
TELECOM Digest     Thu, 18 Nov 93 04:02:00 CST    Volume 13 : Issue 766

Inside This Issue:                        Moderator: Patrick A. Townson

    Toll Fraud on French PBXs -Phreaking :-) (Jean-Bernard Condat)
    Sprint Upgrading Internet Backbone (John D. Gretzinger)
    Finally Got REAL Phone Service (Jack Decker)
    Research Assistant - High Speed Wireless Networking Research (Joseph Evans)
    Announcement of New Moderator (Dennis G. Rears)
----------------------------------------------------------------------

From: cccf@altern.com (cccf)
Subject: Toll Fraud on French PBXs - Phreaking :-)
Date: Wed, 17 Nov 93 14:48:59 EST


In France it is estimated that PBX trunk fraud (toll fraud) costs
companies over $220 million a year. Criminal phreakers figure out how
to access PBXs owned by businesses and then sell long-distance calling
capacities provided by these systems to the public. In European
markets where PSTN to PSTN connections are illegal it has not to date
been such an issue. However, for a number of reasons this is likely to
change.

Trunk to trunk connection barring through PBXs is expected to be
deregulated throughout Europe.

The telecom industry has done more this year to prevent toll fraud
than any other time. Yet, toll fraud losses will top more than $2
billion again this year. If you aren't doing anything to prevent being
hit, it's not a matter of if you'll be hit, it's when you'll be hit
and for how much. So, here are some low-cost ways to stop toll
fraud-or at least lessen the blow if you do get hit.

Increasing numbers of international companies have private networks
and provide DISA (Direct Inward System Access) access to employees.
Such companies are prime victims for phreaking. For example, a phone
hacker can access the network in the UK, France, or Germany and break
out in another country where it is legal to make trunk to trunk calls,
and from that point they can call anywhere in the world.

Voice mail is taking off across Europe. This, together with DISA, is
one of the most common ways phreakers enter a company's PBX.

Raising these issues now and detailing precautionary measures will
enable companies to take steps to reduce such frauds.  The following
looks at the current situation in France.

In France a whole subculture, like a real phone underground culture,
of these technology terrorists is springing up on city streets. Stolen
access codes are used to run call-sell operations from phone booths or
private phones. The perpetrators offer international calls for circa
FF 20, which is considerably less than it could cost to dial direct.
When calls are placed through corporate PBXs rather than carrier
switches, the companies that own the PBXs end up footing the bill.

What are the warning signs that your own communication systems are
being victimized by toll fraud? In inbound call detail records, look
for long holding times, an unexplained increased in use, frequent use
of the system after normal working hours, or a system that is always
busy. In records of outbound calls, look for calls made to unusual
locations or international numbers, high call volumes, long duration
of calls, frequent calls to premium rate numbers and frequently
recurring All Trunks Busy (ATB) conditions.

Toll fraud is similar to unauthorized access to mainframe computers or
hacking. Manufacturers such as Northern Telecom have developed
security features that minimize the risk of such theft.

Telecommunication managers, however, are the only ones who are ensure
that these features are being used to protect their systems from
fraud.

Areas of Intrusion Into Corporate Systems:

PBX features that are vulnerable to unauthorized access include call
forwarding, call prompting and call processing features. But the most
common ways phreakers enter a company's PBX is through DISA and voice
mail systems.  They often search a company's rubbish for directories
or call detail reports that contain a companies own '05' numbers and
codes. They have also posed as system administrators or France Telecom
technicians and conned employees into telling them PBX authorization
codes. More sophisticated hackers use personal computers and modems to
break into data bases containing customer records showing phone
numbers and voice mail access codes, or simply dial '05' numbers with
the help of sequential number generators and computers until they find
one that gives access to a phone system.

Once these thieves have the numbers and codes, they can call into the
PBX and place calls out to other locations. In many cases, the PBX is
only the first point of entry for such criminals. They can also use
the PBX to access company's data system. Call-sell operators can even
hide their activities from law enforcement officials by using
PBX-looping-using one PBX to place calls out through another PBX in
another state.

Holding the Line-Steps That Reduce Toll Fraud:

Northern Telecom's Meridian 1 systems provide a number of safety
features to guard against unauthorized access. It is the most popular
PBX phreaked in France. The following information highlights Meridian
1 features that can minimise such abuse.


