Want to read Slashdot from your mobile device? Point it at m.slashdot.org and keep reading!

 


Forgot your password?
Close
typodupeerror
×
Security

Telco Networks Open to Attack? 118

Posted by michael from the this-is-nine-one...two dept.
Cally writes: "This post to NANOG summarises Dave Henderson's paper (.ppt: HTML in Google cache, grep for 'Now Really Public') from the Internetwork Interoperability Test Coordination Committee, about the state of security in the public switched (telephone) network: wide open and "very fragile with a tremendous number of vulnerabilities". Apparently, there's $12b in fraud per year, growing interest from blackhat groups, and more, better, intruder tools. We often hear talk of "information warfare attacks that could result in the draining of bank reserves and the cutting off of power sources" from budget-and-PR hungry, but clue-light, politicians and wonks these days. When an experienced engineer uses such language, it's more worrying." We've also had submissions of this AP article speculating about viruses hitting mobile phones.
This discussion has been archived. No new comments can be posted.

Telco Networks Open to Attack? More

Telco Networks Open to Attack?

Comments Filter:
  • Simple : you infiltrate a phone router, that links you to a global communication grid, that allow you access to a few T1 that can be used to synchronously sent 'Charge Test' packets to any IP that you define. At the same time, this operation is controlled by a call issuating from a poor companys ISDN phone system that you hacked through whithin 7".

    It's a shame this company is calling 500 meters from it's location, but will have a phone bill showing relays in almost every old Alcatel customers. I mean the chinese phone system is not porous. It's dead open...

    Don't try in Manhattan but in remote USA the old cheese boxes still works if you want to hack i,to ATT long distance...

    Heterogenous system with a LOT of Legacy Code / Hardware...

    a dream...

  • Scarier thought (Score:3)

    by digitalunity ( 19107 ) <digitalunity@yah o o . com> on Monday March 11, 2002 @07:13AM (#3141869) Homepage
    Did you all know that all power transactions on public power systems travel over the internet? Wanna hear something a little better? The backup plan in case of internet breakage is by E-Mail and then finally defaulting to the old fax machine. With the increasing complexity of transactions, increasing dependance on automation of power delivery, and an upcoming rollout of the ETag 1.7 transaction updgrade in April, who's to say the light switches will work in the future?

    In light of this article and the probability that the public phone system is very susceptible to a terrorist or otherwise dangerous attack, shouldn't there be a dedicated messaging medium for the power grid? Say, Satellite or Microwave? I realize how daunting a project would be, as well as how cost prohibitive, but look at it this way: A foreign or national threat doesn't attack the power generation facilities, instead, they DDoS a server responsible for scheduling the power delivery. Thus preventing or decreasing the reliability of this power grid. Statewide or even interstate power blackouts are just one of a million effects of such an attack.

    I'm not proclaiming a doomsday here, but with the current plight of Enron, shouldn't there be a little more scrutiny?

    Related links:
    FERC - Federal Energy Regulatory Commission [ferc.fed.us]

    NERC - North American Electric Reliability Coucil [nerc.com]

    • Re:Scarier thought (Score:1, Funny)

      by Anonymous Coward
      -1, uses terrorism as an argument
    • Did you all know that all power transactions on public power systems travel over the internet?
      Baloney. Electric power providers have had extensive backup, communication, and disaster recover plans in place since the 1880's. The plant where I used to work had contingency plans for everrything from a Bell System outage (we would revert to our own internal, hardwired phone network and our interally-owned microwave system) to complete loss of communication with the outside world (we would work with the local dispatcher to isolate our area and restart the unit in "island mode" - same way they did it in the 1920's).

      While some power sale transactions no doubt go over the Internet, I doubt very very much that any mission-critical dispatch information is being transmitted that way. For obvious reasons.

      sPh

      • Listen to me. You don't know shit. By federal law, all Control Areas for power grids are legally required to be accessible on the internet. Browse the FERC site.

        In fact, both on the CISO and EISO, ALL power transactions are coordinated through the internet by way of the ETag 1.67 or ETag 1.7 messaging, along with the OASIS power reservation system. This includes mission critical power delivery systems. With the increasing load and complexity of loading systems, manual operation is very tedious and a little fragile because human errors are so prone.

        You need to do a little research if you don't think we aren't vulnerable.
    • As a person who works with energy trading systems for a living and who gets to spend time on the trading floor for IT stuff, I feel entitled to respond.

      If you are referring to power brokerage, the answer is that you are mostly incorrect. A few trading systems support IP trading brokerage between similar systems, but not many. Most trades are done by telephone or (and I shit-you-not) AIM/Yahoo Messenger. we have had people actaully ask us to not let people enter deals into the trading system if the deals was wrong for some reason. (Umm, sir, if the deals has already been made, what good will it do to keep it out of the system if you don't like it? cough cough enron cough)

      Now, if you are referring to power generation assets in the field communicating to a central point as to their status, I wouldn't know, because IT has kept me from using my engineering degree for a while...

      my 2 bits
      • Absolutely, I know a few marketers and they spend about 12 hours a day on the phone. That's all they do. But, thats just the Market Path. That's just buisiness. You should check out the process of Pre Scheduling and Real Time Scheduling. Most of this is coordinated over the internet with little use of the telephone for many places.

