Computer underground Digest Sun Dec 11, 1994 Volume 6 : Issue 104 ISSN 1004-042X Editors: Jim Thomas and Gordon Meyer (TK0JUT2@NIU.BITNET) Archivist: Brendan Kehoe Retiring Shadow Archivist: Stanton McCandlish Shadow-Archivists: Dan Carosone / Paul Southworth Ralph Sims / Jyrki Kuoppala Ian Dickinson Copy Reader: Laslo Toth CONTENTS, #6.104 (Sun, Dec 11, 1994) File 1-- Telecomm Security (by Howard Fuhs) File 2-- Cu Digest Header Information (unchanged since 25 Nov 1994) CuD ADMINISTRATIVE, EDITORIAL, AND SUBSCRIPTION INFORMATION APPEARS IN THE CONCLUDING FILE AT THE END OF EACH ISSUE. ---------------------------------------------------------------------- Date: Tue, 22 Nov 94 03:01:00 UTC From: gui.gordon@GENIE.GEIS.COM Subject: File 1--Telecomm Security (by Howard Fuhs) Telecommunication Security Copyright (C) 7/1994 by Howard Fuhs Howard Fuhs Elektronik Rheingaustr. 152 65203 Wiesbaden - Biebrich Germany Tel: +49 611 67713 D2: +49 172 6164336 Fax: +49 611 603789 CompuServe: 100120,503 Internet: 100120.503@compuserve.com The material presented is implicitly copyrighted under various national and international laws and is for information purposes only. Information in this document is subject to change without notice and does not represent a commitment on the part of Howard Fuhs Elektronik. Free public distribution is permitted with the following conditions: 1) No editing of any kind is permitted! 2) Distribute the entire document, as is, or do not distribute at all! 3) No fee of any kind may be charged for such copying. "Media and other Service Charges", such as those charged by user groups and commercial entities, are not allowed! 4) It's source and co-operative nature should be duly referenced. No part of this publication may be published by Magazines, Journals or any other professional non-profit or profit organization in any form, without prior written permission from Howard Fuhs. 1. Abstract 2. The Underground 2.1 The Technical Equipment 2.1.1 Red Box, Blue Box and other boxes 2.1.2 War Dialer 2.1.3 Modem 2.1.4 Legal Tone Dialer 2.1.5 Lock Picks 2.1.6 Scanner 3. Potential Targets 3.1 Dial-In Lines with Modem 3.1.1 Countermessures 3.2 Toll Free Numbers 3.2.1 Toll Free Number for Marketing Purposes 3.2.2 Toll Free Numbers with Dial Out Lines 3.3 Voice Mailbox Systems 3.4 Wireless Phones 3.5 Pager Systems 3.6 Shoulder Surfing 3.7 Answering Machines 4. How/where do they get their Informations? 4.1 Social Engineering 4.2 Trashing 4.3 Underground Publications 4.4 World-wide Computer Networks 4.5 Internal Computer Networks of Telecom Companies 5. Conclusions 1. ABSTRACT ----------- Everybody is discussing Data Security, Computer Security and Anti-Virus Measures to make certain that systems and data remain clean and safe. Companies spend considerable amounts of money and time on data security experts, fail-safe plans, security hardware and software but often forget a major leak in their security plans: Telecommunication Security. Many companies argue that the local telecom company is responsible for telecom security, and at first sight they are right. But the problem of telecom security is more complex than even the telecom companies will admit. Especially government operated telecom companies have a tendency to take telecom security somewhat lightly, and it can happen that they won't believe you even if you can demonstrate the weaknesses of their systems (this actually did happen in Germany). Their official statement is always: "Our system is secure and not vulnerable". If the lines and switching systems are vulnerable, it is the responsibility of the telecom company to correct this. The average telecom customer has little or no influence on this level of security, but what about telephone equipment owned and operated by other companies? This type of equipment is also vulnerable, in many cases more vulnerable than telecom lines and switching systems. In this case it is the responsibility of the company owning the equipment to prevent misuse of the installed system or network. Most companies do not even know that their telecom equipment is vulnerable. To close that security gap it is necessary to know which techniques to use and whom to deal with. 2. THE UNDERGROUND ------------------ People who try to break the security of telecom systems call themselves "phreaks" or "phreakers". Phreaks are usually technically very knowledgeable about telephone systems, and their main intention is to make calls around the world free of charge. Whether an individual, the telephone company or some other company has to pay for their abuse does not concern them. Phone phreaks often look for companies operating dial-in lines with modems, toll free numbers or voice mailbox systems, because they assume that the telephone bill of a company of this character is so high that the abuse of the system will not be detected because of a slightly increased bill. Often phreaks are organised in loose groups and most of them are trading their secrets over computer networks to other interested phreaks. This means that if someone discovers a new and interesting or challenging telephone number, information about it is often spread all over Europe within 24 hours. The consequence of dissemination of this type of information is that an increasing number of phreaks will try to abuse the published telephone number or telephone system. If the misuse is only detectable through an increasing telephone bill, it may go undetected for several months in the worst cases, depending on the frequency of invoicing used by the utility supplier. 