|
Telecomm Security (by Howard Fuhs)
NOTICE: TO ALL CONCERNED Certain text files and messages contained on this site deal with activities and devices which would be in violation of various Federal, State, and local laws if actually carried out or constructed. The webmasters of this site do not advocate the breaking of any law. Our text files and message bases are for informational purposes only. We recommend that you contact your local law enforcement officials before undertaking any project based upon any information obtained from this or any other web site. We do not guarantee that any of the information contained on this system is correct, workable, or factual. We are not responsible for, nor do we assume any liability for, damages resulting from the use of any information on this site.
From <@uga.cc.uga.edu:[email protected]> Sun Dec 11 20:30:07 1994
Return-Path: <<@uga.cc.uga.edu:[email protected]>>
Received: from uga.cc.uga.edu by mail.netcom.com (8.6.9/Netcom)
id UAA29382; Sun, 11 Dec 1994 20:29:24 -0800
Received: from UGA.CC.UGA.EDU by uga.cc.uga.edu (IBM VM SMTP V2R2)
with BSMTP id 3345; Sun, 11 Dec 94 23:24:55 EST
Received: from UGA.CC.UGA.EDU (NJE origin LISTSERV@UGA) by UGA.CC.UGA.EDU (LMail V1.2a/1.8a) with BSid 8481; Sun, 11 Dec 1994 23:24:37 -0500
Received: from NIU.BITNET by VMD.CSO.UIUC.EDU (LISTSERV release 1.8a) with NJE
id 0387 for [email protected]; Sun, 11 Dec 1994 22:22:52 -0600
Date: Sun, 11 Dec 94 22:17 CST
To: cudigest%[email protected]
From: Cu Digest ([email protected]) <TK0JUT2%[email protected]>
Subject: Cu Digest, #6.104
Message-ID: <CUDIGEST%[email protected]>
Sender: [email protected]
Status: O
Computer underground Digest Sun Dec 11, 1994 Volume 6 : Issue 104
ISSN 1004-042X
Editors: Jim Thomas and Gordon Meyer ([email protected])
Archivist: Brendan Kehoe
Retiring Shadow Archivist: Stanton McCandlish
Shadow-Archivists: Dan Carosone / Paul Southworth
Ralph Sims / Jyrki Kuoppala
Ian Dickinson
Copy Reader: Laslo Toth
CONTENTS, #6.104 (Sun, Dec 11, 1994)
File 1-- Telecomm Security (by Howard Fuhs)
File 2-- Cu Digest Header Information (unchanged since 25 Nov 1994)
CuD ADMINISTRATIVE, EDITORIAL, AND SUBSCRIPTION INFORMATION APPEARS IN
THE CONCLUDING FILE AT THE END OF EACH ISSUE.
----------------------------------------------------------------------
Date: Tue, 22 Nov 94 03:01:00 UTC
From: [email protected]
Subject: File 1--Telecomm Security (by Howard Fuhs)
Telecommunication Security
Copyright (C) 7/1994 by Howard Fuhs
Howard Fuhs Elektronik
Rheingaustr. 152
65203 Wiesbaden - Biebrich
Germany
Tel: +49 611 67713
D2: +49 172 6164336
Fax: +49 611 603789
CompuServe: 100120,503
Internet: 100120.503@compuserve.com
The material presented is implicitly copyrighted under various national and
international laws and is for information purposes only.
Information in this document is subject to change without notice and does
not represent a commitment on the part of Howard Fuhs Elektronik.
Free public distribution is permitted with the following conditions:
1) No editing of any kind is permitted!
2) Distribute the entire document, as is, or do not distribute at all!
3) No fee of any kind may be charged for such copying. "Media and
other Service Charges", such as those charged by user
groups and commercial entities, are not allowed!
4) It's source and co-operative nature should be duly referenced.
No part of this publication may be published by Magazines, Journals or any
other professional non-profit or profit organization in
any form, without prior written permission from Howard Fuhs.
1. Abstract
2. The Underground
2.1 The Technical Equipment
2.1.1 Red Box, Blue Box and other boxes
2.1.2 War Dialer
2.1.3 Modem
2.1.4 Legal Tone Dialer
2.1.5 Lock Picks
2.1.6 Scanner
3. Potential Targets
3.1 Dial-In Lines with Modem
3.1.1 Countermessures
3.2 Toll Free Numbers
3.2.1 Toll Free Number for Marketing Purposes
3.2.2 Toll Free Numbers with Dial Out Lines
3.3 Voice Mailbox Systems
3.4 Wireless Phones
3.5 Pager Systems
3.6 Shoulder Surfing
3.7 Answering Machines
4. How/where do they get their Informations?
4.1 Social Engineering
4.2 Trashing
4.3 Underground Publications
4.4 World-wide Computer Networks
4.5 Internal Computer Networks of Telecom Companies
5. Conclusions
1. ABSTRACT
-----------
Everybody is discussing Data Security, Computer Security and Anti-Virus
Measures to make certain that systems and data remain clean and safe.
