P1 Security

Philippe Langlois of P1 Security presented to an audience of 200+ executives from telecom, banking, government and industry at the Malaysian Communications And Multimedia Commission in October this year.
This was the third event in the Network Security Industry Talk 2011 Series  organized by the Malaysia Regulator (MCMC) in collaboration with HITB. The event is hosted by SKMM, the Network Security Center of MCMC.

P1 Security will be presenting at the HITBSecConf on Attacking The GPRS Roaming eXchange (GRX).

In this presentation, we’ll see how GRX/GPRS infrastructure is protected and how it can be attacked. We’ll discover the issues with specific telco equipment inside GRX, namely GGSN and SGSN but also now PDN Gateways in LTE and LTE Advanced “Evolved Packet Core”. We will see the implications of this with GTP protocol, DNS infrastructure, AAA servers and core network technologies such as MPLS, IPsec VPNs and their associated routing protocols. These network elements were rarely evaluated for security, and during our engagements with vulnerability analysis, we’ve seen several vulnerabilities that we will be showing in this speech.

We will demo some of the attacks on a simulated “PS Domain” network, that is the IP part of the Telecom Core Network that transports customers’ traffic, and investigate its relationships with legacy SS7, SIGTRAN IP backbones, M2M private corporate VPNs and telecom billing systems. We will also seem how automation enable us to succeed at attacks which are hard to perform and will show how a “sentinel” attack was able to compromise a telecom Core Network during one penetration test.

P1 Security will be presenting a conference at Hack.lu 2011 on Denial of Services in Telecom operators and infrastructures, Banks and Internet Applications. We’ll present real world example and new techniques of how DoS is conducted in 2011. This is not about DDoS, botnet and zombies. We will focus on new attacks that target Telecom operators, ISPs, Banks and important applications. Sadly there are many simple ways to take down telecom, banking and internet infrastructure. We will present some generalized approach to these new form of Denial of Service and tools / examples. There will be notably some example of Denial of Service in NGN, LTE Advanced as well as in legacy SS7. Some demo and examples of our QuantSS7 tools will be presented as well as demo of PTA for Availability.

On may 5th, at Hotel Intercontinental Paris, P1 Security will present the current state of intrusions in telecom environments, from the big Mobile Network Operator down to the simple company with iPBX or even just using another provider for VoIP. The event is organized by CNIS Mag.

P1 Security will be one of the speaker on the 28th of April 2011 for the round table on Digital Self Defence. Focusing on the notion of retaliation, what is allowed by law? What are the current practices? Can we have a glimpse on the future?

Philippe Langlois will present there how Telecom industry and large corporation on the Internet defend actively their perimeters and respond to offenses. This event will take place at the European Circle for Security of Information Systems, Pavillon Cambon-Capucines, 46 rue Cambon 75001 Paris.

For more information:

http://www.lecercle.biz/Portals/3/secured/agendaevent.aspx?f_id_event=36

P1 Security’s Philippe Langlois will be Keynote Speaker at Italian Security Summit, Milano, Italy on the 16 of March. Talking about the security dynamics of IT, Internet and Telecom security, Philippe will give an insight on subterranean dynamics that drive the fraud and attackers and on the other hand the security industry. Come meet us.

Also, Philippe will give with its partner @Mediaservice’s top security expert Raoul Chiesa a private briefing on Telecom security and frauds, with specific insights on how current security teams combat upcoming fraud and Telecom Advanced Persistent Threats. Register by contacting us with you organization and contact details.

P1 Security will be present on Mobile World Congress 2011 in Barcelona, Spain from 16th to 17th of February at Megapay’s booth No. 2.1D68, Hall 2-1. We will make an annoucement there of the great news that are happening for us.

This GSMA event is the most important for the telecom industry, come and meet us to discuss our products in the telecom security assessment, audit and risk rating.

Stay connected, register on our mailing list or contact us.

Philippe Langlois will present a workshop at Hack.LU 2010 conference in Luxembourg on SS7 Security called “SS7 and Telecom Core Network Weaknesses, Attacks and Defenses” on Wednesday 27.10.2010.