2.1 THE TECHNICAL EQUIPMENT --------------------------- The computer underground, in that case better known as the phreakers, uses a wide variety of electronic gadgets, gizmos and devices to abuse telecom equipment and lines, to manipulate switching systems and to break through digital firewalls. Knowledge of these devices is very important for company security staff because they must know what to look for. 2.1.1 RED BOX, BLUE BOX, WHITE BOX AND OTHER BOXES -------------------------------------------------- All these colourfully named boxes are devices designed to cheat telecom equipment. Most of them are (sometimes modified) tone diallers or self-made electronic devices, all having several functions. To provide free calls from public phone booths one of the types is able to emulate the insertion of a coin (works only in the USA), another box can emulate the audible code-signals used to communicate between switching systems or to switch the telephone line into special modes (which differ from system to system) for maintenance staff, who normally has more privileges in a telecom switching system than ordinary users. Boxes are also available to send a false caller ID to telecom equipment used to display the telephone number of the caller. Also most private telecom equipment may be programmed by means of such a tone-dialler or box. The consequence is that a phreaker is able to alter the program and thus work mode of telecom equipment in a company from a remote location. All these types of boxes are described in underground publications, and they are relatively easy to build or to modify. A serious legal problem in connection with these boxes is that their use is not traceable under normal circumstances. The phreaker is over 98% sure not to get caught. Even if he should get caught it is hard to produce legal evidence proving his abuse of telecom lines and equipment. In most cases an expert is needed to identify a suspicious device as being in fact a box intended to misuse telecom lines. Possession of such devices is only illegal in a few countries (USA, Canada). 2.1.2 WAR DIALLER ----------------- A war dialler is a computer program used to automatically dial all telephone numbers within a range defined by the phreaker using it. While doing this the war dialler produces a log file listing for each individual number who or what picked up the phone (modem, human, busy, fax, not in use, etc.). Log files of this type, listing interesting free-call numbers, are regularly posted on some computer networks and thus made publicly available. List keepers in nearly every country with toll free numbers update this type of log file at least on a monthly basis. In some countries (e.g. the USA) war diallers are illegal. In one case innocent-looking software was used to hide a war dialler. A password was simply needed to invoke the hidden function of the war dialler, and everybody who had seen the movie "War games" knew the password (the name of Prof. Falken's son). 2.1.3 MODEM ----------- A modem is a widespread hardware device and not primarily intended to be used for something illegal. In most cases, however, a modem may be used to war-dial numbers without a special war-dial program, and without technical alterations it can also emulate tones, which can be used to cheat switching systems. A modem is also necessary to hack computer systems etc. 2.1.4 LEGAL TONE DIALLER ------------------------ A legal tone dialler is a small device, which is usually delivered together with an answering machine for remote control. It looks like a small pocket calculator and has the capability to store a lot of phone numbers together with the names and addresses of the people. Even these legal tone diallers are able to cheat a telephone system. For a long period of time it was possible in Germany to make phone calls from a public pay phone without paying for the call. You just lifted the handset and dialled the number using the tone dial device, and you got your connection. The weakness of that pay phone system was that a coin needed to be inserted in order to enable the keypad of the pay phone. Thus, when you did not need the keypad to dial the number, no coin was needed and the security system was circumvented in a very easy manner... Completely legal tone dial devices can be altered to produce the tones needed to cheat the switching system. A Radio Shack dialler was alterable in such a way, for instance. The only thing needed was to replace a crystal used to define the tone frequencies and it was possible to transmit the tones needed for communication between two switching sites. 2.1.5 LOCK PICKS ---------------- "What do lock picks have to do with telecom misuse?", you will ask. A lot, as will be demonstrated! It is very interesting to see that a lot of phreakers (especially in America) are skilled lock pickers. Even telecom companies are getting wise and have begun to lock up all kinds of telecom cable boxes and small switching stations situated in public areas and not under constant surveillance. However, our enterprising phreaker occasionally needs access to this type of installation, and if he were to use a device that damages the lock, everybody would know at first sight that someone broke into the installation. Destroying the lock also means making noise, which could attract curious bystanders or even (worst case for the phreaker) the police. A lock picking set is not going to ruin your budget. It takes a lot of practice to use, and it opens nearly every cheap and/or simply designed lock. For organisations and companies it is mandatory to choose the best locks available, even if they are more expensive than simple ones. It only takes a few design changes to make a lock