Monday, October 26, 2009

Call Spoofing: So easy, even famous people do it!


A simple but effective call spoofing technique has hit the mainstream. Former high-profile Dolce & Gabbana publicist Ali Wise used a phone call spoofing service called SpoofCard to listen to her ex-boyfriend's voicemails. The service hides the phone number you're calling from, routes the call through their server, and spoofs the caller ID with any 10-digit number. Several years ago, Paris Hilton was also in the news for allegedly using SpoofCard to listen to her friends' voicemails. Voicemail users whose mailbox does not prompt for a passcode when the call appears to come from their own number are vulnerable to this technique.

I tested the SpoofCard iPhone app, and using only the "first 5 minutes free" I was able to prove that it does everything it claims. I called myself, spoofing the number with another 10-digit number, and disguised my voice using the built-in voice modifier. The choice of "man" or "woman" isn't good; I would know it wasn't a real voice... unless I was expecting a call from the DaVinci Virus in Hackers. (Phishing scams, though, are prime candidates for automated messages.) The call recording feature works perfectly and portably. With very little effort I had voicemail access without a password prompt. The only part that didn't work as expected was routing the call through Google Voice: it came up "Unknown."

Besides listening to voicemails, there are other reasons to be concerned. Two weeks ago, Elizabeth Wharton and I led a discussion at the Atlanta chapter meeting of NAISG about Identity Theft using Social Networks. One case in point I experienced personally: the attacker had already obtained the login credentials of a Facebook user in my friends list. They approached me via chat under my friend's name, claiming that they had been mugged while on a trip to London and wanted to borrow $400 to pay the hotel bill. Since I knew the whereabouts of my friend, the attack ended there. But what if I wasn't so sure? Would a call from my friend's phone number convince me? Since many Facebook users keep their phone numbers in their profile, this opens a huge door for phishing attackers. Remember that identity theft is not attributed to one large vulnerability but rather to dozens of innocuous details displayed freely around the Internet. Being able to appear to be calling from any number they choose may be the last piece the attacker needs to convince you to give up crucial information.

So should SpoofCard be able to continue this service? Their record shows that they've been keeping their nose clean for years, and they even won the lawsuit against 123spoof.com for using "spoof" in their business name. Their website claims the most appropriate use for this tool is in places like doctors' offices that want to have multiple numbers but don't want to appear confusing to customers. While this sounds perfectly reasonable, I question whether this service is the optimal way to do that. They do not support misuse of the product, and "if there is illegal activity and we are served with a subpoena, we will cooperate with the court or law enforcement agency." It looks like for now the responsibility is still in our hands to be smart and protect ourselves with instinct and good judgment. (And take your phone number off the Internet!)

Wednesday, October 07, 2009

Peter Principle


The Peter Principle is the principle that "In a Hierarchy Every Employee Tends to Rise to His Level of Incompetence." It was formulated by Dr. Laurence J. Peter and Raymond Hull in their 1969 book The Peter Principle. Whether intentionally or inevitably, every person who is doing a great job will be promoted until they no longer have that job. The promotion is not necessarily to a more difficult job, but it is not the job the person was trained to do. For example, a management position requires a different skill set from the one a programmer has proven themselves with.

When we apply this principle to cybersecurity, it is referred to as "The Generalized Peter Principle." It was observed by Dr. William R. Corcoran while testing hardware in a nuclear plant. He observed the tendency to keep using what was familiar, even past the point where it was useful. People want to use old devices for new problems. Take anti-virus software for example. I was recently asked "Why, if I run A/V, do I keep getting pop-up ads on my computer?" We rely on the software to "quarantine" viruses, and it does that so well that we want adware blocking from it as well. And once we don't have ads, we want it to block spyware. And really we want to be notified every time there's a new call out to the Internet. Meanwhile, the only thing it ever did very well was scan email attachments.

In the workplace, the solution is to forgo promotions in favor of pay increases, or to offer training for the new position. In software, the solution is to recognize what problems the program is actually solving, and find separate, new solutions for new problems. Avoid product creep by building a custom arrangement instead of the all-in-one quick fix.

Monday, October 05, 2009

Hack

In 2002, there was a television show released by CBS called Hack. I had never heard of it before, and when I saw on the guide that a show dramatizing hacking was playing, I got excited. Unfortunately, the show has nothing to do with infosec. After watching it for a while, waiting patiently to see some media-portrayed hacking, I couldn't figure out what it was about at all. Wikipedia finally clued me in. The show is about a hack, meaning a taxi driver.

I had never heard anyone call a taxi driver a "hack." It turns out that "hack" or "hacking" has quite a few different meanings. On dictionary.com the definition I was hoping to see, "To alter a computer program," was indeed there, but it seems to be missing something. It also means "To mutilate," "To train a falcon," and "To rent a horse by the hour." And surely we hope that the word doesn't just mean "an artist who exploits his or her talents to produce mediocre work for money."

If hacking is the cornerstone of our industry, shouldn't there be a better word for it? Or maybe just better TV shows.

Friday, October 02, 2009

Hon Hai = Foxconn

In wireless scanning, you often see "Hon Hai Precision Industry Co., Ltd." show up as the name of the manufacturer of the wireless devices. I've always wondered who the heck they were. I finally got around to Googling the company name and found the easy answer: Foxconn.

All WiFi (and Ethernet) adapters contain a 24-bit manufacturer ID (the OUI). These are registered with the IEEE. You can look up any ID to find out the manufacturer at the site http://standards.ieee.org/regauth/oui/.

Most of the names are obvious, such as Apple or IBM. However, some are more obscure, such as Hon Hai Precision. While Hon Hai seems to be a popular manufacturer of WiFi equipped computers, I have never heard of them.

As this Wikipedia article explains, Hon Hai is the company better known as "Foxconn", which by a recent estimate is the #132 largest company in the world. It is a big contract manufacturer of computer equipment. Some of it is sold under their own names, such as Foxconn motherboards or Leadtek graphics cards, but they mostly manufacture stuff for other companies. Currently, they build the MacBook, iPhone, Palm Pre, and the Amazon Kindle. They make the PlayStation 3, Wii, and Xbox 360. They are one of the largest manufacturers of notebooks that are sold under the brand names of other companies like HP. (This blog post was written on a MacBook Air, made by Foxconn, and posted while tethered through an iPhone, made by Foxconn.)

Many of the notebooks made by Foxconn will contain the "Hon Hai" manufacturer ID. However, a company such as Apple has tighter control over its branding: all the MacBooks and iPods Foxconn makes contain the Apple manufacturer ID.

So, in summary, when you see in your wireless scanner "Hon Hai Precision", think "Foxconn", or more specifically "a Windows notebook manufactured by Foxconn for a different brand company like HP".
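As an added example (not code from the original post), here is the lookup described above done offline: parse the "(hex)" lines of an IEEE oui.txt-style file, take the first 24 bits of a scanned MAC address, and report the registered manufacturer, with the "Hon Hai means Foxconn" translation applied. The OUI prefixes in the embedded excerpt are made up for this example; the Hon Hai company name is the one from the post, and the file format is assumed to follow the IEEE text listing. It also flags locally administered and multicast addresses, which a scanner shows but which no registry entry can explain.

```python
import re

# Constructed excerpt in the style of the IEEE registry's "(hex)" lines.
# The prefixes are made up for this example; only the Hon Hai company name
# comes from the post. Fetch the real file from the IEEE site for real use.
SAMPLE_OUI_TXT = """\
C0-FF-EE   (hex)\t\tHon Hai Precision Industry Co., Ltd.
C0FFEE     (base 16)\t\tHon Hai Precision Industry Co., Ltd.
\t\t\t\tExample Road, Example City
F0-0D-CA   (hex)\t\tExample Fruit Computer Inc.
F00DCA     (base 16)\t\tExample Fruit Computer Inc.
"""

HEX_LINE = re.compile(r"^([0-9A-F]{2})-([0-9A-F]{2})-([0-9A-F]{2})\s+\(hex\)\s+(.+?)\s*$")
ALIASES = {"hon hai": "Foxconn"}  # registry name fragment -> name you actually know

def parse_oui_txt(text):
    """Build {'c0ffee': 'Vendor'} from the '(hex)' lines of an oui.txt-style file."""
    table = {}
    for line in text.splitlines():
        m = HEX_LINE.match(line)
        if m:
            table["".join(m.group(1, 2, 3)).lower()] = m.group(4)
    return table

def normalize_mac(mac):
    """Accept aa:bb:cc:dd:ee:ff, aa-bb-cc-dd-ee-ff or aabb.ccdd.eeff; return 12 hex digits."""
    digits = re.sub(r"[:\-.]", "", mac.strip()).lower()
    if not re.fullmatch(r"[0-9a-f]{12}", digits):
        raise ValueError("not a 48-bit MAC address: %r" % mac)
    return digits

def lookup_vendor(mac, table):
    """Return the vendor registered for the first 24 bits, or why there is none."""
    digits = normalize_mac(mac)
    first_octet = int(digits[:2], 16)
    if first_octet & 0x01:   # I/G bit set: group (multicast) address, not an adapter
        return "multicast address (no manufacturer)"
    if first_octet & 0x02:   # U/L bit set: address chosen locally, registry cannot help
        return "locally administered address (no registered manufacturer)"
    vendor = table.get(digits[:6])
    if vendor is None:
        return "unregistered OUI " + digits[:6]
    for fragment, alias in ALIASES.items():
        if fragment in vendor.lower():
            return "%s (%s)" % (alias, vendor)
    return vendor
```

Point parse_oui_txt at the text of the real IEEE listing instead of SAMPLE_OUI_TXT and feed it the addresses your wireless scanner reports.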