        Because of FERC 888 and 889, now when you transfer power openly across multiple Transmission providers, you must let them all either Passively or Actively accept the transfer. Most of this requires little human interaction and the ETags do most of the coordination(on the internet).

        And Yahoo Messenger? I believe you. That's got to be a really smooth way to make a deal; if you type fast enough :)
        • I guess the scheduling desk orders transport based on the system whomever is managing the lines uses to keep trace of the transport (and to NERC tag it, whatever). Unfortunately, I haven't had much exposure to the transport desks. The most exposure I have had is watching a physicals trader and a basis trader go at it because the basis was making the physical deal (which was apperantly a good deal) go in the red.

          I learned a few new words that day, and how to use them to describe another persons shortcomings... :)

  • Just occasionally the policy wonks are right. (Score:3)

    by Performer Guy ( 69820 ) on Monday March 11, 2002 @07:13AM (#3141870)
    The policy wonks when they get it right manage to tune into the right people. They don't always make it up as they go along, so there's no need to be so contemptuous. Alarm bells like this have been sounding for ages and some of the right people have clearly been listening. Despite this yet the /. story dismisses their opinions with casual contempt. They deserve more credit than that for their efforts in the vanguard.
  • With poorly implemented user rights and security. User have the right to be billed, and administrator have the rights to change anything, and there is (almost) nothing in between.

    Any LAN administrator oversees a more balanced aproach, e.g., preventing most user with rights to clear the print que, from deleting all printer software, or deleting anything else. Until SS7's security is better implemented, abuse will be rampant.

    -Nathaniel
    • I don't think security was ever a concern when SS7 was implemented - after all, the end user never gets to see SS7, there will always be an access protocol like DASS2 (for ISDN) between the user and SS7.

      At the end of the day, we have to trust the network ops that have access, in the same way we would trust banks etc.

      James

  • Time to start worrying... (Score:3, Funny)

    by Anaxagor ( 211917 ) on Monday March 11, 2002 @07:16AM (#3141876)
    "When an experienced engineer uses such language, it's more worrying".

    Yep, sure is... those engineering degrees ain't what they used to be...
  • Maybe the reason there have been so many submissions about mobile security and viruses hitting phones is this article [slashdot.org] on the same cnn.com Sci-Tech page as the one posted. Hopefully, people are trying to head off some of the grief that our European and Asian neighbors have had to deal with.

  • Disintegration of the Bell System (Score:3, Insightful)

    by Detritus ( 11846 ) on Monday March 11, 2002 @07:27AM (#3141894) Homepage
    This appears to be just another indication that the formerly monolithic telecommunications system in the USA is continuing its slow collapse into anarchy. The system has been jettisoning its research, engineering and operations expertise for decades. The former Bell companies are following the example of American rail and steel companies, milk the system for cash and let the infrastructure rot in place.
    • Funny, same thing is happening in Australia.
    • "The former Bell companies are following the example of American rail and steel companies, milk the system for cash and let the infrastructure rot in place"

      I'm afaid this analogy is rather unaccurate for several reasons. Contrary to traditional blue-collar rhetoric, neither the rail empires nor the steel magnates voluntarily let their infrastructure crumble in order to maximze their profits.

      The construction of America's interstate system in the 1940's and 50's brought with it an explosion in cheaper (relative to rail) freight service via large trucks. This major blow to the railroad's traditonal revenue streams, long-distance freight service, precipitated an almost complete collapse of most publicly owned rail systems in less than a decade. (read::Conrail)

      As for steel, the late 1970's and early 80's trend towards increased unionization made it more economically rational for firms to buy raw steel imported from South America and Southern Asia where reduced labor costs brought the total costs to less than 1/5 of the domestically produced alternative. Perhaps if more capital was invested
      in automation (read::South Asia), the decline of American steel could have been averted.

      The demise of both examples is a result of obsolence brought about by technolgical change. The telcos are probably immune to any similar paradigm shift as they will own exclusive rights to whatever technology replaces the current telecommunications infrastructure (this include wireless since the telcos have invested ungodly sums of money to "rent" most of the usefull UHF and microwave spectrums).

  • If the 'phones did go down... (Score:3, Interesting)

    by SomethingOrOther ( 521702 ) on Monday March 11, 2002 @07:31AM (#3141902) Homepage

    Maybe slightly off topic... but I do recall reading that upon Alexander Graham Bells death, all the telephone networks went silent for a period of 1min (?) as a mark of respect.

    If that happend today the world would panic
    Would stock markets crash and water/rail etc networks to go tits-up because of a major 1min phone outage?

