💾 Archived View for spam.works › mirrors › textfiles › hacking › issm301.hac captured on 2023-11-14 at 09:54:44.

View Raw

More Information

⬅️ Previous capture (2023-06-14)

-=-=-=-=-=-=-

??????? Information???????????????????????????????????????????????????
?                          ????   ??????  ??????   ???       ???     ?
??????? Systems ??????????? ?? ?? ???? ?? ???? ??? ????? ?? ???? ?????
?                           ??    ??????  ??????   ?????????????     ?
??????? Security ?????????? ?? ????? ??? ??? ??? ? ??? ???? ???? ?????
?                          ????   ??????  ??????   ???       ???     ?
??????? Monitor ??????????????????????????????????????????????????????

Dedicated to the pursuit of security awareness..............

======================================================================
Volume 3 Number 1                                         January 1993
======================================================================


In This Issue:

Securing Your Phone Switch

Virus Alert

Social Security Numbers & Privacy

Clyde's Computer Security Hall of Fame

Dear Clyde

COMMCRYPT Lives

Computer Speak

Computer Security Day Slogan Contest Winners


The ISSM is a quarterly publication of the Department of Treasury,
Bureau of the Public Debt, AIS Security Branch, 200 3rd Street,
Parkersburg, WV 26101  (304) 420-6368

Editors:   Ed Alesius
              Kim Clancy
              Joe Kordella
              Jim Heikkinen
              Mary Clark




Securing Your Phone Switch

By Dave Goldsmith, a student at Rockland Community College. He is
working towards a degree in Computer Science. His hobbies include
learning other technologies to include telephone systems and
switches. He also edits an electronic magazine that focuses on
computer technology issues.

   "If it has a dialup, a hacker can abuse it".  This, as some
companies have already found out, applies to the System 75
telephone system.  Hackers have, within the last year, figured out
how to penetrate and manipulate a System 75.  This gives them
complete control over your PBX.  If you allow them to get access to
the controller, they will end up setting up a DISA (Direct Inward
System Access), and make outgoing phone calls on YOUR bill.  This
can result in thousands of dollars in fraudulent telephone calls,
that you are going to have to pay.  Even if you decide to battle it
out in courts, it is going to cost. In this article, I plan to
outline the steps to secure your System 75.  
   One question you should ask yourself is "Do I really need DISA
on my system?".  I highly discourage having DISA, as it increases
the chance of being a victim of toll fraud.  If it is vital for
your employees to use DISA, then I suggest that you have a barrier
code of at least 7 digits.  Any less then that is a definite
security risk.  
   If a hacker has already penetrated your system, there are some
tell-tale signs.  Logon to your system and type 'DISPLAY
REMOTE-ACCESS' followed by a carriage return.  If you haven't set
up a DISA, then there shouldn't be an extension number.  If there
is one, type 'CHANGE REMOTE-ACCESS' and remove the extension.  That
will remove the DISA, and is the start of locking the hacker out of
your system.  Your next step will be to change the passwords on ALL
of the accounts.  The common login/password combinations that
hackers use are:

     cust        custpw
     rcust       rcustpw
     browse      looker
     craft       craftpw

   It is my recommendation that you change ALL of the passwords on
the system.  Be warned, you should change the passwords to
something alpha numeric, and it should be something personal, so a
hacker can't attempt to brute force any of the accounts.  If you
find that you can't change browse's password, don't despair.  Login
under one of the higher level accounts, and type 'CHANGE
PERMISSIONS BROWSE'.  Then strip browse of all of its privileges. 
This will keep hackers from displaying remote-access and finding
out where your DISA is, if you have one.  
   To ensure system security, it is suggested that you DISPLAY
REMOTE-ACCESS on a fairly regular basis, just to make sure that
your system remains untouched.  

Editors Note: Issue 41 of Phrack magazine was recently released and
contains another article on hacking this phone switch.  Phrack 41
is available on the AIS BBS.  Information on the BBS can be found
on Page 4.





