
Thanks to Anthony Joseph, Doug Tygar, Umesh Vazirani, and David Wagner for generously allowing me to use their slides (with some slight modifications of my own).

CS 334: Computer Security, Fall 2008


Our Path
• War stories from the Telecom industry
• War stories from the Internet: Worms and Viruses
• Crackers: from prestige to profit
• Lessons to be learned

Phone System Hackers: Phreaks
• 1870s: first switch (before that, leased lines)
• 1920s: first automated switchboards
• Mid-1950s: deployment of automated direct-dial long distance switches

US Telephone System (mid 1950s)
• A dials B’s number
• Exchange collects digits, assigns inter-office trunk, and transfers digits using Single or Multi Frequency signaling
• Inter-office switch routes call to local exchange
• Local exchange rings B’s phone

Early 1970s Phreaks
• In 1957, Joe Engressia (Joybubbles), blind 7 year old with perfect pitch, discovers that tone E above middle C (2600Hz) would stop dialed phone recording
• John Draper (Cap’n Crunch)
  – Makes free long-distance calls by blowing 2600Hz tone into a telephone using a whistle from a cereal box…
  – Tone indicates caller has hung up → stops billing!
  – Then, whistle digits one-by-one

Early 1970s Phreaks
• Once trunk thinks call is over, use a “blue box” to dial desired number
  – Emits MF signaling tones
• But, not all systems use SF for dialing…
• No Problem: Specifics of MF system published (by Bell Tel) in Bell Systems Technical Journal
  – For engineers, but finds way to campuses

Blue Boxes: Free Long Distance Calls
• “2600” magazine helps phreaks make free long-distance calls
• Builders included members of California’s Homebrew Computer Club:
  – Steve Jobs (AKA Berkeley Blue)
  – Steve Wozniak (AKA Oak Toebark)
• Red boxes, white boxes, pink boxes, …
  – Variants for pay phones, incoming calls, …

Signaling System #7
• “Ma Bell” deployed Signaling System #6 in late 1970’s and SS#7 in 1980’s
  – Uses Common Channel Signaling (CCS) to transmit out-of-band signaling information
  – Completely separate packet data network used to set up, route, and supervise calls
  – Not completely deployed until 1990’s for some rural areas
• False sense of security…
  – Single company that owned entire network
  – SS7 has no internal authentication or security

The Game is On
• Cat and mouse game between telcos and phreaks
  – Telcos can’t add filters to every phone switch
  – Telcos monitor maintenance logs for “idle” trunks
  – Phreaks switch to emulating coin drop in pay phones
  – Telcos add auto-mute function
  – Phreaks place operator assisted calls (disables mute)
  – Telcos add tone filters to handset mics
  – …
• The Phone System’s Fatal Flaw?
  – In-band signaling!
  – Information channel used for both voice and signaling
  – Knowing “secret” protocol = you control the system

Cellular Telephony Phreaks
• Analog cellular systems deployed in the 1970’s used in-band signaling
• Suffered same fraud problems as with fixed phones
  – Very easy over-the-air collection of “secret” identifiers
  – “Cloned” phones could make unlimited calls
• Not (mostly) solved until the deployment of digital 2nd generation systems in the 1990’s
• Enck, Traynor, et al.: “Exploiting Open Functionality in SMS-Capable Cellular Networks”

US Telephone System (1978-)
• A dials B’s number
• Exchange collects digits and uses SS7 to query B’s exchange and assign all inter-office trunks
• Local exchange rings B’s phone
• SS7 monitors call and tears down trunks when either end hangs up
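
The telco-side countermeasure on the “The Game is On” slide, watching the voice path for the supervisory tone, can be sketched with a Goertzel filter that measures how much of each audio frame's energy sits at 2600 Hz. This is an added example, not part of the original slides; the 8 kHz sample rate, 20 ms frame, thresholds and the synthetic “call” are assumptions.

```python
import math

SAMPLE_RATE = 8000   # Hz, assumed telephony sampling rate
FRAME = 160          # samples per 20 ms frame; 2600 Hz lands exactly on bin 52
SF_TONE = 2600.0     # Hz, the in-band supervisory tone named on the slides
VOICE = [300.0, 700.0, 1100.0]   # constructed stand-in for speech energy


def tone_fraction(samples, freq=SF_TONE, rate=SAMPLE_RATE):
    """Fraction (0..1) of the frame's energy at `freq`, via Goertzel."""
    n = len(samples)
    k = round(n * freq / rate)                 # nearest DFT bin
    coeff = 2.0 * math.cos(2.0 * math.pi * k / n)
    s1 = s2 = 0.0
    for x in samples:
        s1, s2 = x + coeff * s1 - s2, s1
    power = s1 * s1 + s2 * s2 - coeff * s1 * s2   # |X[k]|^2
    energy = sum(x * x for x in samples)
    return 0.0 if energy == 0 else power / (energy * n / 2.0)


def sine_mix(freqs, n_samples, rate=SAMPLE_RATE):
    """Constructed test signal: equal-amplitude sum of sine waves."""
    return [sum(math.sin(2 * math.pi * f * i / rate) for f in freqs)
            for i in range(n_samples)]


def first_sustained_tone(signal, threshold=0.8, min_frames=3):
    """Index of the first frame opening a run of >= min_frames tone frames."""
    run = 0
    for idx in range(len(signal) // FRAME):
        frame = signal[idx * FRAME:(idx + 1) * FRAME]
        run = run + 1 if tone_fraction(frame) >= threshold else 0
        if run == min_frames:
            return idx - min_frames + 1
    return None


def constructed_call():
    """Synthetic audio: 5 voice frames, 4 frames of pure 2600 Hz, 5 voice frames."""
    return (sine_mix(VOICE, 5 * FRAME) + sine_mix([SF_TONE], 4 * FRAME)
            + sine_mix(VOICE, 5 * FRAME))


if __name__ == "__main__":
    print("tone starts at frame", first_sustained_tone(constructed_call()))
```

The filter can only say that the tone is present on the channel, not whether the switch or the subscriber produced it, which is why the slides conclude that signaling had to move out-of-band.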

Today’s Phone System Threats
• Deregulation in 1980s
  – Anyone can become a Competitive Local ExChange (CLEC) provider and get SS7 access
  – No authentication → can spoof any message (think CallerID)...
• PC modem redirections (1999-)
  – Surf “free” gaming/porn site and download “playing/viewing” sw
  – Software mutes speaker, hangs up modem, dials Albania
  – Charged $7/min until you turn off PC (repeats when turned on)
  – Telcos “forced” to charge you because of international tariffs

Today’s Phone System Threats
• PBX (private branch exchange) hacking for free long-distance
  – Default voicemail configurations often allow outbound dialing for convenience
  – 1-800-social engineering (“Please connect me to x9011…”)

Our Path
• War stories from the Telecom industry
• War stories from the Internet: Worms and Viruses
• Crackers: from prestige to profit
• Lessons to be learned

Phreaking Summary
• In-band signaling enabled phreaks to compromise telephone system integrity
• Moving signaling out-of-band provides added security
• New economic models mean new threats
  – Not one big happy family, but bitter rivals
• End nodes are vulnerable
  – Beware of default configurations!
• Social engineering of network/end nodes

Internet Worms
• Self-replicating, self-propagating code and data
• Use network to find potential victims
• Typically exploit vulnerabilities in an application running on a machine or the machine’s operating system to gain a foothold
• Then search the network for new victims

Morris Worm (briefly: more detail later)
• Written by Robert Morris while a Cornell graduate student (Nov 2-4, 1988)
  – Exploited debug mode bug in sendmail
  – Exploited bugs in finger, rsh, and rexec
  – Exploited weak passwords
• Infected DEC VAX (BSD) and Sun machines
  – 99 lines of C and ≈ 3200 lines of C library code

Morris Worm Behavior
• Bug in finger server
  – Allows code download and execution in place of a finger request
• sendmail server had debugging enabled by default
  – Allowed execution of a command interpreter and downloading of code
• Password guessing (dictionary attack)
  – Used rexec and rsh remote command interpreter services to attack hosts that share that account
• rexec, rsh – execute command on remote machine (difference is that rexec requires a password)

Morris Worm Behavior
• Next steps:
  – Copy over, compile and execute bootstrap
  – Bootstrap connects to local worm and copies over other files
  – Creates new remote worm and tries to propagate again

Morris Worm
• Network operators and FBI tracked down author in a few days
• First felony conviction under 1986 Computer Fraud and Abuse Act
• After appeals, was sentenced to:
  – 3 years probation
  – 400 hours of community service
  – Fine of more than $10,000
• Now a professor at MIT…

Internet Worms: Zero-Day Exploits
• Morris worm infected a small number of hosts (several thousand?)
  – But, Internet only had ~60,000 computers!
• What about today? ~600M computers
• Theoretical “zero-day” exploit worm
  – Rapidly propagating worm that exploits a common Windows vulnerability on the day it is exposed
  – Propagates faster than human intervention, infecting all vulnerable machines in minutes

Sapphire (AKA Slammer) Worm
• January 25, 2003 (5:30 UTC)
• Fastest computer worm in history (at the time)
  – Used MS SQL Server buffer overflow vulnerability
  – Doubled in size every 8.5 seconds, 55M scans/sec
  – Infected >90% of vulnerable hosts within 10 mins
  – Infected at least 75,000 hosts
  – Caused network outages, canceled airline flights, elections problems, interrupted E911 service, and caused ATM failures

Sapphire 5:33 UTC [figure]

Sapphire 5:36 UTC [figure]

Sapphire 5:43 UTC [figure]

Worm Propagation Behavior
• More efficient scanning finds victims faster (< 1hr)
• Even faster propagation is possible if you cheat
  – Wasted effort scanning non-existent or non-vulnerable hosts
  – Warhol: seed worm with a “hit list” of vulnerable hosts (15 mins)

Sapphire 6:00 UTC [figure]

Since Original Slides Created… [figure]

Since Original Slides Created… [figure]
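
To see how little response time the Sapphire figures leave a defender, the doubling time and host count from the slides can be fed into the standard logistic model of a random-scanning worm. This is an added example, not part of the original slides; the logistic model, the use of 75,000 as the whole vulnerable population, the 1,000-host hit list and the absence of bandwidth limits are assumptions.

```python
import math

# Figures quoted on the Sapphire/Slammer slide.
DOUBLING_S = 8.5        # early-phase doubling time, seconds
VULNERABLE = 75_000     # "at least 75,000 hosts", used here as population N


def growth_rate(doubling_s=DOUBLING_S):
    """Per-second rate beta such that early growth doubles every doubling_s."""
    return math.log(2) / doubling_s


def infected_at(t, seeds=1, n=VULNERABLE, beta=None):
    """Closed-form logistic solution of dI/dt = beta * I * (1 - I/n)."""
    beta = growth_rate() if beta is None else beta
    return n / (1 + (n / seeds - 1) * math.exp(-beta * t))


def time_to_fraction(p, seeds=1, n=VULNERABLE, beta=None):
    """Seconds until a fraction p of the vulnerable population is infected."""
    beta = growth_rate() if beta is None else beta
    return math.log((n / seeds - 1) * p / (1 - p)) / beta


def simulate(seconds, seeds=1, n=VULNERABLE, dt=0.01):
    """Euler integration of the same model, as a check on the closed form."""
    beta, infected = growth_rate(), float(seeds)
    for _ in range(round(seconds / dt)):
        # New infections slow down as fewer uninfected hosts remain.
        infected += beta * infected * (1 - infected / n) * dt
    return infected


if __name__ == "__main__":
    # "hit list" = the Warhol idea from the slide: start with many seeds.
    for label, seeds in (("single seed", 1), ("hit list of 1,000", 1000)):
        t90 = time_to_fraction(0.9, seeds)
        print(f"{label}: 90% infected after {t90:.0f} s")
    print(f"hosts after 60 s: {infected_at(60):.0f}")
```

Under these assumptions the model reaches 90% in under three minutes, inside the slide's ten-minute figure, and a 1,000-host hit list roughly halves that. Either window is shorter than a human response loop, so containment has to be automated or already in place.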
