============================================================================= PHUK MAGAZINE - Phile 0 of 10 ============================================================================= Welcome to the second issue of P/H-UK magazine, an ezine for the Hackers & Phreakers in the United Kingdom. Distrubition of PHUK#1 has gone excedingly well,please keep it up ! Dr. Kaos has managed to upload PHUK#1 to a few BBS's and apprently it has spread like wild fire since giving out the first issure at the December 2600 meeting. The D.A! has been able to distrubute PHUK#1 to a few eduacational establishments through a few of his data courier agents. Also the D.A! has cunningly spread it through covert means by leaving it on computers in directorys called SEX , SEXGAMES AND PORN . This is due to the fact the file is called PHUK01.ZIP which sounds a little rude and and should get people to be a little curious , who said a little anarchy does not work ! ;-) Well on to the contents , this issure we have a report on the 2600 SE meeting that was sent in by THE PRANKSTER which was received on 01-04-95 with all the local gossip of the south east. Also we have the second part of the BT MANUAL which I know you have all be en waiting for.More answer phone antics by HILO , and a lot more so I won't spoil the surprise ! STANARD DISCLAIMER ================== THIS IS AN ALPHA COPY OF PHUK#2 ..... NO RESPONSIBILITY CAN BE HELD FOR THE ACTIONS OF PHUK READERS WHO USE THE INFORMATION WITHIN UNWISELY !! SO SAY THE PHREAKERS / HACKERS UNITED KINGDOM EDITORIAL MANAGEMENT OR PHUKEM FOR SHORT ;-) . ============================================================================= P / H - U - K -- C O N T E N T S ============================================================================= 0: INTRO: You're reading it! ----------------------------------------------------------------------------- 1: EDITORIAL: Time for revolution ? ----------------------------------------------------------------------------- 2: NEWSBYTES: UK News ----------------------------------------------------------------------------- 3: HACKING THE BASICS - Death's Apprentice ! ----------------------------------------------------------------------------- 4: UK HACKER'S CONFERNCE: ----------------------------------------------------------------------------- 5: ANSWERPHONE - The Audioline 815 Digital Answer System - Hilo ----------------------------------------------------------------------------- 6: INTERNET SHOPPING AT THE LINK - Korporate Konsumer ----------------------------------------------------------------------------- 7: PHONE CARDS AROUND THE GLOBE - Korporate Mole ----------------------------------------------------------------------------- 8: BT Computer Security Manual Part 2 - Mrs. Brady of Doncaster ----------------------------------------------------------------------------- 9: Notes & Queries: A question & Answer Forum ----------------------------------------------------------------------------- 10: OUTRO: Next Issue .... Real soon now , we hope!! ----------------------------------------------------------------------------- +++ EOF ============================================================================= PHUK MAGAZINE - Phile 1 of 10 ============================================================================= ----------------------------------------- TIME FOR REVOLUTION ? - Phuk-Ed ----------------------------------------- Well what do you know a second issue of PH-UK has finally arrived , isn't that amazing ! How things have changed since the last time an issue was let loose on the computer underground . History will soon be made when we have our first Hackers Conference in July , (Details are in the ezine) , I can hardly wait what the media are going to say ! I mean , all those hackers and phreakers in the same location at the same time in full view of the press and MI5 ... ;-) How will the UK cope after such an event , what disasters are in the pipeline to be blamed on electronic terrorism by teenage technocrats . I can just see the the headlines in The Sun now .... but wait , what does the UK have to fear . Are the any hackers and phreakers actively doing what they do best ? If they are then they must be very covert operations ! More like that there are few hardcore hackers and phreakers playing with the system then you would imagine . There are a few that are cloning cellular phones but they are doing it for a profit and not for the sheer thrill of it . What about computer penetrations then , no , nobody there either due to the fact that a certain teenage hacker got caught hacking the Penatagon and frightened off half of the computer undergroud into states of paranoia . If you want proof then look at the numbers going to the 2600 meetings ! Although it has been reported by CERT that hackers are loners that do not work together sharing information on computer penetration and other technical wizardary . If that is the case how can all the hackers attending the event learn anything ? I think it is time for change , time for us to work together as brothers in the technilogical revolution that is happening NOW ! Share the information people and let the UK really be a nation that is just as advanced as the USA in our hacking and phreaking exploits . Phuk-Ed. +++ EOF ============================================================================= PHUK MAGAZINE - Phile 2 of 10 ============================================================================= ------------ UK NEWSBYTES ------------ -- FIRST EVER 2600 SE MEETING RAIDED BY POLICE The scene is set , saturday 18th of March there would be the first 2600 meeting in the South East of London.Slowly members of the phreaking and hacking community meet up at the Roebuck pub.Alcholic beverages were consumed and hacking / phreaking information was discussed openly ! (WOW !). All was going fine until a small group of fruit machine hackers disturbed the atmosphere by blantly and openly abusing a lone fruit machine.Verbal obsenties and threats were showered upon the confused bar staff , who looked on helplessly unwilling to face a vilent confrontation. The 2600 memebers tried to keep a low profile by drinking more beer as they thought it would help. As each person tried to drink ecah other under the table , the fruit machine hackers fled into the night. A fruit machine medic was called for and procceded to examine said machine. After much probing and examination , he proclaimed that yes , the machine had obviously benn tampered with ! It was at this point that unknowingly to the 2600 members the police were called for. When two police officers from the the nearby constabulury walked through the door all 2600 members not suffering from mild cardiac arrests , did what most people would have done in similiar circumstances . More alchol was ordered very quickly . Statements were taken from the bar staff concerned . A finger was pointed in our direction by one of the police officers and a hidden two finger salute was sent back.It seemed that a proper communications protocol had been established . The police officer kept pointing and we kept sending hidden binary. Just as we thought we were going to be arrested one of the bar maids jumped to our defence by saying we had nothing to do with said incident and had been very good patrons of said establishment as we had consumed large volumes of alcoholic beverages. With this new piece of information the police officers duly left and we drank more beer. All in all the night had been a memorable event and yes we going back next month ....hic ! We need the alchol to get over the shock ....hic! +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ [from CTW, 20-03-95] -- AMERICAN GIANT JOINS ELSPA AFTER HACKER BUST AT&T , the global computer and communications firm , has become an associate member of ELSPA , following a successful operation by the trade body's crime unit which uncovered extensive telephone calling card fraud . The operation , which led to two arrests in the USA and one in the UK , began when ELPSA investigators discovered a cache of over 50,000 stolen AT&T calling card numbers on a bulletin board . Computer hackers were using the numbers to call all over the world , at AT&T's expense , in order to download illegaly pirated material . +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ -- UK VERSION OF WIRED Well I think you all know that there is a UK version of WIRED , but correct me if you think differently but it sucks big time . I am sorry but the UK issure does not cut the mustard and I doubt if I will continue to buy the UK version but instaed I think I will stick with the US one . If you have different views the write in and let us know why you think it is worth a good read . +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ That's all for this ish, don't forget, NEWSBYTE exists on contributions from its readers, so send your snippets, comments etc to PHUK magazine at anon19143@anon.penet.fi, where we will do our best to include them in the next issue. +++ EOF ============================================================================= PHUK MAGAZINE - Phile 3 of 10 ============================================================================= HACKING THE BASICS ------------------ So you want to be a hacker ? Silly question if you are reading this you you must think , well I had to ask ! Okay , well where do you start ? The equipment is useful I suppose or you would not be reading this phile so you must