Companies spend considerable amounts of money and time on data security
experts, fail-safe plans, security hardware and software but often forget a
major leak in their security plans: Telecommunication Security.
Many companies argue that the local telecom company is responsible for
telecom security, and at first sight they are right. But the problem of
telecom security is more complex than even the telecom companies will
admit. Especially government operated telecom companies have a tendency to
take telecom security somewhat lightly, and it can happen that they won't
believe you even if you can demonstrate the weaknesses of their systems
(this actually did happen in Germany). Their official statement is always:
"Our system is secure and not vulnerable".
If the lines and switching systems are vulnerable, it is the responsibility
of the telecom company to correct this. The average telecom customer has
little or no influence on this level of security, but what about telephone
equipment owned and operated by other companies? This type of equipment is
also vulnerable, in many cases more vulnerable than telecom lines and
switching systems. In this case it is the responsibility of the company
owning the equipment to prevent misuse of the installed system or network.
Most companies do not even know that their telecom equipment is vulnerable.
To close that security gap it is necessary to know which techniques to use
and whom to deal with.
2. THE UNDERGROUND
------------------
People who try to break the security of telecom systems call themselves
"phreaks" or "phreakers". Phreaks are usually technically very
knowledgeable about telephone systems, and their main intention is to make
calls around the world free of charge. Whether an individual, the
telephone company or some other company has to pay for their abuse does not
concern them.
Phone phreaks often look for companies operating dial-in lines with modems,
toll free numbers or voice mailbox systems, because they assume that the
telephone bill of a company of this character is so high that the abuse of
the system will not be detected because of a slightly increased bill.
Often phreaks are organised in loose groups and most of them are trading
their secrets over computer networks to other interested phreaks. This
means that if someone discovers a new and interesting or challenging
telephone number, information about it is often spread all over Europe
within 24 hours.
The consequence of dissemination of this type of information is that an
increasing number of phreaks will try to abuse the published telephone
number or telephone system. If the misuse is only detectable through an
increasing telephone bill, it may go undetected for several months in the
worst cases, depending on the frequency of invoicing used by the utility
supplier.
2.1 THE TECHNICAL EQUIPMENT
---------------------------
The computer underground, in that case better known as the phreakers, uses
a wide variety of electronic gadgets, gizmos and devices to abuse telecom
equipment and lines, to manipulate switching systems and to break through
digital firewalls. Knowledge of these devices is very important for company
security staff because they must know what to look for.
2.1.1 RED BOX, BLUE BOX, WHITE BOX AND OTHER BOXES
--------------------------------------------------
All these colourfully named boxes are devices designed to cheat telecom
equipment. Most of them are (sometimes modified) tone diallers or self-made
electronic devices, all having several functions. To provide free calls
from public phone booths one of the types is able to emulate the insertion
of a coin (works only in the USA), another box can emulate the audible
code-signals used to communicate between switching systems or to switch the
telephone line into special modes (which differ from system to system) for
maintenance staff, who normally has more privileges in a telecom switching
system than ordinary users. Boxes are also available to send a false caller
ID to telecom equipment used to display the telephone number of the caller.
Also most private telecom equipment may be programmed by means of such a
tone-dialler or box. The consequence is that a phreaker is able to alter
the program and thus work mode of telecom equipment in a company from a
remote location.
All these types of boxes are described in underground publications, and
they are relatively easy to build or to modify.
A serious legal problem in connection with these boxes is that their use is
not traceable under normal circumstances. The phreaker is over 98% sure not
to get caught. Even if he should get caught it is hard to produce legal
evidence proving his abuse of telecom lines and equipment. In most cases
an expert is needed to identify a suspicious device as being in fact a box
intended to misuse telecom lines. Possession of such devices is only
illegal in a few countries (USA, Canada).
2.1.2 WAR DIALLER
-----------------
A war dialler is a computer program used to automatically dial all
telephone numbers within a range defined by the phreaker using it. While
doing this the war dialler produces a log file listing for each individual
number who or what picked up the phone (modem, human, busy, fax, not in
use, etc.). Log files of this type, listing interesting free-call numbers,
are regularly posted on some computer networks and thus made publicly
available. List keepers in nearly every country with toll free numbers
update this type of log file at least on a monthly basis.
In some countries (e.g. the USA) war diallers are illegal. In one case
innocent-looking software was used to hide a war dialler. A
password was simply needed to invoke the hidden function of the war dialler,
and everybody who had seen the movie "War games" knew the password (the
name of Prof. Falken's son).
2.1.3 MODEM
-----------
A modem is a widespread hardware device and not primarily intended to be used
for something illegal. In most cases, however, a modem may be used to
war-dial numbers without a special war-dial program, and without technical
alterations it can also emulate tones, which can be used to cheat switching
systems. A modem is also necessary to hack computer systems etc.
