by Justin Petersen

Station.

HOLLYWOOD, Calif.   In today's highly competitive broadcast industry, most station managers and engineers do not often have the motivation or the time to concern themselves with computer security. Usually, the subject is ignored until the station suffers a breach. Unfortunately for some, this is a costly mistake.

Imagine for a moment what the temporary loss of your station phone or computer system would cost in terms of revenue and wasted man hours. Could your station continue to function effectively?

In the computer and information age, we find ourselves relying more and more on these complex systems. But our increased use of computer and other remotely controllable systems brings an increased vulnerability to an outside attack. All businesses need to be prepared for this new fact of life. You can take a number of measures to minimize your exposure.

How big is the threat?

The media and law enforcement infatuation with computer hackers has reached almost a fever pitch in recent months. Having been a hacker myself in the past, and also having been somewhat involved in the recent hoopla. I can comment that I find it all a bit amusing. The powers -that- be are pressing their panic buttons a little prematurely. This, however, is not to say that the potential for a major "hack" does not exist. Indeed, I will go on record as saying it is just a matter of time before the headlines cover yet another major computer break-in. Which organization or corporation is the next victim?

Certain computer security consultants would have you believe that an insatiable army of savvy computer criminals is perusing the networks of the world just looking for a way to pilfer funds. In my experience. this is not the case. I believe the threat can he summed up into two types of hacker.

One is the criminal opportunist willing to jump on the hi-tech crime bandwagon. Once someone who knows what he or she is doing passes on to the masses a technique to defraud a system, it becomes a widespread problem. e.g.. long distance codes. credit card encoding and cellular phone cloning. This type of dispersion takes time; a company can plan to limit or prevent it. The second is the playful or sometimes malicious teenage hacker. Clever, resourceful and sometimes relentless, these kids may make it their mission to get into your systems. It is the latter who will most likely be drawn to probe a station's systems for vulnerabilities. If your station caters to a young demographic, you may have already experienced some problems.

Signs of trouble

"Social engineering," as the hackers label it, is the art of gaining information over the phone during a pretext call. Simply put, they cleverly B.S. you into telling them what they want to know. He or she may pose as an engineer looking for work. a potential advertiser, or a telephone company technician tracking down a problem. Social engineering is a popular and effective technique. It's been my experience that in most cases, the target never realizes it has occurred, or only does so long after the call is complete. Many times, the information is gleaned over several days from many sources. Who is at risk? This is a question that the entire station staff must answer collectively. Assess the level of computerization, automation and remote controllability of your station. It may not occur to you that some of your systems can be remotely accessed. A non-exhaustive list of potential vulnerable systems includes personal computers. World Wide Web servers, computer networks, voicemail/auto attendant, phone systems. STLs. EAS, audio processors, answering machines, and remote transmitter controls.

Where to start

The first step is to determine which systems are either on line (connected to a phone line via a modem) or remotely accessible. Many managers may be unaware that certain systems have a phone line connected for remote control by touch tones. For example, some of the newer audio processors for controling signal parameters have remote capability. In addition, many station engineers set up custom remote systems for transmitter control.

Another oversight is the phone system. Essentially a computer-based system, this could be your biggest and most costly target. A common feature of many PBXs is the ability to dial in, then after entering an access code, dial out. The phone companies have more recently shifted the liability of unauthorized calls to the owner of the system itself. If some kid hacks your code and runs up your bill chatting with a hacker in Australia, it is your responsibility. Stories of six digit phone bills are not uncommon.

A thorough computer security discussion is beyond the scope of this article. There are a hundred tricks hackers can use to gain privileged access to your systems. However, if you follow a few simple rules, you will discourage all but the zealots.

I. Your system should have its password protection activated.

2. Your passwords should Consist of an alphanumeric combination and not just a word common to a dictionary. for example 0UR4M32. Make it at least four characters long.