Virus Alert

   Free diskettes distributed by the Cobb Group at the Federal
Computer Conference December 8, 9, or 10, may contain a virus which
is very difficult to detect.  One diskette has a blue label with
the words "DOS/Software Connection" in large print.  The other has
a red label with the words "Windows/ Software Connection" in large
print.  If you or anyone you know has received such a diskette,
please do not use it in any computer.  The virus detection software
installed on your computer will not detect the virus.  Bring the
diskette to your Information Systems Security Manager (ISSM) or
call the AIS Security Branch at (304) 420-6355.



                           

Social Security Numbers & Privacy

by Chris Hibbert
Computer Professionals for Social Responsibility
Reprinted with permission from 2600 Magazine 

(Kim Clancy was recently training Public Debt employees in
Washington D.C. on computer security.  Her approach to computer
security training is to first convince class participants that the
information they are being asked to protect is worthy of
protection.  She mentioned the following article regarding the
protection of social security numbers and stated that it is
important that as employees of Public Debt we understand the value
of a social security number, both for our clients protection and
also on a personal basis for our own protection.  Many members of
the class requested a copy of the following article initially
published in 2600 magazine (it was also published in Phrack issue
35).  We have received permission from 2600 to reprint the article.)


   Many people are concerned about the number of organizations
asking for their Social Security Numbers.  They worry about
invasions of privacy and the oppressive feeling of being treated as
just a number.
   Unfortunately, I can't offer any hope about the dehumanizing
effects of identifying you with your numbers.  I *can* try to help
you keep your Social Security Number from being used as a tool in
the invasion of your privacy.
   Surprisingly, government agencies are reasonably easy to deal
with; private organizations are much more troublesome. Federal law
restricts the agencies at all levels of government that can demand
your number and a fairly complete disclosure is required even if
its use is voluntary.  There are no comparable laws restricting the
uses non-government organizations can make of it, or compelling
them to tell you anything about their plans.  With private
institutions, your main recourse is refusing to do business with
anyone whose terms you don't like.

Short History

   Social Security numbers were introduced by the Social Security
Act of 1935. They were originally intended to be used only by the
social security program, and public assurances were given at the
time that use would be strictly limited.  In 1943 Roosevelt signed
Executive Order 9397 which required federal agencies to use the
number when creating new record-keeping systems.  In 1961 the IRS
began to use it as a taxpayer ID number.  The Privacy Act of 1974
required authorization for government agencies to use SSNs in their
data bases and required disclosures (detailed below) when government
agencies request the number.  Agencies which were already using SSN
as an identifier were allowed to continue using it.  The Tax Reform 
Act of 1976 gave authority to state or local tax, welfare, driver's
license, or motor vehicle registration authorities to use the number
in order to establish identities. The Privacy Protection Study 
Commission of 1977 recommended that the Executive Order be repealed
after some agencies referred to it as their authorization to use SSNs.
I don't know whether it was repealed, but that practice has stopped.
   The Privacy Act of 1974 (5 USC 552a) requires that any federal,
state, or local government agency that requests your Social
Security Number has to tell you three things:

     1.  Whether disclosure of your Social Security Number is
required or optional;

     2.  What law authorizes them to ask for your Social Security
Number; and,

     3.  How your Social Security Number will be used if you give
it to them.

   In addition, the Act says that only Federal law can make use of
the Social Security Number mandatory.  So anytime you're dealing
with a government institution and you're asked for your Social
Security Number, just look for the Privacy Act Statement.  If there
isn't one, complain and don't give your number.  If the statement
is present, read it.  If it says giving your Social Security Number
is voluntary, you'll have to decide for yourself whether to fill in
the number.

