
Good afternoon. We're gonna get started with our last presentation of the day in this room. I'm going to introduce Matt Scheurer, and I'm going to start by thanking him for being a sponsor, or being a speaker, because our speakers and sponsors, volunteers, everybody makes this happen, so that's just a little token of appreciation. You're welcome. Matt Scheurer is a show host for the ThreatReel Podcast and also works as an Assistant Vice President of Computer Security and Incident Response in a large enterprise environment. Matt has many years of hands-on technical experience, including digital forensics and incident response (DFIR). He volunteers as a Hacking Is Not a Crime advocate and
as a technical mentor for the Women's Security Alliance. He has presented numerous information security topics at many technology meetup groups, prominent information security and hacker conferences, including keynotes at the Information Security Summit and Queen City Con. Matt is also a 2019 Comspark "Rising Tech Stars" award winner and was named a "Top 12 Hacking Influencer" by Bishop Fox in 2023. Welcome, Matt.

Thank you, Kathy, really appreciate it. Great to be here at BSides Rochester. My hope here is I can put the rock in BSides ROC. So with that, my name is Matt Scheurer. You can get the slides, they are live now: if you go to slides.dfirmatt.com, that will take you to my
GitHub repo and you can get a copy of the slide deck today. I can blitz through a lot of this. Actually, the bio I gave the organizers is now out of date, because as of yesterday I submitted the offer letter: I am now full Vice President of Computer Security and Incident Response. But if you do want to get a hold of me on LinkedIn, do reach out, and then also on the X social media platform, formerly called Twitter, at @c3rkah, and always post wherever I'm speaking and the things I'm doing. So give me a follow, send me a connection request, all that good stuff. Be happy to
chat with anybody about anything. I do volunteer, like Kathy said, Hacking Is Not a Crime advocate. That just simply says I agree with their mission statement, that the pejorative of the term hacker gets quoted when really they're talking about cyber criminals. Hacking Is Not a Crime is saying, look, hacking is cool, cyber crime is crime. Also, this didn't make the bio either, but I'm a board member for the Warren County Career Center back home in Ohio, where I'm from, and also WSA technical mentor, great organization, for Women's Security Alliance. Feel free to get the slides, check out these websites. I'm here talking about
myself; everything I say is all me and nothing to do with my employer. So let's talk about social engineering. Some believe that social engineering dates all the way back to the Garden of Eden, but whatever you personally believe, deception and trickery have likely been with us all for a very long time.

Social engineering and technology: social engineering intertwined with technology by, well, telephony inspiring phone phreaking. We're going to talk a lot about phone phreaking in this talk. The telephone system blossomed into the world's first interconnectable global network. Before the days of Internet we had the telephone system that could connect people around the world, and that was a marvelous thing, and
there are a lot of steps along the way; we're going to talk about those. Telephone companies, or we just call them telcos for short. Phone phreaking, I'm going to talk at length about this. So I have tried beautifully hard to get the stuff right. I will tell you, if you ask me, "21 till I die" is how old I am, but some of this stuff predates me, some of it does not. We'll just leave it there. But timelines are a little fluid here, because different geographic regions had access to different technology stacks. So for example, the telephone system in New York City was going to be radically
different than, say, rural Montana, just because of density, population, demand on the systems, all those type of things. Starting the 19th century and onward, telephone companies hired switchboard operators, and these were people that sat at a switchboard and literally moved cables from jack to jack to make these calls connect. And many of the early subscribers communicated on what were called party lines. What a party line was: on your street they might say, hey, okay, you are ring number five, person here, you're ring number three. You were given a number, so when the phone rang X number of times you would know that was for you. But there was no expectation of
privacy, because if you were supposed to be ring number five and you heard it ring three times, well, you could pick up and eavesdrop, and being on a party line you sort of knew that. So you had to be a little careful what you said, because you never knew who or when somebody might be listening in on the calls. Late 19th century and early 20th century, that's where we got the Strowger step-by-step, or, I'm sorry, SXS switches, and these switches continued to grow in footprint during the early 20th century. This was introducing electromechanical to the system, and it was the beginning of automation. There were a lot of
advancements in automation after this point; we're going to touch on those. 1940s, 1950s: this is where it starts getting really interesting, because AT&T developed automation using audible tones for long-distance call routing. And so these multifrequency signals on the switches were assigned to telephone digit numbers, and then they used single-frequency tones for the status signaling on the lines. We'll talk a little bit about tones that would let you seize a trunk, for example. These advancements paved the way for phone phreaking blue boxes in the future. And so in the 1950s and 1960s, beginning around the mid 20th century, telephone companies began more widely deploying circuit switching technologies