    We dont realise how dependent we are on the telephone!
    (Also... try subsetuteing telephones for oil in the above post :-)

    • The only things that will explode,implode and everyone flings themselves out of the window when the phone system fails are those companies that are so poorly run that all it takes is a small event like a phone innteruption to blow them up.

      a real company with a real emergency contingency plan will see it as a minor inconvience. Internet will probably still operate (espically with Cable modems in areas where they switched to a fiber infrastructure that is outside the telco control.)

      Plus noone can do something and take down ALL telcos. not possible no way. Yes you can crash all of mci and ATT but you wont crash the allendale telephone company, or GTE local services.

      • Wanna bet? The vulnerability is synchronization. (Score:5, Informative)

        by Myself ( 57572 ) on Monday March 11, 2002 @10:07AM (#3142262) Journal
        The entire infrastructure is carried on SONET equipment. (That's Synchronous Optical Network, and if you didn't know that, you should read up on it, it's neat stuff.) Being synchronous, this stuff royally shits if there's something wrong with the timing.

        Way back when T-carrier was first deployed, Bell realized this and set up a nationwide synchronization distribution. I think the master clock was in Kansas City. Anyway, the sync signal was distributed over wireline circuits to every central office in the country. Maybe Canada too?

        However, most interoffice links are fiber now, the same SONET rings that depend on such precise synchronization. Ring-timing is awkward, and without very careful planning, sync loops can form. (Long story, look it up. The short version is that when a SONET system loses sync, it doesn't carry traffic.)

        The modern concept is called BITS, or Building Integrated Timing Supply. Each office has a sync signal source, driven by an LPR (local primary reference) oscillator, which is in turn frequency-locked to a reference signal derived from GPS satellite signals.

        Yes, that's right, the whole telephone network will fall apart if the Global Positioning System stops transmitting. Depending on the stratum class of the LPR, it might be able to "hold over" for a couple days, maintaining an accurate timing signal in the absence of an upstream reference. They will eventually drift, and most offices only have stratum-3 units anyway.

        The network is so poorly planned in the first place, most transport engineers haven't got a clue about ring timing and such. They just hook each terminal to the BITS clock and hope it works, which it does, until something happens to the BITS clock. If all the BITSes in the network started drifting from one another, the system would slowly fail over a few days, as timing slips exceeded the tolerances of the various systems.

        If such a thing were to happen, don't bet on the ability to patch things up quickly. Recordkeeping is horrible, and even if it weren't, it would be a daunting task to spontaneously set up a new sync distribution network independent of GPS.

        I've heard on good authority that you wouldn't even need to take out the satellites themselves. A couple properly placed nuclear detinations could screw up the somethingsphere such that GPS signal propagation would suffer. Any physicists care to clarify?

        • Re:Wanna bet? The vulnerability is synchronization (Score:5, Insightful)

          by Orangedog_on_crack ( 544931 ) on Monday March 11, 2002 @10:50AM (#3142435)
          You are correct about the vulnerability due to telecom's dependance on the GPS system. If the GPS network over the US were to go down, it would cause a lot of problems, but it would not crash the entire phone system nationwide. Many central offices, at least the larger ones, have a cesium clock for timing purposes(I'm an engineer at one of the big 4 telecoms and I'm very familiar with our BITS standards). These can go weeks without a slip but eventually they will start to lose sync. Sites that have only stratum 3 back ups are few and far between. Almost all sites that rely on GPS timing have at least a stratum 1 backup. From what I know of my company's and the others SOP's, the industry operates on the belief that if the GPS network goes, we expect it to be back up before the cesium clocks would begin to slip. Stratum 1 can go for a few days, so it would be my estimate that we would encounter problems with the phone networks, major disruptions would be avoided if GPS can be restored within a week. I believe that this theory follows the line of thaught that if the GPS network is down for longet than that, something nearly catostrophic would have to have happened...something so bad that having the phones screwd up would be the least of the country's problems. If something were to happen that takes out GPS sats, it would almost certainly take out a lot of other satellites. Now THAT would really screw us. If you remember what happened in the summer of 1998 what just one communication satellite went down, then you know what I mean. Almost all ATM and credit card transactions, as well as a lot of pagers (mine included) came to a screatching halt. Take out GPS and a dozen other satellites and things get really scary.
        • You are vastly over simplyfying the concept of a timing source.

          A true reference clock takes a number of inputs, GPS being a less desired form. Almost all of the major carriers also include an atomic clock as part of their reference.

          The militiary pioneered the design of insane consistency when it comes to reference clock signals, with entire 1000+ page documetns describing the various levels of reliability and consistency and the proper combination of all sorts of timing sources from GPS to atomic clocks.

          The phone networks will not go down if GPS does.
          • I'm aware that a good reference has multiple inputs, I'm simply saying that there isn't a good reference at most offices.

            The CO's I've been in have a Telecom Solutions (by Symmetricom) DCD-LPR with GPS GTI cards feeding a DCD-ST2 with Stratum-2 oscillators, which drives the TOxA cards to feed the BITS-clocked network elements in the office.