Private Organizations

   The guidelines for dealing with non-governmental institutions
are much more tenuous.  Most of the time private organizations that
request your Social Security Number can get by quite well without
your number, and if you can find the right person to negotiate
with, they'll willingly admit it.  The problem is finding that
right person.  The person behind the counter is often told no more
than "get the customers to fill out the form completely."
   Most of the time, you can convince them to use some other
number.  Usually the simplest way to refuse to give your Social
Security Number is simply to leave the appropriate space blank. 
One of the times when this isn't a strong enough statement of your
desire to conceal your number is when dealing with institutions
which have direct contact with your employer.  Most employers have
no policy against revealing your Social Security Number; they
apparently believe the omission must have been an unintentional 

Lenders and Borrowers

   Banks and credit card issuers are required by the IRS to report
the SSNs of account holders to whom they pay interest or when they
charge interest and report it to the IRS.  If you don't tell them
your number you will probably either be refused an account or be
charged a penalty such as withholding of taxes on your interest.

Insurers, Hospitals, Doctors

   No laws require medical service providers to use your Social
Security Number as an ID number (except for Medicare, Medicaid,
etc).  They often use it because it's convenient or because your
employer uses it to certify employees to its groups health plan. 
In the latter case, you have to get your employer to change their
policies.  Often, the people who work in personnel assume that the
employer or insurance company requires use of the SSN when that's
not really the case.  When my current employer asked for my SSN for
an insurance form, I asked them to try to find out if they had to
use it.  After a week they reported that the insurance company had
gone along with my request and told me what number to use.  Blood
banks also ask for the number but are willing to do without if
pressed on the issue.  After I asked politely and persistently, the
blood bank I go to agreed that they didn't have any use for the
number, and is in the process of teaching their receptionists not
to request the number.

Why Is The Use of Social Security Numbers A Problem? 

   The Social Security Number doesn't work well as an identifier
for several reasons.  The first reason is that it isn't at all
secure; if someone makes up a nine-digit number, it's quite likely
that they've picked a number that is assigned to someone.  There
are quite a few reasons why people would make up a number: to hide
their identity or the fact that they're doing something; because
they're not allowed to have a number of their own (illegal
immigrants, e.g.), or to protect their privacy.  In addition, it's
easy to write the number down wrong, which can lead to the same
problems as intentionally giving a false number.  There are several
numbers that have been used by thousands of people because they
were on sample cards shipped in wallets by their manufacturers (one
is included below).
   When more than one person uses the same number, it clouds up the
records. If someone intended to hide their activities, it's likely
that it'll look bad on whichever record it shows up on.  When it
happens accidently, it can be unexpected, embarrassing, or worse. 
How do you prove that you weren't the one using your number when
the record was made?
   A second problem with the use of SSNs as identifiers is that it
makes it hard to control access to personal information.  Even
assuming you want someone to be able to find out some things about
you, there's no reason to believe that you want to make all records
concerning yourself available.  When multiple record systems are
all keyed by the same identifier, and all are intended to be easily
accessible to some users, it becomes difficult to allow someone
access to some of the information about a person while restricting
them to specific topics.

What Can You Do To Protect Your Number?

   If despite your having written "refused" in the box for Social
Security Number, it still shows up on the forms someone sends back
to you (or worse, on the ID card they issue), your recourse is to
write letters or make phone calls.  Start politely, explaining your
position and expecting them to understand and cooperate.  If that
doesn't work, there are several more things to try:

     1.  Talk to people higher up in the organization.  This often
works simply because the organization has a standard way of dealing
with requests not to use the SSN, and the first person you deal
with just hasn't been around long enough to know what it is.

     2.  Enlist the aid of your employer.  You have to decide
whether talking to someone in personnel, and possibly trying to
change corporate policy is going to get back to your supervisor and
affect your job.

     3.  Threaten to complain to a consumer affairs bureau.  Most
newspapers can get a quick response.  Some cities, counties, and
states also have programs that might be able to help.

