Nosbig.net

Yesterday afternoon, my girlfriend discovered a particularly large volume of voicemails on her phone, after having cleaned out her mail box just 36 hours prior.  She listened to several blank voicemails, as well as one from someone who wanted us to return their call…

I began investigating by looking into the metadata for the voicemails which were left; all were from unusual phone numbers outside of our area code.  My next trip was to the CDR records and my provider’s call history.  These sources showed that over 1000 phone calls were attempted to be connected through our phone system to various communities around the country.  Two patterns emerged while looking at the details of the calls:

• The calls were being generated in a non-sequential pattern; clearly an unscrupulous telemarketer was war-dialing to South Carolina, Michigan, and Virginia.
• All of the outbound calls were originating with my girlfriend’s CallerID.

So, I knew what was going on, but I had yet to determine to how this incident occured.  Further digging revealed that the Linksys ATA being used internally was lagging significantly and intermittently.  It was a moment of epiphany; I understood where the problem was, and I could take action to address it.

Several years ago, I installed an Asterisk server to provide home phone service with a company that provided an IAX trunk.  At the time, all we were using softphones to make and receive calls.  Over time, I upgraded to a Cisco 7940 for myself and an analog cordless phone on a Linksys ATA for my girlfriend.  At the time I installed the ATA, I had not used a significant amount of security of the SIP peer registration, as the network was firewalled from the Internet.

Fast forward to 5 months ago…  I obtained a business phone service through a major provider using SIP.  Due to their configuration, I was required to open the SIP and RTP ports to the general Internet and forward them to my Asterisk server.

Now, we return to the present time.  Several days ago, this telemarketer scanned my router, found open SIP ports, and began to issue a brute-force attack against my Asterisk server.  The telemarketer scanned every possible 3 and 4 digit peer name, was able to find the Linksys ATA’s peer name, and was quickly able to brute-force the password.  With this information, the telemarketer was able to register as that peer and make calls outbound, according to the dialplan configured for my girlfriend.  My Cisco’s peer was not impersonated, but it would not be likely to be responsible for outbound calling due to the unique dialplan I am using.

With the understandng of what has happened, I could work to correct and block the means by which this telemarketer was using my phone system and service:

1. I unloaded chan_iax.so to remove the possibility of additional phone calls being made.
2. I then enabled a moderate amount of security, particularly a random password for each of my SIP devices.
3. Next, I modified my firewall configuration to drop all packets through my router which contained the IP address from which the attack came.
4. I then re-enabled the IAX phone service by reloading the chan_iax.so module.

After the initial security containment, I turned my focus to handling the inbound phone calls being returned based upon the messages left with the various victims around the country.  I recorded an announcement indicating what had happened and that the compromise was taken care of.  Finally, I crafted the dialplan to play this announcement to every caller not from a local phone number.

Overall, this breach was not as extensive as it could have been, but it does illustrate that security must be vigilantly monitored and maintained.  My complacency in the security of my network ultimately led to this incident.  Fortunately, it does not seem to have led to any major financial loss to any party, including myself.

Over the course of the last few months, I have come across a few projects that I have not taken the opportunity to work on, and I really should. The following projects are on my short list of things to do:

• Obtaining and reflashing a Linksys WRT54G router, either the GL or GS.
• Playing with and/or hacking a LaFonera wireless access point
• Building my power lockout device for my ham radio
• Building a PC for my car with wireless capability for a media center
• Building a decent amateur radio station, including packet station
• Building a podcast station
• Upgrade my radio license to General Class

At some point in the future, I want to do some kind of podcast. But before I would commit to that, I need to find a topic that I can regularly update and contribute. Part of the issue of the lack of updates is the company for which I work. MCPR has me doing some very interesting things, but they are marketable ideas that I have to keep quiet. The only project that I can talk about is our Asterisk dabblings. We are offering the ability to connect analog or IP phones to the system and connect to about any outbound media out there, including SIP trunks.

But much beyond that, I don’t have the ability to talk about the details of what I do at work with the world at large, between protecting our clients’ privacy and not wanting to give any competitors any ideas about our strategy.

