 |
Over the years as
telephone switches evolved, setting up calls between parties changed from - |
|
|
|
|
A switchboard operator at
the telephone company central office plugging in, and pulling out jacks between the
parties... |
|
|
|
|
To cumbersome mechanical
devices that performed many of the same tasks... |
|
|
|
|
To the modern electronic
switches which, without an outward sign of motion, do the same job as its forebears...
only a lot faster and a lot better. |
|
|
|
|
It should be noted that in
addition to these modern telephone switches being found in telephone company
facilities, they are also found at businesses subscribing to a large number of telephone
lines. I have seen them at all sorts of facilities including law firms, hotels,
telemarketing offices, hospitals, manufacturers and local government offices. |
|
|
|
|
Let's take a little closer
look at these modern electronic switches that do all these wonderful things. |
|
|
|
|
OK, we already established
that although we see no sign of motion, these modern electronic switches perform the same
switching functions as did the mechanical device and the human it replaced. We can't see
two lines being connected as we might have 50 years ago, but we know that the two lines do
indeed get connected. |
|
|
|
|
If you are not sure about
that, think about how you managed to get connected to this web site. You typed something
in your computer or you clicked your mouse, and like magic we are connected. You could
probably not find my computer and I know that I could never find your computer, yet here
we are. How did this happen? |
|
|
|
|
|
We would all answer
somewhat differently depending upon our knowledge of computer science, but when we got
down to basics we would have to agree that computers, and instructions to those computers
deserve the credit for this feat. |
|
|
|
|
You might argue that phone
lines and satellites and microwave links and a myriad of other devices played a major part
in our getting together and you would be right! |
|
|
|
|
|
But when we talk about all
these other high tech contraptions aren't we talking about things that are controlled by
computer circuits and software? Just because it is not sold at Comp USA, does not mean
that it is not at least part computer! There are countless everyday examples of these
types of gadgets -- your VCR, your car, your video camera, your cell phone and your copy
machine, all use computer type circuitry and they all receive instructions -- some from
you, and some built in. |
|
|
|
|
|
|
Now lets get back the
modern electronic switch that handles our phone calls. I took this long detour because
some people seem to have a terrible time accepting the fact that this modern electronic
switch is nothing more than a special purpose computer. As a computer, it has
certain qualities. |
|
|
|
|
It follows instructions
given to it by software that is installed by the manufacturer or modified locally.. |
|
|
|
|
If the software permits
it, it can follow the instructions of an outside source, such as a tone on a
keypad depressed 3000 miles away. |
|
|
|
|
It operates by stealth.
That is, it does its job of say, connecting two phone lines without moving any wires, or
looking to the naked eye, any different before, during, or after completion of the phone
call. Certainly, the phone company keeps a record of the fact you made a long distance
phone call and spoke for 45 minutes -- trust them to do that. Of course there might even
be a little red light on a circuit board that comes on when the two lines are connected,
but, as a practical matter, the computerized electronic switch is a machine that
operates by stealth. |
|
|
|
|
Once in a while it needs
maintenance. We'll have more to say about that in a few minutes. |
|
|
|
|
|
Now enter the innovators.
These are the guys who come up with things like Caller ID, Call Blocking, Caller ID
Blocking, Call Forwarding, Three Way Calling, etc. etc. And as you would expect, with
some programming instructions, the modern, computerized electronic telephone switch
is assigned to handle these chores. |
|
|
|
|
|
Many years ago, I learned
that to be a good investigator, among other things, one had to "emphasize his (or
her) empathy". |
|
|
|
|
Let's apply that approach
by putting ourselves in the position of the "Bad Guy". We'll call him
Mr.
Bad. |
|
|
|
|
Mr. Bad makes a
living eavesdropping on large law firms involved in major litigation, big dollar mergers
and acquisitions. He sells that ill gotten, but usually reliable, information to the
opposition. Why go after law firms? The answer is simple. Where else could he count
on getting an unending flow of information pertaining to big dollar negotiations? The very
nature of a lawyer's job, normally makes it impossible to cut him out of the loop.
