Jump to content


Photo
- - - - -

Should spoofing services be regulated?


  • Please log in to reply
18 replies to this topic

#1 Infinite51

Infinite51

    SUP3R 31337

  • Members
  • 155 posts
  • Location:Chicago, IL

Posted 01 April 2009 - 04:34 PM

I am in the process of writing a report on spoofing services and am gathering information both from 911 call center (PSAP), in addition to other people that may be affected by these services. I wanted to hear from the Network Security community on this?

In any regards I think the facts of spoofing services fairly exhausted and everyone on this board understands that using spoofing services for nefarious purposes can land you in jail. However, I thought I would address HR. 251 bill, which if brought up in senate would have undeniably been passed. The bill would have made it difficult for the general public or any individuals to use these services with the intent commit identity theft, make harassing calls or defraud any person.

If you will recall when one of these service providers first introduced call spoofing in early 2004; only licensed private investigators, lawyers, domestic abuse shelters were permitted to utilize these service.

I would be interested in hearing the communities perspective on this bill, and since the two year time period has elapsed whether a similar bill should be re-introduced?


The original bill introduced by Eliot Engel (D) U.S. Representative of New York’s 17th District. Along with original testimony before the

http://energycommerc...n_caller_id.wax :

http://www.govtrack....d?bill=h110-251

"6/12/2007--Passed House amended.
Truth in Caller ID Act of 2007 - Amends the Communications Act of 1934 to make it unlawful for any person in the United States, in connection with any telecommunication service or VOIP (voice over Internet protocol) service, to cause any caller identification service to transmit misleading or inaccurate caller identification information ("spoofing") with the intent to defraud or cause harm. Prohibits construing these provisions to prevent blocking caller identification or to authorize or prohibit law enforcement or U.S. intelligence agency activities."

#2 decoder

decoder

    Very Friendly

  • Agents of the Revolution
  • 1,609 posts
  • Country:
  • Gender:Male
  • Location:New York

Posted 01 April 2009 - 05:01 PM

I am in the process of writing a report on spoofing services and am gathering information both from 911 call center (PSAP), in addition to other people that may be affected by these services. I wanted to hear from the Network Security community on this?


PSAP's should be able to see whether they are dealing with a cell phone / landline, etc. and whether the BTN matches the Caller ID. If it shows to be a landline number, with non-matching numbers, they would know there is something wrong.

Not that it makes any difference because, as far as I know, none of the "swatters" called 911 centers. I'm pretty sure that was just an invented "fact."

In any regards I think the facts of spoofing services fairly exhausted and everyone on this board understands that using spoofing services for nefarious purposes can land you in jail. However, I thought I would address HR. 251 bill, which if brought up in senate would have undeniably been passed. The bill would have made it difficult for the general public or any individuals to use these services with the intent commit identity theft, make harassing calls or defraud any person.


Um, by making it difficult for anyone to spoof for any purpose? it's already illegal to "commit identity theft, make harassing calls." But "defraud any person" means anything under the sun. That's beyond absurd. Why would you need such a law? You don't.

If you will recall when one of these service providers first introduced call spoofing in early 2004; only licensed private investigators, lawyers, domestic abuse shelters were permitted to utilize these service.


Yes, for absolutely no other reason than a desire to specialize in providing those entities a service and not have to deal with general public noob customers.

This law would be monumentally useless and would only ever pass based on the ignorance of the lawmakers. The things mentioned are already illegal. but that's not enough for crooked law enforcement types. They want nothing more but to waste time, money and effort.

#3 Infinite51

Infinite51

    SUP3R 31337

  • Members
  • 155 posts
  • Location:Chicago, IL

Posted 01 April 2009 - 05:54 PM

PSAP's should be able to see whether they are dealing with a cell phone / landline, etc. and whether the BTN matches the Caller ID. If it shows to be a landline number, with non-matching numbers, they would know there is something wrong.

Not that it makes any difference because, as far as I know, none of the "swatters" called 911 centers. I'm pretty sure that was just an invented "fact."




