TELECOM Digest     Thu, 18 Nov 93 04:02:00 CST    Volume 13 : Issue 766

Inside This Issue:                       Moderator: Patrick A. Townson

    Toll Fraud on French PBXs - Phreaking :-) (Jean-Bernard Condat)
    Sprint Upgrading Internet Backbone (John D. Gretzinger)
    Finally Got REAL Phone Service (Jack Decker)
    Research Assistant - High Speed Wireless Networking Research (Joseph Evans)
    Announcement of New Moderator (Dennis G. Rears)
----------------------------------------------------------------------

From: cccf@altern.com (cccf)
Subject: Toll Fraud on French PBXs - Phreaking :-)
Date: Wed, 17 Nov 93 14:48:59 EST

In France it is estimated that PBX trunk fraud (toll fraud) costs companies over $220 million a year. Criminal phreakers figure out how to access PBXs owned by businesses and then sell long-distance calling capacities provided by these systems to the public.

In European markets where PSTN to PSTN connections are illegal it has not to date been such an issue. However, for a number of reasons this is likely to change. Trunk to trunk connection barring through PBXs is expected to be deregulated throughout Europe.

The telecom industry has done more this year to prevent toll fraud than any other time. Yet, toll fraud losses will top more than $2 billion again this year. If you aren't doing anything to prevent being hit, it's not a matter of if you'll be hit, it's when you'll be hit and for how much. So, here are some low-cost ways to stop toll fraud -- or at least lessen the blow if you do get hit.

Increasing numbers of international companies have private networks and provide DISA (Direct Inward System Access) access to employees. Such companies are prime victims for phreaking. For example, a phone hacker can access the network in the UK, France, or Germany and break out in another country where it is legal to make trunk to trunk calls, and from that point they can call anywhere in the world.

Voice mail is taking off across Europe.
This, together with DISA, is one of the most common ways phreakers enter a company's PBX. Raising these issues now and detailing precautionary measures will enable companies to take steps to reduce such frauds. The following looks at the current situation in France.

In France a whole subculture, like a real phone underground culture, of these technology terrorists is springing up on city streets. Stolen access codes are used to run call-sell operations from phone booths or private phones. The perpetrators offer international calls for circa FF 20, which is considerably less than it could cost to dial direct. When calls are placed through corporate PBXs rather than carrier switches, the companies that own the PBXs end up footing the bill.

What are the warning signs that your own communication systems are being victimized by toll fraud? In inbound call detail records, look for long holding times, an unexplained increase in use, frequent use of the system after normal working hours, or a system that is always busy. In records of outbound calls, look for calls made to unusual locations or international numbers, high call volumes, long duration of calls, frequent calls to premium rate numbers and frequently recurring All Trunks Busy (ATB) conditions.

Toll fraud is similar to unauthorized access to mainframe computers or hacking. Manufacturers such as Northern Telecom have developed security features that minimize the risk of such theft. Telecommunication managers, however, are the only ones who can ensure that these features are being used to protect their systems from fraud.

Areas of Intrusion Into Corporate Systems:

PBX features that are vulnerable to unauthorized access include call forwarding, call prompting and call processing features. But the most common ways phreakers enter a company's PBX are through DISA and voice mail systems. They often search a company's rubbish for directories or call detail reports that contain a company's own '05' numbers and codes.
They have also posed as system administrators or France Telecom technicians and conned employees into telling them PBX authorization codes.

More sophisticated hackers use personal computers and modems to break into data bases containing customer records showing phone numbers and voice mail access codes, or simply dial '05' numbers with the help of sequential number generators and computers until they find one that gives access to a phone system. Once these thieves have the numbers and codes, they can call into the PBX and place calls out to other locations.

In many cases, the PBX is only the first point of entry for such criminals. They can also use the PBX to access the company's data system. Call-sell operators can even hide their activities from law enforcement officials by using PBX-looping -- using one PBX to place calls out through another PBX in another state.

Holding the Line -- Steps That Reduce Toll Fraud:

Northern Telecom's Meridian 1 systems provide a number of safety features to guard against unauthorized access. It is the most popular PBX phreaked in France. The following information highlights Meridian 1 features that can minimise such abuse.

DISA Security:

The DISA feature allows users to access a company's PBX system from the public network by dialing a telephone number assigned to the feature. Once the system answers the DISA call, the caller may be required to enter a security code and authorisation code. After any required codes are entered, the caller, using push button tone dialling, is provided with the calling privileges, such as Class of Service (COS), Network Class of Service (NCOS) and Trunk Group Access Restrictions (TGAR), that are associated with the DISA DN or the authorisation code entered.

To minimize the vulnerability of the Meridian 1 system to unauthorized access through DISA, the following safeguards are suggested:

1) Assign restricted Class of Service, TGAR and NCOS to the DISA DN;
2) Require users to enter a security code upon reaching the DISA DN;
3) In addition to a security code, require users to enter an authorization code. The calling privileges provided will be those associated with the specific authorization code;
4) Use Call Detail Recording (CDR) to identify calling activity associated with individual authorization codes. As a further precaution, you may choose to limit printed copies of these records;
5) Change security codes frequently;
6) Limit access to administration of authorization codes to a few, carefully selected employees.

Meridian Mail Security:

Northern Telecom's Meridian Mail voice messaging system is also equipped with a number of safeguarding features. The features that allow system users to dial out, Through-Dial, Operator Revert and Remote Notification (Outcalling), should be controlled to reduce the likelihood of unauthorised access. The following protective measures can be used to minimise toll fraud:

Voice Security Codes - Set security parameters for Through-Dial using the Voice Security Options prompt from the Voice Systems Administration menu. This prompt will list restricted access codes to control calls placed using the Through-Dial function of Meridian Mail. An access code is a prefix for a telephone number or a number that must be dialled to access outside lines or long-distance calling. If access codes are listed as restricted on the Meridian Mail system, calls cannot be placed through Meridian Mail to numbers beginning with the restricted codes. Up to ten access codes can be defined.

Voice Menus - With the Through-Dial function of Voice Menus, the system administrator can limit dialling patterns using restricted dialling prefixes.
These access codes, which are defined as illegal, apply only to the Through-Dial function of each voice menu. Each Through-Dial menu can have its own restricted access codes. Up to ten access codes can be programmed. Meridian Mail also allows system administrators to require that users enter an Access Password for each menu. In this way, the Through-Dial menu can deny unauthorized callers access to Through-Dial functions, while allowing authorised callers access.

Additional Security Features - The Secured Messaging feature can be activated system-wide and essentially blocks external callers from logging in to Meridian Mail. In addition, the system administrator can establish a system-wide parameter that forces users to change their Meridian Mail passwords within a defined time period. Users can also change their passwords at any time when logged in to Meridian Mail. The system administrator can define a minimum acceptable password length for Meridian Mail users. The administrators can also determine the maximum number of times an invalid password can be entered before a log-on attempt is dropped and the mailbox log-on is disabled.

Some of the features that provide convenience and flexibility are also vulnerable to unauthorized access. However, Meridian 1 products provide a wide array of features that can protect your system from unauthorised access. In general, you can select and implement the combination of features that best meets your company's needs.

General Security Measures:

Phone numbers and passwords used to access DISA and Meridian Mail should only be provided to authorized personnel. In addition, call detail records and other reports that contain such numbers should be shredded or disposed of in an appropriate manner for confidential material.

To detect instances of trunk fraud and to minimize the opportunities for such activity, the system administrator should take the following steps frequently (the frequency is determined on a per site basis according to need):

1) Monitor Meridian 1 CDR output to identify sudden unexplained increases in trunk calls. Trunk to trunk/Tie connections should be included in CDR output;
2) Review the system data base for unauthorised changes;
3) Regularly change system passwords, and DISA authorisation and security codes;
4) Investigate recurring All Trunks Busy (ATB) conditions to determine the cause;
5) If modems are used, change access numbers frequently, and consider using dial-back modems;
6) Require the PBX room to be locked at all times. Require a sign-in log and verification of all personnel entering the PBX room.

Two Practical Cases:

Bud Collar, electronic systems manager with Plexus in Neenah, Wis., transferred from its payphone operations branch. As the PBX manager, he's blocked all outside access to his Northern Telecom Meridian 1 and Meridian Mail. Just in case a phreaker does gain access, Collar bought a $600, PC-based software package from Tribase Systems in Springfield, NJ, called Tapit. With Tapit, Collar runs daily reports on all overseas call attempts and completions. But the drawback to Tapit is that by itself it has no alarm features, so if a phreaker does get in, Collar won't know about it until he runs the next report. Tribase does offer Fraud Alert with alarms for $950, but Collar chose not to use it.

Erica Ocker, telecom supervisor at Phico Insurance in Mechanicsburg, PA, also wanted to block all of her outside ports. But she has maintenance technicians who need routine access, so she needed a way to keep her remote access ports open, without opening up her Rolm 9751 to toll fraud. The solution is to buy LeeMah DataCom Security Corp.'s TraqNet 2001.
For $2,000, Ocker got two secured modems that connect to her maintenance port on her PBX and to her Rolm Phone Mail port. When someone wants to use these features, they dial into the TraqNet and punch in their PIN number. TraqNet identifies the user by their PIN and asks them to punch in a randomly selected access code that they can only get from a credit card-sized random number generator, called an InfoCard. That access code matches the codes that are generated each time the TraqNet is accessed.

The TraqNet 2001 is a single-line model that supports up to 2,304 users for $950. More upscale can support up to 32 lines and run call detail reports, but they cost as much as $15,000. InfoCards each cost an additional $50.

Conclusions:

The ultimate solution will be, as I read in a French consultancy review,

The more pleasant story directly linked with French phreaking was the night that I saw on my TV screen in Paris a luxurious computer ad for the Dell micro-computers. At the end of the ad, a toll-free number was presented in green: 05-444-999. I immediately phoned this number ... and found the well-known voice of all French Northern Telecom's Meridian Mail saying in English: "For technical reasons, your call cannot be transferred to the appropriate person. Call later or leave a message after the tune."

The dial of 0* gave the open door to more than Dell information. My letter to this company already is without (free voice-) answer!

Jean-Bernard Condat, General Secretary
Chaos Computer Club France [cccf]
First European Hacking, Phreaking & Swapping Club
Address: B.P. 8005, 69351 Lyon cedex 08, France.
Phone: +33 1 47874083; Fax: +33 1 47874919; E-mail: cccf@altern.com

------------------------------

From: JOHN.D.GRETZINGER@sprint.sprint.com
Date: 17 Nov 93 16:53:35-0500
Subject: Sprint Upgrading Internet Backbone

Pat - This just came across our internal network and looks to be of interest.
On another note, dial access to SprintLink is currently being tested and should be available the first quarter of next year. More on that as it becomes available.

John D. Gretzinger
+1.310.797.1187
+1.310.4430.1761 (FAX)
I don't speak for Sprint, and they don't speak for me.

<<<<<<<<<<<<<<<>>>>>>>>>>>>>>>>>>>>>>>>>

SPRINT UPGRADES SPEED, CAPACITY OF INTERNET BACKBONE SERVICE

WASHINGTON, Nov. 16, 1993 -- Sprint today became the first carrier-based Internet service provider to announce plans to upgrade its transmission network -- SprintLink(SM) -- to accommodate transit speeds of 45 megabits per second by the first quarter of next year. The upgrade includes cutting-edge routing and network management technologies that significantly improve the network's performance.

The SprintLink network upgrade anticipates the transition of Internet traffic from the National Science Foundation network, NSFNet, to commercial service providers, which is expected to begin in spring of 1994. The NSFNet is the U.S. backbone for the Internet, the global "network of networks" that interconnects more than 18,000 networks and over 2,000,000 host computers worldwide.

One of the first phases in the network upgrade is a cooperative test with the NSF to transfer some of its global transit services across the new Sprint backbone. The test builds on Sprint's existing role as the international connections manager for the NSFNet, through which it already carries most of NSFNet's international traffic.

As the international connections manager for the NSFNet, Sprint has the most comprehensive global routing tables of any service provider -- the "road maps" of the information highway. To further enhance the network's ability to route information, Sprint will replace existing routers with Cisco 7000 routers, one of the industry's highest performing models.

Sprint also is embedding Silicon Graphics' Indigo(R) workstations within its network hubs to manage "domain name" service.
These powerful systems maintain the extensive and ever-changing list of "domains" -- user groups or networks -- on the Internet and their corresponding addresses, from regional research networks to public electronic messaging service providers.

Sprint has developed a "flat" network architecture -- a streamlined design that sends information through fewer levels of equipment, permitting higher speeds, less chance of failure and the smooth transition to future services, including Asynchronous Transfer Mode.

In 1994, high-bandwidth customers will be able to connect to SprintLink using Sprint's ATM service through any of Sprint's more than 300 network points of presence in the United States. ATM currently allows data transmission at 45 megabits per second -- fast enough to send a 400-page book across the country in one second.

"The tremendous growth of users on the Internet is fueling the demand for higher-speed, easily upgradable commercial services," said Don Teague, general manager for Sprint's Government Systems Division, which manages the company's business with the federal government. "This upgrade takes our network service to the next technological plane -- those high-bandwidth services required to support the research and scientific community, as well as a growing number of commercial users engaged in electronic commerce and other leading-edge information technologies."

Sprint is a diversified international telecommunications company with more than $10 billion in annual revenues and the United States' only nationwide all-digital, fiber-optic network. Its divisions provide global long distance voice, data and video products and services, local telephone services to more than six million subscriber lines in 19 states, and cellular operations that serve 42 metropolitan markets and more than 50 rural service areas.

Silicon Graphics and Indigo are registered trademarks of Silicon Graphics Inc.

------------------------------

From: ao944@yfn.ysu.edu (Jack Decker)
Subject: Finally Got REAL Phone Service
Date: 18 Nov 1993 06:31:36 GMT
Organization: Youngstown State/Youngstown Free-Net
Reply-To: ao944@yfn.ysu.edu (Jack Decker)

It has been almost a year since I moved into GTE land, and some of you may recall that when I got my phone service, it was provided via some obsolete (no longer manufactured) subscriber carrier equipment that has given me all sorts of problems over the past year (on no less than five occasions, it has gone out completely). At one point (after I complained to the Michigan Public Service Commission) GTE even gave me a credit ($25 plus the equivalent of three days' service) on my phone bill in compensation for the problems I had experienced.

Well, today they cut me onto the new system. It's a remote unit located probably a mile and a half away from me. The cable between there and the downtown central office is fiber, and between the new unit and my home is all new underground cable, replacing aerial cable that is being taken out of service.

After the cutover I noticed several things immediately:

1) My on-hook line voltage increased from ~15 volts to ~44 volts DC. Also, the tip/ring polarity reversed from what it had been when I was on the carrier.

2) So far I am getting considerably less noise and garbage on my modem calls.

3) On voice calls, the difference is amazing! I was actually starting to think that I was getting hard of hearing because I had trouble hearing people on the phone. Suddenly, voices on the other end seem MUCH louder and clearer. This is also apparent with the volume of dial tone. My modem is set to let me hear it dial and connect, and now when it first seizes the line the dial tone will about knock you out of your chair compared to what it used to be. And my mother used to complain about not being able to hear me on the phone; I called her tonight and she says I am much louder on her end, too.

4) I think the phone ring cadence is SLIGHTLY different ... maybe it's my imagination, but to me it sounds like the rings are slightly shorter (like maybe a quarter of a second or half a second shorter). I will add that I'm probably really pushing the limit on Ringer Equivalence Numbers on my line, but both the old and new systems seem to be able to handle that equally well.

5) CPC now works ... before, if the CO dropped current for a moment, I would hear a couple of faint clicks, but the voltage on my line would remain constant. Now, when the CO drops current, my line goes stone cold dead for that fraction of a second.

6) And finally, the new unit still will not accept dial pulses at 20 pps. When I mentioned this originally, I was told that this was a design limitation of the GTD-5 switch in my central office ... that 20 pps was NOT considered a standard dialing speed, and even though some AT&T and other switches may support it, the designers of the GTE switches didn't feel they should.

Now, what I do not know is whether the new remote unit (the crew out here keeps referring to it as a MUX) actually provides dial tone itself, or simply relays dial tone from the CO downtown. I had sort of hoped that it would provide its own dial tone, and would therefore support 20 pulses per second, but no such luck. I'd still like to know where the dial tone is really coming from. I did retain my same phone number, if that's any clue.

All in all I'm quite pleased so far, especially with the far better voice quality and volume. I think it will also make my service FAR more reliable than it has been, assuming of course that some idiot doesn't dig up the new fiber cable and cut it.

As for the carrier box that was hanging on the utility pole out front, it's still there. I think they intend to collect them all at once. I suggested to the guys that they could take it down and back their truck over it a few times, but they said it would probably be reused elsewhere.
I definitely pity whoever gets stuck with that thing next! :-)

Jack

------------------------------

Subject: Research Assistant - High Speed Wireless Networking Research
From: evans@hamming.uucp (Joseph B. Evans)
Date: 17 Nov 93 17:14:16 CDT
Organization: Elec. Eng. & Comp. Sci., Univ. of Kansas

Graduate Research Assistant (GRA) for High Speed Wireless Networking Research
University of Kansas
Department of Electrical Engineering and Computer Science
Telecommunications and Information Sciences Laboratory (TISL)
Lawrence, Kansas

TISL is looking for qualified, creative individuals with a desire to pursue graduate research and education in high speed wireless link and networking technologies. The position requires an undergraduate or MS degree in EE, ECE, or CS with credentials for admission to the University of Kansas Graduate School. Good communication skills, strong self-motivation, and the ability to work as part of a team are required. A background in communications systems and/or networking is desired.

The individual will join a team of faculty and students pursuing sponsored research in high speed wireless communications networks and in the hardware and software development of a prototype high speed wireless Asynchronous Transfer Mode (ATM) system. This position is an opportunity to develop the telecommunications technology of the future.

TISL has state-of-the-art communications and computing facilities. We are a founding member of the MAGIC gigabit testbed and have experiential ATM and long distance SONET facilities. Within TISL, faculty and students address challenging research issues in various aspects of telecommunications, ranging from high speed networks to wireless communications systems and advanced spread spectrum techniques. The interaction between the laboratory and the other EECS faculty contributes to the stimulating intellectual environment.

The University of Kansas is located in Lawrence, a city of about 75,000 people, which is situated in the rolling hills of eastern Kansas, about an hour's drive from Kansas City. The city of Lawrence has a long history and retains many interesting reminders of its colorful past. The community has 1,257 acres of public parks, indoor and outdoor community swimming pools, an arts center, an historical museum, and an active community education and recreation program.

Interested applicants should submit two copies of both a resume and cover letter requesting application forms to:

Dr. Victor S. Frost
Professor of Electrical and Computer Engineering
Director, Telecommunications and Information Sciences Laboratory
University of Kansas
2291 Irving Hill Road
Lawrence, KS 66045-6929
Phone: (913) 864-4833
FAX: (913) 864-7789
e-mail: frost@eecs.ukans.edu

------------------------------

Date: Wed, 17 Nov 93 15:11:17 EST
From: Dennis G. Rears
Subject: Announcement of New Moderator

I will relinquish Moderator duties of the Computer Privacy Digest in a couple of weeks. Prof. L. P. Levine will take over as the new Moderator of the Computer Privacy Digest (comp.society.privacy) sometime in the next few weeks. Currently we are working on the transition. A message will go out shortly on the new addresses.

The primary reason I am leaving the group is time. In the last few months I have not had the time to adequately perform the duties of being a Moderator. I would like to thank all the people who have contributed to the Digest and those people who have provided me with pointers on making the Digest better. I have for the most part enjoyed moderating the group. I will miss the off-line discussions I have had with many of you.

The CPD had its origins in the telecom-privacy mail list which I set up in August of 1990. Telecom-priv started out to address concerns of Caller Id. It was an outgrowth of a discussion that was started on the TELECOM Digest.
The telecom privacy mail list was merged into the Computer Privacy Digest on 27 April 1992.

According to the October USENET readership report comp.society.privacy is read by about 44,000 people, 73% of USENET sites receive this and is ranked at 683. I have about 500 subscribers/exploder lists. I think we have come a long way since the first issue was published in April 1992.

I wish Professor Levine good luck in his new role. I plan to assume a role as Official Lurker.

Dennis G. Rears
MILNET: drears@pica.army.mil UUCP: ...!uunet!cor5.pica.army.mil!drears
INTERNET: drears@pilot.njin.net USPS: Box 210, Wharton, NJ 07885
Phone(home): 201.927.8757 Phone(work): 201.724.2683/(DSN) 880.2683
USPS: SMCAR-FSS-E, Bldg 94, Picatinny Ars, NJ 07806

[Moderator's Note: I'm sure all telecom readers join me in thanking you for your splendid service over the past three years. Best wishes to you in your future endeavors and to your successor as Moderator. PAT]

------------------------------

End of TELECOM Digest V13 #766
******************************
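
The call detail record warning signs listed in the "Toll Fraud on French PBXs" article in this issue (after-hours use, long call durations, international and premium-rate destinations, trunk-to-trunk connections, activity per authorization code) can be checked mechanically. The Python below is an added example, not part of the digest or of any vendor tool; the CSV layout, dial prefixes, working hours and thresholds are assumptions, and the records are constructed.

```python
import csv
import io
from collections import defaultdict
from datetime import datetime

# Constructed sample CDR export (an assumed layout, not a real Meridian 1 format):
# start time, direction, authorization code, inbound trunk, outbound trunk,
# dialed digits, duration in seconds.
SAMPLE_CDR = """\
start,direction,auth_code,trunk_in,trunk_out,dialed,duration_s
1993-11-15 10:02:11,out,1001,,T01,0147000001,185
1993-11-15 14:30:45,out,1002,,T02,0033100000001,420
1993-11-16 02:11:09,out,4417,D01,T03,0012120000001,5400
1993-11-16 02:13:52,out,4417,D01,T04,0012120000002,4980
1993-11-16 02:20:30,out,4417,D02,T05,0092210000003,6120
1993-11-16 03:05:00,out,4417,D02,T01,0890000004,2700
1993-11-16 09:15:00,in,,T06,,,95
"""

# Site-specific assumptions; tune to the local dial plan and working hours.
INTL_PREFIXES = ("00",)
PREMIUM_PREFIXES = ("0890",)
WORK_START, WORK_END = 8, 19      # working hours, 08:00-18:59
LONG_CALL_S = 3600                # threshold for a "long duration" call
MAX_SIGNS_PER_CODE = 3            # investigate a code that exceeds this


def classify(row):
    """Return the warning signs from the article that one CDR row shows."""
    signs = []
    start = datetime.strptime(row["start"], "%Y-%m-%d %H:%M:%S")
    dialed = row["dialed"]
    if not WORK_START <= start.hour < WORK_END:
        signs.append("after_hours")
    if int(row["duration_s"]) >= LONG_CALL_S:
        signs.append("long_duration")
    if dialed.startswith(PREMIUM_PREFIXES):
        signs.append("premium_rate")
    elif dialed.startswith(INTL_PREFIXES):
        signs.append("international")
    # A call that arrives on one trunk and leaves on another is the
    # trunk-to-trunk case the article says must appear in CDR output.
    if row["trunk_in"] and row["trunk_out"]:
        signs.append("trunk_to_trunk")
    return signs


def review(cdr_text):
    """Count warning signs per authorization code; return codes to investigate."""
    per_code = defaultdict(lambda: defaultdict(int))
    for row in csv.DictReader(io.StringIO(cdr_text)):
        code = row["auth_code"] or "(none)"
        for sign in classify(row):
            per_code[code][sign] += 1
    return {
        code: dict(signs)
        for code, signs in per_code.items()
        if sum(signs.values()) > MAX_SIGNS_PER_CODE
    }


if __name__ == "__main__":
    for code, signs in review(SAMPLE_CDR).items():
        print(f"investigate authorization code {code}: {signs}")
```

Run daily against the previous day's export, this gives the per-code review the DISA safeguards call for; a flagged code is a prompt to investigate and change that code, not proof of fraud.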