Tag Archive for FCC

Scary SS7 Flaw Strikes Banks

Scary SS7 Flaw Strikes BanksLost in last month’s hub-bub over WannaCry ransomware was the revelation that hackers had successfully exploited the SS7 “flaw” in January 2017. In May reports surfaced that hackers were able to remotely pilfer German bank accounts by taking advantage of vulnerabilities in Signaling System 7 (SS7). SS7 is a standard that defines how to public phone system talks to itself to complete a phone call.

Telephone system Signaling System 7 The high-tech heist was initially reported by the German newspaper Süddeutsche Zeitung (auf Deutsch). The attack was  a sophisticated operation that combined targeted phishing emails and SS7 exploits to bypass two-factor authentication (2FA) protection. This is the first publicly known exploit of SS7 to intercept two-factor authentication codes sent by a bank to confirm actions taken by online banking customers.

According to ars technica the attack began with traditional bank-fraud trojans. These trojans infect account holders’ computers and steal the passwords used to log in to bank accounts. From there, attackers could view account balances, but were prevented from making transfers without the one-time password the bank sent as a text message. After stealing the necessary login details via phishing emails, the perpetrators leveraged the SS7 flaw to intercept the associated mTAN (mobile transaction authentication numbers) authentication codes sent to the victims — messages notifying them of account activity — to validate the transactions and remain hidden, investigators say.

Central office equipmentGerman Telecommunications giant O2-Telefonica confirmed details of the SS7-based cyber attacks to the newspaper. Ars says, in the past, attackers have obtained mTANs by obtaining a duplicate SIM card that allows them to take control of the bank customer’s phone number. SS7-facilitated compromises, by contrast, can be done remotely on a much larger quantity of phone numbers.

O2 Telefonica confirmed to Help Net Security that the attackers were able to gain access to the network of a foreign mobile network operator in January 2017. The attackers likely purchased access to the foreign telecommunications provider – this can apparently be done for less than 1,000 euros – and have set up call and SMS forwarding.

Ford Road CO in Dearborn Mi is the Oregon officeTwo-factor authentication (2FA) is a security process in which the user provides two authentication factors to verify they are who they say they are.  2FA provides an extra layer of security and makes it harder for attackers to gain access to a person’s devices and online accounts, because knowing the victim’s password alone is not enough to pass the authentication check. Two-factor authentication has long been used to control access to sensitive systems and data, and online services are increasingly introducing 2FA to prevent their users’ data from being accessed by hackers who have stolen a password database or used phishing campaigns to get users’ passwords.

News of the incident prompted widespread concern online. Security advocates railed against the popular and continuous use of text messages to authenticate account information while growing evidence suggests that SS7 is an unsafe channel to deliver such data. Security experts told ars that the same SS7-centric hacking techniques used against German banks will become increasingly prevalent in the future, forcing organizations to reconsider how they authenticate user activity.

Cris Thomas, a strategist at Tenable Network Security warns in the article:

Two-factor authenticationWhile this is not the end of 2FA, it may be the end of 2FA over SS7, which comprises a majority of 2FA systems … Vulnerabilities in SS7 and other cellular protocols aren’t new. They have been presented at security conferences for years … there are other more secure protocols available now that systems can switch to…

Cyber security researchers began issuing warning about this flaw in late 2014 about dangerous flaws in SS7. I wrote about the SS7 flaw in September of 2016  and in March 2107. Maybe this will be the wake up call for the carriers. One industry insider quipped:

This latest attack serves as a warning to the mobile community about what is at stake if these loopholes aren’t closed … The industry at large needs to go beyond simple measures such as two-factor authentication, to protect mobile users and their data, and invest in more sophisticated mobile security.

man-in-the-middle attackIn 2014 security researchers first  demonstrated that SS7 could be exploited to track and eavesdrop on cell phones. This new attack is essentially a man-in-the-middle attack on cell phone communications. It exploits the lack of authentication in the communication protocols that run on top of SS7.

Developed in 1975, today, over 800 telecommunications companies around the world, including AT&T (T) and Verizon (VZ), use SS7 make sure their networks interoperate. This technology has not kept up with modern times.  In May 2017, Wired published an article which explains some of the ways to secure SS7. Overcoming SS7 insecurity requires implementing a series of firewalls and filters that can stop the attacks. Researchers Wired spoke to suggest that adding encryption to SS7 would shield network traffic from prying eyes and bolster authentication. Both of these changes are unpopular with the carriers, because they cost money and can impact the network core, so don’t expect any network changes to address the SS7 flaw anytime soon.

Carriers should use SS7 firewall to secure the SS7 networkThe Register reports that the FCC’s Communications Security, Reliability and Interoperability Council found that the proposed replacement for SS7 on 5G networks, dubbed the Diameter protocol has security holes too.