such as panel and crossbar. These switches, with reliable transistors, paved the way for viable dual-tone multi-frequency, or DTMF, support, often referred to as touch tones on phones. Now, before we had touch tones... If I do a site survey here in the room, I'm not going to point anybody out, but I brought some relics with me to show here. I'm going to go out on a limb and say that some people have probably never seen one of these in person, touched one, used one in real life. This is a rotary dial telephone. Now, the way this phone worked is, if I wanted to dial a 555 prefix, I put my finger, or if I had long nails
maybe an eraser, into the number five hole, I spin the dial from the dial pad all the way to the metal stop, and I let it go. Now, when you're listening you could actually hear those clicks and those pops; you could actually hear that traversing the phone system, or pulses, if you will. So to dial the second five, I put my finger back in the hole, spin it back to the metal stop, and I let it go. Now I put my finger back in the number five hole, I spin it back to the metal stop, and I let it go. That was actually work, and also took a little bit of time, not like today where
we can just instantly pull up a contact list and boom, we have the call. Now, what's interesting about these phones, a lot of these early phones, what people may not realize is, back in the day, the phone company actually owned the phone. You were essentially leasing the equipment. So everything on this phone is hardwired; there were no modular jacks on this thing. So if one of these cords got sucked up in the vacuum sweeper, you actually had to make a service call to the phone company, and they would have to send a technician out to essentially replace whatever had broken. And if it was just simply cords, it got to be a
common thing. So eventually, when these DTMF, or these dial phones, you went from rotary to an actual number pad. I've got one of those.
So this old school phone, again, this would typically be leased equipment. Now, instead of having to spin a dial pad around and wait, I could actually just sort of punch the number pad to get the number I want, and this looks probably a little more familiar to most people in the room. What's interesting is you see this has modular jacks, so the phone company kind of sized up and thought, you know, maybe people should just be able to replace their own if we just send them a replacement. And so technology changed, but really these were the things that sort of paved the way for it. Got
another fun relic here. By quick show of hands, anybody here seen the movie WarGames? All right, so a good number of people in the room, and if you haven't seen it, definitely check it out. This is an acoustic coupler; this is prominently featured in the movie WarGames. Before we had all sorts of wireless technologies, before we had Ethernet, long before we had any of this stuff, we didn't really have modems. Of course external modems came out, and then eventually internal modems. But this was essentially something that you would put the handset from your phone into the cradle, you would dial like you would any other number, and it would literally use
the transmit and the receive to send and receive back and forth audible tones. So essentially you have the back-end system generating audible tones, and what's happening with that is, it is taking digital information, encoding it to an analog signal, sending it through the phone line, and then the reverse process happens where it's decoding the data, and that's how data was transmitted. This gem in particular is a 1200 baud acoustic coupler, and that is smoking, because, yeah, very, very common to see like 100, 150, 300, some of those. 110, thank you for the correction. So yeah, old school stuff, and what's interesting is, even though this is
featured very prominently in the movie WarGames, you could actually not really, because it didn't have the ability to make the calls, you couldn't actually war dial with one of these. So they kind of fudged that in there a little bit, though it did obviously inspire later, and one of the other speakers had mentioned ToneLoc was a war dialer program that you could do those type of attacks, listen for, or scan for things. Obviously today we use network scanners, and there's any number of them, Nmap to, you name it, Masscan, just on and on. There's all sorts of things that'll do scanning. But back in the day
people would essentially have their modem set to just dial, and a lot of times they'd just increment the number by one and just go through a whole series of numbers to identify other modems. So before we had IP scanners, we had war dialers.
1970s to present: electromechanical switches were slowly being phased out in favor of newer digital switches, so electronic switching system, or ESS. This migration to digital switching was really the beginning of the end for analog telephony in favor of digital telephony. And if you fast forward to modern times, obviously Voice over IP, or VoIP, is quickly displacing all prior forms of telecommunications. There's still actually some advantages to having a conventional landline: you're not dependent on power. Even if you lose electricity you might still have the ability to make, you know, it depends what it is, if a whole pole goes down or whatever, but
yeah, it's getting more rare for the old traditional phone service to be around.