know some thing about computers or at least the computer you are using . But to hack you need just a little more than the equipment , you also need information and a lot of common sense ! For example , do you know your local hacker at work or in school ? You do ! Well how many times have you gone up to them and asked how do you hack or how do you manage to do that . After a while they will get fed up and clam up about information they might of shared with you . Your not the only one who wants to know there is probabiliy a few dozen people who keep asking the same old questions time after time . There is a simple solution to get on side of your mentor , STOP ASKING DUM QUESTIONS ! Simple isn't it . Okay , you might think well how do I learn if I don't have a hacker for a teacher ? READ A LOT OF BOOKS AND MAGAZINES !!! Go to the library get out anything on hackers or hacking or general computer books and read them and take notes on any thing you might think will come in useful . Read computer related magazines , you might read some already if you own a computer and look at the comms section , I know that during 1994 there was a lot of Internet related information being written . Learn the jargon , do a lot of research , let your friends know that you are into computers and to let you know if they hear of any computer related news in the press or on TV . Then at least you will be able to hold a decent conversation with your local hacker and at least sound knowledgable . Right how to hack without getting caught ! Simple DON'T HACK ! Sounds stupid you think , well not really . Use a little bit of common sense , try a hacker trainer , in the old days of computers there was a computer game called SYSTEM 15000 for the ZX Spectrum and I know of a program for the Atari ST called NAARJEK . The basic idea of the game is to hack your way in to a computer system by any means neccessary . If you find that you get fed up easily then hacking is not for you . The advantages of this is that you gain experience of hacking without the risk of getting caught and two you will not run up a huge phone bill learning some of the basics . There are other computer hacking simulators about for other home computers or if you want you could even write your own in BASIC or another computing language and set a challenge to all you friends to break into the system . Get them to write a hacking trainer that you can try your hand to get into their system . At the very least it will get you programming and teach you part of the HACKER ETHIC , " Always yield to the hands-on imperative ! " Also you can try programs like MINIX or LINUX to learn UNIX and get a feel of the UNIX operating system and you can also set it up to learn other hacking skills . There are also PC emulators so you can try the MS DOS / PC DOS operating system and learn a few commands . Right now you are ready for some real hacking , try your work or school computer network system , put the things you have learned into practice and try to gain entry or access to other computer users accounts or disk areas . If you are at school or in a place of eduacation then you might have a NIMBUS 186 network running . These are particular easy to abuse if you already have an account on them as you can use a back door to your classmates area ! (ASK ME AT THE 2600 MEETINGS IF YOU WANT TO KNOW MORE !) Very handy if you are to lazy to do your own work then copy someone elses ! Well I think I will leave it there for now ! But I will say if you think you can do better then this article then type it up and send it to PH-UK ! A FEW THINGS YOU MIGHT LIKE TO READ ! ( HINT !! ) ------------------------------------------------- THE HACKER'S HANDBOOK - A BIT DATED NOW BUT STILL A GOOD READ IF YOU CAN FIND IT ! (E-BOOK) APPROACHING ZERO - A GOOD READ TO TEACH YOU ABOUT THE RISKS OF HACKING (E-BOOK) SECRETS OF A SUPERHACKER - VERY AMERICAN ! BUT HAS A LOT OF GOOD INFO ! 2600 THE HACKER QUARTERLY - HARD TO FIND PHRACK - AVAILABLE ON THE INTERNET ( SEE THE D.A ! FOR THE E-BOOKS ) This phile is copyright of DEATH 'S APPRENTICE of H.A.D.E.S. , 1995 +++ EOF ============================================================================= PHUK MAGAZINE - Phile 4 of 10 ============================================================================= ACCESS ALL AREAS Hacking Conference 1st - 2nd July, 1995 (Saturday & Sunday) King's College, London, UK -------------------------------WHAT-IT-IS--------------------------------- The first UK hacking conference, Access All Areas, is to be run in London later this year. It is aimed at hackers, phone phreaks, computer security professionals, cyberpunks, law enforcement officials, net surfers, programmers, and the computer underground. It will be a chance for all sides of the computer world to get together, discuss major issues, learn new tricks, educate others and meet "The Enemy". -------------------------------WHERE-IT-IS-------------------------------- Access All Areas is to be held during the first weekend of July, 1995 at King's College, London. King's College is located in central London on The Strand and is one of the premier universities in England. -----------------------------WHAT-WILL-HAPPEN----------------------------- There will be a large lecture theatre that will be used for talks by computer security professionals, legal experts and hackers alike. The topics under discussion will include hacking, phreaking, big brother and the secret services, biometrics, cellular telephones, pagers, magstrips, smart card technology, social engineering, Unix security risks, viruses, legal aspects and much, much more. Technical workshops will be running throughout the conference on several topics listed above. A video room, equipped with multiple large screen televisions, will be showing various films, documentaries and other hacker related footage. The conference facilities will also include a 10Mbps Internet link connected to a local area network with various computers hanging off of it and with extra ports to connect your laptop to. ------------------------------REGISTRATION-------------------------------- Registration will take place on the morning of Saturday 1st July from 9:00am until 12:00 noon, when the conference will commence. Lectures and workshops will run until late Saturday night and will continue on Sunday 2nd July from 9:00am until 6:00pm. ----------------------------------COST------------------------------------ The price of admission will be 25.00 (approximately US $40.00) at the door and will include a door pass and conference programme. -----------------------------ACCOMMODATION-------------------------------- Accommodation in university halls of residence is being offered for the duration of the conference. All prices quoted are per person, per night and include full English breakfast. SINGLE TWIN WELLINGTON HALL 22.00 16.75 Special prices for British and Overseas university students, holding current student identification, are also available - please call King's Campus Vacation Bureau for details. All bookings must be made directly with the university. They accept payment by cash, cheque and credit card. To making a booking call the following numbers... KING'S CAMPUS VACATION BUREAU Telephone : +44 (0)171 351 6011 Fax : +44 (0)171 352 7376 ----------------------------MORE-INFORMATION------------------------------ If you would like more information about Access All Areas, including pre-registration details then please contact one of the following... Telephone : +44 (0)973 500202 Fax : +44 (0)181 224 0547 Email : info@phate.demon.co.uk ============================================================================= PHUK MAGAZINE - Phile 5 of 10 ============================================================================= ------------------------------------------------------ ANSWERPHONES - AUDIOLINE 815 DIGITAL ANSWERING MACHINE ------------------------------------------------------ Instruction manual for the Audioline 815 Digital Answering System Remote Access ------------- 1. Dial the telephone number. 2. Listen to the OGM and subsequent beep , but instead of leaving a message enter the remote access code , (depress for at least 3 seconds). NOTE: You will not hear the OGM if the total recording time has has been filled . 3. The 815 will replay your messages to you. Every 3 minutes the 815 will automatically check that you are still listening by pausing and prompting you to enter your access code . If you do not enter the code , the remote sequence will be terminated and the system will save the messages and return to the answer mode . Options at the end of the remote playback ----------------------------------------- At the end of thw message playback you will hear a double beep followed by a 10 second decision period. 1. To repeat you messages enter the remote access code . 2. To save the current messages hang up the phone . 3. To cancel current messages and rest the system ,WAIT FOR A SECOND BEEP , enter the remote access code and hang up the phone . Turning on the system remotely ------------------------------ 1. Call the system and allow it to ring for 16 times . 