Depending on the PSAP they may or may not have the technology to identify the calling party. For example in large metropolitan areas such as Chicago's PSAP, they have upgraded to enhance 911 services. Which can provide whether the calling party, is calling from a cell phone/ landline based on BTN. However in rural areas, the local sheriff’s dispatch takes the call or rural PSAP operator who does not have the same technology. Or simply put the department does not have the funds to upgrade their facilities.

Edited by Infinite51, 01 April 2009 - 05:58 PM.


#4 ThoughtPhreaker

ThoughtPhreaker

    BinRev veteran

  • Members
  • 1,201 posts
  • Gender:Male

Posted 02 April 2009 - 08:36 PM

However in rural areas, the local sheriff’s dispatch takes the call or rural PSAP operator who does not have the same technology. Or simply put the department does not have the funds to upgrade their facilities.



Actually, even if the dispatch center doesn't have e911 capabilities, or even SS7 of any sort, there's really no excuse not to be sending class of service digits. Digits preceeding the caller's number to identify their class of service have been used well before there were even any commercial digital switches in the public switched telephone network. If the switches that home on the 911 tandem aren't provisioned to do that already, it'd be extremely simple to reconfigure them to do just that (come on, this is a feature that's been around for a good thirty years now, any digital switch is going to have it), or have the manufacturer release a patch to allow them to. Not to mention the BTN field is irrelevant, since a lot of the spoofing services pass the CPN as the exact same thing anyway.

Yeah, the people running the show with the 911 network shouldn't just sit there with their thumbs up their asses, but is this really such a hard problem to fix without regulation? As I've mentioned before, one of the more popular spoofing services is already doing their part to notify people when a call is spoofed to one of the many PSAPs given out on google for people to abuse. Hell, I even did my part to stop tards from calling suicide hotlines on my toll-free diverter. Instructing 911 operators to call the person back isn't exactly a hard thing to do either for that matter. If everyone's willing to work together, there's a lot of easy solutions to this problem.

If you will recall when one of these service providers first introduced call spoofing in early 2004; only licensed private investigators, lawyers, domestic abuse shelters were permitted to utilize these service.


...and if you'll recall one of the swatting cases, one of them had access to private investigator resources.

#5 Infinite51

Infinite51

    SUP3R 31337

  • Members
  • 155 posts
  • Location:Chicago, IL

Posted 03 April 2009 - 01:11 AM

Actually, even if the dispatch center doesn't have e911 capabilities, or even SS7 of any sort, there's really no excuse not to be sending class of service digits. Digits preceeding the caller's number to identify their class of service have been used well before there were even any commercial digital switches in the public switched telephone network. If the switches that home on the 911 tandem aren't provisioned to do that already, it'd be extremely simple to reconfigure them to do just that (come on, this is a feature that's been around for a good thirty years now, any digital switch is going to have it), or have the manufacturer release a patch to allow them to. Not to mention the BTN field is irrelevant, since a lot of the spoofing services pass the CPN as the exact same thing anyway.

Yeah, the people running the show with the 911 network shouldn't just sit there with their thumbs up their asses, but is this really such a hard problem to fix without regulation? As I've mentioned before, one of the more popular spoofing services is already doing their part to notify people when a call is spoofed to one of the many PSAPs given out on google for people to abuse. Hell, I even did my part to stop tards from calling suicide hotlines on my toll-free diverter. Instructing 911 operators to call the person back isn't exactly a hard thing to do either for that matter. If everyone's willing to work together, there's a lot of easy solutions to this problem.


The dispatch center or Police department does not have a choice to dispatch a SWAT team or Police cruiser. If there was an actual emergency and the PD/sheriff refused to respond they would be responsible. In the Chad Ward case, police responded SEVERAL times to the same residence of course by the fifth or sixth time they only sent one Police officer, but they were still required. I also recall a minor in Florida who these conspirators did not particularly like on the conference/party lines and they targeted him, threatening the young kid several times as well. In that particular case, some of the conspirators got upset at me, because I felt that the minor should be able to participate in the conference call as long as he was doing nothing illegal. And up until that point, the only thing I personally heard that was somewhat questionable was that this minor may have tapped into his neighbors phone service using a makeshift Harris butt set in order to steal phone service.

