The LOD/H Technical Journal, Issue #3: File 11 of 11 $$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$ $ $ $ Network News & Notes $ $ $ $ Compiled from Comp.Risks Digest $ $ by $ $ The Mentor $ $ $ $$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$ Comp.Risks Digest is a USENET distributed newsletter on risks to the public from computer-related systems. It is frequently one of the first places that bugs in operating systems show up. These are some of the more interesting posts that have appeared in the past month. ---------------------------------------------------------------------------- Date: Wed, 5 Oct 88 12:35:37 EDT From: Dave Wortman Subject: Emergency Access to Unlisted Telephone Numbers The article below was originally posted to misc.consumers. I thought it might be of interest to RISKS readers as an example of a well-thought-out set of administrative procedures designed to balance the needs of protection of privacy and response to emergency situations. ======================================================================= All examples in this message pertain to Illinois Bell Telephone Company, which covers the Chicago metropolitan area, and quite a bit of the rest of Illinois. There are three types of phone numbers which do not appear in the printed and publicly available directory: (1) Too new to list (2) Non-listed (3) Non-pub. [discussion of types (1) and (2) deleted.] The third category of numbers not in the phone book or available from the Directory Assistance Bureau are non-published numbers. Non-pub numbers are NOT available at the Directory Assistance level. Inquiries about same which are input into a DA terminal simply come up with a message that 'at the customer's request, the number is not listed in our records; the number is non-published.' Well, who does keep non-pub records then? The Business Office has no handy way to retrieve them, since they depend on an actual phone number when they pull up a record to discuss an account. Once a service order is processed, the number and associated name are no longer available to the average worker in the central office. There was for several years a small group known as the 'NonPub Number Bureau' which at the time was located in Hinsdale, IL. Needless to say, the phone number to the NonPub Number Bureau was itself non-published, and was only available to specified employees at Bell who were deemed to have a 'need to know'. Now I think with all the records being highly computerized, the keepers of the non-pub phone numbers are themselves scattered around from one phone office to another. When there is some specific need for an employee at the phone company to acquire the non-published number of a subscriber, then certain security precautions kick into place. Only a tiny percentage of telephone company employees are deemed to have a 'need to know' in the first place; among these would be the GCO's (Grup Chef Operators), certain management people in the central offices, certain people in the Treasury/Accounting office, andof course, security representatives both from Illinois Bell and the various long distance carriers, such as AT&T/Sprint/MCI. Let us have a hypothetical example for our Correspondent: Your mother has taken seriously ill, and is on her deathbed. Your brother is unable to reach you to notify you of this because you have a non-pub number. When his request for the number has been turned down by Directory Assistance, simply because they do not have it, he asks to speak with a supervisor, and he explains the problem. He provides his own name and telephone number, and the supervisor states he will be called back at a later time. The supervisor does not question if in fact an emergency exists, which is the only valid reason for breaking security. The supervisor may, if they are doing their job correctly, ask the inquirer point blank, "Are you stating there is an emergency situation?". Please bear inmind tat the law in Illinois and in many other states says that if a person claims that an emergency exists in order to influence the use (or discontinuance of use) of the telephone when in fact there is no emergency is guilty of a misdemeanor crime. You say yes this is an emergency and I need to contact my brother/sister/etc right away. The supervisor will then talk to his/her supervisor, who is generally of the rank of Chief Operator for that particular facility. The Chief Operator will call the NonPub people, will identify herself, and *leave her own call back number*. The NonPub people will call back to verify the origin of the call, and only then will there be information given out regards your brother's telephone number. It helps if you know the *exact* way the name appears in the records, and the *exact* address; if there is more than one of that name with non-pub service, they may tell you they are unable to figure out who it is you want. The NonPub person will then call the subscriber with the nn-published number and explain to tem what has occurred: So and so has contacted one of our operators and asked for assistance in reaching you. The party states that it is a family emergency which requires your immediate attention. Would it be alright if we give him/her your number, *or would you prefer to call them back yourself?