This is part two, the final part, in a short series about the attack in Bombay/Mumbai Part one here
We looked at the story of the possibility that someone tried fooling the Pakistani president with a fake phone call tht almost started a hot war between Pakistan and Indian. In this post we explore some technical aspect of how a hoax could go down and fool some basic protection system.
Click Read More see the details
Lets say someone wanted to fool a government in to believing a phone call is coming from somewhere else. How can it be done? Its easier then it seems. The Pakistan Goverment claims one of the ways they where able to verify the phone call was using CLI (caller’s line identification) which you might know by its more common name in the US, Caller ID.
“It is not possible for any call to come through to the president without multiple caller identity verifications,” Information Minister Sherry Rehman said in a statement.
“In fact the identity of this particular call, as evident from the CLI (caller’s line identification) device, showed that the call was placed from a verified official Phone Number of the Indian Ministry of External Affairs.”
Source: Reuters via Yahoo UK
Yet Caller ID is very easily hack and has been for a long time. The first time I heard about this was almost 6 years ago by Kevin Mitnick talking about using a PBX to fake caller ID and make his calls seem like he is calling from the White House, and he mentions this in his book The Art of Deception: Controlling the Human Element of Security. Today its easier using VOIP and Asterisk, an open source PBX.
This has not stopped others from putting trust in the very weak Caller ID system. For the longest time your cell phone company might have been using caller ID as the ONLY thing protecting your voice mails. For a while some phone providers would allow you to check your voice mail without any pin code as they would check if your caller ID was the one that belonged to your voice mail account. Well if you could fake a caller ID, you could almost take control of anyones voice mail. I have in the past written an post on a forum about this,http://www.dslreports.com/forum/remark,14661279. You can read mover over at wiki page on Caller ID spoofing
While Pakistan government has claimed they have used other systems to verify the phone call, the repeating theme is they heavily relied on Caller ID and not on the other standards of verifying phone calls. According again to the Reuters article the same caller may have tried to call Sec of State Rice of the United States and the call was rebuffed due to the fact it failed the required security checks. This indicated more then likely the Pakistani were negligent at lest in checking the phone call was authentic or not. And this comes down to a more important aspect about any type of security, the human factor. If rules and protocols where kept in place, maybe this story would not have happen. If you read any of Mitnick’s books you would know the Humans tend to be the worst thing for security and sometimes all it takes is some social engineering to convince a person in to believing what you want them to believe. No Jedi mind tricks, just basic talking.
A good example of Social Engineering is an old “TheBroken” ep on how to trick a pizza joint in to giving you a free pizza
Well this could get longer then it should be but I will try to keep it simple. First is better diplomatic relationship between Pakistan and Indian would be a great step forward in cooling and preventing something like this happening. On NPR: Talk of the Nation from 12/11/2008, Richard Haass, president of the Council on Foreign Relations, described the Pakistan-Indian diplomatic ties as one of the most underdeveloped of two nations who are at odds with each other, more so then the USSR-USA during the Cold War. A secure “hotline” be it a phone or some other forum of communications would be a great step. Physical security is one that can provided the greatest amount of trust.
But their should be an open system for world leader to easily communicate with each other quickly and securely. In the public security model we have PKI as a way one can use to verify the true identify of someone. But how would you apply this on a world model? Who would be the CA? The UN? Well thats for another post =P