...and if you'll recall one of the swatting cases, one of them had access to private investigator resources.


Yes, I am quite aware of the swatting cases. As my insurance company & lawyers are requesting documentation and police reports of some of these individuals. However,
that was not the intention of having reform to address these problems. The one individual Jason Throwbridge who is serving out his sentence for illegally using these services,
was to paraphrase the Judge 'was one of the more intelligent individuals.' That is not the crux of my argument as he was using his investigator/ dept collections resources illegally. Call it what you may, however these conspirators in my professional opinion were committing domestic terrorism, by unlawfully deploying emergency personal when a threat did not exist.

The way I had interpreted the past proceedings before Congress- having spoofing/Voip carriers, have similar regulatory requirements that (CLEC or RBOCS) have is not a bad thing. If the service was opened to all licensed and credentialed individuals, it would cut down on the minors and other individuals who are using these services to commit criminal or illegal acts. Furthermore, by having the means to track these individuals and monitor their use, it would free up local/state/federal law enforcement resources. The issue as I see it today is that the service’s are too cheap, by design do not have the ability to monitor live calls to see if certain phrases are used, and can be used to cause a lot of damage very easily.

Edited by Infinite51, 19 October 2009 - 10:59 AM.


#6 shizzle

shizzle

    elite

  • Members
  • 113 posts
  • Location:USA

Posted 05 April 2009 - 06:35 AM

First, we spoofed a IP address.
Then we spoofed a CID.

One day we shall spoof a transmission from some distant, remote space station to not pay the $29.99 per minute to 'phone home'.

Give my love to the 'law makers' :-P

#7 decoder

decoder

    Very Friendly

  • Agents of the Revolution
  • 1,609 posts
  • Country:
  • Gender:Male
  • Location:New York

Posted 05 April 2009 - 12:38 PM

The way I had interpreted the past proceedings before Congress- having spoofing/Voip carriers, have similar regulatory requirements that (CLEC or RBOCS) have is not a bad thing. If the service was opened to all licensed and credentialed individuals, it would cut down on the minors and other individuals who are using these services to commit criminal or illegal acts. Furthermore, by having the means to track these individuals and monitor their use, it would free up local/state/federal law enforcement resources. The issue as I see it today is that the service’s are too cheap, by design do not have the ability to monitor live calls to see if certain phrases are used, and can be used to cause a lot of damage very easily.


There is no such thing as a "spoofing carrier." It's just VoIP, period. The past proceedings before Congress were either huge misconceptions by the FCC, or deliberate lies in order to make spoofing illegal. I'm siding with deliberate lies.

Everything you said about having the ability to monitor live calls for keyphrases, etc. has absolutely nothing to do with caller id spoofing.

#8 Infinite51

Infinite51

    SUP3R 31337

  • Members
  • 155 posts
  • Location:Chicago, IL

Posted 05 April 2009 - 08:47 PM

Let me clear up some facts. VoIP (Voice over IP) providers are not regulated by the FCC nor do they have to go through the regulatory processes a CLEC or RBOC would have to go through. From working for both CLEC's and RBOC's I can tell you first hand, that generally those providers do NOT allow at least their VOIP customers to send out any Calling Party Number, as they can receive large fines if false 911 calls are made across their networks or if the police are dispatched to the wrong address. You ask how large, in some cases the fines alone are in access of $100,000. Voice over Ip providers or spoofing services, however do not have the same restrictions or regulations and cannot be fined by the FCC. If you wanted to start DecoderCall tomorrow, you could form a business, purchase a soft switch, place it in a carrier hotel (sign an interexchange agreement with a sip provider) and you’re in business. You do not have to apply for licenses in each state like a CLEC would, you wouldn't have to provide months of book keeping records, executive resumes, and pay each state licensing fees.