DISA Security:

The DISA feature allows users to access a company's PBX system from
the public network by dialing a telephone number assigned to the
feature. Once the system answers the DISA call, the caller may be
required to enter a security code and authorisation code. After any
required codes are entered, the caller, using push button tone
dialling, is provided with the calling privileges, such as Class of
Service (COS), Network Class of Service (NCOS) and Trunk Group Access
Restrictions (TGAR), that are associated with the DISA DN or the
authorisation code entered.

To minimize the vulnerability of the Meridian 1 system to unauthorized
access through DISA, the following safeguards are suggested:

1) Assign restricted Class of Service, TGAR and NCOS to the DISA DN;

2) Require users to enter a security code upon reaching the DISA DN;

3) In addition to a security code, require users to enter an authorization
code. The calling privileges provided will be those associated with the
specific authorization code;

4) Use Call Detail Recording (CDR) to identify calling activity
associated with individual authorization codes. As a further
precaution, you may choose to limit printed copies of these records;

5) Change security codes frequently;

6) Limit access to administration of authorization codes to a few,
carefully selected employees.

Meridian Mail Security:

Northern Telecom's Meridian Mail voice messaging system is also
equipped with a number of safeguarding features. The features that
allow system users to dial out; Through Dial, Operator Revert and
Remote Notification (Outcalling) should be controlled to reduce the
likelihood of unauthorised access. The following protective measures
can be used to minimise tool fraud:

Voice Security Codes -

Set security parameters for ThroughDial using the Voice Security
Options prompt from the Voice Systems Administration menu. This prompt
will list restricted access codes to control calls placed using the
Through-Dial function of Meridian Mail. An access code is a prefix for
a telephone number or a number that must be dialled to access outside
lines or long-distance calling. If access codes are listed as
restricted on the Meridian Mail system, calls cannot be placed through
Meridian Mail to numbers beginning with the restricted codes. Up to ten
access codes can be defined.

Voice Menus -

With the Through-Dial function of Voice Menus, the system
administrator can limit dialling patterns using restricted dialling
prefixes. These access codes, which are defined as illegal, apply only
to the Through-Dial function of each voice menu. Each Through-Dial
menu can have its own restricted access codes. Up to ten access codes
can be programmed.

Meridian Mail also allows system administrators to require that users
enter an Access Password for each menu. In this way, the Through-Dial
menu can deny unauthorized callers access to Through-Dial functions,
while allowing authorised callers access.

Additional Security Features -

The Secured Messaging feature can be activated system-wide and
essentially blocks external callers from logging to Meridian Mail. In
addition, the system administrator can establish a system-wide
parameter that forces user to change their Meridian Mail passwords
within a defined time period. Users can also change their passwords at
any time when logged in to Meridian Mail.

System administrator can define a minimum acceptable password length
for Meridian Mail users. The administrators can also determine the
maximum number of times an invalid password can be entered before a
log-on attempt is dropped and the mailbox log-on is disabled.

Some of the features that provide convenience and flexibility are also
vulnerable to unauthorized access. However, Meridian 1 products
provide a wide array of features that can protect your system from
unauthorised access.

In general, you can select and implement the combination of features
that best meets your company's needs.

General Security Measures:

Phone numbers and passwords used to access DISA and Meridian Mail
should only be provided to authorized personnel. In addition, call
detail records and other reports that contain such numbers should be
shredded or disposed of in an appropriate manner for confidential
material. To detect instances of trunk fraud and to minimize the
opportunities for such activity, the system administrator should take
the following steps frequently (the frequency is determined on a per
site basis according to need):

1) Monitor Meridian 1 CDR output to identify sudden unexplained increases in
trunk calls. Trunk to trunk/Tie connections should be included in CDR output;

2) Review the system data base for unauthorised changes;

3) Regularly change system passwords, and DISA authorisation and security
codes;

4) Investigate recurring All Trunks Busy (ATB) conditions to determine
the cause;

5) If modems are used, change access numbers frequently, and consider
using dial-back modems;

6) Require the PBX room to be locked at all times. Require a sign-in
log and verification of all personnel entering the PBX room.

Two Practical Cases:

Bud Collar, electronic systems manager with Plexus in Neenah, Wis.,
transferred from its payphone operations branch. As the PBX manager,
he's blocked all outside access to his Northern Telecom Meridian 1 and
meridian Mail. Just in case a phreaker does gain access, Collar
bought a $600, PC-based software package from Tribase Systems in
Springfield, NJ, called Tapit. With Tapit, Collar runs daily reports
on all overseas call attempts and completions. But the drawback to
Tapit is that by itself it has no alarm features, so if a phreaker
does get in, Collar won't know about it until he runs the next report.
Tribase does offer Fraud Alert with alarms for $950, but Collar chose
not to use it.