2. The system will respond with a continuous tone for about 3 seconds . The system automatically switches to answering mode . Of course that is all very well but what if you don't know the access code , well it is a single digit and you will find it on the sticker underneath the unit. Most people will leave the instruction manual to the machine with the phone directories , logical huh ? HILO +++ EOF ============================================================================= PHUK MAGAZINE - Phile 6 of 10 ============================================================================= Internet Shopping with DIXONS LINK ---------------------------------- You know that most LINK shops have modems & inet links available ... .. no? well wander in when they're not too busy and browse ... or maybe when they're busy ... whenever you get left alone to play with their pc's and modems ...:) Here's a couple of files off the machine in the local LINK ... not a lot, but maybe useful to somebody out there. One is a 'global internet dial access phone list', and the other is the set up strings for loads of modems to dial into the internet. Hope its useful. Korporate Konsumer ***************************************************** * IBM Global Network Internet dial access phone list ***************************************************** 01-2144020 Austria Vienna 078-154643 Belgium Brussels 011-884-2870 Brazil Sao Paulo 1-604-380-2777 Canada Victoria 1-604-683-3416 Canada Vancouver 1-403-429-7125 Canada Edmonton 1-403-266-4013 Canada Calgary 1-306-525-4022 Canada Regina 1-204-956-4701 Canada Winnipeg 1-519-667-2225 Canada London 1-416-491-7112 Canada Toronto 1-613-233-4360 Canada Ottawa 1-514-931-0180 Canada Montreal 1-418-648-8684 Canada Quebec 1-902-492-8683 Canada Halifax 1-800-308-3173 Canada fee 800 90-4582133 Finland Helsinki 1-43051999 France Paris (east) 1-47760055 France Paris (west) 040-6301861 Germany Hamburg 030-7231021 Germany Berlin 0711-7800264 Germany Stuttgart 03-3505-5885 Japan Tokyo 020-6692333 Netherlands Amsterdam 079-219206 Netherlands Zoetermeer 66803850 Norway Oslo 93-4140122 Spain Barcelona 94-4157922 Spain Bilbao 981-266388 Spain La Coruna 91-5190938 Spain Madrid 91-4130003 Spain Madrid 98-5275755 Spain Oviedo 948-177809 Spain Pamplona 943-217577 Spain San Sebastian 95-4280710 Spain Sevilla 96-3616611 Spain Valencia 976-212018 Spain Zaragoza 08-6320224 Sweden Stockholm 01-433-0320 Switzerland ZÅrich 01179-292037 UK Bristol 0131-5570465 UK Edinburgh 0171-9280771 UK London (South Bank) 0161-9621452 UK Manchester 01926-497855 UK Warwick 1-404-885-5580 US Atlanta, GA 1-617-247-6754 US Boston, MA 1-303-442-0842 US Boulder, CO 1-312-245-0156 US Chicago, IL 1-214-620-9180 US Dallas, TX 1-810-827-7240 US Detroit, MI 1-713-993-7226 US Houston, TX 1-213-687-7247 US Los Angeles, CA 1-305-529-4700 US Miami, FL 1-612-338-3988 US Minneapolis, MN 1-212-644-4153 US New York, NY 1-201-265-0681 US Paramus, NJ 1-215-564-5918 US Philadelphia, PA 1-919-380-4300 US Raleigh, NC 1-314-621-9290 US ST. Louis, MO 1-415-979-0319 US San Fran, CA 1-206-382-0552 US Seattle, WA 1-813-877-1117 US Tampa, FL 1-202-293-5076 US Washington, DC 1-800-933-3997 US fee 800 ****************************************************** * IBM Global Network Internet registration phone list ****************************************************** 008-811-094 Australia Registration 0660-6832 Austria Registration 1-800-463-8331 Canada Registration 0800-1-1997 Belgium Registration 011-884-2870 Brazil Registration 8001-8278 Denmark Registration 0800-114465 Finland Registration 0590-8561 France Registration 0130-821202 Germany Registration 1-800-709-905 Ireland Registration 1678-72031 Italy Registration 060-228488 Netherlands Registration 0800-105765 New Zealand Registration 800-11783 Norway Registration 900-994443 Spain Registration 020-795181 Sweden Registration 155-9222 Switzerland Registration 0800-614012 United Kingdom Registration 1-800-933-3997 US Registration NOW FOR THE MODEM SET UP LIST ----------------------------- ********************************************** * IBM Global Network Internet dial modem list ********************************************** Alliance V.32 AT&F AT&C1&D2\B1\C5\D0\N3\Q1\V0S7=60 Anchor 2400E AT&F ATE1Q0V1X4&C1&D2S7=30S0=0 Apex PCMCIA AT&F ATE0&K3 Apex V.32, V.32bis Data/Fax AT&F ATE0S11=50X4\N7\Q3\V2&C1&D2 Apex 9600 Data/Fax AT&F ATE0S11=50X4\N7\Q3\V2&C1&D2 Arima AT&F ATE0Q0V1&C1&D2&K3 AT&T DataPort 14.4 AT&F ATE0Q0V1X4&C1&D2&R0S11=50 AT&T Model 4000 AT&F ATE1Q0V1X1S7=60S0=0 ATI 2400etc AT&F1 AT&C1&D2X6S7=60S11=60S9=10S10=18 ATI 2400etc V.42 AT&F2 AT&C1&D2X6S7=60S11=60 ATI 9600etc AT&F2 AT&C1&D2X6S7=60S11=60 Avatech 2400E AT&F ATE1Q0V1X4&C1&D2S7=60S11=55S0=0 BSM Quik Com MNP AT&F AT\Q3\J0\N3%C1&C1&D2S7=60S0=0 Cardinal 2400 MNP AT&F AT\Q3\N3\J0\C1S0=0S7=60S11=55 Cermetek 2400 R/2400 SPC AT&F ATE1Q0V1X4S7=60S11=55S0=0 Codex 2264 AT&F AT&C1&D2*FL3*XC1*PT0&R0 Compaq Enhanced Int. V.42bis AT&F AT&C1&D2X4W1S7=60S11=60&Q5S46=2&K3S36=7 Compaq Enhanced Internal Modem AT&F AT&C1&D2X4W1S7=60&Q5S46=2&K3S36=7 CompuCom Speedmodem AT&F2 AT*H1\N3\Q3%C1&C1&D1S7=60S11=55S0=0 Default AT&F ATE0Q0S0=0V1X1&C1&D2 Digicom 9624LE AT&F AT*F3 Digicom DSI9624 AT&F AT*F3*E1&C1S0=0S7=60S11=55 Digicom DSI9624 Plus AT&F AT*F3*E9&C1S0=0S7=60S11=55 Eagle V.32 Data/Fax AT&F ATE0Q0V1X4&B0&C1&D2&M0&R2*F3 Everex Carrier 96/24 AT&F AT\Q3\N3\J0\V1\C1S7=60S11=55 Everex EV941 AT&F ATE1V1Q0X4&C1&D2&I1S7=60S11=55 Everex Evercom 24e AT&F ATE1Q0V1X4&C1&D2S7=60S11=55S0=0 Everex Evercom 24e+ (MNP 5) AT&F ATQ0V1X4&C1&D2\Q3\C1\N3\J0\V1 Forval IM14400 AT&F AT&C1&D2\J0\N3\Q3\V1S7=60S11=55 GVC Super Modem 2400 MNP-5 AT&F AT\V1%C1\C1\J0\N3\Q3S0=0S7=60S11=60 GVC Super Modem 9600 V.32 AT&F ATE1V1Q0X4&C1&D2%C1\C1\G0\J0\N3\Q3\V1S11=55S7=60 Hayes Personal Modem 2400 AT&F ATE1Q0V1X4&C1&D2S0=0 Hayes Smartmodem 2400/2400B AT&F ATE1Q0V1X4&C1&D2S7=60S11=55S0=0 Hayes Smartmodem Optima 144 + FAX 144 AT&F ATE0Q0V1W2X4&Q9S95=46 Hayes Smartmodem Optima 14400FX AT&F ATE0Q0V1W2X4&Q9S95=46 Hayes Smartmodem Optima 28800 AT&F ATB75E0Q0V1W2X4&D2&Q9S37=11S11=50S95=46 Hayes Smartmodem Optima 9600FX AT&F ATE0Q0V1W2X4&Q9S95=46 Hayes Smartmodem V Series 2400 AT&F AT&C1&D2S7=60S11=55 Hayes Smartmodem V Series 9600 V.32 AT&F AT&C1&D2S7=60S11=55 Hayes Ultima Smartmodem 14400 AT&F ATE0&D2 Hayes Ultra 14400 AT&F AT&C1&D2S7=60S11=55 Hayes Ultra 9600 AT&F AT&C1&D2S7=60S11=55 Hayes V Series 2400/2400B V.42 AT&F AT&C1&D2&K3S7=60S11=55&Q5S36=3 Hayes V Series 9600/9600B V.42 AT&F AT&C1&D2&K3S7=60S11=55&Q5S36=7 IBM (PNB) 9600 Internal AT&F ATE0Q0X4S11=50&C1 IBM 7855 (12000 bps) AT&F ATS0=0E0&M0&AP8&C1&S0#X2)N3)R2)A3)M14&B8N1S25=5 IBM 7855 (9600 bps) AT&F ATS0=0E0&M0&AP7&C1&S0#X2)N3)R2)A3)M14&B8N1S25=5 IBM PCMCIA AT&F ATL3 IBM MWave Windsurfer Adapter AT&F ATE0Q0S0=0V1X1&C1&D2\N2%C1 InfoMate 212X/PC AT&F ATE1Q0V1X1S7=60S11=55S0=0 Intel 2400B AT&F ATE1V1Q0X4&C1&D2S11=55 Intel 2400B MNP AT&F AT\Q3\N3\J0\V1\C1S11=55 Intel 2400EX MNP AT&F AT\Q3\N3\J0\V1\C1S11=55 Intel 9600EX AT&F AT\Q3\N3\J0\V1\C1S11=55S7=60 Intel 14400EX AT&F AT&C1&D2S0=0S11=55 Intel 144e external modem AT&F ATL0 Intel 144i internal modem AT&F ATL0 Intel SatisFAXtion Board AT&F AT\C1\N0S11=55 Maxwell Modem 2400PC AT&F ATE1Q0V1X1S7=30S0=0 MegaHertz 14.4 Data/Fax PCMCIA AT&F ATE0&D2S11=50 MegaHertz C5144 and C596FM AT&F1 ATE0 MegaHertz T3144 and T396FM AT&F1 ATE0 MegaHertz Z3144 and Z396FM AT&F1 ATE0 MegaHertz EasyTalk 2400 AT&F ATE1Q0V1X4&C1&D2S7=60S11=55S0=0 MicroCom AX/2400 MNP4 AT&F AT\J0\Q3\N3S0=0 MicroCom AX/2400c MNP5 AT&F AT&C1&D2M1\G0\J0\Q3\N3S0=0 MicroCom AX/9612c AT&F AT\J0\Q3\N3S0=0 MicroCom AX/9612c-AX/9624c AT&F AT\J0\Q3\N3S0=0 MicroCom AX/9624c AT&F AT\J0\Q3\N3S0=0 MicroCom QX 2400t AT&F AT&C1&D2\Q3\N3\V1%C3\C1\J0S7=60 Microcom QX/V.32c AT&F ATV1&C1\Q3\J0%C3&S0&D3X4 MultiTech MultiModem 224/224PC AT&F ATE1Q0V1X4&C1&D2S7=60S11=55S0=0 MultiTech MultiModem 224E/224EC AT&F ATQ0&E1&E4&E7&E13X4$SB9600$BA0$A1S11=55 MultiTech MultiModem 224E7 V.42bis AT&F ATQ0&E1&E4&E7&E13X4$SB19200$BA0$A1S11=55 MultiTech MultiModem V.32 AT&F ATB0&E1&E4&E7&E13X4$SB19200$BA0$A1S7=60S11=55S0=0 MultiTech MultiModem V.32 EAB V.42bis AT&F ATB0&E1&E4&E7&E13X4$SB19200$BA0$A1S7=60S11=55S0=0 NEC N2431/2431C AT&F AT&C1&D2&E1S7=60S11=55 POLlCY 6.14: PRESCRIBED WARNING SCREEN AND AUTHORISATION A prescribed warning screen shall be displayed immediately after an accessor successfully completes the logon sequence. The system administrator shall set up procedures to provide written authorisation to users stating their access privileges. 6.6.5 Log on failure conditions Logon must not be permitted if: o the UID is invalid, o the UID is barred, o the password is invalid, o the UID and password combination is invalid, o the claimed UID is already active unless it is a system requirement, o the logon would contravene local policy, for example, time of day restrictions. 6.6.6 Repeated log on attempts The rate at which an adversary can make log on attempts must be limited to prevent exhaustive searching of UID and password combinations. Such an attack can be rendered imoractical bv compelling: o a modest time delay (eg. two seconds) between each individual access attempt made on any given port, and o a substantial time delay (eg. one minute) every few attempts (eg. three). This may be accomplished by including an attempt counter in the log on procedure such that no more than three attempts may be made subject only to the modest time delay, after which attempts from that port are disabled for a substantial time delay. The preferred option is that the link is actually disconnected and the user compelled to obtain reconnection. A stronger measure would be to permanently disable the UID or port with appropriate messages being sent to system log and the system administrator. In such cases the UIDs should be taken out of service automatically after a predefined number of consecutive unsuccessful access attempts - perhaps three. Before the locked-out UID can be used again, an approach has to be made to the Systems Administrator who will decide, if necessary in consultation with the Application Manager, whether to reactivate the original UID or issue a new one. This strategy is recommended for consideration only for High Impact Systems because an adversary may abuse the feature to disable all UID and/or ports causing a 'Denial of Service' problem. The running of verification utilities against system critical commands should be considered prior to reinstatement of the UID. POLICY 6.15: TERMINAL OR UID LOCKOUT When a terminal or UID is repeatedly misused in an attempt to breach a system, the terminal or UID shall be disabled and an alarm given. The period during which the terminal or UID is disabled must be commensurate with the impact of Denial of Service. 