#9 decoder

decoder

    Very Friendly

  • Agents of the Revolution
  • 1,609 posts
  • Country:
  • Gender:Male
  • Location:New York

Posted 05 April 2009 - 09:57 PM

Let me clear up some facts. VoIP (Voice over IP) providers are not regulated by the FCC nor do they have to go through the regulatory processes a CLEC or RBOC would have to go through. From working for both CLEC's and RBOC's I can tell you first hand, that generally those providers do NOT allow at least their VOIP customers to send out any Calling Party Number, as they can receive large fines if false 911 calls are made across their networks or if the police are dispatched to the wrong address. You ask how large, in some cases the fines alone are in access of $100,000. Voice over Ip providers or spoofing services, however do not have the same restrictions or regulations and cannot be fined by the FCC. If you wanted to start DecoderCall tomorrow, you could form a business, purchase a soft switch, place it in a carrier hotel (sign an interexchange agreement with a sip provider) and you’re in business. You do not have to apply for licenses in each state like a CLEC would, you wouldn't have to provide months of book keeping records, executive resumes, and pay each state licensing fees.


And you shouldn't have to. All of that shit is in place for CLECs because they are utilizing physical copper lines. VoIP isn't, that's why it's different.

And why should a spoofing service have the same restrictions as a telco when they aren't a service provider. This is what the FCC was too retarded to figure out at first, but they eventually did.

#10 ThoughtPhreaker

ThoughtPhreaker

    BinRev veteran

  • Members
  • 1,201 posts
  • Gender:Male

Posted 05 April 2009 - 10:36 PM

Actually, the FCC has started to become a bit more stringent with VoIP, they're starting to make providers pay universal service fees.

From working for both CLEC's and RBOC's I can tell you first hand, that generally those providers do NOT allow at least their VOIP customers to send out any Calling Party Number, as they can receive large fines if false 911 calls are made across their networks or if the police are dispatched to the wrong address.


Seriously? Clearly you haven't heard of GreatCalling. plz2 use the search feature. What about, say, any old business with a PRI? What is it technically that limits them from setting any old number? The school I go to, for example. has a DID block owned by an independent company, despite the fact their outbound calls go out on a PRI on a Verizon switch. Considering that the PRI is at the district office, and several different districts use it to call out, wouldn't the telco be complaining? Not to mention every calling card company and their dog passes ANI the same way it was received. Surely something like that would require the telco to be okay with the company sending out a different number every minute, if not in a shorter amount of time. What about these SIP providers we're talking about to begin with? Surely they need somewhere to originate the call from to pass it into the PSTN. Whatever company that has an interconnection agreement with them must be okay with that as well. Wouldn't it be much more economical to pass the penalty onto the customer should that ever happen?

To go back to the spoofcard case again, there were enough SWATs on there to send whoever was originating those calls onto the PSTN down into the ground if they were really fined that much. I see no reason why the carrier wouldn't have cut them off if it was so much of an issue that they stopped dispatching SWAT teams to hostage situations.

#11 Infinite51

Infinite51

    SUP3R 31337

  • Members
  • 155 posts
  • Location:Chicago, IL

Posted 05 April 2009 - 10:45 PM

I think the major issue is that business owners pay upwards of $500-600 for a PRI, and $5,000-10,000 for a PBX, and knowing that the calls made on those pbx’s can easily be traced back to them would not engage in criminal activity. For example at your school do you have direct access into the pbx system, i.e can you connect your asterisk box up to the T1/pri line?

Obviously, the same cannot be said of a minor or even adult who can for 15cents a minute "spoof" any number he wants and feel that the call is somewhat anonymous. I hear about cases of kids using spoofing services to commit criminal activities with spoofing services all of the time, and I would venture to guess maybe 10% of the perpetrators actually are charged. Because, either the Police aren't aware of what is going on or the victims refuse to press charges. I would be interested in hearing your opinion?

#12 decoder

decoder

    Very Friendly

  • Agents of the Revolution
  • 1,609 posts
  • Country:
  • Gender:Male
  • Location:New York

Posted 06 April 2009 - 12:16 AM

I think the major issue is that business owners pay upwards of $500-600 for a PRI, and $5,000-10,000 for a PBX, and knowing that the calls made on those pbx’s can easily be traced back to them would not engage in criminal activity. For example at your school do you have direct access into the pbx system, i.e can you connect your asterisk box up to the T1/pri line?