unpickable. This forces the phreaker to destroy the lock (thereby making the violation evident) or to give up. For advice or support contact a security expert or a professional locksmith. Once the phreaker has gained physical access to the installation he is able to install any kind of cheating device, call diverters, remote switches or even a wiretapping device or small transmitter. Owning lock picks is not illegal, but using lock picks to gain unauthorised access of course is. 2.1.6 SCANNER ------------- Radio scanners are mainly used to find and listen to different frequencies in use. A modern scanner not larger than a pack of cigarettes can cover a frequency range from a few kHz up to 5 GHz. Scanners can be used to find the working frequencies of cordless phones or to listen to wiretapping devices. Many journalists are equipped with scanners to check the frequencies of police and fire departments. According to an EU regulation, the ownership of a scanner is legal. The usage of scanners is regulated in laws which differ from country to country. It is nearly impossible to prove the misuse of a scanner in court. 3. POTENTIAL TARGETS -------------------- In this paragraph it is explained what can happen to telecom equipment and telecom lines and how to avoid this misuse of important and expensive company resources. To prevent phreaking it is mandatory to know what constitute the main targets for phreaks, which techniques they use to sneak around security barriers and which security holes they use. To prevent this article from becoming a "Phreaker's Tutorial" the techniques used will only be described generally. This is no "technical in depth" article. Some technical facts and standards differ from country to country. This is not the case with the Euro-ISDN standard and GSM. If there is an urgent need for technical support or advice against phreakers it is strongly recommend to contact security experts in the field of data and telecom security. 3.1 DIAL IN LINES WITH MODEM ---------------------------- If a phreaker locates a dial-in telephone line with a modem, he will probably switch himself into hacker mode and attempt to hack it, trying to gain access to the company computer system. If he is not a skilled hacker he will trade his new-found information to a person with more knowledge. If he successfully hacks the computer system, he is often able to alter, copy or delete data, read confidential files, read private E-Mail, spread vira or even shut down the whole system. He will usually look for passwords, network connections or gateways to networks like the Internet or other world-wide networks and E-Mail services. If there are any gateways to other networks, he will start using them and thus increase the usage costs for the particular network. It is very likely that the hacker/phreaker will use all features of the company computers, networks and gateways to international networks. The simple reason is that he does not have to pay for the use. Even though it may be evident that a hacker/phreaker has gained access to the corporate computer-network via a telephone line it is very difficult to find that person. In cases like this it is necessary to work together with the local police and the telephone company. The person in charge of the co-operation between your company and the local authorities should be your data security specialist. If there is no person in your company that is able to cope with a problem of this type, it is strongly recommended to get advice from a professional data security expert. He knows what to do and has the necessary connections to police and telecom companies. The telephone company has the technical equipment and can obtain permission to trace a telephone call, and line tracing is the most successful method to detect an intruder. Furthermore, it produces valuable evidence that can be presented in court. If it is necessary to install a wiretapping device this must be done by police after obtaining a warrant. For a company to take this type of action itself, would in most cases be a violation of the law and thus very risky business. Even if the company is able to detect the phreaker, it would not be able to present the evidence in court, and there would be no possibility to sue the illegal intruder. 3.1.1 COUNTERMEASURES --------------------- First step to prevent this type of damage is to close the security gap, e.g. by means of a password program. This must ask for the name of the user and for a password. The password should have a minimum length of six characters and all ASCII and/or ANSI characters should be allowed. The program should also look for forbidden passwords like "abcde" or "qwertz". After three attempt to gain access using an invalid user name or password the program must inform the system administrator automatically. If the user name is valid but the password not, the password program must cancel all access rights for the user who is trying to gain access with an invalid password. All users should be educated about how to choose a secure password or how to build up his own private password selection scheme. A personal mnemonic scheme like that is very helpful, because it serves to prevent stupid and easy-to-guess passwords and valid passwords from being written on Post-It papers stuck to the monitor. A password generator can also be helpful. This type of program generates random passwords, which are difficult to guess or hack (or remember). Next step would be to use a call-back device (integrated in many advanced modems). It functions by allowing users to call a particular telephone number and type a password to the modem, which