Phone phreakers: who are and were the phone phreaks? These were people who enjoyed exploring phone systems. They also enjoyed experimenting with technology. Some were obsessed with learning the science and technology behind telephones and phone networks. Phone phreaking often became a gateway or bridge towards becoming a computer hacker, or vice versa, in war dialing. And if you look at the previous points, you might start to think, wow, this sounds an awful lot like a hacker, and you'd be right. And so a lot of times you had phone phreaks that were sort of, they'd already explored the phone system, but now computer technology
was becoming more affordable, so they might move into computer hacking because it was sort of the next thing. And conversely, people might start off wanting to hack things, but if they're going to war dial they don't want to pay a big phone bill, so they would learn phone phreaking. So oftentimes one led to the other, vice versa. The objectives of phone phreaking: for some it's just that got-to-know, that learning, that thirst for knowledge. For others it's meeting and speaking with other phone phreaks. Pretty small communities; chances are that you have another phone phreak in the neighborhood maybe, but probably not, so
you would have to find other phone phreaks hiding out on the phone system, essentially standing up bridges to cross-communicate with one another and meet other phone phreaks and really discuss things. Pranks and mischief: I can't undersell this one too much. Yeah, you might like to sort of try to get back at the person you don't like, but that's almost secondary to messing with your friends, or people you don't have a beef with but you just like to mess with them, because you mess with each other back and forth, and when you're immature in particular it's just sort of what you do. And tragically, we don't grow
completely out of it, at least I maybe haven't. But making free phone calls to anyone, anywhere, was really a primary drive, and I have to explain this because I know some people in the audience: stealing phone service, why would anybody do that? Because with my cell phone I have a flat rate unlimited plan. I can call just about anyone, anywhere, talk as much as I want; doesn't cost me any more, or any less if I don't bother doing that. But think about this: long distance back in the day in particular would run upwards of a dollar a minute. Imagine the amount of screen time you probably have on your own personal phone every day. What if you had to pay a
dollar a minute for every minute you were looking at the phone? You would either stop using your phone or you would try to figure out ways of not having to pay that, right? So the other thing to know is that, particularly if you were younger and if your parents saw that you ran up a $400 phone bill in 20th century money, you were going to be in bigger trouble than that time my boss yelled at me and grounded me for an entire month when I tried to file an expense report for this
outfit.

This is not a list that has all the movies, but I wanted to highlight these in particular because they had very prominent phone phreaking. They didn't just talk about it, but they actually kind of demoed it a bit. So Three Days of the Condor was released in 1975 with Robert Redford in it, and he has a scene in there where he essentially is convincing the telephone company to do things to his bidding, and they actually believe that he works for the phone company, so he's able to talk them into doing just that. WarGames, I talked about earlier, is released in 1983. Old movie, fantastic though, and some of it still actually stands up pretty well
to today. Hackers was released in 1995. We'll talk about red boxing here in a little bit; they definitely covered that. Pirates of Silicon Valley was a made-for-TV movie released on the Turner networks. Apple got their start, before they were Apple Computer, Steve Wozniak was building blue boxes and they were selling them so that people could make free phone calls. And I didn't put Sneakers in the list, but it probably deserves honorable mention. There was some talk about phreaking stuff, there wasn't any actual demos of realistic; there was a Hollywoodized version, but that was mostly fictional. Still a fantastic movie
though. So some classic phone phreak tools, we're going to talk about these. So musical instruments and whistles, and then there were phreaker boxes. There were a bunch of these; I'm going to talk about three of them in particular: blue boxes, beige boxes, and red boxes. Pay phones, we're going to talk about pay phones, tape recorders, and then scanners and radios.

So phone switching and tones: early phone systems used audible control tones, as we talked about. Some musical instrument notes would pass as recognizable switch signal tones, and sometimes you'd have to play two notes on a musical instrument together to get that dual tone. Some people were able to whistle the tones. A lot of the
early phone phreaks actually were visually impaired, and so they spent a lot of time sort of honing their skills on whistling tones that they could then use to control the phone system. And then Cap'n Crunch cereal actually was giving people, oops, a bosun whistle, and what people figured out was this dual tone, and if you covered the inside port on this thing and blew it, that would produce a perfect 2600 Hz tone that they could then use to seize a trunk on a phone system, as the beginning of being able to make that free phone call. Now, I don't have a blue box with me, but these generated 2600 Hz tones
among others, and they were used for controlling phone switches and gave users the ability to place free phone calls. And again, I talked about how Apple Computer first started selling these to people that wanted them, and that sort of money helped seed what became Apple.