His office is a choke point of valuable information of many of his clients. Rather than
target a number of major clients who might deal in valuable information on a sporadic
basis, he targets the lawyer's office and waits for the information to come to
him. |
|
|
|
|
|
Now, lets inventory the
ingredients that have been assembled. |
|
|
|
|
We have computerized
control of the phone system. |
|
|
|
|
We have built in special
features such as three way calling. |
|
|
|
|
We have a need for
occasional maintenance of the phone system. |
|
|
|
|
We have a potentially
profitable target. |
|
|
|
|
And, last but not least,
we have the unscrupulous and resourceful, Mr. Bad. |
|
|
|
|
|
Mr. Bad can now
attack the phone system and start collecting that valuable information. |
|
|
|
|
First, he must identify
the lawyer or lawyers who have the type of practice that would put he or she on the inside
of major business deals. There are a million ways to do that... newspapers, magazines, law
directories, the internet, pretext inquiries of other lawyers, local lawyers watering
holes, etc. For the sake of this discussion, we'll call the lawyer whose phone we
are going to tap, Mr. Target. |
|
|
|
|
Next,
Mr. Bad
should try to identify Mr. Target's assigned phone number. It might appear in a
local Bar Association directory. If not, there are other ways to skin this cat.
These range from a bit of "social engineering" of the receptionist, to
dialing another member of the firm at random and acting as if the caller is a good friend
of Mr. Target. who was somehow connected to the wrong number. If the first call
of that kind does not surface Mr. Target's assigned phone number, the second or
third one will. If that doesn't work there are many other places that
Mr. Target
has used his assigned office phone because he wants to keep his home phone number private.
In the final analysis, Mr. Bad does not have to worry or expend much
effort on this phase, because failure to get this number will not hold up the operation.
This is merely a potentially useful intermediate step in identifying
Mr.
Target's "station number". He needs the "station number" so that
he can, using the computerized switch, take control of Mr. Target's phone.
He can always find that station number once he busts into the computerized switch... and
that is his next move. |
|
|
|
|
We have mentioned the fact
that these computerized switches need maintenance. But, we have not mentioned that in most
cases, laziness and greed on the part of those who provide the the maintenance service
lays the entire system open to hostile penetration and control! |
|
|
|
|
Mr. Target might
look at that charge and conclude that it had no basis in fact. After all the computerized
phone switch is located in the telephone equipment room, a locked room deep inside his
office complex. The office itself was equipped with the latest and best in security and
alarm devices and his trusted and very protective Office Manager had the only keys
to the telephone equipment room. Such a conclusion by Mr. Target would be a
grievous error! |
|
|
|
|
Mr. Bad is not
concerned about all of Mr. Target's physical security devices and protective
employees. Unlike Mr. Target, Mr. Bad knows that the company that
provides maintenance to the switch has connected a modem to the switch so that they can
phone in maintenance instructions to the switch from any place that has a telephone. The
modem we are describing is not unlike the one that you used to call up this web site and
turn to this page. |
|
|
And now,
Mr. Bad
is in the home stretch. He has only to dial up the modem and take control of the
computerized switch! Once in control of the switch, he can tell it to perform many tasks.
