Skip Links

Network World

Paul McNamara

'Swatting' case shows need to ban caller-ID spoofing

Fake calls to 911 cause untold trouble, land teen an 11-year sentence

By Paul McNamara on Tue, 06/30/09 - 8:47am.

What Matthew Weigman and his cohorts did went so far beyond "pranks" -- or even hacking -- as to leave little room to question the sentence he received yesterday.

From an IDG News Service story on our site:

Matthew Weigman, 19, was part of a group of telephone hackers that met up on telephone party lines and was associated with more than 60 "swatting" calls to 911 numbers across the country. Weigman, known as "Little Hacker," became involved in telephone hacking around age 14 and continued to operate until last year.

Swatters make prank 911 calls, but they use spoofing technology to make it appear as though the call is being made from a victim's house. The idea is to harass their targets, preferably by having police show up at their door, guns drawn.

The details make clear once again the dangers of caller-ID spoofing -- which remains legal in most of the country -- as we've written about here, here and here.

Lawmakers in New York and Louisiana have recently taken steps to control the practice.

Two years ago I wrote a post scoffing at members of Congress who were pushing legislation to outlaw caller-ID spoofing. I was wrong; they were right. People who abuse caller-ID need to know they're breaking the law.

Welcome regulars and passersby. Here are a few more recent Buzzblog items. And, if you'd like to receive Buzzblog via e-mail newsletter, here's where to sign up.

2009's 25 Geekiest 25th Anniversaries.

Want a city job? Fork over your usernames and passwords.

5 online "marketing opportunities" hospitals are missing.

Don't know when to go? RunPee.com fills the void.

Google ran out of bandwidth? ... No, we're talking failure to communicate.

4chan users trigger DDoS attack ... against 4chan?

What does security software have to do with swine flu?

Snopes.com gets an "A" from fellow fact-checkers.

Reason No. 2 to resist filing a complaint with the FCC.

Tweeting with "Star Trek" actor sparks kitchen fire?

40% of geeks surveyed admit to working ... how many hours?

I suppose you are right.

0
By Stew (not verified) on Tue, 06/30/2009 - 9:05am.

You know, a few years ago I figured it was no big deal. Back in the day some of my geeky friends were avid phreakers but I always figured, so what? After all, they really weren't hurting anyone. However at some point it changed. What had at one time been a kind of game and a sort of social party line on the trunk became more sinister. In this day and age the risk has become too great. When it hurts people, it isn’t playing any more.

Utterly Stupid

0
By Television Spy (not verified) on Thu, 07/02/2009 - 10:43am.

Wow it's insane to think that police and ems wouldn't have some sort of callerid sniffer to detect whether it was real or not.

You can't spoof caller ID to

0
By Anon (not verified) on Tue, 06/30/2009 - 11:05am.

You can't spoof caller ID to 911. 911 uses an entirely different system based on ANI. The ANI can not be (easily) spoofed. If they were unable to trace the calls, the 911 operators/technicians are extremely incompetent. (Because the ANI shows up right on the screen, there is no way around it)

evidently you can

0
By Stew (not verified) on Tue, 06/30/2009 - 4:21pm.

That sounds reasonable but there are several reported cases of 911 being spoofed, so I called up Frank, (one of our in-house telecom techs) to see what he thought. He said it was possible to spoof 911 especially if you logged in with a service account. The Ellis kid in Washington evidently hacked the Lake Forest 911 system. Frank said that all 911 systems are not alike but believes you would almost certainly have to have system access to pull this off.

So was this really a spoof or a hack?

http://www.ocregister.com/news/home-emami-county-1894171-ellis-system

Spoof vs. Hack

0
By Anon (not verified) on Tue, 06/30/2009 - 4:48pm.

WHAT he did was a spoof. HOW he did it might have required hacking or might have been simpler than that.

you are wrong. There are

0
By Anon (not verified) on Tue, 06/30/2009 - 8:11pm.

you are wrong. There are plenty of hungry, dirty voip wholesalers inside and outside the US that are happy to sell network access to criminal gangs running asterix-based voip pbxs to make autodialler calls by the millions, and they do not verify whether their customers are pulsing fake ani. And bigger wholesalers, like Level 3, Qwest, XO and Verizon then buy that traffic and drop it across the country, reading the fake ani and delivering fake cid to grandmas in their kitchens who are extraordinarily vulnerable because they have never seen spam, don't own a computer, and are incapable of imagining a world where professional fraudsters are simply given access to them.
There are access providers that cater to the ANI-free crowd.

So only criminals use spoofing?

0
By Anon (not verified) on Thu, 07/02/2009 - 8:32am.

Brilliant, I use caller ID spoofing every day for my business with my criminally oriented asterisk PBX. I use it so when my employees call customers from their cell phones their caller ID shows up as our single business number. But I'm just a criminal I guess.

You're not a criminal

0
By Jellodyne (not verified) on Thu, 07/02/2009 - 11:34am.

But that doesn't make unlimited spoofing a good idea. What if one of your competitors started calling your customers from your 'single business number'? Or if a scam artist used your single business number to use the credibility of your business to a scam random members of the public. Unless there's a mechanism in place to ensure the people spoofing your number are your salespeople or someone you'd want to spoof your number you're better off not allowing anyone to do so.

In the email world the mechanism is SPF/SenderID, but there's no framework is in place to implement a similar system for voice calls.

I think the way that they

0
By BobC (not verified) on Thu, 07/02/2009 - 9:22am.

I think the way that they spoofing is the physical address mapping to ANI handed to the PSAP. This is where the VoIP solutions (Vonage, Skype, etc.) allow you to register your address for E-911 services without any validation of IP address location to area. This is hard to control since the VoIP endpoint can be easily moved to a different address that what is registered. Especially if this is used with a softphone application.

Ummm yeah..

0
By Telephone Tech (not verified) on Thu, 07/02/2009 - 9:56am.

Actually, it can be spoofed, and it's not terribly complicated.
I was shown how it works, and it's entirely possible. Granted the 911 operator could be ignorant. However, their computer would read that the phone call is coming from the home. So yeah, all of it can be spoofed, I work on the back end of a phone company, and it's very possible. If the preason really wanted to, they could.

1234next ›last »

Comment viewing options

Select your preferred way to display the comments and click "Save settings" to activate your changes.

Post new comment

The content of this field is kept private and will not be shown publicly.
  • You can use BBCode tags in the text.
  • Lines and paragraphs break automatically.
  • Allowed HTML tags: <p> <strong> <i> <br /> <br> <ul> <ol> <li> <dl> <dt> <dd> <blockquote>

More information about formatting options

CAPTCHA
This question is for testing whether you are a human visitor and to prevent automated spam submissions.
Welcome, visitor. Register Log in
About Buzzblog