OffTopic: Telecom Fraud

[Dovid Bender]

Hi All,

I am wondering if a bit of public shaming may help. I every so often get
calls from the "verizon wireless fraud prevention dept". It's scammers
calling me (and others) telling them there was fraud on their account. This
gets people worked up and fooled into giving out data that they normally
wouldn't. This allows the fraudsters to then order devices under the
victims name. They spoof their caller ID to that of Verizons. I understand
there is currently no fix (though lets hope that SHAKEN/STIR fixes it one
day). but at the very least why can't Verizon drop these calls at their
edge. If they see the B-Number as being their client and the A number being
theirs but coming from elsewhere why can't they just drop the call?

If anyone has any insight I would love to hear it.

TIA.

Regards,

Dovid

Re: OffTopic: Telecom Fraud

[Valdis Klētnieks]

On Tue, 23 Apr 2019 15:55:43 -0400, Dovid Bender said:

> day). but at the very least why can't Verizon drop these calls at their
> edge. If they see the B-Number as being their client and the A number being
> theirs but coming from elsewhere why can't they just drop the call?

Probably for the same exact reasons why BCP38 isn't more widely deployed.

Re: OffTopic: Telecom Fraud

[Paul Timmins]

I guarantee you that if carriers were made civilly or criminally liable 
for allowing robodialers to operate on their network, this sort of issue 
would end practically overnight. Robodialer calling patterns are 
obvious, and I'd imagine any tech could give you a criteria to search 
for in the CDR streams to identify them and shut them off in hours.


Problem is, they're lucrative to provide services to, and there is 
immunity on the carrier's part to these sorts of issues. SHAKEN/STIR 
nonwithstanding (I don't think we'll see widespread adoption of this 
within a decade, even with a government mandate as there's still a 
massive embedded base of switches that can't support it and never will).


It may be incredibly frustrating, but there's plenty of money to be made 
in prolonging the problem.


-Paul

On 4/23/19 3:55 PM, Dovid Bender wrote:

Hi All,

I am wondering if a bit of public shaming may help. I every so often 
get calls from the "verizon wireless fraud prevention dept". It's 
scammers calling me (and others) telling them there was fraud on their 
account. This gets people worked up and fooled into giving out data 
that they normally wouldn't. This allows the fraudsters to then order 
devices under the victims name. They spoof their caller ID to that of 
Verizons. I understand there is currently no fix (though lets hope 
that SHAKEN/STIR fixes it one day). but at the very least why can't 
Verizon drop these calls at their edge. If they see the B-Number as 
being their client and the A number being theirs but coming from 
elsewhere why can't they just drop the call?


If anyone has any insight I would love to hear it.

TIA.

Regards,

Dovid

Re: OffTopic: Telecom Fraud

[Dovid Bender]

On Tue, Apr 23, 2019 at 4:18 PM Paul Timmins  wrote:

> I guarantee you that if carriers were made civilly or criminally liable
> for allowing robodialers to operate on their network, this sort of issue
> would end practically overnight. Robodialer calling patterns are
> obvious, and I'd imagine any tech could give you a criteria to search
> for in the CDR streams to identify them and shut them off in hours.
>
> Problem is, they're lucrative to provide services to, and there is
> immunity on the carrier's part to these sorts of issues. SHAKEN/STIR
> nonwithstanding (I don't think we'll see widespread adoption of this
> within a decade, even with a government mandate as there's still a
> massive embedded base of switches that can't support it and never will).
>
> It may be incredibly frustrating, but there's plenty of money to be made
> in prolonging the problem.
>
>
That was my thought as well. From what I heard last 50% of the calls are
fraud. That's a lot of money that they are collecting on origination. I
also saw this
https://www.multichannel.com/news/comcast-and-att-test-anti-robocalling-tech
and
did  a test. A client owned a Comcast number and had ATT. I set the CLI to
the Comcast number and it showed up on the ATT phone as I set it. You would
think if ATT had the tools in place at the very least it wouldn't display
the number.