2.1.4 LEGAL TONE DIALLER
------------------------
A legal tone dialler is a small device, which is usually delivered together
with an answering machine for remote control. It looks like a small pocket
calculator and has the capability to store a lot of phone numbers together
with the names and addresses of the people. Even these legal tone diallers
are able to cheat a telephone system.
For a long period of time it was possible in Germany to make phone calls from a
public pay phone without paying for the call. You
just lifted the handset and dialled the number using the tone dial device, and
you got your connection. The weakness of that pay
phone system was that a coin needed to be inserted in order to enable the
keypad of the pay phone. Thus, when you did not need the keypad to dial the
number, no coin was needed and the security system was circumvented in a
very easy manner...
Completely legal tone dial devices can be altered to produce the tones
needed to cheat the switching system. A Radio Shack dialler was alterable
in such a way, for instance. The only thing needed was to replace a crystal
used to define the tone frequencies and it was possible to transmit the
tones needed for communication between two switching sites.
2.1.5 LOCK PICKS
----------------
"What do lock picks have to do with telecom misuse?", you will ask. A lot, as
will be demonstrated! It is very interesting to see
that a lot of phreakers (especially in America) are skilled lock pickers.
Even telecom companies are getting wise and have begun to lock up all kinds
of telecom cable boxes and small switching stations situated in public
areas and not under constant surveillance.
However, our enterprising phreaker occasionally needs access to this type
of installation, and if he were to use a device that damages the lock,
everybody would know at first sight that someone broke into the
installation. Destroying the lock also means making noise, which could
attract curious bystanders or even (worst case for the phreaker) the
police. A lock picking set is not going to ruin your budget. It takes a lot
of practice to use, and it opens nearly every cheap and/or simply designed
lock.
For organisations and companies it is mandatory to choose the best locks
available, even if they are more expensive than simple ones. It only takes
a few design changes to make a lock unpickable. This forces the phreaker to
destroy the lock (thereby making the violation evident) or to give up. For
advice or support contact a security expert or a professional locksmith.
Once the phreaker has gained physical access to the installation he is able to
install any kind of cheating device, call diverters, remote switches or
even a wiretapping device or small transmitter.
Owning lock picks is not illegal, but using lock picks to gain unauthorised
access of course is.
2.1.6 SCANNER
-------------
Radio scanners are mainly used to find and listen to different frequencies
in use. A modern scanner not larger than a pack of cigarettes can cover a
frequency range from a few kHz up to 5 GHz. Scanners can be used to find
the working frequencies of cordless phones or to listen to wiretapping
devices. Many journalists are equipped with scanners to check the
frequencies of police and fire departments.
According to an EU regulation, the ownership of a scanner is legal. The
usage of scanners is regulated in laws which differ from country to
country. It is nearly impossible to prove the misuse of a scanner in court.
3. POTENTIAL TARGETS
--------------------
In this paragraph it is explained what can happen to telecom equipment and
telecom lines and how to avoid this misuse of important and expensive
company resources.
To prevent phreaking it is mandatory to know what constitute the main
targets for phreaks, which techniques they use to sneak around security
barriers and which security holes they use. To prevent this article from
becoming a "Phreaker's Tutorial" the techniques used will only be described
generally. This is no "technical in depth" article. Some technical facts
and standards differ from country to country. This is not the case with the
Euro-ISDN standard and GSM. If there is an urgent need for technical
support or advice against phreakers it is strongly recommend to contact
security experts in the field of data and telecom security.
3.1 DIAL IN LINES WITH MODEM
----------------------------
If a phreaker locates a dial-in telephone line with a modem, he will
probably switch himself into hacker mode and attempt to hack it, trying to
gain access to the company computer system. If he is not a skilled hacker
he will trade his new-found information to a person with more knowledge.
If he successfully hacks the computer system, he is often able to alter,
copy or delete data, read confidential files, read private E-Mail, spread
vira or even shut down the whole system. He will usually look for
passwords, network connections or gateways to networks like the Internet or
other world-wide networks and E-Mail services. If there are any gateways to
other networks, he will start using them and thus increase the usage costs
for the particular network. It is very likely that the hacker/phreaker
will use all features of the company computers, networks and gateways to
international networks. The simple reason is that he does not have to pay
for the use.
Even though it may be evident that a hacker/phreaker has gained access to
the corporate computer-network via a telephone line it is very difficult to
find that person. In cases like this it is necessary to work together with
the local police and the telephone company. The person in charge of the
co-operation between your company and the local authorities should be your
data security specialist. If there is no person in your company that is
able to cope with a problem of this type, it is strongly recommended to get
advice from a professional data security expert. He knows what to do and
has the necessary connections to police and telecom companies.