subsequently hangs up. After validating the user name and password the computer will call the user, using a fixed telephone number either stored in modem or computer. The user again has to type the correct password and is then granted access. For the method to be secure, at least two different telephone lines must be used in order to place the call-back on a different line. Using only one line is not 100% fool-proof. Under these circumstances a call-back device can be circumvented by a skilled phreaker by reprogamming the telecom switching system. In modern digital switching systems it is possible to use the extended services to program a call diverter, so that when a particular telephone number is dialled, the call is in fact automatically redirected to a different subscriber. Call diverter functions are integrated in digital switching systems and Euro-ISDN. Many cases are known, in which a phreaker has used the call diverter functions to fool call-back devices and redirect calls to his home phone. One of the most secure ways to prevent intrusion is a hardware security protocol for caller authentication and log-in procedure. This modem access control and security hardware is installed in front of the host modem. Callers needs a hardware key, e.g. a dongle, a chip card or a PCMCIA Card installed in his computer in order to gain access to the host computer. This type of modem access control system first verifies the presence and authenticity of the hardware key. Only after successful completion of this procedure is the user asked for his personal password. The described modem access control system is also available for network access control to verify local users during their log-in procedure to a network. To prevent theft of information because of wiretapping of telephone lines used for data communication, a good modem access security and control system should be able to scramble and encrypt the transmitted data. This kind of encryption is most often performed by an onboard chip and not by software running on the computer system, although both types are known. This can be a factor of importance, because software en/decryption slows down a computer system as the number of dial-in lines is increased. It is recommended to use all the above described techniques in combination to prevent illegal intrusion by a phreaker/hacker. 3.2 TOLL FREE NUMBERS --------------------- Toll free numbers are a very attractive target for phreakers, because it costs nothing to call a number like that, incoming calls being paid for by the company operating the toll free number. It doesn't even cost anything to scan all available toll free numbers to find out who or what picks up the phone. So it is easy to find out which numbers are connected to fax machines, modems, are not in use, are used in voice mailbox systems, etc. To perform the scanning, the phreaker needs about one night and a "war dialler" scanning program as described above. Toll free numbers can normally be divided into a few groups with different purposes. 3.2.1 TOLL FREE NUMBER FOR MARKETING PURPOSES --------------------------------------------- This type of number is normally connected to a play-back device, which plays a promotion text when called. These numbers are often promoted in big advertisements in newsletters and journals and normally only available for a couple of weeks. It would be totally wrong to assume a number like that to be without risk. The following incident happened during a large German electronics and computer exhibition: A leading software company advertised a toll-free number to call for information about the computer virus problem. Each caller heard a tape with information denouncing ownership and distribution of illegal copies of software, emphasising the risk of catching a computer virus. The advertisements were placed in journals normally read by business people and not by phreakers. After the number had been propagated by a phreaker through computer-networks like the FIDO net, more and more people started to call it with a war-dialler. The result was a rapidly increasing telephone bill for the company, because when the war-diallers called the number, the phone was picked up by the play-back device and the telecom company added one more call to the bill. The war-diallers hung up the phone a few seconds later and started to dial the same number again. This unexpected massive cost overrun forced the software company to shut down the line after a very short period of time. In a case such as this nothing can be done to prevent that kind of misuse. 3.2.2 TOLL FREE NUMBER WITH DIAL OUT LINES ------------------------------------------ A toll-free number with dial-out lines will attract phreakers like honey a brown bear. These systems are mainly used to limit expenses in companies, whose employees travel extensively. They make it possible for the employees to reach their company free of charge (the company pays for the call), and they can place (often world wide) calls by means of the dial-out function of the toll-free number. These calls are debited the company. Phreakers use the system the same way the employees do. They route all their calls through a toll-free system with dial-out lines, because this costs the phreaker nothing. The company thus targeted has to pay the expenses. Two things can be done to prevent misuse of this type of system. First of all it is mandatory to keep the toll free number with all its functions secret. Regular users should be informed on a need-to-know basis. They also should be told to keep the number secret. Keeping the number secret, however, does not mean that it will not