            In such a situation, if the GTI boards lose lock, the ST2 shelf goes into holdover, where it should be good for a few days. (I don't have the specs in front of me.) Equipment still has timing, it's just not locked to anything in particular. The switch and stuff will continue to run, but interoffice links will suffer as slip increases.

            I'm sure all the major carriers had a Cesium reference in an office at one time, but nowadays I don't think that's used for anything. It's simply too awkward to push that signal out to each office. The GPS constellation is considered the primary reference.

            The phone system won't go down completely, but it will break up into islands until a terrestrial sync distribution system can be established, or GPS can be restored.

            Sure, the GPS satellites could be taken out by a rogue nation with too much laser power on their hands. The orbit data are public, after all. It's not a direct military strike, just a nasty thing to do, with repercussions that wouldn't be realized until after the fact.
    • If that happend today the world would panic
      Um, why, exactly? Do you never have thunderstorms where you live? Never any downed tree limbs taking out wires? Does the ATM nearest your house never break or run out of cash?

      In fact, about 4 years ago Quebec experienced the worst ice storm ever recorded in North America. Electricity and phone service were cut off in some urban areas for up to six weeks. No panic or mass disorder that I am aware of; just a lot of people working very hard to get things cleaned up and running again.

      The only people who would "panic" over a 1 minute phone outage are those already in line for a Darwin Award.

      sPh

    • On X (where X = a date sometime before 1980 = Bell's birthday | anniversery of Bell's death) , all telephone lines in North America went silent for Y (where Y= 1 | 2) second(s), as a tribute to Alexander Bell.
    • Would stock markets crash and water/rail etc networks to go tits-up because of a major 1min phone outage?

      We dont realise how dependent we are on the telephone!

      We're not that dependent, all of us have lasted much longer than a minute without talking to anybody (days, months, years?)

      Now if the telephone system suddenly stopped then that's another story, until we get broadband to everybody then not many will have access to the internet in a time of crisis such as the telephone and television lines being severed

      We'll always have radio I suppose...
  • http://www.atis.org/pub/iitc/ntc/ntc24.doc

    This seems to contain the same information in what I found was a tad easier to read although it is in word format so it may not be for everyone.
  • I remember hearing somewhere that someone could bring down ALL over-Atlantic phone connections by finding the IP address of AT&T's router and shutting it down via DoS.
    • Yeah thats because VoIP networks are accessible to the common internet right?

      Just because something has an IP doesn't mean its on what most people know as the www.

      I mean common, anyone with a LAN knows this. My IP is 192.168.0.2 but you cannot see that from where you sit.

      Anyways, I'd like to think there is more than one transatlantic carrier.

      Tom

  • It's only gonna get worse (Score:3, Interesting)

    by ChrisPaget ( 229422 ) on Monday March 11, 2002 @08:01AM (#3141940)
    3rd generation mobile phone networks are only just around the corner (relatively speaking); these networks use IPv6 as the transport for the call data. Billing is likely to be based on your source IP address, so if you can spoof someone's address (and probably circumvent a whole load of encryption and authentication) you can probably end up with free phone calls. Voice and data traffic will be going down the same backbone, with intelligent switches that decide what traffic is Internet data and what traffic is voice data. SkRiPt KiDdIeS will have easy access to all the 3G networks the moment they dial up to the internet. I don't know about you lot, but this idea scares the hell outta me given the current state of worldwide network security. I don't know how many IP-based attacks have been solved with IPv6, but I know it's gonna get messy sooner or later.

    For those that are interested, there's various IPv4-IPv6 tunnels around that are open for use. If you have a dual-stack machine (Linux can, and there's a MS IPv6 stack available for 'doze) you can set up a VPN into various IPv6 networks. Can't remember the URL, but I know there's one from BT. If people start using / attacking these networks now, then perhaps the problems will be fixed before IPv6 and 3G become mainstream...
    • The link for BT's IPv6 trial network is here [bt.com] Click on "BT Trials" and then the link for "BT's IPv6 ISP Trial" (in the page), and you get all the details you need.
    • >Billing is likely to be based on your source IP
      >address, so if you can spoof someone's address (and
      >probably circumvent a whole load of encryption and
      >authentication) you can probably end up with free
      >phone calls.

      Billing is NOT done on source IP adress in a 3G network.

      Billing is done on your subsciption identity that is stored on a SIM (Subscriber Identity Module, a smart card in the phone).

      /Thomas
    • It is clear that you do not understand a thing about 3rd generation mobile networks.

      these networks use IPv6 as the transport for the call data Wrong. Networks can use IPv6, but do not need to. Most probably they will not initially. There is to much ATM out there. (Ever studied Voice over IP over ATM?)

      Billing is likely to be based on your source IP addressBilling will not be based on your I address. Your IP address will have no meaning within the network. Spoofing the normal way is out of the question.

      (and probably circumvent a whole load of encryption and authentication) ...is mostly done on the air-interface. Please explain me how you intend to do this.