     4.  Tell them you'll take your business elsewhere (and follow
through if they don't cooperate).

     5.  If it's a case where you've gotten service already, but
someone insists that you have to provide your number in order to
have a continuing relationship, you can choose to ignore the
request in hopes that they'll forget or find another solution
before you get tired of  the interruption.

   If someone absolutely insists on getting your Social Security
Number, you may want to give a fake number.  There is no legal
penalty as long as you're not doing it to get something from a
government agency or to commit fraud.  There are a few good choices
for "anonymous" numbers. Making one up at random is a bad idea, as
it may coincide with someone's real number and cause them some
amount of grief.  It's better to use a number like 078-05-1120,
which was printed on "sample" cards inserted in thousands of new
wallets sold in the 40s and 50s. It's been used so widely that both
the IRS and SSA recognize it immediately as bogus, while most
clerks haven't heard of it.  It's also safe to invent a number that
has only zeros in one of the fields. The Social Security
Administration never issues numbers with this pattern.  They also
recommend that people showing Social Security cards in
advertisements use numbers in the range 987-65-4320 through
987-65-4329.
   The Social Security Administration recommends that you request
a copy of your file from them every few years to make sure that
your records are correct.



                                    
CLYDE'S Computer Security Hall of Fame

   The Savings Bond Operations Office (SBOO) Division of Accounts
and Reconcilements (DAR) has been inducted to the Computer Security
Hall of Fame.


   The SBOO/DAR's dedication to the Bureau of Public Debt's
computer sercurity program has consistently been evident in all
aspects of their computer security administration.  SBOO/DAR
ISSM's, Glenn Siber, Liz Abram, Sharon Abbott, Don Hainkel, and Tom
Jamison have pioneered the ISSM's role in administering computer
access capabilities by being the initial ISSM group to interact
with the AIS Security Branch in administering user logonid password
resets, reviews, etc. utilizing ACF2 software.
   SBOO/DAR ISSMs have promoted security awareness training not
only to their own personnel through distribution of the ISSM
newsletter, but also distribute copies of the newsletter to all of
the FRBs.  They have consistently dedicated their time and
resources to ensure that computer security awareness and computer
security issues are addressed not only throughout their
organization, but also others that interface with the Bureau.   
   SBOO/DAR's dedication, interest, and leading edge participation
to all aspects of the Bureau of the Public Debt's computer security
program is of the type that makes any undertaking successful.

Submitted by Kim Clancy, Manager of the AIS Security Branch, and Ed
Alesius





"Dear Clyde;"

(Responses to questions for those who are searching for the truth.)

Dear Clyde;

   One day, while I was away from my desk, someone sent an E:Mail
message to my boss that said "Bite It".  Since it was sent from my
PC, my boss thought I had sent the message.  Needless to say, I was
in big trouble with the boss.  Isn't it an invasion of my privacy
for someone else to use my CC:mail?

Miss Imin Bigtrouble

Dear Imin,

   Yes it is an invasion of your privacy when someone else uses
your CC:mail, however you can easily prevent this type of invasion
by simply remembering to secure your PC whenever you are leaving
the area.  If you log out, or activate software that requires your
password to be entered prior to your PC being able to be used, you
will prevent this type of situation.
   Remember to protect your logonid as you would your credit card. 
Don't make it available for someone elses use, the consequences can
be very expensive.


Send your comments or questions to Clyde c/o the AIS Security
Branch in Parkersburg, Room 1013, or leave them in Clyde's mailbox
located on the Security bulletin boards throughout the Parkersburg
office.





COMMCRYPT Lives!

by Jim Heikkinen

"SCANNER" grafted to Public Debt network servers! 

