Computer underground Digest    Sun  Nov 21 1993   Volume 5 : Issue 88
ISSN  1004-042X

Editors: Jim Thomas and Gordon Meyer (TK0JUT2@NIU.BITNET)
Archivist: Brendan Kehoe
Shadow-Archivists: Dan Carosone / Paul Southworth
                   Ralph Sims / Jyrki Kuoppala
                   Ian Dickinson
Copy Editor: Etaoin Shrdlu, III

CONTENTS, #5.88 (Nov 21 1993)
File 1--Michael Elansky ("Ionizer") Sentenced / Saga ends
File 2--Electronic Bill Of Rights and Responsibilities
File 3--Student sues to regain Internet access
File 4--Toll Fraud on French PBXs--Phreaking
File 5--Brendan Kehoe
File 6--Advertise your skills!

Cu-Digest is a weekly electronic journal/newsletter. Subscriptions are available at no cost electronically from tk0jut2@mvs.cso.niu.edu. The editors may be contacted by voice (815-753-0303), fax (815-753-6302) or U.S. mail at: Jim Thomas, Department of Sociology, NIU, DeKalb, IL 60115.

Issues of CuD can also be found in the Usenet comp.society.cu-digest news group; on CompuServe in DL0 and DL4 of the IBMBBS SIG, DL1 of LAWSIG, and DL1 of TELECOM; on GEnie in the PF*NPC RT libraries and in the VIRUS/SECURITY library; from America Online in the PC Telecom forum under "computing newsletters;" On Delphi in the General Discussion database of the Internet SIG; on the PC-EXEC BBS at (414) 789-4210; and on: Rune Stone BBS (IIRG WHQ) (203) 832-8441 NUP:Conspiracy; RIPCO BBS (312) 528-5020
CuD is also available via Fidonet File Request from 1:11/70; unlisted nodes and points welcome.
EUROPE: from the ComNet in LUXEMBOURG BBS (++352) 466893;
In ITALY: Bits against the Empire BBS: +39-461-980493

ANONYMOUS FTP SITES:
  AUSTRALIA: ftp.ee.mu.oz.au (128.250.77.2) in /pub/text/CuD.
  EUROPE: ftp.funet.fi in pub/doc/cud. (Finland)
  UNITED STATES:
    aql.gatech.edu (128.61.10.53) in /pub/eff/cud
    etext.archive.umich.edu (141.211.164.18) in /pub/CuD/cud
    ftp.eff.org (192.88.144.4) in /pub/cud
    halcyon.com (202.135.191.2) in /pub/mirror/cud
    ftp.warwick.ac.uk in pub/cud (United Kingdom)
  KOREA: ftp: cair.kaist.ac.kr in /doc/eff/cud

COMPUTER UNDERGROUND DIGEST is an open forum dedicated to sharing information among computerists and to the presentation and debate of diverse views. CuD material may be reprinted for non-profit as long as the source is cited. Authors hold a presumptive copyright, and they should be contacted for reprint permission. It is assumed that non-personal mail to the moderators may be reprinted unless otherwise specified. Readers are encouraged to submit reasoned articles relating to computer culture and communication. Articles are preferred to short responses. Please avoid quoting previous posts unless absolutely necessary.

DISCLAIMER: The views represented herein do not necessarily represent the views of the moderators. Digest contributors assume all responsibility for ensuring that articles submitted do not violate copyright protections.

----------------------------------------------------------------------

Date: Sun, 21 Nov 1993 14:12:31 EST
From: Sue D'Onym
Subject: File 1--Michael Elansky ("Ionizer") Sentenced / Saga ends

((MODERATORS' NOTE: The Elansky case has ended. Michael Elansky was sentenced to 28 months in prison, which--with "good time" and credit for time served--should make him eligible for release under Connecticut law in about 10 months. The charges relating to First Amendment issues that bothered many of us were not pursued by the prosecution, perhaps in part because of the incisive and accurate reporting by John Moran of the Hartford Courant. Moran's work established him as one of the rare media reporters whose knowledge of computers and related issues gives them considerable credibility.
Thanks to the Connecticut readers who sent over the edited story)).

SOURCE: Hartford Courant (Nov. 20, 1993)
By: John M. Moran, Courant Staff Writer

Michael Elansky's volatile mixture of computers and pyrotechnics backfired Friday when a Superior Court judge sentenced him to 28 months in prison.

Judge Thomas P. Miano said Elansky, a 21-year-old West Hartford resident, remains dangerous because he still hasn't curbed his impulse to dabble in explosives.

"You've got to accept responsibility for what you do, it's that simple," Miano said.

Elansky has been jailed at Hartford Correctional Center since August on charges of illegally maintaining bomb-making instructions on his computer bulletin board. At the time, he also was facing other charges, including conspiracy to commit burglary and two counts of violating his probation. Bail was set at $500,000, which Elansky could not meet.

((The article explains that Elansky pled guilty in October, agreeing to terms that included no more than three years in prison, and that prosecution and defense attorneys have spent the last few weeks debating the final sentence)).

In recent weeks, friends and family testified that Elansky was interested in odd topics, but that he was not dangerous or destructive. Prosecution witnesses, however, painted a far different picture of a man they said repeatedly broke the law while experimenting with explosives.

In reaching his decision, Miano said he was troubled by evidence that Elansky had lied to police, to the court, to his parents and to others.

But Miano also was disturbed at the prospect of sending to prison someone who had the potential to straighten out his life. "I can candidly say... that I have agonized more over this matter than any other matter that I can remember," the judge said.
((The article explains that the judge decided on imprisonment and long probation as necessary for Elansky to "change his ways."))

On both probation violations, Elansky was sentenced to 28 months in prison and probation for five years. Conditions of his probation include the following:

* A ban on Elansky allowing anyone under 18 years old to use his computer bulletin board, which was known as "The Ware House."
* A ban on Elansky, whose computer nickname is the "Ionizer," placing pyrotechnic information or any other harmful information on his bulletin board.
* A requirement that a probation officer have complete freedom to search Elansky's computer system to ensure the requirements have not been violated.
* Evaluation by a mental health counselor.
* 100 hours of community service for each year on probation.

Throughout the sentencing, a pale and thin Elansky stood silently at the defense table. His father, David Elansky, and grandmother, Debra Elansky, sat behind him in the courtroom.

"I know you're not happy with it," Miano told Elansky after the sentence was pronounced. "I know you expected to walk out with your parents. No more."

The conspiracy to commit burglary charges and the charges relating to bomb-making instructions on the computer bulletin board were not pursued.

Elansky will almost certainly get credit for the 3 1/2 months he's already served in jail. In addition, he will be able to apply for parole after he has served half of the prison term.

was surprised and disappointed by the sentencing. "It's not going to make him a better person by keeping him in jail," he said.

Brown, the defense attorney, said he had asked for a lesser sentence, but respected the judge's treatment of the case. "It was obvious to me that the judge certainly spent a great deal of time on this case, which is all a defendant can really ask for," he said.

((The article concludes by summarizing the disappointment that the parents and defense attorney expressed)).
------------------------------

Date: 12 Nov 1993 16:34:28 U
From: "Anne"
Subject: File 2--Electronic Bill Of Rights and Responsibilities

[I'm forwarding this to CuD with the permission of Frank Connolly of The American University. Information on how to contact him is at the end of this document. -abh]

++++++++++++++++++

The following document might be of interest to members of the Computer Underground Digest. Called the Bill of Rights and Responsibilities for Electronic Learners, it is a model policy statement regarding the rights and responsibilities of individuals and institutions regarding computers and electronic networks in education. Although the project was begun as part of EDUCOM, it is now an initiative of the American Association of Higher Education (AAHE).

Your comments and suggestions for gaining consideration and discussion of the Bill on campuses, in school districts and professional forums would be appreciated.

To retrieve the text via ftp do the following:

1. FTP to ftp.american.edu
2. Give your id as . . . . . . anonymous
3. As your password use . . . your email address

Once accepted to the system,

4. Change directories by entering cd au
5. To retrieve the file type get brrec.text

=============== TEXT OF BILL FOLLOWS ===========================

PREAMBLE

In order to protect the rights and recognize the responsibilities of individuals and institutions, we, the members of the educational community, propose this Bill of Rights and Responsibilities for the Electronic Community of Learners. These principles are based on a recognition that the electronic community is a complex subsystem of the educational community founded on the values espoused by that community. As new technology modifies the system and further empowers individuals, new values and responsibilities will change this culture.
As technology assumes an integral role in education and lifelong learning, technological empowerment of individuals and organizations becomes a requirement and right for students, faculty, staff, and institutions, bringing with it new levels of responsibility that individuals and institutions have to themselves and to other members of the educational community.

ARTICLE I: INDIVIDUAL RIGHTS

The original Bill of Rights explicitly recognized that all individuals have certain fundamental rights as members of the national community. In the same way, the citizens of the electronic community of learners have fundamental rights that empower them.

Section 1. A citizen's access to computing and information resources shall not be denied or removed without just cause.

Section 2. The right to access includes the right to appropriate training and tools required to effect access.

Section 3. All citizens shall have the right to be informed about personal information that is being and has been collected about them, and have the right to review and correct that information. Personal information about a citizen shall not be used for other than the expressed purpose of its collection without the explicit permission of that citizen.

Section 4. The constitutional concept of freedom of speech applies to citizens of electronic communities.

Section 5. All citizens of the electronic community of learners have ownership rights over their own intellectual works.

ARTICLE II: INDIVIDUAL RESPONSIBILITIES

Just as certain rights are given to each citizen of the electronic community of learners, each citizen is held accountable for his or her actions. The interplay of rights and responsibilities within each individual and within the community engenders the trust and intellectual freedom that form the heart of our society. This trust and freedom are grounded on each person's developing the skills necessary to be an active and contributing citizen of the electronic community.
These skills include an awareness and knowledge about information technology and the uses of information and an understanding of the roles in the electronic community of learners.

Section 1. It shall be each citizen's personal responsibility to actively pursue needed resources: to recognize when information is needed, and to be able to find, evaluate, and effectively use information.

Section 2. It shall be each citizen's personal responsibility to recognize (attribute) and honor the intellectual property of others.

Section 3. Since the electronic community of learners is based upon the integrity and authenticity of information, it shall be each citizen's personal responsibility to be aware of the potential for and possible effects of manipulating electronic information: to understand the fungible nature of electronic information; and to verify the integrity and authenticity, and assure the security of information that he or she compiles or uses.

Section 4. Each citizen, as a member of the electronic community of learners, is responsible to all other citizens in that community: to respect and value the rights of privacy for all; to recognize and respect the diversity of the population and opinion in the community; to behave ethically; and to comply with legal restrictions regarding the use of information resources.

Section 5. Each citizen, as a member of the electronic community of learners, is responsible to the community as a whole to understand what information technology resources are available, to recognize that the members of the community share them, and to refrain from acts that waste resources or prevent others from using them.

ARTICLE III: RIGHTS OF EDUCATIONAL INSTITUTIONS

Educational institutions have legal standing similar to that of individuals. Our society depends upon educational institutions to educate our citizens and advance the development of knowledge.
However, in order to survive, educational institutions must attract financial and human resources. Therefore, society must grant these institutions the rights to the electronic resources and information necessary to accomplish their goals.

Section 1. The access of an educational institution to computing and information resources shall not be denied or removed without just cause.

Section 2. Educational institutions in the electronic community of learners have ownership rights over the intellectual works they create.

Section 3. Each educational institution has the authority to allocate resources in accordance with its unique institutional mission.

ARTICLE IV: INSTITUTIONAL RESPONSIBILITIES

Just as certain rights are assured to educational institutions in the electronic community of learners, so too each is held accountable for the appropriate exercise of those rights to foster the values of society and to carry out each institution's mission. This interplay of rights and responsibilities within the community fosters the creation and maintenance of an environment wherein trust and intellectual freedom are the foundation for individual and institutional growth and success.

Section 1. The institutional members of the electronic community of learners have a responsibility to provide all members of their community with legally acquired computer resources (hardware, software, networks, data bases, etc.) in all instances where access to or use of the resources is an integral part of active participation in the electronic community of learners.

Section 2. Institutions have a responsibility to develop, implement, and maintain security procedures to insure the integrity of individual and institutional files.

Section 3. The institution shall treat electronically stored information as confidential.
The institution shall treat all personal files as confidential, examining or disclosing the contents only when authorized by the owner of the information, approved by the appropriate institutional official, or required by local, state or federal law.

Section 4. Institutions in the electronic community of learners shall train and support faculty, staff, and students to effectively use information technology. Training includes skills to use the resources, to be aware of the existence of data repositories and techniques for using them, and to understand the ethical and legal uses of the resources.

August, 1993

Frank Connolly          The American University
FRANK@American.EDU      119 Clark Hall
(202) 885-3164          Washington, D.C 20016

------------------------------

Date: Sun, 14 Nov 93 10:51:37 CST
From: peterson@ZGNEWS.LONESTAR.ORG(Bob Peterson)
Subject: File 3--Student sues to regain Internet access

The August 17, 1993 (Volume 5, Issue 62) issue of CuD contained a brief mention of Microsoft's termination of Mr. Gregory Steshenko, apparently due to political statements he made in newsgroups and email.

Today's Dallas Morning News (Nov. 14, 1993: Vol. 145, No. 45) published a front page article, with a jump to an interior page dedicated to the story, describing Gregory Steshenko's encounter with the University of Texas at Dallas over essentially the same issue. Below I quote from the article. I enclosed my summarizations in square brackets. A sidebar on the interior page describes, at a high level, how messages flow in the Internet. (I didn't include anything from that sidebar.)

Free-speech suit focuses on E-mail
Emigre at UTD lost access to network
By Tom Steinert-Threlkeld
Staff Writer of The Dallas Morning News

Gregory N. Steshenko is not sure freedom of expression will survive the digital age in the Western world.
Twice in the last five months, authorities in the United States have pulled the plug on his comments on Ukrainian and Russian politics that he has posted on the Internet, a network of computer networks that spans the globe.

In June, he was fired from Microsoft Corp. after the big supplier of personal computer software fielded dozens of complaints that his messages were offensive and even obscene.

In October, he was disconnected again from the Internet by the University of Texas at Dallas, where he is a graduate student in electrical engineering.

[Note: One of Microsoft's regional telephone support centers is located in the Dallas area, so Gregory probably didn't move after leaving Microsoft. -BP]

The university withdrew his privileges after a barrage of complaints, saying his electronic messages strayed from any possible educational purposes.

Mr. Steshenko has countered with a lawsuit that seeks $2 million for damages to his career.

[Here the article jumps to page 28A, with the headline _Student sues UTD over access to computer network_. -BP]

[... Steshenko asserts this is a First Amendment issue. -BP]

The university says the matter is more basic. Mr. Steshenko simply did not follow its rules, which limit use of the Internet to exchanges related to coursework.

+++

"What makes it unique is that we're talking about a brand new medium," said Shari Steele, counsel for the Electronic Frontier Foundation, a group that tries to protect the freedom of individuals who communicate by computer.

She and other legal experts say that government-funded institutions, such as UTD, can't infringe First Amendment rights, even in electronic forums.

[... Omitted text describing the school's position that they have the right to control how their facilities are used, the absence of relevant court rulings, the issue of permissible language in newsgroups, and the general anarchy of newsgroups.]

Mr. Steshenko also retaliates against "denunciators."
He has sent copies of what he says are personal attacks by on-line adversaries to the chief executive officers of their employers, such large industrial companies as Bell Communications Research Inc. and WilTel Inc.

"I can take a lot in stride, but if someone sends a posting to the CEO of Bellcore (threatening) a lawsuit about me calling (him) a fool and it has implications with my position here at the company, then I'm going to get a little bit upset," said Andre Stynyk, a systems engineer at Bell Communications Research Inc., the research arm of regional Bell telephone companies.

Mr. Stynyk responded by complaining to UTD.

The university won't acknowledge the sources of the complaints it received.

"Let's just say he (Mr. Steshenko) was not following the rules and we received complaints from the outside. After review, we determined that he should not have the privileges anymore," said UTD president Robert H. Rutford.

"The rules," in this case are not those of the Internet, but those of UTD. Like other universities, UTD becomes part of the Internet by allowing outsiders into its computers and paying for the maintenance of its on-campus computing and communications network.

When it allows students access to the Internet, the university requires them to sign an agreement that they only use the resources of the Internet for instructional, research or administrative purposes.

[... The article quotes (acting executive director of the Internet Society) Howard Funk's assertion that the university can control how its facilities are used. Mr. Steshenko, in turn, asserts the university's interpretation of "instructional" is too narrow. -BP]

In hallways, classrooms and dormitories, for instance, students are not limited to talking only about the classes they sign up for, notes Marc Rotenberg, director of the Washington office of the Computer Professionals for Social Responsibility.

"It's a little bit like taking a classroom for a club meeting after classes end.
Maybe the university doesn't want you doing that," but it may be hard to say students can't.

This could make the Steshenko case "a good test of free speech on computer networks," he and Ms. Steele said, because the university not only is an academic institution, but receives funding from state government.

[... Comments about current case law extending prohibitions on laws abridging free expression to "government-run institutions" and how the Steshenko case may expand the prohibition to electronic exchanges of ideas. The article then describes the self-regulation of Usenet, Compuserve, mailing lists, et al.]

The Internet Society's Mr. Funk, for instance, says Mr. Steshenko would have avoided trouble at Microsoft and the university if he had only used a personal account to access the Internet.

But Mr. Steshenko rejects that as costly and says the primary issue is the exercise of First Amendment privileges at a state-run institution.

Regardless, cooler commentary may be inevitable.

Mr. Stynyk, the Bell systems engineer, believes that arguments on the Internet will have to take on more "politically correct" terminology, as millions of new, nontechnical subscribers log in to the Internet.

But Houston environmental scientist Larisa Streeter, whose husband's employer was also contacted by Mr. Steshenko, says the Dallas site's discourse does not "have anything to do with political correctness at all. It has to do with civil discussion."

She draws the analogy to allowing a member of the Ku Klux Klan to participate in a forum on African-American affairs.

"It's fine. You can have the Klan member there listening and participating and having a discussion," she said.

But, Ms. Streeter says, limits should be set if racial epithets start flying because nothing is added to the discussion.

Ultimately, canceling access to the Internet altogether is seen by Mr. Steshenko as an unfair abrogation of his rights as a student.
He maintains that other students using their Internet accounts can join "news groups" that discuss anything from events in Haiti to sex. If he is cut off from talking about Russia and Ukraine, he feels other students shouldn't be permitted to participate in forums not related to their coursework.

While the university does have a right to provide resources only for particular purposes, "it really hinges on whether or not they really don't permit the accounts to be used for anything other than the studies," Ms. Steele said.

W.O. Shultz, associate general counsel for the University of Texas system, says he does not know how the accounts are used by other students or whether they have formed news groups or lists of their own.

If the university consistently enforces its limits on the use of the Internet for instructional, research and administrative purposes, then it is likely on safe ground, said Henry H. Perritt Jr., a Villanova University professor of information technology law.

[... UTD investigates student use of the Internet only when they get a complaint, which could leave an opening for Mr. Steshenko's suit, which he drafted and filed himself. -BP]

If the university does not know how its students are using the Internet, it is "going to have a very hard time saying" it is not granting students the right to participate in electronic forums on whatever subjects they please, Mr. Perritt said.

"If the university's argument is that "we claim the power to control the use of our resources and direct the resources only for certain purposes," then I don't see what that has to do with the complaints. Then they have a duty to know what's going on," he said.

[End of article, which also features a four column by 5" photo of Mr. Steshenko in front of an IBM PS/2. The writer, Mr. Tom Steinert-Threlkeld, covers technology stories for the paper. -BP]

Bob Peterson Waffle BBS: peterson@ZGNews.LoneStar.Org P.O.
Box 865132 Internet: peterson@csc.ti.com TelCo: 214 995-6080
Plano, Tx USA 75086-5132 BBS: 214 596-3720 @ speeds to 14400 (HST & V.32bis)

------------------------------

Date: Tue, 16 Nov 93 14:48:59 EST
From: cccf@ALTERN.COM(cccf)
Subject: File 4--Toll Fraud on French PBXs--Phreaking

Toll Fraud on French PBXs - Phreaking

In France it is estimated that PBX trunk fraud (toll fraud) costs companies over $220 million a year. Criminal phreakers figure out how to access PBXs owned by businesses and then sell long-distance calling capacities provided by these systems to the public. In European markets where PSTN to PSTN connections are illegal it has not to date been such an issue. However, for a number of reasons this is likely to change. Trunk to trunk connection barring through PBXs is expected to be deregulated throughout Europe.

The telecom industry has done more this year to prevent toll fraud than any other time. Yet, toll fraud losses will top more than $2 billion again this year. If you aren't doing anything to prevent being hit, it's not a matter of if you'll be hit, it's when you'll be hit and for how much. So, here are some low-cost ways to stop toll fraud--or at least lessen the blow if you do get hit.

Increasing numbers of international companies have private networks and provide DISA (Direct Inward System Access) access to employees. Such companies are prime victims for Phreaking. For example, a phone hacker can access the network in the UK, France, or Germany and break out in another country where it is legal to make trunk to trunk calls, and from that point they can call anywhere in the world.

Voice Mail is taking off across Europe. This, together with DISA, is one of the most common ways phreakers enter a company's PBX. Raising these issues now and detailing precautionary measures will enable companies to take steps to reduce such frauds. The following looks at the current situation in France.
In France a whole subculture, like a real phone underground culture, of these technology terrorists is springing up on city streets. Stolen access codes are used to run call-sell operations from phone booths or private phones. The perpetrators offer international calls for circa FF 20, which is considerably less than it could cost to dial direct. When calls are placed through corporate PBXs rather than carrier switches, the companies that own the PBXs end up footing the bill.

What are the warning signs that your own communication systems are being victimised by toll fraud? In inbound call detail records, look for long holding times, an unexplained increase in use, frequent use of the system after normal working hours, or a system that is always busy. In records of outbound calls, look for calls made to unusual locations or international numbers, high call volumes, long duration of calls, frequent calls to premium rate numbers and frequently recurring All Trunks Busy (ATB) conditions.

Toll fraud is similar to unauthorised access to mainframe computers or hacking. Manufacturers such as Northern Telecom have developed security features that minimise the risk of such theft. Telecommunication managers, however, are the only ones who can ensure that these features are being used to protect their systems from fraud.

Areas of Intrusion Into Corporate Systems

PBX features that are vulnerable to unauthorised access include call forwarding, call prompting and call processing features. But the most common ways phreakers enter a company's PBX are through DISA and voice mail systems. They often search a company's rubbish for directories or call detail reports that contain a company's own 05 numbers and codes. They have also posed as system administrators or France Telecom technicians and conned employees into telling them PBX authorisation codes.
More sophisticated hackers use personal computers and modems to break into data bases containing customer records showing phone numbers and voice mail access codes, or simply dial 05 numbers with the help of sequential number generators and computers until they find one that gives access to a phone system.

Once these thieves have the numbers and codes, they can call into the PBX and place calls out to other locations. In many cases, the PBX is only the first point of entry for such criminals. They can also use the PBX to access the company's data system. Call-sell operators can even hide their activities from law enforcement officials by using PBX-looping--using one PBX to place calls out through another PBX in another state.

Holding the Line--Steps That Reduce Toll Fraud

Northern Telecom's Meridian 1 systems provide a number of safety features to guard against unauthorised access. It is the most popular PBX phreaked in France. The following information highlights Meridian 1 features that can minimise such abuse.

DISA Security

The DISA feature allows users to access a company's PBX system from the public network by dialling a telephone number assigned to the feature. Once the system answers the DISA call, the caller may be required to enter a security code and authorisation code. After any required codes are entered, the caller, using push button tone dialling, is provided with the calling privileges, such as Class of Service (COS), Network Class of Service (NCOS) and Trunk Group Access Restrictions (TGAR), that are associated with the DISA DN or the authorisation code entered.

To minimise the vulnerability of the Meridian 1 system to unauthorised access through DISA, the following safeguards are suggested:

1) Assign restricted Class of Service, TGAR and NCOS to the DISA DN;
2) Require users to enter a security code upon reaching the DISA DN;
3) In addition to a security code, require users to enter an authorisation code.
The calling privileges provided will be those associated with the specific authorisation code;
4) Use Call Detail Recording (CDR) to identify calling activity associated with individual authorisation codes. As a further precaution, you may choose to limit printed copies of these records;
5) Change security codes frequently;
6) Limit access to administration of authorisation codes to a few, carefully selected employees.

Meridian Mail Security

Northern Telecom's Meridian Mail voice messaging system is also equipped with a number of safeguarding features. The features that allow system users to dial out, namely Through-Dial, Operator Revert and Remote Notification (Outcalling), should be controlled to reduce the likelihood of unauthorised access. The following protective measures can be used to minimise toll fraud:

Voice Security Codes

Set security parameters for Through-Dial using the Voice Security Options prompt from the Voice Systems Administration menu. This prompt will list restricted access codes to control calls placed using the Through-Dial function of Meridian Mail. An access code is a prefix for a telephone number or a number that must be dialled to access outside lines or long-distance calling. If access codes are listed as restricted on the Meridian Mail system, calls cannot be placed through Meridian Mail to numbers beginning with the restricted codes. Up to 10 access codes can be defined.

Voice Menus

With the Through-Dial function of Voice Menus, the system administrator can limit dialling patterns using restricted dialling prefixes. These access codes, which are defined as illegal, apply only to the Through-Dial function of each voice menu. Each Through-Dial menu can have its own restricted access codes. Up to 10 access codes can be programmed. Meridian Mail also allows system administrators to require that users enter an Access Password for each menu.
In this way, the Through-Dial menu can deny unauthorised callers access to Through-Dial functions, while allowing authorised callers access.

Additional Security Features

The Secured Messaging feature can be activated system-wide and essentially blocks external callers from logging in to Meridian Mail. In addition, the system administrator can establish a system-wide parameter that forces users to change their Meridian Mail passwords within a defined time period. Users can also change their passwords at any time when logged in to Meridian Mail. The system administrator can define a minimum acceptable password length for Meridian Mail users. The administrators can also determine the maximum number of times an invalid password can be entered before a log-on attempt is dropped and the mailbox log-on is disabled.

Some of the features that provide convenience and flexibility are also vulnerable to unauthorised access. However, Meridian 1 products provide a wide array of features that can protect your system from unauthorised access. In general, you can select and implement the combination of features that best meets your company's needs.

General Security Measures

Phone numbers and passwords used to access DISA and Meridian Mail should only be provided to authorised personnel. In addition, call detail records and other reports that contain such numbers should be shredded or disposed of in an appropriate manner for confidential material.

To detect instances of trunk fraud and to minimise the opportunities for such activity, the system administrator should take the following steps frequently (the frequency is determined on a per site basis according to need):

1) Monitor Meridian 1 CDR output to identify sudden unexplained increases in trunk calls.
Trunk to trunk/Tie connections should be included in CDR output;
2) Review the system data base for unauthorised changes;
3) Regularly change system passwords, and DISA authorisation and security codes;
4) Investigate recurring All Trunks Busy (ATB) conditions to determine the cause;
5) If modems are used, change access numbers frequently, and consider using dial-back modems;
6) Require the PBX room to be locked at all times. Require a sign-in log and verification of all personnel entering the PBX room.

Two Practical Cases

Bud Collar, electronic systems manager with Plexus in Neenah, Wis., transferred from its payphone operations branch. As the PBX manager, he's blocked all outside access to his Northern Telecom Meridian 1 and Meridian Mail. Just in case a phreaker does gain access, Collar bought a $600, PC-based software package from Tribase Systems in Springfield, NJ, called Tapit. With Tapit, Collar runs daily reports on all overseas call attempts and completions. But the drawback to Tapit is that by itself it has no alarm features, so if a phreaker does get in, Collar won't know about it until he runs the next report. Tribase does offer Fraud Alert with alarms for $950, but Collar chose not to use it.

Erica Ocker, telecom supervisor at Phico Insurance in Mechanicsburg, PA, also wanted to block all of her outside ports. But she has maintenance technicians who need routine access, so she needed a way to keep her remote access ports open, without opening up her Rolm 9751 to toll fraud. The solution is to buy LeeMah DataCom Security Corps's TraqNet 2001. For $2,000, Ocker got two secured modems that connect to her maintenance port on her PBX and to her Rolm Phone Mail port. When someone wants to use these features, they dial into the TraqNet and punch in their PIN number. TraqNet identifies the user by their PIN and asks them to punch in a randomly selected access code that they can only get from a credit card-sized random number generator, called an InfoCard.
That access code matches the codes that are generated each time the TraqNet is accessed. The TraqNet 2001 is a single-line model that supports up to 2,304 users for $950. More upscale models can support up to 32 lines and run call detail reports, but they cost as much as $15,000. InfoCards each cost an additional $50.

Conclusions

The ultimate solution will be, as I read in a French consultancy review,

The more pleasant story directly linked with French phreaking was the night that I saw on my TV screen in Paris a luxurious computer ad for the Dell micro-computers. At the end of the ad, a toll-free number was shown in green: 05-444-999. I immediately phoned this number... and found the well-known voice of all French Northern Telecom's Meridian Mail saying in English language: "For technical reasons, your call cannot be transferred to the appropriate person. Call later or leave a message after the tune." Dialling 0* gives an open door to more than... Dell information. My letter to this company is still without a (free voice-) answer!

--
Jean-Bernard Condat, General Secretary
Chaos Computer Club France [cccf]
First European Hacking, Phreaking & Swapping Club
Address: B.P. 8005, 69351 Lyon cedex 08, France.
Phone: +33 1 47874083; Fax: +33 1 47874919; E-mail: cccf@altern.com

------------------------------

Date: Tue, 16 Nov 93 03:08:47 EST
From: gronez@AOL.COM
Subject: File 5--Brendan Kehoe

Hello to everyone behind the scenes at CuD..

For anyone who didn't see it, I'd like to acknowledge Brendan Kehoe and his excellent appearance on Computer Chronicles. Imagine my surprise as the name I have known for months now was finally given a voice. Great idea--the more people on the Internet the better for our virtual communities. I have one question though. Why wasn't DELPHI, probably the most popular gateway to the Internet, not featured on the show?
I hope that you or one of your colleagues may be able to shed some light on this,

Thank You

------------------------------

Date: Thu, 18 Nov 1993 22:49:17 +0000
From: 3W - Global Networking Newsletter <3W@UKARTNET.DEMON.CO.UK>
Subject: File 6--Advertise your skills!

3W MAGAZINE OFFERS FREE ADVERTS FOR NETWORKERS

3W Global Networking Newsletter is offering free small ads for individuals who provide services relating to the global networks.

In an attempt to widen knowledge about how to access and use the networks, 3W is starting a free adverts section as from Issue 3, Jan/Feb 1993.

This section will be open to any individuals who wish to advertise their professional skills to potential users. This covers consultancy, teaching, training, info-searching, research, writing, development, setup, maintenance, management or any others that pertain directly to the new global networks.

These ads will run in a section called NETWORKERS within the (Re)Source section of the magazine. All ads will consist of a Heading (max 4 words) and text (max 30 words). All ads must contain an e-mail contact address, though they may contain other contact information. All submissions must have a subject line of NETWORKERS.

Mail ads to networkers@ukartnet.demon.co.uk

Please note that there is no guarantee of inclusion, due to space limitations. Publisher's decision is final.

For information about other advertising in 3W please mail ads@ukartnet.demon.co.uk

Ivan Pope
Editor
ivan@ukartnet.demon.co.uk

+----------------------------
3W - Global Networking Newsletter    +44 (0)81 533 0818
13 Brett Rd                     Fax: +44 (0)81 533 0818
London E8 1JP                   3W@ukartnet.demon.co.uk
UK
++++++++++++++++++++++++
3W is a bi-monthly paper-based subscription newsletter that covers the new global networks.

------------------------------

End of Computer Underground Digest #5.88
************************************
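
Added example, not part of the original digest or of any contributor's material: File 4's first general security step (monitor CDR output for sudden unexplained increases in trunk calls) and its remark that a daily report without alarms leaves fraud unnoticed until the next run, turned into a small check over call records. The CSV layout, the "00" international prefix, the threshold and every sample row are assumptions constructed for illustration; they are not the Meridian 1 CDR format.

```python
import csv, io
from collections import Counter, defaultdict
from statistics import median
INTL_PREFIX = "00"  # assumption: this site's international dialling prefix
# Constructed sample CDR export in a hypothetical CSV layout (not Meridian 1's
# own record format): date, time, authorisation code, trunk, dialled digits, seconds.
_NORMAL = """\
1993-11-01,09:12,4401,T01,0145551234,180
1993-11-01,14:40,4402,T02,0478550101,95
1993-11-02,10:05,4401,T01,0145551234,240
1993-11-02,16:30,4402,T02,0478550101,60
1993-11-03,11:20,4402,T02,0478550101,120
1993-11-03,15:45,4401,T01,0145551234,75
1993-11-04,09:30,4401,T01,0145551234,200
"""
# Constructed overnight burst: nine long overseas calls on one authorisation code.
_BURST = "".join(f"1993-11-04,02:{m:02d},4403,T01,0012125550100,1500\n"
                 for m in range(10, 55, 5))
SAMPLE_CDR = _NORMAL + _BURST

def parse_cdr(text):
    fields = ("date", "time", "auth", "trunk", "dialled", "secs")
    return [dict(zip(fields, row)) for row in csv.reader(io.StringIO(text)) if row]

def daily_spikes(records, factor=3.0, min_history=3):
    """Days whose trunk-call count exceeds factor x the median of earlier days."""
    counts = Counter(r["date"] for r in records)
    days, flagged = sorted(counts), []
    for i, day in enumerate(days):
        history = [counts[d] for d in days[:i]]
        if len(history) >= min_history and counts[day] > factor * median(history):
            flagged.append((day, counts[day], median(history)))
    return flagged

def overseas_by_auth(records, day):
    """Overseas call count and total seconds per authorisation code for one day."""
    stats = defaultdict(lambda: [0, 0])
    for r in records:
        if r["date"] == day and r["dialled"].startswith(INTL_PREFIX):
            stats[r["auth"]][0] += 1
            stats[r["auth"]][1] += int(r["secs"])
    return {code: tuple(v) for code, v in stats.items()}

if __name__ == "__main__":
    recs = parse_cdr(SAMPLE_CDR)
    for day, n, base in daily_spikes(recs):
        print(f"ALERT {day}: {n} trunk calls (median of earlier days: {base})")
        print("  overseas by authorisation code:", overseas_by_auth(recs, day))
```

Run against each new CDR batch rather than once a day, the same check narrows the window in which a compromised authorisation code goes unnoticed; the per-code breakdown shows which code to disable first.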