. . ___::http://_:::hybrid.DTMF:___::org::___::___:::: / || || |_| __ || || || _|| || | | | | :__|| |:_ | | : :: | || |:_ |/ | | : \ | | _ | __:|: _::_ | |: | | --: --<_____ |___ |_|__\____||_ ||_ ||_ ||____ |_|\__>-- |/ |/:::BL4CKM1LK:|/ |/:: |/::@%$!|/ : : : : : : . . . . Remote Information Interception Over The International PSTN. A Very Brief Overview of Remote Telecommunications "Spying". by hybrid ============================================================================== In this article I will discuss various "information gathering" techniques which can be covertly deployed, implementing the PSTN as a trojan. I'm not going to discuss the standard "microfone in the wall" scenarios because that is to obvious, the basis of this article is that no-one needs to actually break into your house and place some bullshit listening device in a coffee mug, they dont need to. Nearly every single premisis on this planet has some kind of telecommunications equipment installed, if someone was to "bug" you, the harware needed to carry out such a task is allready in place.. (The Subscriber Loop), think about it, what is a standard domestic phone line? -- In most casess its a pair of copper wires going into a persons home and back to the local exchange, frame point, creating a loop. To break things down even more.. what is on the customer terminating end of that bundle of copper wires? -- A Microphone and A Speaker, (Transmission). If you dont know much about electronics, or have no common sense, you'll probably be thinking, "big deal"... Well, the point is that a telephone speaker can be turned into a micophone when in idle state by reversing the circuit of the customer loop, essencially becoming a room bug when you place the handset down. Now this is just a VERY simple example of what I am going to discuss in this article. To begin with, I'll list some of the most likely "targets" for a digital sniper. ========================================+======================================= WHO/WHAT | WHY ========================================|======================================= Scientific Research | Depending on the level of | "research" some entitys may wish | to have detailed knowledge of | just what the other entitys are | doing, usually when some kind of | academic competition is | concerned, and depending on the | level of scientific research. ========================================|======================================= Diplomatic Internal Government | People/Organisations that are | involved in any government work | are likely targets to "buging" | usually in the interests of | intellegence gathering on the | other-side's part. Worldwide | governments percieve it as | imperitive to possess knowledge | of what other governments are | upto, right down to the smallest | detail. ========================================|====================================== Business People/Organisations | Its common knowledge that | competing companys like to know | what the opposition is upto, and | what strategic advantage they | may have. In this case financial | reasons are usually the | foundation. ========================================|====================================== Crime "Suspects" | Usually when law agencies | suspect some kind of organised | crime, or need more evidence | they will use resources to | gather information. Very | obvious, if someone's down with | somthing, they are a target to | this activity. ========================================|====================================== Attorneys | These people will do anything to | know what the "opposition" has | up their sleve. They'll bug each | other, aswell as clients. ========================================+====================================== The list could go on forever.. The main basis is, if A wants to know what B is doing, they'll try their best to find out somehow, and vise versa. It could be any scenario. Now, I'm not going to drift out of the scope of this article, because the idea is to discuss how someone can be "buged" just by using the PSTN and nothing more. Now, the scary thing is, a single person with a telephone can be just as "dangerous" than a fully trained covert "spy" with a briefcase full of 007 warez.. To emphasise and explain this, I'm going to set up two scenarios. The first scenario is domestic, the second is more business based. We'll start with the first scenario and suppose that "Mr A" is the target, and "Mr B" is the sniper. Mr B has no purpose or has no reason to spy on Mr A, he just feels like it.. to make things a little more interesting, Mr A (the target) lives in Virginia (703) and Mr B (the sniper) lives in another country, lets say, England (+44). To save me writting a big essay, I'll list some of the more effective methods that Mr B could implement in order to gather as much information about mr A as possible (using a telephone and nothing more) ================================+============================================== OBJECTIVE | ACTION ================================|============================================== Find out Mr A's Contacts | Telephone Records/Bills: who does mr A | Call? Examining Mr A's most commonly | called numbers would reveal a great deal | about his activitys, perhaps even more | effective than simply listening to his | telephone conversations. Essentialy an | entire profile could be built up on | someone just by looking at their | phone records: ie: what taxi companys | they use, when and what time they go | out, what kind of food they like, etc. | Telephone records are considered | sensitive information for this matter, | but can be obtained by customer request | (fax) or someone in the phone | company(BOC) requesting to view them for | billing purposes. Customer records are | also kept in an array of databases | concerning the maintanance of a local | exchange. See * Note. ================================|============================================== Monitor Mr A's Calls (realtime) | Perhaps slightly more elaborate, but | easily achieved. Mr A's line information | can be modifyied at the local switching | office to induce a number of occurances. | Using ManMachineLanguage, a subscriber | line can be setup to trigger an | automatic conference call with a "silent | number" whenever mr A pics his phone up. | Aswell as this, a subscriber trunk can | be configured to loop to 2 POT lines | (similtaniously), ie: routed to Mr A, | aswell as a loopline (which can be | remotely dialed into). Mr B could | effectivly "sit on the trunk". ================================|============================================== Audibly Monitor Mr A's House | The simple scenario would be that Mr A | has an AnswerPhone, which in most casess | would have a remote-room monitor | function built into it. Believe it or | not, these kind of answerphones DO | EXIST! It's a gimic built into an | answerphone that allows a person to | phone there own number when they are | away from there house, plug in the 2 | digit answerphone code, and then be | presented with a menu such as "1. listen | to messages, 2. record OGM, 3. room | monitor".. So