Beige boxes, I'm going to talk about this quite a bit. So a beige box is simply a lineman's handset, or a homemade variety thereof, and it was used to connect to a phone wiring block, and it can be used to tap into the phone line or connect a new extension onto a discovered phone block. Now, this is a real deal lineman's handset. You can buy these; they're pretty expensive, to be
honest with you, but these were what the telephone technicians would actually carry around, the folks that would climb onto the poles and work on the telephone lines, and they would use these to test. And when you look at these, they have all the features on here of what most phones would have. These had the ability to switch, because DTMF that I talked about earlier, with the touch tones, that was sort of a phased rollout from community to community. So this had a touch-tone, a TT switch side, so it would emulate, or what was called pulse dialing, it would emulate rotary dial phone service, or dialing for that type of
service, and then you had the dual pulse, or I'm sorry, digital pulse, which were just dialing the numbers. These are actually very durable. I could probably beat dents into the podium and this thing would still just work. These have alligator clips, two of them on the end, and these are very sharp and pokey. So with this, if you found a phone line, you could actually clip into it. That would enable you to tap the line without actually disconnecting any wires or fooling around with it, and you could mute this, so the person, unlike the party line where there was no assumed privacy, people could actually tap
phones. There's actually an interesting case I talked about with somebody, I sort of plug in the shout-outs at the end, where they kind of got into trouble. This was the phone company, but they tapped somebody's line without authorization from the FCC because the local police department had asked them to. But these were hard to come by back in the day. I wouldn't endorse it, but maybe you could find an unlocked van that would maybe have one of these and kind of sneak it out of there, something like that. You might be able to dumpster dive it, or you may have a relative
that worked and then retired, something like that. But they're pretty hard to come by, and if you didn't have money for, or the resources for, something like this, well, you can do a home variety here, and this is ideal because this is a regular phone, but everything in here, including the switch hook, is on the handset piece. The base is really just a plastic cradle; it doesn't do anything other than, because the plastic molding presses the switch hook down, it hangs it up. And this had mute and a bunch of other stuff. And so what you do is you'd take
something like this, basically cut off the jack, and you would splice in some alligator clips, solder these on there, and this is a very cheap DIY version of the lineman's handset, and this was accessible to pretty much anybody. The other thing you could do if you had those is, if you were patrolling around a building, maybe on the inside of it, we talk about reconnaissance a lot in offensive security circles, that was sort of the precursor to that, right? If you could find a phone
block that you could sort of clip onto, you could give yourself an extension, you could make calls on there, you could do all sorts of manner of stuff. I was kind of curious; I looked on a certain large online retailer, and for less than $20 delivered to your house you can actually get a test phone, which is really just a beige box that you could actually buy without even having to make your own. And what's really cool about this is, I remember having different cables: one would have a jack on it, some would have alligator clips. If you had a modular jack phone you could switch
between the two. What they actually have is alligator clips sort of spliced into the wire, and you have the RJ11 jack that you could plug in, so it wouldn't matter if you found a wiring block or if you found a jack that you wanted to test out. This is sort of one of these, it's so simplistic and yet genius, and I look at that and think, why didn't I think of that back in the day? Because how handy, and again very inexpensive, delivered to your house today. You don't have to make your own; you can just order it, cheap enough. Now, outside of alligator clips, if
you want to give yourself a more permanent connection, you had some options, and this is a punch-down tool. This particular punch-down tool has the old 66 block, this is reversible, on point, if you will, and also had the 110 block, and here in the back is the blade if you want to cut cable, which you would generally have to do with the 66 block. Now the interesting thing is the 110 block, actually one side of it is bladed, the other side is not, so when you were using a punch-down tool like this you have to be very careful to actually get the
blade side on the excess part of the cable, because if you didn't, you would cut the wire short, it would fall right off the block, and you'd feel really stupid. I might know that from personal experience. But yeah, very simply, you put your wire on the peg and push it down, punch it down, and you could go ahead and give yourself a little more permanent connection that might look less out of place than something with alligator clips on
it.