* Based on the answer given, the number is either relayed back to the Chief Operator, or a message is rlaedback saying the non-pub customer has been notified. If the customer says it is okay to pass his number, then the Chief Operator will call you back, ask who YOU are, rather than saying WHO she wants, and satisfied with your identification will give you the number you are seeking or will advise you that your brother has been given the message by someone from our office, and has said he will contact you. Before the NonPub people will even talk to you, your 'call back number' has to be on their list of approved numbers for that purpose. A clerk n the Business Office cannot imitate a Chief Operator for example, simply because NonPub would say that the number you are asking us to call back to is not on our list. "Tell your supervisor what it is you are seeking and have them call us..." Other emergency type requests for non-pub numbers would be a big fire at some business place in the middle of the night, and the owners of the company must be notified at their home; or a child is found wandering by the police and the child is too young to know his parent's (non-pub) number. They will also handle non-emergency requests, but only if they are of some importance and not frivolous in nature. You have just come to our city to visit and are seeking a long lost friend who has a non-pub number; you are compiling the invitations to your high school class fiftieth re-union and find a class member is non-pub. Within certain reasonable limits, they will pass along your request to the desired party and let them make the choice of whether to return the call or not. But always, you leave your phone number with them, and in due time someone will call yo back to report what has been said or done. You would be surprised -- or maybe you wouldn't -- at the numerous scams and [........] stories people tell the phone company to get the non-pub number of someone else. Fortunately, Bell takes a great deal of pride in their efforts to protect the privacy of their subscribers. Patrick Townson, The Portal Syse(TM) uunet!portal!cup.portal.com!Patrick_A_Townson ----------------------- Date: Tue, 4 Oct 88 18:01:58 CDT From: linnig@skvax1.csc.ti.com Subject: More on monitoring Cellular Phones Alan Kaminsky (ark%hoder@CS.RIT.EDU) writes: > When a phone detects a paging message with > its own address, it broadcasts a page response message. This response is > received by all the cells in the system, and the signal strength is measured. > The cell receiving the strongest response is assumed to be the cell in which > the phone is located, an unused frequency in that cell is assigned, and the > phone call is switched to a transceiver in that cell. Ah, but could the phone company send out a page without a following "ring them" message? If they could, then they could periodically poll your position, and your faithful cellular phone would report it without your knowledge. > As for business competitors monitoring calls you place on your cellular > telephone, to find out your clients' phone numbers: This is perfectly > possible.... One hopes the FCC, police, etc. > would prevent anyone from offering such a product commercially. Well, the communication privacy act recently passed prevents you from intercepting the audio side of the cellular phone conversation, but I doubt if it prevents you from picking up the dialing info. I think such a device might be considered in the same class as a "pen register." Pen registers record the numbers called on a telephone circuit. I believe the Supreme Court doesn't even require a search warrant to place a pen register on a phone. It may be quite legal to record the phone numbers dialed by a cellular phone. Someone with a law background want to comment? Mike Linnig, Texas Instruments ------------------------------ Date: Fri, 7 Oct 88 09:00:08 edt From: Henry Cox Subject: Reach Out and Touch Someone... TEENS RUN UP TELEPHONE BILL OF $650,000 [From the Montreal Gazette, 7 October 1988] LAS VEGAS (AP) - Ten teenage hackers may have run up $650 000 in telephone calls by tricking phone company computers, and their parents could be liable for the tab, authorities said. "They reached out, all right," assistant U.S. Attorney Russel Mayer said of the hackers, nine 14-year-olds and one 17-year-old. "They reached out and touched the world." Tom Spurlock, resident agent in charge of the Las Vegas Secret Service office, said the teen agers engaged in "blue boxing," a technique that enabled them to talk to fellow hackers throughout Europe. "They were calling numbers that were in the ATT system, and their (computer) programs would allow them to `jump' ATT's circuits, allowing them to call anywhere in the world." The