💾 Archived View for spam.works › mirrors › textfiles › hacking › intercpt.txt captured on 2023-06-14 at 16:52:58.
-=-=-=-=-=-=-
The High Tech Hoods Presents... *&*&*&*&*&*&*&*&*&*&*&*&*&*&*&*&*&*&*&*&*&*&* * * * PAGER, FAX, AND DATA INTERCEPT TECHNIQUES * * * *&*&*&*&*&*&*&*&*&*&*&*&*&*&*&*&*&*&*&*&*&*&* One can only imagine the intemal trauma of being a paging company owner-it would be sort of like owning a company that made lime glass vials, hell, business has just suddenly shot through the roof over the last few years making enormous profits for everyone lucky enough to be in the business of manufacturing little glass vials, but sometimes, late at night, the owners must wonder exactly why people are buying millions of little glass vials... So it goes with pagers, the popularity of the common pager has exploded concurrently with the drug trade. Pagers are so popular that in America 7.2% of the entlre population carries a pager. In the good old days, wearing a pager meant you were a doctor or maybe a car thief, but certainly nothing more disreputable than that. Today doctors, and let's face it, even car thieves, like to hide their pagers under jackets or tend towards those new little pagers that masquer- ade as ballpoint pens so people don't assume they're drug dealers. At this writing, one state (Virginia) actually has a law prohibiting pager use on school grounds and several other states have tried to pass bills (unsuccessfully) de- manding licensing of pagerized individuals. Not to say that pager companies don't have some kind of conscience, they do. In fact, have formed a group known as TELOCATOR, the Mobile Communications Industry Association. Telocator promotes paging/police cooperation and attempts to keep their individual members informed on the latest laws and procedures as they apply to pagers. However, to be frank, their primary success seems to be cute little stickers they say "MOBILEized" for the war on drugs for pager companies to stick on their doors along with nice little laser-written posters that remind perspective pager renters that the "use of a pager in a commission of a felony is prohibited by federal law and carries a penalty of up to four years imprisonment and/or a fine of up to $30,000 for each offense. One can only wonder exactly how effective these efforts are in shaping the morals of the pager industry, especially since the subscriber base is expected to continue growing and is estimated to reach 21 million users by the mid-1990's. Pagers operate in the clear on radio frequen- cies that can be received with any standard receiver or a scanner. The information trans- mitted on pagers can be of interest to anyone from law enforcement to business competitor groups. There are several interesting ways of extracting said information. TYPES OF PAGERS Although numeric display pagers constitute more than half of the pagers in use today other types are also in use. Here's a list ordered by popularity: NUMERIC DISPLAY_ This service lets one receive numbers sent from any touch-tone telephone. The pager beeps and shows tele- phone numbers, previously agreed-upon codes, parts numbers, stock prices, purchase orders, and so on. Limited information may be sent along in the form of numbers that stand for initials, or simple codes. TONE_ The tone pager emits a beep telling the user to call back a predetermined location such as an office, home, voice mailbox, or telephone answering machine. TONE AND VOICE_ This paging service gives an audible tone followed by the message in the caller's own voice. There is no operator, and no need for the user to call in. The pager delivers the complete message. ALPHANUMERIC DISPLAY_ This latest develop- ment is actually a miniature message center that beeps and displays messages in words and numbers. Messages are sent through an input device or dispatched by a live operator. PRIVACY LAWS AND PAGERS For each type of pager, different legal require- ments must be met for intercepts. On the federal level, the easiest pager to deal with is the simple tone-only device. The U.S. Justice Department had long held that interception of a tone-only pager was not a search, since there is no expectation of privacy in a device that only beeps or vibrates. Therefore, the Depart- ment has maintained, interceptions raise no Fourth Amendment issues and require neither a warrant nor a court order. This policy was certified by Congress when it passed the Electronic Communications Privacy Act of 1986 (ECPA), which excludes tone-only pagers from its provisions. Although the information conveyed by intercepting a tone-only pager is limited, such intercepts can be helpful in documenting patterns of behavior by suspected criminals. Since they are the cheapest and easiest to use of all pagers, tone-only units may be most commonly encountered in connection with drug activity, at least among lower echelon criminals. Federal and state laws treat privacy interests in display and tone-and-voice paging commu- nications. Under ECPA, for example, the police generally cannot intercept a tone and voice or a display pager without first securing an appro- priate court order. This restriction stems from Congress' conclusion that subscribers using such pagers have a reasonable expectation of privacy in the paging communications they send and receive. A similar conclusion is also reflected in state privacy statutes, which often impose stricter requirements on carriers and law enforcement officials than does the ECPA. As requirements for legal protections increase, so do the rewards for intercepting display pagers. A numeric display pager dis- plays a 10- or 12-digit