Thursday, March 17, 2011

CALL FORGING

Caller ID forging is the practice of causing the telephone network to display a number on the recipient's caller ID display which is not that of the actual originating station; the term is commonly used to describe situations in which the motivation is considered nefarious by the speaker. Just as e-mail spoofing can make it appear that a message came from any e-mail address the sender chooses, caller ID forging can make a call appear to have come from any phone number the caller wishes. Because people are prone to assume a call is coming from the number displayed (and hence from the associated person or persons), this can call the service's value into question.

To use a typical service, a customer pays in advance for a PIN allowing them to make a call for a certain amount of minutes. To begin, the customer dials from any phone the toll free number given to them by the company and enters their PIN. They are then asked to enter the number they wish to call and the number they wish to appear on the caller ID. Once the "customer" selects the options, the call is then bridged and the person on the other end assumes someone else is calling them.

Many Caller ID forging service providers also allow customers to initiate spoofed calls from a web-based interface, in addition to calling a toll free number and entering the ten digit number you want to display followed by the ten digit number you want to call. Some providers allow you to enter the name you would like to display along with the spoofed Caller ID number, but in most parts of the United States, for example, whatever name the local phone company has associated with the spoofed Caller ID number is the name that shows up on the Caller ID display.

Using a web-based spoofing form involves creating an account with a provider, logging in to their website and completing a form. Most companies require the following basic fields:

1. Source number
2. Destination number
3. Caller ID number

Once the user completes this form and clicks a button to initiate the call, the source number is called first. Once the source number line is picked up, the destination is called and the two calls are bridged together.

Some providers also offer the ability to record calls, change your voice and send SMS text messages.

Methods:

Caller ID is forged through a variety of methods and different technology. The most popular ways of spoofing Caller ID are through the use of Voice over IP or PRI lines.

Another method of spoofing is that of emulating the Bell 202 FSK signal. This method, informally called orange boxing, uses software that generates the audio signal which is then coupled to the telephone line during the call. The object is to deceive the called party into thinking that there is an incoming call waiting call from the spoofed number, when in fact there is no new incoming call. This technique often also involves an accomplice who may provide a secondary voice to complete the illusion of a call waiting call. Because the orange box cannot truly spoof incoming caller ID prior to answer, and relies to a certain extent on the guile of the caller, it is considered as much a social engineering technique as a technical hack.

Other methods include switch access to the SS7 network, and social engineering telephone company operators into placing calls for you from the desired phone number. Another method that is not used as often is VXML which was gaining popularity before VoIP took over.

History:

Many people do not realize that Caller ID forging has been around since Caller ID was created. For over a decade Caller ID forging was used mainly by businesses with access to expensive PRI (Primary Rate Interface) telephone lines provided by local telephone carriers. A single PRI line can provide businesses with up to 23 telephone lines, and all of these lines are capable of having unique telephone numbers. Caller ID forging, in its most basic form, was typically used by businesses to display one main telephone number on all outgoing calls, even though those calls were not really originating from those numbers.

In the early 2000s phone hackers, also known as “phone phreaks” or “phreaks”, began using orange boxing to attempt to spoof Caller ID. Orange boxing is done by using a device, usually special computer software, to send a series of tones down the line during the first few seconds of a phone call, attempting to emulate the Caller ID signal sent from the telephone office. Orange boxing is very crude and unreliable, as it has to be done within a short timeframe at the beginning of a call. Phone phreaks, without access to PRI lines or blind line services at the time, thought the technique was clever.

In late 2003 and early 2004 the same phone phreaks began to explore a relatively new platform for developing voice applications, known as VoiceXML or VXML, which was offered by companies such as Voxeo.

In 2005 a handful of new sites allowing you to spoof your Caller ID were quietly launched. Some of the sites were PiPhone.com, CallNotes.net, SecretCalls.net, StayUnknown.com, SpoofTech.com, SpoofTel.com, and SpoofCard.com.

Towards the end of May, another site, TheZeroGroup.com, launched offering Caller ID spoofing, amongst its other phone related services. TheZeroGroup's site claims they are hosted off-shore to avoid any legal issues that may arise.

On June 13th the U.S. House of Representatives passed the "Truth in Caller ID Act of 2007" which would make it "unlawful for any person within the United States, in connection with any telecommunications service or VOIP service, to cause any caller identification service to transmit misleading or inaccurate caller identification information with the intent to defraud or cause harm." A similar bill was passed on to the Senate in April, but the Senate hasn't acted on either of the bills yet.

In India, we do not have any law which is related to the crime committed by hoaxers by spoofing caller ID.







Orkut Server Side Session Handling Problems:

Overview:

1. Orkut fails to expire the orkut_state session cookie from the server side even when the
user logs off from Orkut upon clicking "Sign-Out" from the application. The cookie is
cleared from the client side (browser), but is not cleared from the server side. If reused,
it provides access to the user's Orkut account.

2. Upon logging in again, a new orkut_state session cookie is created, but the old session
cookies still stay active on the server side. Therefore, any session cookie can be reused
to gain access to the user's Orkut account.

Details:

When any user logs into “orkut.com”, cookie data is generated on the server and sent back to the user after a successful authentication process on the server. If I come to know the cookie data of any victim remotely, then I can access the victim’s account without the password (and even the user ID).

After gaining access to the victim's account, I can edit his/her social, personal, professional and contact profiles; I can also access his/her albums, videos and testimonials. I can even stop the victim from accessing his/her account by editing the contact email.

My aim is not to hack the Orkut account and damage any victim's data, but to create awareness among people about the security risks of social networking websites.

Recently I was interviewed by HEADLINES TODAY and I have proved live that any Orkut account can be hacked. I am also going to do a half-hour live show on AAJTAK.

More details will be covered in the live demonstration.

Gmail Server Side Session Handling Problems:

Overview:

1. Gmail fails to expire the GX session cookie from the server side even when the user
logs off from Gmail upon clicking "Sign-Out" from the application. The cookie is
cleared from the client side (browser), but is not cleared from the server side. If reused,
it provides access to the user's Gmail account.

2. Upon logging in again, a new GX session cookie is created, but the old session cookies
still stay active on the server side. Therefore, any session cookie can be re-used to
gain access to the user's Gmail account.
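
The server-side behaviour described in both overviews above (Orkut and Gmail), modelled as an added example that is not part of the original post and is not either service's code. The `SessionStore` class, its two flags and `replay_after_logout` are hypothetical names; revoking older tokens on a new login is one possible policy, assumed here for illustration.

```python
import secrets


class SessionStore:
    """Hypothetical server-side session table; the cookie carries only an opaque token."""

    def __init__(self, invalidate_on_logout, revoke_old_on_login):
        self.invalidate_on_logout = invalidate_on_logout
        self.revoke_old_on_login = revoke_old_on_login
        self.sessions = {}  # token -> user name

    def login(self, user):
        if self.revoke_old_on_login:
            # Item 2 of the overview: drop tokens issued to this user earlier.
            self.sessions = {t: u for t, u in self.sessions.items() if u != user}
        token = secrets.token_urlsafe(32)
        self.sessions[token] = user
        return token

    def logout(self, token):
        # The browser deletes its copy of the cookie either way.
        # Item 1 of the overview: the server must forget the token as well.
        if self.invalidate_on_logout:
            self.sessions.pop(token, None)

    def authenticate(self, token):
        """Return the user the token maps to, or None if the server rejects it."""
        return self.sessions.get(token)


def replay_after_logout(store, user="alice"):
    """Regression check: present old tokens again after sign-out and re-login."""
    signed_out = store.login(user)
    store.logout(signed_out)          # user clicks "Sign-Out"
    superseded = store.login(user)    # logs in again
    current = store.login(user)       # and once more, e.g. from another browser
    return {
        "signed_out": store.authenticate(signed_out),
        "superseded": store.authenticate(superseded),
        "current": store.authenticate(current),
    }


# Behaviour the post describes: every token ever issued keeps working.
weak = replay_after_logout(SessionStore(False, False))
# Corrected behaviour: only the most recent token is accepted.
hardened = replay_after_logout(SessionStore(True, True))
```

The same replay check can be pointed at a real application's test environment by replacing the store with HTTP requests that present the saved cookie after sign-out and expecting a redirect to the login page.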

The above article was provided by http://gprsinformation.blogspot.com/2010/08/call-forging-caller-id-forging-practice.html