expensive shenanigans came to light when local phone company officials discovered unusual activity on nine Las Vegas phone lines, Spurlock said. He said federal agents obtained warrants and searched the nine homes. The teenagers weren't taken into custody or charged, but their computers were seized. Henry Cox ------------------------------ Date: Fri, 07 Oct 88 13:35:03 -0400 From: davis@community-chest.mitre.org Subject: Computer Security and Voice Mail From the Oct 6 Washington Post. From a news item "Hackers Find New Way to Tap Long-Distance Phone Lines". Zotos International Co. received two consecutive $75,000 phone bills, due to use of their automated answering system by hackers. Zotos' switchboard automatically routes incoming calls to the proper department. Hackers found a way to circumvent the system to place outgoing long-distance calls, in some cases to Pakistan and Senegal. In this case the calls were traced to Pakistani businesses in New York. However, police officials told Zotos that they must catch the hackers in the act in order to prosecute. The telephone company informed Zotos' mangement to pay the bills, and collect from the susspected hackers via the civil courts. In the same article, a related Los Angeles case of misuse of an electronic switchboard system by outsiders described 'capture' of 200 of a company's password-secured voice mail accounts. Outsiders, in this cases a dope ring and a prostitution ring, gained access by guessing the 4-digit passwords and changing them. The hackers backed off only when 'Federal authorities' began tracing calls. The article quotes security experts as recommending systems including several access codes. Also, major companies are adding software to detect changes in calling patterns. ------------------------------ Date: 6 Oct 88 09:45 From: plouff%nac.DEC@decwrl.dec.com (Wes Plouff) Subject: Re: Risks of Cellular Phones Recent writers to RISKS, starting with Chuck Weinstock in issue 7.57, have focused on the risk of vehicle location by cellular telephone systems. In my opinion, they exaggerate this risk and underestimate another risk of mobile phones, the complete lack of privacy in radio transmissions. Roughly 10 years ago I designed vehicle location controller hardware and firmware used in the Washington-Baltimore cellular demonstration system. That system led directly to products sold at least through the first waves of cellular system construction a few years ago. Since cellular base stations have intentionally limited geographic coverage, vehicle location is a requirement. This limitation is used to conserve radio channels; one cell's frequencies can be re-used by others far enough away in the same metropolitan area. The cell system must determine which cell a mobile user is located in when he begins a call, and when during a conversation a vehicle crosses from one cell into another. Cells are set up perhaps 3 to 20 miles in diameter and range from circular to very irregular shapes. Cellular phone systems are designed with ample margins so that statistically very few calls will be lost or have degraded voice quality. Making this system work does not require anything so fancy as triangulation. Vehicle location needs to be only good enough to keep signal quality acceptably high. John Gilmore explained in RISKS 7.58 how this works while the mobile phone is on-hook. During a conversation, the base station periodically measures the signal strength of an active mobile in its cell. When the signal strength goes below a threshold, adjacent cells measure the mobile's signal strength. This 'handoff trial' procedure requires no interaction with the mobile. If the mobile was stronger by some margin in an adjacent cell, both the mobile phone and the cellular exchange switch are ordered to switch to a channel and corresponding phone line in the new cell. Since base stations commonly use directional antennas to cover a full circle, mobiles could be reliably located in one third of the cell area at best. Distance-measuring techniques advocated by AT&T were not adopted because the added cost was too high for the modest performance gain. Certainly a cellular phone system can locate a mobile at any time, and always locates a mobile during a conversation. But the information is not fine-grained enough to implement some of the schemes imagined by previous writers. A more important risk is the risk of conversations being intercepted. The public airwaves are simply that: public. Scanner radios can easily be found or modified to cover the cellular band, and listeners will tolerate lower signal quality than cellular providers, hence one scanner can listen to cell base stations over a wide area. The communications privacy law is no shield because listeners are undetectable. To bring this back to risks of computers, automated monitoring and recording of selected mobile phones is probably beyond the reach of the average computer hobbyist, but easily feasible for a commercial or government organization using no part of