<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40"><head><meta http-equiv=Content-Type content="text/html; charset=utf-8"><meta name=Generator content="Microsoft Word 15 (filtered medium)"><style><!--
/* Font Definitions */
@font-face
{font-family:"Cambria Math";
panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
@font-face
{font-family:"Comic Sans MS";
panose-1:3 15 7 2 3 3 2 2 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0in;
margin-bottom:.0001pt;
font-size:12.0pt;
font-family:"Times New Roman",serif;}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:blue;
text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
{mso-style-priority:99;
color:purple;
text-decoration:underline;}
span.EmailStyle17
{mso-style-type:personal-reply;
font-family:"Calibri",sans-serif;
color:#1F497D;}
.MsoChpDefault
{mso-style-type:export-only;
font-family:"Calibri",sans-serif;}
@page WordSection1
{size:8.5in 11.0in;
margin:1.0in 1.0in 1.0in 1.0in;}
div.WordSection1
{page:WordSection1;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]--></head><body lang=EN-US link=blue vlink=purple><div class=WordSection1><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D'>I didn’t realize that either until we switched SS7 providers recently. Our former one (Whom I am beginning to miss, truth be told) made it impossible to exchange signaling traffic with anything that you didn’t have a route built (and paid) for, which is how it’s been as far as I know since I got into this biz nearly two decades ago.<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D'><o:p> </o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D'>However, our new SS7 provider apparently lets any SS7 point code communicate with ours, as we started seeing random traffic from unknown point codes shortly after we switched providers. We reported it and they blocked that traffic, but in the process it became clear that they let anything through until and unless we ask them to block it. There’s also language in our ICA with them that says that if we are communicating with any point code that we haven’t purchased a route for, they have the right to back-bill it one they discover it.<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D'><o:p> </o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D'>We’re in a contract now for three years, but at the end of it we may switch back to the original provider for this and other reasons. SS7 certainly feels a lot less secure than it did before. Luckily, our Class 5 End Office switch does not provide any data nor redirection capabilities over SS7 such as those exploited in the article. We also found that while we received the traffic from the unknown point code, our switch did not respond because we did not have a route built for it on the switch. But it still means that a DOS attack may be possible, and it feels like assigning our switch a public IP without a firewall in place, which makes me crazy.<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D'><o:p> </o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D'>Mike<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D'><o:p> </o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D'>Mike Ray, MBA, CNE, CTE<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D'>Astro Companies, LLC<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D'>11523 Palm Brush Trail #401<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D'>Lakewood Ranch, FL 34202<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D'>DIRECT: call or text 941 600-0207<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D'><a href="http://www.astrocompanies.com"><span style='color:#0563C1'>http://www.astrocompanies.com</span></a><o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D'><o:p> </o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D'><o:p> </o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D'><o:p> </o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D'><o:p> </o:p></span></p><p class=MsoNormal><b><span style='font-size:11.0pt;font-family:"Calibri",sans-serif'>From:</span></b><span style='font-size:11.0pt;font-family:"Calibri",sans-serif'> Christopher Aloi [mailto:ctaloi@gmail.com] <br><b>Sent:</b> Friday, April 22, 2016 9:28 PM<br><b>To:</b> Kidd Filby <kiddfilby@gmail.com>; Mike Ray, MBA, CNE, CTE <mike@astrocompanies.com><br><b>Cc:</b> VoiceOps <voiceops@voiceops.org><br><b>Subject:</b> Re: [VoiceOps] SS7<o:p></o:p></span></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal style='margin-bottom:12.0pt'>I didn't realize you can now connect to another company without ordering the route-set from a third party. How does this work ? I feel old ! <o:p></o:p></p><div><div><p class=MsoNormal>On Fri, Apr 22, 2016 at 2:40 PM Kidd Filby <<a href="mailto:kiddfilby@gmail.com">kiddfilby@gmail.com</a>> wrote:<o:p></o:p></p></div><blockquote style='border:none;border-left:solid #CCCCCC 1.0pt;padding:0in 0in 0in 6.0pt;margin-left:4.8pt;margin-right:0in'><div><div><p class=MsoNormal style='margin-bottom:12.0pt'><span style='font-family:"Comic Sans MS"'>Very well said Mike.<br><br>Back In The Day... Interconnection between 2 companies had to occur via a 3rd party, like Illuminet. Their had to be SS7 gateway providers and that's all they were allowed to do. Route SS7 traffic between LEC/ILEC/CLEC networks. Oh... do I remember the pains... Gateway-Screened... CNAM database corruption, LIDB services not provided.... Still makes my head hurt.