be detected by phreakers. Bear in mind that it costs a phreaker nothing to scan for toll-free numbers on a regular base (eg. each month). The second thing to do is to secure the system with individual access codes, which must be entered through the telephone key-pad. The length of this individual access code must be minimum 6 digits. Currently, most toll-free systems with dial out lines are not protected by access codes. Most companies rely on no strangers calling the toll-free number and attempting to invoke hidden functions by trial and error. This is a false sense of security. All phreakers try out things like this, because it costs them no money to mess around with the system for as long as they want. In principle they have all the time they want to look for hidden functions. Most of the functions like dial-out lines are invoked by pressing one single digit on the key-pad. A few systems use two digits. This despite the fact that it will only take a phreaker a few minutes to discover how to (mis)use a toll-free system. In the worst of cases the toll-free system even features a voice menu telling callers which options are available in the system. In this case it is not even necessarty to use trial and error. If it is suspected that a phreaker misuses a toll-free system with dial-out lines it is best to contact the police and take legal action. The police in co-operation with the telecom company possesses the technical and legal means to trace the phreaker. 3.3 VOICE MAILBOX SYSTEMS -------------------------- For the past few years the use of voice mailbox systems in Europe has been increasing. Voice mailbox systems must be divided into two different types: Toll-free voice mailbox systems used by many types of companies, and voice mailbox systems from companies providing party lines, dating lines and other, mostly expensive, services. Normally a phreaker will primarily select the toll-free voice mailbox system. If no toll-free voice mailbox is available he probably has the knowledge and the technical capability to call a voice mailbox of a service provider in an illegal toll-free way. The problem, however, is not which voice mailbox system he will call, but how he will use it. To understand how to misuse a voice mailbox system, the basic system use must be understood. A voice mailbox is like a house. When you enter the house your host welcomes you. The host in this case is a voice menu explaining all the functions of the system. To choose one of these functions you just have to press the corresponding button of the key-pad. Having made a selection you will leave the entrance and enter a "room". Each room is dedicated to a special topic. Topics can be live discussions with as many people as are in the room, public message areas, private message areas, playing a game, etc. A large voice mailbox system can have more than 100 different "rooms". If the number is not toll free, the phreaker uses techniques to call the voice mailbox system free of charge anyway. If the voice mailbox is interesting, easy to hack and fits his needs, the phreaker has a lot of uses for such a system. It has been evidenced by court trials that phreakers use voice mailbox systems as their "headquarters", to meet, to discuss, to have conferences with up to 20 persons participating at the same time, to leave messages to other phreakers or to deposit and share knowledge. They waste system resources without paying for it. In some cases all dial-in lines were busy, so no paying customer was able to connect to the system. It is also interesting to see how the phreakers used system resources. As mentioned above, a voice mailbox is like a house, a house with easy-to-pick or no locks in the doors. The business of the service provider requires the voice mailbox to be easy to use without big security installations. The voice mailbox must be an open house for everybody, and that makes it easy for the phreaker. First a phreaker will look for hidden functions in the voice mailbox. Hidden functions are normally used to reprogram the voice mailbox from a remote location. Commonly, hidden functions are available to increase the security level of certain rooms and for creating new rooms with new possibilities and features. With knowledge of the hidden functions of a system, the phreaker can create new rooms for meetings with other phreakers, and he is able to raise the security level of such rooms so that only insiders can gain access. Increasing the security level means assigning an access code to a room. Without knowledge of the access code the room cannot be entered. Thus, he is able to create a voice mailbox inside the voice mailbox for a closed user group, "Entrance for phreakers only". This voice mailbox for phreakers can be used to post calling card numbers, private messages for other phreakers, the newest access codes for other voice mailbox systems, the newest tricks on how to cheat the telephone system, etc. All owners of voice mailbox systems can do is to watch the traffic inside his system and look for changes such new rooms suddenly appearing. From a pratical point of view it is very difficult to increase the security of a voice mailbox without causing problems for paying users. In case of misuse it is necessary to co-operate with a security expert and the local authorities to limit financial losses. 