      SkRiPt KiDdIeS will have easy access to all the 3G networks the moment they dial up to the internet
      Those networks only transport data. If a use snailmail, my letter is able to control a mail distribution centre? (Bombs excluded)

      Please check http://www.3gpp.org in case you want to know more.
    • Not true. 3G networks are built from the ground up with security and operability. There isn't the 100+ legacy issues to deal with. Our 3G network is an overlay network, it sits on top of the 2G network, and is deployed where the demand is, then rolled out on schedule. We have more firewalls, command and control networks, backup networks, and intrusion detection on these networks than on the 2G. This is the future of the company, we want to make sure its damn secure and unbreakable, we get to build it right this time, perfect.

      Currently we don't use IPv6, Our phone IP space is nat'ed. But we don't even care about your IP, we bill on your IMSI which is programmed in your SIM Card. But yes, we have these neat sniffers that will show your phone from the (gb) base station link to the (gi) Internet connection. Nice real time ping pong charts that show your every move. Oh yes, and we have location based services, we know where you are. (For E911 etc..)

      Interesting fact, most of us read /. and attend the black hat security conferences. This is the place that hires the hackers. Hell I even have a copy of 2600 on my desk, nobody said a damn word. lol..
      -
      All comments are my own, not of my employer.

  • I work for a VoIP Telephony Company... (Score:5, Informative)

    by phunhippy ( 86447 ) <zavoid&gmail,com> on Monday March 11, 2002 @08:08AM (#3141953) Journal

    I helped build one of the world's largest VoIP companies & i know a few things about the telephony networks as a result. And from what i read in the article is mostly wrong.. You can't just interconnect with out a carrier knowing who you are, Even with ss7. You need to have work orders generated, physical connections involved.. even in VoIP you need set up CICs and point codes, testing of the connection..

    Also if anything the decentralization of the telephone networks have made absolutely stronger as a reliable means of transport in times of failure now. It works on the same principle in effect as the internet. Where you can reach a destination via many differnt hops.

    For example.. in the old days if you wanted to call London, your call went across AT&T and that was that. Now with 5-10 serious International carriers if even 3 or 4 of the carriers have a facility outage for whatever reason(rare as it is) they can re-route calls to alternate carries where as before they would not be able to do that.

    What he seems to fail to mention is that with in 10-15 years traditional telephone networks will be thing of the past and phone service will be regulated to just being another service provided through one of a number of broadband pipes(fiber to your house, g3,g4,gwhatever wireless networks that come next) and the whole concept of a telco will change to the point where companies will server merely as giant switching operation and "enhanced services" with almost zero physical infrastructure, which will also result in the fast drop of telephone pricing as the infrastructure costs dramatically.

    Some 7am blurred tired thoughts.. hope that was coherent enough.

  • 2001-12-05 21:23:51 MCI Worldcom networks hacked (articles,news) (rejected)

    and I used to work at MCI WorldCom, they were constantly fighting this...
  • I volunteer to guard Eva Savalot.
  • Well this is hardly a surprise. Telcos make money per second that you are speaking, with the exception in some states of free local calls, a phenomenon hard to understand if you were brought up in Europe as I was.

    Their infrastructures have rarely been upgraded apart from by default, when old equipment goes obsolete, or in order to make more money with interoperability issues and by increasing international traffic.

    That they now realise they have a security issue is no surprise really; they are running stuff which is often vendor configured anyway. They have no value to add - the voice conversation is just a voice conversation. They just want you to stay for more and more minutes.

    Some have imaginatively added Caller ID, Voicemail, etc, but all with the interest of more minutes (you call back, you reply to calls even when you wouldn't usually because you can see who's calling, etc) rather than making a better network.

    Most Telcos have a monopoly on a geographical area anyway, the small fry always get eaten up. Better quality, higher speed dialup etc all come way after the technology has been available.

    The problem of course is that user choice is always limited; the Internet is democratic because you can choose your OS and run what you want, taking your own security. But the phone network you can do nothing about, you have to lump it and pay high rates because regulators tend, alarmingly, to protect the Telco way more than the consumer.

    Hopefully someone will make a big attack and wake them up. Not unlike Bin Laden. Whatever the morals of the story, the violence, the cause he was fighting for, one positive thing to come out of the tragedy was the shift in psychology of the average Amercian, who has been forced to soul-search and reach out internationally to understand why some people hate America so much. The Telcos need to understand why the consumers hate them so much.

    I cannot think of one state where Telcos run losses on voice calls on fixed networks; GSM and 3G is a whole different ball game which should be taken apart from landline fixed telephony.

  • there's not a vulnerability (Score:3, Insightful)

    by tuj ( 303347 ) on Monday March 11, 2002 @09:04AM (#3142070) Homepage Journal
    At the local level, your phone is switched by your neighboorhood central office, which is basically a small building filled with relays (or nowdays, digital switching equipment). The most striking thing about CO's is the battery room. They have racks upon racks of batteries that are constantly charged, and can provide power to run the CO at full load for roughly 12 hours. CO's also have 2 diesel generators to recharge the batteries and enough fuel onsite to run the generators continuously for 2+ days.