Erica Ocker, telecom supervisor at Phico Insurance in Mechaniscsburg,
PA, also wanted to block all of her outside ports. But she has
maintenance technicians who need routine access, so she needed a way
to keep her remote access ports open, without opening up her Rolm 9751
to toll fraud. The solution is to buy LeeMah DataCom Security Corps's
TraqNet 2001. For $2,000, Ocker got two secured modems that connect to
her maintenance port on her PBX and to her Rolm Phone Mail port. When
someone wants to use these features, they dial into the TraqNet and
punch in their PIN number. TraqNet identifies the user by their PIN
and asks them to punch in a randomly selected access code that they
can only get from a credit card-sized random number generator, called
an InfoCard. That access code matches the codes that are generated
each time the TraqNet is accessed. The TraqNet 2001 is a single-line
model that supports up to 2,304 users for $950. More upscale can
support up to 32 lines and run call detail reports, but they cost as
much as $15,000.  InfoCards each cost an additional $50.

Conclusions:

The ultimate solution will be, as I read in a French consultancy
review, <to program the PBX ACD agent ports as toll denied.>

The more pleasant story directly linked with French phreaking was the
night that I saw on my TV screen in Paris a luxurous computer ad for
the Dell micro-computers. At the end of the ad, a toll-free number was
presented in green: 05-444-999. I immediately phoned this number ...
and found the well-known voice of all French Northern Telecom's
Meridian Mail saying in English: "For technical reasons, your call
cannot be transferred to the appropriate person.  Call later or leave
a message after the tune." The dial of 0* gave the open door to more
than Dell information. My letter to this company already is without
(free voice-) answer!


Jean-Bernard Condat, General Secretary
Chaos Computer Club France [cccf]
First European Hacking, Phreaking & Swapping Club
Address: B.P. 8005, 69351 Lyon cedex 08, France.
Phone: +33 1 47874083; Fax: +33 1 47874919; E-mail: cccf@altern.com

------------------------------

From: JOHN.D.GRETZINGER@sprint.sprint.com
Date: 17 Nov 93 16:53:35-0500
Subject: Sprint Upgrading Internet Backbone


Pat -

This just came across our internal network and looks to be of
interest.

On another note, dial access to SprintLink is currently being tested
and should be available the first quarter of next year.  More on that
as it becomes available.


John D. Gretzinger
+1.310.797.1187
+1.310.4430.1761 (FAX)
I don't speak for Sprint, and they don't speak for me.

   <<<<<<<<<<<<<<<<forwarded message>>>>>>>>>>>>>>>>>>>>>>>>>>

    
SPRINT UPGRADES SPEED, CAPACITY OF INTERNET BACKBONE SERVICE 
    
   WASHINGTON, Nov. 16, 1993 -- Sprint today became the first
carrier-based Internet service provider to announce plans to upgrade
its transmission network -- SprintLink(SM) -- to accommodate transit
speeds of 45 megabits per second by the first quarter of next year.
The upgrade includes cutting-edge routing and network management
technologies that significantly improve the network's performance.
 
   The SprintLink network upgrade anticipates the transition of
Internet traffic from the National Science Foundation network, NSFNet,
to commercial service providers, which is expected to begin in spring
of 1994.  The NSFNet is the U.S. backbone for the Internet, the global
"network of networks" that interconnects more than 18,000 networks and
over 2,000,000 host computers worldwide.

    One of the first phases in the network upgrade is a cooperative
test with the NSF to transfer some of its global transit services
across the new Sprint backbone.  The test builds on Sprint's existing
role as the international connections manager for the NSFNet, through
which it already carries most of NSFNet's international traffic.

    As the international connections manager for the NSFNet, Sprint
has the most comprehensive global routing tables of any service
provider -- the "road maps" of the information highway.  To further
enhance the network's ability to route information, Sprint will
replace existing routers with Cisco 7000 routers, one of the
industry's highest performing models.

     Sprint also is embedding Silicon Graphics' Indigo(R) workstations
within its network hubs to manage "domain name" service.  These
powerful systems maintain the extensive and ever-changing list of
"domains" -- user groups or networks -- on the Internet and their
corresponding addresses, from regional research networks to public
electronic messaging service providers.

     Sprint has developed a "flat" network architecture -- a
streamlined design that sends information through fewer levels of
equipment, permitting higher speeds, less chance of failure and the
smooth transition to future services, including Asynchronous Transfer
Mode.  In 1994, high-bandwidth customers will be able to connect to
SprintLink using Sprint's ATM service through any of Sprint's more
than 300 network points of presence in the United States.

