
I'll start by saying that I approve of security testing networks and the telco industry could do with more of it. I agree that security can be lax sometimes.

Sure, Telco SS7 networks and the equipment within them are just like any other in that there can be bugs that cause it to go down.

However, there are much higher barriers for entry to get an SS7 network link (c.f. a connection to the internet) and you're not going to keep it for very long if all you're doing is sending out SS7 messages crashing HLRs left, right and center.

I'm assuming that the packet he's talking about is a fuzzing attack and only affects a particular vendor's HLR and may have even been fixed by now. So if everyone in the world used the same vendor, all used the same software version and you had unfettered access to all of them, then yes, you could crash all of the HLRs in the world.

And really?... "World's HLR". Well I'm glad someone is nice enough to host a HLR for the world. And apparently crashing the "World's HLR" will stop one country's communication. Oh noes! Which one is it?! I hope it's not mine! And I'd be interested to see how crashing a HLR stops my landline and my internet connection from functioning.


acdha 551 days ago | link

The question I had is whether the femtocell claim is true - those are much easier to get access to. I'd like to believe that they're correspondingly more locked down but there is rather a long track record of telcos botching basic security design.


noselasd 551 days ago | link

The presentation linked at the bottom, http://conference.hitb.org/hitbsecconf2012kul/materials/D1T1... contains hints of numerous holes they've found in various networks, to among other things get access to an SS7 network.


philpraxis 551 days ago | link

Re: barrier to entry

You're wrong: it's extremely (and increasingly) easy to hack an operator in, say, Africa or Asia and then use their SS7 interconnection to send traffic.

Of course, DoS is the thermonuclear option. Most of the attacks are much more silent. Btw, before we released our IDS there wasn't even any detection equipment available for operators.


philpraxis 551 days ago | link

See the comment on the article for the right quotes.

Of course, it's only one or more HLRs per network and per country. Now you're right about the HLR affecting only mobiles and not ADSL nor fixed lines.


It's not the end of the world though. You're browsing on your Android phone and suddenly it dials an unexpected number and you can see that it starts 900XXXXXXX or 976XXXXXXX. Most people are going to hang up pretty quickly. Sure, you might be out of pocket for up to $10 (I don't actually know how much mobile carriers charge for the connection charge), but it's not the same as losing all your data.

A more common attack vector to make money on compromised accounts would be setting up a call forward to an international number and then dialing the subscriber's phone number. Illegal low-cost calling cards often steal service by doing this. If there was a way to also retrieve the user's phone number, I can imagine a system where you dial the calling card company, input your code and the number you want to dial.... It tells you that it's trying to connect you and that it may take a couple of minutes... It snares the next person caught out on the website, sets their call forward to the number you want to dial, then dials that subscriber for you and connects. So then it's charging the wireless subscriber for your international call, and even if they then disable the call forward on their account, until you hang up, it's still charging them for the call forward.


When you say "Imagine if comments were displayed like this instead", you realise that you can simply modify the colour scheme of your editor to make it so, right?

And I still don't think that solves your "problem". Even if they appear in brighter colours, it's still very easy to phase them out so that you're just focused on the code. It's only when the comment colours begin to hurt your eyes that I find it distracting.


I was interested in how they were detecting monitors and whether they were just picking out any anomalous peers (say ones that don't accept connections). I was also wondering if the paper was going to be obviously flawed and funded by some copyright agency with the aim of articles such as the one we just read being created. I still wouldn't rule it out, but I feel that the methodology was sound.

To summarize for others, the indicators were:

1. The proportion of a subnet that has been seen in BitTorrent swarms. Monitoring agencies may use a large proportion of their subnet for monitoring.

2. The length of time a peer spends in a swarm. Monitors may spend more time in the swarm than regular file-sharers.

3. The number of different (IP, port, infohash) combinations per IP address. Monitoring agencies may operate many clients from a single IP address.

4. Whether a peer reported by a tracker accepts incoming connections. Monitors may block all incoming connection attempts. (((This was discarded as an unreliable indicator)))

5. The number of swarms in which IP addresses from a particular subnet appear. Monitoring agencies may monitor many torrents from their subnet.

6. The number of times the same (IP, port) pair is observed concurrently in different swarms.

... we found 1,139 IP addresses that were in the top first percentile for all four features (((1,2,3 and 5))) IP addresses assigned to a company named Checktor [3], which offers commercial BitTorrent monitoring services, and 16 addresses assigned to a medium-sized computer security consultancy company that does not publicly acknowledge monitoring BitTorrent. Another subnet, which we saw in over 500 swarms, belongs to a company that advertises itself as providing “intellectual property advice” ... We also found two subnets assigned to hosting companies ... We speculate that copyright enforcement companies are using these hosting companies as a front to disguise their identities. We also identified a number of IP addresses allocated to large ISPs, such as Vodafone, Etisalat and SingNet. ... This feature (((6))) found IP addresses assigned to Peer Media Technologies [16] (a well-known copyright enforcement agency) monitoring seven Harry Potter ebook and movie torrents, and the INRIA research institution [10], which had been overlooked by features 1–5 because so few torrents were being monitored, and because a very small proportion of INRIA’s subnet was being used for monitoring """

I didn't read too much further into their methodology for detecting "direct monitoring" other than to see a pretty graphic showing a peer lying about their download completion.


fludlight 589 days ago | link

Direct link to the paper: http://www.cs.bham.ac.uk/~tpc/Papers/P2PSecComm2012.pdf

You can find the lead researcher's other papers here: http://www.cs.bham.ac.uk/~tpc/home.html