Obviously, the same cannot be said of a minor or even adult who can for 15cents a minute "spoof" any number he wants and feel that the call is somewhat anonymous. I hear about cases of kids using spoofing services to commit criminal activities with spoofing services all of the time, and I would venture to guess maybe 10% of the perpetrators actually are charged. Because, either the Police aren't aware of what is going on or the victims refuse to press charges. I would be interested in hearing your opinion?


If you are using spoofing for anonymity to hide illegal shit you're doing, you can also just buy a regular phone card for much cheaper rates and accomplish the same goal. Should that be illegal too?

#13 trey b.

trey b.

    Will I break 10 posts?

  • Members
  • 6 posts
  • Location:Terre Haute, Indiana

Posted 06 April 2009 - 03:58 PM

911 (last that I knew locally) uses ANI1.

That and I'm not sure why someone would want to call 911 spoof'd anyway.

"omgomgomg i has muh bike in muh ass."
-What about this jank ass number you're calling from?!
"uhhhhhhh."

Edited by trey b., 06 April 2009 - 03:59 PM.


#14 Sidepocket

Sidepocket

    mad 1337

  • Members
  • 124 posts
  • Location:USA, NJ

Posted 07 April 2009 - 01:06 AM

[2 cents]

I hate this thing because it's another excuse to limit a fairly obvious system flaw that has been going on for ages now while allowing the police and military to exploit that system flaw and not go to jail like the rest of us. AKA for freedom!

[/2 cents]

#15 Infinite51

Infinite51

    SUP3R 31337

  • Members
  • 155 posts
  • Location:Chicago, IL

Posted 07 April 2009 - 04:46 AM

After speaking with AT&T/Verizon/Sprint today...

Since, I am in the process of having them trace several harassing phone calls investigated. And from my own experience, acting on behalf of customers who had fraud issues, at several large telecommunications, providers on similar fraud issues. It isn't something that is going to change, and those customers who do get harassing calls from VOIP customers are going to have to be very patient and have significant legal representation. Or you had better hope they have suffered significant damage, or have Police/Telco fraud reports and even then it is a major pain.

With that said, some good professions to look into that will be instrumental in dealing with these and new technological problems would be Lawyers with IT experience (CISSP, CCNA's, ect), Lawyers that practice family law (since there seems to be significant people that like to allege adultery and abuse these spoofing services to do so), Forensic investigators, state/local/Federal law enforcement professionals with Unix/Linux or specialized skills, and last but not least Telco Fraud Investigators.

#16 ThoughtPhreaker

ThoughtPhreaker

    BinRev veteran

  • Members
  • 1,201 posts
  • Gender:Male

Posted 07 April 2009 - 10:52 PM

I think the major issue is that business owners pay upwards of $500-600 for a PRI, and $5,000-10,000 for a PBX, and knowing that the calls made on those pbx's can easily be traced back to them would not engage in criminal activity. For example at your school
do you have direct access into the pbx system, i.e can you connect your asterisk box up to the T1/pri line?


Actually, I've seen people advertising voice T1s for about half the price you speak of. I guess it depends on the source. Every so often you can even find an SL-1 going for about $800 on eBay, cabinet, line cards and all. Either way, I can think of a few spoofing companies that already have a number of data T1s. If it boiled down to bypassing harsh regulation, I'm sure it wouldn't take them very long to move at least a few over to voice, or at the very least start multiplexing voice and data over them.

I would be interested in hearing your opinion?