3.4 CORDLESS PHONES ------------------- It is very easy today to set up a complete telephone system in a small company, using only cordless telephones and that is one of the reasons for the sales of cordless phones rapidly increasing throughout Europe. However, only a few people know how dangerous it can be to use a cordless phone, especially for company purposes. This type of wireless phones can be divided into two groups. The first group employs a transmission frequency around 48 MHz and is mainly used in the USA. It can be used legally in some European countries as well. The second group employs a frequency in the 870 - 940 MHz range. This type is mainly used in European countries. The first major problem with wireless phones is that anybody with a suitable scanner can listen in on the conversation. A good scanner needs less than 30 seconds to find the correct frequency. This is a major weakness inherent to these systems, which can of course be fatal to a company. A new standard for European cordless phones (870 - 940 MHz) has emerged. These phones automatically scramble the transmitted signal between handset and base station. With this system in place, nobody with a scanner can stumble over the phone conversation by accident, but this standard still is not foolproof. The scrambling method employed by the system can comparatively easily be circumvented by a knowledgeable person with only a minimum of extra hardware. The American type cordless telephones (48 - 49 MHz) are the most unsecure devices available. They can easily be scanned as described as mentioned above. There is no signal scrambling standard, and they do not even check to see the handset and the base station in use match each other. Only very few cordless phones allow signal scrambling at all. In most cases this is just an option, the scrambling device must be bought separately and this is designed in a very cheap and thoroughly unsecure manner. It is no problem to circumvent this quality of scrambling with a little hardware. 99% of the American phones are without any scrambling option, they can't be made more secure, even if the customer wishes to do so. This cordless phone type opens the door to the possibility of misuse of a very special character because of a major system design flaw. Handset and base station are communicating on a fixed frequency between 48 and 49 MHz. The problem is that a handset works with all base stations set to the same frequency as the handset. It has become very popular in the USA when making a call first to switch off the base station and check if there is another basis station in the area, which can be reached by the handset. In this case it is very easy to use a base station belonging to someone else. And this person has to pay for the phone calls made by a stranger in the same house or area. It has also been seen that handsets were modified in a way so as to work on different frequencies, thus enabling the owner of the handset to make phone calls through a number of different base stations in his area. The usual range of a cordless phone is about 300 meters. To prevent this kind of misuse the European cordless telephones are working in a slightly different way. The first difference is that the phone does not use a single fixed frequency. European phones are using a wide range of frequencies which are divided into channels. When the handset is picked up, it first finds out which channels are in use and whichare available. The first available channel will be used. The next built-in security is a validation between handset and base station. Every few seconds the handset is checking, if it is using a base station having a correct id-number and vice versa. If the handset or the base station does not receive the correct id-number the connection will be disconnected immediatly. This feature makes it nearly impossible that a handset uses two or more different base stations within its range. The usual range of an European cordless phone is about 300 meters in an area free of obstructions, and about 50 meters inside buildings. 3.5 PAGER SYSTEMS ----------------- Pager systems are not directly abuseable, but if the pager in use has a character display so that it can receive complete messages or telephone numbers and not just beep, the messages are subject to easy interception by a person with the necessary knowledge and hardware. Telephone numbers have been known to be intercepted by "prankster", who later called the numbers and was rude to whoever answered. This has happend in the USA, but no European cases are known to the author. Nothing can be done to prevent this kind of misuse. 3.6 SHOULDER SURFING -------------------- A phreaker is mainly interested in making telephone calls without having to pay, and in our modern world of plastic money it is very easy for skilled people to accomplish this. To achieve his goal, a phreak is always looking for Calling Card Codes. Major international telephone companies (like AT&T, MCI, SPRINT and also the German TELEKOM) are issuing calling cards to interested customers. Just dial the service number of the telecom company and give them your credit card number and you will get your calling card. Using a calling card is very easy. Dial the toll-free number specified by the calling card company and the operator will ask you for your calling card number and the phone number you wish to call. In some cases there is an automatic operator and the calling card number must be entered using the key-pad or tone dialler. After verification of the calling card number (similar to a credit card number) you will get connected immediately. If a card holder uses his calling card from a public phone all the phreaker has to do is spotting the number on the card, watching the number being entered on the key-pad or simply listening, if the number has to be told to an operator. Holders of calling cards should protect these the same way he protects credit cards. If the calling card number is spread about in the underground, a few thousand Dollars of damage to the holder of the card can easily be the result. If the card holder discovers that his calling card number is misused, he must notify the card issuing company immediately. The calling card number subsequently becomes invalid and a new calling card is issued to the card holder. However, until the card company has been notified, the holder is liable for the damage. 