they can check out what is | going on in there house while they are | away. The scary thing is, these | answerphones have 2 digit passcodes, | which are plugged in while the OGM | occurs, an answerphone can also be | remotely switched on/off by ringing it | 10 times and hanging up and calling | back. Using this "room monitor" function | Mr B can do just that.. monitor audible | room activity. See * Note for the more | plausable method. ================================|============================================== Find Additional Information | The most common threat to any subscriber | to the phone company is the fact that | RBOCs hold detailed account information | concerning their customers, which can be | obtained for reference by an "engineer" | or such.. for example, one piece of | information leads to another, ie: the | customers prefered method of paying the | IXC bill will lead to bank details and | from there, credit details and status, | to social security information. ================================+============================================== * Taken from (http://www.tscm.com) A very interesting site. "A Soft Wiretap, is a modification to the software used to run the phone system. This can be done at the telephone company, or in the case of a business, the PBX. A soft wiretap is a preferred method to tap a phone, easy to catch on a PBX, but tough to find in the phone company's system. (It is sometimes called a REMOBS, ESS, or translation tap). This type of tap is very popular with large law enforcement agencies, larger corporations, and with hackers who find it quite simple to gain access via maintenance software." So, in my lame example, Mr B now has a FULL background on Mr A, just by using his telephone. In the next scenario, we'll consider that Company A wants internal information on the workings of Comany B. It is important to take into acocunt that companys are very secretive when it comes to the internal workings/operations of the company concerned, due to the simple fact that any informational leaked from that particular company could prove bennificial to their compitors. Therefore, most companys that operate strategic buisness plans etc, will go to great lenghts to safegaurd that backbone or inter workings of their companys workforce, ie: the securing of database systems and accounts, employee information. The problem is the more security that is implememented, the harder it can be for a legitiamte company employee to access data, therfore this decreses work efficiancy. However, it is important that a company locks down on the availability of there companys internal workings, as in some cases, a leak to a competitor could result in colosal financial loss. I remember reading somewhere that the biggest security hole/weakness in ANY network is not the network itself, but the people that interact with it. A machine cannot be psycologicaly stered to do somthing over the telephone, a person can. A company with a workforce that is un-educated to the risks of information leaks can be a very vulnerable target to anyone wishing to gain such information. Particualry vulnerable are lower-level employees, who may hold a lower level of respect to the workings of the company than an employee who has a close relationship with the hiearchial workings of a company. I believe that the biggest (and commonly overlooked) security flaw in any company, is the companys internal phone system, PBX and Voicemail networks. Employees are given the sense that a company voicemail system is for "employees only" and therefore see fit to discuss company sensitive matters on such systems. Most employees are un-aware that they are able to remotely check their voicemail from home, they just use it to COMMUNICATE with other members of the company, to the standard employee, they tend to build up a mental image that the internal Voicemail system is just "one big answerphone", and that is all they will ever need to know about it. I have yet to see a Voicemail system that CANNOT be accessed via an external line. The fact is, voicemail is designed to be an asset to the internal communication of the company, and therfore must be remotely accessable, which in its own sense is the biggest security hole. A typical voicemail system will handle thousands of internal/external messages every working day, and STORE them all on backup devices, digital or tape driven. Most employees dont care for the security of the "work" voicemailboxes, simply because it's "work" and just that, it does not concern them on a personal level, so users tend to be lazy with passcodes (they dont even need one to access voicemail from their workphones). Now, lets suppose that Company A hold an interest in how Company B's financial status. Remotely "they" can dial into Company B's PBX, probably a listed number, get an automated recording, then find the Voicemail login prompt by trying a few well-known numerical login patterns, ie: *# (octel) *81 (meridian) *7 (audix).. or in alot of cases, the employee VoiceMail login menu option will be presented in the IVR menu at the dialin prompt. Once prompted to login, Company A could be essentially stealthing through the entire of company B's voicemail system in seconds.. picking up contact numbers, account information, financial status, ideas etc along the way. A "sophisticated" method would involve a slightly higher aim than just intercepting emplopyee voicemail. All voicemail and pbx networks have to be administered by someone 24 hours a day, and therefore all have remote administration capabilitys. A few things to note, all voicemail messages varying from system to system are backed up on storage mediums, digital or analouge, and can be remotely downloaded for "audit" purposess. A potential spy, could in essance download the entire pbx database for the company they have interests in, ie: company incoming/outgoing phone records, voice data, commonly used conference lines, etc. Another thing to note, is that alot of companys like to use teleconferencing as a means to communicate with remote clients etc. Usually if an employee is invited to attend the teleconference they will be left a voicemail message from the host containing the dialin and password information for the conference call. Again, the possible security risks are endless, and are always overlooked by companys.. "It's just a phone". Anyway, I've illistrated some of the simple methods that can be used by an intruder to remotely spy on someone/somthing. I find it very interesting as to how such obvious things such as common-sense telecom security is always overlooked. Even more interesting is how a large company can spend ALOT of time and money securing and maintaining server's in fear that an intruder could gain internal information about their company, when a single person could pick up a telephone and filter all their companys operations in a matter of seconds. The fact is, most administators do not see a phone system as an imediate threat to security, and will spend little or no time whatsover looking into securing their own phone system. http://hybrid.dtmf.org ======================