The telephone company has the technical equipment and can obtain permission
to trace a telephone call, and line tracing is the most successful method
to detect an intruder. Furthermore, it produces valuable evidence that can
be presented in court. If it is necessary to install a wiretapping device
this must be done by police after obtaining a warrant.
For a company to take this type of action itself, would in most cases be a
violation of the law and thus very risky business. Even if the company is
able to detect the phreaker, it would not be able to present the evidence
in court, and there would be no possibility to sue the illegal intruder.
3.1.1 COUNTERMEASURES
---------------------
First step to prevent this type of damage is to close the security gap,
e.g. by means of a password program. This must ask for the name of the
user and for a password. The password should have a minimum length of six
characters and all ASCII and/or ANSI characters should be allowed. The
program should also look for forbidden passwords like "abcde" or "qwertz".
After three attempt to gain access using an invalid user name or password
the program must inform the system administrator automatically. If the user
name is valid but the password not, the password program must cancel all
access rights for the user who is trying to gain access with an invalid
password. All users should be educated about how to choose a secure
password or how to build up his own private password selection scheme. A
personal mnemonic scheme like that is very helpful, because it serves to
prevent stupid and easy-to-guess passwords and valid passwords from being
written on Post-It papers stuck to the monitor. A password generator can
also be helpful. This type of program generates random passwords, which are
difficult to guess or hack (or remember).
Next step would be to use a call-back device (integrated in many advanced
modems). It functions by allowing users to call a particular telephone
number and type a password to the modem, which subsequently hangs up. After
validating the user name and password the computer will call the user,
using a fixed telephone number either stored in modem or computer. The user
again has to type the correct password and is then granted access. For the
method to be secure, at least two different telephone lines must be used in
order to place the call-back on a different line.
Using only one line is not 100% fool-proof. Under these circumstances a
call-back device can be circumvented by a skilled phreaker by reprogamming
the telecom switching system. In modern digital switching systems it is
possible to use the extended services to program a call diverter, so that
when a particular telephone number is dialled, the call is in fact
automatically redirected to a different subscriber. Call diverter functions
are integrated in digital switching systems and Euro-ISDN. Many cases are
known, in which a phreaker has used the call diverter functions to fool
call-back devices and redirect calls to his home phone.
One of the most secure ways to prevent intrusion is a hardware security
protocol for caller authentication and log-in procedure. This modem access
control and security hardware is installed in front of the host modem.
Callers needs a hardware key, e.g. a dongle, a chip card or a PCMCIA Card
installed in his computer in order to gain access to the host computer.
This type of modem access control system first verifies the presence and
authenticity of the hardware key. Only after successful completion of this
procedure is the user asked for his personal password. The described modem
access control system is also available for network access control to
verify local users during their log-in procedure to a network.
To prevent theft of information because of wiretapping of telephone lines
used for data communication, a good modem access security and control
system should be able to scramble and encrypt the transmitted data. This
kind of encryption is most often performed by an onboard chip and not by
software running on the computer system, although both types are known.
This can be a factor of importance, because software en/decryption slows
down a computer system as the number of dial-in lines is increased.
It is recommended to use all the above described techniques in combination
to prevent illegal intrusion by a phreaker/hacker.
3.2 TOLL FREE NUMBERS
---------------------
Toll free numbers are a very attractive target for phreakers, because it
costs nothing to call a number like that, incoming calls being paid for by
the company operating the toll free number.
It doesn't even cost anything to scan all available toll free numbers to
find out who or what picks up the phone. So it is easy to find out which
numbers are connected to fax machines, modems, are not in use, are used in
voice mailbox systems, etc.
To perform the scanning, the phreaker needs about one night and a "war
dialler" scanning program as described above.
Toll free numbers can normally be divided into a few groups with different
purposes.
3.2.1 TOLL FREE NUMBER FOR MARKETING PURPOSES
---------------------------------------------
This type of number is normally connected to a play-back device, which plays a
promotion text when called. These numbers are often
promoted in big advertisements in newsletters and journals and normally
only available for a couple of weeks.
It would be totally wrong to assume a number like that to be without risk.
The following incident happened during a large German electronics and
computer exhibition:
A leading software company advertised a toll-free number to call for
information about the computer virus problem. Each caller heard a tape with
information denouncing ownership and distribution of illegal copies of
software, emphasising the risk of catching a computer virus. The
advertisements were placed in journals normally read by business people and
not by phreakers.
After the number had been propagated by a phreaker through
computer-networks like the FIDO net, more and more people started to call
it with a war-dialler. The result was a rapidly increasing telephone bill
for the company, because when the war-diallers called the number, the phone
was picked up by the play-back device and the telecom company added one
more call to the bill. The war-diallers hung up the phone a few seconds
later and started to dial the same number again. This unexpected massive
cost overrun forced the software company to shut down the line after a very
short period of time.