To me, it seems the average adult has no more right then the average minor for a service like this. There's no doubt that a service like this is bound to get abused from time to time, as SWATing has proved. That's why these companies need to be warned of this - I used to talk to someone who had a job at one of these companies quite a lot, and nobody there outside of the people handling the subpoenas were aware that their service was being used for SWAT calls, much less that calls could be spoofed to PSAPs. Either way, spoofing can be a completely legitimate activity, and a bit of creativity makes it a lot funner. For example, have you ever heard of backspoofing wars? Basically two/more people compete to try to find some of the funniest and most off the wall CNAM listings and send it to the other person. <br>Not to mention it's great for testing technical things as well. The diverter I have set up, for example, can be used to try things that would only otherwise be legitimately possible by flying out to Hawaii or wherever just to use the phone. Take the 800-223-1104 ANAC for example. If you don't enter a password, it'll time out to a recording telling you the number has been disconnected. What some people don't realize, though, is that the recording comes from the nearest 4ESS to you equipped for mass announcement functions. No matter what you set your ANI to, you'll always get the same recording from the same place. If you try placing a call from a calling card platform that originates calls from, say, New York, though, you'll always get a New Jersey 4E. That should tell you that there not only may be more than one, whatever is handling the calls can see some other SS7 header to determine where you're calling from.

If you are using spoofing for anonymity to hide illegal shit you're doing, you can also just buy a regular phone card
for much cheaper rates and accomplish the same goal. Should that be illegal too?


Don't forget prepaid cells ;)

#17 Infinite51

Infinite51

    SUP3R 31337

  • Members
  • 155 posts
  • Location:Chicago, IL

Posted 08 April 2009 - 10:01 AM

I have found one instance recently, in the state of Connecticut where a bill has been recently introduced to criminalize spoofing when used for illegal or nefarious purposes.

http://cga.ct.gov/as...;SUBMIT1=Normal


http://cga.ct.gov/20...3-R00ET-JFR.htm
John Emra, AT&T, "appeared in support of the intent of the legislation but recommends that the committee add language making clear that there would only be a violation of the law when there is intent to defraud or cause harm so as to not criminalize legitimate actions by people to protect their personal information."

#18 Andre van dem Helge

Andre van dem Helge

    mad 1337

  • Members
  • 135 posts

Posted 01 May 2009 - 03:03 PM

I am against any sort of regulation because it will hinder or place higher burdens on the legitimate use of technology and create merely a tiny annoyance for those that already use the technology in a malicious manner.

[quote name='Infinite51' post='334817' date='Apr 1 2009, 05:34 PM']I am in the process of writing a report on spoofing services and am gathering information both from 911 call center (PSAP), in addition to other people that may be affected by these services. I wanted to hear from the Network Security community on this?

In any regards I think the facts of spoofing services fairly exhausted and everyone on this board understands that using spoofing services for nefarious purposes can land you in jail. However, I thought I would address HR. 251 bill, which if brought up in senate would have undeniably been passed. The bill would have made it difficult for the general public or any individuals to use these services with the intent commit identity theft, make harassing calls or defraud any person.[/quote]

What is the point? In 911-bombing, identify theft, making harassing calls or defrauding persons not illegal?

[quote]
If you will recall when one of these service providers first introduced call spoofing in early 2004; only licensed private investigators, lawyers, domestic abuse shelters were permitted to utilize these service.[/bquote]

Because the company had some sort of standards and didn't want everyone to have access to this, no other reason than that. Maybe their investors forced them to go that route? But if if a strict caller ID law were created, best case the providers claim some sort of "wholesaler" exception, worst case you have to go offshore for services.

#19 PhreakerD7

PhreakerD7

    SUPR3M3 31337 Mack Daddy P1MP

  • Agents of the Revolution
  • 375 posts
  • Location:Using your phone line

Posted 01 May 2009 - 04:56 PM

I'm gonna take the other route on this one, actually. I can't see very much legitimate use for this service. I think spoofing services should be regulated. You should still be able to do it, and use paid services, etc. etc., but I think all authoritive and telco switches should be able to see that the call was spoofed. It shouldn't show anything more than that it was spoofed (not show the spoofed number and not the original number)

I think that makes more sense and cuts down on abuse issues. There are a couple good, legitimate uses, and those shouldn't be interefered with. But the fact of the matter is that this thing has a much higher potential for abuse than it does for the general good of the community. Just my 2 cents.




BinRev is hosted by the great people at Lunarpages!