Pay phones were once very commonplace. They have largely disappeared, but once upon a time these were everywhere, and there were some advantages to using a pay phone as a phreak. They provided a physical layer of separation from home. If you're doing bad stuff today you might use a VPN or a proxy or Tor or something like that to sort of hide where your true origin is. That's a lot harder to do from your home phone, so pay phones were great because it had that physical layer of separation, so you're not doing the bad stuff directly from where you are physically located. It also offered a layer of anonymity to their users, so you could make calls to
people from a pay phone and you might have plausible deniability, like, I don't know, the phone rang, I picked it up, there was somebody on the other end, we just chatted for a bit, it was a really strange call, I don't know why they called me. It's very hard to prove intent. You could actually call pay phones and they would ring you, so you could do that in reverse. If there was somebody you wanted to chat with, you could say, hey, be at this pay phone on this corner at this time, and again it's that layer of anonymity where, hey, I was just walking by this
phone outside the Quickmart here and lo and behold it started ringing, so I picked up; I had no idea who it was calling that thing. And so you had that layer of deniability. Now, I didn't bring an entire pay phone with me; that would have been hard to fit in the suitcase. However, I do have an official pay phone handset, and what's cool about this is you see it's got the armored cable here, and it's actually lined with a steel cable to reinforce it, to make sure people didn't just rip it off the phone or break the line, those sort of things. What's kind of cool is when you look at it, it's just a
standard, like, RJ9 jack that you would plug into any phone. So I do have the handset from a legit pay phone here.

And so, yeah, red boxes. Red boxing was used by phone phreaks to load fake money into pay phones by playing tones into the handset's mouthpiece, thus enabling users to place free phone calls from the telco owned and operated pay phones. Now, talked about 21 till I die, right? May have generated these tones myself with the tone generator longer ago than apparently I was alive, but I do promise it is true that I did generate these tones once upon a time. And so here in the United States we had
a dual tone. I'm going to go ahead and play this. So if you heard that, that was a quarter on a pay phone. Once upon a time you could just play those tones: pick up the phone handset, play them in, and load it up with fake money to make your calls. Looking at it geographically, we're not that far from Canada. Canada also, you could have red box tones; they were a little different though, they're single tone. So you probably heard the difference between the United States pay phones versus Canadian pay phones. And I also have UK 10p and 50p pieces of the British pound. Had all these
tones, and so later on the phone company wised up. So it was always a cat and mouse game, and at a certain point you basically had to have an established call, because it wouldn't just listen in when the handset was picked up, until there was an established call. So it became an exercise in social engineering, where you'd get an operator on the call, you'd ask for a number, and then they'd give you the number, and like, "I don't, my pen isn't writing," or "The dial pad on this phone is disgusting, there's like chewing gum on it, I don't want to touch that. Can you transfer the call?" Okay, sure, just deposit some money into the
phone. So it's as simple as playing the tone into the mouthpiece, and then you could make your call, because they couldn't really tell, the phone operator, if you actually put real money in at that point or if it was just simply tones. So some people weren't adept at building hardware tone generators that were in a portable format, and so if you weren't adept at creating hardware and building your own circuits, you could actually hear those tones on the phone when they were happening, and so you could actually record them, use a tape recorder, and then play them back. Now, we didn't call those things replay attacks back in the
day. Modern times replay attacks, we have things like session cookies and packets and any sort of authorization token that you can play back and get access. So while we didn't call it a replay attack back in the day, it's exactly what it was. And so there's a couple adapters I brought with
me. If you had access to the phone jacks, this was kind of handy. You could actually put this in line; this essentially just splits off the signal. So you plug in the line cord on the one end, you've got a plug on the other end, so this is sitting right in between. You can think of it like a modern, well, not modern times, you can think of it like a network tap; this would do essentially the same thing. And what would happen is it would essentially split off the audio communications into a jack here that we could plug into a mic jack
or a line-in jack on a recorder and capture it that way. So if you had access to the jacks, this was really optimal for that sort of thing. You may not have access to the jacks, like we looked at the hardwired thing; pay phones were hardwired, so sometimes you may not have access to jacks to do that. So we had these: essentially these are the pickup coil, and it's an inductor coil with a suction cup on the end of it. The way this works is you would just put this suction cup onto the phone, and this would stick, if I got it a little wet here it would anyway, and
again here's our line cord to get the audio out into a recorder, and again, once you'd recorded whatever tones you needed, you could play them back simply by playing back from the recorder. So these pickup coils were extremely helpful whenever you didn't have access to the modular jacks.