Re: OffTopic: Telecom Fraud

[Mel Beckman]

Dovid,

You are correct that your message is off topic. I respectfully ask that you 
honor the rules of this mailing list and refrain from off topic posts. They 
simply add noise to an otherwise useful and highly germane experts resource.

-mel beckman

On Apr 23, 2019, at 1:24 PM, Dovid Bender 
mailto:do...@telecurve.com>> wrote:



On Tue, Apr 23, 2019 at 4:18 PM Paul Timmins 
mailto:p...@telcodata.us>> wrote:
I guarantee you that if carriers were made civilly or criminally liable
for allowing robodialers to operate on their network, this sort of issue
would end practically overnight. Robodialer calling patterns are
obvious, and I'd imagine any tech could give you a criteria to search
for in the CDR streams to identify them and shut them off in hours.

Problem is, they're lucrative to provide services to, and there is
immunity on the carrier's part to these sorts of issues. SHAKEN/STIR
nonwithstanding (I don't think we'll see widespread adoption of this
within a decade, even with a government mandate as there's still a
massive embedded base of switches that can't support it and never will).

It may be incredibly frustrating, but there's plenty of money to be made
in prolonging the problem.


That was my thought as well. From what I heard last 50% of the calls are fraud. 
That's a lot of money that they are collecting on origination. I also saw this 
https://www.multichannel.com/news/comcast-and-att-test-anti-robocalling-tech 
and did  a test. A client owned a Comcast number and had ATT. I set the CLI to 
the Comcast number and it showed up on the ATT phone as I set it. You would 
think if ATT had the tools in place at the very least it wouldn't display the 
number.

Re: OffTopic: Telecom Fraud

[Mel Beckman]

From the NANOG mailing list FAQ:

“You can help keep NANOG's signal-to-noise ratio high by subscribing to the 
nanog-offto...@lists.blank.org list, and 
migrating digressive conversations there. To subscribe, send mail to 
nanog-offtopic-subscr...@lists.blank.org
 and reply to the confirm message it will generate.”

-mel via cell

On Apr 23, 2019, at 1:53 PM, Mel Beckman 
mailto:m...@beckman.org>> wrote:

Dovid,

You are correct that your message is off topic. I respectfully ask that you 
honor the rules of this mailing list and refrain from off topic posts. They 
simply add noise to an otherwise useful and highly germane experts resource.

-mel beckman

On Apr 23, 2019, at 1:24 PM, Dovid Bender 
mailto:do...@telecurve.com>> wrote:



On Tue, Apr 23, 2019 at 4:18 PM Paul Timmins 
mailto:p...@telcodata.us>> wrote:
I guarantee you that if carriers were made civilly or criminally liable
for allowing robodialers to operate on their network, this sort of issue
would end practically overnight. Robodialer calling patterns are
obvious, and I'd imagine any tech could give you a criteria to search
for in the CDR streams to identify them and shut them off in hours.

Problem is, they're lucrative to provide services to, and there is
immunity on the carrier's part to these sorts of issues. SHAKEN/STIR
nonwithstanding (I don't think we'll see widespread adoption of this
within a decade, even with a government mandate as there's still a
massive embedded base of switches that can't support it and never will).

It may be incredibly frustrating, but there's plenty of money to be made
in prolonging the problem.


That was my thought as well. From what I heard last 50% of the calls are fraud. 
That's a lot of money that they are collecting on origination. I also saw this 
https://www.multichannel.com/news/comcast-and-att-test-anti-robocalling-tech 
and did  a test. A client owned a Comcast number and had ATT. I set the CLI to 
the Comcast number and it showed up on the ATT phone as I set it. You would 
think if ATT had the tools in place at the very least it wouldn't display the 
number.