In a case such as this nothing can be done to prevent that kind of misuse.
3.2.2 TOLL FREE NUMBER WITH DIAL OUT LINES
------------------------------------------
A toll-free number with dial-out lines will attract phreakers like honey a
brown bear. These systems are mainly used to limit expenses in companies,
whose employees travel extensively. They make it possible for the employees
to reach their company free of charge (the company pays for the call), and
they can place (often world wide) calls by means of the dial-out function
of the toll-free number. These calls are debited the company. Phreakers use
the system the same way the employees do. They route all their calls
through a toll-free system with dial-out lines, because this costs the
phreaker nothing. The company thus targeted has to pay the expenses.
Two things can be done to prevent misuse of this type of system.
First of all it is mandatory to keep the toll free number with all its
functions secret. Regular users should be informed on a need-to-know basis.
They also should be told to keep the number secret. Keeping the number
secret, however, does not mean that it will not be detected by phreakers.
Bear in mind that it costs a phreaker nothing to scan for toll-free numbers
on a regular base (eg. each month).
The second thing to do is to secure the system with individual access
codes, which must be entered through the telephone key-pad. The length of
this individual access code must be minimum 6 digits. Currently, most
toll-free systems with dial out lines are not protected by access codes.
Most companies rely on no strangers calling the toll-free number and
attempting to invoke hidden functions by trial and error. This is a false
sense of security. All phreakers try out things like this, because it costs
them no money to mess around with the system for as long as they want. In
principle they have all the time they want to look for hidden functions.
Most of the functions like dial-out lines are invoked by pressing one
single digit on the key-pad. A few systems use two digits. This despite the
fact that it will only take a phreaker a few minutes to discover how to
(mis)use a toll-free system. In the worst of cases the toll-free system
even features a voice menu telling callers which options are available in
the system. In this case it is not even necessarty to use trial and error.
If it is suspected that a phreaker misuses a toll-free system with dial-out
lines it is best to contact the police and take legal action. The police in
co-operation with the telecom company possesses the technical and legal
means to trace the phreaker.
3.3 VOICE MAILBOX SYSTEMS
--------------------------
For the past few years the use of voice mailbox systems in Europe has been
increasing. Voice mailbox systems must be divided into two different types:
Toll-free voice mailbox systems used by many types of companies, and voice
mailbox systems from companies providing party lines, dating lines and
other, mostly expensive, services. Normally a phreaker will primarily
select the toll-free voice mailbox system. If no toll-free voice mailbox
is available he probably has the knowledge and the technical capability to
call a voice mailbox of a service provider in an illegal toll-free way.
The problem, however, is not which voice mailbox system he will call, but
how he will use it.
To understand how to misuse a voice mailbox system, the basic system use
must be understood. A voice mailbox is like a house. When you enter the
house your host welcomes you. The host in this case is a voice menu
explaining all the functions of the system. To choose one of these
functions you just have to press the corresponding button of the key-pad.
Having made a selection you will leave the entrance and enter a "room".
Each room is dedicated to a special topic. Topics can be live discussions
with as many people as are in the room, public message areas, private
message areas, playing a game, etc. A large voice mailbox system can have
more than 100 different "rooms". If the number is not toll free, the
phreaker uses techniques to call the voice mailbox system free of charge
anyway.
If the voice mailbox is interesting, easy to hack and fits his needs, the
phreaker has a lot of uses for such a system. It has been evidenced by
court trials that phreakers use voice mailbox systems as their
"headquarters", to meet, to discuss, to have conferences with up to 20
persons participating at the same time, to leave messages to other
phreakers or to deposit and share knowledge. They waste system resources
without paying for it. In some cases all dial-in lines were busy, so no
paying customer was able to connect to the system.
It is also interesting to see how the phreakers used system resources. As
mentioned above, a voice mailbox is like a house, a house with easy-to-pick
or no locks in the doors. The business of the service provider requires the
voice mailbox to be easy to use without big security installations. The
voice mailbox must be an open house for everybody, and that makes it easy
for the phreaker.
First a phreaker will look for hidden functions in the voice mailbox.
Hidden functions are normally used to reprogram the voice mailbox from a
remote location. Commonly, hidden functions are available to increase the
security level of certain rooms and for creating new rooms with new
possibilities and features. With knowledge of the hidden functions of a
system, the phreaker can create new rooms for meetings with other
phreakers, and he is able to raise the security level of such rooms so that
only insiders can gain access. Increasing the security level means
assigning an access code to a room. Without knowledge of the access code
the room cannot be entered. Thus, he is able to create a voice mailbox
inside the voice mailbox for a closed user group, "Entrance for phreakers
only".
This voice mailbox for phreakers can be used to post calling card numbers,
private messages for other phreakers, the newest access codes for other
voice mailbox systems, the newest tricks on how to cheat the telephone
system, etc.