6.6.7 Recording access attempts Where possible all access attempts (whether or not successful and whether or not exceeding the counter limit) should be recorded on the system log. Alarms to the system manager may also be raised in real-time depending on the sensitivity of the system following repeated logon failures. The record should indicate the attempted UID, the time of the event and the link involved but should not record the attempted passwords. Exceptional events (such as apparent exhaustive trialling of password on a particular UID) should be so recorded as to come rapidly to the attention of supervisory personnel. The log must be scrutinised at frequent intervals for any evidence of unauthorised access attempts. Any unusual logged events must be investigated. POLICY 6.16: SECURE ALARMS Security alarms shall be used to inform the system administrator when an attempted breach of security has been detected. 6.6.8 Last access On successful logon the user should be informed of the time and date of last access, and of any unsuccessful access attempts since then. 6.6.9 Unauthorised access Any (suspected or known) unauthorised access attempt or criminal activity should be reported immediately to the BT Investigation Department Help Desk and line management. Further investigatory action should await specialist advice from BTID. POLICY 8.8: REPORTING OF SECURITY INCIDENTS applies. 6.7 Logging off 6.7.1 Terminal inactinty The system should include an activity sensing feature to identify terminals which, although logged on, appear to have been abandoned. These are a security risk since an adversary finding such a terminal unattended could employ it with all the access rights of the previous user. If no input is detected after a certain timeout (eg. five minutes) the system should log the terminal off automatically. This may be undesirable for some very limited facilities, such as batch processing or program development, in which case longer timeouts may be associated with specific UIDs. PCs should have approved security programs installed on them such that, if no user activity has been detected for a period of time, the program will lock the PC terminal and require a password entry to be reactivated. is must be done especially for PCs logged into a server system. Such programs should also blank out the actual contents of the display (it may be replaced by some other display) until the PC has been reactivated through the password. Screen blanking options that only jumble the contents of the screen should not be used. Preferably, the blanking of data should be combined with a screen saver function, which reduces the display duty cycle significantly, to help prolong the life of the display. POLICY 6.17: TERMINAL OR UID TIMEOUT When a port or UID remains dormant for a period of time, it shall be disabled. Terminal timeout shall also occur when a terminal remains logged onto a system, but remains unused for a period of time. The screen shall be cleared of any display when the forced logoff occurs. 6.7.2 Prolonged activity The system should require users present on the system for prolonged periods (hours rather than days) to reenter their log on sequence (UID and password) . This is to ensure that the authorised user is still present and that the communication link has not been hijacked by an adversary. 6.7.3 Link interruption The system should similarly automatically log off and clear down completely and immediately the session with any terminal whose communications path is interrupted. Many terrninals have a carrier detection light to show at the communications path is open and the failure of this may indicate an interruption. POLICY 6.18: LOG OFF WHEN COMMUNICATION SESSION IS INTERRUPTED Precautions shall be taken during the design of systems to ensure that active sessions are aborted if a failure in communications occurs. 6.8 User privileges It is usually a requirement that user capabilities still be restricted after log on. This is to prevent unauthorised use of computer facilities and unauthorised access of system software and data to which the user is not entitled. It is generally accomplished by establishing a set of 'privileges' associated with each UID such that users are not permitted to perform functions or access data except as indicated in their privilege tables. Controls shall ensure this by such means as password controls, access control lists, labelling of data fields. POLICY 6.19: DATA ACCESS CONTROLS Processing capability and data shall be accessible only by authorised staff with the appropriate privileges. 6.8.1 Privilege table establishment The default condition of all privilege tables should be that corresponding to no privileges. Privilege tables must be under the ultimate control of user management who must authorise all changes. 6.8.2 Facility privileges Privileges speciing the computer facilities available to users should be controlled only by system administrator staff. Facility privileges include: o I/O device allocations, o available storage volume, o maximum job size, o financial budget and its consumption. This restriction must be applied with particular rigour to security privileges. It must not be possible under any circumstances for an ordinary user to redefine himself as a system operator or system administrator for example or obtain access to their data files or facilities or obtain access to security-related software such as: o operating systems, o password control software, o system log software, o access control software, o time restrictions. Where a job consists of several tasks run in sequence, the authority of the user should be checked at each task and not solely on the first one. Staff whose job is to run a limited set of programs should not have the facility to edit, read or write programs. Menu-driven software may be helpful to ensure this. POLICY 6.20: ADMINISTRATION OF PRIVILEGES Privileges shall be administered only by the system administrator (or equivalent role) . 6.8.3 Function privileges Privileges defining the computer functions available to users should also be controlled by system administration staff only. Procedures for the replication of user privileges should only allow the minimum to be created appropriate with the users authority. Users should only be permitted to use those commands required in the normal course of their duties. 6.9 Access to user files Privileges defining the rights of users to access each other's data files may be exclusively under system administrator control, especially on high risk systems. However, on less sensitive systems discretionary control is frequently all that is required whereby each user controls the access of others to his own data files. In general systems developers should not have access to live files. 6.9.1 Implementation of logical access controls In this context 'access' may imply any of a number of operations (eg read, write, delete, modify, execute...) and it is essential that each of these should be separately specifiable. In any case there is implied the creation of a more or less detailed set of access restrictions for each user data file and the existence of special system control software for enforcement. There may also be a need for user identification control within applications, for example to test for the maintenance of separation of duties. Software development tools, for example, compilers, program libraries, source code etc, should not be available on operational systems. If they are present, their use must be strictly controlled. It is important that as much as possible of the control procedure should be performed automatically by the system and in a 'user friendly' and efficient manner. User acceptance and co-operation cannot be obtained otherwise and the security system will be viewed as an enemy by those it is intended to serve with the result that users will tend to avoid and circumvent its protective measures where possible. Most Operating Systems implement some form of access control but the degree of real security obtained varies dramatically from one system to another. 6.9.2 Default privileges The preferable default privilege is that no user other than the file owner can access (read, write, etc.) any given file unless given explicit authority to do so by the owner. 6.9.3 Password control of file access A limited degree of control may be obtained by password protection of files such that access is only available to users who know the correct password. Separate control of the different types of access (read, write, etc.) is then not generally possible, and the overall degree of security is much poorer than the fully specifiable, fully managed systems indicated above. This is partly because of user reluctance to undertake the burden of the additional passwords especially when all the issues concerning randomness and regular change of password are taken into account. 