number, usually the phone number of a person who desires a retum call. More sophisticated drug dealers, however, use the digits as code, with, for example, a "1" at the end of a phone number meaning "the cocaine is not in." Obviously, police and others intercepting such messages with monitoring devices or cloned pagers can har~est considerable worth- while information. The recent increase in the use of alphanu- meric paging is beneficial to law enforcement due to the added bonus of text messages. Theoretically, exact details of drug transactions could be made available to law enforcement if the deal was conducted via alpha paging and an intercept was in progress. There are several ways in which paging carriers aid law enforcement in preventing illegal use of pagers for drug transactions including leasing pagers which are cloned to police, assisting in intercepts of paging commu- nications and providing the police with infor- mation about paging subscribers. Federal and state privacy statutes, however, generally require law enforcement agencies to secure appropriate authorization before enlist- ing the aid of paging carriers. Specifically, most privacy laws prevent the police from using a cloned pager or intercepting a paging commu- nication unless they have first obtained a court order, a special emergehcy request or the subscriber's consent. Similarly, law enforce- ment agencies may not gain access to informa- tion about paging subscribers (such as transac- tional records) unless they secure either a subpoena, a warrant, a court order, or the consent of the customer. INTERCEPTIONS AN OVERVIEW Successful pager interception is dependent upon several factors: 1. Frequency of the paging service. Law en- forcement agencies or detectives are advised to simply call local paging carriers and ask them for their frequencies. This is public information and usually will be given out without any problem. Books are also avail- able on this subject from CRB RESEARCH. 2. Paging number. Some intercept techniques require the actual phone number that activates a particular pager. 3. Cap code. A cap code is a seven or eight digit number that is the actual EIN, or Electronic Serial Number of the pager. This digital cap code is what the pager looks for in the stream of paging messages before it locks onto a message and notifies its wearer. 4. Some interception methods require the paging format. There are a number of proprietary formats engineered by pager manufacturers. Most paging systems operate in the FM band normally from 35 MHz to new super-high microwave pagers in the 931-932 MHz area. These signals can be received on any receiver but they will come in as frequenc,v shift data signals, nothing that is intelligible to the normally equipped listener. Most paging systems have a local coverage area determined by the number and placement of their trans- mitters, the average area is probably 4(}60 miles in size although many companies are now expanding their coverage by adding additional transmitters or making deals with other companies to give statewide coverage. A new paging system actually gives nation- wide coverage. The system known as Wide Area Paging and is typified by CUE Paging Corpora- tion. The user rents a "Cue Pager" which is actually not a fixed receiver but rather a scanner that scans the FM commercial radio band. Cue (and other companies) rent space on one or more commercial FM stations in most cities in the United States. In fact, Cue boasts of over 200 FM stations in their nationwide network. The paging signal is carried on a sub-carrier or, SCA portion of the broadcast signal that is inaudible to standard receivers. No matter where the subscriber finds him- self, his unit will scan until it finds the paging sub-carrier signal and then lock on to that signal, waiting for its own cap code to appear. To page a subscriber, the caller dials an 800 number and then plugs in the specific pager identity code. This data is flashed by an uplink by a satellite where it is transmitted across the country to various downlink stations and then land lined or microwaved to FM radio transmit- ting towers. In a Cue-type system, it is not necessary to know where the subscriber is, simply the fact that he is in the United States gives a very high probability of reaching him on his pager. The pager itself is no larger than a standard Motorola-type paging unit. These wide area systems normally offer some sort of echo back or voice mail system to let subscribers retrieve messages from an 800 number in case they happen to be between SCA stations when a message comes in. There are a couple of ways of intercepting pager messages. One of the niftiest is through the use of a clone. A cloned pager is simply a pager which operates on the same frequency and has the same cap code as the target's pager, in short, the paging system has no way of knowing how many receivers are actually listening at any given time so any message that is transmitted will be received simultaneously 'by all identical pagers. Traditionally this has been the favorite method of law enforcement to intercept a suspect's messages, paging companies will cooperate with departments who have authori- zation by issuing them details on the owner of any pager or by physically manufacturing a cloned pager and giving it to a detective. One narc I know uses the vaguely dubious trick of "borrowing" a subject's pager during a body search, popping out the EIN chip and replacing it with a non-programmed chip. When the pager is retumed to its owner it will, of course, no longer work. Disgruntled owner takes pager back to company and complains. With any luck the