3.7 ANSWERING MACHINES ---------------------- Answering machines are nothing special. We are routinely using them every day without ever reading the operating manual. This is why we know almost nothing about a few special features built into most answering machines to make our lives more comfortable. One of these features is the remote access function used to check who called and left a message, or to change the message played back when people call. Remote access is accomplished by means of a tone dialler and a two or three digit access code. This fact makes it easy for a stranger to hack the access number within minutes, gain access to the answering machine and listen to the recorded messages. The default factory access code setting for most answering machines is no big secret among phreakers. There is also a digit sequence for three digit access codes available, which fits 99% of the needs. This sequence was made by a tiny little Turbo Pascal program, and both were published over computer networks. For a couple of reasons it rarely ever happens that a phreaker tries to hack an answering machine. Firstly, it costs him money, because normally no private person owns a toll free number. Secondly, in 99% of the cases there are no big secrets to find on an answering machine. So, it's a waste of time for the phreaker. Another built-in feature of a modern answering machine is a monitoring option. This option is normally protected by a two or three digit code and allows a caller to listen to the room in which the answering machine is installed. This is a useful option for parents, who are away from home and want to learn what the children are doing (sleeping or partying), and it is a very useful option for a curious phreaker, who wishes to invade the privacy of people's homes. The problem gets even bigger when the answering machine is installed in a company office. In that case it is possible for the phreaker to obtain vital and confidential information about the company and its future plans. The only way to prevent misuse of these options and features is to buy an answering device without them. 4. HOW / WHERE DO THEY GET THEIR INFORMATION? --------------------------------------------- People often wonder what makes it possible to a phreaker to get his knowledge. There is nothing strange to it, however. It is a result of some tricky research or well-organised public libraries. Most of the information used by a phreaker is legally and freely accessible in libraries and book stores. Only in very few cases the phreaker has to behave like Jim Phelps in "Mission Impossible". The technical standards from the former telephone system standardising organisation CCITT constitute a very interesting source of information for a phreaker. They are available in every good university library and describe international telecom standards like tone frequencies (used to develop the coloured boxes). Most telecom companies are also publishing technical journals for service technicians. These journals are normally available to anybody, who might wish to subscribe. 4.1 SOCIAL ENGINEERING ---------------------- Some phreakers specialise in getting information through social engineering. Social engineering means in this case that a phreaker will phone up a person and pretend to be an employee of the telecom company (or some other important and well-known company), give an important reason for his call and subsequently ask for passwords, account numbers, technical data, specifications or whatever he is after. During his attempt to collect information the phreaker will appear very polite, trustworthy and adult even if he is just 16 years old. This type of information pillaging is done mostly by phone, and they are very often successful. First rule of telecom security to prevent misuse of social engineering. Nobody (!) needs your passwords, confidential account details, calling card numbers or any other type of confidential information. All requests for confidential information by phone should always be refused. People from telecom companies are able to identify themselves with special ID cards, and even these people do not need confidential information. If they need to test something they have their own service access accounts for telephone lines and switching systems. Again. Nobody has to ask for confidential information via telephone even if he gives very good reasons! 4.2 TRASHING ------------ In the course of court cases against prominent phreakers it has become evident that they went out to "trash" telecom companies or other targets, which had their interest. To "trash" in this connections means searching through trash cans for diskettes with software or papers carrying technical knowledge for insiders, telephone numbers, passwords, access codes, planned installations, etc., etc. The rule here is that no paper carrying information that could be important to outsiders should be thrown away. A good countermeasure is to install freely accessible paper shredders (e.g. one on each floor). Furthermore, the employees should be educated about paper security and advised to use the paper shredders. The important rule to apply here, and this particularly goes for old back-up diskettes and tapes, is: If it is not economical to guard it, it is economical to destroy it. In other words, any company policy regarding archiving must contain rules regarding destruction of old archives. Simply throwing these out is rarely sufficient. 