3. Disconnect your modem when it is not in use.

4. Install one of the popular virus protection software packages.

5. Regularly back up your data and keep a copy at another location.

6. Educate all of the employees at your Station on security issues including the use of "social engineering."

7. Change your password every 30 to 90 days and delete any unused accounts on multi-user systems.

8. If you must use numerous dialups and you run a networked system. I recommend hiring a security Consultant to evaluate it and patch up any holes

Regarding remote control of transmitters, STL,. processors, and the like; if you can disable these systems when not in use, I would highly recommend it. Because this is not often practicable, consider certain measures, In my opinion, a four-digit password is not long enough. A hacker can program his computer to hack that in a day. It you have the option for five, six, or seven digits, implement it. Also. when accessing your remote, avoid doing so from a cellular phone. If the thought of someone else controlling your system makes you lose sleep at night, you have a few more options. First, control your transmitter via your STL link. Some systems are available to do this. Second, install a "pager notification system" that will page you every time someone accesses your transmitter control. These systems are available for under $200.

Voicemail

Many large stations have found it necessary to install computerized call processing equipment. Applications range from automatic attendant to voicemail to information services. These systems are usually high profile and as a result will frequently come under attack. As I mentioned earlier, password security is essential. Instruct users not to use simple passwords such as 1111, 1996, or the extension number. Four-digit passwords will suffice for individual boxes. However, many systems have administrator boxes used for setting up and controlling the entire system. These boxes or extensions should carry the longest password possible. As I mentioned earlier, your phone system may have a remote dial-in and dialout capability. If you do not need it, disable it. If your station personnel do use it, regulate it. Keep passcodes long, change them frequently, and if possible, restrict the types and amounts of calls allowed. Securing your computerized telephone systems is a sizable task in itself. Assign either a knowledgeable employee from the station or an outside consultant specifically to keep an eye on the systems. Many of the control programs associated with these applications generate security reports and you should monitor them routinely. I can think of a few dozen additional tips for securing a system, unfortunately, I find myself running out of room to expound.

Regardless, the simple point here is to be aware of the potential problem. The chances of your station phones getting hacked are high. The amount of damage and how much it costs depend in part on how closely you administer your system. I almost forgot to point out one of the hacker's favorite pastimes, "trashing", as it is affectionately referred to, is the practice of acquiring the garbage of a target company and dissecting it for information. Keep in mind that if one gleans enough seemingly harmless information, it becomes valuable once compiled. This is not to mention that your secretary might throw away an old computer manual with a password scribbled on it. Pay attention to what you discard, and if you feel you are subject to an attack, have

your trash shredded. If a hacker really sets his or her sights on you, he or she will most likely get in. Remember, you are not protecting missile silos. In some cases, it is just not cost-effective to double bolt every door. If an invasion happens, alert all of your staff, have a meeting, and call the authorities or a security specialist. The latter will likely be more effective.

Real crime

I'm not aware of any widespread hi-tech crime involving the broadcast industry (aside from the FCC auctions). In 1991, a couple of Los Angeles hackers hijacked radio station call-in lines and won a slew of prizes. The hackers utilized a telephone company computer system that normally is used to test phone lines. Instead of testing the lines, they used the system to seize them, thus preventing the rest of the world from calling in. After $50,000 in prize money and two Porsche giveaways, the hackers were arrested and jailed. Being familiar with the technology the hackers used, I can say the chances of this happening again are slim. The telco system in Los Angeles that was used has since been decommissioned and similar systems throughout the country are difficult to access. However, an unscrupulous telephone company employee could take advantage of his or her position. The only prevention of which I am aware is to have 10 or more contest lines installed at the studio and picking the winning line at random. Having interception equipment attached to more than four lines simultaneously is cumbersome. I should know, I was one of those Los Angeles hackers. Please accept the information I have delivered in this article as an apology to the radio broadcast industry and an attempt to set straight what I have done. I think I'll leave it at that. And no. I wasn't allowed to keep the Porsche.

Hackers will always be out there doing what they do. Most grow up, mend their ways and move on to legitimate computer careers, much like myself. Unfortunately, my generation has been replaced by one with more resources, more home computers, and ultimately, more targets. With a little education and foresight, your station doesn't have to be an easy target.

Justin Petersen is an audio engineer. computer security consultant and ham radio operator by trade. He is currently working on an live Internet feed project and can be e-mailed at asteal@primus.net