Date: Wed, 12 Aug 92 14:13 PDT
From: john@ZYGOT.ATI.COM(John Higdon)
Subject: File 5--Bell System Policies (John's Response 2)

jmcarli@SRV.PACBELL.COM(Jerry M. Carlin) responds:

> It's neither easy nor quick to plug all the holes in 'swiss cheese'. The
> point I'm trying to make is that we've been working on it for a number
> of years and are continuing to work on it and that we've made good progress.

Yes, and it is important to separate "inherent insecurity" from
"sloppiness". The matter of inband signaling (from which the publication
"2600" derives its name) involved an embedded, virtually uncorrectable
security hole. Most of these, thank heaven, are becoming history. But
Pac*Bell, among others, is still just a wee bit sloppy on the
administrative level.

Just one example: After having eight of my residence phone numbers
changed, I suddenly realized that my Pac*Bell Calling Card was invalid.
I called the business office and explained that I wanted a new card. No
problem. In fact, I could select my own PIN. And if I did so, the card
would become usable almost immediately.

Do you see where I am going with this? No effort was made to verify that
I was who I claimed to be, even though my accounts are all flagged with a
password. (When I reminded the rep that she forgot to ask for my
password, she was highly embarrassed.) If I had been Joe Crook, I would
have a nice new Calling Card, complete with PIN, of which the bill-paying
sucker (me) would not have had any knowledge. By the time the smoke
cleared, how many calls to the Dominican Republic could have been made?

When will Pac*Bell do something about this wide, gaping security hole? I
will tell you: when losses become significant, and/or the press gets wind
of it and some notable, visible cases go to court.

So, you want to go into the "Call Back to your Homeland Cheap" business?
Call the Pac*Bell business office, tell the rep you want a calling card
for a particular number (preferably one you do not get the bill for) and
select your own PIN (one that you can easily remember :-).

So, Pac*Bell, do you want to sue me for publishing "sensitive"
information? Or do you want to plug the hole and fix the problem? I think
by now you get the point.

Downloaded From P-80 International Information Systems 304-744-2253