6.9.4 Encryption of files Files may also be encrypted by users to obtain a degree of protection rather higher than password control since simple access to the file no longer yields useful information. 6.10 Customer access to BT computers As communications technology becomes more and more sophisticated, and external companies become more demanding in the flexibility and management of the BT services which they use, BT is required to offer management and administrative services to its customers. The risks associated with this are well known and understood within the security community. However, systems implementors and administrators are not always aware of these. Systems which provide customer access are vulnerable in a number of areas, specifically the risk of access to system facilities which are beyond their anticipated privilege profile. Ihis can lead to: Compromise of the BT system Compromise of connected networked systems Compromise of other customers data Where customers are given access to a BT system, the system must be designed in a way that separates the customer access facility from the system's internal BT facilities. Where access to the system is initially regulated by the standard operating system User ID/password system, access to the internal BT facilities must be via a strong authentication method, preferably based upon a token or one-time password system. Customers place a high degree of trust in the service BT provides. It is the responsibility of systems implementors to consider the impact of failure upon a customer. Depending upon the risks it may be beneficial to provide access upon strong authentication techniques. When customers are given access to BT Service Management Systems, used by other customers, or holding sensitive information about other customers, processes or contracts undertaken by BT, then the Service Management System shall be considered to be a "high impact" system and subject to accreditation by the Director of Security and Investigation. (See section 2.8) POLICY 6.21: SENSlTIVllY OF SYSTEMS WlTH CUSTOMER ACCESS Systems providing customer access are deemed to be HIGH IMPACT systems where there is a connection between that system and other BT systems. POLICY 6.22- AUIHENTFICATION ON SYSTEMS VVlTH CUSIOMER ACCESS Access to non-customer facilities on a system providing customer access shall be via strong authentication methods. 6.11 Contractors 6.11.1 Software development by third parties Development of applications for BT by external companies should adhere to the same standards of development practice that we expect of internal developments. The quality assurance of the system is a crucial issue, particularly for systems which are of an operational or mission critical nature. Assurance standards should be quoted in terms of the Information Technology Security Evaluation Criteria (ISEC) levels, which should be specified at the start of the project. There are greater risks associated with software produced by external companies, where the level of direct BT supervision is likely to be minimal. The introduction of Trojan horse code is not easy to detect without extensive analysis of the program code. On-line systems need to be afforded protection from development people, and segregation of roles is a key element of this. Development contractors need to be separated from live environments. Default access to live data is not permitted. Access to live data in support of the contract should be for specific activities and must be monitored. Access must be withdrawn immediately following completion of the activity, or between phases of it. POLICY 6.23: CONTRACTOR ACCESS TO DATA Third Party Contractors used for development of systems shall not have direct access to on-line BT systems or live data, unless such facilities are absolutely necessary for execution of the contract. In this case, the contract shall specify the security requirements to protect BT's information. Operational activies by third parties BT has used outside contractors and agents for carrying out work for many years. Examples of this are building maintenance and other non-communications related activities. Increasingly, activities are being transferred to outside specialists. However, over the last decade, almost all of our activities and functions have been computerised and have become highly integrated with other systems. Therefore, outsourcing of an activity has to be viewed against the threats to BT as a whole from such a scheme. POLlcY 6.24: OUTSOURCING Proposals to outsource a process, to be carried out without direct BT supervision off BT premises, and which requires electronic access to BT information, must be supported by a Security Policy Document. If the process involves on-line access to a BT system processing information at Sensitivity level 2 or higher, the system must be accredited in accordance with Policy 2.7 Software and data Contents 7.1 Introduction. . . . . . . . . . . . . . . . 7-2 7.2 Software installation and maintenance . . . 7-2 7.2.1 Software changes. . . . . . . . . . . . . . 7-2 7.2.2 Protection of production systems. . . . . . 7-2 7.2.3 Software copyright. . . . . . . . . . . . . 7-3 7.2.4 System backup . . . . . . . . . . . . . . . 7-4 7.2.5 Failures and recovery . . . . . . . . . . . 7-4 7.3 Log faciliffes and system data. . . . . . . 7-4 7.3.1 Log facilities. . . . . . . . . . . . . . . 7-4 7.3.2 Logging system activity . . . . . . . . . . 7-5 7.3.3 Logging user activity . . . . . . . . . . . 7-5 7.3.4 Checking logs . . . . . . . . . . . . . . . 7-5 7.3.5 Retention of logs and journals. . . . . . . 7-6 7.3.6 Condition records . . . . . . . . . . . . . 7-6 7.3.7 Storage of logs in microfiche form. . . . . 7-6 7.3.8 Encryption of system data . . . . . . . . . 7-7 7.3.9 Back-up copies. . . . . . . . . . . . . . . 7-7 7.4 Data sensiffvity 7.4.1 Data ownership. . . . . . . . . . . . . . . 7-7 7.5 Storage . . . . . . . . . . . . . . . . . . 7-8 7.5.1 Write protection. . . . . . . . . . . . . . 7-8 7.5.2 Labelling . . . . . . . . . . . . . . . . . 7-8 7.5.3 Documentation . . . . . . . . . . . . . . . 7-9 7.5.4 Extraneous magnetic influences. . . . . . . 7-9 7.6 Disposal of media . . . . . . . . . . . . . 7-9 7.6.1 Magnetic media. . . . . . . . . . . . . . . 7-9 7.6.2 Disposal of computer equipment. . . . . . . 7-11 7.6.3 Documents, printout and consumables . . . . 7-11 7.7 Computer viruses. . . . . . . . . . . . . . 7-11 7.7.1 Vulnerability of systems. . . . . . . . . . 7-12 7.7.2 What a computer virus does. . . . . . . . . 7-12 7.7.3 Detection of computer viruses . . . . . . . 7-13 7.7.4 Group policy on computer viruses. . . . . . 7-13 7.7.5 Guidance. . . . . . . . . . . . . . . . . . 7-14 7.1 Introduction It is a security objective that software and data are correct complete and available to authorised users. Full use should be made of the security features provided by the operating system to achieve this objective. If software needs to be written, security and audit requirements should be considered at the system design stage. Users must ensure that the Statement of Requirements document contains a definition of security requirements and access restrictions. 7.2 Software installation and maintenance 7.2.1 Software changes All software modifications to a computer system must be authorised and fully recorded. The modification log should be held by the system administrator. Emergency patches (those that are not scheduled) must be properly documented and reviewed by the appropriate authority within one working day. Checks should be implemented to ensure that only one change is carried out at a time. If development pressure compels the packaging of changes in order to minimise the system testing overheads, the checking must be even more vigilant. Expert personnel should check all new and modified software for correctness and completeness with special regard to the possibility of security flaws. It should also be verified to ensure that it functions according to design, that it does not adversely affect other functions in the system and that no unauthorised changes have been made to the system. These checks should be conducted on an off-line system and not on operational machines. Verification should be performed after all software changes and on a regular basis. While full verification testing of the type outlined above is not always possible due to operational constraints, use of unverified software provided by a third party represents an unknown quantity from a security viewpoint, especially in cases where the source code is not available. In any case assurances must be obtained from the supplier about the integrity of the software and especially about the removal of undeclared commands incorporated for debugging purposes. It is preferable that user software should be written in a high level language. Only compiled programs should be released. Source code should only be available to the programmer creating or amending the program or for the verification of the validity of any changes; this applies equally to operational Job Control Language text. Job Control Language which cannot be compiled should be held in a discrete library store with controlled access. 