[ISSM301.TXT, archived in the HACKING directory of the "Hackers
Underworld 2: Forbidden Knowledge" CD-ROM; file dated 1994-07-17]
                I S S M
     Information Systems Security Monitor
Dedicated to the pursuit of security awareness..............
======================================================================
Volume 3 Number 1 January 1993
======================================================================
In This Issue:
Securing Your Phone Switch
Virus Alert
Social Security Numbers & Privacy
Clyde's Computer Security Hall of Fame
Dear Clyde
COMMCRYPT Lives
Computer Speak
Computer Security Day Slogan Contest Winners
The ISSM is a quarterly publication of the Department of Treasury,
Bureau of the Public Debt, AIS Security Branch, 200 3rd Street,
Parkersburg, WV 26101 (304) 420-6368
Editors: Ed Alesius
Kim Clancy
Joe Kordella
Jim Heikkinen
Mary Clark
Securing Your Phone Switch
By Dave Goldsmith, a student at Rockland Community College working
towards a degree in Computer Science. His hobbies include learning
other technologies, including telephone systems and switches. He
also edits an electronic magazine that focuses on computer
technology issues.
"If it has a dialup, a hacker can abuse it." This, as some
companies have already found out, applies to the System 75
telephone system. Within the last year, hackers have figured out
how to penetrate and manipulate a System 75, which gives them
complete control over your PBX. If they get access to the
controller, they will set up DISA (Direct Inward System Access) and
make outgoing phone calls on YOUR bill. This can result in thousands
of dollars in fraudulent telephone calls that you are going to have
to pay; even if you decide to battle it out in court, it is going to
cost you. In this article, I outline the steps to secure your
System 75.
One question you should ask yourself is "Do I really need DISA
on my system?" I strongly discourage having DISA, as it increases
the chance of becoming a victim of toll fraud. If it is vital for
your employees to use DISA, then use a barrier code of at least
7 digits. Anything shorter is a definite security risk: a 4-digit
code has only 10,000 possible values and can be exhausted by
automated guessing over the dialup, whereas a 7-digit code has
10,000,000.
If a hacker has already penetrated your system, there are some
tell-tale signs. Log on to your system and type 'DISPLAY
REMOTE-ACCESS' followed by a carriage return. If you haven't set
up DISA yourself, there shouldn't be an extension number listed.
If there is one, type 'CHANGE REMOTE-ACCESS' and remove the
extension. That removes the DISA and is the first step in locking
the hacker out of your system. Your next step is to change the
passwords on ALL of the accounts. The default login/password
combinations that hackers try first are:

     login      password
     -----      --------
     cust       custpw
     rcust      rcustpw
     browse     looker
     craft      craftpw

Change ALL of the passwords on the system, not just these four.
Choose passwords that mix letters and digits and are not a default,
a dictionary word, or anything connected with your company, so that
a hacker can neither guess them nor brute-force them in any
reasonable time. If you find that you can't change browse's
password, don't despair. Log in under one of the higher-level
accounts and type 'CHANGE PERMISSIONS BROWSE', then strip browse of
all of its privileges. This keeps a hacker who logs in as browse
from displaying remote-access and finding out where your DISA
extension is, if you have one.

To keep the system secure, DISPLAY REMOTE-ACCESS on a fairly
regular basis, just to make sure that your system remains
untouched.
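To make the checks above concrete, here is an added example (not
part of the original article, and not any switch vendor's software)
that audits a hand-constructed PBX configuration the way the steps
above describe: it flags a DISA extension that is not required, a
barrier code shorter than 7 digits, any account still on one of the
default passwords listed above, weak replacement passwords, and a
browse account that can still display remote-access. The
configuration dicts and their field names are assumptions made for
illustration and do not reproduce the switch's real command output;
the guessing rate used for the barrier-code estimate and the minimum
password length are likewise assumptions.

```python
"""Audit a PBX configuration against the checks in the article above.

Added example, not code from the original article. The configuration
dicts are constructed by hand; their field names are assumptions and
do not correspond to the switch's own command output."""

DEFAULT_CREDENTIALS = {   # login/password pairs listed in the article
    "cust": "custpw",
    "rcust": "rcustpw",
    "browse": "looker",
    "craft": "craftpw",
}
MIN_BARRIER_DIGITS = 7    # the article's minimum barrier code length
MIN_PASSWORD_LENGTH = 6   # assumption; the article only says "alpha numeric"


def guesses_to_exhaust(digits):
    """Barrier codes an attacker must try to cover every all-digit
    code of the given length."""
    return 10 ** digits


def hours_to_exhaust(digits, attempts_per_minute=60):
    """Worst-case time to exhaust the code space at an assumed dial-in
    guessing rate (60 attempts/minute is an assumption, not a figure
    from the article)."""
    return guesses_to_exhaust(digits) / attempts_per_minute / 60


def password_is_weak(login, password):
    """True for a password the article tells you to change: a known
    default, identical to the login, too short, or not a mix of
    letters and digits."""
    if DEFAULT_CREDENTIALS.get(login) == password:
        return True
    if password.lower() == login.lower():
        return True
    if len(password) < MIN_PASSWORD_LENGTH:
        return True
    has_letter = any(c.isalpha() for c in password)
    has_digit = any(c.isdigit() for c in password)
    return not (has_letter and has_digit)


def audit(config):
    """Return a list of findings; an empty list means the configuration
    passes every check in the article."""
    findings = []

    remote = config.get("remote_access") or {}
    if remote.get("extension"):
        if not config.get("disa_required", False):
            findings.append(
                "DISA is configured on extension %s but not required: "
                "remove it with CHANGE REMOTE-ACCESS" % remote["extension"])
        code = str(remote.get("barrier_code", ""))
        if not code.isdigit() or len(code) < MIN_BARRIER_DIGITS:
            findings.append(
                "barrier code has %d digits; %d or more are needed "
                "(%d guesses exhaust a %d-digit code)"
                % (len(code), MIN_BARRIER_DIGITS,
                   guesses_to_exhaust(len(code)), len(code)))

    for login, password in config.get("accounts", {}).items():
        if DEFAULT_CREDENTIALS.get(login) == password:
            findings.append("account %s still has its default password" % login)
        elif password_is_weak(login, password):
            findings.append("account %s has a weak password" % login)

    browse_perms = config.get("permissions", {}).get("browse", [])
    if "display remote-access" in browse_perms:
        findings.append("browse can display remote-access: strip it with "
                        "CHANGE PERMISSIONS BROWSE")
    return findings


# Constructed sample: a switch a hacker has already set up for DISA,
# with every account still on its factory password.
COMPROMISED = {
    "remote_access": {"extension": "5999", "barrier_code": "1234"},
    "disa_required": False,
    "accounts": {"cust": "custpw", "rcust": "rcustpw",
                 "browse": "looker", "craft": "craftpw"},
    "permissions": {"browse": ["display remote-access", "display station"]},
}

# Constructed sample: the same switch after following the article.
HARDENED = {
    "remote_access": None,
    "disa_required": False,
    "accounts": {"cust": "k7Qz41pm", "rcust": "e9Lw28tr",
                 "browse": "v3Ns65yq", "craft": "h2Bj90cx"},
    "permissions": {"browse": ["display station"]},
}

if __name__ == "__main__":
    for name, cfg in (("compromised", COMPROMISED), ("hardened", HARDENED)):
        print(name + ":")
        for finding in audit(cfg) or ["no findings"]:
            print("  - " + finding)
    print("hours to exhaust a 4-digit code: %.1f" % hours_to_exhaust(4))
    print("hours to exhaust a 7-digit code: %.1f" % hours_to_exhaust(7))
```

Running the script lists seven findings for the compromised switch and
none for the hardened one; the two timing lines show why the article
insists on 7 digits, since each extra digit multiplies the guessing
work by ten.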
Editors Note: Issue 41 of Phrack magazine was recently released and
contains another article on hacking this phone switch. Phrack 41
is available on the AIS BBS. Information on the BBS can be found
on Page 4.
************* End of Article ****************
Virus Alert
Free diskettes distributed by the Cobb Group at the Federal
Computer Conference December 8, 9, or 10, may contain a virus which
is very difficult to detect. One diskette has a blue label with
the words "DOS/Software Connection" in large print. The other has
a red label with the words "Windows/ Software Connection" in large
print. If you or anyone you know has received such a diskette,
please do not use it in any computer. The virus detection software
installed on your computer will not detect the virus. Bring the
diskette to your Information Systems Security Manager (ISSM) or
call the AIS Security Branch at (304) 420-6355.
************* End of Article ****************
Social Security Numbers & Privacy
by Chris Hibbert
Computer Professionals for Social Responsibility
Reprinted with permission from 2600 Magazine
(Kim Clancy was recently training Public Debt employees in
Washington D.C. on computer security. Her approach to computer
security training is to first convince class participants that the
information they are being asked to protect is worth protecting.
She mentioned the following article on the protection of social
security numbers and stated that, as employees of Public Debt, it
is important that we understand the value of a social security
number, both for our clients' protection and, on a personal basis,
for our own. Many members of the class requested a copy of the
article, initially published in 2600 magazine (it was also
published in Phrack issue 35). We have received permission from
2600 to reprint it.)
Many people are concerned about the number of organizations
asking for their Social Security Numbers. They worry about
invasions of privacy and the oppressive feeling of being treated as
just a number.
Unfortunately, I can't offer any hope about the dehumanizing
effects of identifying you with your numbers. I *can* try to help
you keep your Social Security Number from being used as a tool in
the invasion of your privacy.
Surprisingly, government agencies are reasonably easy to deal
with; private organizations are much more troublesome. Federal law
restricts the agencies at all levels of government that can demand
your number and a fairly complete disclosure is required even if
its use is voluntary. There are no comparable laws restricting the
uses non-government organizations can make of it, or compelling
them to tell you anything about their plans. With private
institutions, your main recourse is refusing to do business with
anyone whose terms you don't like.
Short History
Social Security numbers were introduced by the Social Security
Act of 1935. They were originally intended to be used only by the
social security program, and public assurances were given at the
time that use would be strictly limited. In 1943 Roosevelt signed
Executive Order 9397 which required federal agencies to use the
number when creating new record-keeping systems. In 1961 the IRS
began to use it as a taxpayer ID number. The Privacy Act of 1974
required authorization for government agencies to use SSNs in their
data bases and required disclosures (detailed below) when government
agencies request the number. Agencies which were already using SSN
as an identifier were allowed to continue using it. The Tax Reform
Act of 1976 gave authority to state or local tax, welfare, driver's
license, or motor vehicle registration authorities to use the number
in order to establish identities. The Privacy Protection Study
Commission of 1977 recommended that the Executive Order be repealed
after some agencies referred to it as their authorization to use SSNs.
I don't know whether i