company will program a new pager to the same cap code on the spot and give it back to the suspect. The cop simply pops the EIN chip into his own pager and now owns a non-registered clone that will duplicate the perp's messa es... A TRICK The second paging intercept option is to purchase one of several software packages that work in conjunction with a scanner or a receiver and an IBM or a Mac PC. These soft- ware packages "listen" to the scanner which is set up to listen to a certain paging frequency. In this type of operation, the potential inter- ceptor only needs to know either the cap code or the call number-nothing else. Assuming one has the phone number to activate the target pager, one simply tums on the receiver, initializes the software and then dials the pager sending a unique code (for some reason 6666 seems to be in vogue with most law enforcement agencies), and then watches a computer monitor to see when the code is broadcast. The program will immediately display the cap code of the pager and, if it is an alphanumeric pager, the text message. Once this has transpired, the program will set up an automatic file in the computer to grab any and all further messages to that pager, storing them as to time, date, and phone number or text message to be called. Most systems will take any of the paging formats including the POCSAG fommat. Case files can be pAnted immediately or pAnted when reviewed or stored on floppy disks and reviewed at any time. Most of these systems will monitor from 1-32,000 pagers at any given time and set up a file for each individual pager. These systems began as propAetary systems to be used by paging companies to monitor hacking attempts, traffic pattems, and system problems but have spread to law enforcement and now civilian intercept markets. Do these systems work? Yes, I've tested the INTERCEPTOR-LE system and it pretty much does what it says it's going to do. The system grabs and displays incoming messages simultaneously or in many cases faster than the pager receives them and works with all existing paging formats as well as has the capability to use new formats as they are introduced. The LE system sells in the $4,000 range at the time of this wAting but, folks let's face it, it's just a little software package and lower-pAced clones are going to appear on the market if they haven't by this wAting. LE is available from SHERWOODCOMMUNICATIONS. A second paging intercept program is avail- able from TGA Technologies in Dunwoody, Georgia. Or you can get it from The New York Hack Exchange BBS. What to do if you think your pages are being intercepted by some nameless force? One gentleman I know (damn but I do know a lot of interesting people, don't I?) got a "666" page on his pager in the middle of the night. He had reason to suspect he was the target of a non-warranted police surveillance as a close frend of his had just been popped on a weapons charge (later dropped). My friend spent the next two days calling himself and entering 30 or so "interesting" return numbers including CIA, NSA and FBI offices around the country, plus intemational suppliers of anything interesting, phone numbers of vaAous embassies and even a White House "inside" number he happened to have on hand. It may not be a cure all, but the satisfaction of knowing he was dAving several detectives crazy did provide a certain amount of satisfaction. FAX INTERCEPTION Alexander Graham Bell must be tuming over in his grave at the spread of the ubiquitous fax machine. Fax machines are rapidly replacing telephones as the pAmary method of commu- nication for many businesses and some individuals. I personally know of at least two people who have impulsively Apped out their telephones and replaced them with a fax machine, the implication being, of course, that my time is too valuable to waste talking on the phone. Many people who should know better think that faxes are a safer method of data exchange than is the telephone because no words are transmitted, simply data. As one might suspect, this data can be intercepted and logically regurgitated to "bug" fax machines. There have been a couple of problems associated with fax tapping that have just recently been solved; faxes trade data by means of frequency- or phase-shift keying at speeds of 300 to 9600 baud. This type of data transmission does not lend itself to recording and playback on most audio tape recorders, as the speed is too high and the frequencies are too close together. Any distortion renders the transmission unintelligible. Faxes fall into several groups depending on what type of transmission peAmeters they employ. The most common one at this time is called Group III. The particular protocols for Groups I, II, III and IV, are set by something called CCITT and are available in a $25.00 booklet. Faxes trade setup information at the beginning of each call in something known as the handshake period. During the handshake the sending fax will set itself to the highest possible group protocol that the receiving fax will accept before it begins transmitting data. The sending fax requires acceptance and confimmation of this handshake before it will begin the actual transmission. Some faxes offer limited secuAty by reading the phone number of the receiving fax and compaAng it to an intemal list before sending the data, but this should not concem anyone who is tapping into the line because if they use a high impedience phone tap (just a simple .Olmfd capacitor in sences with 10k ohm resistor and perhaps a NE-2 neon lamp across the line between the two components), the sending fax will not notice the "invisible" third party on the phone