Today, I am finishing up my Streaming Media Server. It will wirelessly share music streams and setting up in-house file sharing for my music.\n\nThe hardware included a Thinkpad 390E from IBM (333 MHz Pentium II, 192MB RAM, 6 GB hard drive) and a D-Link DWL-122 USB Wireless Wi-Fi Adapter. The software I am using is Debian 3.0 stable and the SlimDevices.com SlimServer software.
Continue Reading »

Of course, I had solved this problem once with Mandrake installed, but I was just lazy about getting the modem in this laptop working.

Fortunately for me, the internal Winmodem is a Lucent Technologies chipset that just happens to have a Linux driver, available at http://www.physcip.uni-stuttgart.de/heby/ltmodem/ The package was simple to install, and it works quite well, although I should try to figure out why the driver told me that it is a v.92 modem, or if this is normal with a controllerless modem.

In my last entry, I was complaining about how I wasn’t able to get my laptop to work either at home or at school.

My major problem was dealing with the issue of how to treat my wireless and wired ethernet cards (Wifi used at school and wired at home) differently for the purposes of Shorewall. It was not until reading more documentation on the Shorewall website was I able to figure out the hosts file and get my laptop to understand that the home zone was a subset of the net zone.

I decided to treat North Central as a hostile environment, though it would be less hostile than hanging this machine off a cable modem directly. Me, being the paranoid security nut that I am, chose the more secure environment. Nearly everything is closed off, particularly anything inbound not directly related to my browsing or other activities.

For home, I have opened up SSH and FTP (inbound and outbound), the two services I regularly use on my home network. If I need more, I can always add rules or take down the firewall temporarily. Of course, the same outbound connections are enabled so that I can connect to the internet using my desktop machine as a gateway.

Now that I have a better understanding of Shorewall and its internals, I have decided that it is very cool. It does a great job of blocking unusual traffic and common spoofed traffic while making it easy to configure what traffic should go through.

Over the last few days, I have been struggling with getting Shorewall to open up the holes I want in the firewall on my laptop so that I can browse the web, use AIM, and such. Defiant is behind a NAT’ed firewall at North Central, but I would prefer to not have to run without my own firewall.

TechTV just yesterday released the newest iteration of their chat, and it is quite a nice system. They decided to run Jabber on an in-house server. This is likely a wise decision due to their problem in the past with proprietary chat services.

The default and preferred method of connecting to their chat system is through their Java Jabber applet, but it is possible to connect to their server with a standard client. I will not reveal those details here, in case TechTV does not want those released, but it makes it nice to use TKabber under Linux, where Java support can get a little hairy if not set up properly.

Over the last few days, I have been having a problem with receiving my mail via fetchmail, but other methods were working fine. Since I was able to receive other sorts of internet data, web pages, IM, and the like.

Just a few minutes ago, I figured out the problem. All programs attempting to connect to the ‘lo’ interface (all my local servers) were unable to work because both my eth0 and lo interfaces were non-functional… Something knocked out my /etc/network/interfaces files, which is the Debian method for configuring all the network interfaces (except ppp). I recreated the file, and issued an ‘ifup eth0′ and ‘ifup lo’, and things seem to be working again.

Oh, I love the wireless internet stuff. I just bought a wireless card from Linksys last Thursday, and I got it set up in Linux and an using it right now to surf the 802.11b network at NC State.

Once I got the card added to /etc/pcmcia/config, it bound to the Orinoco driver, and I just pulled up an IP via DHCP. Really slick.

Sitting in the lobby, I an getting about 50KB/s, downloading OpenOffice 1.0.1. Figured it was about time to upgrade.

Next, I will have to update my main box to Debian 3.0 I feel confident enough now that I can get it installed without too much hassle.

I spent some time at Habitat today, working on the network, but was alone for the first time in a great while. The rest of the crew was out at the Richland County Fairgrounds setting up for the Home Show. Hopefully, there will be a decent amount of donations coming in. They have had an innovative idea of allowing people to sponsor a square foot of space in the home for $40.00. They will get a certificate and a small pin, in appreciation of their contributions.