Life Diary – The Security Farce (Part III)

This post is in continuation to my experiences with the security industry. To view previous post in the series  here.

It was my fifth semester. My HOD and mentor Prof. B.V. Buddhadev referred me to a company named Pam Technologies Pvt. Ltd. At PAM Tech I was taking care of the security of their location tracking web portal. Meanwhile, there was a project related to VoIP which was bottlednecked because the team working on the project had just quit. Seeing my curiosity, my mentor BVB sir put me into the VoIP project. It was an interesting experience. Since I had hands-on experience of Linux systems for a few years it took very less time for me to grasp the open source telephony platform, Asterisk. I built an entire telephony system from the scratch with an interactive voice response just like customer center. It was integrated to ASP.NET Web Service via Mono.NET i.e. .NET for the Linux platform.

My college LDCE has a techfest called Teqnix. As a part of Teqnix they had already announced a Security and Ethical Hacking workshop. But they were still looking for speakers.  Finally they asked me.

Now since I was working on Asterisk I was away from this security stuff and I also wanted someone more experienced to come over. So I passed it to Sunny Vaghela.

 

I was there at the day of the event. Sunny was all “suited up”. Surprisingly his assistant was even more suited up, with a noticable “bluetooth headset” on his ear. Remember this was 2009 and those devices still looked geeky. Sunny greeted all the faculties who were “lined up” and shook his right hand with them while placing a visiting card in the left ones.  I was just seeing things – had never seen such stuff before.

Sunny opened his laptop and connected it with that Reliance Datacard.

No connectivity.

We opened some windows. Still no luck.

“I can’t show demo without the internet”, he says.

“It’s okay, show the presentation”, I consoled. He asked me to copy the presentation file on a pendrive. For the record the PPT is still with me. I copied it to the laptop connected to the projector and moved away from the scene.

The presentation was on Mobile Spoofing – his classic signature, it was on SMS forging and Call forging. It was boring for me, I felt like a highschool student in kindergarten. Anyway I had taken leave from office for an hour so I returned back.

 

Back at home I opened the presentation. It grabbed my interest because it had some info about spoofing calls via Asterisk, which I was working upon. Now I had already tried caller ID spoofing by that time. Technically it was possible, Operationally it wasn’t. The Department of Telecom had made it mandatory to use original source phone number over PSTN and GSM lines.

 

And here this guy was showing call spoofing. This was the code that was interesting:

Download Asterisk@ home or Asterisk server from website.

Configure it.

Add the followinf into Config file.

exten => 33,1,Answer
exten => 33,2,AGI(cidspoof.agi)

Change CID information in the extension.conf file.
Start Asterisk Again.
Dial extention with the spoofed number.

I was like ROFL. The entire text had been copied from this document created way back in 2005.

I later discuss with him on chat:
Me: btw… i saw ur ppt… back then… on call spoofing… the AGI script was like just a single line
Sunny: ppt should always have limited info
 me: but it was a call to another script
<no reply for infinity>
He then uses the same thing as a news item on News24 with his influence. He was giving a real demo this time. Along with him was Mr. Pavan Duggal, eminent cyber lawyer.
I was watching the show and laughing – he had used some third party website providing spoofing service and he was showing as if it was his magic. See what he said:
me: anyway… tht news24 thing… which site u used
Sunny: it was not site. it was asterisk ka kamal
me: lol dont tell me u had a CTI card attached to ur laptop
Sunny: voip jet provides me iax termination
 me: hehe
Sunny: bro trust me, it was using iax termination service only
me: but u know what…. if u have an indian BRI or PRI line, u cant actually spoof the CLID
Sunny: u can
 me: i have done it on tata and bsnl. i had tried simultaneous calls on 13 numbers as per requirement of the stress test also, using asterisk server as a forwarding station… failed to relay the input CLID all bcoz of tata’s PRI
Sunny: give me tata number i will show u
me: i am talking about a PRI Line dude… not a normal PSTN line. according to DoT PRI lines have constraints of 10 digit number and compulsory CLID exposure
Sunny: i knw dat, thats what they have defined
 me: and since we wanted a country code also… due to international constraints… we had to make a work-around
Sunny: but anyone can display CLID upto 15 number
It might seem a normal geek talk. Except that I was talking to a guy who had spooked the entire nation by exposing his limited knowledge. I finally concluded – he’s no different than the ones who copy stuff from the internet, put in presentations and build stories.
I was glad I didn’t accept the partnership offer that he had extended me after I left PAM Tech. The reason was, I am not fame hungry, and I have different motives. This is again a long story. I need to rush home now, will write it later.

7 thoughts on “Life Diary – The Security Farce (Part III)

    1. Yes now I remember the name. Nothing against him though. I just wanted to bring into light some facts 😛

  1. Sakkhad che boss.. I will Use this story for the people who adore sunny for his knowledge and also for the fame hungry people.. thanks for sharing.

  2. They are not geeks they are money and (fake)fame hungry guy… I never believed any of this stupid guy how runs so called CEH…. you don’t need a certificate to be a geek .. you just need passion ,,, And you explained about spoofed call same goes for SMS spoofing you cant spoof sms from phone as source MSISDN and Timestamp is embeded in SMS PDU after msg reaches SMS gatway (Ref mobile computing ashok talukdar) … so technically call and sms spoofing is 100% possible by theory but it needs certain access which a normal user is lacking … thus systems are still secure ….

    call spoofing
    http://www.crazycall.net/

    free spoofed trial call
    http://www.spooftel.com/freecall/index.php (don’t know if it still works i used this in 2008-9)

    There was another good free VOIP by BT which allows free outbound PSTN calls and number of features but the service is down now (voipuser.org)

Leave a Reply

Your email address will not be published. Required fields are marked *