     ATM currently allows data transmission at 45 megabits per second
 -- fast enough to send a 400-page book across the country in one
second.

    "The tremendous growth of users on the Internet is fueling the
demand for higher-speed, easily upgradable commercial services," said
Don Teague, general manager for Sprint's Government Systems Division,
which manages the company's business with the federal government.
"This upgrade takes our network service to the next technological
plane -- those high-bandwidth services required to support the
research and scientific community, as well as a growing number of
commercial users engaged in electronic commerce and other leading-edge
information technologies."

     Sprint is a diversified international telecommunications company
with more than $10 billion in annual revenues and the United States'
only nationwide all-digital, fiber-optic network.  Its divisions
provide global long distance voice, data and video products and
services, local telephone services to more than six million subscriber
lines in 19 states, and cellular operations that serve 42 metropolitan
markets and more than 50 rural service areas.
    
    
      Silicon Graphics and Indigo are registered trademarks of 
      Silicon Graphics Inc.

------------------------------

From: ao944@yfn.ysu.edu (Jack Decker)
Subject: Finally Got REAL Phone Service
Date: 18 Nov 1993 06:31:36 GMT
Organization: Youngstown State/Youngstown Free-Net
Reply-To: ao944@yfn.ysu.edu (Jack Decker)


It has been almost a year since I moved into GTE land, and some of you
may recall that when I got my phone service, it was provided via some
obsolete (no longer manufactured) subscriber carrier equipment that
has given me all sorts of problems over the past year (on no less than
five occasions, it has gone out completely).  At one point (after I
complained to the Michigan Public Service Commission) GTE even gave me
a credit ($25 plus the equivalent of three days' service) on my phone
bill in compensation for the problems I had experienced.

Well, today they cut me onto the new system.  It's a remote unit
located probably a mile and a half away from me.  The cable between
there and the downtown central office is fiber, and between the new
unit and my home is all new underground cable, replacing aerial cable
that is being taken out of service.

After the cutover I noticed several things immediately:

1) My on-hook line voltage increased from ~15 volts to ~44 volts DC.
Also, the tip/ring polarity reversed from what it had been when I was
on the carrier.

2) So far I am getting considerably less noise and garbage on my modem
calls.

3) On voice calls, the difference is amazing!  I was actually starting
to think that I was getting hard of hearing because I had trouble
hearing people on the phone.  Suddenly, voices on the other end seem
MUCH louder and clearer.  This is also appparent with the volume of
dial tone.  My modem is set to let me hear it dial and connect, and
now when it first seizes the line the dial tone will about knock you
out of your chair compared to what it used to be.  And my mother used
to complain about not being able to hear me on the phone; I called her
tonight and she says I am much louder on her end, too.

4) I think the phone ring cadence is SLIGHTLY different ... maybe it's
my imagination, but to me it sounds like the rings are slightly
shorter (like maybe a quarter of a second or half a second shorter).
I will add that I'm probably really pushing the limit on Ringer
Equivalence Numbers on my line, but both the old and new systems seem
to be able to handle that equally well.

5) CPC now works ... before, if the CO dropped current for a moment, I
would hear a couple of faint clicks, but the voltage on my line would
remain constant.  Now, when the CO drops current, my line goes stone
cold dead for that fraction of a second.

6) And finally, the new unit still will not accept dial pulses at 20
pps.  When I mentioned this originally, I was told that this was a
design limitation of the GTD-5 switch in my central office ... that 20
pps was NOT considered a standard dialing speed, and even though some
AT&T and other switches may support it, the designers of the GTE
switches didn't feel they should.  Now, what I do not know is whether
the new remote unit (the crew out here keeps referring to it as a MUX)
actually provides dial tone itself, or simply relays dial tone from
the CO downtown.  I had sort of hoped that it would provide its own
dial tone, and would therefore support 20 pulses per second, but no
such luck.  I'd still like to know where the dial tone is really
coming from.  I did retain my same phone number, if that's any clue.

All in all I'm quite pleased so far, especially with the far better
voice quality and volume.  I think it will also make my service FAR
more reliable than it has been, assuming of course that some idiot
doesn't dig up the new fiber cable and cut it.

