News items for tag voip - Koos van den Hout

2015-09-11 Microsoft support scammers are back, or never went away
Today a missed call from +99994723523. There is no country code +999 so this is as fake as it can be for a caller-id.

And still caller-id is treated as very valuable evidence by the police, but that is a different rant.

A google search for the number suggests this is a number used by the Microsoft support scam. Nobody was available to be scammed.

2014-02-05
SIP scanning going on again, probably related to Security advisory: suspected telephone misuse in fritzbox systems. My Internet provider xs4all uses fritz!box devices by default and I already heard about one case of abuse.

The SIP scan in tshark:
Frame 376 (457 bytes on wire, 457 bytes captured)
    Arrival Time: Feb  5, 2014 18:00:07.447662000
    [Time delta from previous captured frame: 36.927214000 seconds]
    [Time delta from previous displayed frame: 0.000000000 seconds]
    [Time since reference or first frame: 6100.139111000 seconds]
    Frame Number: 376
    Frame Length: 457 bytes
    Capture Length: 457 bytes
    [Frame is marked: False]
    [Protocols in frame: sll:ip:udp:sip]
Linux cooked capture
    Packet type: Unicast to us (0)
    Link-layer address type: 512
    Link-layer address length: 0
    Source: <MISSING>
    Protocol: IP (0x0800)
Internet Protocol, Src: 188.138.41.34 (188.138.41.34), Dst: xxx.xxx.xxx.xxx (xxx.xxx.xxx.xxx)
    Version: 4
    Header length: 20 bytes
    Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00)
        0000 00.. = Differentiated Services Codepoint: Default (0x00)
        .... ..0. = ECN-Capable Transport (ECT): 0
        .... ...0 = ECN-CE: 0
    Total Length: 441
    Identification: 0x0000 (0)
    Flags: 0x04 (Don't Fragment)
        0... = Reserved bit: Not set
        .1.. = Don't fragment: Set
        ..0. = More fragments: Not set
    Fragment offset: 0
    Time to live: 53
    Protocol: UDP (0x11)
    Header checksum: 0x475e [correct]
        [Good: True]
        [Bad : False]
    Source: 188.138.41.34 (188.138.41.34)
    Destination: xxx.xxx.xxx.xxx (xxx.xxx.xxx.xxx)
User Datagram Protocol, Src Port: 5079 (5079), Dst Port: sip (5060)
    Source port: 5079 (5079)
    Destination port: sip (5060)
    Length: 421
    Checksum: 0xc761 [correct]
        [Good Checksum: True]
        [Bad Checksum: False]
Session Initiation Protocol
    Request-Line: OPTIONS sip:100@xxx.xxx.xxx.xxx SIP/2.0
        Method: OPTIONS
        [Resent Packet: False]
    Message Header
        Via: SIP/2.0/UDP 62.75.212.215:5079;branch=z9hG4bK-1039150734;rport
            Transport: UDP
            Sent-by Address: 62.75.212.215
            Sent-by port: 5079
            Branch: z9hG4bK-1039150734
            RPort: rport
        Content-Length: 0
        From: "sipvicious"<sip:100@1.1.1.1>;tag=3532356663346361313363340132393433303934303439
            SIP Display info: "sipvicious"
            SIP from address: sip:100@1.1.1.1
            SIP tag: 3532356663346361313363340132393433303934303439
        Accept: application/sdp
        User-Agent: friendly-scanner
        To: "sipvicious"<sip:100@1.1.1.1>
            SIP Display info: "sipvicious"
            SIP to address: sip:100@1.1.1.1
        Contact: sip:100@62.75.212.215:5079
            Contact Binding: sip:100@62.75.212.215:5079
                URI: sip:100@62.75.212.215:5079\r
                    SIP contact address: sip:100@62.75.212.215:5079\r
        CSeq: 1 OPTIONS
            Sequence Number: 1
            Method: OPTIONS
        Call-ID: 37933976157019277147119
        Max-Forwards: 70
Source IPv4 was 188.138.41.34, Plusserver AG. Interesting pointer at IPv4 address 62.75.212.215, a different IPv4 range at Plusserver AG.
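
A check for the three things that stand out in this capture (the friendly-scanner User-Agent, the "sipvicious" display name, and a public Via address that differs from the packet source), as an added example that is not part of the original post. The sample message is constructed from a subset of the header values in the dissection above; the function names and indicator labels are assumptions made for this sketch.

```python
import ipaddress

# Constructed from header values in the tshark dissection above
# (destination redacted as on the page).
SAMPLE = (
    "OPTIONS sip:100@xxx.xxx.xxx.xxx SIP/2.0\r\n"
    "Via: SIP/2.0/UDP 62.75.212.215:5079;branch=z9hG4bK-1039150734;rport\r\n"
    'From: "sipvicious"<sip:100@1.1.1.1>;tag=3532356663346361313363340132393433303934303439\r\n'
    "User-Agent: friendly-scanner\r\n"
    'To: "sipvicious"<sip:100@1.1.1.1>\r\n'
    "Contact: sip:100@62.75.212.215:5079\r\n"
    "CSeq: 1 OPTIONS\r\n"
    "Call-ID: 37933976157019277147119\r\n"
    "Content-Length: 0\r\n\r\n"
)

def parse_headers(raw):
    """Return (method, {lowercased header name: first value})."""
    lines = raw.split("\r\n\r\n", 1)[0].split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers.setdefault(name.strip().lower(), value.strip())
    return lines[0].split(" ", 1)[0], headers

def via_address(via):
    """Sent-by host from 'SIP/2.0/UDP host[:port];params' (IPv4 or hostname)."""
    parts = via.split()
    if len(parts) < 2:
        return None
    return parts[1].split(";", 1)[0].split(":", 1)[0]

def scan_indicators(raw, packet_src):
    """List the reasons this request looks like a SIPVicious-style probe."""
    method, h = parse_headers(raw)
    hits = []
    if "friendly-scanner" in h.get("user-agent", "").lower():
        hits.append("user-agent")
    if h.get("from", "").lower().startswith('"sipvicious"'):
        hits.append("from-display-name")
    host = via_address(h.get("via", ""))
    try:
        # A private Via address behind NAT is normal; a different *public*
        # address, as in the capture above, is worth logging.
        if host and host != packet_src and not ipaddress.ip_address(host).is_private:
            hits.append("via-mismatch")
    except ValueError:
        pass  # Via carried a hostname, not an address
    return method, hits
```

Both header strings are tool defaults that can be changed, so treat a match as a cheap first filter for logging or rate limiting rather than as proof of who is scanning.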

2013-10-24
Interesting incoming caller-id in the logs: 003960. Country code 396 is the Vatican so maybe their switchboard got tired of the calls by phreakers and started calling back. Not that I ever did such a thing. The conclusion that this was faked is more appropriate.

2013-08-14
An interesting twist in the microsoft support scam calls: 7 call attempts within 2 seconds. So asterisk can only forward the first 2 calls to the isdn phones in the house and the next five go to voicemail instantly.
sqlite> select src,start,answer,end from cdr where .. order by start;
0016077329064|2013-08-14 13:12:16|2013-08-14 13:12:47|2013-08-14 13:12:53
0016308599364|2013-08-14 13:12:16|2013-08-14 13:12:47|2013-08-14 13:12:52
0015852439807|2013-08-14 13:12:17|2013-08-14 13:12:18|2013-08-14 13:12:40
0017187455293|2013-08-14 13:12:17|2013-08-14 13:12:18|2013-08-14 13:12:23
0016073249764|2013-08-14 13:12:17|2013-08-14 13:12:17|2013-08-14 13:12:23
0016073639777|2013-08-14 13:12:17|2013-08-14 13:12:17|2013-08-14 13:12:22
0016265749227|2013-08-14 13:12:17|2013-08-14 13:12:17|2013-08-14 13:12:22
Bug in the call handling on the scamming side? Nobody was available to be scammed.
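
Finding this kind of burst in the call detail records automatically, as an added example that is not part of the original post. It loads the seven rows above plus one constructed ordinary call into an in-memory table with only the four columns the query selects; the 2-second window, the 5-call threshold and the function names are assumptions for this sketch.

```python
import sqlite3
from datetime import datetime, timedelta

# The seven CDR rows listed above, plus one constructed ordinary call (last row).
ROWS = [
    ("0016077329064", "2013-08-14 13:12:16", "2013-08-14 13:12:47", "2013-08-14 13:12:53"),
    ("0016308599364", "2013-08-14 13:12:16", "2013-08-14 13:12:47", "2013-08-14 13:12:52"),
    ("0015852439807", "2013-08-14 13:12:17", "2013-08-14 13:12:18", "2013-08-14 13:12:40"),
    ("0017187455293", "2013-08-14 13:12:17", "2013-08-14 13:12:18", "2013-08-14 13:12:23"),
    ("0016073249764", "2013-08-14 13:12:17", "2013-08-14 13:12:17", "2013-08-14 13:12:23"),
    ("0016073639777", "2013-08-14 13:12:17", "2013-08-14 13:12:17", "2013-08-14 13:12:22"),
    ("0016265749227", "2013-08-14 13:12:17", "2013-08-14 13:12:17", "2013-08-14 13:12:22"),
    ("0000000000", "2013-08-14 09:30:00", "2013-08-14 09:30:08", "2013-08-14 09:33:00"),
]

def load(rows):
    """In-memory table with only the four columns the page's query selects."""
    db = sqlite3.connect(":memory:")
    db.execute('CREATE TABLE cdr (src TEXT, start TEXT, answer TEXT, "end" TEXT)')
    db.executemany("INSERT INTO cdr VALUES (?, ?, ?, ?)", rows)
    return db

def bursts(db, window_s=2, min_calls=5):
    """Groups of at least min_calls calls whose start times span <= window_s seconds."""
    rows = db.execute("SELECT start, src FROM cdr ORDER BY start").fetchall()
    calls = [(datetime.strptime(s, "%Y-%m-%d %H:%M:%S"), src) for s, src in rows]
    found, i = [], 0
    while i < len(calls):
        j = i
        while j + 1 < len(calls) and calls[j + 1][0] - calls[i][0] <= timedelta(seconds=window_s):
            j += 1
        if j - i + 1 >= min_calls:
            found.append([src for _, src in calls[i:j + 1]])
            i = j + 1  # continue after the burst
        else:
            i += 1
    return found

def answered_within(db, srcs, seconds=1):
    """Count calls from srcs answered within `seconds` of arriving (voicemail pickup here)."""
    marks = ",".join("?" * len(srcs))
    sql = (f"SELECT COUNT(*) FROM cdr WHERE src IN ({marks}) "
           "AND strftime('%s', answer) - strftime('%s', start) <= ?")
    return db.execute(sql, [*srcs, seconds]).fetchone()[0]
```

On these rows `bursts(load(ROWS))` returns one group of seven callers, and `answered_within` counts the five that were picked up within a second of arriving.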

2013-05-13
The latest KPN price increase for the fixed network, with the following excuse explanation:
Fewer and fewer people use the fixed telephone, which increases the cost per user. We are therefore forced to raise some rates.
made it time to request a number port to a VoIP provider. Per month I will soon pay EUR 23.43 (was EUR 21.24) for ISDN1 with free weekend calling.

ISDN is a very nice technology, and I regret doing less with it, but the rates are such that it is worth the effort to switch to VoIP for calls. SIP gives me comparable signalling and information, certainly with a provider that implements it well and knows that there are people using asterisk. We always want an Internet connection anyway, so telephony can run over that as well.

2013-05-03
Upside of using asterisk for the home telephony: it's quite easy to browse the call detail records and do some calculations on them. So when our fixed line provider came with yet another price increase it was time to shop around for better options. And comparing rates is a lot easier when you have an exact log of how many calls for how long to which destinations were made in the previous months.

I'll miss the high level of control and call-progress indication ISDN offers, but prices for SIP accounts are a lot better and call-progress for SIP is comparable to ISDN.

2013-03-03
Interesting new twist between all the attempts to reach Palestinian cell phone numbers: one try to reach the US embassy in The Hague. I guess someone attempting to abuse my SIP server thought maybe just international calls are blocked and used a number which is easy to find from abroad. Incoming audio was recorded, but it's a recording of pure silence.

2012-12-23
Today taught a PTT Ericsson model 51 DTMF using the DTMF converter from picbasic.nl with support for the PTT Ericsson model 51. A wall-mounted telephone with a design from 1951. The unit we worked on had a production date of 'VII 1964', so presumably July 1964. The PTT W65 is its successor.

After getting the DTMF converter working we connected the telephone to a Cisco ATA 186 which is linked to the asterisk test exchange, so that we could call the speaking clock in asterisk and the weather report in asterisk. And of course make the telephone ring!

2012-10-09
I just found Intercept Service with Jane Barbe where ElmerCat has put a lot of time and energy into saving, splitting and digitizing phone phreaking recordings. My first thought was to take the Jane Barbe recordings and set up a few intercepts of my own. Maybe for playing with the people who try to break in to my asterisk testserver or (more constructive) to set up a Jane Barbe intercept service which can be used on Collectors*Net.
Found (unsurprisingly) via "1000 Abstract Machines" ... and a New Generation of Phone Phreaks? - The History Of Phone Phreaking.

Update: Ok, using the 'Jane Barbe' digits in Asterisk isn't very hard. Download the .mp3 files from soundcloud and convert them to the asterisk .gsm format:
$ mkdir janebarbe
$ sox JB-0-neutral.mp3 -r 8000 -c 1 janebarbe/0.gsm
..
$ sox JB-is-not-in-service.mp3 -r 8000 -c 1 janebarbe/is-not-in-service.gsm 
$ sox JB-the-number-you-have-reached.mp3 -r 8000 -c 1 janebarbe/the-number-you-have-reached.gsm
And put that entire janebarbe directory in the directory where asterisk expects the digit files for language 'janebarbe' which is /usr/share/asterisk/sounds/digits/janebarbe/ in the 'old' directory structure and /usr/share/asterisk/sounds/janebarbe/digits/ in the 'new' directory structure. Look at Asterisk multi-language - voip-info.org for details on directory structures.

Using the digits is now simple, a test:
exten => s,1,Answer()
exten => s,n,Wait(1)
exten => s,n,Playback(digits/janebarbe/the-number-you-have-reached)
exten => s,n,Set(CHANNEL(language)=janebarbe)
exten => s,n,SayDigits(1234567890)
exten => s,n,Playback(digits/janebarbe/is-not-in-service)
exten => s,n,Hangup
Will have Jane Barbe telling you what you expect. This can be used as an invalid-number intercept.

2012-08-26
I got hold of a real original T65 rotary dial telephone. Production date April 1985. I still have to clean it. In a simple test I soon ran into an expected problem: the ATA I use for VoIP experiments, a cisco ata 186, does not understand pulse dialing. But for incoming calls this telephone is already good enough. Maybe useful for incoming calls on Collectors*Net!

Later, by the way, I noticed something about the production date: in June 1978 we already had a telephone with push buttons and dtmf at home. But dtmf support was introduced in phases in the Netherlands; when I did an internship at kpn telecom in 1984 there were still electromechanical exchanges in Utrecht that had no dtmf support.

Update 2012-08-28: A real T65 rotary dial telephone is available to everyone: they are for sale at the webshop of the Staatsbedrijf der Posterijen, Telegrafie en Telefonie. Wonderful website with plenty of Dutch telephone history, presented with a wink.

2012-04-26
There is demand for VoIP over IPv6 so the excuse "there is no demand" or "you're the first one to ask" is no longer true: VoIP6 provider wanted in the Netherlands. Get in touch with them when you are serious.

2012-02-07
Fun with someone trying to route sip calls through an asterisk server during my vacation: she or he tried 86 times to reach the same London number, 36 times matched patterns which triggered my scripts to play random your call could not be completed messages, which probably explains why the person kept trying. Maybe I can add some of the new patterns.

2012-01-11
Post-mortem overview of a broken-into asterisk install: Asterisk hack post-mortem - Tom Keating tncnet. Nice article, showing how researching a system after a break-in can go from one strange thing to another. Using asterisk .call files to make calls is an interesting new approach to me.

Interesting patterns in trying to reach mobile numbers in the Middle-East. Patterns I have seen several times before on an asterisk server. Keep it safe, especially on asterisk where this can cost real money.

Found via @teamcymru on twitter.

2012-01-10
Good overview of VoIP, tools for scanning and possible attacks: VoIP Penetration Testing & Security Risk - Infosec resources.

2012-01-06
More attempts to reach Palestinian telephone numbers (+972) via my SIP server, exactly like the attempts last July to reach Palestina mobile numbers. But the upstream audio is the same professional-sounding voice as I heard last December trying to reach a US number. An interesting combination of factors.

So I'm asking the lazywebs: does someone recognize this voice?
Audio attachment (MP3): Wrong number incoming golden voice

2011-12-09
Another weird thing recorded on the SIP honeypot: Something which to me sounds like a recording of a voice artist (or 'golden voice'). It was an attempt to use the server from a Palestinian IP to reach +1-404-260-5390, a US phone number for a conferencing system. The recording is attached: note that the audio is very choppy, probably due to packet-loss between the originator in Palestina and my server.
Audio attachment (MP3): Wrong number incoming golden voice

2011-11-28
Like in July, attempts to reach Jawwal telecom mobile numbers in Palestina via an asterisk server. But this time with incoming audio, I hear kids in the background and some talking. Very garbled: lots of packet loss on the line and the audio clips. So somebody got a bit of a disappointment when this route for free calls wasn't working out.

2011-07-26
An article which reads like the reporter got introduced to low-security VoIP trunks and caller-id spoofing services for the first time: Authorities say 911 call in Wyckoff hoax came from fake, computer-generated phone number - NorthJersey.com.
The 911 caller whose hoax prompted a tense police standoff in a quiet Wyckoff neighborhood used a computer to mask the origin of the call, authorities said Sunday.
A computer crime expert is quoted:
[..] the 911 call likely originated from a so-called IP phone that makes calls over the Internet. Such phones are increasingly common and allow users to choose the phone number that would appear on caller identification devices [..]
They hope to trace the user back to the original IP of the SIP call. I wish them lots of luck finding the IP in the first place: I don't think a lot of the 'wholesale SIP trunking' or 'Caller-ID spoofing services' will log them. They might have more chance of finding the account and the billing information.

Found via Attack on 'Cyberbullying' critic prompts raid by armed cops - The Register.

2011-07-24
Most of the attempts at toll fraud through an asterisk server set to catch and record these are lately for a number matching +97259xxxxxxx which according to Telephone numbers in Israel - Wikipedia is a 'Jawwal' mobile number in Palestina. Interesting... not a really expensive call to make but I can imagine a certain interest in hard-to-trace calls to that part of the world, especially since these seem to be routed via Israel. According to the explanation on Telephone numbers in the Palestinian territories - Wikipedia +970 is also the country code for Palestina but it depends on which country you are calling from whether +970, +972 or both work. Politics in phone numbers. The +970 route was never tried via my asterisk.

2011-07-18
First good catch after updating the scripts for capturing the audio on attempts at toll fraud through an asterisk server, some calls with incoming audio logged to disk, and some with absolute silence. The calls with audio have serious noise in the background, my best guess is airco noise. But some typing can be heard, some other sounds and one even with a word at the end. I added some audio from that last one.

Boiler-room type telecoms fraud operation? You decide!

What this does mean to me is that someone is actually doing real work to find opportunities for routing calls without paying. This is not an automated script, this is an actual person doing the work.
Audio attachment (MP3): Wrong number airco noise