Scanners and radios were capable of listening in on wireless communications and eavesdropping on conversations. So the earliest mass-produced cordless phones operated in the 43 to 50 megahertz range. People would unwittingly bug themselves, not even realizing it. Most common radio scanners would be capable of listening in on phone calls that people would just not even give a second thought; they would just start talking, so
they think, since they're talking on their own phone and this isn't the party line days of old, they would think that they have private communications, but they really might not if somebody's actually listening in. The early cell phones operated in the 800 MHz range, and what was interesting is that eventually the United States government had laws to, and people referred to them as cell-blocked scanners. So if you had a scanner, and it would typically be the more expensive, fancier ones that would operate in the 800 MHz range, everything at a certain point had to be sold, had to not be able to listen in on cellular frequencies. What was interesting is Canada had a lot of the same frequencies,
same steppings and that sort of stuff, but they didn't have that law on their books. So if you could find an old 800 MHz scanner that was grandfathered in, you were golden; you could listen in to cell conversations. There may have been a few people that went across the border to Canada to buy a little radio scanner and smuggled it across the border. And also a lot of the baby monitors had overlapping channels to those old cordless phones, and people would have these in their houses and they would talk about anything and everything, and this device is literally capturing every part of the conversation in the room and just broadcasting it out plainly for anybody
that happens to be listening in the neighborhood. And so it's sort of scary, because people are bugging themselves, not even stopping to think somebody could actually be recording this or listening in on this stuff; they have no idea. Now, I didn't bring any of my old big bulky scanners with me, but I did bring a couple SDRs, software defined
radios. And so I have these. These are USB devices. This is sort of the real old school, like gen one, new, software defined radio. These would definitely listen in on 800 MHz, 900 MHz stuff pretty easily. These won't actually get those lower bands for the old cordless phones and the old baby monitors, that sort of thing, but they did start to pick up when 900 MHz cordless phones became prevalent, and so these would do that today. This is a more modern, newer generation, like version three of the RTL-SDRs, and these are pretty darn inexpensive. Used to be radio scanners, that was pretty pricey, but these things you
can get them usually like around 20 bucks depending what kind of quality you're looking for and what kind of bandwidth you're looking to cover so the uh telephone companies themselves didn't uh they weren't capable of doing anything and everything that customers wanted so a lot of organizations particularly larger organizations would have their own phone switches uh these were the private branch exchange uh PBX systems uh these were obviously much smaller than what the telephone companies had uh they were typically owned and operated by the organizations and private businesses themselves uh or they might contract with the company to install a PBX and manage it for them um but uh this enabled offices to be able
to more easily have extensions internally where people could call internally uh with one another not everybody needed that did that direct dial number uh in order to do that uh they also offered services like holding calls unholding calls so they offered the organizations a lot of options that uh you know including later on voicemail which I'll touch on in a minute that they couldn't get directly from the phone company at the time so PBX abuse and hacking because hey if it's connected to the phone system people have tried tried to hack it right uh enumerating company employee phone directory abuse now if you want to do OSINT it's relatively easy you can try to Google anybody in this room you may
or may not get interesting results back if they've got an accurate profile in LinkedIn you can learn a lot about a person uh by scanning LinkedIn you can target a specific company and say show me who works there you know I'm going to look for certain job titles before the days of LinkedIn and all of that uh you had dial by name on a lot of phone systems so you could actually call in and start dialing the uh on the number pad uh like the first or the first three letters of last names and just kind of get the whole list and it would spit out the names you can get the details you could find out who was
working in a place what their extension was uh and so it became a way for phone phreaks to enumerate company directories uh compromising voicemail boxes and listening to saved messages was another thing that happened so a lot of times people were set up with a voicemail box and the extension was also the PIN to get into their voicemail it's a good thing that we don't use default passwords in today's times oops and or they would be very easy to guess and so you could call call in and literally listen to other person's messages and you know they would be none the wiser and you could take all the notes you want you could record the
stuff like we talked about um but if you compromised a PBX you could also set up an unauthorized voicemail box now you can pretend to be an employee you have an extension right so you can start calling people and pretext social engineering and hey this is Johnny I'm I'm new here and I was told to reach out to you by so and so uh please give me a call I'm looking for this particular information if you could get that to me I'd appreciate it person calls them they because they have their extension they don't get an answer they leave it in a voicemail well now they can go back later on and retrieve that message learn