[FYI] Call for Presentations European Peering Forum 14 (EPF14) // NANOG

[Arnold Nipper]

Dear Community

This is the Call for Presentations European Peering Forum 14 (EPF14)

AMS-IX, DE-CIX, LINX and Netnod are happy to host the 14th European
Peering Forum (EPF) in Tallinn, Estonia from the 16th - 18th
September 2019. The event will welcome up to 300 peering managers and
coordinators from networks connected to the host Internet exchanges.
Besides an interesting topical agenda, the three-day event
accommodates room for attendees to meet on a one-to-one basis to
discuss bilateral peering business opportunities.

The programme committee will be looking for presentations and
lightning talks related to peering and technical topics of
interconnection. Your presentation should address

 * Interconnection Automation
 * Regional Peering
 * Interconnection / Peering Internet Governance and Regulatory Topics
 * Economic and Product Trends
 * Peering / Interconnection strategies
 * Interesting findings about Peering / Interconnection
 * 400GE and beyond


Submissions
===

Presentations must be of a non-commercial nature. Product or
marketing heavy talks are strongly discouraged.

Submissions of presentations should be made to the programme
committee . Please include:

 * Author's name and e-mail address
 * Presentation title
 * Abstract
 * Slides (if available)
 * Time requested (max. 30 minutes incl. Q&A)


Deadlines
=

Presentation Abstract Deadline  15/07/2019 12:00 UTC
Final Selection of Speakers 26/07/2019
Presentation Slides Submission Deadline 02/09/2019 12:00 UTC


More information about the event and other activities around EPF14
may be found at

 * https://peering-forum.eu/

 * https://www.facebook.com/groups/1486607564933665/


Best regards
Arnold
-- 
Arnold Nipper
email: arn...@nipper.de
mobile: +49 172 2650958





signature.asc
Description: OpenPGP digital signature

Comcast storing WiFi passwords in cleartext?

[Töma Gavrichenkov]

Hi NANOG,

Here's an issue raised today:
https://security.stackexchange.com/questions/207895/how-does-comcast-know-my-wifi-password

Apparently there's a concern with customers that their seemingly
private passphrases, entered in their own boxes, are being shared with
the upstream ISP without an explicit customer consent, and are kept in
the ISP database for an unspecified period of time. Is it there by
design?

if so, then maybe some tweaks are necessary?

--
Töma

Re: Comcast storing WiFi passwords in cleartext?

[Seth Mattinen]

On 4/23/19 16:46, Töma Gavrichenkov wrote:

Apparently there's a concern with customers that their seemingly
private passphrases, entered in their own boxes, are being shared with
the upstream ISP without an explicit customer consent, and are kept in
the ISP database for an unspecified period of time. Is it there by
design?

if so, then maybe some tweaks are necessary?



Don't use the built in wifi AP on a cable modem combo would be my first 
reaction.


~Seth

Re: Comcast storing WiFi passwords in cleartext?

[Töma Gavrichenkov]

On Wed, Apr 24, 2019 at 3:07 AM Seth Mattinen  wrote:
> Don't use the built in wifi AP on a cable modem combo would be my first
> reaction.

Totally correct, but that's what s/he claims to have already taken care of!

--
Töma

Re: Comcast storing WiFi passwords in cleartext?

[Laurent Dumont]

It's not exactly clear from the StackExchange post but if the end-user is
also using Comcast as an ISP, then I guess the modem simply re-registered
under the new customer and is happily providing the visibility to Comcast?

On Tue, Apr 23, 2019 at 8:34 PM Töma Gavrichenkov  wrote:

> On Wed, Apr 24, 2019 at 3:07 AM Seth Mattinen  wrote:
> > Don't use the built in wifi AP on a cable modem combo would be my first
> > reaction.
>
> Totally correct, but that's what s/he claims to have already taken care of!
>
> --
> Töma
>

Re: Comcast storing WiFi passwords in cleartext?

