February 4, 2010 by admin Filed under Business Sector, Hack
This article was very intriguing since there were two hackers, one with the knowledge in VoIP PBX systems and dialing-plans, and the other with the knowledge of hacking into unprotected data networks. They were able to go undetected for such a long time. With the correct Incident Response Tool Kit and the right monitoring tools, the companies hacked could have stopped this early and could have avoided the $1.4 million loss.
According to authorities, Edwin Andrew Pena, a Venezuelan native living in Miami, and 23 yr old hacker Robert Moore from Spokane, Washington, engaged on VoIP fraud activities, beginning in 2004 until 2006, that brought Pena a profit of $1 million and Moore only $20K. Pena, who created the master plan, hired Moore to do most of the hacking. They were both arrested in 2006 but Pena made a $100,000 bail and then promptly disappeared. Moore was given a two year prison term and fined $150K. In February of 2009, an authority located and arrested Pena in Mexico, and was extradited to the U.S in October. He pleaded guilty to one count of wire fraud and one conspiracy to commit fraud. At this time he is facing a maximum sentence of 25 years in a federal prison and a fine of $500k. On February 10th of 2010, Judge Wigenton continued Pena’s detention without bond pending his sentencing, which is scheduled for May 14, 2010.
The attacks were made against VoIP gateways using the H.323 signaling protocol, but not those using SIP, he says. The pair also scanned known corporate IP addresses for machines that might be vulnerable to their attacks, Moore says. Pena purchased a 2GB database of corporate IP addresses and their subnet ranges for $800, he says.
“The way we got into them is that most of the telecom administrators were using the most basic password - Cisco, Cisco or admin, admin. They weren’t hardening their boxes at all,” Moore says.
Pena and Moore found many devices on the Internet with exposed SNMP ports that allowed probing for private information. “There were various object identifiers in the management database that would allow you to see critical information on a Cisco [router], like maybe [the] gateway where it’s routing to so we would know where to choose our target,” he says.
The object identifiers also helped them identify exactly what make and model machine they had found, and they used that information to research vulnerabilities those machines are known to have so they could exploit them, he says.
He also wrote search strings that he fed into Google seeking exposed Web interfaces on devices, and that proved fruitful as well. “It was really easy actually to launch these things from Google to find these peoples’ switches,” Moore says.
Even though they took advantage of the VoIP system, they accessed it through the Network systems that were not secure. With the correct Incident Response Toolkit,the response team would have been able to find how an intruder compromised the system, what the intruder did after gaining unauthorized access, when he begin the intrusion, whether the intruder still had access and to what degree of the intrusion. They could have detected users logging in at unusual hours, failed logins, users logging in from unfamiliar sites, and unusual errors. Utilizing Live CDs like Back Track, Ubuntu with Snort and other similar tools would have been very valuable at the time.