<o:p></o:p></span></p></div></div><div><div><p class=MsoNormal><span style='font-family:"Comic Sans MS"'>Kidd<o:p></o:p></span></p></div></div><div><p class=MsoNormal><o:p> </o:p></p><div><p class=MsoNormal>On Fri, Apr 22, 2016 at 12:28 PM, Mike Ray, MBA, CNE, CTE <<a href="mailto:mike@astrocompanies.com" target="_blank">mike@astrocompanies.com</a>> wrote:<o:p></o:p></p><blockquote style='border:none;border-left:solid #CCCCCC 1.0pt;padding:0in 0in 0in 6.0pt;margin-left:4.8pt;margin-right:0in'><div><div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span style='font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D'>It seems to me that this SS7 vulnerability issue is just the latest result of all of the de-regulation that’s been going on for the past… two decades or so. There was a time that you could not buy commercial access to the SS7 network; to get that access you had to be a real carrier. Also, back at that time, inter-company SS7 signalling could only occur on established, ordered signaling routes where both parties placed an order to open the route between them. Therefore, this would not have been possible back then because the carrier would not have ordered a route to the hacker’s point code(s) and it therefore would not exist.</span><o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span style='font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D'> </span><o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span style='font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D'>If I am a US local carrier in 2001, I have no need to order a signaling route to a German carrier either so even the hacker having full access to a German carrier’s network would not compromise my network. (in response to the nation-state issue) To get a call to Germany, I signal to the access tandem or IXC switch I’ve chosen to interconnect with in the US and that switch signals upstream, etc.</span><o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span style='font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D'> </span><o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span style='font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D'>If we were not on this path of de-regulation where whatever makes commercial sense for one company can open up the whole SS7 network to un-trusted parties, we likely wouldn’t be here. At some point, a decision was made somewhere to allow this loosy-goosy inter-company signaling over the SS7 network between two point codes that would not, under the original implementation of SS7, be able to talk to each other in the first place.</span><o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span style='font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D'> </span><o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span style='font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D'>If the drumbeat of “solve everything with IP!” continues, I hope that at least it gets solved by establishing something close to what the VPF was supposed to be, and not just a general dumping of all voice traffic across the internet between carriers. That certainly wouldn’t bode well for reliability or security.</span><o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span style='font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D'> </span><o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span style='font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D'>Mike</span><o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span style='font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D'> </span><o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span style='font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D'>Mike Ray, MBA, CNE, CTE</span><o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span style='font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D'>Astro Companies, LLC</span><o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span style='font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D'>11523 Palm Brush Trail #401</span><o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span style='font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D'>Lakewood Ranch, FL 34202</span><o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span style='font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D'>DIRECT: call or text <a href="tel:941%20600-0207" target="_blank">941 600-0207</a></span><o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span style='font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D'><a href="http://www.astrocompanies.com" target="_blank"><span style='color:#0563C1'>http://www.astrocompanies.com</span></a></span><o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span style='font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D'> </span><o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span style='font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D'> </span><o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span style='font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D'> </span><o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span style='font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D'> </span><o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><b><span style='font-size:11.0pt;font-family:"Calibri",sans-serif'>From:</span></b><span style='font-size:11.0pt;font-family:"Calibri",sans-serif'> VoiceOps [mailto:<a href="mailto:voiceops-bounces@voiceops.org" target="_blank">voiceops-bounces@voiceops.org</a>] <b>On Behalf Of </b>Dan York<br><b>Sent:</b> Thursday, April 21, 2016 3:45 PM<br><b>To:</b> Kidd Filby <<a href="mailto:kiddfilby@gmail.com" target="_blank">kiddfilby@gmail.com</a>><br><b>Cc:</b> <a href="mailto:voiceops@voiceops.org" target="_blank">voiceops@voiceops.org</a><br><b>Subject:</b> Re: [VoiceOps] SS7</span><o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'> <o:p></o:p></p><div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'>This is generally true if the calls are *unencrypted* on VoIP... <o:p></o:p></p><div><div><div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'> <o:p></o:p></p><div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'>On