As for the carrier box that was hanging on the utility pole out front,
it's still there.  I think they intend to collect them all at once.  I
suggested to the guys that they could take it down and back their
truck over it a few times, but the said it would probably be reused
elsewhere.  I definitely pity whoever gets stuck with that thing next! :-)


Jack

------------------------------

Subject: Research Assistant - High Speed Wireless Networking Research
From: evans@hamming.uucp (Joseph B. Evans)
Date: 17 Nov 93 17:14:16 CDT
Organization: Elec. Eng. & Comp. Sci., Univ. of Kansas


                 Graduate Research Assistant (GRA)
                              for
              High Speed Wireless Networking Research

                       University of Kansas
       Department of Electrical Engineering and Computer Science
      Telecommunications and Information Sciences Laboratory (TISL) 
                        Lawrence, Kansas

TISL is looking for qualified, creative individuals with a desire to
pursue graduate research and education in high speed wireless link and
networking technologies. The position requires an undergraduate or MS
degree in EE, ECE, or CS with credentials for admission to the
University of Kansas Graduate School.  Good communication skills,
strong self-motivation, and the ability to work as part of a team are
required.  A background in communications systems and/or networking is
desired.  The individual will join a team of faculty and students
pursuing sponsored research in high speed wireless communications
networks and in the hardware and software development of a prototype
high speed wireless Asynchronous Transfer Mode (ATM) system.

This position is an opportunity to develop the telecommunications
technology of the future.  TISL has state-of-the-art communications
and computing facilities.  We are a founding member of the MAGIC
gigabit testbed and have experiential ATM and long distance SONET
facilities.  Within TISL, faculty and students address challenging
research issues in various aspects of telecommunications, ranging from
high speed networks to wireless communications systems and advanced
spread spectrum techniques.  The interaction between the laboratory
and the other EECS faculty contribute to the stimulating intellectual
environment.

The University of Kansas is located in Lawrence, a city of about
75,000 people, which is situated in the rolling hills of eastern
Kansas, about an hour's drive from Kansas City.  The city of Lawrence
has a long history and retains may interesting reminders of its
colorful past.  The community has 1,257 acres of public parks, indoor
and outdoor community swimming pools, an arts center, an historical
museum, and an active community education and recreation program.

Interested applicants should submit two copies of both a resume and
cover letter requesting application forms to:

Dr. Victor S. Frost
Professor of Electrical and Computer Engineering
Director, Telecommunications and Information Sciences Laboratory 
University of Kansas
2291 Irving Hill Road
Lawrence, KS 66045-6929
Phone: (913) 864-4833
FAX: (913) 864-7789
e-mail: frost@eecs.ukans.edu

------------------------------

Date: Wed, 17 Nov 93 15:11:17 EST
From: Dennis G. Rears <drears@Pica.Army.Mil>
Subject:  Announcement of New Moderator


    I will relinquish Moderator duties of the Computer Privacy Digest
in a couple of weeks. Prof. L. P. Levine <levine@blatz.cs.uwm.edu>
will take over as the new Moderator of the Computer Privacy Digest
(comp.society.privacy) sometime in the next few weeks.  Currently we
are working on the transition.  A message will go out shortly on the
new addresses.

  The primary reason I am leaving the group is time.  In the last few
months I have not had the time to adequately perform the duties of
being a Moderator.

  I would like to thank all the people who have contributed to the
Digest and those people who have provided me with pointers on making
the Digest better.  I have for the most part enjoyed moderating the
group.  I will miss the off-line discussions I have had with many of
you.

  The CPD had it origins in the telecom-privacy mail list which I set
up in August of 1990.  Telecom-priv started out to address concerns of
Caller Id.  It was an outgrowth of a discussion that was started on
the TELECOM Digest.  The telecom privacy mail list was merged into the
Computer Privacy Digest on 27 April 1992.  According to the October
USENET readership report comp.society.privacy is read by about 44,000
people, 73% of USENET sites receive this and is ranked at 683.  I have
about 500 subscribers/exploder lists.  I think we have come a long way
since the first issue was published in April 1992.

  I wish Professor Levine good luck in his new role.  I plan to assume
a role as Official Lurker.


   Dennis G. Rears
MILNET:   drears@pica.army.mil     UUCP:  ...!uunet!cor5.pica.army.mil!drears
INTERNET: drears@pilot.njin.net    USPS:  Box 210, Wharton, NJ 07885
Phone(home): 201.927.8757    Phone(work): 201.724.2683/(DSN) 880.2683
USPS:        SMCAR-FSS-E, Bldg 94, Picatinny Ars, NJ 07806


[Moderator's Note: I'm sure all telecom readers join me in thanking you
for your splendid service over the past three years. Best wishes to you
in your future endeavors and to your successor as Moderator.   PAT]

------------------------------

End of TELECOM Digest V13 #766
******************************



******************************************************************************