All owners of voice mailbox systems can do is to watch the traffic inside
his system and look for changes such new rooms suddenly appearing. From a
pratical point of view it is very difficult to increase the security of a
voice mailbox without causing problems for paying users. In case of misuse
it is necessary to co-operate with a security expert and the local
authorities to limit financial losses.
3.4 CORDLESS PHONES
-------------------
It is very easy today to set up a complete telephone system in a small
company, using only cordless telephones and that is one of the reasons for
the sales of cordless phones rapidly increasing throughout Europe. However,
only a few people know how dangerous it can be to use a cordless phone,
especially for company purposes. This type of wireless phones can be
divided into two groups. The first group employs a transmission frequency
around 48 MHz and is mainly used in the USA. It can be used legally in some
European countries as well. The second group employs a frequency in the
870 - 940 MHz range. This type is mainly used in European countries.
The first major problem with wireless phones is that anybody with a
suitable scanner can listen in on the conversation. A good scanner needs
less than 30 seconds to find the correct frequency. This is a major
weakness inherent to these systems, which can of course be fatal to a
company. A new standard for European cordless phones (870 - 940 MHz) has
emerged. These phones automatically scramble the transmitted signal between
handset and base station. With this system in place, nobody with a scanner
can stumble over the phone conversation by accident, but this standard
still is not foolproof. The scrambling method employed by the system can
comparatively easily be circumvented by a knowledgeable person with only a
minimum of extra hardware. The American type cordless telephones (48 - 49
MHz) are the most unsecure devices available. They can easily be scanned as
described as mentioned above. There is no signal scrambling standard, and
they do not even check to see the handset and the base station in use match
each other.
Only very few cordless phones allow signal scrambling at all. In most cases
this is just an option, the scrambling device must be bought separately and
this is designed in a very cheap and thoroughly unsecure manner. It is no
problem to circumvent this quality of scrambling with a little hardware.
99% of the American phones are without any scrambling option, they can't be
made more secure, even if the customer wishes to do so.
This cordless phone type opens the door to the possibility of misuse of a
very special character because of a major system design flaw. Handset and
base station are communicating on a fixed frequency between 48 and 49 MHz.
The problem is that a handset works with all base stations set to the same
frequency as the handset. It has become very popular in the USA when making
a call first to switch off the base station and check if there is another
basis station in the area, which can be reached by the handset. In this
case it is very easy to use a base station belonging to someone else. And
this person has to pay for the phone calls made by a stranger in the same
house or area. It has also been seen that handsets were modified in a way
so as to work on different frequencies, thus enabling the owner of the
handset to make phone calls through a number of different base stations in
his area. The usual range of a cordless phone is about 300 meters.
To prevent this kind of misuse the European cordless telephones are working
in a slightly different way. The first difference is that the phone does
not use a single fixed frequency. European phones are using a wide range of
frequencies which are divided into channels. When the handset is picked up,
it first finds out which channels are in use and whichare available. The
first available channel will be used.
The next built-in security is a validation between handset and base
station. Every few seconds the handset is checking, if it is using a base
station having a correct id-number and vice versa. If the handset or the
base station does not receive the correct id-number the connection will be
disconnected immediatly. This feature makes it nearly impossible that a
handset uses two or more different base stations within its range. The
usual range of an European cordless phone is about 300 meters in an area
free of obstructions, and about 50 meters inside buildings.
3.5 PAGER SYSTEMS
-----------------
Pager systems are not directly abuseable, but if the pager in use has a
character display so that it can receive complete messages or telephone
numbers and not just beep, the messages are subject to easy interception by
a person with the necessary knowledge and hardware. Telephone numbers have
been known to be intercepted by "prankster", who later called the numbers
and was rude to whoever answered. This has happend in the USA, but no
European cases are known to the author. Nothing can be done to prevent
this kind of misuse.
3.6 SHOULDER SURFING
--------------------
A phreaker is mainly interested in making telephone calls without having to
pay, and in our modern world of plastic money it is very easy for skilled
people to accomplish this. To achieve his goal, a phreak is always looking
for Calling Card Codes. Major international telephone companies (like AT&T,
MCI, SPRINT and also the German TELEKOM) are issuing calling cards to
interested customers. Just dial the service number of the telecom company
and give them your credit card number and you will get your calling card.
Using a calling card is very easy. Dial the toll-free number specified by
the calling card company and the operator will ask you for your calling
card number and the phone number you wish to call. In some cases there is
an automatic operator and the calling card number must be entered using the
key-pad or tone dialler. After verification of the calling card number
(similar to a credit card number) you will get connected immediately.
If a card holder uses his calling card from a public phone all the phreaker
has to do is spotting the number on the card, watching the number being
entered on the key-pad or simply listening, if the number has to be told to
an operator.