Thu, Apr 21, 2016 at 2:20 PM, Kidd Filby <<a href="mailto:kiddfilby@gmail.com" target="_blank">kiddfilby@gmail.com</a>> wrote:<o:p></o:p></p><blockquote style='border:none;border-left:solid #CCCCCC 1.0pt;padding:0in 0in 0in 6.0pt;margin-left:4.8pt;margin-top:5.0pt;margin-right:0in;margin-bottom:5.0pt'><div><div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span style='font-family:"Comic Sans MS"'> </span><o:p></o:p></p></div><div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span style='font-family:"Comic Sans MS"'>Also folks, don't forget, the same outcome of recording someone's call is MUCH easier to accomplish once it is VoIP. IMHO, of course. ;-)</span><o:p></o:p></p></div></div></blockquote><div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'> <o:p></o:p></p></div><div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'>... BUT... what's fascinating is the recent rise in end-to-end (e2e) encryption among IP-based communications platforms that include voice.<o:p></o:p></p></div><div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'> <o:p></o:p></p></div><div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'>WhatsApp, for instance, just completed the rollout of e2e encryption on April 5, and not just for messaging, but also for voice and video calls as well as file transfers ( <a href="https://blog.whatsapp.com/10000618/end-to-end-encryption" target="_blank">https://blog.whatsapp.com/10000618/end-to-end-encryption</a> ). Just yesterday the team behind Viber announced that they will soon have e2e encryption for all clients. The app Wire ( <a href="http://wire.com" target="_blank">http://wire.com</a> ) also does e2e encryption for voice, video and group chats.<o:p></o:p></p></div><div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'> <o:p></o:p></p></div><div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'>In a US Congress hearing this week, a Congressman asked a Dept of Homeland Security representative if e2e encryption available in apps would have prevented this interception that happened via SS7. The DHS answer was that it would mitigate the interception of the content, although the location meta-data would still be available. (You can view the exchange via the link in this tweet: <a href="https://twitter.com/csoghoian/status/722854012567969794" target="_blank">https://twitter.com/csoghoian/status/722854012567969794</a> )<o:p></o:p></p></div><div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'> <o:p></o:p></p></div><div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'>The end result is that we're definitely moving to a space where the communication over IP-based solutions will wind up being far more secure than what we had before.<o:p></o:p></p></div><div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'> <o:p></o:p></p></div><div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'>Interesting times,<o:p></o:p></p></div><div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'>Dan<o:p></o:p></p></div></div><div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'> <o:p></o:p></p></div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'>-- <o:p></o:p></p><div><div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span style='font-size:10.0pt;font-family:"Arial",sans-serif;color:#888888'> </span><o:p></o:p></p></div><div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span style='font-size:10.0pt;font-family:"Arial",sans-serif;color:#888888'>Dan York</span><o:p></o:p></p></div><div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span style='font-size:10.0pt;font-family:"Arial",sans-serif;color:#888888'><a href="mailto:dyork@lodestar2.com" target="_blank"><span style='color:#0000CC'>dyork@lodestar2.com</span></a> <a href="tel:%2B1-802-735-1624" target="_blank">+1-802-735-1624</a> Skype:danyork</span><o:p></o:p></p></div><div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span style='font-size:10.0pt;font-family:"Arial",sans-serif;color:#888888'>My writing -> <a href="http://www.danyork.me/" target="_blank">http://www.danyork.me/</a></span><o:p></o:p></p></div><div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span style='font-size:10.0pt;font-family:"Arial",sans-serif;color:#888888'><a href="http://www.danyork.com/" target="_blank"><span style='color:#0000CC'>http://www.danyork.com/</span></a></span><o:p></o:p></p></div><div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span style='font-size:10.0pt;font-family:"Arial",sans-serif;color:#888888'>http://<a href="http://twitter.com/danyork" target="_blank"><span style='color:#0000CC'>twitter.com/danyork</span></a></span><o:p></o:p></p></div></div></div></div></div></div></div></div><p class=MsoNormal style='margin-bottom:12.0pt'><br>_______________________________________________<br>VoiceOps mailing list<br><a href="mailto:VoiceOps@voiceops.org" target="_blank">VoiceOps@voiceops.org</a><br><a href="https://puck.nether.net/mailman/listinfo/voiceops" target="_blank">https://puck.nether.net/mailman/listinfo/voiceops</a><o:p></o:p></p></blockquote></div><p class=MsoNormal><br><br clear=all><o:p></o:p></p></div><div><p class=MsoNormal>-- <o:p></o:p></p><div><div><p class=MsoNormal>Kidd Filby<br>661.557.5640 (C)<br><a name="m_-4142437851680546911_UNIQUE_ID_SafeHtm"></a><a href="http://www.linkedin.com/in/kiddfilby" target="_blank" title="View public profile">http://www.linkedin.com/in/kiddfilby</a><o:p></o:p></p></div></div></div><p class=MsoNormal>_______________________________________________<br>VoiceOps mailing list<br><a href="mailto:VoiceOps@voiceops.org" target="_blank">VoiceOps@voiceops.org</a><br><a href="https://puck.nether.net/mailman/listinfo/voiceops" target="_blank">https://puck.nether.net/mailman/listinfo/voiceops</a><o:p></o:p></p></blockquote></div></div></body></html>