line. Let's examine the handshake protocol of a typical fax machine. What happens when one presses "send" on a fax machine? The answeAng fax machine transmits a 2,100Hz tone for three seconds, and then begins a negotiating process at 300bps including a single high-pitched tone, followed by a lower, warbling tone. The second tone is the 300-bps receiver capabilities packet. When the warbling ends, there is a bAef pause, and if the calling fax hasn't responded, the process is repeated. The first step is to send a digital identification signal (DIS) that tells the answeAng machine what it can do including: What is the maximum transmission speed possible? Does the sending unit support modified read compression? Does it include error . correction? The sending fax transmits a digital command signal (DCS) that tells the called unit which of the operating parameters descAbed in the DIS will be used. This signal tums on these features in the receiving unit. gzThe sending fax transmits a test signal to help the receiving unit lock onto the proper signals. The receiving fax transmits a confirmation- to-receive (CFR) signal to tell the sending unit it is ready to accept the first page. The first page of the fax message is sent from the oAginating device. When the end of the page is reached, the sending unit transmits an end-of-page (EOP) signal and waits for a message confirmation (MCF) from the receiving unit. This process continues until the final page is sent and the calling fax transmits a disconnect (DCN) signal to sever the connection, freeing both telephones. Note that the initial handshaking that establishes the capabilities of each unit in the connection is conducted only once, at the beginning of the link. Once the sending fax starts transmitting pages, there is no need for this handshake again. Commercial fax interception devices are made by a number of companies including HDS and STG, aimed at law enforcement but, in some cases, sold to anyone with the bucks. Commercial facsimile taps are based either on an IBM PC equipped with a fax modem which intercepts and receives the protocol signals and the fax message, writing it directly to disk and then reprinting it out on the screen or on a printer or by employing a special tape recorder to save messages for later playback through a modified fax machine. These devices do work and have been used in courts on numerous occasions. They also average about $28,000 each. If money's no object, hey, I say give 'em a call. In reality there's very liffle difference in tapping a data transmission than there is in tapping a voice transmission. Here's how to do it for about $27,000 less: Intercept the data stream by use of a good dropout recorder or high impedience capaci- tor circuit as described above. Record the entire transmission on a digital audio tape recorder. DAT's are now commercially available for about $800 but this will drop soon and may have dropped by the time you read this. DAT's use a high sample rate to record the audio in the form of boolean digits. There is no distortion, noise or error intro- duced in playback or recording. What you hear is what you get. Therefore, DAT's are the ideal and perhaps really the only method of recording fax transmissions. Once the transmission is on tape, there are two choices: either feed it into a fax modem and into a computer where it can be stored and manipulated, or feed it directly into a fax machine. In either case the information should come down a phone line. The simplest way to do this, if one has access to two phone lines, is to unscrew the mouthpiece and clip a jumper cable from the output of the DAT directly into the telephone line, dial up the other phone line and run it into the computer or fax machine. However, a very nice alternative is to employ your own central office in the form of a VIKING Phone Line Simulator. For about $ 100 this liffle device provides a carrier that makes any phone think it's hooked up to central office and another telephone. Signals, voice and data can be fed into the simulator and will come out at line level at the output. If the resulting signal is to be fed into a computer, the carrier on the modem should be turned off so it will not respond with a carrier of its own when receiving the target's communications resulting in interference. If a Hayes equivalent modem is used, the signal sequence to put it into the monitor mode so it will still receive data without a carrier are as follows- FOR ORIGINATE: AT C0 S10=255D FOR ANSWER: AT C0 S10=255A This turns off the carrier and sets the modem to ignore the carrier loss. The output of the DAT can be fed into a fax machine, and with a little bit of practice one can use the pause button in order to time the handshake sequence setting up the fax machine to receive the intercepted transmis- sion just as if it were the receiving end fax. As long as the machines sync up with regard to baud rate and protocol, it will reproduce the fax communication. This procedure will also work for data communications between two computers. Instead offeeding the result into a fax, simply feed it into your modem. In fact, modem transmission which is frequency shift keying and less subject to distortion than phase shift keying, can often be reproduced, by a high quality reel-to-reel tape recorder. Or yo can get the 'DATA TAP' program that will soon be avaible through out the computer underground, this program allows on to TAP into various lines with a stand alone unit or use of a laptop, the program is expected to be released in Jan. of 94. It's written by The Raven and IBMMAN of The High Tech Hoods. For an other info. contact them.