speaker, (Transmission). If you dont know much about electronics, or have
no common sense, you'll probably be thinking, "big deal"... Well, the
point is that a telephone speaker can be turned into a micophone when in
idle state by reversing the circuit of the customer loop, essencially
becoming a room bug when you place the handset down. Now this is just a
VERY simple example of what I am going to discuss in this article.

To begin with, I'll list some of the most likely "targets" for a digital
sniper. 

========================================+=======================================
WHO/WHAT			        | WHY
========================================|=======================================
Scientific Research			| Depending on the level of
					| "research" some entitys may wish
					| to have detailed knowledge of
					| just what the other entitys are
					| doing, usually when some kind of
					| academic competition is
					| concerned, and depending on the
					| level of scientific research.   
========================================|=======================================
Diplomatic Internal Government		| People/Organisations that are 
					| involved in any government work
					| are likely targets to "buging"
					| usually in the interests of 
					| intellegence gathering on the
				        | other-side's part. Worldwide 
					| governments percieve it as 
					| imperitive to possess knowledge
					| of what other governments are
					| upto, right down to the smallest
					| detail. 
========================================|======================================
Business People/Organisations		| Its common knowledge that 
					| competing companys like to know
					| what the opposition is upto, and
					| what strategic advantage they
					| may have. In this case financial
					| reasons are usually the
					| foundation.
========================================|======================================
Crime "Suspects"			| Usually when law agencies
					| suspect some kind of organised
					| crime, or need more evidence
					| they will use resources to
					| gather information. Very
					| obvious, if someone's down with
					| somthing, they are a target to
					| this activity.
========================================|======================================
Attorneys				| These people will do anything to 
					| know what the "opposition" has
					| up their sleve. They'll bug each
					| other, aswell as clients.
========================================+======================================

The list could go on forever.. The main basis is, if A wants to know what
B is doing, they'll try their best to find out somehow, and vise versa. It
could be any scenario. Now, I'm not going to drift out of the scope of
this article, because the idea is to discuss how someone can be "buged"
just by using the PSTN and nothing more. Now, the scary thing is, a single
person with a telephone can be just as "dangerous" than a fully trained
covert "spy" with a briefcase full of 007 warez..

To emphasise and explain this, I'm going to set up two scenarios. The
first scenario is domestic, the second is more business based. We'll start
with the first scenario and suppose that "Mr A" is the target, and "Mr B"
is the sniper. Mr B has no purpose or has no reason to spy on Mr A, he
just feels like it.. to make things a little more interesting, Mr A (the
target) lives in Virginia (703) and Mr B (the sniper) lives in another
country, lets say, England (+44). 

To save me writting a big essay, I'll list some of the more effective
methods that Mr B could implement in order to gather as much information
about mr A as possible (using a telephone and nothing more)

================================+==============================================
OBJECTIVE			| ACTION
================================|==============================================
Find out Mr A's Contacts	| Telephone Records/Bills: who does mr A
				| Call? Examining Mr A's most commonly
				| called numbers would reveal a great deal
				| about his activitys, perhaps even more 
				| effective than simply listening to his
				| telephone conversations. Essentialy an
				| entire profile could be built up on
				| someone just by looking at their
				| phone records: ie: what taxi companys
				| they use, when and what time they go
				| out, what kind of food they like, etc.
				| Telephone records are considered
				| sensitive information for this matter,
				| but can be obtained by customer request
				| (fax) or someone in the phone
				| company(BOC) requesting to view them for
				| billing purposes. Customer records are
				| also kept in an array of databases
				| concerning the maintanance of a local 
				| exchange. See * Note.
================================|==============================================
Monitor Mr A's Calls (realtime) | Perhaps slightly more elaborate, but
				| easily achieved. Mr A's line information 
				| can be modifyied at the local switching
				| office to induce a number of occurances.
				| Using ManMachineLanguage, a subscriber 
				| line can be setup to trigger an
				| automatic conference call with a "silent
				| number" whenever mr A pics his phone up.
				| Aswell as this, a subscriber trunk can
				| be configured to loop to 2 POT lines
				| (similtaniously), ie: routed to Mr A,
				| aswell as a loopline (which can be
				| remotely dialed into). Mr B could
				| effectivly "sit on the trunk".
================================|==============================================
Audibly Monitor Mr A's House	| The simple scenario would be that Mr A
				| has an AnswerPhone, which in most casess 
				| would have a remote-room monitor
				| function built into it. Believe it or
				| not, these kind of answerphones DO
				| EXIST! It's a gimic built into an
				| answerphone that allows a person to
				| phone there own number when they are
				| away from there house, plug in the 2
				| digit answerphone code, and then be 
				| presented with a menu such as "1. listen
				| to messages, 2. record OGM, 3. room
				| monitor".. So they can check out what is
				| going on in there house while they are
				| away. The scary thing is, these
				| answerphones have 2 digit passcodes,
				| which are plugged in while the OGM
				| occurs, an answerphone can also be
				| remotely switched on/off by ringing it
				| 10 times and hanging up and calling
				| back. Using this "room monitor" function
				| Mr B can do just that.. monitor audible
				| room activity. See * Note for the more
				| plausable method.
================================|==============================================
Find Additional Information	| The most common threat to any subscriber
				| to the phone company is the fact that
				| RBOCs hold detailed account information
				| concerning their customers, which can be
				| obtained for reference by an "engineer"
				| or such.. for example, one piece of
				| information leads to another, ie: the
				| customers prefered method of paying the
				| IXC bill will lead to bank details and
				| from there, credit details and status,
				| to social security information.
================================+==============================================