4.3 UNDERGROUND PUBLICATIONS ---------------------------- Some people are publishing more or less regularly issued underground magazines about phreaking which are also distributed through modem accessible Bulletin Board Systems as computer files. Every phreaker is welcome to contribute articles for such an underground magazine. One of the foremost publications in this category is Phrack, which is so popular that it has received an ISSN number in the USA and is published on a regular basis. 4.4 WORLD-WIDE COMPUTER NETWORKS -------------------------------- There are only a few innovative phreakers in each country. These phreakers are developing the leading technology of phreaking. Most of them share their knowledge with other people interested in phreaking via computer networks and bulletin board systems. It is thus no big problem to find information about phreaking, which means that malicious information gets spread rapidly to a large audience. 4.5 INTERNAL COMPUTER NETWORKS OF TELECOM COMPANIES --------------------------------------------------- If the phreaker is also a skilled hacker he probably knows ways to access the internal computer network of a telecom company in search for informations. A famous case in the USA was the stealing and publishing of a document about the 911 Emergency Service from the computer network of a telecom company. This case ended in court. 5. CONCLUSIONS -------------- Telecom equipment is a vital resource for any company, and no company can permit a stranger to alter or abuse their telecom system. As described in this article there are many ways to abuse telecommunication equipment, and to prevent abuse from occurring it is absolutely necessary to check out the weakness and vulnerability of existing telecom systems. If it is planned to invest in new telecom equipment, a security plan should be made and the equipment tested before being bought and installed. Every serious manufacturer of telecom equipment will assist with answering the question of telecom security, but it is also recommended to consult a independent source of information, such as an information security expert. It is also mandatory to keep in mind that a technique which is discribed as safe today can be the most unsecure technique in the future. Therefore it is absolutly important to check the function of a security system once a year and if necessary update or replace it. ------------------------------ Date: Thu, 23 Oct 1994 22:51:01 CDT From: CuD Moderators Subject: File 2--Cu Digest Header Information (unchanged since 25 Nov 1994) Cu-Digest is a weekly electronic journal/newsletter. Subscriptions are available at no cost electronically. CuD is available as a Usenet newsgroup: comp.society.cu-digest Or, to subscribe, send a one-line message: SUB CUDIGEST your name Send it to LISTSERV@UIUCVMD.BITNET or LISTSERV@VMD.CSO.UIUC.EDU The editors may be contacted by voice (815-753-0303), fax (815-753-6302) or U.S. mail at: Jim Thomas, Department of Sociology, NIU, DeKalb, IL 60115, USA. Issues of CuD can also be found in the Usenet comp.society.cu-digest news group; on CompuServe in DL0 and DL4 of the IBMBBS SIG, DL1 of LAWSIG, and DL1 of TELECOM; on GEnie in the PF*NPC RT libraries and in the VIRUS/SECURITY library; from America Online in the PC Telecom forum under "computing newsletters;" On Delphi in the General Discussion database of the Internet SIG; on RIPCO BBS (312) 528-5020 (and via Ripco on internet); and on Rune Stone BBS (IIRGWHQ) (203) 832-8441. CuD is also available via Fidonet File Request from 1:11/70; unlisted nodes and points welcome. EUROPE: In BELGIUM: Virtual Access BBS: +32-69-844-019 (ringdown) In ITALY: Bits against the Empire BBS: +39-461-980493 In LUXEMBOURG: ComNet BBS: +352-466893 UNITED STATES: etext.archive.umich.edu (192.131.22.8) in /pub/CuD/ ftp.eff.org (192.88.144.4) in /pub/Publications/CuD/ aql.gatech.edu (128.61.10.53) in /pub/eff/cud/ world.std.com in /src/wuarchive/doc/EFF/Publications/CuD/ uceng.uc.edu in /pub/wuarchive/doc/EFF/Publications/CuD/ wuarchive.wustl.edu in /doc/EFF/Publications/CuD/ EUROPE: nic.funet.fi in pub/doc/cud/ (Finland) ftp.warwick.ac.uk in pub/cud/ (United Kingdom) JAPAN: ftp.glocom.ac.jp /mirror/ftp.eff.org/Publications/CuD ftp://www.rcac.tdi.co.jp/pub/mirror/CuD The most recent issues of CuD can be obtained from the NIU Sociology gopher at: URL: gopher://corn.cso.niu.edu:70/00/acad_dept/col_of_las/dept_soci COMPUTER UNDERGROUND DIGEST is an open forum dedicated to sharing information among computerists and to the presentation and debate of diverse views. CuD material may be reprinted for non-profit as long as the source is cited. Authors hold a presumptive copyright, and they should be contacted for reprint permission. It is assumed that non-personal mail to the moderators may be reprinted unless otherwise specified. Readers are encouraged to submit reasoned articles relating to computer culture and communication. Articles are preferred to short responses. Please avoid quoting previous posts unless absolutely necessary. DISCLAIMER: The views represented herein do not necessarily represent the views of the moderators. Digest contributors assume all responsibility for ensuring that articles submitted do not violate copyright protections. ------------------------------ End of Computer Underground Digest #6.104 ************************************