   During the month of December, an ad hoc group consisting of Jim
Heikkinen, Joe Kordella (Security Branch), Richard Montalbano, and
Dave Frietsch (LAN Committee) sucessfully developed and implemented
a plan that will scan the Bureau's NOVELL network file servers for
viral infestations. 
   The plan called for installation of an anti-virus software
package named COMMCRYPT, and was to be carried out in two phases. 
   Phase one called for the continuous scanning of each server for
viruses.  This was accomplished with the installation of Scan Plus,
one of the two main ingredients in COMMCRYPT.  The implementation
of this phase was accomplished by December 14.  The second and
final phase, the installation of Detect Plus, was in place two days
later on Wednesday, December 16th.  This phase consists of
comparing the "signatures" of executable files of each server
against those previously captured in a hopefully virus-free file
list called a "watchlist".
    Should either Scan Plus or Detect Plus encounter suspicious
activity, a notice is automatically sent to the Help Desk for
immediate resolution.
   Prior to the installation of COMMCRYPT, a user-centered scheme
relied heavily on the individual computer user as the first line of
defense against viral infection.  Security awareness programs are
in place that promote the use of virus detection software, etc.,
and have been regarded as generally successful.
   Recently however, the server-centered philosophy suggested the
computer user should, but might not always offer the level of
protection needed to continually safeguard every BPD network.
   COMMCRYPT will provide that protection at a minimal cost in
server performance. 
   An expanded team has been developed to review network scanners
recently released on the market to ensure that the greatest level
of protection is provided for Public Debt computer resources. 




COMPUTER SPEAK 

COMPUTER TERMS AND THEIR MEANINGS

scanner..........   Software that is designed to help identify
                    viruses within files, boot sectors, partition
                    tables, memory, and other hiding places; to
                    name them; and potentially to help remove
                    them.

PBX..............   A telephone system operating within one
                    building, company, etc. and having outside
                    telephone lines.

access controls..   Restrictions on the ability of a subject
                    (e.g., a user) to use a system or an object
                    (e.g., a file) in that system.  Such controls
                    limit access to authorized users only.  Access
                    control mechanisms may include hardware or
                    software features, operating procedures,
                    management procedures, or any combination.


                                

Computer Security Day Slogan Contest Winners

Congratulations!  The following are the award winning Computer
Security Slogans that were submitted by ISSM Newsletter readership. 
The slogan selection committee was so impressed with the quality of
the slogans that they unanimously decided to award a prize to each
entrant.......


Brenda McFarland; DTRA-3

     Keep your PC secure, 
     And don't ever slack,    
     Or you could be the victim
     Of a big hack attack.                             

Barb Milliron; DDS/Data Retrieval

     A virus is to a computer
     What AIDS is to a human.
     Protect your computer
     As you would yourself.

Ken Kirby; OAIS/ASD/WTB                       

     Security and Securities                      
     You have to invest.                          

Becky Marks; OA/Search & File

     As the day enters night
     Your machine enters QUIeT.

Rick Montalbano; DPC/Communications Branch        

     Your data, Your job... Protect them both.              

     A BPD man shared his password                
     In security, felt his was the last word.               
     A disgruntled employee                       
     Logged into his PC.
     His now scrambled is data back-s-wards!


Kaye Dobson; DTS/Software Branch

     Keep it SHUT
     Lock it UP!

     Keep it Clean
     Clear the Screen.                  


Lee Ohringer; Engraving & Printing

     PSSST.  Can you keep a secret?  Begin with your password.

     At BPD we Backup and Protect our Data.

     Don't let them "Read your bits" -- Logoff and lock up.

     Comp?ter sec?rity is not right without "U".


Patina V. Waters; Securities Audit Section

     A password unprotected is an invitation for data elimination.

     Disks on the go can carry viruses unknown.


Steve Berenson/Mary Davis-Demick; DPPA

     Protect your PC: Practice safe software.




The AIS Security Branch Runs an Electronic BBS. Give us a call at
(304) 420-6083. An electronic version of the ISSM is posted on the
board and can be downloaded. Articles in the electronic version may
include more detail in that we are not limited by space constraints
as we are in the paper copy. 


Downloaded From P-80 International Information Systems 304-744-2253