In March 2017, Oregon Sen. Ron Wyden and California Rep. Ted Lieu sent a letter to Homeland Security’s John Kelly requesting that DHS investigate and provide information about the impact of SS7 vulnerabilities to U.S. companies and governmental agencies. Kelly has not responded to the letter, according to the Wired article.

Of course the TLA’s would never use this “flaw” in SS7 to spy on us.

The Guardian says that given that the SS7 vulnerabilities reside on systems outside of your control, there is very little you can do to protect yourself beyond not using the services.

PoliticianThey recommend for text messages, avoiding SMS and instead using encrypted messaging services such as Apple’s (AAPL) iMessage, Facebook‘s (FB) WhatsApp or the many others available will allow you to send and receive instant messages without having to go through the SMS network to protect your messages from surveillance.

For calls, the Guardian recommends using a service that carries voice over data rather than through the voice call network. This will help prevent your calls from being snooped on. Messaging services including WhatsApp permit calls. Silent Circle’s end-to-end encrypted Phone service or the open-source Signal app also allow secure voice communications.

protect yourself Your location could be being tracked at any stage when you have your mobile phone on. The only way to avoid it is to turn off your phone or turn off its connection to the mobile phone network and rely on Wi-Fi instead.

Related articles

Ralph Bach has blogged from his Bach Seat about IT, careers and anything else that catches his attention since 2005. You can follow me at Facebook and Twitter. Email the Bach Seat here.

AT&T Already Profits from Net Neutrality

AT&T Already Profits from Net NeutralityIn further proof that no matter what – the huge corporations always win, AT&T (T), one of the most vocal opponents to net neutrality has already started to profit from it. FierceTelecom is reporting that AT&T’s new reclassification under Title II of the Communications Act as part of new net neutrality rules are working in the mega-Bell’s favor.

The article says regulator’s cited Title II to justify a ruling for AT&T. The FCC ruling said AT&T should be awarded damages for being overcharged by two Michigan based rural telcos for interstate access services. Now the FCC has to set how much money AT&T should receive from East Lansing based Great Lakes Comnet (GLC) and Westphalia Telephone Company (WTC). The FCC wrote in its order, “We agree with AT&T.”

Initially, AT&T asked for a $12 million refund and wants to avoid paying an additional $4.3 million that Westphalia and Great Lakes claim the telco owes them. The author explains that the FCC argued that AT&T was billed unlawfully because of Section 201(b) of the Communications Act. This is the part of Title II that says: “All charges, practices, classifications, and regulations for and in connection with such communication service, shall be just and reasonable, and any such charge, practice, classification, or regulation that is unjust or unreasonable is declared to be unlawful.”

Ironically, during the run-up to net neutrality decision,  AT&T, Verizon (VZ), Comcast (CMCSA) and other telcos claimed that regulation would hurt their profits, which seems like mis-information BS. The FierceTelecom article reports that the FCC said that it won’t set specific price caps or tell service providers what they can charge for service, consumers can complain to the FCC if their provider is overcharging them for service.

FierceTelecom also points to an Ars Technica report, that Verizon (VZ), another outspoken critic of applying Title II to broadband services, ironically used its common carrier status for POTS services to build its FiOS fiber-to-the-home (FTTH) network. Besides leveraging Title II to get access to utility poles and rights-of-way to string up fiber, Verizon raised consumer phone rates to fund the fiber build.

rb-

This could be written-off as unintended consequences or is it? Is the goobermnet in bed with the Telco’s and all the net neutrality hub-bub was just a show?

Quoting MLive

the leaders making our laws, writing our budgets and setting the agenda are not widely seen as effective … there’s a serious and alarming lack of leadership …

 

Ralph Bach has been in IT for fifteen years and has blogged from his Bach Seat about IT, careers and anything else that catches his attention since 2005. You can follow me at Facebook and Twitter. Email the Bach Seat here.

Net Neutrality – We Win

Let the lawsuits begin!

Net Neutrality - We Win

In addition to the lawyers, lining up to squash Net Neutrality, Michigan’s own Fred Upton—who holds personal investments in AT&T, Comcast, and Verizon—has introduced anti-Net Neutrality legislation that eliminates the FCC’s authority to regulate internet service providers and could crush the agency’s ruling and allow AT&T (T), Comcast (CMCSA) and Verizon (VZ) to rule the Internet at our cost to grow their profits.

rb-

I have already seen an ad on BrightHouse cable from Broadband For America, (whose membership page is empty) claiming that the FCC ruling will force them to raise taxes. Here come more imaginary “Regulatory re-captureprofits fees.

For right now, this is a rare win for the 99% in post 9-11 ‘murica. Just follow the money.

