[asterisk-biz] ANI

Steve Totaro stotaro at totarotechnologies.com
Tue May 13 15:18:01 CDT 2008


On Tue, May 13, 2008 at 1:06 PM, Trixter aka Bret McDanel
<trixter at 0xdecafbad.com> wrote:
> On Tue, 2008-05-13 at 12:41 -0400, Steve Totaro wrote:
>  > Nitzan,
>  >
>  > Maybe you are unaware that all of this could be done with *absolutely*
>  > no way to trace it back to the "Culprit".
>  >
>  > If you cannot trace it back to the culprit AND more importantly, clear
>  > the INNOCENT, then more regulation is needed.
>  >
>
>  I agree to a point, I don't think more regulation is needed, I think a
>  fairer approach of not charging people out of suspicion but rather facts
>  would clear more innocent even if it lets some guilty get away.  The
>  feds have a 96% plea rate give or take.  This is because they threaten
>  people with really long sentences and offer pleas of minimal sentences,
>  many who have given up on fighting accept the plea out of desperation
>  and not because they believe they are guilty.  Of those that go to trial
>  75% lose in the federal system, often because of dirty tricks used and
>  a bunch of retired postal employees as jurors.  One of the first tactics
>  that the feds use is to dry up your income so you can't afford a real
>  lawyer and end up with a public defender.  Seizing funds (or at least
>  freezing them), ensuring you get fired, etc are all standard tactics.

Very true about their tactics...   It is what it is, for now.  Voting
and being vocal is the only way this will change; it certainly will not
happen overnight.

An ANI that was not spoofable would go a long way to creating
reasonable doubt if explained to a jury.

CDRs showing spoofed CID/ANI certainly would make a public defender
suggest opting for the plea even if not admissible in court.  If it
did go to trial and the CDRs with CID/ANI are deemed admissible, then
I am afraid someone may go to the Federal "Spa" for a bit (and if it
was under the "Patriot Act", they may be in the "Spa" for a very long
time.)

>
>  If there is regulation it needs to be that the government will play fair
>  in prosecution, if this happens you will see many more people walk when
>  the evidence just isn't there, rather than conviction because the
>  government says so.
>
>  Generally more regulation only leads to more "criminals" some of whom
>  are unintended consequences of a poorly written law.  It generally does
>  little to actually stop innocent convictions, or halt an undesirable
>  action.

Sad but true.

>
>
>  > This makes more sense:
>  > Open WiFi AP (or cracked WEP)  ---->  hacked Asterisk box (who sets the
>  > CID/ANI) ----> Telco  ------>  terminated to the PSTN
>  >
>
>  open/cracked wifi device using voip device -> itsp that takes paypal or
>  credit cards and does instant activation -> pstn
>
>  paypal and credit cards are stolen all the time, and are probably more
>  plentiful than vulnerable voip systems (asterisk or not) so the attack
>  vector is larger than in your example.

I was thinking along the lines of thousands of calls, so an Asterisk
box would be ideal.  It is not very hard to find Asterisk boxen wide
open with the prevalence of newbs with Trixbox or whatever.  Also
getting root via various exploits is pretty easy when there is no
active admin.

>
>
>
>  > Be sure to delete appropriate logs on the hacked Asterisk boxen and just
>  > to be safe, spoof your laptop's MAC address.  Perform your exploit
>  > somewhere inconspicuous and a good distance from "home, then clean your
>  > laptop by using DBAN http://dban.sourceforge.net/ which is DoD 5220.22-M
>  > compliant, before re-installing your OS"......
>
>  this step also could be removed, certainly the clean up, but if you can
>  really get in and out without anyone noticing, bounce around to
>  different locations, use proxies, etc tracing it back to the user of the
>  access point becomes difficult and unless you enter the US or UK where
>  they can search the contents of your laptop "because they feel like it"
>  wiping it isn't always required.

(Sorry, US Centric when in the US, no witnesses either)

>
>  fyi eteraser does DoD compliant wipes of free and slack space on windows
>  boxes, and if you use a wifi phone or ATA or something that way there
>  generally aren't logs to even require this step.  And many of the wifi
>  phones look like mobiles so it wouldn't look as odd, but you may not have
>  as much ability to set clid/ani to said itsp provider.

Again, still looking for large volume, an ATA or SIP phone is cracker jacks.

Here is one, install Asterisk on your laptop, open/cracked wifi/stolen
paypal or cc, launch, then follow the hard drive wipe instructions.

You could always use your butt set to get into a phone closet too
(might have a network jack or even be one and the same as the "data
center").

I work in the DC area and am almost always asked to sign in but they
never check ID.  I could put any name, and the butt set and outfit has
worked as credentials to almost every building with a couple of
exceptions.  They are generally the places that have you exit your
vehicle, open the trunk, run a mirror on wheels under the car, check
the interior and glove box.

You could certainly order some free Verizon business cards from
www.vistaprint.com.

OK, I am done writing.  Any more might get me or someone else in trouble.

>
>  --
>  Trixter http://www.0xdecafbad.com     Bret McDanel
>  Belfast +44 28 9099 6461        US +1 516 687 5200
>  http://www.trxtel.com the phone company that pays you!
>
>

Thanks,
Steve Totaro