    Think about it: how often has your phone went out? And when it has, how often was your neighboor's phone out also? Remember, the phone system keeps working even when the power is out.

    The physical infrastructure is the most important layer. Everything else can be fixed relatively quickly in the event of an attack (DOS). Its trival to sever a carrier from your network, but its a major undertaking to replace physical infrastructure. As long as that is redundant, and relatively secure, your phones aren't going to stop working any time soon.

    • Well, that is at least partially true.
      When the 9/11 attacks happened in NY, Verizon's central office near the tower was damaged.
      It still kept working for about 12 hours (not the 2 days you claim) on generator power, etc, before finally giving way.

      It took about a month until I got my DSL back, even though I'm miles from Manhattan! It turned out that Verizon's lines weren't nearly as redundant as they thought.

  • Lets take Bellsouth for an example.

    Somone overseas wants to knock our %99.9 of our communication. Lets say.. Russia, or Pakistan. All they would have to do is either cut the phiber backbones, or D.D.o.S the HELL out of the switches, or routers that ran the voice, or IP circutes. It isn't that complicated, provided you have the bandwidth. If one Bell company, like Bellsouth was affected, then ALL the states under that region would fall under this attack, and every phone would be out.

    The amount of bandwidth you would need would almost be ludacris, probably up around in the GB range if you had enough machines taken over. Bellsouth's main backbone is slightly over 12gigabits from what I understand. (I heard this somewhere).

    It would not take much of a blow to knock out SWBell, or Bell$outh. Remember the M$ attack? The one where the guy aimed his tools at their routers? That was a full blown good, thought out, and planned attack. Lets apply the same to the Bells. More people would be affected. If all 4 baby Hells were brought to their knees, then maybe our senators would think twice before giving these idiots total control, and pass more laws in favor of joe user/admin/ISP. Why would they reconsider? Because they couln't call Hollywood and ask for their paycheck, so THEN they would get pissed.

    • Why you're clueless. (Score:5, Insightful)

      by Myself ( 57572 ) on Monday March 11, 2002 @09:46AM (#3142198) Journal
      Point 1: When a telco person says "switch", it means something totally different than what a data person means when they say "switch". This is a persistent annoyance.

      You can't simply packet an ESS out of existence, because it doesn't know what a packet is. It's not connected to the internet. There are SS7 signaling links and X.25 control links, and maybe a few IP control links if you're lucky. None of them are connected to the internet. Your phone line is payload, not control.

      Exactly how do you propose to access the switch in order to DoS it? There are switch dialins, but most are pretty secure, and good luck finding them. You're planning to do a lot of wardialing first?

      Point 2: Telcos lie about bandwidth. When someone says they have a 10 Gigabit backbone, it means they own a couple OC192 circuits. Most of the channels in those circuits are probably not filled.

      That's like saying I can move a thousand shipping containers a day, because there's a large river between me and my destination, and seaports at each end. Nevermind that I don't own any ships!

      An OC192 circuit, for instance, can carry four OC48 signals, or 16 OC12 signals, or a mix thereof. Anything that adds up to 192 STS-1 payload envelopes, or equivalent concatenated payloads. You get the idea. Chances are, they're carrying one or two OC48s on the thing, and the rest is for future expansion. Each of those OC48s in turn is probably only 70% full.

      • Reality check (Score:1, Interesting)

        by Anonymous Coward
        Yes, the management plane is seperate. However, it's horribly insecure: You can simply ring the doorbell and walk into the COs in my area, tour around and leave. I've done it a few times, covering three offices. Face it, the only security is the wall of jargon and the priesthood of odd procedures that goes with the public phone network.

        [I type this as I latch-up the console on a local ADM and hop around a ring which has a couple of SLICs and a cosmos console on it]
    • Wow, "Myself", that's probably the most intelligent response I've read so far! And for what it's worth, I totally agree, and people need to make an effort to understand the difference between a "data switch" and a "voice switch"!

      Simple fact - 99.9% of basic wired telco infrastructure is completely IP "unaware". In other words, no IP address, doesn't have a clue what TCP/IP is, nor does it care. Granted, the new wireless technologies are more/heavily IP based, but that's a different matter - wireless services always have been, and likely always will be many orders of magnitude more vulnerable to abuse/attack purely because of the uncontrolled nature of the transmission medium (without wires, hence wireless). But I digress...

      Of the equipment that does have an IP address, 99.9% of it is privately addresses or firewalled or simply not physically or logically connected to another network.

      The only way to "DoS" a switch is to use up the DS0's on it's switching backplane (or whatever, the terminology varies). Even on a tiny switch (5ESS VCDX, etc), this can be multiple hundreds of simultaneous calls.

      Then what happens you ask? Simple really, no dial tone to the customer. Your phone doesn't explode, melt down, or otherwise. Nor does the switch "crash". Would it be easily detectable? Without doubt. Would the phone company know where it was coming from or what was causing it? Sure they would.