whatever they want to know and we you know talked about we've seen this a lot now with uh you know these whaling attacks and and sort of vishing people that might have the you know ability to transfer money in organizations that sort of thing uh this predates that but it was you know often used for all manner of nefarious purposes uh this is one of my own personal favorites um the transfer to extension 91 or nine plus whatever country code you would want um so if I call an organization and say hi my name is Tim Smith I work with AT&T I need you to I'm we're doing a test I I need you to transfer me to extension 91
please so that nine would get the person an outside line one is the prefix to dial a long-distance number if I call a business and they transfer me to 91 and I use the number pad to dial whatever number I actually want I'm not getting billed for that it's the company that I snookered into doing this that's going to get the phone bill for that so that was a common tactic uh in some phone systems you had to dial eight to get outside line but once you figured out what it was I would say nine was more common uh and then eight was was sort of secondary but if you could call up a receptionist or whoever and convince
them to do that uh you could make your free long well free for you long-distance phone calls now the interesting thing about phone bills back in the day is they were typically a month in arrears so if I did sketchy stuff in January I would have no idea that sketchy stuff happened until I'm looking at the bill in March for whatever happened in in January so they get away with it for you know a pretty good window of time uh call forwarding uh if you were able to compromise a PBX you could just simply get an extension and have it forward to a long-distance number or any number you want you could then call in you know transfer or you
know get that dial that extension and get routed to wherever and again you're not the one getting billed for it it's whatever organization so call forwarding got abused a lot and uh diverters were uh essentially like if you had an answering service like think of a medical office where they operate 9 to 5 and after that it goes to an answering service or it did back in the day where the person would pick up take whatever notes memo yes somebody needs uh refill on their prescription for whatever and they would get back to the doctor what would happen though is if that person hung up but the diverter was misconfigured where it left the line open the person could hang out uh after
uh talking to the answering service and then they would have an open dial tone where again they could dial the number uh and essentially get free calls off of somebody else so phone phreak tradecraft dumpster diving uh or sometimes referred to as trashing uh very common and prevalent back in the day not just to get free hardware that may have gotten discarded uh passwords pins that people would tend to throw away those kinds of things uh manuals particularly like at a telephone company and you might think well why would somebody want old telco gear manuals a lot of it boiled down to social engineering because in order to convince somebody you work for the phone
company and I need to disconnect phone service here here or I need to transfer the phone service from this physical address to this physical address maybe because you have access to that other physical address and you want to get some free phone calls if I'm going to talk to internal telephone company employees I better be able to sound like another internal telephone company employee if I want to be convincing in that um and so call routing loops and three-way calling used for eavesdropping and pranks uh what we often now think of is man in the middle or adversary in the middle attacks uh again we didn't call those things that back in the day but if
somebody had three-way calling um you could essentially uh mess with people a lot um you could uh you know hop on piggyback eavesdrop uh all manner of things and it was you know very much uh something you know people could use for that uh and we talked a little bit about social engineering phone operators and our telco employees that was just one example uh calling card fraud and abuse used to be very prevalent uh so the idea is it's it's similar to a credit card except you call a toll-free number from a pay phone or any phone you put in your number you put in whatever the pin on the card is and it doesn't bill
wherever you made you know whoever's equipment you made the call on it will actually back bill your own personal thing uh and again it was helpful so you didn't have to carry a whole bunch of change or your your very own red box around the payphones uh you would have a calling card and so people used to steal swap these things uh today we have password dumps right all over the dark web and and these credential dumps and all that sort of thing same thing happened with calling cards that those were really coveted so telco countermeasures they didn't just sit back and take it they uh kept updating what they did in response to what phone phreaks were doing uh and
so you know a lot of the phreaking techniques by the early 80s didn't work anymore uh for the most part uh so old phone phreaking methods the various color boxes became obsolete and unusable now some people we talked about those three boxes and a bunch of others some people would combine those features you know might have a combo blue box and red box call it a rainbow box but really any of these other boxes um just quit working uh as the phone companies caught on uh and so the countermeasures forced the phone phreaks to do what continually adjust their tactics amidst the changing times obviously this hasn't stopped today when we think of uh cyber
criminals and what the threat actors are doing they figure out something they can exploit easily we put in our actions to counteract that are mitigating compensating controls uh whatever that might be so then they have to go back to the drawing board readjust their tactics to get away with the same thing uh and so that's nothing new that's been going on for a very long time so changes um switchboard operator career opportunities were mostly displaced by technology in recent decades not too surprising the market saturation of mobile phones made deploying and maintaining payphones financially infeasible for telcos in North America so that's why they've disappeared largely from the landscape uh I almost sort of