"A Soft Wiretap, is a modification to the software used to run the phone
system. This can be done at the telephone company, or in the case of a
business, the PBX. A soft wiretap is a preferred method to tap a phone,
easy to catch on a PBX, but tough to find in the phone company's system.
(It is sometimes called a REMOBS, ESS, or translation tap). This type of
tap is very popular with large law enforcement agencies, larger
corporations, and with hackers who find it quite simple to gain access via
maintenance software."

So, in my lame example, Mr B now has a FULL background on Mr A, just by
using his telephone. In the next scenario, we'll consider that Company A
wants internal information on the workings of Comany B. It is important to
take into acocunt that companys are very secretive when it comes to the
internal workings/operations of the company concerned, due to the simple
fact that any informational leaked from that particular company could
prove bennificial to their compitors. Therefore, most companys that
operate strategic buisness plans etc, will go to great lenghts to
safegaurd that backbone or inter workings of their companys workforce, ie:
the securing of database systems and accounts, employee information. The
problem is the more security that is implememented, the harder it can be
for a legitiamte company employee to access data, therfore this decreses
work efficiancy. However, it is important that a company locks down on the
availability of there companys internal workings, as in some cases, a leak
to a competitor could result in colosal financial loss. 

I remember reading somewhere that the biggest security hole/weakness in
ANY network is not the network itself, but the people that interact with
it. A machine cannot be psycologicaly stered to do somthing over the
telephone, a person can. A company with a workforce that is un-educated to
the risks of information leaks can be a very vulnerable target to anyone
wishing to gain such information. Particualry vulnerable are lower-level
employees, who may hold a lower level of respect to the workings of the
company than an employee who has a close relationship with the hiearchial
workings of a company.

I believe that the biggest (and commonly overlooked) security flaw in any
company, is the companys internal phone system, PBX and Voicemail
networks. Employees are given the sense that a company voicemail system is
for "employees only" and therefore see fit to discuss company sensitive
matters on such systems. Most employees are un-aware that they are able to
remotely check their voicemail from home, they just use it to COMMUNICATE
with other members of the company, to the standard employee, they tend to
build up a mental image that the internal Voicemail system is just "one
big answerphone", and that is all they will ever need to know about it. 

I have yet to see a Voicemail system that CANNOT be accessed via an
external line. The fact is, voicemail is designed to be an asset to the
internal communication of the company, and therfore must be remotely
accessable, which in its own sense is the biggest security hole. A typical
voicemail system will handle thousands of internal/external messages every
working day, and STORE them all on backup devices, digital or tape driven.
Most employees dont care for the security of the "work" voicemailboxes,
simply because it's "work" and just that, it does not concern them on a
personal level, so users tend to be lazy with passcodes (they dont even
need one to access voicemail from their workphones). 

Now, lets suppose that Company A hold an interest in how Company B's
financial status. Remotely "they" can dial into Company B's PBX, probably
a listed number, get an automated recording, then find the Voicemail login
prompt by trying a few well-known numerical login patterns, ie: *# (octel)

login menu option will be presented in the IVR menu at the dialin prompt.
Once prompted to login, Company A could be essentially stealthing through
the entire of company B's voicemail system in seconds.. picking up contact
numbers, account information, financial status, ideas etc along the way. 

A "sophisticated" method would involve a slightly higher aim than just
intercepting emplopyee voicemail. All voicemail and pbx networks have to
be administered by someone 24 hours a day, and therefore all have remote
administration capabilitys. A few things to note, all voicemail messages
varying from system to system are backed up on storage mediums, digital or
analouge, and can be remotely downloaded for "audit" purposess. A
potential spy, could in essance download the entire pbx database for the
company they have interests in, ie: company incoming/outgoing phone
records, voice data, commonly used conference lines, etc. Another thing to
note, is that alot of companys like to use teleconferencing as a means to
communicate with remote clients etc. Usually if an employee is invited to
attend the teleconference they will be left a voicemail message from the
host containing the dialin and password information for the conference
call. Again, the possible security risks are endless, and are always
overlooked by companys.. "It's just a phone". 

Anyway, I've illistrated some of the simple methods that can be used by an
intruder to remotely spy on someone/somthing. I find it very interesting
as to how such obvious things such as common-sense telecom security is
always overlooked. Even more interesting is how a large company can spend
ALOT of time and money securing and maintaining server's in fear that an
intruder could gain internal information about their company, when a
single person could pick up a telephone and filter all their companys
operations in a matter of seconds. The fact is, most administators do not
see a phone system as an imediate threat to security, and will spend
little or no time whatsover looking into securing their own phone system. 


http://hybrid.dtmf.org
======================