In this workshop, we propose to make people practice SS7 message creation, injection and network topology understanding. We will see what kind of vulnerabilities affect SS7 and Telecom signaling networks, how networks are structured and what can be an attack plan on the network. Amongst other things, we will address the case of current attacks performed by a) malicious people with fraud and extortion goals, b) crackers who want to take control of some equipments, c) nation states who want to take control of telecom critical infrastructure for strategic advantages or d) intelligence services who may be interested in silently taking advantage of not well known SS7 structure in order to gain valuable intelligence or perform tactical operations.

This workshop mixes limited theory and practice, using open source tools as well as closed source systems.

Attendees to this workshop must ideally come with their own laptop (Windows or Linux), a good understanding of Networking and TCP/IP. All telecom-specific terms will be explained during the workshop. Max 15 people.

Philippe Langlois will be talking at HES2010 about “Getting in the SS7 kingdom: hard technology and disturbingly easy hacks to get entry points in the walled garden” from 5pm to 6pm at MdO conference center in Paris. This talk will cover entry point discovery to real-world telecom signaling network and following exploitation using SS7 and SIGTRAN attacks to inject signaling into the Core Network of an operator. The talk will explain how critical and difficult it is to obtain a good perimeter monitoring on the SS7 and Signaling external side as well as on the internal signaling Core Network, be it Packet or Switched-oriented.

Event: SOURCE Boston 2010
Location: Boston, MA, USA
Date: April 21-23, 2010

read more | agenda

Event: 26C3
Location: Berlin
Date: December 2009

On 28th of December 2009, Philippe Langlois delivered “SCCP hacking, attacking the SS7 & SIGTRAN applications one step further and mapping the phone system” presentation for Chaos Communication Congress, in Berlin, Germany. This conference, 26C3 was one of the major conference about breakthrough in offensive and defensive computing.

Back to the good old Blue Box?

SS7 is like TCP/IP in the 1990s. It used to be quite a secure network because nobody outside the organizations (here, the mobile operators and telecom companies) were connected to it. Now it’s getting interconnected to new actors which are not that trustworthy. Somehow, hackerdom made SS7 come into existence thanks to the massive use of Blue Boxes. Now, hackerdom is getting its toy back! SS7 is nowaday more and more accessible, and as such increasingly vulnerable. So we’re getting exposed to a totally new set of protocols, as secure as TCP/IP in the 1980s. This looks like the Blue Box is coming back to life, in a very different form.

Attacking the SS7 network is fun, but there’s a world beyond pure SS7: the phone system applications themselves, and most notably what transforms phone numbers into telecom addresses (also known as Point Codes, DPCs and OPCs; Subsystem Numbers, SSNs and other various fun.), and that’s called Global Title Translation. Few people actually realize that the numbers they are punching on their phone are actually the same digits that are used for this critical translation function, and translate these into the mythical DPCs, SSNs and IMSIs. More and more data is now going through the phone network, creating more entry point for regular attacks to happen: injections, overflow, DoS by overloading capacities. And we have an ally: the mobile part is opening up, thanks to involuntary support from Motorola, Apple and Android. We’ll study all the entry points and the recent progresses in the Telecom security attacks.

download pdf

download video: mp4 – torrent – wmv

One step further toward the HLR: Attacking SS7 applications
Event: H2HC
Location: Sao Paulo, Brazil
Date: December 2009

http://www.h2hc.org.br/en/
http://www.h2hc.com.br/palestrantes.php#Speaker18

download pdf

Philippe Langlois also participated in “Hackers to CSO”, a meeting that brought together hackers, security professionals and CSO, IT decision makers, journalists in order to conduct an assessment of the maturity and current stakes of security in the enterprise in South America and globally.

He also joined the CyberWar panel where he exposed the implication of “Cyber War” in Telecom security. What are the impact of one country, one mafia group, one nationalistic cracker group directing their effort against a Telecom infrastructure? How to defend against malicious SS7 maneuvers coming from a foreign country or foreign company?

HostileWRT: Fully-Automated Wireless Security Audit Platform on Embedded Hardware
Philippe Langlois & Eugene Parkinson
Event: Hack.lu
Location: Luxembourg
Date: 2009-10-29

HostileWRT has beend presented during Hack.lu in Luxembourg. Eugene Parkinson and Philippe Langlois presented on Thursday 29.10.2009 their new development on their “Fully-Automated Wireless Security Audit Platform on Embedded Hardware” and released HostileWRT version 0.5.0 during the conference.

hack.lu info page

hack.lu agenda

download pdf