Remember the Pena/Moore VoIP fraud case back in June 2006? Would you like to know how the attacks were done? And how you can protect your network?
First, for those who don't recall, this was a case where Edwin Pena was alleged to have set himself up as a voice service provider and then, with the assistance of a developer named Robert Moore, routed his customers' calls across the networks of other VoIP service providers. Pena is alleged to have stolen at least 10 million minutes from other voice service providers and made in excess of $1 million. Pena subsequently fled the country (and remains even today a fugitive). We wrote about it here and also covered it in Blue Box podcasts #31 and #33, and I was a guest on a Telecom Junkies podcast back in July 2006 discussing the case.
In any event, one year later Robert Moore has been convicted for his part in the scheme and on July 24th was sentenced to a two-year term in prison, 3 years' probation and a $150+K fine.
Before he reports to prison in about 6 weeks, though, Moore got in contact with Jason Huffman from The Voice Report to ask if Jason was interested in an interview. Given my prior involvement with the Telecom Junkies podcast, Jason contacted me to see if I would also be interested in coming onto the show. Both he and I were concerned about interviewing someone recently convicted (i.e. not wanting to glorify the crime or criminal), but I shared Jason's view that if we could obtain information about how the attacks were done we could potentially help people protect their systems against these types of attacks. (Jonathan was also invited and provided great feedback but was unable to attend due to scheduling issues.)
The result is a new Telecom Junkies podcast: "Interview with a VoIP Hacker" which is available for download.
As we'd discussed in our previous coverage of the case, there were really two different types of systems that were attacked:
1. Voice gateways of VoIP service providers
2. Servers/routers of other businesses that were compromised to hide the source of traffic going to the voice gateways
In the interview, Robert Moore confirms that all the voice gateway attacks were H.323 (no SIP was involved) and they weren't terribly sophisticated because the VoIP service providers didn't have all that much security in place.
Moore also indicates that all the other boxes (#2) were compromised primarily by easy means such as weak and easily guessable passwords - or even worse, unchanged default passwords. In some cases, there were boxes on the Internet with exposed SNMP ports that let the attackers learn all about the box so that they could then research potential vulnerabilities. This part really had nothing whatsoever to do with VoIP but instead with basic IT security practices, which were (and undoubtedly still are) very obviously not being followed by many folks out there.
In any event, the interview is now available for listening. Meanwhile, Moore is soon heading off to prison and Pena is still somewhere out there...
P.S. If anyone listening can identify the name of the second switch vendor that Moore indicates he went after, neither Jason nor I could identify it despite my request for the name to be repeated.
UPDATE: Thank you to all who responded (including Robert's sister here in the comments). The other switch was a Quintum Tenor - http://www.quintum.com/