get a little nostalgic and excited when I actually see a payphone uh in modern times and uh I may even be dorky enough to take pictures can't help it all right so nowadays the proliferation of unlimited and flat rate cell calling plans really eliminated for the incentive to steal phone service uh there's no incentive now or purpose of doing hard work to make free phone calls when you can already almost do that now pretty much for for all intents and purposes you can pretty much do that now uh and obviously we talked about VoIP uh really it's kind of taken over uh all the telephony services it's been trending that way for a long time now uh calling card fraud
abuse like we talked about prevalent now credit cards are a big thing uh because you can buy stuff with credit cards again no incentive for phone calls and I you I don't even know if you could even contact your phone company and say hey can I get a calling card they may not even offer those anymore uh the new underground so phone phreak bridges or those conference call party lines and virtual meeting places that we talked about have largely been abandoned in favor of newer technologies so web conferencing platforms and many of you may remember at the start of the pandemic how big of a deal that all of a sudden Zoom bombing became when all
meetings were happening through web conferencing platform uh and sure enough all of the hosting all these web conferencing platforms had to adjust their default security settings to keep people unwanted people from just hopping in calls and doing whatever uh there's there's actually some funny stuff I've seen on YouTube for things people have done it's uh yeah good times uh encrypted communication mobile apps things like Signal Telegram uh obviously used very prevalently today uh darknets you know that those things uh exist and so you know you don't tend to have the old phone phreak bridges of back in the day anymore so the new frontier data dumps and dark marketplace use today is more prevalent than old school dumpster
diving I would say uh you could argue it's not really phone phreaking kind of is mobile malware but it's an attack surface that didn't used to exist and now it does um uh and so then proxy servers VPN services and Tor mostly used to cloak communication source endpoint origins today uh no longer pay phones no longer weird routing tricks and call forwarding from one location to the next and in the epilogue technology and telephony abuse is less of a technology hobbyist enthusiast and prankster activity now because cyber crime is big business so you have APTs and threat actor groups organized crime in nation state uh financially motivated actors uh it's no longer just the uh the prankster
having fun or trying to just Griff by and get some some you know do the things they enjoyed with uh without having to pay for it uh it's uh you know obviously serious business and we're here at a security hacker conference today uh there's vendors we have careers but there used to not be a cyber security industry it used to be about three camps of people there was law enforcement back in the day most of the time they were so woefully behind the times like literally the person on the police force that knows how to turn on a computer open and close files and stuff like that oh you know how to use a computer so you're the
computer expert uh that's how literally how bad it was back then so some larger organizations like particularly the larger telcos they might have a fraud department and they were sort of up on these things uh and then there was the computer hacker underground like those were you were one of those three camps nobody really did information security as a job you might have a security focused or minded uh conscious systems administrator that if they had time they would harden their stuff uh but those were the more diligent ones that that did that uh modern phone phreaking uh lest anybody think all forms of phone phreaking have have completely faded uh reverse toll fraud still happens uh
where international and other high paying uh per minute numbers get used uh web conference calls we talked about uh and then porting or port-out fraud which is migrating a phone number to a different service provider um you know and again I might be able to bribe uh this particular organization's mobile carrier and employee there to port the number there uh and then mobile phone SIM swapping happens uh that may or may not be a different carrier but it's same very similar right where I can get somebody's information sent to my device including reset pins and all sorts of stuff you'd really own someone's entire life so I wrap up here some quick
shoutouts because it's an old school talk 2600 magazine been around since 1984 uh it's most recently for a long time now been the hacker quarterly uh Phrack ezine came around in 1985 and just when you think this thing is completely gone forever I actually heard that there's a another edition of that coming out or was released either releasing soon or was released recently I haven't looked um so you know that things have changed but uh project or Phone Losers of America you can check out their website they got a lot of cool stuff project MF if you feel like you really missed out on blue box days and you wish you could go back in time this
lets you do that project MF they have plans you can build your own uh blue box um out of an Arduino they have a Windows client finally textfiles.com has archived a lot of stuff Tina kazanc is a person I know she used to work in telco fraud I've had some of the best conversations she's a good friend uh and it's it's kind of cool to get the other side of that and they lived to bust um these smart kids doing things they didn't approve of uh I will be around after the conference for a little bit if anybody has questions I apologize I ran out of time um but I would like to thank everybody for attending and my parting
words are if you want to get good at uh doing information security learn to think like an attacker and to help with that I brought some black hats
thank you