Ralph Bach has been in IT for fifteen years and has blogged from his Bach Seat about IT, careers and anything else that catches his attention since 2005. You can follow me at Facebook and Twitter. Email the Bach Seat here.

 

ISPs – Brits Speed U.S. Squabble

ISPs - Brits Speed U.S. SquabbleBritish Telecom has announced its plan to transform the UK broadband landscape from superfast to ultrafast. CircleID reports that the company plans to deliver much faster broadband for homes and small businesses via a widespread deployment of “G.fast” (G.9701) — a technology the company will pilot test this Summer. G.fast is aimed to help BT deliver ultrafast speeds of up to 500 Mbps to most of the UK within a decade. Deployment will start in 2016–2017, BT says.

US broadbandThe day before, the FCC announced that they have re-defined the meaning of broadband in the United States. Under the new definition, US broadband has changed from a measly 4 Mbps down and 1 Mbps up to an anemic 25 Mbps down and 3 Mbps up. There will be little impact for the end user, because this is just gooberment posturing. This will put the US in some low rank internationally. While the UK global telecom giant BT sets its sites on 500 Mbps. The FCC’s presser states that the ruling is meaningless. Their own document says:

… its 25/3 benchmark as a standard to measure the progress of broadband deployment. However, the benchmark is not a minimum speed requirement and does not prevent broadband service providers from advertising or describing slower service as broadband.

Follow the moneyNot surprisingly, 100% of US ISP’s are against this redefinition of broadband the cable lobby is opposed to the FCC’s plan. Ars Technica reports that the Telecommunications Association (NCTA) wrote in an FCC filing Thursday (PDF) that, “Customers do just fine with lower speeds.”

In addition to the CableCo lobby’s opposition, PCWorld reports that Republicans blasted the FCC report and new definition of broadband.

rb-

The Register notes how little things have changed. Haters are going to hate. In 2008, Commissioner Robert McDowell opposed increasing the speed definition of broadband from 200Kbps to 768Kbps. McDowell today represents Washington DC law firm Wiley Rein and appeared last week in Congress arguing that the FCC should not introduce net neutrality rules.

Do you want Comcast in charge of the web? Support net neutrality.

Ralph Bach has been in IT for fifteen years and has blogged from his Bach Seat about IT, careers and anything else that catches his attention since 2005. You can follow me at Facebook and Twitter. Email the Bach Seat here.

Koch Money Fights Net Neutrality

Koch Money Fights Net NeutralityThe Sunlight Foundation reports that a “shadowy” group inundated the FCC with letters opposing net neutrality during the commission’s second-round commenting period in September. The deluge of manufactured opposition accounted for more than half of the total anti-net neutrality comments according to an article on FierceCable.

The article says that questions arose when 60 percent of the second-round comments opposed equity on the Internet after first-round commenting had been so overwhelmingly supportive of net neutrality. The Sunlight Foundation analyzed 1.6 million anti-net neutrality letters received by the Federal Communications Commission with natural language processing technology and identified the nonprofit behind the anti-net neutrality. Most of the missives were tied to a group called American Commitment. The nonpartisan Sunlight Foundation says multi-billionaire industrialists Charles and David Koch back American Commitment.

The Koch brothers, who are the ultra-rich radical right-wing owners of many common household products including:

  • American Greetings
  • Angel Soft
  • Angel Soft Ultra
  • Brawny paper towels
  • Dixie products
  • Insulair cups
  • Mardis Gras napkins
  • Perfect Touch cups, paper products
  • Quilted Northern
  • Sparkle paper towels
  • Vanity Fair napkins & paper towels
  • Zee Napkins

According to the Sunlight Foundation, 99% of respondents in round one demanded that the FCC support net neutrality. In round two of the FCC comment period, comments opposing net neutrality rose to 60%. The Sunlight Foundation investigated this huge swing in citizen sentiment and wrote:

We attribute this shift almost entirely to the form-letter initiatives of a single organization, American Commitment, who are single-handedly responsible for 56.5 percent of the comments in this round

rb-

If you don’t buy Angel Soft TP or Georgia Pacific drywall, the Koch’s are active in many ways in Michigan (and the rest of the country I’m sure). They polluted areas of Detroit by creating mountains of pet coke along the banks of the Detroit River. They pushed Snyder to withhold support for Detroit’s bankruptcy plans and backed the failed Senate campaign of Terry Lynn Land.

It is never good for normal people when the 1% get involved. The Koch brothers are definitely 1%, out to screw the rest of the world and make some money at the same time. Get involved, defend internet freedom in Michigan and the best of the world.

Ralph Bach has been in IT for fifteen years and has blogged from his Bach Seat about IT, careers and anything else that catches his attention since 2005. You can follow me at Facebook and Twitter. Email the Bach Seat here.