[Luke Guillory]

OP said they logged into their account and went to the security portion of the 
portal. So one can assume they're the ISP or I don’t see the point in asking 
how Comcast would know the info.


Luke
Ns



Sent from my iPad

On Apr 23, 2019, at 8:05 PM, Laurent Dumont 
mailto:laurentfdum...@gmail.com>> wrote:


It's not exactly clear from the StackExchange post but if the end-user is also 
using Comcast as an ISP, then I guess the modem simply re-registered under the 
new customer and is happily providing the visibility to Comcast?




On Tue, Apr 23, 2019 at 8:34 PM Töma Gavrichenkov 
mailto:xima...@gmail.com>> wrote:
On Wed, Apr 24, 2019 at 3:07 AM Seth Mattinen 
mailto:se...@rollernet.us>> wrote:
> Don't use the built in wifi AP on a cable modem combo would be my first
> reaction.

Totally correct, but that's what s/he claims to have already taken care of!

--
Töma

Re: Comcast storing WiFi passwords in cleartext?

[Peter Beckman]

On Wed, 24 Apr 2019, Luke Guillory wrote:


OP said they logged into their account and went to the security portion
of the portal. So one can assume they're the ISP or I don’t see the point
in asking how Comcast would know the info.


It is entirely possible that an account separate and hidden from the
customer account would be able to access the administrative controls of the
router. It is also plausible that the access does not use a
username/password to authenticate but another, hopefully secure method.

One could make this access secure by:

1. Ensuring any connection originated from Company-controlled IP space
2. Username/Password are not provided to the CS agent but is merely a
button they press, after properly authenticating themselves as well
as authenticating the customer, that would pass a one-time use
token to access the device
3. Every token use was logged and regularly audited
4. Keys were regularly and in an automated fashion rotated, maybe even
   daily

If such precautions are taken, it is their router and it is their service,
seems reasonable that Comcast should be able to log into their router and
change configs.

Beckman
---
Peter Beckman  Internet Guy
beck...@angryox.com http://www.angryox.com/
---

Re: Comcast storing WiFi passwords in cleartext?

[Peter Beckman]

On Tue, 23 Apr 2019, Peter Beckman wrote:


On Wed, 24 Apr 2019, Luke Guillory wrote:


OP said they logged into their account and went to the security portion
of the portal. So one can assume they're the ISP or I don’t see the point
in asking how Comcast would know the info.


It is entirely possible that an account separate and hidden from the
customer account would be able to access the administrative controls of the
router. It is also plausible that the access does not use a
username/password to authenticate but another, hopefully secure method.

One could make this access secure by:

   1. Ensuring any connection originated from Company-controlled IP space
   2. Username/Password are not provided to the CS agent but is merely a
   button they press, after properly authenticating themselves as well
   as authenticating the customer, that would pass a one-time use
   token to access the device
   3. Every token use was logged and regularly audited
   4. Keys were regularly and in an automated fashion rotated, maybe even
  daily

If such precautions are taken, it is their router and it is their service,
seems reasonable that Comcast should be able to log into their router and
change configs.


... such that the access of the Wifi Password which is likely stored in
plain text on the router is accessed by Comcast in a secure manner and not
stored in plain text in their internal databases.

But I'm guessing probably it's just cached in plain text in their internal
DBs.

Get your own router if you're worried about your Wifi Password being known
by Comcast. Or change to WPA2 Enterprise, but I'm guessing that isn't
supported on the router...

---
Peter Beckman  Internet Guy
beck...@angryox.com http://www.angryox.com/
---

Re: Comcast storing WiFi passwords in cleartext?

[Yang Yu]

On Tue, Apr 23, 2019 at 4:48 PM Töma Gavrichenkov  wrote:

> Apparently there's a concern with customers that their seemingly
> private passphrases, entered in their own boxes, are being shared with
> the upstream ISP without an explicit customer consent, and are kept in
> the ISP database for an unspecified period of time. Is it there by
> design?