7.2.2 Protection of production systems Ideally the software development cycle should involve a separation of Development, Test and Production environments. These three areas often have quite different security requirements. As far as technical restraints and costs permit, they should be isolated from each other. Technical and procedural controls should be applied to the promotion of software from Development to Test and from Test to Production environments. Special care should be taken to protect the integrity of code accepted into Production use. POLICY 7.1: VERSION CONTROL OF SOFTWARE Software shall be subject to version control to ensure that only current and approved software is in use on an electronic system. POLICY 7.2: PROTECTION OF DATA IN SYSTEM TESTING Live data shall not be used in system testing. Test data derived from, and traceable to, live data shall be afforded a similar level of protection to the original source. POLICY 7.3: SOFTWARE OF UNKNOWN INTEGRlTY Unless a trustworthy method has been used to create and distribute software then the integrity of the software shall be considered to be unknown and shall not be used on BT systems. POLICY 7.4: LIMITED USE OF DEVELOPMENTAND MAINTENANCE SOFTVVARE Software that can be used to modify existing programs on systems (such as editors and compilers) shall be restricted in their use to authorised staff. Any such software that is not needed for operational reasons shall be removed. POLICY 7.5: EMERGENCY ACCESS TO PRODUCTION SYSTEMS Emergency access to Production systems, using powerful utilities, for the purpose of data repair shall be subject to rigorous change control and every access of this nature must be recorded. 7.2.3 Softvare copyright The Copyright, Designs and Patents Act 1988 expressly accords computer programs the same copyright protection as written documentation. When BT owns the copyright in a computer program because it was written in-house or under a contract assigning copyright to BT, it is BT policy to mark the program appropriately. Details on how to mark information are contained within the Information Security Code. POLICY 7.6: COPYRIGHT OF BT SOFTWARE All software written in BT, or written for BT under a contract which provides for ownership of copyright by BT, shall be clearly marked so as to identify BT as the owner of copyright in such software. POLICY 7.7: COPYRIGHT IN NON-BT SOFTWARE Copyright law restrictions prohibiting the unauthorised copying, modification or unlicensed use of software and software documentation, in which the copyright is not owned by BT, shall be respected at all times. Unless BT has been granted an appropriate licence by the copyright owner, software and software documentation in which the copyright is owned by anyone other than BT, must not be copied, modified or used in BT. Where BT has a licence, the terms of the licence, including any limitations on copying, modifying or using such software and software documentation must be complied with at all times. Copyright markings applied by the copyright owner must not be removed (unless expressly permitted under the licence). 7.2.4 System backup Interruptions to normal working may be caused by such events as fires, hardware, software or environmental failures and malicious damage. POLICY 7.8: SYSTEM BACKUP Copies of the current versions of the system software, data, and accompanying documentation shall be safely stored and available so as to enable a quick and controlled recovery in case of a processing interruption. 7.2.5 Failures and recovery All abnormal program terminations should be monitored by the system to permit control to be passed to system recovery routines when necessary. Any software failure must be documented and investigated as this may be an indication of a breach in security. There should also be controls to ensure the validity of the software itself. POLICY 7.9: RECOVERY FROM PROCESSING FAILURES The planning of systems shall take into account the need to detect failures of software and hardware and provide recovery features such that the integrity of the data shall not be compromised. 7.3 Log facilities and system data System data is the information used by the operating system and application software to control and monitor access to system resources by users. Logs kept by the system form a large component of system data. 7.3.1 Log facilities A system log is required to identify users who have invoked transactions so as to assign accountability. The logs should reflect both system performance and user activity and each event on the system log should have an associated reference number and be time-stamped. It is essential that log hard copy and log software, eg reporting programs for logs held on disk or tape, should be afforded maximum protection from unauthorised modification and should be unaffected by system restarts etc. Hard copy logs should be kept for critical system logs. The pages of a hard copy log should be pre-numbered so that it may readily be checked for completeness. 7.3.2 Logging system activity System activity should be recorded on the log to include matters such as: - processing software errors, - program aborts, - crashes, - machine failures, - restarts together with information about causes. 7.3.3 Logging user actinty Monitoring user activity is especially dependent on the existence of a user activity log and may be regarded as an audit trail for the detection of unauthorised activity and identification of its origination. The user activity log should record such events as the following and include for each record any relevant information such as date, time, physical access point or port, UID, and nature of the attempt: o all system log on attempts (successful or unsuccessful), o all log off events, o all attempts by users to access system facilities outside their range of privilege, o all attempts by users to access data files belonging to other users in contravention of system access controls, o all attempts by users to employ commands outside their range of privilege o all use of high level privilege. The log should particularly include all security-relevant events, that is, interaction and attempted interaction with the security system such as: o password changes (although without logging password values) o access to restricted or critical system tables o modification of privilege lists POLICY 7.10: ELECTRONIC SYSTEM ACTIVlTY RECORDS An audit log of the system activity shall be maintained and regularly reviewed so as to identify abnormal system or user activity. Activity records shall be kept of events on all High Impact Systems, particularly of any activity which might be abnormal. Abnormal activity shall raise an alarm. 7.3.4 Checking logs While it may be impracticable to scrutinise an entire system log by hand, a regular spot check must be made on random samples of the log and on periods of unusually high logon activity, or access at abnormal hours. Project documentation should give precise instructions regarding the checking of system logs. The use of a software tool to separate unusual log entries from routine and non-contentious information which would enable a more careful scrutiny to be made, should be considered. Specialist audit packages, data test equipment are examples. POLICY 7.11: CHECKING OF LOGS System logs shall be regularly checked so as to detect unauthorised system activity. The use of automated techniques shall be considered. POLICY 7.12: CONTROL OF AUDIT TOOLS The automated tools used to analyse the system log files shall be protected and subject to management and control procedures. 7.3.5 Retention of logs and journals The length of the retention period should take into account audit and legal requirements, error recovery and investigation of any unusual occurrences. 7.3.6 Condition records Hard copy logs of important system parameters, data modifications, and details pertaining to hardware and software conditions, must be securely maintained by the system administrator. Iis permits a comparison to the system state after events such as software updates, fix or patch insertions and system restarts to verify that no accidental or unauthorised changes have been made. Parameters to be verified include: o billing options, o access control features, o user privilege profiles, o audit trails, o configuration management. This inforrnation can be used to provide legally submissable evidence concerning the correctness of the system in the pursuance of Section 69 of the Police And Criminal Evidence Act (1984). POLICY 7.13: LOGGING OF FAULT REPORTS A log shall be kept of fault reports by users, and hardware and software maintenance on systems. POLICY 7.14: AUDlTS AND JOURNALS All audit and journals of system activity shall be retained or archived for a reasonable amount of time in the event that the information is required for evidential purposes. 7.3.7 Storage of logs in microfiche form Special precautions must be taken to preserve the usefulness of logs as evidence if they are processed onto microfiche. The people responsible for the operation of the process and the subsequent storage must provide clear evidence that there can have been no interference with the logs during the process, or with the subsequent microfiche. 7.3.8 Encryption of system data Particularly sensitive files and data such as password listings should be given extra protection by being encrypted by the system. Passwords in particular should be one-way encrypted such that the original data cannot be recovered under any circumstances. 