Telco News
We've seen a good deal of ineptitude on the part of phone companies over the years. But we're still capable of being surprised.
Southwestern Bell (SWBT) wins the prize in the latest round.
Some numbers to their computers have been circulating for some time. Specifically:
316-261-1718
316-261-1716
316-261-1717
316-261-1200
316-261-1222
316-261-1229
The numbers themselves are insignificant; every phone company's computer dial-ups have been found by someone. It's the line of defense that exists after the computer picks up that is the true test of security.
A writer we know was quite surprised when, while verifying the authenticity of one of these numbers, he accidentally got root access to the system! He had typed root as a joke thinking that would be the quickest and surest way to disconnect. Not so. He was instantly welcomed with open arms. The writer quickly hung up but this event raises some real troubling questions. Like where has Southwestern Bell been lately? Don't they realize the importance of secure, non-obvious passwords, particularly for their most powerful account? How many people will be lured in by this seeming lack of concern? And finally, is this person now guilty of "breaking into" a phone company computer when that was never the intention?
CONNECT 1200
craswi
WARNING!! - THIS IS A SOUTHWESTERN BELL TELEPHONE SYSTEM, RESTRICTED TO OFFICIAL BUSINESS. UNAUTHORIZED ACCESS, USE, OR MODIFICATION IS A VIOLATION OF LAWS AND MAY SUBJECT THE PERPETRATOR TO CRIMINAL PROSECUTION.
login: root
Password:
Welcome!
/OTCSW + /CCS USERS: You are low on space. Please clean up your files.
Reminder: Network meeting tomorrow at 10:00 a.m.
erase = backspace kill = @
In light of this occurrence, how can we take recent SWBT claims seriously? They seem to think that hackers are the root (no pun) of all of their problems. A recent SWBT publication claims that hackers who caused no damage cost the company lots of money:
The loss to SWBT is estimated at $370,000. That includes expenses for securing the packet network to avoid future intrusions, reprogramming costs and labor for an internal investigation.
SWBT's efforts to prevent hackers include restructuring various communications networks and adding security hardware to computer systems.
"Employees serve as an important line of defense against hackers," said Barry Rabin, area manager-asset protection.
"The easiest way for a hacker to get into our computer is to obtain a password through what's known as 'social engineering,'" said Rabin.
"The hacker calls an employee and pretends to be another employee who needs a password to check on a job," Rabin said.
To guard against social engineering, Rabin recommends making sure you know who you're talking to.
"It doesn't cost anything to confirm the identity of the caller by getting a number and making a call-back check," Rabin said. "Employees who receive any suspicious calls should contact the asset protection division or their interdepartmental security forum representative as soon as possible."
If you'd like more information on the practice of social engineering, SWBT's computer security administration group actually has an employee education campaign on the subject. Posters and other information for the campaign can supposedly be obtained by calling Jackie Smick at 314-235-3032.
SWBT is urging its employees to be alert. It seems pretty obvious to us that these employees just aren't doing all they can. In fact, we think they need all the help they can get. SWBT tells its employees "If you receive a suspicious phone call with a request for a company phone directory, computer password, or other proprietary information, the caller could be a computer hacker. To be safe, ask for a name and a call-back number, then contact your interdepartmental security forum representative." It might be a good idea for the rest of us to keep on the alert for those wide open security holes you could back a truck through. If you find any, what better way to show your good intentions than by helping these poor souls out? These are the security "experts" for SWBT's various regions:
Arkansas: Don Miller - 501-373-5372
Kansas: Mike Leck - 316-268-3247
Missouri: Bob Fields - 314-247-8028
Oklahoma: Charles Gass - 405-278-4246
Texas: Renee Johnson - 214-464-7907
Internal security memorandums of more than a year ago indicate that Southwestern Bell was aware it had some major security holes. "Potentially ALL systems utilizing [the packet] network COULD HAVE BEEN COMPROMISED AND INTRUDED" was the dire warning in one memo, "Administrative controls SHOULD be placed on vendor support links, including dial-up ports and packet gateways." Whether or not anything was ever actually done, it would appear that sloppiness is once again the rule.
An internal Bellcore bulletin concerning the security of packet switched networks goes into detail on how hackers believed to be affiliated with the Legion of Doom and 8LGM hacker groups took advantage of "OA&M diagnostic software tools (e.g., XRAY from TYMNET and TDT2 from SPRINTNET)" to get into the Public Packet Switched Network (PPSN) of various phone companies.
"The intruders gained access to a vendor supported OA&M 'debug' port to the BCC's TYMNET based PPSN. By exploiting the group based or default password, the intruders then executed the program known as XRAY, and its utilities, to read the data traffic on any of the X.25 port line cards and MUX multiplexers. By reading the data of the X.25 port line cards or MUXs, and scanning the memory space internal to the packet handler, the intruders were able to capture logins and passwords transiting over or used within the packet network. With the help of the compromised logins and associated passwords, the intruders then attacked: 1.) the computer systems and networks that were being addressed during the compromised packet sessions, or 2.) the networked hosts to the packet handler."
The Bellcore bulletin targets a Legion of Doom/Hackers oriented bulletin board system and concludes that "The intruders have perfected their skills and have utilized that knowledge to compromise the PPSNs of several carriers. Once compromised, the intruders are able to capture data including logins and passwords from the PPSN traffic." Packet networks at risk included SPRINTNET (TELENET), TYMNET, Bell Atlantic's PDN, BellSouth's PULSELINK, Pacific Bell's PPS, Southern New England Telephone's ConnNet, and NYNEX's NYNEXLAN.
Bellcore clearly believes that hackers are nothing short of terrorists. A security alert from November 1990 warns that "The potential for security incidents this holiday weekend is significantly higher than normal because of the recent sentencing of three former Legion of Doom members. These incidents may include Social Engineering, computer intrusion, as well as possible physical intrusion." Pages are devoted to "suggested countermeasures" to counter the expected onslaught of attacks.
With this kind of paranoia running rampant in the hallowed halls of the phone companies, how is it that they still manage to leave the front door wide open?
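An added example, not part of the original article and not SWBT's or Bellcore's code: a Python audit for the conditions that make a login like the one shown above possible, namely accounts with an empty password field, extra UID-0 accounts, and root logins permitted on dial-up terminals. The account names, hashes and terminal names are constructed, and the securetty-style list of terminals where root may log in is an assumption about the system being audited.

```python
# Added example: audit a passwd-format file and a securetty-style list.
# All account names, hashes and terminal names below are constructed.
SAMPLE_PASSWD = """\
root::0:0:Super User:/:/bin/sh
sysadm:Xq3kPz9LmR2aE:0:1:Admin:/usr/sysadm:/bin/sh
ops:*:101:10:Operations:/usr/ops:/bin/sh
jdoe:aB4nT7wQe1YxU:102:20:J. Doe:/usr/jdoe:/bin/sh
guest::103
"""
# Terminals on which root may log in; tty01/tty02 stand for dial-up lines.
SAMPLE_SECURETTY = "console\ntty01   # modem\ntty02\n"


def parse_passwd(text):
    """Yield (lineno, name, password_field, uid); name is None if malformed."""
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7 or not fields[2].isdigit():
            yield lineno, None, None, None
        else:
            yield lineno, fields[0], fields[1], int(fields[2])


def audit(passwd_text, securetty_text, local_ttys=("console",)):
    """Return a list of (finding, subject) tuples, in file order."""
    findings = []
    for lineno, name, pw_field, uid in parse_passwd(passwd_text):
        if name is None:
            findings.append(("malformed-entry", "line %d" % lineno))
            continue
        if pw_field == "":  # empty field: login succeeds with no password
            findings.append(("empty-password", name))
        if uid == 0 and name != "root":  # second account with root's powers
            findings.append(("extra-uid0", name))
    for line in securetty_text.splitlines():
        tty = line.split("#", 1)[0].strip()
        if tty and tty not in local_ttys:  # root allowed in over a remote line
            findings.append(("root-login-on-remote-tty", tty))
    return findings


if __name__ == "__main__":
    for finding, subject in audit(SAMPLE_PASSWD, SAMPLE_SECURETTY):
        print("%-26s %s" % (finding, subject))
```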
Yellow Page Screening
Ever wonder where the phone companies draw the line on Yellow Pages advertising? We caught a glimpse of some internal NYNEX guidelines that define unacceptable advertising.
Advertisements which are, in the opinion of the publisher, indecent, vulgar, obscene, suggestive, or offensive, either in direct presentation or by suggestion in the text or illustration, will not be accepted under any heading.
"Particular care should be exercised in reviewing advertising copy and illustrations for placement at any of the sensitive headings listed... Balloons, Book Dealers, Dating Bureaus, Entertainers, Modeling Agencies, Massage, Motels, Motion Picture Producers, Night Clubs, Telegrams, Theatres, Escort Service.
... Objectionable copy or illustration will be refused at any heading... What is appropriate at one heading may take an entirely different meaning at another heading. For example, a person in a swimsuit may be appropriate at "Swimwear & Accessories" but may communicate an offensive message at "Escort Service - Personal."
What Isn't Acceptable
If the advertisement as a whole implies that the firm is something other than a legitimate establishment, the advertisement won't be printed.
Phrases that aren't acceptable include those which refer to the sex, suggest nudity, or the physical description of the business staff.
There are also certain words and phrases you cannot ever use. These include "Young Technicians," "Once is never enough," "Slip and slide oil rubs," "Hot Bodies for the man who has no limits," "We take it all off to music," "Strip Tease Dancers," "We show it all," "Full Nudity," and, of course, "Full." Other words include: "Strip," "Strip-o-Grams," "Full Show," "Topless," "Fantasy," "Nude," "Stripper," "Teletease Telegrams," "1/2 Full Show" and "Bottomless." We should point out that "Nude" and "Full" are only unacceptable when they are used to imply nudity.
Finally, the pictures/illustrations deemed unacceptable include: "Male or female forms alluding to sex or that are provocative in nature. Illustrations with expressive cleavage or bare buttocks will not be permitted; [as well as illustrations] that suggest sensual or erotic pleasures; male or female forms without proper street attire; and suggestive poses."
So now you know.