the infrastructure whatever, just the control messages available on the air. Wes Plouff, Digital Equipment Corp, Littleton, Mass. plouff%nac.dec@decwrl.dec.com ------------------------------ Date: Wed, 12 Oct 88 20:34:01 -0700 From: davy@riacs.edu Subject: 100 digit primes no longer safe in crypto Taken from the San Jose Mercury News, Oct. 12, 1988, Page 8A: Computers able to make light work of cracking code (Los Angeles Times) Some secret codes intended to restrict access to military secrets and Swiss bank accounts may not be as safe as had been presumed, a team of computer experts demonstrated Tuesday. The team succeeded in doing what security experts thought could not be done: using ordinary computers to break down a 100-digit number into the components that produce it when multiplied together. That process, called factoring, holds the key to many security codes. Before Tuesday, experts had believed that if the number was large enough - up to 100 digits - its factoring would take about 10 months with a Cray super- computer, one of the most powerful computers in the world. But computer experts across the United States, Europe and Australia solved the problem more quickly by using 400 processors simultaneously. They linked their computers electronically and factored a 100-digit number in just 26 days. The number has two factors, one 41 digits long and the other 60 digits long. And that, according to Arjen Lenstra, professor of computer science at the University of Chicago, should be quite sobering to experts who believe they are secure with codes based on numbers that large. Lenstra headed the project, along with Mark S. Manasse of the Digital Equipment Corp.'s Systems Research Center in Palo Alto. [ quotes from experts ] Rodney M. Goodman, associate professor of electrical engineering and an expert on cryptography at the California Institute of Technology in Pasadena, described the achievement as "significant," because it means that some systems may not be as secure as had been thought. But he said it did not mean that security experts around the world would have to rebuild their systems. "All the cryptographers will do is increase the length of the number by a few more digits," he said, "because the problem gets exponentially worse as you increase the size of the number." A larger number is more cumbersome, and cryptographers had tried to kep the number as small as possible. [ explanation of the idea behind using large numbers with prime factors in cryptography ] Last year, Lenstra decided to tackle the problem on "a small scale, just to see if he could do it," according to Larry Arbeiter, spokesman for the Univ- ersity of Chicago. "It was a pure science type of effort." Several months ago, Lenstra presented his idea to Manasse, a computer re- search scientist with Digital. Manasse became so intrigued with the problem that his company agreed to fund much of the cost, including the use of more than 300 computer processors at the Palo Alto company during off-duty hours. The company manufactures DEC computers. "I was interested in the general problem of taking a program and breaking it up into small pieces" so that many could work simultaneously toward the sol- ution, Manasse said. Other computer enthusiasts from the "factoring community" clamored aboard and this fall more than 400 computers around the globe were ready to give it a try. The computers ranged in size from microcomputers to a Cray supercomputer, but even personal computers with large memories could have been used, Lenstra said. Each of the participating computers was given a different part of the problem to solve, and success came early Tuesday morning. ------------------------------ Date: 12 Oct 88 19:14:22 GMT From: spaf@purdue.edu (Gene Spafford) Subject: NSFnet Backbone Shot The following mail was forwarded to me a few minutes ago. This refers to the MCI fiber used to carry the NSFnet backbone. No wonder some of my mail has disappeared recently! [From: field inadvertently deleted?] => Date: Wed, 12 Oct 88 12:47:00 EDT => To: watchdogs@um.cc.umich.edu, ie@merit.edu => Subject: A bit of trivia => => The fiber that goes from Houston to Pittsburgh was broken due => to a gun blast....that is right, a gun blast. => Somewhere in the swamps of the Bayou (between Alabama and New Orleans) => the fiber cables are suspended above the swamps and a good ol' => boy was apparently target practicing on the cable. => => Traffic has been rerouted and when the investigation has taken place => and the cable fixed we will be put back on the original circuit. Gene Spafford NSF/Purdue/U of Florida Software Engineering Research Center, Dept. of Computer Sciences, Purdue University, W. Lafayette IN 47907-2004 Internet: spaf@cs.purdue.edu uucp: ...!