      And, to add to this, most people don't have the slightest clue that dedicated nailed-up circuits (such as PtP T1's) never see a switch. That data is split/multiplexed out of the fiber and handled independantly of switched data. It can't be "jumped" onto another circuit, or have some "magic packet" sent to it to allow it to then connect itself to another circuit or timeslot. Hence the term "nailed-up". Even frame relay is external to the switched voice network for the most part.

      What is quite possibly vulnerable is the internal IP (ie computer) network of a particular phone company, or possibly dialup administration modems connected to craft interfaces on various bits of telco gear. But cracking a single telco or exchange and using it as the source of a massive nationwide DoS attack on other carriers isn't going to happen anytime soon.

      What's far more likely is a very low-tech attack on the physical infrastructure. Even with redundant facility (logical, physical, and route), there always comes a point in a network that a single "failure point" can bite you. It only depends on how fine-grained your idea of "single point" is.

      As far as DoS'ing a "router", how exactly is that different than what happens to routers now? Happens all the time now, so what else is new? :)

      • Re:Switches, Packets, and Script Kiddies, Oh My! (Score:1, Insightful)

        by Anonymous Coward

        Agreed 100%. I'm a former telco engineer now in the ISP world. It's funny to see how many Slashdot groupies and script kiddies think the telco infrastructure is going to crumble tommorrow to IP. I agree completely that the old one trunk, one call paradigm has a limited lifespan, but the IP world is built on a very weak foundation. ISPs and the IP networking world in general have a lot to learn about building mission-critical systems, testing, and offering services that actually work. (Case in point, how many telco switches crashed on 9/11 versus websites and ISP infrastructure ?)

        As for the SS7 security posts, SS7 is no more venerable than BGP, and it operates on basically the same priniciple as trusting your neighbor.

        The IP world is basically one big cluster f*ck that somehow works. The telcos are big, clumsy, and slow to implement new technology, but they're that way for a reason. God help us when your telephone service depends on cron jobs and BIND.

  • The bells have been broken up for years and the only result has been the degradation of technology. We need the new small guys to step up to the plate and create something new and different and stop relying on the old outdated equipment the bells are using to continue to dominate the markets. The only way systems will be secure is if you create new, secure systems that are designed specifically to be secure. There will never be a completely secure system, at least not any time soon, but let's innovate and put a little more effort into improving or recreating what we have. Finally the VoIP guys are starting to create bigger and better methods and systems that require less bandwidth, are more reliable, and are more secure than the current system. The innovation is coming, but I've played with Cisco's VoIP system and I can tell you that even with their CCIEs there were a few weaknesses that were prominent in the new systems, though I admit that it isn't finished yet. The point is, as long as the new companies rise up to challenge the bells with the bells own equipment nothing is going to happen. There will be no improvement, no innovation, and there will be more exploits and increased knowledge of these systems that can be exploited.
    • "The bells have been broken up for years and the only result has been the degradation of technology." This statement clearly demonstrates the ignorance of meggito, the poster. I have dealt with telephone since the days of hand cranked ringer codes and the upgrade to operator placed calls. Technology took off like a skyrocket with the end of the ATT monopoly, and attempts by Ma Bell to stall progress suffered ignominious defeat in all three branches of the federal government. Plain Old Telephone Service might have suffered (I don"t think so), but technology has zoomed from 110 baud teletype to ADSL and from operator switch boards to sophisticated computers and equipment able to interface across international borders and their widely differing standards, including voltages, frequencies, coding, and impedances. I like the new order.
      • This statement clearly demonstrates the ignorance of meggito, the poster. I have dealt with telephone since the days of hand cranked ringer codes and the upgrade to operator placed calls. Technology took off like a skyrocket with the end of the ATT monopoly, and attempts by Ma Bell to stall progress suffered ignominious defeat in all three branches of the federal government. Plain Old Telephone Service might have suffered (I don"t think so), but technology has zoomed
        Well, perhaps. From the viewpoint of Joe and Jane user, or Small Business Inc., how exactly have things "improved"? In 1970 you received somewhat overpriced telephone service from an arrogant and unresponsive bureaucracy - but that service was 100% reliable, of very high quality, and was managed by an organization that did actually spend some of its excess loot thinking about things like long-term planning, stability, disaster preperation, the future, etc.

        Today, we can choose from a bewildering array of "services", most of which we don't need, that appear to have a lower unit price but which after fees, surcharges, fees on fees, fees on surcharges, and opportunity costs of fighting through your bill (we have a full-time person doing that now) generally turn out to be more expensive than they were in 1970. And we receive these services from organizations which are not only just as arrogant as the Bell companies of 1970, but which often don't even bother to answer their phones and which can't find a person to fix your problem even when they do bother to answer. And which also tend to disappear overnight, taking your wonderful "services" with them.

        And, of course, the old Bell companies are still there (dealt with Verizon lately?), as arrogant and as profitable as ever.