He may decide to avail himself of one of the system's amenities. For example, he may issue
instructions to the switch to use the built in "Three Way Calling" feature. In
that manner, each time Mr. Target picked up his phone, Mr. Bad would be
a third party, silently listening and recording the conversation! We have
intentionally omitted three intermediate tasks that Mr. Bad must perform. Before
he can take control of the switch he must get the phone number of the modem, and if it is
password protected, the password. In addition, he can expect the switch itself to be
password protected, so he will need that password as well. Because this is intended as an
expose and not a blueprint for wiretapping, we are not going to to lay out how those tasks
can be accomplished -- suffice to say, that part takes knowledge and skill, but is
not a major undertaking. |
|
|
|
|
|
How can one defend against
this penetration scenario? |
|
|
|
|
One cost-free and
effective solution would be to remove the maintenance modem from the system. It is there
only as a convenience to the people who maintain the system. Obviously, they will not be
happy with such a suggestion because it would mean that someone would have to respond to
the facility, in person, to perform the required maintenance. That costs money. If money
is the only issue, paying a little extra for in person maintenance, sounds like a pretty
worthwhile expenditure. |
|
|
If I were to get rid of
the modem, would that protect me from eavesdropping? |
|
|
|
|
There is no "magic
bullet" that will protect you from all eavesdrops. You can only make yourself
a more difficult target. This is a common sense step in that direction. |
|
|
|
|
|
We started this section
with the caption "A Dirty Little Secret" and we did indeed reveal a seldom
acknowledged fact -- large computerized switches in offices were vulnerable to hostile
control! Now, for the rest of the story!! |
|
|
|
|
Large computerized
switches at telephone companies employ the same general type of technology and are
vulnerable to the same type of attack! Obviously, this is the last thing that the
telephone companies want to admit. The liability is devastating. So, if you made inquiry
of the phone companies they would deny that it is possible. It would be nice if we could
believe them, I can't. |
|
|
|
|
In Las Vegas there are a
number of legal businesses called "Out-Call Services". They send "Dancing
Girls" (or Boys) to the hotel rooms of guests willing to pay the $125-$250 per hour
for a nude dancer. There can be little question that these services are merely fronts for
prostitution, which is illegal in Las Vegas. Nevertheless, the owners of these services
stay clear of the law by delivering only dancing and not prostitution. The owner of the
Out-Call Service gets the lions share of the $125-$250 dancing fee. If there is to be any
prostitution, it comes about after direct negotiation between the hotel guest and
the dancer. I am given to understand that if she does engage in prostitution, she
keeps all of that money. |
|
|
|
|
What has all this got to
do with the vulnerability of telephone company switches to outside control? Just this -
the Out-Call Services have been victims -- and we believe perpetrators, of illegal
penetrations and control of telephone company central office switches! |
|
|
|
|
The Out-Call Services are
very profitable and very competitive. We have received numerous complaints from various
Out-Call Service operators stating that calls from hotel guests are being diverted to a
competitor who has been able to hack into a telephone company central office switch. Do we
believe these stories? You bet!! |
|
|
|
|
One Out-Call services
operator admitted to us that he had hired a hacker, who after penetrating the
telephone company central office computer, shut down a competitor on a four day holiday
weekend. During that four day period, when a customer called the competing business, he
either got a busy signal or had his call diverted to the phone of the Out-Call Service
operator who had hired the hacker. |
|
|
|
|
One telephone company security official
bragged that not only did he know that telephone company central office switches had been
hacked into, he had been instrumental in the arrest and conviction of the perpetrator of
such a scam. |
|
|
|
|
A federal law enforcement official told
us that there was no doubt in his mind that such penetrations had taken place. |
|
|
|
|
A countermeasures expert in the UK told
us that he had been approached by the government of another NATO country interested in
acquiring the technology and techniques used to facilitate such attacks. |
|
|
|
|
I was tempted to publish
the URL of a web site, that, as of this writing, contains a "How To..." article
about hacking into a computerized telephone switch and controlling it. Since our purpose
is not to aid those who would break the law, I decided against it. |
|
|
|
|
So there you have the rest
of the story... the second half of the Dirty Little Secret... Some say that
Telephone company central office switches have been hacked into and controlled by
unauthorized persons!! On the other side we have the telephone companies saying that
their security measures are so effective that such a penetration is not possible. Who do
you believe? |
|
|
|
Today is July 2, 1999. It
has been about 2 months since the "Dirty Little Secret" first appeared on
our web site. This morning's Las Vegas Review Journal, page 1B, contains additional
evidence in support of our contention that phone systems are being hacked into. The
following are pertinent excerpts from that Review Journal article. It makes me wonder how
long the phone companies will be able to live in denial. |
|
|
Out-Call
case nets guilty plea |
A
reputed torture expert admits a role in a mob-backed conspiracy to seize command of a
valley industry. |
|
A reputed torture expert from
Florida entered a guilty plea Thursday and became the first of six defendants to admit
playing a role... Vincent Congiusti, 49... pleaded guilty to a
single charge... Congiusti...told the judge he came to Las Vegas from Tampa Florida at the
request of Mario Stephano, whom authorities have described as an associate of the Gambino
crime family. The defendant said that Stephano told him he knew someone in the
outcall service industry who was having a problem with some of his competitors.
The competitors were using a computer expert to divert telephone calls
from that person's business to their own.
(emphasis
added)
|
Free Consultation Phone
702-453-4500 E-Mail - Investigations@LasVegasPI.com |