7.3.9 Back-up copies A system backup must be taken by system management personnel at regular intervals, the frequency of which will reflect the importance of the system and the impact of a system failure. The backup data should be stored securely o£ premises. Current copies of all on-site system images should be kept in approved locked, fire-resistant cabinets. A definitive copy of important data files must be securely maintained and used by system management to detect unauthorised changes to such things as access control mechanisms, user rights profiles, backup controls and audit mechanisms. Any file amendments must be logged. POLICY 7.15: BACKUP OF SENSITIVE DATA Sensitive information shall be backed up by a cycle of copies, devised so that the system can be brought into service after any accidental or deliberate erasure of data. 7.4 Data sensitivity Systems that perform security functions, or which safeguard commercially sensitive information whereby the failure to protect the confidentiality, integrity, availability of that information would cause: o a substantial loss to BT, o a substantial gain to a competitor, o severe embarrassment to BT, o serious loss of confidence in BT, or o a serious reduction of BT's standing in the community, or relationships generally, are called HIGH IMPACT SYSTEMS. 7.4.1 Data ownership Data ownership is an essential element in safeguarding BT's commercially sensitive information. The Data Owner is responsible for identifying the value and sensitivity of their data. This decision must be respected by all users and systems. Ownership conveys both responsibility for, and authority to: o judge the value and importance of the information, o assign a sensitivity level, o specify operational controls and permitted uses, o communicate control and protection requirements to users and custodians. POLICY 7.16: DATA OWNERSHIP All data shall have an owner who is responsible for deciding its sensitivity. 7.5 storage It is essential that software and data stored on magnetic or equivalent media should be properly handled, stored and protected so as to ensure the accuracy and completeness of all records. A full set of all software and data must be retained and filed for backup and recovery purposes. 7.5.1 Write protection Where possible all storage media should be write-protected prior to shipping and at all times when not active in the system. 7.5.2 Ibelling Magnetic media should be labelled with a unique identifier and the relevant privacy marking if appropriate. Methods of marking may be: 1 Magnetic tape spools - attaching marked labels to the front flange, and/or the edge of their protective canisters, and/or the front of any suspension rings used to support the tape spools during storage. 2 The front and back faces of cassettes and spines of protective boxes should be clearly marked. 3 Removable magnetic disks and disk packs should be marked on the top of the disk or pack or labels fixed to the top and side of the storage covers. 4 Floppy disks should be labelled on one side as specified by the manufacturer. If disks are kept in boxes, the front and back of these should also be marked. 5 A log should be kept of their use with the following information included: o system name and reference number, o date and time of last use, o present privacy status, o other corresponding tapes or disks, o name or initials of the person responsible for their use. POLICY 7.17: MARKING OF MEDIA Media shall be marked to indicate the most sensitive information on the media in accordance with the Information Security Code. Where a medium is shared it should be treated as containing the highest sensitivity level that may be stored upon it. POLICY 7.18- MARKING OF DATA Data shall be marked in accordance with the Information Security Code. 7.5.3 Documentation Systems specifications, program listings, details of test data etc. for systems containing sensitive information must be accorded a similar degree of protection as that of the computer held data. They should be marked with the appropriate privacy marking, locked away when not in use and spare copies held securely either in a fire-resistant safe or at another location. 7.5.4 Extraneous magnetic influences Magnetic media may be corrupted accidentally simply by being in the wrong location. Most electronic and electrical equipment generates a magnetic field either of a permanent nature or specifically when powered up. Such magnetic fields can both corrupt and erase data stored on disks and tapes. Floppy disks are much more prone to corruption from magnetic sources than hard disks and it is recommended that when not in use they should be stored away from office electrical equipment such as electronic typewriters, printers, computers or telephones. 7.6 Disposal of media 7.6.1 Magnetic media Magnetic and optical media holding sensitive information requires precautions to be taken before its reuse or disposal. Media which is damaged may be read easily by sophisticated equipment. Even magnetic media which is overwritten many times using seemingly complex patterns may be read using specialist techniques. Details of the secure destruction facility may be found in chapter 10. POLICY 7.19: ERASURE AND DESTRUCTION OF MEDIA Where media is to leave the boundary of a system, or there is a requirement to change a disk drive, or other vise dispose of media, one of the following rules shall be applied. A - Destruction of media, using facilities approved by the Director of Security and Investigation. B - Overwriting of media, using a technique approved by the Director of Security and Investigation. C - Reformatting, using a fail safe operating system low level format facility. D - Release permitted, but only to reputable companies with which BT has a non-disclosure agreement. E - Bulk erasing (degaussing), using equipment approved by the Director of Security and Investigation. X - This option is not permitted. The sensitivity level refers to the highest sensitivity of the information that has ever been stored on the media. Fixed Disks Sensitivity level Damaged disks Trade in disks >3 A A 3 A A 2 D B 1 D B/C Removable Media Disposal Disposal Reuse Reuse Sensitivity level damaged good on same within media media system BT >3 A A c x 3 A A C B 2 A C/E C/E B 1 E C/E - - If in the opinion of the system owner, the cost to BT of destroying media outweighs the value of the information, the system owner may seek approvel from DSecI to take alternative action. Also. see chapter 13 of the ISC. 7.6.2 Disposal of computer equipment Computer systems which are withdrawn from service pose a serious threat to BT if they are not processed properly before disposal. All systems to be disposed of by BT must have the disk formatted or destroyed according to policy 7.19. No software must reside on the hard disk of any machines which are disposed of, apart from the operating system. Entitlement to these must be documented at the time of the transfer. All master copies of software should be either retained or returned to the local computer administration unit for re-allocation. Managers should note the possible conflict of interest associated with the local scrapping and subsequent sale to BT people. If equipment is to be locally scrapped, the procedure for doing this must be documented and all records must be made available for audit and scrutiny. POLICY 7.21: DISPOSAL OF COMPUTER EQUPMENT No computer equipment containing non-volatile data storage capabilities that has been used for processing IN STRICTEST CONFIDENCE information shall be disposed of as surplus equipment until it has been examined by a person approved by the Director of Security and Investigation to ensure that all sensitive inforrnation has been removed. 7.6.3 Documents, printout and consumables IN STRICTEST CONFIDENCE waste must be disposed of under direct BT supervision by burning, shredding using a Director of Security and Investigation approved shredder, or by using a disintegrator. IN CONFIDENCE waste including personal and other sensitive data must be destroyed by burning, shredding, or disintegration. For large quantities of IN CONFIDENCE material, use can be made of the approved sensitive waste paper collection services. POLICY 7.22: DESTRUCTION OF PRINTER-BASED MATERIAL Sensitive media shall be destroyed in accordance with the Information Security Code. 7.7 Computer viruses A computer virus is an element of executable software that can be transferred between programs, or between computers, with or without the knowledge of the users. When triggered by an event determined by the perpetrator of the virus, it can carry out any of a wide range of unauthorised activities. Examples include infecting other programs or the operating system, sending infected messages to other systems, deleting files. Furthermore, these unauthorised events may occur while giving the impression that the computer is functioning normally. These actions can be malicious or benign, but in any event they breach the integrity of the system. Given BT's dependency on computerised systems for business-critical activities, it is essential that the integrity of such systems is maintained. 