Holders of calling cards should protect these the same way he protects
credit cards. If the calling card number is spread about in the
underground, a few thousand Dollars of damage to the holder of the card can
easily be the result.
If the card holder discovers that his calling card number is misused, he
must notify the card issuing company immediately. The calling card number
subsequently becomes invalid and a new calling card is issued to the card
holder. However, until the card company has been notified, the holder is
liable for the damage.
3.7 ANSWERING MACHINES
----------------------
Answering machines are nothing special. We are routinely using them every
day without ever reading the operating manual. This is why we know almost
nothing about a few special features built into most answering machines to
make our lives more comfortable.
One of these features is the remote access function used to check who
called and left a message, or to change the message played back when people
call. Remote access is accomplished by means of a tone dialler and a two or
three digit access code. This fact makes it easy for a stranger to hack the
access number within minutes, gain access to the answering machine and
listen to the recorded messages. The default factory access code setting
for most answering machines is no big secret among phreakers. There is
also a digit sequence for three digit access codes available, which fits
99% of the needs. This sequence was made by a tiny little Turbo Pascal
program, and both were published over computer networks.
For a couple of reasons it rarely ever happens that a phreaker tries to
hack an answering machine. Firstly, it costs him money, because normally
no private person owns a toll free number. Secondly, in 99% of the cases
there are no big secrets to find on an answering machine. So, it's a waste
of time for the phreaker.
Another built-in feature of a modern answering machine is a monitoring
option. This option is normally protected by a two or three digit code and
allows a caller to listen to the room in which the answering machine is
installed. This is a useful option for parents, who are away from home and
want to learn what the children are doing (sleeping or partying), and it is
a very useful option for a curious phreaker, who wishes to invade the
privacy of people's homes. The problem gets even bigger when the answering
machine is installed in a company office. In that case it is possible for
the phreaker to obtain vital and confidential information about the company
and its future plans.
The only way to prevent misuse of these options and features is to buy an
answering device without them.
4. HOW / WHERE DO THEY GET THEIR INFORMATION?
---------------------------------------------
People often wonder what makes it possible to a phreaker to get his
knowledge. There is nothing strange to it, however. It is a result of some
tricky research or well-organised public libraries.
Most of the information used by a phreaker is legally and freely accessible
in libraries and book stores. Only in very few cases the phreaker has to
behave like Jim Phelps in "Mission Impossible". The technical standards
from the former telephone system standardising organisation CCITT
constitute a very interesting source of information for a phreaker. They
are available in every good university library and describe international
telecom standards like tone frequencies (used to develop the coloured
boxes). Most telecom companies are also publishing technical journals for
service technicians. These journals are normally available to anybody, who
might wish to subscribe.
4.1 SOCIAL ENGINEERING
----------------------
Some phreakers specialise in getting information through social
engineering. Social engineering means in this case that a phreaker will
phone up a person and pretend to be an employee of the telecom company (or
some other important and well-known company), give an important reason for
his call and subsequently ask for passwords, account numbers, technical
data, specifications or whatever he is after. During his attempt to collect
information the phreaker will appear very polite, trustworthy and adult
even if he is just 16 years old. This type of information pillaging is
done mostly by phone, and they are very often successful.
First rule of telecom security to prevent misuse of social engineering.
Nobody (!) needs your passwords, confidential account details, calling card
numbers or any other type of confidential information. All requests for
confidential information by phone should always be refused.
People from telecom companies are able to identify themselves with special
ID cards, and even these people do not need confidential information. If
they need to test something they have their own service access accounts for
telephone lines and switching systems.
Again. Nobody has to ask for confidential information via telephone even if
he gives very good reasons!
4.2 TRASHING
------------
In the course of court cases against prominent phreakers it has become
evident that they went out to "trash" telecom companies or other targets,
which had their interest. To "trash" in this connections means searching
through trash cans for diskettes with software or papers carrying technical
knowledge for insiders, telephone numbers, passwords, access codes, planned
installations, etc., etc.
The rule here is that no paper carrying information that could be important
to outsiders should be thrown away. A good countermeasure is to install
freely accessible paper shredders (e.g. one on each floor). Furthermore,
the employees should be educated about paper security and advised to use
the paper shredders.
The important rule to apply here, and this particularly goes for old
back-up diskettes and tapes, is: If it is not economical to guard it, it is
economical to destroy it. In other words, any company policy regarding
archiving must contain rules regarding destruction of old archives. Simply
throwing these out is rarely sufficient.
4.3 UNDERGROUND PUBLICATIONS
----------------------------
Some people are publishing more or less regularly issued underground
magazines about phreaking which are also distributed through modem
accessible Bulletin Board Systems as computer files. Every phreaker is
welcome to contribute articles for such an underground magazine. One of the
foremost publications in this category is Phrack, which is so popular that
it has received an ISSN number in the USA and is published on a regular
basis.