{decwrl,gatech,ucbvax}!purdue!spaf ------------------------------ Date: Tue, 11 Oct 88 00:14 MDT From: MCCLELLAND_G%CUBLDR@VAXF.COLORADO.EDU Subject: Intersection of ANI and Voice Mail Risks Recent reports in RISKS of nefarious deeds committed by hackers who entered a system via voice mail prompted me to inquire about the voice mail security of my university's system. A year ago the U bought its own fancy switch for on-campus communications. Some of the goodies include voice mail and ANI. I tried the voice mail once but since I much prefer e-mail I long ago forgot my voice mail password (yep, only 4 digits if the hackers want to start guessing). I called the telecommunications office to determine where I needed to go in person and with how many photo ID's to get my voice mail password. Even though I hadn't identified myself, the clerk said, "Oh that won't be necessary, Mr. McClelland, I'll just change your password back to the default password and you can then change it to whatever you want." I said, "But how do you know that I'm McClelland?" He replies, "Because it shows on the digital display on my phone both the phone number and name of the caller." [Most phones are in private offices so a unique name can be attached to each number.] I tried to explain that all he really knew was that I was someone calling from the phone in McClelland's office and that I could be the janitor, a grad student, or almost anyone. But security wasn't his problem so he wasn't very concerned. I was afraid to ask how many folks never bother to change their default password. As I was about to hang up, he said, "By the way, if you check your voice mail from your own extension you don't even need to enter your password." I said , "Thanks, that's reassuring" but I don't think he caught the sarcasm. Gary McClelland ------------------------------ Date: 28 Sep 88 10:10:47 +0100 (Wednesday) From: Peter Robinson Subject: Re: Risks of cellular telephones As a radio amateur, I have always been taught that using mobile transmitters near petrol stations is bad form - the radiation from the transmitter can induce currents in nearby metalwork and perhaps cause a spark. The thought of a cellular telephone being able to transmit without the operator's consent (in response to a paging call) is, therefore, slightly RISKy. Tis cold even get worse as technology progesses. As the sunspot cycle advances, it sees plausible that transmissions will carry further and interfere with those in nearby cells (not the adjacent ones, they usually have distinct frequencies). Before long the manufacturers will introduce adaptive control where the transmitter power is adjusted dynamically to compensate for variations in the signal path between the mobile and base stations. So then when you pull into a petrol station and receive a call, the system will notice that all the surrounding metal is impairing your signal and will increase the transmitter power accordingly... Incidentally, I am not sure what power these radios use, but I would be slightly nervous about using a hand-held telephone with the antenna anywhere near my eyes if it is more than a few Watts. ------------------------------ Date: Sat, 8 Oct 88 15:59:56 MET From: "Walter Doerr" Subject: Risks of cellulr phnes Chuck Weistock writes in RISKS 7.57: > Subjec: Rsks of Cellular Phones? > > While discussing radio triangulation last nigh, the question came up: > If I dial a phone number attached to a cellular phone, how does the > cellular system know which cell should send the ring signal to the > phone? Is it a system wide broadcast, or does the cellular phone > periodically broadcast a "here I am" signal? In the 'C-Net' here in Germany, all mobile phones send a "here I am" signal whenever they move to a new cell. This information (the cell where the phone can be reached) is stored in the database of the phone's "home" base. Calls to mobile phones are routed to a computer in Frankfurt which contacts the home base computer (based on the first few digits of the mobile phonenumber), which, in turn, knows the cell the phone is currently in. > If the latter, a less than benevolent government (or phone company for > that matter) could use that information to track its citizens' cars' > whereabouts. According to an article in an electronics magazine, the German PTT was approached by a police agency, who expressed interest in the data stored in the networks computers. The article quotes a Siemens mobile telephone specialist as saying that it isn't possible topipoint the current location of a mobile phone because: - the phone must be switched on for the network to recognize it - the cells use omnidirectional antennas, so it isn't possible to determine the direction from where the mobile phone's signal came. While this is true, it is certainly possible to determine the location of a phone with an accuracy of a few miles (the size of the cell the phone is in) without using any additional direction finding methods (radio triangulation). Walter Doerr ------------------------------------------------------------------------------- End of the LOD/H Technical Journal #3 -------------------------------------------------------------------------------  Downloaded From P-80 International Information Systems 304-744-2253 12yrs+