7.7.1 Vulnerability of systems Computer systems can be designed with built in capabilities to resist viruses. This may be achieved by erecting logical compartments enforcing strict segregation of the operating system, and the program areas and data areas of each user. Another measure is to prohibit terminals that have media entry capability or can be connected to untrusted networks. While these restrictions may pary solve the problems for defence systems, they are onerous, impractical and too expensive for most commercial of fice systems, IT systems and network management systems. Because most commercial computer systems are vulnerable to viruses, the primary protection depends mainly on management policy and the active co-operation of the users to ensure that viruses are not introduced into systems. However, many of the working practices that have evolved with the Personal Computers encourage virus propagation. Borrowing or lending disks containing programs or utilities is typical example. Downloading of software from the public databases and bulletin boards is particularly risky. 7.7.2 What a computer virus does A virus does two things. Firstly it has a mechanism to propagate itself For instance the perpetrator of the computer virus may attach it to a commonly run program or routine. Having carried out the legitimate function of the program, the virus takes control and attaches a copy of itself onto other programs that are resident, either directly or by altering the operating system. Thus once a computer has been infected it may infect the programs on any other floppy disk placed in its environment. These in turn may infect any other computer in which the infected disk is placed. Unless strict precautions are taken, advanced viruses are capable of causing infection to remote computers via networking facilities. The second feature of the virus is its function. The function can consist of any activity that can be performed by the computer. The virus function can be triggered by any detectable event, eg: a time, a date, execution of a particular routine, receipt of a message, deletion of a file or cancellation of a UID. In short, a computer virus is self-replicating software used to propagate a Trojan Horse or Logic Bomb. 7.7.3 Detection of computer viruses In the event of discovering a virus the Local Computing Help Desk should be contacted immediately for advice. For most parts of the business, this will be the GCS Help Desk. The suspect machine and disks which have been used on the machine should not be used further until the Help Desk has been contacted. Programs are now becoming available for most popular machines that claim to be able to prevent, detect or eradicate virus infections. These tools may certainly help to detect the presence of viruses. Unfortunately the indeterminate nature of computer viruses makes an absolute guarantee of detection virtually impossible. Nevertheless, virus detection tools should be regarded as a contributory factor in maintaining computer system integrity. The prevention of virus attack demands a fundamental shift of behavioural pattern on the part of users of micro- and mini-systems. Many of the procedures that have evolved to help and assist colleagues now need to be reconsidered in the context of possible attack by computer viruses. For instance, operating system, program or utility disks must not be borrowed or lent. Manufacturers source disks must be securely protected, not left inside the instruction manual in the open. Transit disks, that is those containing data files, should not be bootable or contain any executable files. Except when being written to at the beginning of the transfer process, the disks should be write- protected. 7.7.4 Group policy on computer viruses BT attaches considerable importance to the integrity of its computer systems, particularly those systems that provide applications that are critical to the smooth functioning of the Business. The recent emergence of computer viruses presents a serious threat to BT s computer systems. POLICY 7.23: VIRUSES: RESPONSIBILITY OF USERS It is the personal responsibility of each individual to ensure that viruses are not introduced into any BT system, or customers' system, that they come into contact with. POLICY 7.24: VIRUSES: POLICY FOR HIGH IMPACT SYSTEMS Detailed procedures on combating virus attacks shall be prepared for the security of systems for which the impact of security failure is high. These policies are to be submitted to Director of Security and Investigations for concurrence. POLICY 7.25: VIRUS DETECTION All disks inserted into customers' PCs must be virus checked before hand, using approved virus detection software, or be certified as being virus free by the manufacturer. 7.7.5 Guidance Utilities are available for many popular machines that claim to be able to prevent, detect or eradicate computer viruses. While their rigour and scope is unproven, they may certainly help detect the presence of viruses. Nevertheless, the primary objective is to avoid infection in the first place by means of careful operating procedures. The following steps should be followed by users to reduce the possibility of any system being infected by computer viruses: 1 Reduce the risk by only using software that is sourced directly from reputable manucturers and for which there is a customer/supplier contract that identifies a requirement for quality so%ware. 2 Machine-readable media containing master copies of operating systems, programs or utilities should be locked away securely at all times. 3 Computers containing executable copies of operating systems, programs and utilities should be kept within a local secure perimeter, else some means of logical access control should be deployed to prevent malicious infection. 4 Operating system and program media should never be lent, borrowed or exchanged (except where the highest levels of personal trust prevail) . 5 Machine-readable media used for data file exchange should contain only the data. Media should be inspected for executable files. 6 Machine-readable media should not be exposed to systems whose integrity is unknown, for example, systems at home or university systems. 7 Public-domain programs shall not be downloaded, and in particular, computer games should not be held or played on BT machines. Where games arrive as a part of a software package they should be erased. 8 All incoming and outgoing machine-readable media should be checked for known viruses. The preferred method of doing this is on a standalone machine, dedicated to that purpose (commonly called a sheep-dip PC). For further information on the approved high integrity product, please refer to section 11. +++ EOF ============================================================================= PHUK MAGAZINE - Phile 9 of 10 ============================================================================= --------------- Notes & Queries --------------- Note: Notes & Queries is the section where the readers send in any questions, problems etc that they might have, and other readers can send in the answers. We want YOU the reader to send your questions and answers to us, at anon93143@anon.penet.fi . Let me start off with some feedback that PHUK has got. Dear PHUK, First of all , loved the first issure of PHUK , its about time there was something decent to read in the UK , well done , look forward to reading the next one. You asked what the difference was between "Breach of confidentiallity" and "Hacking" , well , after consultation with my legal expert it appears that Breach of confidentiallity is to do with the trust that an employer gives to his employee in terms of access to data , (not necessarily computer data ). Hacking is the activity of unauthorised access to computers via any means. Usually hacking is done at a remote location rather than on site as the " BT Hacker " did . As far as I can see , he didn't hack anything , he just used the computer as part of his job and leaked dodgy data to the press. Keep up the good work. Regards HILO. Well thanks for the praise , your cheque is in the post ! ;-) Phuk-Ed. Now for some queries . Q: Does anyone know what frequencies the secrurity people use at the Troc , or does anyone know of some really interesting frequencies I could scan for ? A: Well readers , I will wait for your answers - Phuk-Ed . Q: Who do I ask to find out about the 2600 SE meeting ? A: Any one who knows about it , ok only joking the the details are as follows. LOCATION: ROEBUCK PUB IN LEWISHAM TIME : FROM 8PM ONWARDS DATE : 2Oth MAY 1995 OR ROUGHLY 3 SATURDAYS AFTER THE FIRST FRIDAY OF THE MONTH +++ EOF ============================================================================= PHUK MAGAZINE - Phile 10 of 10 ============================================================================= ----- OUTRO ----- Well this issure is finally finished and I hope you enjoyed it ! Hopefully there has been a general round up of the phreaking / hacking scene as it is happening in the UK . Although if you think a certain topic has not been covered the why not submit an article for PH-UK and it will go in the next issure . The only way this E-zine is going to survive is by people sending us snippets of news, articles, code, numbers, hints, tips and general ideas to keep the ball rolling. Send all articles, flames, Letters of Comment etc etc to PHUK magazine, anon93143@anon.penet.fi, OR speak to any of the PHUK crew at any London 2600 meeting ......... Anyhow, next month we have the following goodies for you ....we hope ! Green Boxing - DrKaos & TheGoat BT Computer Security Manual Part III Tracing people - Death's Apprentice Something on Novell Networks ... Some trash from BT wastebins .... Mecury Mailboxes .... UK News .... - Phuk-Ed +++ EOF .