💾 Archived View for clemat.is › saccophore › library › ezines › textfiles › ezines › K1INE › k-1ine_… captured on 2021-12-04 at 18:04:22.




OoO=o=oOO=o=O=OoO=o=oOO=o=O=OoO=o=oOO=o=O=>
    OoO=o=oOO=o=O=OoO=o=oOO=o=O=OoO=o=oOO=o=O=>
			     OoO=o=oOO=o=O=>
:    -`-	     -`-      OoO=o=oOO=o=O=>
;  _|_--oOO--(_)--OOo--_|_      OoO=o=oOO=o=O=OoO=o=oOO=o=O=>
   |   ¡ K-1ine Zine !   |      OoO=o=oOO=o=O=>
    ! issue 9, volume 4 ¡      OoO=o=oOO=o=O=OoO=o=oOO=o=O=>
       ---------O^O----        OoO=o=oOO=o=O=OoO=o=oOO=o=O=>
;.              |__|__|       OoO=o=oOO=o=O=OoO=o=oOO=o=O=OoO=o=oOO=o=O=>
                  || ||       OoO=o=oOO=o=O=OoO=o=oOO=o=O=OoO=o=oOO=o=O=>
            ooO Ooo          OoO=o=oOO=o=O= OoO=o=oOO=o=O=OoO=o=oOO=o=O=>
                          OoO=o=oOO=o=O=OoO=o=oOO=o=O= OoO=o=oOO=o=O=OoO=o=>

	- November 2000 -


   "Controlled Developments" 
_____________________________________________________________________________
[Words from the Editor]							     |
|									     |

 ____________________________________________________________________________
[Docs]									     |
|									     |

______________________________________________________________________________
[Conclusion]								      |
|									      |

_______________________________________________________________________________


-- Introduction


You are now reading K-1ine issue 9 (volume 4) because you are either a regular
reader or a curious newcomer... whatever your reason is is irrelevant. 

This month's issue is of course packed with only the newest hacking and 
phreaking information available from Hack Canada and Nettwerked, making
for an interesting and mind advancing read for all who wish to lay their
eyes on my zine.

Did you write something that you feel would be perfectly situated on K-1ine?
If so, send in your text (.txt) article via e-mail and I'll be sure to review 
it and let you know if it's been accepted.

Enjoy the issue!

-

-- Contact Information


Contact Information;

Comments/Questions/Submissions: theclone@haxordogs.net
On IRC: haxordogs.net, #cpu (key required) and #haxordogs
Shoot me an ICQ message: (UIN) 79198218
Check out my site: (Nettwerked) http://www.nettwerked.net


-


Common security problems with the Ultimate Bulletin Board

Term - termREMOVETHIS@boxnet.dhs.org
Boxnet Research Labs
http://boxnet.dhs.org

The methods and problems described in this paper were found and applied to the
Ultimate Bulletin Board, but could be applied to other bulletin boards with
similar problems.

Issue 1:
	The Ultimate Bulletin Board creates its data files and member files
world writable, and also ensures that they stay world writable by resetting the
permissions to world writable each time the files are edited.
	On multi-user servers this is of course a bad idea, and it allows multiple
entry points for an attack: either directly editing the settings files, or
viewing the member files, retrieving the password of a user with administrative
access and editing the settings through the actual web interface used to properly
administer the UBB.
	Even if ftp access is chroot'd, an attacker who had webspace that allowed
cgi programs to be run could still craft a cgi script in their own directory to
obtain a password from the members directory.

Fix:
	If you do not have root on the machine that your UBB is hosted on, you
could ask the administrators of the hosting machine to do the things that
require root access.
	Make sure that the files that are set world writable are owned by the
group that the webserver runs under. Some of these files are:
	(In the UBB cgi directory)
		Styles.file
		UltBB.setup
		forums.cgi
		mods.file
	Every cgi file in the Members directory (in the UBB cgi directory)

Next, you need to edit the executable cgi files in the UBB cgi directory so
that they do not set data files 777 or 666, but instead set them 770 or 660.
This can be done by simply using grep to find the files that set the data files
777 and 666, and then editing them using a text editor that has a find and
replace function.
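As an added example (not from the original article and not UBB's own code), the script below does in Python what the fix describes: it walks a UBB-style cgi directory, reports every world-writable file and whether it belongs to the web server's group, tightens 0777/0666 to 0770/0660, and performs the grep-and-replace of the chmod calls in the Perl scripts. The file names are those listed above; the directory tree is constructed in a temporary directory so the script runs offline, and the web server group defaults to our own gid as a stand-in.

```python
import os
import re
import stat
import tempfile

# Perl chmod calls that make a file world-writable, e.g. `chmod 0777, $f;` or `chmod(0666, $f)`.
CHMOD_RE = re.compile(r"(\bchmod\s*\(?\s*)0?(777|666)\b")

# Data files the article lists as world-writable in the UBB cgi directory.
UBB_DATA_FILES = ["Styles.file", "UltBB.setup", "forums.cgi", "mods.file"]


def is_world_writable(path):
    """True for a regular file whose 'other' write bit (o+w) is set (symlinks skipped)."""
    st = os.lstat(path)
    return stat.S_ISREG(st.st_mode) and bool(st.st_mode & stat.S_IWOTH)


def audit_tree(root, web_gid=None):
    """List every world-writable file under root, sorted by path.

    group_ok tells whether the file belongs to the web server's group
    (web_gid; defaults to our own effective gid as a stand-in).
    """
    if web_gid is None:
        web_gid = os.getegid()
    findings = []
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            if not is_world_writable(path):
                continue
            st = os.stat(path)
            findings.append({
                "path": os.path.relpath(path, root),
                "mode": stat.S_IMODE(st.st_mode),
                "group_ok": st.st_gid == web_gid,
            })
    return sorted(findings, key=lambda f: f["path"])


def tighten_mode(path):
    """Drop the 'other' bits (0777 -> 0770, 0666 -> 0660); owner and group
    bits, which the web server needs, are kept. Returns the new mode."""
    new_mode = stat.S_IMODE(os.stat(path).st_mode) & ~stat.S_IRWXO
    os.chmod(path, new_mode)
    return new_mode


def fix_tree(root):
    """Tighten every world-writable file under root; returns {path: new_mode}."""
    return {f["path"]: tighten_mode(os.path.join(root, f["path"]))
            for f in audit_tree(root)}


def rewrite_chmod_calls(perl_source):
    """Grep-and-replace step: chmod 0777/0666 becomes 0770/0660. A leading 0 is
    always emitted, since a bare 777 in Perl is decimal. Returns (src, count)."""
    def repl(match):
        return match.group(1) + ("0770" if match.group(2) == "777" else "0660")
    return CHMOD_RE.subn(repl, perl_source)


def _write(path, text, mode):
    with open(path, "w") as fh:
        fh.write(text)
    os.chmod(path, mode)


def build_sample_tree():
    """Construct a small UBB-like cgi directory in a temp dir (sample data only)."""
    root = tempfile.mkdtemp(prefix="ubb-cgi-")
    os.mkdir(os.path.join(root, "Members"))
    for name in UBB_DATA_FILES:
        _write(os.path.join(root, name), "# constructed data file\n", 0o666)
    _write(os.path.join(root, "Members", "00000001.cgi"),
           "admin|<constructed password field>\n", 0o666)
    # Constructed fragment of a Perl script carrying the offending chmod calls.
    _write(os.path.join(root, "ubb_lib.cgi"),
           'chmod 0777, "$dir/mods.file";\nchmod(0666, "$members/$id.cgi");\n',
           0o777)
    return root


if __name__ == "__main__":
    root = build_sample_tree()
    for f in audit_tree(root):
        flag = "" if f["group_ok"] else "  <- not owned by the web server group"
        print("%-22s %o%s" % (f["path"], f["mode"], flag))
    print("tightened:", {p: "%o" % m for p, m in fix_tree(root).items()})
    with open(os.path.join(root, "ubb_lib.cgi")) as fh:
        fixed, n = rewrite_chmod_calls(fh.read())
    print("rewrote %d chmod call(s):\n%s" % (n, fixed), end="")
```

Pass the real group (for example `grp.getgrnam("www-data").gr_gid`) to `audit_tree` on a live server, and check the rewritten scripts into place only after reviewing the diff.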

Issue 2:
	When a wrong password is entered at the Ultimate Bulletin Board's control
panel (usually cp.html in the non-cgi directory), the failed attempt is not
logged. A simple brute force utility written for cracking other sites (such as
hotmail) could easily be modified to brute force the password to an
administrative account.
	
Fix:
	These are just my suggestions; I'm sure a lot of other solutions could be
implemented. Log all login attempts (successful or not) to the control panel, and
prevent more than 3 bad logins at a time, i.e. 3 bad login attempts would prevent
another login attempt from the same IP for 5 minutes. (Blocking only the specific
IP for 5 minutes means that someone purposely sending bad login attempts to the
control panel cannot keep actual administrators from logging in.)

	Note: these would require modification to the UBB's code.
A simple fix, without modifying the code, would be to have a nice long password
using letters and numbers.
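The suggested lockout-and-logging logic, written out in Python as an added example (not from the article and not UBB code): three failures from one address within the window lock that address out for five minutes, every attempt is logged, and other addresses are unaffected. The `check_password` callback stands in for UBB's own password check, the clock is injectable so the five minutes need not be waited out, and the IP addresses in `demo()` are constructed.

```python
import time
from collections import defaultdict, deque

MAX_FAILURES = 3        # bad attempts before an address is locked out
LOCKOUT_SECONDS = 300   # 5 minutes, as suggested above
WINDOW_SECONDS = 300    # failures older than this no longer count towards the 3


class LoginGuard:
    """Per-IP lockout plus an audit log of every control-panel login attempt.

    check_password is the caller's own verifier (in UBB that would be the
    existing routine that compares against the admin record); clock is
    injectable so the five-minute lockout can be exercised without waiting.
    The log is kept in memory here; a real deployment appends it to a file
    outside the web root that is not world-writable (see Issue 1).
    """

    def __init__(self, check_password, clock=time.time):
        self._check = check_password
        self._now = clock
        self._failures = defaultdict(deque)  # ip -> timestamps of recent failures
        self._locked_until = {}              # ip -> time the lockout expires
        self.log = []                        # (time, ip, user, result) per attempt

    def _record(self, ip, user, result):
        self.log.append((self._now(), ip, user, result))
        return result

    def is_locked(self, ip):
        return self._locked_until.get(ip, 0) > self._now()

    def attempt(self, ip, user, password):
        """Return 'ok', 'bad_password' or 'locked_out'; every call is logged."""
        now = self._now()
        if self.is_locked(ip):
            # Nothing is verified while locked, so the response reveals
            # nothing about whether the password was right.
            return self._record(ip, user, "locked_out")
        if self._check(user, password):
            self._failures.pop(ip, None)
            return self._record(ip, user, "ok")
        recent = self._failures[ip]
        recent.append(now)
        while recent and now - recent[0] > WINDOW_SECONDS:
            recent.popleft()
        if len(recent) >= MAX_FAILURES:
            self._locked_until[ip] = now + LOCKOUT_SECONDS
            recent.clear()
        return self._record(ip, user, "bad_password")


def demo():
    """Replay the three-strikes scenario against a fake clock (sample IPs are constructed)."""
    clock = [1_000.0]
    guard = LoginGuard(lambda user, pw: (user, pw) == ("admin", "correct-pass"),
                       clock=lambda: clock[0])
    results = [guard.attempt("10.0.0.5", "admin", "guess%d" % i) for i in range(3)]
    # Fourth try from the same address: right password, still refused.
    results.append(guard.attempt("10.0.0.5", "admin", "correct-pass"))
    # Another address is unaffected, so bad attempts cannot lock the real admin out.
    results.append(guard.attempt("10.0.0.6", "admin", "correct-pass"))
    clock[0] += LOCKOUT_SECONDS + 1
    results.append(guard.attempt("10.0.0.5", "admin", "correct-pass"))
    return results, guard.log


if __name__ == "__main__":
    results, log = demo()
    for (ts, ip, user, result) in log:
        print("%8.0f %-10s %-6s %s" % (ts, ip, user, result))
```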

-
<theclone> I lub j00
<littleyellowdot> I lub joo too 
-


[What is RIM?]

RIM is Research In Motion, based out of Waterloo, Ontario, just meters from the University of Waterloo.
They have become the world leader in wireless handheld devices. Their products have all the wonders of
a Palm, but along with that there is instant email. As their slogan goes: Always on, Always Connected.
Basically it's an interactive pager; the following is a look behind the scenes at how it works.

The BlackBerry Handheld unit includes:
- Powerful e-mail, calendar, address book and task list applications
- 32-bit Intel 386 processor with 2 MB flash memory plus 304 KB RAM
- Integrated RIM wireless modem
- Optimized keyboard and display
- Thumb-operated trackwheel (operates similar to a PC mouse)
- Docking cradle (included)
- Selectable alerts: vibrate, tone, silent
- Search functionality
- Auto text
- Clock, alarm, auto on/off, radio on/off
- Intuitive menu-driven interface
- Password protection

[Mobitex Technology]

The Mobitex network technology was developed in the early 1980's by the Swedish telecommunication R&D company, Eritel, as Sweden's National Voice and Data wireless network. Designed to provide a secure, reliable, and cost effective way to use the limited resource of radio frequencies for data communication, it was fully operational in Sweden by 1987. In recent years, Ericsson has continued to advance the Mobitex standard and has introduced a continuously improving network infrastructure. Today, Mobitex is available through network operators in countries around the world.

Mobitex is a secure, reliable, two-way digital wireless packet switching network ideal for a variety of data communication applications. This network has the capacity to handle large amounts of data traffic. The radio spectrum is a scarce resource. Therefore it is essential that the system makes optimal use of the allocated frequency. Mobitex uses packet switching to deliver an 8 kbit/s bit rate over a single 12.5 kHz channel, meaning that an end-user can send an email and get a reply in just a few seconds. In the system, switching intelligence is present at all levels of the network, creating minimum overhead. Even base stations are capable of routing traffic within their coverage area, thus eliminating unnecessary traffic at higher network levels. There is an open attitude, allowing equipment manufacturers to develop inter-operable products which adhere to standard protocols. The network provides automatic error detection and correction to ensure data integrity.

It is a complete mobile data network based on digital cellular technology. Like a mobile telephone system, coverage in Mobitex is provided by overlapping radio cells. Unlike other cellular systems, however, Mobitex is a dedicated data network that uses packet switching for maximum efficiency. This means that the network is always and instantly accessible and that the customer is billed for the number of packets transmitted, not connection time. Mobitex is an international standard for two-way wireless packet switched data communication, currently operational in countries around the world.

[Mobitex Access Number]

To connect to a Mobitex network, all radio modems and fixed terminals (FSTs), such as hosts and gateways, must have an active Mobitex Access Number (MAN). A MAN is assigned to every user subscribing to the Mobitex network; it is analogous to a phone number on a telephone network. The MAN for a mobile user is stored in the mobile's radio modem, just as a telephone number is stored inside a cellular phone. Every network has a different range of MANs. For example, in the US, MAN numbers are in the 15,000,000 to 16,999,999 range; in Canada, the MANs are in 
the 5,000,000 to 5,999,999 range.

[Mobitex Protocols]

MCP/1
MCP/1 (for Mobitex Compression Protocol 1) is a set of optional compression protocols used by the radio modem to enhance throughput and 
reduce network costs. 

MTP/1
MTP/1 (for Mobitex Transport Protocol 1) is a tested and standardized transport protocol that ensures packets are transmitted over Mobitex in order, and without loss. It is authorized by the Mobitex Operator's Association, and is publicly available for implementation. 

MPAK
Data to be transmitted over Mobitex is broken up into MPAKs (for Mobitex Packet). Packets of data are assembled and transmitted with leading information as to the sender, addressee, and the type of data. The header contains this initial data. The body contains the application data to be sent or received. The maximum size of any packet is 512 bytes. To improve speed and reduce the cost of communication, the radio modem may compress the packet data before transmission. Applications can also provide a means of reducing packet charges by attempting to maximize the amount of data placed in each packet.  

[Circuit-Switched]
 
Analogous to land-based telephone systems or dial-up Internet connections, circuit-switched communications require the establishment of a dedicated connection to be made between two parties prior to any data transfer. Once this connection has been made, the circuit (or frequency in the case of wireless communication) is tied up for the duration of the session. Circuit-switched communication is ideal for large data transfer, since users typically pay for the connection time.  

[Packet-Switched]

Analogous to land-based Ethernet connections, a packet-switched wireless network involves the sharing of a single frequency between many users. Only one user may transmit or receive at any one given instant. Since only small packets of data are typically being transmitted, however, this scheme is ideal for many applications; it is what the BlackBerry uses. Unlike circuit-switched systems, the packet-switched technique also allows all devices on the network to remain continuously connected, making instantaneous access and two-way paging possible.

[BRU3 Networks]

Many companies are taking the BlackBerry into the workplace. Areas like warehouses and shipyards cover an incredible amount of ground, and the BlackBerry provides them with the service they need; the BRU3 is how it's done. The Base Radio Unit, BRU3, is a new single channel mini base station for Mobitex networks. BRU3 brings base radio stations to a new technical turning point, due to size, environmental functionality and simplicity of service.

Prime characteristics of the BRU3:

 
o	Supported outdoor and indoor installation 
o	Small size and low weight 
o	Designed for high performance even under severe weather conditions 
o	Simple installation 
o	Integrated site-specific functions such as line modem and battery backup 
o	Mountable directly on antenna mast for minimal feeder loss 
o	High receiver sensitivity allows balanced link-budget for low power mobiles 
o	Built-in functions for automatic supervision of the base radio station


When planning system coverage of portable radio modems (low power) in a Mobitex system, the BRU3 is the natural choice. The operator will achieve cost-effective indoor coverage within dedicated areas as well as low-cost coverage for initial service. The BRU3 is also very well suited to achieve temporary coverage demands for new traffic situations such as at trade shows, sport events etc.

Functionality

As a Mobitex base station, the BRU3 is able to handle a large number of terminals and provides a wide range of functionality. The BRU3 is equipped with one full duplex radio channel.

Service, Maintenance and Installation

The BRU3 has been designed to minimize on-site maintenance. The base radio unit will support at least one year of operation without on-site visits for maintenance purposes. BRU3 can be installed close to the radio antenna in a tower, on a pole or attached directly to a wall. New software may be loaded either via the network without service interruption or on-site from a portable PC.

Environmental requirements

For normal use, the BRU3 operates in a temperature range of -33°C up to +55°C and a relative air humidity within the range of 10% to 100%. The BRU3 Base Radio Unit is designed to operate in extreme indoor and outdoor conditions.

Capacity that not even flat-rate pricing will overload

Mobitex is designed for demanding users who use the network services extensively. A capacity of more than 1,500 users per base station ensures that there will be no bottlenecks despite high utilization. In a Mobitex network, end-users can send an email in just a few seconds, transmit vehicle positions in less than two seconds, verify a credit card transaction in less than five

[Security]

Triple DES is simply another mode of DES operation. It takes three 64-bit keys, for an overall key length of 192 bits. In Stealth, you simply type in the entire 192-bit (24 character) key rather than entering each of the three keys individually. The Triple DES DLL then breaks the user provided key into three subkeys, padding the keys if necessary so they are each 64 bits long. The procedure for encryption 
is exactly the same as regular DES, but it is repeated three times. Hence the name Triple DES. The data is encrypted with the first key, decrypted with the second key, and finally encrypted again with the third key.

   Plain Text
        |
        |
 DES Encryption <----- Key One
        |
 DES Decryption <----- Key Two
        |
 DES Encryption <----- Key Three
        |
        |
    Ciphertext

Consequently, Triple DES runs three times slower than standard DES, but is much more secure if used properly. The procedure for decrypting something is the same as the procedure for encryption, except it is executed in reverse.

Well, that's it for now - future updates of this file will come as more information is learned. 

- Magma@SunOS.com

11/08/00

Email - Magma@SunOS.com
ICQ - 5652209
URL - www.haxordogs.net/ghu    


-
<Jawa> FUCK YOU CLONER BONER!
<Jawa> I CAN TAKE YOU!
<Jawa> NOT SO TOUGH! NOT SO TOUGH!
<Jawa> FUCKIN' 0WN YER ASS!
-


                  Saturday, October 22nd - Security Team #4
                ---------------------------------------------


	On Friday night Magma paged me, so I gave him a call.  Through our
conversation Magma brought up that our local hospital was doing some
re-construction for a future cancer center.  He then asked if I wanted to go
out and check it out.  Naturally, I said "yes" and in a few hours we parked a
bit off the hospital, and made our way to the entrance of the construction site.
The cancer center is located right beside the main hospital, and will be a
separate building.  The previous building is being torn down at the moment,
and is the building we want to check out.  As we got closer, we saw two nurses
on their break.  There was a bench that we must have sat on for 15 minutes
and we could still hear the nurses still talking (slackers ;).  So, we decided
to go back home and come back the next day.
	It's Saturday night now, and we're back to where we started, the
entrance.  Magma and I had decided that it's best for one of us to explore, 
and the other keep watch on surroundings.  We each have 2-way radios with 
good range (3 miles) so we managed to keep contact with those.  I opted to be 
the explorer tonight, and walked on crushed cement blocks towards the building.  
I entered the building, and hit the stairs.  After a few flights I was stopped 
with cement blocks that I was not ready to climb over top of, so I stayed on 
that floor, and entered the hallway.  Each room on that floor was the same:  
Empty room with a pipe sticking out from the ceiling.  When I reached the 
other end of the hall, I was completely blocked off by cement blocks.  I 
radio'ed back to Magma, and told him I was coming back to see him because I 
forgot a flashlight.  Sadly, when I said this Magma said he had to shut off, 
cause he spotted 2 security guards.  They drove a white Cavalier that had "#4" 
painted on the door with brakes that made a chirping sound.
	The fencing that blocks off the construction has wired windows, that 
I was able to peek through to see what's going on.  Magma has disappeared and 
the white security car is parked in front of the construction site.  For some 
reason I decided to just leave the construction site.   I climbed over the 
fence and walked towards Magma's car.  The security guys watched this, and I
thought "I don't care, as long as I can leave now".  Of course, when I got to 
the car, there was no sign of Magma.  I then returned to the construction site 
where a bench was located and sat there waiting for Magma.  About 10 minutes 
later Magma comes back, and he told me that the security car is circling the 
hospital.  Magma said we should probably leave, but I didn't want to leave yet.  
We talked for a bit, and concluded to go to the backside of the construction 
site away from security.
	The other side of the hospital was pretty cool.  A very poorly
constructed chain-link fence with an opening of about a foot and a half from 
the ground was enough space for me to slide underneath.  Magma walked up the 
street, and with the 2-way radio, told me when no cars were in sight.  I got 
through the fence fine, and made my way back to the ruined building.  I took 
a few cool pictures, and radio'ed Magma to see what was up.  No response.  
Click, click, click, and then radio went dead! (Dead batteries.)  At this 
point I was fed up, and decided to just go and wait for Magma at the car.  
I looked out the broken window of the ruined building and the security car 
was parked right in front of the fence where I entered.  Immediately, I 
thought, I'll leave on the other side.  I started walking to the other side
and got close to an exit.  I again took a look through the little windows on 
the fence, and saw a police car?   Surely, they're not here for us I thought.  
However, I panicked anyway, and looked for another way out of this place.
Nothing.  The fencing was just too high for me to climb over.   So, I took 
a bunch of skids (pieces of wood) and used them as a stepping stool to get
over the fence.  Bad mistake.  As I got one leg over the fence I looked out 
to see the security car coming right by me.  I leaped off the fence, and sat 
there, hoping to hear the car drive by.  The chirping sound of the car got 
closer until a point where it was constant.  I heard the door of the car 
being opened, and then I just ran.  I made it to the other side of the
construction site, scrambled under the fencing, and ran 2 blocks not looking 
back for a single second.  In fact, I had tripped in the construction site on 
cement blocks (they were everywhere) so I knew the security guards heard me, 
and thought I was running for it. I ran 2 blocks, and made a left.  I still 
lost contact with Magma, and so I made my way back to the hospital, and to 
Magma's car.  As I walked back I hit a stop light.  From out of nowhere, 
Magma's car stops at the light, and I just walked up to it, got in, and we 
took off.  As we drove off, Magma told me that a police car was in fact 
circling the hospital, following him.  We laughed having thought we somehow 
managed to get out of this place without even talking to the security
guards and/or police.  Whew!
	

-
<Flopik> if i was homosexual clone i think i will be in love with you
-


SECURITY FOR PRIVATE BRANCH EXCHANGE SYSTEMS
By Richard Kuhn
Computer Security Division
Information Technology Laboratory
National Institute of Standards and Technology


Hacker attacks on computer networks are well known, but Private Branch
Exchange (PBX) systems are also vulnerable. In one case, a hacker
penetrated the Private Branch Exchange (PBX) system operated by a hospital
in Escondido, California. For nearly two years, on various occasions, he
blocked calls to and from the hospital, connected hospital operators to
spurious numbers (including the county jail), and placed bogus emergency
calls that appeared to be coming from inside the hospital.

Unfortunately, the hospital's experience is not unique. Failure to secure a PBX
system can result in exposing an organization to toll fraud, theft of proprietary, 
personal, and confidential information, loss of revenue, or legal entanglements. 
Depending on how the organization's network is configured and administered, 
information leading to intrusions of data networks may be compromised as well.

A PBX is a sophisticated computer-based switch that can be thought of as
essentially a small, in-house phone company for the organization that operates it.
Protection of the PBX is thus a high priority. This bulletin introduces some of
the vulnerabilities of PBX switches and describes some countermeasures that can
be used to increase the security of your PBX.  For a more detailed
treatment of these issues, see NIST Special Publication (SP) 800-24, PBX
Vulnerability Analysis (see http://csrc.nist.gov).

INTRODUCTION
Digital PBXs are widespread throughout government and industry, having replaced 
their analog predecessors. Today, even the most basic PBX systems have a wide 
range of capabilities that were previously available only in large-scale 
switches. These new features have opened up many new opportunities for an 
adversary to attempt to exploit the PBX, particularly by using the features for 
a purpose that was never intended. The threats to PBX telephone systems are 
many, depending on the goals of attackers. Threats include:

- Theft of service - i.e., toll fraud, probably the most common of motives for 
attackers.

- Disclosure of information - data disclosed without authorization, either by 
deliberate action or by accident. Examples include both eavesdropping on 
conversations and unauthorized access to routing and address data.

- Data modification - data altered in some meaningful way by reordering, 
deleting, or modifying it. For example, an intruder may change billing 
information or modify system tables to gain additional services.

- Unauthorized access - actions that permit an unauthorized user to gain access 
to system resources or privileges.

- Denial of service - actions that prevent the system from functioning in 
accordance with its intended purpose. A piece of equipment or entity may be 
rendered inoperable or forced to operate in a degraded state; time-dependent 
operations may be delayed.

- Traffic analysis - a form of passive attack in which an intruder observes 
information about calls (although not necessarily the contents of the messages) 
and makes inferences, e.g., from the source and destination numbers or frequency 
and length of the messages. For example, an intruder observes a high volume of 
calls between a company's legal department and the Patent Office and concludes 
that a patent is being filed.

PBX CHARACTERISTICS
PBXs are sophisticated computer systems, and many of the threats and 
vulnerabilities associated with operating systems are shared by PBXs. There are 
two important ways, however, in which PBX security is different from 
conventional operating system security:

- External access/control. Like larger telephone switches, PBXs typically 
require remote maintenance by the vendor. Instead of relying on local 
administrators to make operating system updates and patches, organizations 
normally have updates installed remotely by the switch manufacturer. This of 
course requires remote maintenance ports and access to the switch by a 
potentially large pool of outside parties.

- Feature richness. The wide variety of features available on PBXs, particularly 
administrative features and conference functions, provides the possibility of 
unexpected attacks. An attacker may use a feature in a manner that was not 
intended by its designers. Features may also interact in unpredictable ways, 
even when implemented correctly, leading to system compromise even if each 
component of the system conforms to its security requirements and the system is 
operated and administrated correctly.

MAINTENANCE
Maintenance procedures are among the most commonly exploited functions in 
networked systems. The problem is even more acute with PBXs because PBX 
maintenance frequently requires the involvement of outside personnel. Ways in 
which an adversary could exploit vulnerabilities in maintenance features to gain 
unwanted access to the switch follow.

Special Manufacturer's Features
There may be features that the manufacturer will rely on in the event a 
customer's PBX becomes disabled to such a point that on-site maintenance 
personnel cannot resolve the problems. The manufacturer could instruct the 
maintenance personnel to configure and connect a modem to the maintenance port. 
The manufacturer may then be able to dial in and use certain special features to 
resolve the problems without sending a representative to the customer's 
location. The potential cost savings is a primary reason for adding such special 
features. A switch manufacturer would not want the special features to be well 
known because of their potential for misuse. These types of features may be 
accessible via login IDs and passwords held privately by the manufacturer. Some 
possible special features are listed below:
   - Database upload/download utility: Such a utility allows the manufacturer to 
download the database from a system that is malfunctioning and examine it at 
their location to try to determine the cause of the malfunction. It would also 
allow the manufacturer to upload a new database to a PBX in the event that the 
database became so corrupted that the system became inoperable. Compromise of 
such a utility could allow an adversary to download a system's database, insert 
a Trojan horse, or otherwise modify it to allow special features to be made 
available to the adversary, and upload the modified database back into the 
system.
   - Database examine/modify utility: Such a utility allows the manufacturer to 
remotely examine and modify a system's database to repair damage caused by 
incorrect configuration, design bugs, or tampering. This utility could also 
provide an adversary with the ability to modify the database to gain access to 
special features.
   - Software debugger/update utility: This type of utility gives the 
manufacturer the ability to remotely debug a malfunctioning system. It also 
allows the manufacturer to remotely update systems with bug fixes and software 
upgrades. Such a utility could grant an adversary the same abilities. This is 
perhaps the most dangerous vulnerability because access to the software would 
give an adversary virtually unlimited access to the PBX and its associated 
instruments.

Dial-Back Modem Vulnerabilities
Unattended remote access to a switch clearly represents a vulnerability. Many 
organizations have employed dial-back modems to control access to remote 
maintenance facilities. This access control method works by identifying the 
incoming call, disconnecting the circuit, and dialing the identified person or 
computer at a predetermined telephone number. Although helpful, this form of 
access control is weak because methods of defeating many dial-back modems are 
well known.

Countermeasures
   - Ensure that remote maintenance access is normally blocked unless unattended 
access is required.  Whenever possible, require some involvement of local 
personnel in opening remote maintenance ports.
   - Install two-factor (i.e., two different mechanisms) strong authentication 
on remote maintenance ports. Smart card-based systems or one-time password 
tokens, in addition to conventional login/password functions, make it much more 
difficult for attackers to breach your system's security.
   - Keep maintenance terminals in a locked, restricted area.
   - Turn off maintenance features when not needed, if possible.

ADMINISTRATIVE DATABASES
Administrative databases represent "the keys to the kingdom" for a PBX. Among 
the most critical security tasks for PBX owners are administration of the PBX, 
the creation and modification of its user databases, and the operating software 
controlling the switch.

Passwords
Most PBXs grant administrative access to the system database through an 
Attendant Console or a generic dumb terminal. Username/password combinations are 
often used to protect the system from unwanted changes to the database. If 
remote access to the maintenance features is available, some form of password 
protection usually restricts it. There may be a single fixed maintenance 
account, multiple fixed maintenance accounts, or general user-defined 
maintenance accounts. The documentation provided with the PBX should state what 
type of maintenance access is available.

Passwords may also be set to factory default values that can be changed by the 
user. Default values are typically published in the documentation provided with 
the PBX. If there are multiple maintenance accounts and maintenance personnel 
use only one, the others may remain at their published factory settings. Anyone 
who knew the factory default settings could then gain access to the switch.

Physical Security
Physical access to the PBX hardware grants access to the software, the 
configuration database, and all calls going in and out of the PBX. With access 
to the PBX, an adversary could exploit practically any conceivable 
vulnerability.

The type of media on which the software and databases are stored is important to 
a PBX's physical security. If these are stored on ROM-type devices or on an 
internal hard disk, it is more difficult to gain access to them than if they are 
stored on floppy disks or CD-ROM. ROM devices are mounted on circuit boards and 
may be soldered rather than socketed, making removal and replacement difficult. 
Likewise, an internal hard disk is probably mounted internally and bolted to the 
chassis, making removal and replacement difficult. However, floppy disks are 
easily removable and replaceable. An adversary with access to the floppy disks 
could easily conceal a disk containing modified software/databases, gain access 
to the PBX, and replace the original disk with the modified disk.  Similarly, 
CD-ROMs can be easily removed and replaced. Since equipment for creating CD-ROMs 
is readily available, an adversary may find it equally easy to copy and modify a 
CD-ROM-based system.

If the PBX supports configuration and maintenance via a dumb terminal, the 
terminal may be located near the PBX. If the terminal is not at the same 
location as the PBX, the terminal port is still available and could be used by 
an adversary with a PC acting as a terminal.

Some PBXs may be configured as a central system unit with peripheral units at 
remote locations.  The remote peripheral units may also support 
configuration/maintenance via a dumb terminal and therefore have the same 
vulnerabilities as the system unit's terminal. Also, all calls routed through a 
particular peripheral unit are accessible to someone with physical access to the 
peripheral unit.

Attendant Consoles may offer access to PBX maintenance and configuration 
software. Special features may also be available to Attendant Consoles such as 
Override, Forwarding, and Conferencing. If any of these features are available 
to the user of an Attendant Console, physical access to it should be restricted 
to prevent giving an adversary access to these features.

Most PBXs have an attached system printer. Various information may be output to 
the printer including source and destination of calls that are made or received 
(possibly every call), access codes used to access certain features, account or 
authorization codes used for making special calls, etc. Access to these 
printouts could provide information enabling toll fraud or other compromises.

Remote Access
A very useful but potentially vulnerable feature of many PBXs is remote 
administrative access.  The PBX may allow an administrator to make changes to 
the system configuration database through an Attendant Console or from a 
terminal that is not physically located near the PBX, perhaps over a dial-in 
line with a modem.

  - Remote Access via an Attendant Console
The degree of the vulnerability created by remote access via an Attendant 
Console is determined by several factors: password access, physical connection 
of the Attendant Console to the PBX, and availability of administrative features 
through the Attendant Console.

  - Remote Access via a Terminal
If a standard dumb terminal can be used for access to the administrative 
features, more opportunities become available for an adversary to gain unwanted 
access. A modem could be connected to a terminal port and an outside dial-in 
line allowing easy access for the PBX administrator to do remote configuration 
and maintenance. Unfortunately, it also gives easy remote access to an 
adversary. By setting up remote access in this manner, a poor password 
protection system, the existence of "backdoors" (e.g., a special key sequence 
that would bypass required authorization levels), or the use of easy-to-guess 
passwords would seriously undermine the security of the system.

Software Loading and Update Tampering
When software is initially loaded onto a PBX and when any software 
updates/patches are loaded, the PBX is particularly vulnerable to software 
tampering. An adversary could intercept a software update sent to a PBX 
administrator. The update could be modified to allow special access or special 
features to the adversary. The modified update would then be sent to the PBX 
administrator who would install the update and unknowingly give the adversary 
unwanted access to the PBX.

Countermeasures

   - Perhaps the most important task for password security is to make passwords 
resistant to cracking by automated tools. A password generator that creates 
random passwords can go a long way in defeating password crackers. Both free and 
commercial random password generation tools are available. Commercial products 
are available that can generate passwords of user-selectable length that are 
very resistant to cracking.
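As an added illustration of this countermeasure (not code from the bulletin), the following Python generator draws each character from the operating system's cryptographic random source and does the arithmetic that tells an administrator how long a password must be for a given alphabet: a digits-only keypad PIN needs roughly twice the length of a mixed-character password to resist the same guessing effort. The 94-character alphabet, the 64-bit floor and the digits-only case are assumptions made for the example, not figures from the bulletin.

```python
import math
import secrets
import string

# Assumed alphabet for maintenance passwords (94 printable ASCII characters);
# restrict it to what the PBX in front of you actually accepts.
FULL_ALPHABET = string.ascii_letters + string.digits + string.punctuation
DIGITS_ONLY = string.digits   # for switches whose maintenance login is a keypad PIN

# Assumed floor: 64 bits of guessing entropy. Not a figure from the bulletin.
MIN_BITS = 64


def entropy_bits(length: int, alphabet_size: int) -> float:
    """Guessing entropy of a uniformly random password: length * log2(alphabet size)."""
    return length * math.log2(alphabet_size)


def min_length_for(bits: float, alphabet_size: int) -> int:
    """Smallest length at which uniformly random passwords reach the requested entropy."""
    return math.ceil(bits / math.log2(alphabet_size))


def generate_password(length: int, alphabet: str = FULL_ALPHABET,
                      min_bits: float = MIN_BITS) -> str:
    """Return a uniformly random password, refusing lengths under the entropy floor."""
    if len(set(alphabet)) != len(alphabet):
        raise ValueError("alphabet must not repeat characters (that would bias the draw)")
    bits = entropy_bits(length, len(alphabet))
    if bits < min_bits:
        raise ValueError(
            f"{length} characters over {len(alphabet)} symbols gives only {bits:.1f} bits; "
            f"need at least {min_length_for(min_bits, len(alphabet))} characters"
        )
    # secrets.choice draws from the OS CSPRNG; random.choice is predictable and unfit here.
    return "".join(secrets.choice(alphabet) for _ in range(length))


def uses_only(password: str, alphabet: str) -> bool:
    """Sanity check used by the caller: every character came from the chosen alphabet."""
    return all(ch in alphabet for ch in password)


if __name__ == "__main__":
    print(generate_password(12))
    print(generate_password(min_length_for(MIN_BITS, 10), DIGITS_ONLY))
    print(min_length_for(MIN_BITS, 94), min_length_for(MIN_BITS, 10))
```

The length check is the part worth keeping: a generator that happily emits a four-digit maintenance PIN gives the administrator a false sense of having "used a tool".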

   - Many software packages use error detection codes to protect against 
transmission or disk copying errors. Conventional error detection codes such as 
checksums or cyclical redundancy checks (CRC) are not sufficient to ensure 
tamper detection. Strong error detection based on cryptography must be used. 
These methods use cryptographic algorithms that guarantee detection of even a 
single bit modification.
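The reason a checksum or CRC fails here is that anyone who can modify the update can also recompute the code that travels with it, so the administrator's check passes. A keyed integrity tag cannot be recomputed without the key. The Python below, added as an example and not taken from the bulletin, plays out the intercepted-update scenario described under "Software Loading and Update Tampering" twice, once with CRC-32 and once with HMAC-SHA256; the update image and vendor key are constructed for the demonstration. HMAC is used because the standard library provides it; real software distribution normally uses a digital signature with the vendor's private key, which gives the same tamper detection without a shared secret on the receiving side.

```python
import hashlib
import hmac
import zlib

# Constructed sample update image and constructed vendor key; neither comes from
# the bulletin or from any real PBX vendor.
ORIGINAL_UPDATE = b"PBX-SW-UPDATE 4.2: maint_password_required=1\n"
VENDOR_KEY = b"constructed-demo-key-do-not-reuse"


def crc_tag(data: bytes) -> int:
    """Conventional error-detection code (CRC-32): catches accidental corruption only."""
    return zlib.crc32(data) & 0xFFFFFFFF


def crc_verify(data: bytes, tag: int) -> bool:
    return crc_tag(data) == tag


def mac_tag(key: bytes, data: bytes) -> bytes:
    """Cryptographic integrity tag (HMAC-SHA256) over the whole update image."""
    return hmac.new(key, data, hashlib.sha256).digest()


def mac_verify(key: bytes, data: bytes, tag: bytes) -> bool:
    # compare_digest runs in constant time, so the comparison itself leaks nothing.
    return hmac.compare_digest(mac_tag(key, data), tag)


def tamper(update: bytes) -> bytes:
    """Model the intercepted update from the bulletin: one setting is flipped."""
    return update.replace(b"maint_password_required=1", b"maint_password_required=0")


def intercept_crc_protected(update: bytes) -> tuple:
    """An interceptor needs no secret to recompute a CRC, so the forwarded pair verifies."""
    modified = tamper(update)
    return modified, crc_tag(modified)


def intercept_mac_protected(update: bytes, tag: bytes) -> tuple:
    """Without VENDOR_KEY no new tag can be made; forwarding the old one is the best option."""
    return tamper(update), tag


def run_demo() -> dict:
    """Return what the administrator's verification step concludes in each case."""
    crc = crc_tag(ORIGINAL_UPDATE)
    mac = mac_tag(VENDOR_KEY, ORIGINAL_UPDATE)
    crc_mod, crc_mod_tag = intercept_crc_protected(ORIGINAL_UPDATE)
    mac_mod, mac_mod_tag = intercept_mac_protected(ORIGINAL_UPDATE, mac)
    one_bit_flip = bytes([ORIGINAL_UPDATE[0] ^ 0x01]) + ORIGINAL_UPDATE[1:]
    return {
        "crc_accepts_genuine": crc_verify(ORIGINAL_UPDATE, crc),
        "crc_accepts_tampered": crc_verify(crc_mod, crc_mod_tag),      # True: no tamper protection
        "mac_accepts_genuine": mac_verify(VENDOR_KEY, ORIGINAL_UPDATE, mac),
        "mac_accepts_tampered": mac_verify(VENDOR_KEY, mac_mod, mac_mod_tag),   # False
        "mac_detects_single_bit_flip": not mac_verify(VENDOR_KEY, one_bit_flip, mac),
    }


if __name__ == "__main__":
    for name, outcome in run_demo().items():
        print(f"{name}: {outcome}")
```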

   - Because of the potential for exploitation by intruders, PBX boot disks and 
utilities must be given more protection than usually afforded typical office 
software such as word processing packages. Strong physical security should be 
provided for PBX software. Audit reports from the PBX should be shredded or 
destroyed in the same way as sensitive memos or financial information.

   - To ensure the security of printouts, they must be shredded when discarded.

USER FEATURES
An adversary may be able to exploit vulnerabilities in a system's features and 
the way in which features can interact. As with many aspects of information 
technology, the proliferation of features that make PBXs easy to configure and 
use has led to an expansion of vulnerabilities.  Many of these are inherent in 
the features themselves or arise out of feature interactions, making them 
difficult to avoid. This discussion illustrates some of these vulnerabilities so 
that administrators will be able to weigh the risks of features against their 
benefits.

Attendant Console
Attendant Consoles typically have more function keys and a larger alphanumeric 
display than standard instruments to support the extra features available to the 
Attendant Console. The Attendant Console may be used for access to maintenance 
and administrative functions, but there are potential vulnerabilities of the 
Attendant Console with respect to maintenance and administration. Some typical 
features available with an Attendant Console are Override, Forwarding, and 
Conferencing.

  - Attendant Override
Attendant Override is intended to allow the Attendant to break into a busy line 
to inform a user of an important incoming call. An adversary with access to an 
Attendant Console could use this feature to eavesdrop on conversations. The PBX 
should provide for some protection against such uses of Override by providing 
visual and/or audible warnings that an Override is in progress.

  - Attendant Forwarding
A common feature granted to the Attendant is the ability to control forwarding 
of other instruments. An adversary with access to the Attendant Console could 
use this feature to forward any instrument's incoming calls to a long-distance 
number. The adversary could then call the target instrument and be forwarded to 
the long-distance number, thereby gaining free long-distance access.

  - Attendant Conferencing
Attendants may also have the ability to initiate a conference or join into an 
existing conference. If this feature is available, the potential exists for an 
adversary logged in as an attendant to eavesdrop on a conversation or add an 
additional party to a conference without the knowledge of the other parties.

Automatic Call Distribution (ACD)
ACD allows a PBX to be configured so that incoming calls are distributed to the 
next available agent (e.g., reservation clerk) or placed on hold until an agent 
becomes available. Agents may be grouped together with each group having a 
supervisor. The group of supervisors may then even have a higher-level 
supervisor. The number of supervisors and number of levels of supervisors is 
dependent on the type of PBX being used.

Most ACD systems grant a supervisor the ability to monitor the calls of the 
group they are supervising. Because of this feature, ACD systems are a potential 
vulnerability to the users of the PBX. If an adversary could gain access to the 
configuration tools or the system database, they could become an ACD supervisor 
and set up an ACD group. The supervisor could then monitor the calls of any of 
the users in the group.

Account Codes/Authorization Codes
Account Codes are normally used for tracking calls made by certain people or 
projects so that bills can be charged appropriately. For example, a user may be 
required to enter an Account Code prior to placing a long-distance call. 
Depending on the configuration of the PBX, the Account Code may have to be on a 
list of approved codes for the call to be successful. If this is the case, the 
Account Code may be considered an Authorization Code because the user must dial 
a specific Account Code that is authorized for making long-distance calls.

Another important use for Access Codes is for Dial In System Access (DISA). DISA 
typically allows a user to dial in to the PBX system from an outside line and 
gain access to the normal features of the PBX, almost as if they were a 
subscriber on the PBX instead of an outside caller.  This feature is typically 
used to allow employees to make long-distance calls from the corporate PBX while 
out of the office by dialing in to the switch, then entering a code to make 
long-distance calls. It is easily abused by anyone with the authorization code, 
possibly leading to large fraudulent long-distance charges.

Certain Account Codes may also be allocated for changing a user's Class of 
Service (COS). When the COS is changed, the user may have access to a different 
set of features. For example, most instruments may be assigned a COS that does 
not permit the use of an Override feature, but a special COS that is only 
accessible by using an Account Code may be created that does permit the use of 
Override. By using the Account Code, an adversary could then gain access to the 
Override feature.

Since the Account Codes are used for billing, there are records kept of the 
calls that are made for the various Account Codes. These records generally 
include the source, destination, Account Code, and time/date of the call. The 
records may be stored as files on one of the system's disks or they may be 
printed out on a system printer. If the records are printed, an adversary who is 
able to gain access to the printer will have access not only to traffic 
information, but also to the printed Account Codes. Once the codes are known, 
the adversary will be able to use the codes for toll fraud, additional feature 
access, etc.
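The call records described above are also the administrator's best evidence that a code has leaked, whether through a discarded printout or a shared DISA authorization code as in the paragraph on Dial In System Access. As an added example (not part of the bulletin), the Python below parses a few constructed call-detail records and flags the three patterns a compromised Account Code produces: use from more instruments than one person would occupy, toll calls outside business hours, and toll minutes far above a normal total. The record layout, the regular expression, the North American dialling rule and the thresholds are all assumptions; real PBX printouts are vendor-specific, so the regex is the piece to adapt.

```python
import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime

# Constructed call records in an assumed key=value layout. The header line is there
# to show that non-record lines from a printer report are skipped.
CDR_LINES = """\
SMDR REPORT  (constructed sample)
2000-11-03 09:12 src=2214 dst=14035551234 acct=4471 dur=240
2000-11-03 10:05 src=2214 dst=16045559876 acct=4471 dur=600
2000-11-03 23:48 src=2330 dst=01144207555123 acct=4471 dur=1900
2000-11-04 01:15 src=2417 dst=01144207555123 acct=4471 dur=2400
2000-11-04 02:02 src=2417 dst=01152555551212 acct=4471 dur=3100
2000-11-04 14:30 src=2101 dst=14165550101 acct=9020 dur=120
2000-11-04 15:10 src=2101 dst=5551212 acct=9020 dur=60
"""

CDR_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) src=(?P<src>\d+) dst=(?P<dst>\d+) "
    r"acct=(?P<acct>\d+) dur=(?P<dur>\d+)$"
)


@dataclass
class Call:
    when: datetime
    src: str      # originating extension (or DISA port)
    dst: str      # dialled digits
    acct: str     # Account/Authorization Code entered for the call
    seconds: int  # call duration


def parse_cdrs(text: str) -> list:
    """Turn the raw report into Call objects, ignoring lines that are not records."""
    calls = []
    for line in text.splitlines():
        m = CDR_RE.match(line.strip())
        if not m:
            continue
        calls.append(Call(datetime.strptime(m["ts"], "%Y-%m-%d %H:%M"),
                          m["src"], m["dst"], m["acct"], int(m["dur"])))
    return calls


def is_toll_call(dst: str) -> bool:
    # Assumed North American dialling: 011 = international, 1 + ten digits = long distance.
    return dst.startswith("011") or (dst.startswith("1") and len(dst) == 11)


def find_account_code_abuse(calls, business_hours=(7, 19), max_sources=2,
                            max_toll_minutes=60) -> list:
    """Flag what a leaked Account Code looks like in the records: use from many
    instruments, toll calls outside business hours, and toll minutes above normal."""
    findings = []
    sources = defaultdict(set)
    toll_seconds = defaultdict(int)
    start, end = business_hours
    for c in calls:
        sources[c.acct].add(c.src)
        if is_toll_call(c.dst):
            toll_seconds[c.acct] += c.seconds
            if not start <= c.when.hour < end:
                findings.append({"rule": "after_hours_toll", "acct": c.acct, "src": c.src,
                                 "dst": c.dst, "when": c.when.isoformat()})
    for acct, srcs in sorted(sources.items()):
        if len(srcs) > max_sources:
            findings.append({"rule": "shared_code", "acct": acct, "sources": sorted(srcs)})
    for acct, secs in sorted(toll_seconds.items()):
        if secs / 60 > max_toll_minutes:
            findings.append({"rule": "toll_volume", "acct": acct, "minutes": round(secs / 60, 1)})
    return findings


if __name__ == "__main__":
    for finding in find_account_code_abuse(parse_cdrs(CDR_LINES)):
        print(finding)
```

On the sample records, code 4471 trips all three rules while 9020 trips none; tune the thresholds to the site's own call profile before acting on the output, since a night-shift department will legitimately place after-hours calls.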

Override (Intrude)
An Override or Intrude feature is common to many PBXs. Due to its potential 
vulnerability, it is commonly selectable as a feature that can be 
allowed/disallowed on a single instrument or a group of instruments. Override is 
intended to allow one user (perhaps a supervisor) to break into a busy line to 
inform another user (perhaps a subordinate) of an important message. This 
feature could be used by an adversary with access to any instrument permitted to 
use the Override feature to eavesdrop on conversations. The PBX should provide 
for some protection against such uses of Override by providing visual and/or 
audible warnings that an Override is in progress.

Diagnostics
In addition to the major diagnostic features available at a maintenance terminal 
or Attendant Console, many PBXs provide diagnostics that can be initiated from 
any instrument. These diagnostic features may permit a user to make connections 
through the PBX by bypassing normal call processing restrictions. An adversary 
with access to these diagnostic features may be able to deny service or make 
undetected connections allowing for the monitoring of other calls.

Feature Interactions
With the advent of the digital PBX and its wealth of features, the interaction 
between features presents a significant possibility for vulnerabilities. For 
example, in some systems the return-call and camp-on features can be manipulated 
to defeat caller-ID blocking. With the large number of features available in 
modern PBXs, it becomes difficult for the manufacturer to consider all of the 
ways in which different features may interact. Because of this, vulnerabilities 
may exist that were undetected by the manufacturer that allow an adversary 
unwanted access to the PBX and its instruments.

Since the actual Feature Interaction vulnerabilities found on a specific system 
depend heavily on the particular implementation of the features, it would be 
nearly impossible to describe every possibility for a generic system. NIST SP 
800-24 includes detailed examples of some feature interactions.

Countermeasures
   - Vulnerabilities can be minimized if the Attendant Console connects to the 
PBX with a different physical connection than that of the telephone instruments.

   - If the Attendant Console connects to the PBX in the same manner as the 
telephone instruments, vulnerabilities can be reduced by having some sort of 
line configuration feature. Such a feature could reduce vulnerabilities by 
requiring that a line be specifically configured for use with an Attendant 
Console. With such a configuration requirement, a telephone instrument could not 
be easily replaced with an Attendant Console to gain access to the 
administrative features.

   - When implementing a Class of Service, feature interaction should be given 
much thought.  Many of the feature vulnerabilities discussed involve Feature 
Interaction since several COS items or system options may have to be 
enabled/disabled to allow them to occur.

   - Because the vulnerabilities described in this section are inherent in 
feature implementation, they are difficult to defend against. The most effective 
strategy is to ensure that only essential features are activated.

COMPUTER TELEPHONY
One of the biggest new developments in telecommunications is the advent of 
computer-based telephony systems (CT). As microprocessor speeds have increased 
and memory prices dropped, it has become possible to implement a PBX on little 
more than a high-end PC. A CT system typically requires only the addition of 
specialized voice processing boards to an ordinary office PC with 64 MB of 
memory, a 3 GB disk, and a 300 MHz processor. Some CT systems use specialized 
real-time operating systems, but the trend is toward commercial off-the-shelf 
systems such as Windows, Linux, or other versions of UNIX. This development has 
brought great reductions in the cost of PBX systems, but means the possibility 
of enormously increased security risks. Two factors in particular can increase 
exposure: greatly expanded integration of telephony with the computer network 
and implementation of PBX functions over operating systems with widely known 
vulnerabilities. Some of the features appearing in new CT systems include:

   - Voice over IP,
   - Browser-based call handling and administration,
   - Integration of IP PBX with legacy PBXs and voicemail systems,
   - Integration of wireless networks with office network systems, and
   - Virtual private networks.

A complete exposition of the risks of CT systems is beyond the scope of this 
document. The safest course of action is to assume that most or all of the 
vulnerabilities described here apply to CT systems as well as traditional PBXs.  
CT systems may also have added vulnerabilities resulting from well-known 
weaknesses of PC operating systems. Future NIST publications may address CT 
security issues in more depth.

RECOMMENDATIONS
Not all of the security measures described in this bulletin will be applicable 
to every organization.  The first step in improving PBX security is to assess 
the organization's current telephony applications. This bulletin describes 
important areas to consider. Following this assessment, NIST SP 800-24 can be 
used in conducting a detailed evaluation. SP 800-24 also includes a set of 
baseline security considerations for PBXs and a more complete set of 
countermeasures for common vulnerabilities.

REFERENCES
NIST SP 800-24, PBX Vulnerability Analysis, National Institute of Standards and
Technology, 2000.

Online resources:

   - NIST Computer Security Resource Clearinghouse: http://csrc.nist.gov
   - DISA Information Assurance:
     http://www.disa.mil/infosec/iaweb/default.html

-
<niteshade> you're gonna take that from a FOURTEEN year old are ya clone??
Jawa01 was kicked off #CPU by theclone (you fucking teenie bopper)
-


Millennium Payphone - Power Out Exploit - By PsychoSpy
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Intro/Story....

Recently while carousing the halls at my local educational 
facility, I noticed that the LCD displays on the phones had
gone completely blank. I couldn't believe my eyes! The
power on the phones had gone out! Can we say damn lucky?!?
I then walked up to the phone and picked it up; as I put my
ear to the slightly chilly earpiece, I heard the distinct
noise of the dial tone. You may say "Well hey! What else
do you expect to hear when you pick up the phone?!? You
forgot something, you psycho! The Millennium dial-tones are
all pre-recorded." Well, that's right, the dial-tones ARE
pre-recorded; however, with the power out, the recorded
dial-tone isn't played due to lack of power. In fact, you
can hear the physical switch inside the Millennium switch
over. This, my friend, is a REAL DIAL TONE!! WOOO!!

I then proceeded to try to dial a well known number 
(Clone's pager). The damn payphone wouldn't let me though.
It turns out that when the power goes out, the payphone
initializes a failsafe mode which disables the dialing
of ANY numbers on the key pad until the 1 and 8 have been
pressed first. This is meant to make it so that you cannot
dial any numbers other than 800, which you could do when
the power was on anyways.

Onto the exploits....

First what you have to do is either cut the power to the 
Millennium, or find one with the power out. The first option
is the most likely of the two. It was out of pure luck that
I found the payphones with the power out. Just be VERY VERY
careful when snipping the power. Make sure you've got rubber
gloves, the wire cutters have rubber handles etc. If you fry
yourself because of this, IT'S YOUR OWN DAMN FAULT!! DON'T
COME CRYING TO ME!!

Now for the real exploit stuff....

The numbers are only disabled on the physical key pad. This 
means that we can pull out our trusty tone dialer, and dial 
away any number we please. I actually didn't have a tone 
dialer with me, so I used a mini-audio recorder. To use the 
audio recorder, you just dial 18 and then press record, and 
dial the rest of the numbers with the mic up to the ear piece. 
Then, hang up, and play the tones back into the phone.

NOTE: The tones must be played as fast as possible. This is
due to the dial-tone going dead in around 10 to 15 seconds.

The second exploit is based on the line seizing exploit on 
the Protels which The Clone found a while back. With the power
out, the Millennium no longer protects against this attack.
This means that you can dial an 800 number that will drop you 
to a dial-tone, and will be able to use it. You can also 
try phoning up the operator and pissing her off so much that
she hangs up, therefore giving you an unlimited dial-tone once
again. Once you get this dial-tone, you can dial any number
your little heart desires.

Outro/Shouts/To Come....

Well, that's it kiddies! Have fun! This is only the FIRST of
MANY files to come in the near future on the Millennium Pay-
phones which have spread across Canada like a technological
plague. Kinda interesting new frontier of phones though. The
Telcos are actually getting somewhat smarter. Who'd have ever 
thought?!!?

Shouts out to The Clone, Cyb0rg/asm, Semtex, and Niteshade.


-- PsychoSpy
   psychospy@hushmail.com
   ICQ#: 5057653

   11/05/00


-
<PhluX> when im like a grandpa im gonna get aids for shits and giggles and
smoke myself even stupider WHILE im senile 
-


#`;				



	     'Telus Call Director; Unsupervised Line Exploit'



 -[Date: 11/07/00]-
 -[Handle: The Clone]-
 -[Type: Telus Advisory]-

 -[EMAIL: theclone@hackcanada.com]-
 -[URL: http://www.nettwerked.net]-



(notes: This particular exploit has been verified several times by the
        Canadian Phreakers Union [#cpu/haxordogs.net]; it has worked on
        many occasions however we've found that sometimes it doesn't work
        which completely boggles the mind. We've had greater success when
        the TCD subscriber picks up after the first or second ring.)



 Enter the phone number of someone who is subscribed to TCD
 (Telus Call Director) who you know will be on the Internet
             at the same time you place the call.



1. Call up a phone number and be sure you're connected.

2. Do a quick Flash hang-up or push the Link/3-way button on your CID 
   display phone... this will initiate the 3-way chain and will drop
   you to a dial-tone.

3. Now enter the phone number of someone who is subscribed to TCD who you 
   know will be on the Internet at the same time you call them.

4. When the TCD subscriber picks up the telephone you will then be
   connected to both parties.



 The 'sploit? -- On Telus (Mobility) cellular/landline $20 a month plans,
 the phone bills give a specific list of every long-distance number you
 called (including duration) from the time after you received your
 previous month's last bill.

 Right, so that direct/3-way call you made to the TCD subscriber was not
 logged, meaning Telus' billing-equipment didn't recognize that particular
 call essentially giving you direct access to an unsupervised line.


 [ed note; looks as if Telus' recent upgrade to (former) BCTEL's "newer"
  billing system is not without its share of serious glitches... so Telus,
  was that multi-billion dollar merger with BC-TEL simply because they had
                more advanced equipment really worth it? ;-]



   The Possibilities --


 1. Chatting on an unrestricted line that completely ignores all Telus
    Call Director subscribers via a direct call or three-way chain can be
    used as a virtual "get out of jail free card" for both parties who may
    be suspected of criminal activity (drug dealing, extortion, etc.), and
    therefore have their calls logged and put into a "suspect database" run
    by Telus - police accessible.

    The 3-way-to-TCD billing-exploit will be completely feasible in this 
    particular situation making customer monitoring a little more
    difficult to perform and subject to countless inaccuracies.


--

   Emergency Interrupt Avoidance;


Q: "Okay, just what is Emergency Interrupt?"

A: Let's say you have an appointment with a friend and you call her only
   to find that her phone is busy and you get blasted with an annoying
   busy signal. No use in complaining about why she isn't subscribed to
   call-waiting; so you call up the operator and ask them to test the
   line, which they do by using a process called BLV (Busy Line
   Verification) to check if the line is busy.

   From there the operator will ask you if you'd like to send a message to
   the particular subscriber, which of course you do and the operator
   sends the message through to your friend.

   This is where the BLV process becomes a bit more complex; with the line
   busy how is she going to break into the call and send the message? Using
   the Emergency Interrupt option she will automatically utilize the NTT
   (No Test Trunk) which basically tests a line without breaking into it
   like Emergency Interrupt is programmed to do.

   At this point you're probably thinking that the operator just breaks
   into the line and alerts your friend... wrong. See, what telephony
   companies did was add an encryption feature into the TSPS/OSPS (the
   operators) console which made it impossible for an operator to be able
   to just tap into a conversation without firstly causing the subscriber's
   line to beep before coming on to the line; a nice implementation if I
   do say so myself.

--

2. By performing the Telus Call Director exploit, you could avoid all
   attempts by the Telus operator to perform Emergency Interrupt because
   on their TSPS/OSPS screen they will see that your line is not even in
   use. From there they will alert the person that is trying to contact
   you that your line is free and there is no need for them to bother
   initializing the Emergency Interrupt command.

You will be an invisible void within those copper veins of Mah-Bell. ;)

-
yellowdot/#cpu sings, "I think I'm a clone now..."
theclone blinks 
---

Conclusion;

As you can see, the enormous growth of the telecommunications industry
is not without its share of security vulnerabilities. Before finishing this
paper, I would personally like to thank two other people who have helped
me with the testing of this exploit; Alan and Phlux - thanks a lot for
your help guys.

For further information on other Telus Call Director exploits, please
refer to Phlux's 'Owning Telus Internet Call Director' http://www.nettwerked.net/icd.zip

;`#


-- Credits


Without the following contributions this zine issue would
be fairly delayed or not released, so thank you to the following people:

Magma, Miklos, PsychoSpy, Richard Kuhn, Term, and myself The Clone =p

-

-- Shouts:

  Hack Canada, #CPU, k-rad-bob @ b0g, Blackened @ Damage Inc.,
The Grasshopper Unit, Pyrofreak, Yellowdot and lastly to everyone
     and anyone who contributes to the Canadian H/P scene.



                              ;.  .;..  ; ;. ;..
                           ;..   .;..; .;.; .;; ;..
                      .;..;. .;..;  .;.;...; ;..;..
                         .;.         A         .;. .;.
                       ;..   N E T T W E R K E D  ;..
                        ;..;.. P R O D U C T   ;..;..
                          .;..;               ;..;..
                     ;  .;..;.;..   .; .  .;. ..;..
                    .;..   . .;  ..;..;..;.. .;
                ;..;.   .;.. . .;.. .;.;.
              ..;. ..;.. .;.   ;.;..;;..;.;
                ;.;;..;..      ;.;.; .; .
                   ;.;..;. .;. ;.;:.;.
                     ,;....;.
               .;.;. .;.;
              .;.;.;
            .;.;
            ;..;.
             .;.;
               ;.; .;. ..; ;. > > > *poof*