Not sure what the concern is here. Cable model with builtin WiFi
(managed WiFi) is part of the service you signed up for and you are
free to use your own WiFi solutions. Chances are the CPE is rented
from ISP... Are you expecting the passphrase to get stored as a one
way hash?

Arris Touchstone has TR-069 connecting to ACS for configuration/management.

This platform is ridiculously insecure and the web interface
essentially does SNMP read/write over HTTP.
https://w00tsec.blogspot.com/2015/11/arris-cable-modem-has-backdoor-in.html

Re: Comcast storing WiFi passwords in cleartext?

[Christopher Morrow]

On Tue, Apr 23, 2019 at 10:35 PM Peter Beckman  wrote:

> ... such that the access of the Wifi Password which is likely stored in
> plain text on the router is accessed by Comcast in a secure manner and not

you've seen TR-069 right?

:( 

RE: Comcast storing WiFi passwords in cleartext?

[Luke Guillory]

Yes it's in the router, accessed via the following MIB.



Name arrisRouterWPAPreSharedKey
OID  .1.3.6.1.4.1.4115.1.20.1.1.3.26.1.2
MIB  ARRIS-ROUTER-DEVICE-MIB
Syntax   OCTET STRING (SIZE (8..64))
Access   read-write
Status   current

Descri   Sets the WPA Pre-Shared Key (PSK) used by this service set.  This
   value MUST be either a 64 byte hexadecimal number, OR an 8 to 63
   character ASCII string.


Which returns the following.


OID: .1.3.6.1.4.1.4115.1.20.1.1.3.26.1.2.10004
Value: F2414322EE3D9263
Type: OctetString

OID: .1.3.6.1.4.1.4115.1.20.1.1.3.26.1.2.10003
Value: F2414322EE3D9263
Type: OctetString

OID: .1.3.6.1.4.1.4115.1.20.1.1.3.26.1.2.10002
Value: F2414322EE3D9263
Type: OctetString

OID: .1.3.6.1.4.1.4115.1.20.1.1.3.26.1.2.10001
Value: F2414322EE3D9263
Type: OctetString





Ns







-Original Message-
From: Peter Beckman [mailto:beck...@angryox.com]
Sent: Tuesday, April 23, 2019 9:35 PM
To: Luke Guillory
Cc: Laurent Dumont; NANOG
Subject: Re: Comcast storing WiFi passwords in cleartext?

On Tue, 23 Apr 2019, Peter Beckman wrote:

> On Wed, 24 Apr 2019, Luke Guillory wrote:
>
>> OP said they logged into their account and went to the security
>> portion of the portal. So one can assume they're the ISP or I don’t
>> see the point in asking how Comcast would know the info.
>
> It is entirely possible that an account separate and hidden from the
> customer account would be able to access the administrative controls
> of the router. It is also plausible that the access does not use a
> username/password to authenticate but another, hopefully secure method.
>
> One could make this access secure by:
>
>1. Ensuring any connection originated from Company-controlled IP space
>2. Username/Password are not provided to the CS agent but is merely a
>button they press, after properly authenticating themselves as well
>as authenticating the customer, that would pass a one-time use
>token to access the device
>3. Every token use was logged and regularly audited
>4. Keys were regularly and in an automated fashion rotated, maybe even
>   daily
>
> If such precautions are taken, it is their router and it is their
> service, seems reasonable that Comcast should be able to log into
> their router and change configs.

... such that the access of the Wifi Password which is likely stored in plain 
text on the router is accessed by Comcast in a secure manner and not stored in 
plain text in their internal databases.

But I'm guessing probably it's just cached in plain text in their internal DBs.

Get your own router if you're worried about your Wifi Password being known by 
Comcast. Or change to WPA2 Enterprise, but I'm guessing that isn't supported on 
the router...

---
Peter Beckman  Internet Guy
beck...@angryox.com http://www.angryox.com/
---