4.4 WORLD-WIDE COMPUTER NETWORKS
--------------------------------
There are only a few innovative phreakers in each country. These phreakers
are developing the leading technology of phreaking. Most of them share
their knowledge with other people interested in phreaking via computer
networks and bulletin board systems. It is thus no big problem to find
information about phreaking, which means that malicious information gets
spread rapidly to a large audience.
4.5 INTERNAL COMPUTER NETWORKS OF TELECOM COMPANIES
---------------------------------------------------
If the phreaker is also a skilled hacker he probably knows ways to access
the internal computer network of a telecom company in search for
informations. A famous case in the USA was the stealing and publishing of a
document about the 911 Emergency Service from the computer network of a
telecom company. This case ended in court.
5. CONCLUSIONS
--------------
Telecom equipment is a vital resource for any company, and no company can
permit a stranger to alter or abuse their telecom system. As described in
this article there are many ways to abuse telecommunication equipment, and
to prevent abuse from occurring it is absolutely necessary to check out the
weakness and vulnerability of existing telecom systems. If it is planned to
invest in new telecom equipment, a security plan should be made and the
equipment tested before being bought and installed. Every serious
manufacturer of telecom equipment will assist with answering the question
of telecom security, but it is also recommended to consult a independent
source of information, such as an information security expert.
It is also mandatory to keep in mind that a technique which is discribed as
safe today can be the most unsecure technique in the future. Therefore it
is absolutly important to check the function of a security system once a
year and if necessary update or replace it.
------------------------------
Date: Thu, 23 Oct 1994 22:51:01 CDT
From: CuD Moderators <[email protected]>
Subject: File 2--Cu Digest Header Information (unchanged since 25 Nov 1994)
Cu-Digest is a weekly electronic journal/newsletter. Subscriptions are
available at no cost electronically.
CuD is available as a Usenet newsgroup: comp.society.cu-digest
Or, to subscribe, send a one-line message: SUB CUDIGEST your name
Send it to [email protected] or [email protected]
The editors may be contacted by voice (815-753-0303), fax (815-753-6302)
or U.S. mail at: Jim Thomas, Department of Sociology, NIU, DeKalb, IL
60115, USA.
Issues of CuD can also be found in the Usenet comp.society.cu-digest
news group; on CompuServe in DL0 and DL4 of the IBMBBS SIG, DL1 of
LAWSIG, and DL1 of TELECOM; on GEnie in the PF*NPC RT
libraries and in the VIRUS/SECURITY library; from America Online in
the PC Telecom forum under "computing newsletters;"
On Delphi in the General Discussion database of the Internet SIG;
on RIPCO BBS (312) 528-5020 (and via Ripco on internet);
and on Rune Stone BBS (IIRGWHQ) (203) 832-8441.
CuD is also available via Fidonet File Request from
1:11/70; unlisted nodes and points welcome.
EUROPE: In BELGIUM: Virtual Access BBS: +32-69-844-019 (ringdown)
In ITALY: Bits against the Empire BBS: +39-461-980493
In LUXEMBOURG: ComNet BBS: +352-466893
UNITED STATES: etext.archive.umich.edu (192.131.22.8) in /pub/CuD/
ftp.eff.org (192.88.144.4) in /pub/Publications/CuD/
aql.gatech.edu (128.61.10.53) in /pub/eff/cud/
world.std.com in /src/wuarchive/doc/EFF/Publications/CuD/
uceng.uc.edu in /pub/wuarchive/doc/EFF/Publications/CuD/
wuarchive.wustl.edu in /doc/EFF/Publications/CuD/
EUROPE: nic.funet.fi in pub/doc/cud/ (Finland)
ftp.warwick.ac.uk in pub/cud/ (United Kingdom)
JAPAN: ftp.glocom.ac.jp /mirror/ftp.eff.org/Publications/CuD
ftp://www.rcac.tdi.co.jp/pub/mirror/CuD
The most recent issues of CuD can be obtained from the NIU
Sociology gopher at:
URL: gopher://corn.cso.niu.edu:70/00/acad_dept/col_of_las/dept_soci
COMPUTER UNDERGROUND DIGEST is an open forum dedicated to sharing
information among computerists and to the presentation and debate of
diverse views. CuD material may be reprinted for non-profit as long
as the source is cited. Authors hold a presumptive copyright, and
they should be contacted for reprint permission. It is assumed that
non-personal mail to the moderators may be reprinted unless otherwise
specified. Readers are encouraged to submit reasoned articles
relating to computer culture and communication. Articles are
preferred to short responses. Please avoid quoting previous posts
unless absolutely necessary.
DISCLAIMER: The views represented herein do not necessarily represent
the views of the moderators. Digest contributors assume all
responsibility for ensuring that articles submitted do not
violate copyright protections.
------------------------------
End of Computer Underground Digest #6.104
************************************
|
|