        Now what was that "progress" you mentioned?

        sPh

  • When did Bruce Sterling [rice.edu] write The Hacker Crackdown [eff.org]? Ten years ago? This isn't exactly news. Incidentally, read Sterling's book if you haven't already -- it covers the early days of hacking AT&T unix systems, phone phreaking, the history of the US Secret Service and more. The EFF has it in a dozen-odd formats, there's an ebook [peanutpress.com] version for the PalmReader [peanutpress.com], and just for grins you can even get it of The WELL's Gopher [sf.ca.us] server(!).

  • Really though... (Score:3, Interesting)

    by SkyLeach ( 188871 ) on Monday March 11, 2002 @10:26AM (#3142331) Homepage
    I don't want to cause a scare and I really don't want the FBI, CIA or anyone else comming to grill me but this information needs to be added...

    I used to work for a very large telecomm company and part of my job was to write software which helped to design networks for some of the largest companies in the US. I throw out the name AOL not because I worked on their network, but because they were one of the mid-sized networks, not the "big ones".

    My points are these.

    1.) It is very easy to get a map of ALL the major telecomm switching locations and backup generators.

    2.) Security is pretty lax, so most dedicated hackers and any mailroom worker could get the information.

    3.) Most POP locations are not even manned, much less guarded. A half-dozen backhoes and some cell phones would be enough to coordinate the destruction of about 90% of our telecomm system.

    4.) The weak point of every single network is the location of the equipment, not the pipe itself. Some people may argue that there is backup equipment. BS. There is NO backup equipment to replace those locations. The demand to keep up with new technology (DWDM, WLCS, and other cramming technologies) always exceeds the networks' staff, time, and budget. If the equipment was taken out in even a small percentage of the major backbone locations the entire network would fail, and it would be down for a very long time.
    • I'll second this idea.

      I used to work designing data networks for the New York Stock Exchange and associated companies, brokerages, etc... One of the biggest problems was that almost all of our telco services were provided out of one or two buildings. One of those buildings was the West St. CO which was heavily damaged during the 9/11 attack was one of the primary reason the stock exchange had to close for several days.

      The only way to avoid this CO was to build our own telco infrastructure. We had to buy (not lease) 250 pair of fiber in a large ring around NYC to avoid the West St. CO. We looked at leasing the fiber but all the companies wanted to run the connection into West St.

      We then used point to point microwave link to backup key portions of the fiber ring.

      It turned out that all this still wasn't enough. One network connected to the Internet via a single major ISP via multiple POP (from multiple data centers around NYC) and no two connections were supposed to have any common physical circuits. We even paid extra for this, but the had all circuit running through the West St. CO. From the IP layer and Circuit IDs it looked like everything was ok, but the telco didn't maintain physical diversity.

  • I work for a Telco (Score:1, Informative)

    by Anonymous Coward
    I'm a Sr. Technical Manager with a BIG phone company. While I agree that the protocols involved in telephony(SS7 and IP) are insecure, it is VERY difficult to get into our infrastructure. All signaling rides on our own pipe and it is in NO WAY attached, F/W or gateway onto the internet. SS7 is used for call setup and services. It only exists between Co to CO. There is no way an outsider could tap it. IP is ONLY used for provisioning and maintenance. Even if you get in onto the Central Office IP network, you could do Nothing. SS7 is a very flat and complex protocol. Script Kiddies would pull out every strand of their hair before they figure out SS7 and its various operations. We have a very extensive surveillance system from Agilent called AcceSS7. Let's put it this way, if you are doing toll fraud or anything you should not be doing, We'll see it.
    What bothers me is the future of telephony. Our switches (5ESS, DMS-100, ESWD) are approaching end of life and will eventually(5 years) be replaced by soft switches, media gateways, gateway controllers and likes of VoIP, RTP, SIP, H.323, etc. The signaling will be not only within the CO but also to the end station. This will be a security architecture nightmare......Just my $.02

  • I work for a Telco (Score:1, Informative)

    by jloukinas ( 304314 )
    I work for a Telco and our security is terrible. The only time something gets replaced is when you can no longer get parts. Most of the hardware switched stuff like actual line circuits are in good shape but someone could cause lots of bad things to happen having access to billing and switching servers. The stuff that actual send commands to those switches telling them what to do!

  • 12B?! (Score:3, Insightful)

    by _ph1ux_ ( 216706 ) on Monday March 11, 2002 @08:39PM (#3146078)
    I dont buy that. 12 billion in fraud? no.

    Maybe I would feel a little more compasionate for these companies were it not for the *many* times they have ripped me off, over charged me, pretended to offer a special deal that they would only uphold if you called them up and complained about not getting what you were promised.

    I say screw the phone co's and all other companies that have similar slimy practices. Good for those that have ripped them off for 12B. VOIP anyone... there are still companies out there that, even though have shitty executives, (www.quicknet.net) are offering voip services at affordable rates.

Slashdot Top Deals

"No matter where you go, there you are..." -- Buckaroo Banzai

Close