[/]/[/]/[/]/[/]/[/]/[/]/[/]/[/]/[/]/[/]/[/]/[/]/[/]/[/]
          /[/]/[/]                                       [/]/[/]/
          [/]/                                               /[/]
          /[/]     =====  An Ounce of  Prevention  =====     [/]/
          [/]/     == Making the  Telcos Hacker-Proof ==     /[/]
          /[/]                                               [/]/
          [/]/            -------  by:  -------              /[/]
          /[/]            ---  Mack Hammer  ---              [/]/
          [/]/                                               /[/]
          /[/]/[/]                                       [/]/[/]/
          [/]/[/]/[/]/[/]/[/]/[/]/[/]/[/]/[/]/[/]/[/]/[/]/[/]/[/]



     Know thine enemy.

     Good advice for any battle.  For the hacker or phreaker, one's primary
opponents are computer security professionals.  Since the greatest feather
for any cyberpunk's cap is exploitation of a Telco, the behavior of Telco
employees is of particular importance.  Telcos spend a lot of time studying
what hackers do and what information they have, and then trying to apply this
information to thwarting the attempts of would-be intruders into their
systems.

     Therefore, it seems like hackers and phreakers should be aware of what
the Telcos are doing to stop them.  Most hackers know about ANI Feature
Group D and the other electronic countermeasures used by the Telcos to track
down hackers, but how are Telco employees trained to detect and thwart
attempts at social engineering, and how do the Telcos respond to break-ins
that are detected?  This article will discuss basic electronic
countermeasures, the training and advice given to employees, and the
response of the Telcos to known threats to their systems.

/* Hardware */

     Before one commits toll fraud (discouraged by this publication), or
before they dial up a known carrier, questions race through their mind.  The
first and foremost is, "Are they tracing this call?"  It makes you wonder,
how many calls are actually traced?

     Unfortunately, which telcos trace and which don't varies from company to
company.  Needless to say, the Big Three long distance carriers (AT&T, U.S.
Sprint, and MCI) record both the originator and receiver of every long
distance phone call made on their system.  For verification of this, call
U.S. Sprint and ask for a billing report several months old.  Rather than
the spiffy little invoice you usually get, you'll receive a crappy screen
dump from a computer with "best possible quality" or something similar
stamped on it.  It lists, among other things, each call, along with the
numbers of both parties.  As you can see, this renders toll fraud using any
of said systems practically impossible.

     Many local long distance systems, on the other hand, don't have the
facilities necessary for tracing telephone calls.  Use your own best
judgement.  As far as the regional telephone companies are concerned (Bell
South, Pacific Bell, etc.), I have heard that newer ESS systems record ALL
numbers dialed, including mistakes.  I find it hard to believe that this is
true, or if it is, that these records are easily retrieved and sifted
through.

     In any case, tracing is quite possible, and in some cases, is quite
probable.  Use your better judgement, and remember, the bigger the company,
the bigger the risk.

/* Prevention through employee awareness */

     Among telcos today, much attention is given to employee awareness.
Nearly all telco employees are trained to recognize and prevent social
engineering and hacking.  Unfortunately for the telcos, employee laziness and
complacency often lead employees to replace caution with sloth.  For
example, much attention has been given to "trashing" or "dumpster diving,"
and employees are encouraged to shred sensitive documents.  In all my
trashing experience, however, I have NEVER found shredded paper.

     The same holds true for social engineering: explicit instructions are
given to telco employees to lessen the threat of information leaks through
clever social engineering.  Employees are encouraged to get the caller's
phone number and call them back, but this does not often occur.

     This advice for beefing up security was given in an article in
"Enterprise," a magazine printed by Southwestern Bell.

  *  Get rid of trivial passwords.
  *  Routinely change passwords.
  *  Review password files.
  *  Restrict access to "read only."
  *  Know to whom you're talking.
  *  Shred as many documents as possible.
  *  Post a warning which will be displayed whenever one logs into a
     computer.
  *  Lock up terminals, personal computers, and floppy disks when they are
     not in use.
  *  Eliminate unnecessary access lines.
  *  Disconnect modems when they are not in use.
  *  Avoid public domain software.
  *  Report suspicious activity.

     As you can see, computer security personnel have gotten smart.  They
are well aware of most hacker tricks, and are doing their best to explain
them to all of the other employees.  Hackers now rely on the forgetfulness
and laziness of normal employees for success, not the ignorance of system
managers.

     Telco security personnel are much more apt to check audit trails than
they once were.  Suspicious activities such as late-night logins, the use of
test and demo accounts, and the like are carefully monitored.  One should
use the telco computers during peak hours so that strange activity won't be
noticed by already busy system managers.
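As an added illustration (not from the original article), here is the kind of
audit-trail review the paragraph above describes, run over a few constructed
log lines: it flags logins to test/demo accounts and logins outside an assumed
07:00-19:00 peak window.  The log format, account names and hours are all
assumptions made for the example.

```python
import re
from datetime import datetime

# Constructed sample audit-trail lines (not from any real telco system).
# One deliberately malformed line shows that the parser skips junk.
SAMPLE_AUDIT = """\
1991-03-04 09:12:41 LOGIN user=jsmith tty=tty01 result=ok
1991-03-04 02:17:33 LOGIN user=demo tty=tty03 result=ok
1991-03-04 14:05:10 LOGIN user=test tty=tty02 result=ok
this line is not an audit record
1991-03-04 23:48:02 LOGIN user=opmgr tty=tty04 result=ok
1991-03-05 03:02:55 LOGIN user=jsmith tty=tty01 result=fail
1991-03-05 10:30:00 LOGIN user=billing tty=tty05 result=ok
"""

# Assumed "peak" business hours: 07:00 through 18:59.  Anything else is off-hours.
PEAK_START, PEAK_END = 7, 19
# Account names the article says security staff watch for (assumed spellings).
WATCHED_ACCOUNTS = {"test", "demo", "guest"}

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) LOGIN user=(?P<user>\S+) "
    r"tty=(?P<tty>\S+) result=(?P<result>\S+)$"
)

def parse_line(line):
    """Parse one audit line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%d %H:%M:%S")
    return rec

def audit_findings(log_text):
    """Return (reason, user, timestamp) tuples for every suspicious login attempt."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue  # not an audit record; skip it
        when = rec["ts"].strftime("%Y-%m-%d %H:%M:%S")
        if rec["user"].lower() in WATCHED_ACCOUNTS:
            findings.append(("test/demo account", rec["user"], when))
        if not (PEAK_START <= rec["ts"].hour < PEAK_END):
            findings.append(("off-hours login", rec["user"], when))
    return findings

if __name__ == "__main__":
    for reason, user, when in audit_findings(SAMPLE_AUDIT):
        print(f"{when}  {user:<8}  {reason}")
```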

     Security professionals also carefully monitor activities in the hacker
world.  They keep a watchful eye on hacker BBSes and publications.  Each
finding, either a breach in security or increased knowledge amongst hackers,
is recorded, prioritized, and then published in various security documents.
One should be especially cautious of any "beginner" who asks a lot of strange
questions, because the telcos must have at least some people on the inside.

     One can also assume that if one telco or corporation has a particularly
effective strategy for stopping hackers, or a successful awareness campaign,
it will spread like wildfire to all telcos.  Despite the fact that telcos
are competitors, and are especially secretive since their business depends
on a technological edge, they are happy to share all security information,
since the ruination of the computer underground is one of their primary
goals.  This leads us to the final section of this article. . .

/* Responses to security breaches */

     What do the telcos do when they detect a security breach?  This may be
the most important question the hacker can ask.  Of course, one's goal is
to explore the system in question without being detected, but if the worst
happens and your intrusion is discovered, it's good to know what steps the
telco will take to prevent your future intrusion.

     The first thing to remember when hacking into a telco's computer is, if
you're caught, you will be prosecuted. . .  If there's any way they can get
you in court, you can bet your bottom dollar you'll be there.  Unlike other
businesses, which may ignore the occasional security breach because they
don't feel like it's a major problem, the telcos live in fear of hackers,
and do their utmost to prevent entry into their systems.

     Telcos make it a point to document every security risk, whether it's a
break-in on their system, a bug in an operating system, or some new
information found on a BBS.  These detections are often published in telco
literature in an attempt to educate all of the employees of the telephone
company.

/* Summing it up */

     Overall, the telcos finally seem to have gotten wise to most of the
scams run by today's hacker.  Despite the fact that telcos are often the
victims of hacking and phreaking (thank goodness), they are much less
susceptible to infiltration through hacking, trashing, and social
engineering than they once were.  The moral of the story is, today's security
measures are breeding a harder working hacker, one who must constantly
watch his back and look before he leaps.
