k-1ine_07
.;..;. .;..;. . ;. . . .;; . ... .; ;...;
.' . ; ;.. .;. ..
.;;. .;..;. ttt ttt .;..;. .;...
..; NNN NNNN .;..;. ttttttttt ttttttttt .;.
. NNNN NNNN ttt ttt .;..;..;..;. ...;
;. NNNNN NNNN ttt .;..;. ttt .;..;. ..;
..; NNNNNN NNNN eeeeeeee ttt ttt .;
.. NNNNNNNNNNN eee eee ttt ttt _---_---_--- .;
.; NNNN NNNNNN eeeeeeee ttt .;. ttt W E R K E D >>> .;;;.
. NNNN NNNNN eee ttt ttt _---_---_--- . ;
. ;.; NNNN NNN eeeeeeee ttt ttt .;..; . .;.;. .;;;.
..;
--/-/-///--- _-- [ K - 1 i n e #7 ] --_ ---\\\-\-\-\--
'It Comes On Anyhow'
_)##vol.3####$.;..;..;..;. .;..;. .;..;. .;..;..;..;. .;..;. .;..;. .;..;.
:: ::
`:==--::--==--::--==--::--==--::--==--::--==--::--===?:--::--==--::--==--::--=:'
^ ^
^ September 2000 ^
^ ^
*: :*
*: :*
*: [-] Introduction .......................................... The Clone :*
*: (-) Contact Information ................................... The Clone :*
*:-=><=--=><=--=><=--=><=--=><=--=><=--=><=--=><=--=><=--=><=--=><=--=>y4y<=:*
[Main Menu;]
*: (x) 'Anyone with a Screwdriver Can Break In!' ............. Jay Beale :*
*: (x) 'OB Duct Tape Hack' ................................... Kira Brown :*
*: (x) 'Walk' ................................................ D.M.S. :*
*: (x) 'Hacker Hypocrisy; @Stake/L0pht' ...................... The Clone :*
*: (x) 'Model 001 Payphone Programming Guide' ................ Nettwerked :*
*: (x) 'PBX Access Total' .................................... Flopik :*
*: (x) 'US NATIONAL PARTYLINE NUMBERS' ....................... Kybo_Ren :*
*: (x) 'Rogers/AT&T Pay-As-You-Go Billing Vulnerability' ..... The Clone :*
*: (x) 'A Guide to General Packet Radio Service' ............. N&N :*
*: (x) 'DND Non-Public Network and Workstation Security' ..... PsychoSpy :*
*: (x) 'DND WAN DNet Architecture' ........................... PsychoSpy :*
*: (x) 'How Non-Public DND Information Was Easily Compromised' PsychoSpy :*
*: (x) 'Miklos Adventure at Graybar' [love this article!] ... Miklos :*
*: [-] Credits ............................................... The Clone :*
*: [-] Shouts ................................................ The Clone :*
*: :*
*: :*
*: :*
*: :*
.
.
.
=-=-
==
-= - . -= = =- -= -
.;. .;..;..;..;. .;. ;;;; .;.;..;.. .;..;. .;..;. .;..;. .;..;. .;..;.
.;..;..;..;..;..;..;..;. .;..;. .;..;..;..;. .;..;. .;..;. .;..;.
- - = - -= = - .,. ,. -= =-
= = - .,. , - , ,. , =- -=
[][][ PERSONAL ADS: ][][]
--
Brand New Telephone Related Archive;
'Telecom File Archive' -- www.nettwerked.net/TFA/TFA.html
--
Brand New Organization;
'Canadian Phreakers Union' (FAQ) -- www.nettwerked.net/TFA/cpu_faq.html
--
.;..;..;..;..;..;..;..;.;..;.. .;..;. .;..;. .;..;. .;..;. .;..;.
.;.. .;. .;..;. .;..;.
== - , , ;; ;: ; ; / ; / ; ; ; ; / ;/;/; / ; / ; ;;
.;..;..;..;..; ..;.;..;.. .;..;. .;..;. .;..;. .;..;. .;..;.
.;..;..;..;..;..;..;..;. .;..;. .;..;..;..;. .;..;. .;..;. .;..;.
.;..;..;..;..;..;..;..;. .;..;. .;..;..;..;. .;..;. .;..;. .;..;.
.;..;..;..;..;..;..;..;. .;..;. .;..;..;..;. .;..;. .;..;. .;..;.
brian had tailored his intestinal flora to allow him to remix music
biologically...
.;. .;..;..;..;. .;..;. .;..;..;..;. .;..;. .;..;. .;..;.
.;..;..;..;..;..;..;..;. .;..;. .;..;..;..;. .;..;.
.;.;..;. .;..;. .;..;..;..;. .;..;. .;..;. .;..;.
.;..;..; Great, smashing, super. .;.;;. ;. ;; ;; ;.;..;
..;..;..;..;..;. .;..;. .;..;..;..;. .;..;. .; .. ; . ;. ; .,l,l,,,l;?quirk
;..;. .;..;. .;..;..;..;. .;..;. .;..;. .;..;.
;..;. .;..;. .;..;..;..;. .;..;. .;..;. .;..;.
;..;. .;..;. .;..;..;..;. .;..;.
;..;. .;..;. .;..;..;..;. .;..;.
;..;. .;..;.;..;. .;..;.
;..;. .;..;.;..;.
;..;. .;..;.
;..;. .;..;.
;..;. .;..;.
.;..;.
.;..;..;..;..;..;..;..;
.; Introduction .;
`.;..;..;..;..;
- BEGINNING OF CHEESY INTRO -
Welcome to the September edition of K-1ine -
Oooo summer is over... back to school, kiddies!
Alright, this is the seventh issue and third volume of K-1ine...
the issues keep jumping numbers and growing & growing in submission size...
what can I say - I'm impressed!
Keep those rockin' articles coming, and I'll continue to compile them!
Enjoy this far-out issue!
- END OF CHEESY INTRO -
Contact --
Comments/Questions/Submissions: theclone@haxordogs.net
Check out my site: (Nettwerked) http://www.nettwerked.net
Shoot me an ICQ message: (UIN) 79198218
___
Anyone with a Screwdriver Can Break In!
By: Jay Beale -- jay@bastille-linux.org
August 28, 2000 - This article will discuss the second weakest layer
of computer security [1], Physical Security. As we'll see, any
attacker with physical access to a computer, a little ingenuity, and
sufficient time can compromise the system.
By way of example, I'll demonstrate attack and defense on a Red Hat
Linux box and show how you might slow down, or even prevent, these
kinds of attacks. You don't need a Linux machine, or even technical
responsibility, for this article to be useful. This problem is
independent of operating system and this article is general enough to
be useful to every level of computer user. Be warned, though - you'll
probably only be able to slow down a determined attacker.
Breaking in Through the LILO Prompt
If you boot a Red Hat Linux 6.x system right now, you can boot into
single user mode like this:
LILO: linux single
This will place the machine in Runlevel 1, or single-user mode. You'll
be logged in as the superuser, root, and you won't even have to type
in a password! This is not a backdoor, as such - this mode is
generally used for system maintenance, which is a good idea. Requiring
no password to boot into root here is probably a bad idea!
You can fix this by editing /etc/inittab. Insert the following line,
right after the "initdefault" line:
~~:S:wait:/sbin/sulogin
This will require a password to boot into single-user mode by making
init run sulogin before dropping the machine to a root shell. sulogin
requires the user to input the root password before continuing.
So, what if we've password-protected single-user mode? Well, you can
still have root on the machine if you type:
LILO: linux init=/bin/bash
This boots the Linux kernel, but runs the Bourne-Again-Shell (bash) as
the first (non-kernel) process, in place of init. Since the kernel
runs init as the root user, this shell is run as root. You now have an
instant rootshell!
OK, so how do we stop this and attacks like it? We really should
restrict who gets access to the LILO prompt.
LILO permits this, natively. First, we can password-protect the LILO
prompt, so an attacker can't add options to the LILO prompt without
typing a password. To add a password to the LILO prompt, just choose a
password, and place the following lines in the top of the
/etc/lilo.conf file:
restricted
password=SOME_PASSWORD_YOU_CHOOSE
We can also protect the LILO prompt by setting the delay time to 1
millisecond, providing an attacker with insufficient time to add
options [2]. You can accomplish this by editing /etc/lilo.conf and
then re-running lilo. Comment out any lines that read "prompt" by
placing a # in front of them. Then insert the line:
delay=1
near the top of the file. Once you're done, make sure to re-run lilo
to effect your changes, by typing lilo at the root prompt. Type man
lilo and man lilo.conf to learn more about the LILO Linux [kernel]
Loader.
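As an added example (not part of Jay Beale's article and not Bastille Linux code), here is an offline audit of the two files this section edits, run against constructed sample copies of /etc/inittab and /etc/lilo.conf; the sample contents and the function names are my own.

```python
# Constructed sample files (not taken from the article): /etc/inittab and
# /etc/lilo.conf for a Red Hat 6.x box as first described, and the same two
# files after the fixes above have been applied.
INITTAB_WEAK = """\
id:3:initdefault:
si::sysinit:/etc/rc.d/rc.sysinit
l1:1:wait:/etc/rc.d/rc 1
"""
INITTAB_HARD = """\
id:3:initdefault:
~~:S:wait:/sbin/sulogin
si::sysinit:/etc/rc.d/rc.sysinit
l1:1:wait:/etc/rc.d/rc 1
"""
LILO_WEAK = """\
boot=/dev/hda
map=/boot/map
install=/boot/boot.b
prompt
timeout=50
image=/boot/vmlinuz-2.2.16
    label=linux
    root=/dev/hda5
    read-only
"""
LILO_HARD = """\
boot=/dev/hda
map=/boot/map
install=/boot/boot.b
restricted
password=SOME_PASSWORD_YOU_CHOOSE
#prompt
delay=1
image=/boot/vmlinuz-2.2.16
    label=linux
    root=/dev/hda5
    read-only
"""


def single_user_needs_password(inittab_text):
    """True if init runs sulogin in runlevel S, so 'linux single' asks for
    the root password instead of dropping straight into a root shell."""
    for raw in inittab_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":", 3)            # id:runlevels:action:process
        if (len(fields) == 4 and "S" in fields[1] and fields[2] == "wait"
                and fields[3].split()[:1] == ["/sbin/sulogin"]):
            return True
    return False


def lilo_global_options(lilo_text):
    """Parse the global section of lilo.conf (everything before the first
    image= or other= stanza) into {option: value}; bare keywords map to ''."""
    options = {}
    for raw in lilo_text.splitlines():
        line = raw.split("#", 1)[0].strip()    # a leading '#' disables the line
        if not line:
            continue
        key, _, value = line.partition("=")
        key, value = key.strip(), value.strip()
        if key in ("image", "other"):
            break                              # per-image options start here
        options[key] = value
    return options


def audit_lilo_prompt(lilo_text):
    """Check the three lilo.conf changes recommended above."""
    opts = lilo_global_options(lilo_text)
    delay = opts.get("delay", "")
    return {
        "password_set": bool(opts.get("password")),
        "restricted": "restricted" in opts,
        "prompt_disabled": "prompt" not in opts,
        "short_delay": delay.isdigit() and int(delay) <= 1,
    }


def audit_boot_hardening(inittab_text, lilo_text):
    """Combine both files into one report; 'hardened' is True only when every
    check passes. A real run would read the two files from /etc and must still
    re-run lilo afterwards, which an offline check cannot verify."""
    report = audit_lilo_prompt(lilo_text)
    report["single_user_password"] = single_user_needs_password(inittab_text)
    report["hardened"] = all(report.values())
    return report


if __name__ == "__main__":
    for name, files in (("weak", (INITTAB_WEAK, LILO_WEAK)),
                        ("hardened", (INITTAB_HARD, LILO_HARD))):
        print(name, audit_boot_hardening(*files))
```

Because password= is stored in clear text, /etc/lilo.conf should be readable by root only (lilo itself warns about this), and lilo.conf(5) documents delay in tenths of a second, so delay=1 leaves a 0.1 s window rather than a 1 ms one.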
OK, so we've secured lilo - have we completely locked an attacker out
of superuser access? Sadly, we haven't, because an attacker with
physical access can...
Boot Via a Floppy/CD-ROM/Other Bootable, Removable Medium
Well, if your computer has a floppy or CD-ROM drive, an attacker can
usually boot the system from a bootable floppy/CD-ROM. I carry around
a Tom's Root Boot disk in my laptop case, for occasions where someone
forgets their root password (or a machine is too munged to boot
properly). I boot the system from my Linux floppy disk, and then mount
the drive, like this:
# mkdir /jay
# mount /dev/hda5 /jay
# vi /jay/etc/passwd
Since I booted with my own floppy disk, I'm root on the machine. If
the drive isn't encrypted, I can mount it (as above), edit the passwd
file, and create myself a root equivalent account, by adding a line
like this:
jay::0:0:Security Admin:/:/bin/bash
This creates a non-passworded root-equivalent account named
'jay'. From here, I can repair the damage to the box, delete
the account and go about my business.
Unfortunately, an attacker can use the same technique illegitimately
to quickly root a box. We can prevent this, initially, by restricting
the machine to booting only off the hard drive. This technique is
useless if the computer won't boot off a floppy/CD-ROM.
You can generally configure boot options via your computer's
battery-backed NVRAM, EEPROM, CMOS, or such. On Intel x86 hardware,
turn your machine off and then, as it boots, press whatever key (Esc,
F1, F2...) puts you into your BIOS's configuration menu. Find the boot
sequence option and set the hard drive as the only boot device. Now,
when the option is saved, try to boot off a floppy. This should be
impossible.
OK, so now an attacker can't simply insert a floppy disk to root the
box, nor can he get easy access through the LILO prompt. Does he have
other methods? Of course! He can...
Remove the Boot Device Restrictions!
A knowledgeable attacker, upon finding that he can't boot from
removable media, will simply follow the same procedure you just did,
simply changing the boot device list back! Well, we can combat this
too, but by now you should be seeing the two primary effects of these
measures:
1. Stop less knowledgeable attackers by knowing just a little more
than them.
2. Slow down and deter the knowledgeable attacker.
We'll talk about these later - I just didn't want you to lose hope
halfway through the article...
So, the attacker can undo the change we just made to your system's
boot restrictions. Well, most systems, including Intel-based hardware,
allow you to set a password on the NVRAM, EEPROM, CMOS or whatever.
This is an easy option to find, yet still an easy one to neglect.
Place a password on your system's BIOS.
This, combined with the options above, will stop a large percentage of
attackers dead in their tracks. The remaining few might...
Remove the BIOS/NVRAM/.../CMOS Password!
OK, our attacker is annoying. He's also burning plenty of time. If he
can get sufficient access, he might be able to use a tool to discover
the BIOS password from inside Linux. Usually, he can't do this.
Instead, since he has physical access, he can take the simpler
approach. On Intel hardware, the CMOS/BIOS configuration is maintained
via a small battery, often similar to a watch battery. If you
disconnect this battery for a few moments, the RAM blanks, and the
system forgets its password.
While some systems then default to a manufacturer's password, there
are online tables of these which our attacker can probably consult
and/or partially memorize.
What do we do here? Well, we can place a lock on the case, so it can't
be easily opened. With time, and tools, these locks can be picked or
broken. Further, the attacker might be able to compromise the lock by
harming the case directly... Still, the lock (and strong case) will
slow him down and may deter him to the extent that he leaves. Further,
you might just remove the floppy drive, CD-ROM drive, and any other
external drive/disk mount ports (Zip disk, parallel port...). What
then?
Remount the Hard Drive on Another Machine!
Remember our mounting trick with the floppy disk from earlier? This
can be applied from another host! While this may seem impractical,
I'll note that I saw a deck-of-cards-sized computer just a few weeks
ago, at DefCon, that could be used for this very purpose. Boasting a
340MB hard disk, with a Red Hat Linux install and a free IDE port,
this ultra-portable computer could be used easily for this purpose.
Just plug the hard drive into this system or another system you've got
control of, and you've got somewhat-less-than-quick superuser access.
All we need, generally, is a screwdriver to open the target machine to
get at the hard drive! Again, the case locks can help here, but they
only serve to slow down a determined attacker.
So, suppose we're still working on stopping the determined attacker.
This guy is a total pain. The physical access makes the machine weak!
So, what if we could remove the physical access? We place the machine
in a locked room, with a steel door, hinged on the inside, with
multiple non-trivial locks. Only the monitor, mouse and keyboard are
accessible. We're truly safe now, right?
Well, don't start patting yourself on the back just yet. Check those
walls. Most of you secure your server rooms behind walls that don't
quite go up past the ceiling... What do I mean, you ask? Consider the
ceiling tiles around the room. Push one up, right near your inter-office
walls, and you might find plenty of crawl space over that wall into your
"secure" server room.
Once, when I locked myself out of my own office, I was told to use
this space to unlock the door from the inside. Most offices don't
think about this design in their physical security audit!
OK, OK, I'm getting a little outrageous by now, yes? Eh, it really
depends on how "secure" you need your computers to be. As I hope I've
shown, it truly is difficult to stop an attacker who has time and
unsupervised physical access to your computers. So, what do you do?
Remove the Opportunity and Deter the Attacker
You really can stop most attackers, simply by not providing them with
the unsupervised opportunity and time required to carry out an attack.
If you followed the path our attacker might take, you'd note that all
of this took time. He had to reboot the host several times. This all
takes time.
If you harden the LInux LOader (lilo) sufficiently, set boot device
restrictions and secure the method of changing such, our attacker will
be getting into the realm of opening his target computer's case,
possibly defeating locks along the way.
While this part takes time, it's also highly likely to be noticed by
anyone monitoring the area. If you've given physical access because the
target is in a computer lab, you can hire a lab monitor to watch for
anything this noticeable. If the physical access is accidental/unintended,
you can look into door locks, alarm systems, and perhaps even guards.
In any case, now that you understand the dangers, you'll be able to
think about this problem more carefully and choose the measures that fit
your organization.
Not Really a Losing Battle?
OK, so, against a determined attacker, with sufficient time and no
supervision, you've got little chance, right? Well, not quite. Most
attackers don't quite think of all of these methods, or don't have the
time/energy/wherewithal to apply them. Further, I would think that
most attackers wouldn't choose a method that might be so
time-intensive, when they can be caught on the scene.
So, work to foil all but the most capable attacker with the steps
above. Secure the operating system boot loader, the physical boot loader
(BIOS...) and the hardware itself. The few attackers left will require
lots of time to break in, which, along with fear of being caught, will
often provide an ample deterrent.
Really, deterring the attacker is the name of the game for many of us.
If we could get anywhere near to making a computer impossible to break
into, it would be considered fairly unusable by most. So, we
compromise. We remove all of the "easy" methods of breaking in, like
the 30-second LILO: linux single or boot floppy "exploits"
demonstrated above.
We try to go as many steps further as we can, without disrupting
normal use. If we can make our machines enough of a pain to root, most
attackers will go after someone else. The remainder we'll have to try
to catch or deter with other methods, like security systems and lab
monitors.
In the end, always remember, the attacker is a human being, with
plenty of potential for creativity and brilliance. Don't underestimate
him/her!
Good luck!
Footnotes
1. The absolute weakest layer of computer security is widely believed
to be the social, or "people," layer. Crackers like Kevin Mitnick
often broke in simply by calling users, pretending to be system
administrators, and asking said users for their passwords.
2. By the way, Bastille Linux can perform both of these steps for
you. (Wink, wink, plug, plug)
____
OB Duct Tape Hack
Date: Sun, 03 Sep 2000
kira@linuxgrrls.org
ObDuctTapeHack: If you get the wooden storage racks from the children's
section of Ikea, the plastic boxes that go with them make excellent
top-box luggage containers for motorbike usage. Just takes a little
tape to stick the top on.
ObThat'sTooObviousHack: I used duct tape to stick tagged 7/5AF cells
together to make a new pack for my Compaq LTE5100 ancient crappy laptop.
ObWhyNoWD40ThisTimeHack: WD40 makes an *excellent* polish for laminated
wooden desk surfaces...
ObHeyThisiMacIsKindofCool: when it's running LinuxPPC :-)
Kira Brown.
___
Walk
A moonless night awaits my journey
into the unknown, surrounded with the
terrifying sounds of silence and the thick
spring air thinking of careless times
and childhood freedom just to realize
the horror of times hold on humanity
as it ticks by; no stars to wish upon
desperately awaiting her smile, endless
travel through the overgrown path
sweat trickling down as nervousness
takes over the thought, breathing,
gasping, going nowhere, suddenly a
wind passes by my soul and
I start to shiver, droplets of
water begin to fall, showering
sounds take over the silence,
still walking this path, ending where
I began, I felt a warm moss touch
my back. Fear ran down my spine, but
alas, a hand touched mine, and gently
whispered "I'm here, I'll walk with you from now on."
My heart filled with happiness,
and as the sun came, I saw her smile.
- Dead Musicians Society
____
<theclone> hows tarzan?
<Semtex> small and shrinking I hear
<wildman> swinging around
<theclone> caught in a fan again?
<wildman> noop one of his cheetas is sick
____
Hacker Hypocrisy; @Stake/L0pht
- 09/05/00 -
RE: SecurityFocus News: AtStake jilts Phiber Optik
http://www.securityfocus.com/templates/article.html?id=79
You know, in regards to @Stake I really don't know what to think.
Here we are in the year 2000 talking about "hacker hypocrisy" and
what happens to a group of people (L0pht) who, until just recently stood
for something pure in our hacking sub-culture.
What happened?
When a multi-million-dollar venture capital is offered to a group of
people, who for the better part of the 90's relied on donations and
t-shirt/cd sales, and eventually, computer security consulting jobs to
break even -- well of course they're going to take it. I mean, who wouldn't
turn down a nice comfortable corporate career doing what they love?
Who would have thought that a group so respected in the hacking
scene would go about screwing over two of their own; Space Rogue (in June)
and now Phiber Optik? The same group who were once going against the grain,
doing their part for our culture and at the same time maintaining a
certain amount of respect have now sold out in a big big way.
It's one thing to take on a well paying job, but it's another to have it
interfere with what you love to do and have it ruin the friendships that
were built over the years.
Maybe it's me ranting about something I really don't know anything
about... disappointed in a group who I looked up to for so many years as
"heroes of the information age" - maybe it's the rebellious generation-X
all grown up?
Whatever it may be is irrelevant now -- the damage has been done, it
doesn't look like @Stake is bowing to hacking culture in any way at all.
---
The L0pht is no more, HNN is now very heavily saturated by the bureaucracy
of @Stake stockholder value rather than fair media reporting, and now it
seems they want nothing to do with any hacker convicted of ... hacking?
- The Clone
Nettwerked; "a web-site for the 780 undergr0und scene"
http://www.nettwerked.net
___
Model 001 Payphone Programming Guide
FEATURES:
* Coin operated line powered payphone.
* Keypad programmable.
* Multi coin phone: accepts nickels, dimes and quarters.
* Touch-tone dialing.
* Ringer On/Off switchable.
* Phone emits warning tone 15 seconds prior to end of call.
FACTORY PRESETS:
* Tone dialing
* Local calls: $0.25 for 3 minutes.
* Long distance calls: $0.75 for 1 minute.
* Information calls (1411/411): $0.50 for unlimited time.
* Restricted calls: operator, international, 1900, 1976, 976, and 1700.
* Free calls: 1800, 1888, 1877, and 911.
* Incoming calls for unlimited time.
* Allow 0+, calling cards, and credit cards calls.
* Pass Code: 000000
IMPORTANT:
It is recommended that you read the 001 user's manual prior to installing
and programming the phone.
TO INSTALL THE 001 PAYPHONE:
Simply plug the phone's line cord into a standard RJ11 outlet provided
by the phone company.
TO REMOVE THE COIN BOX:
Locate the metal tabs at the rear of the phone and pull the top tab back.
This will allow the coin box to be removed. To lock the coin box close the
tab and insert a pad lock (not provided with phone) between the two holes
of the tabs.
TO USE THE PAY PHONE:
1. Lift handset, LCD display will show HELLO
2. Dial desired phone number, the display will show the amount to be
deposited
3. Deposit the amount requested
4. Press talk button when other party answers
5. If you get a busy tone or a no answer signal, hang up the handset and
the money will be refunded
PROGRAMMING REFERENCE:
Note: All programming must be done in the program mode. The first
important thing you need to do is to change factory preset pass code.
For all programming press # to save the entry, press * to cancel.
To enter the program mode:
1. Enter # then the six digit pass code 000000, the display will show
FLASH then FREE
2. Enter preset pass code, *#000000, the display will show P-, you
are now in the program mode
To change factory pass code:
1. Enter *96 the display will show the old pass code
2. Enter your new 6-digit pass code
3. Enter # to confirm, display will show PASS
If you forget your pass code:
1. With the phone hung up, remove the tab underneath the base to
reveal the dipswitches
2. Dipswitches should be dipswitch-1 off, dipswitch-2 on, and
dipswitch-3 on
3. Put dipswitch-1 on and go off hook
4. Enter #000000 display will show FLASH then FREE
5. Enter *#000000 display will show P-
6. Put dipswitch-1 off
7. Enter *96 and your new 6-digit pass code, enter # to confirm and
display will show PASS
8. The pass code becomes your own 6-digit number.
To use Dipswitches:
- Dipswitch-1 resets pass code. It is used as above.
- Dipswitch-2 sets tone or pulse dialing. For tone dialing, put it on,
for pulse dialing, put it off.
- Dipswitch-3 sets ringer on or off.
To check the amount of money in the coin box:
1. Enter *97 the display will show the cash amount
2. Enter # to reset or enter * to exit
(Example: 00075 is $0.75, 00100 is $1, and 20000 is $200)
To erase old program settings:
1. Enter *99, display will show [99] CLr
2. Enter # to confirm, display will blink CLr ----, then show PASS
To set phone for PBX:
To set the phone to work on a PBX where you manually dial the prefix
(i.e. 0 or 9):
1. Enter *13
2. Enter 1 then your 1-digit extension
3. Enter # to confirm, display will show PASS
To set the phone to work on a PBX where it automatically dials the prefix
(i.e. 0 or 9):
1. Enter *13
2. Enter 2 then your 1-digit extension
3. Enter # to confirm, display will show PASS
To set phone for regular line: (preset by factory)
1. Enter *13
2. Enter 00
3. Enter # to confirm, display will show PASS
Incoming calls: (preset as unlimited time)
1. Enter *14
2. Enter your 2-digit time limit; it can be set for 01 minute to 98
minutes
3. Entering 00 will restrict incoming calls; entering 99 will allow
unlimited time on incoming calls
4. Enter # to confirm, or enter * to cancel
Example: To set incoming time limit to 5 minutes.
1. Enter *14
2. Enter 05
3. Enter # to confirm, display will show PASS
Free calls:
There are 20 different locations you can use to allow 20 different
free calls up to 12 digits. These locations are *40 thru *59.
To allow a particular number to be free enter any locations from
*40 thru *59.
Enter that particular number, if the number is less than 12 digits
enter # after the last number. Then enter # to confirm or enter * to cancel.
Example: To allow the number 281-550-5592 to be free.
1. Enter *45
2. Enter 2815505592#
3. Enter # to confirm, display will show PASS, or enter * to
cancel the entry.
Restrict calls:
There are 20 different locations you can use to restrict 19 different
numbers up to 12 digits. These locations are *20 thru *39. To restrict
a particular number enter any locations from *20 thru *39. Enter that
particular number, if the number is less than 12 digits enter # after
the last number. Then enter # to confirm or enter * to cancel.
Example: To restrict 011 calls.
1. Enter *28
2. Enter 011#
3. Enter # to confirm, display will show PASS, or enter * to cancel
the entry.
Rate bands:
*00 thru *12 allows you to create a total of 13 types of rate bands.
The rate is set by an initial charge and time limit (in seconds)
followed by an additional charge and time limit (in seconds).
| RATE BAND | RATE # | INITIAL RATE/TIME LIMIT | ADDITIONAL RATE/TIME LIMIT |
|    *00    |   00   |         025180          |           025180           |
|    *01    |   01   |         075060          |           075060           |
|    *02    |   02   |         050999          |           000999           |
|    *03    |   03   |         Empty           |           Empty            |
|    *04    |   04   |         Empty           |           Empty            |
|    *05    |   05   |         Empty           |           Empty            |
|    *06    |   06   |         Empty           |           Empty            |
|    *07    |   07   |         Empty           |           Empty            |
|    *08    |   08   |         Empty           |           Empty            |
|    *09    |   09   |         Empty           |           Empty            |
|    *10    |   10   |         Empty           |           Empty            |
|    *11    |   11   |         Empty           |           Empty            |
|    *12    |   12   |         Empty           |           Empty            |
- *00 is used by factory preset for local calls set at $.25 for the
first 3 minutes and $.25 for each additional 3 minutes.
- *01 is used by factory preset for long distance calls set at $.75 for
the first minute and $.75 for each additional minute.
- *02 is used by factory preset for information calls (1411 & 411) set
at $.50 for unlimited time.
To create a rate band enter any empty rate band from *00 thru *12 and
set up the initial rate and time limit followed by the additional rate
and time limit.
Example: To set up a rate band to charge for $.50 the first 3mins,
and $.25 each additional 2mins.
1. Enter *03
2. Enter 050180 025120, the initial rate 050180 is 50 cents for 180
seconds, the additional rate 025120 is 25 cents for 120 seconds.
3. Enter # to confirm, display will show PASS, or enter * to cancel
the entry.
Assign area codes or prefixes to rate bands:
There are a total of 100 3-digit memory locations that may be used to
assign special area codes and/or prefixes to a particular rate band
(*00 thru *12). These 3-digit memory locations are 000 thru 099.
You may first create a rate band containing charges and time limits you
want (see rate bands), and then assign an area code or area code/prefix
in a particular 3-digit memory location from 000 thru 099.
Enter # after the last number if the area code and/or prefix is less
than 7 digits. Then enter your rate number for the particular rate
band you created and enter # to confirm.
Example 1: To assign the area code 1-281 to the long distance
rate band in the memory location 056.
(assume *01 is kept as factory preset.)
1. Enter 056 1281#01
2. Enter # to confirm, display will show PASS, or enter * to cancel
the entry.
Example 2: To assign the area code 1-713 and prefix 551 to charge for
$.75 for the first minute and $.25 for each additional minute.
First create a rate band (we choose rate band *10)
1. Enter *10
2. Enter 075060 025060
3. Enter # to confirm, display will show PASS
Then assign the area code and prefix to a particular 3-digit memory
location and assign it to the rate band we just created by the rate
number. (we choose 3-digit memory location 088)
1. Enter 088 1713551#10
2. Enter # to confirm, display will show PASS
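As an added example (not the guide's own code), here is a small simulator of the tables programmed in the free calls, restrict calls, rate bands and memory location sections above: it parses entries in the keypad form used by the FACTORY PRESETS list and works out what a dialed number costs. The prefix-matching rules and the meaning of a 999-second limit are my assumptions, as the guide does not spell them out.

```python
from collections import namedtuple

RateBand = namedtuple("RateBand", "initial_cents initial_secs add_cents add_secs")
UNLIMITED = 999   # assumption: the *02 preset uses a 999-second limit for "unlimited"

# Factory presets copied from the guide's FACTORY PRESETS list, in keypad form
# (slot, then the keys typed). Pass code, *13/*14 and *60-*64 are left out.
FACTORY_PRESETS = """\
*00 025180025180#
*01 075060075060#
*02 050999000999#
*20 1900##
*21 1976##
*22 976##
*23 1700##
*40 1800##
*41 1877##
*42 1888##
*43 911##
000 1#01#
001 2#00#
002 3#00#
003 4#00#
004 5#00#
005 6#00#
006 7#00#
007 8#00#
008 9#00#
009 1411#02#
010 411#02#
"""

def load_program(text):
    """Parse keypad entries into the phone's tables: rate bands (*00-*12),
    restricted prefixes (*20-*39), free prefixes (*40-*59) and the 3-digit
    memory locations (000-099) that map a dialed prefix to a rate number."""
    tables = {"rates": {}, "restricted": [], "free": [], "memory": {}}
    for line in text.splitlines():
        if not line.strip():
            continue
        slot, entry = line.split()
        digits = entry.rstrip("#")               # '#' ends a short entry
        if slot.startswith("*"):
            n = int(slot[1:])
            if n <= 12:                          # ccc sss ccc sss
                tables["rates"]["%02d" % n] = RateBand(
                    int(digits[0:3]), int(digits[3:6]),
                    int(digits[6:9]), int(digits[9:12]))
            elif 20 <= n <= 39:
                tables["restricted"].append(digits)
            elif 40 <= n <= 59:                  # other slots are ignored
                tables["free"].append(digits)
        else:                                    # memory location: prefix#rate
            prefix, rate = digits.split("#")
            tables["memory"][slot] = (prefix, rate)
    return tables

def classify_call(tables, number):
    """Decide how the phone treats a dialed number. Assumptions the guide does
    not state: a restricted prefix wins over a free one, the longest matching
    memory-location prefix wins, and an unmatched number is Error 2."""
    if any(number.startswith(p) for p in tables["restricted"]):
        return ("restricted", None)
    if any(number.startswith(p) for p in tables["free"]):
        return ("free", None)
    matches = [(len(p), r) for p, r in tables["memory"].values()
               if number.startswith(p)]
    if not matches:
        return ("error2", None)
    return ("rate", max(matches)[1])

def deposit_for(band, seconds):
    """Cents the phone asks for over a call of the given length: the initial
    charge buys initial_secs, then each started add_secs block costs add_cents."""
    if band.initial_secs >= UNLIMITED or seconds <= band.initial_secs:
        return band.initial_cents
    if band.add_secs >= UNLIMITED or band.add_cents == 0:
        return band.initial_cents
    blocks = -(-(seconds - band.initial_secs) // band.add_secs)   # ceiling
    return band.initial_cents + blocks * band.add_cents

def cost_of_call(tables, number, seconds):
    """Returns (disposition, cents); cents is 0 unless a rate band applies."""
    kind, rate = classify_call(tables, number)
    if kind != "rate":
        return (kind, 0)
    return (kind, deposit_for(tables["rates"][rate], seconds))

if __name__ == "__main__":
    # Example 2 from the guide on top of the presets: rate band *10 for
    # 1-713-551 numbers, stored in memory location 088.
    phone = load_program(FACTORY_PRESETS + "*10 075060025060#\n088 1713551#10\n")
    for num, secs in (("2815505592", 600), ("1411", 3600), ("17135511234", 90)):
        print(num, secs, cost_of_call(phone, num, secs))
```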
To allow/disallow 0-calls: (factory set to disallow)
To allow 0-calls.
1. Enter *60
2. Enter 1
3. Enter # to confirm, display will show PASS
To disallow 0-calls.
1. Enter *60
2. Enter 0
3. Enter # to confirm, display will show PASS
To enable/disable 0+ rerouting calls: (factory set to enable)
To enable 0+ rerouting calls.
1. Enter *61
2. Enter 1
3. Enter # to confirm, display will show PASS
To disable 0+rerouting calls.
1. Enter *61
2. Enter 0
3. Enter # to confirm, display will show PASS
Cut off time: (factory set as 5 seconds)
*62 is programmed to set a cut off time on calls using 0 or Operator
for the leading number prior to the prefix. If additional numbers are
not entered within the preset time, the connection will be broken and
deposited coins will be returned. This function is effective only
under the condition that there is not a reroute number in *63.
To change the cut off time.
1. Enter *62
2. Enter the 1-digit time limit in seconds
3. Enter # to confirm, display will show PASS
Example: To set the cut off time to 3 seconds.
1. Enter *62
2. Enter 3
3. Enter # to confirm, display will show PASS
To reroute number:
*63 is used to program a 0+ reroute number that will be dialed out when
you dial 0. This number can be up to 29 digits; if the number is less
than 29 digits enter # after the last number.
The factory preset reroute number is 18884562277 pause 2815505592.
Example: If you want to set up the reroute number as 1010222.
1. Enter *63
2. Enter 1010222*0#, the display will show [63] 1010222-0=
3. Enter # to confirm, display will show PASS
When customers dial 0-281-550-5592, the phone will actually dial:
1010222 pause 0-281-550-5592. * is to put a pause in the reroute number.
Example: If you want to set up the reroute number as:
18884562277 pause 2815505592.
1. Enter *63
2. Enter 18884562277*28155055920#, the display will show [63]
18884562277-28155055920=
3. Enter # to confirm, display will show PASS
When customers dial 0-956-855-2345, the phone will actually dial
1888-456-2277 pause 281-550-5592-0-956-855-2345.
To set the pause time in the reroute number: (factory set at 5
seconds)
1. Enter *64
2. Enter the time in seconds (1-digit)
3. Enter # to confirm, display will show PASS
Example: To set the pause time to be 3 seconds.
1. Enter *64
2. Enter 3
3. Enter # to confirm, display will show PASS
To clear the reroute number:
1. Enter *63
2. Enter #
3. Enter # to confirm, display will show PASS
OWNERS TO MAKE A FREE COINLESS CALL:
1. Enter # then your pass code, the display will show FLASH then FREE
2. You are now able to make a free call
ERROR CODE LIST:
- Error 2: A restricted or invalid number was dialed.
- Error 4: Coin mechanism is full or has a coin jam.
- Error 6: No number was dialed within 25 seconds after the handset was lifted.
- Error 7: Not enough coins were deposited within 25 seconds.
- Error 8: The line has been connected for a long time but no one answers.
FACTORY PRESETS:
*#000000 Pass code
*00 025180025180# Rate 00 for local at $.25 for 3mins. and $.25 for each
add 3mins.
*01 075060075060# Rate 01 for long distance at $.75 for 1min. and $.75
each add min.
*02 050999000999# Rate 02 for information (411/1411) set at $.50 for
unlimited time limit
*13 00# Regular line dialing
*14 99# Incoming calls set at unlimited time
Restricted calls:
*20 1900## Used to restrict 1900#s
*21 1976## Used to restrict 1976#s
*22 976## Used to restrict 976#s
*23 1700## Used to restrict 1700#s
Free calls:
*40 1800## Used to allow 1800 toll free calls
*41 1877## Used to allow 1877 toll free calls
*42 1888## Used to allow 1888 toll free calls
*43 911## Used to allow free emergency 911 calls
*60 0 Used to disallow 0- calls
*61 1 Used to allow 0+ calls
*62 5 Cut off time set at 5 seconds
*64 5 Pause time set at 5 seconds
000 through 099 3-Digit Memory locations
000 1#01# 1+ Long distance calls set a rate 01
001 2#00# 001 thru 008 are 3-digit memory locations
002 3#00# used to set local calls at rate 00
003 4#00#
004 5#00#
005 6#00#
006 7#00#
007 8#00#
008 9#00#
009 1411#02# 1411 calls set at rate 02
010 411#02# 411 calls set at rate 02
TECHNICAL SPECIFICATIONS:
Complies with part 68, FCC rules
FCC Regulation Number: 4N9THA-30319-CX-E
Ringer Equivalence: 1.0A
U.S.O.C.: RJ11C
Model Number: ST-001
w w w . n e t t w e r k e d . n e t
0 8 . 3 1 . 2 0 0 0
___
<PBX ACCESS TOTAL>
------------------
Hi, well, today I'm going to present a VMB/PBX system that I've named Access Total, because the company that
runs it is called that and I couldn't find an official name. It was my friend Loster who gave me a PBX like this,
but it's only recently that I tested pretty much all the options, which I'm going to share with you. As for the NIPs
(passwords), the two PBXes I had before were 4 digits, but since there have been a few abusers (don't look at me
like that) they increased the security, according to what Neuro told me. OK, now you know a bit of the history; now,
finding a 990 number to hack. It's ultra simple: the whole (450)(514)-990-XXX range is nothing but that! You could
also look in the newspapers, because several free erotic lines are in 990, or simply escort agencies (bunch of perverts).
OK, when you call you're going to hear a message and then it transfers to something else. It's before the
transfer, right when it answers, that you have to immediately enter a password. It's usually between 6 and 10
digits (although before there were some with 4). You have to enter two, then *, otherwise it disconnects you. Since it's 6 digits or more
it isn't easy to remember, so you do either the number backwards or simple things the person could have picked
(see the pyrofreak or npc zines).
La fiche technique:
Rappelle
-Se retrouvant surtout dans le (450)(514)-990-XXX
-On rentre le nip rapidement au debut,tout de suite quand ça répond
-Tu rentre deux nip ensuite tu fais * ,sinon apres trois ca te disconnect
-Nip entre 6-10 habituellement
MENU
2-Réacheminement des appelles
De quel facon desirer vous que vos appelles sont réacheminer ?
Vos appelles sont actuellement reacheminer a.....
Entrer les deux chiffre de la mémoire pour reacheminer vos apelles
ou encore appuiyer sur * pour laisser la fonction de reacheminement actuel
6-Transmettre un message
Veuiller rentrer le numero access total ou vous désirer envoiyer un message
0-Aide
8-Fonctions évolués
1-Enregistrer un message d'acceuil pour une mémoire
2-Enregistrer l'intro standard
3-Modifier le numéro reserver
4-Modifier le nom enregistrer
5-Activé l'horraire hebdomadaire
6-Désactivé l'horraire
7-Écouter intro du systême et changer le nip
Veuiller entrer votre nouveau Nip maitenant
9-faire un appelle (Seulement dans le 450-514 malheureusement)
Si on veux faire un autre appelle ensuite tu fais deux fois le ##
'Pratique ca si tu est dans une cabine !!
*-Avancer
#-Reculer
Pour conclure,si vous avez de la misère a trouver les mots de passes ,j'ai un ami qui a reussi a faire du social engineering
en se fesant passer pour quelqu'un de Bell Canada ,alors a vous d'essaisser ce que vous pouver pour reussir.Have phone!
Flopik
___
US NATIONAL PARTYLINE NUMBERS
Submitted by: Kybo_Ren
On: Friday September 1, 2000
For: Canadian Phreakers Union
Notes: The following party line phone numbers offer free sign-up and
private conference rooms for up to 8 people. Use these numbers for your
conferences, but please don't abuse the systems because that just ruins it
for the rest of us...
- Boston Donut 617-933-7760
- Chitown Underground 312-602-1212
- Connecticut Raven 860-835-7760
- Mars Hotel 815-333-4356
- Miami Raven 305-503-7771
- Miami Zoo 305-503-7777
- NYC Club 30 718-280-7779
- Raven 305-503-7771
- Roach 305-503-1878
- "" 215-825-7776
- "" 305-503-7771
- Viper 305-503-1877
END
___
<Semtex> Jawa you little felching pile of festering maggot ridden cat shit!
___
[-` Rogers/AT&T Pay-As-You-Go Billing Vulnerability `-]
Advisory released: Tuesday August 29, 2000
Severity: Pay-As-You-Go billing vulnerability on the part of Rogers/AT&T
allowing anyone (especially YOU!) to exploit it and make
local/national/international calls for free.
Author: The Clone
--
Disclaimer; I don't take responsibility for anything in this file because
an Iranian terrorist group known as 'habakkkoktao' has held me
at gun point requesting that I write this or they're going to
shoot me. Don't blame me, blame them!
Introduction;
Rogers/AT&T (Canada) offers its customers a particular service plan
known as the "ROGERS/AT&T Pay-As-You-Go Wireless Plan". This "plan" entitles
you to full local, national, and international wireless service within the
coverage areas that it offers (see www.rogers.ca for coverage info).
In order to make use of the pre-paid wireless service,
you must firstly sign up by:
1. Dialing one of the following toll-free numbers from a landline phone;
(Between 8:00am-9:00pm weekly, 8:00am-6:00pm Saturdays and holidays)
1-800-663-1415 - British Columbia, Alberta, Saskatchewan, Manitoba
1-800-268-7347 - Ontario
1-800-361-0538 (1-800-ROGERS AT&T) - Quebec, New Brunswick, Nova Scotia,
Prince Edward Island, Newfoundland
OR
2. Walk into any Rogers/AT&T store or certified dealership and sign up there.
Want to order over the phone or need help finding the nearest dealership?
Call: 1-888-448-7994
OR
3. Buy 'Pay-As-You-Go' online:
http://www.rogers.ca/wireless/english/voice/pay/buy/index.html
Pre-Paid Cards;
By going to any Rogers/AT&T wireless store location, you can pick yourself
up one of many different Pay-As-You-Go cards. What I usually buy are the $25
1-hour cards because they're cheap and I'm not really huge on talking on tumor
causing insecure radio transmitter/receivers.
Activating your Card;
After purchasing your pre-paid card, what you can do is call up one of the
INWATS numbers listed above (from a landline) that service your local area
and speak to one of the friendly customer service representatives who'll
be MORE than happy to help you out. Tell them that you just purchased a
pre-paid card and that you'd like them to renew the time to your phone.
Re-filling your time;
Either buy another Pay-As-You-Go card from a Rogers/AT&T dealership,
call them up and pay with your credit card, OR see step 3 [above].
--
The Vulnerability - as a scenario.
- Johnny picks up his wireless Rogers/AT&T pre-paid phone and turns it on
- Johnny hears a beep, looks at his phone and notices that he has a lot of
battery power left - Johnny feels glee and lets out a huge *sigh*
- Johnny then proceeds to dial his boyfriend Frank's phone number
- Johnny prepares to listen to the beautifully sounding automated female
recording (that makes him for a moment in his very homosexual life want
to be heterosexual just so he'd know what it was like to actually lust
for such an angelic voice) read off the number of minutes he has left
for his call (account balance).
- Too bad for Johnny; no automated voice at all! "What duth dith mean?"
lisps the very gay, confused, and curious Johnny.
Well Johnny, what just occurred was simple;
The Rogers/AT&T's Pay-As-You-Go billing system didn't recognize your account,
therefore you weren't billed for that particular call. Each time the automated
voice plays, you're billed for the call - each time it doesn't, you aren't.
I've estimated (with my personal experience) that the billing errors occur
approximately 40% of the time while 60% of the time the billing goes through
absolutely fine.
One could easily exploit this vulnerability by:
Hanging up the call every time the automated voice appears on the phone,
re-dialing the desired number and repeating the process until the automated
voice doesn't appear.
Simply only pay for one $25 Pay-As-You-Go card and keep exploiting the
Rogers/AT&T system, calling any number you wish in the world for absolutely
free! No one gets billed, no one is hurt.
Leech off the capitalist pigs while you still can!
-END-
___
A Guide to General Packet Radio Service
Written by: PsychoSpy and The Clone
Date: Sunday September 3, 2000
GPRS (short for General Packet Radio Service) is a data service upgrade for
GSM networks. This allows GSM Networks to be completely compatible with the
Internet. GPRS uses a packet-mode technique to transfer traffic in bursts.
These bursts allow higher efficiency, and therefore higher speeds. The packet
bursting technique is also used in DSL modems, and other methods of high-speed
internet access. Due to this technique GPRS allows bit rates of 9.6 Kbps to
anywhere more than 150 Kbps per user.
There are a couple of major benefits of using GPRS. These include better use of
radio/network resources and a completely transparent support of IP.
Radio resources are only used when data is being sent and/or received.
GPRS also provides an immediate connection (again like DSL or Cable) and
a high throughput. It also allows end user applications to only occupy
the network when data is being transferred, and is an almost perfect
design for the short data burst which data applications seem to have these
days.
Applications based on standard protocols (data) like IP and X.25 are supported.
Four different quality of service levels are supported by GPRS. To support
data apps, GPRS uses several new network nodes in addition to the GSM PLMN
network nodes.
They are responsible for traffic routing, and various other internetworking
functions with other, external, packet-switched data networks (can anyone
say Datapac?), subscriber location, cell selection, roaming and all the
other functions which all cellular networks need to operate.
Now that we have the general info on what GPRS is, I will talk about a few
other protocols which are linked with GPRS.
NS
~~
NS (Network Service) transfers the NS SDUs between the SGSN (serving GPRS
support node) and BSS (Base station system). There are several services
which are provided to the NS user. They include:
Network Congestion Indication - The Sub-Network Service (i.e. Frame Relay)
performs congestion recovery control actions. The network service uses the
various congestion reporting mechanisms which are in the Sub-Network
Service implementation.
Status Indication - Is used to tell the NS user of NS affecting events.
An example is a change in the capabilities of transmission.
Network Service SDU Transfer - Provides the network service primitives that
allow transmission and reception of upper layer protocol data units
between the BSS and SGSN. NS SDUs are normally transferred in order by the
Network Service, but under certain circumstances order might not be maintained.
The NS PDU format is:
1 byte
|----------------------------|
| PDU Type |
|----------------------------|
| Other Information Elements |
|----------------------------|
The PDU Type can be any of the following:
NS-ALIVE
NS-ALIVE-ACK
NS-BLOCK
NS-BLOCK-ACK
NS-RESET
NS-RESET-ACK
NS-STATUS
NS-UNBLOCK
NS-UNBLOCK-ACK
NS-UNITDATA
Next we're onto the Information Elements (IEs) of the PDU. The IEs which are
present depend on what the PDU type is. The structure of an IE is as follows:
1 byte
|------------------------------|
| Information Element ID (IEI) |
|------------------------------|
| Length Indicator |
|------------------------------|
| Information Element Value |
|------------------------------|
The first octet of an information element, in TLV format, contains the IEI
of the IE. If the IEI is not known to the receiver, the receiver assumes
that the next octet is the first octet of the length indicator.
This rule allows the receiver to skip unknown IEs and analyse any
following elements.
Next up is the length indicator. This varies in length, and can be either one
or two octets long; the second octet is not always present. The field
consists of the field extension bit, 0/1 ext, followed by the length of the
IE value in octets.
The 8th bit of the first octet is reserved for the field extension bit.
If the field extension bit is set to zero, the second octet of the length
indicator is present. If it is set to one, then the first octet is the
final octet of the length indicator.
Lastly, the IE Value. The following IEs can be present, but are, once again,
dependent on the PDU type:
Cause
NS-VCI
NS PDU
BVCI
NSEI
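An added example (not from the guide) of walking the TLV information elements of an NS PDU with the length indicator rule just described, including the skip-unknown-IE behaviour. The PDU type and IEI code numbers and the sample PDU are constructed for the demonstration rather than taken from the page.

```python
# Added example (not from the guide): walk the information elements of an NS PDU.
# Layout assumed from the description above: octet 1 = PDU type, then TLV IEs
# of the form IEI | length indicator | value. Bit 8 of the first length octet is
# the extension bit: 1 = this octet is the whole length (7 bits); 0 = a second
# octet follows and the length is the remaining 7 bits plus that octet.
# The PDU type and IEI numbers below are illustrative placeholders, not taken
# from the page.
from typing import Dict, List, Tuple

PDU_TYPE_NAMES = {0x00: "NS-UNITDATA", 0x08: "NS-STATUS", 0x0A: "NS-ALIVE"}   # placeholders
IEI_NAMES = {0x00: "Cause", 0x01: "NS-VCI", 0x02: "NS PDU",
             0x03: "BVCI", 0x04: "NSEI"}                                       # placeholders


def parse_length_indicator(buf: bytes, pos: int) -> Tuple[int, int]:
    """Return (length, position after the length indicator) for the LI at pos."""
    if pos >= len(buf):
        raise ValueError("truncated length indicator")
    first = buf[pos]
    if first & 0x80:                      # ext = 1: single-octet length indicator
        return first & 0x7F, pos + 1
    if pos + 1 >= len(buf):
        raise ValueError("truncated two-octet length indicator")
    return ((first & 0x7F) << 8) | buf[pos + 1], pos + 2   # ext = 0: second octet present


def parse_ns_pdu(buf: bytes) -> Dict:
    """Split an NS PDU into its type and a list of IEs; unknown IEs are kept but flagged."""
    if not buf:
        raise ValueError("empty NS PDU")
    pos = 1
    ies: List[Dict] = []
    while pos < len(buf):
        iei = buf[pos]
        # Known or not, the octet after the IEI is always the start of the length
        # indicator, which is what lets a receiver skip IEs it does not understand.
        length, pos = parse_length_indicator(buf, pos + 1)
        if pos + length > len(buf):
            raise ValueError(f"IE {iei:#04x}: length {length} overruns the PDU")
        ies.append({"iei": iei, "name": IEI_NAMES.get(iei, "unknown"),
                    "length": length, "value": buf[pos:pos + length]})
        pos += length
    return {"pdu_type": buf[0],
            "type_name": PDU_TYPE_NAMES.get(buf[0], "unknown"),
            "ies": ies}


def ns_pdu_is_wellformed(buf: bytes) -> bool:
    """True when every IE's length indicator fits inside the PDU."""
    try:
        parse_ns_pdu(buf)
    except ValueError:
        return False
    return True


# Constructed sample: NS-STATUS with a 1-octet Cause, a 2-octet NS-VCI and an
# unknown IE (IEI 0x7E) that uses a two-octet length indicator (ext bit = 0).
SAMPLE_PDU = bytes([
    0x08,                                  # PDU type
    0x00, 0x81, 0x0A,                      # Cause, LI ext=1 len=1, value
    0x01, 0x82, 0x00, 0x64,                # NS-VCI, LI ext=1 len=2, value
    0x7E, 0x00, 0x03, 0x61, 0x62, 0x63,    # unknown IEI, LI ext=0 len=3, value "abc"
])

if __name__ == "__main__":
    for ie in parse_ns_pdu(SAMPLE_PDU)["ies"]:
        print(f"{ie['name']:<8} iei={ie['iei']:#04x} len={ie['length']} "
              f"value={ie['value'].hex()}")
```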
BSSGP
~~~~~
The primary functions of the BSSGP are:
- Provision by an SGSN to a BSS of radio related information used by the
RLC/MAC function (in downlink)
- Provision by a BSS to an SGSN of radio related information from the RLC/MAC
function (in uplink)
- Provision of functionality to allow two physically distinct nodes, an SGSN
and a BSS, to operate node management control functions.
The BSSGP PDUs format is:
1 byte
|----------------------------|
| PDU Type |
|----------------------------|
| Other Information Elements |
|----------------------------|
LLC
~~~
The LLC (Logical Link Controller) defines the logical link control layer
protocol to be used for (packet) data transfer between the MS (Mobile
Station) and a serving GPRS support node (SGSN).
LLC goes from the MS to the SGSN and is intended to be used for both
acknowledged and unacknowledged data transfers.
LLC's defined frame formats are based on the ones defined for LAPD and RLP.
There are, however, major differences between LLC and those protocols, in
particular in the frame delimitation methods and transparency mechanisms.
These differences are necessary for independence from the radio path.
Two methods of operation are supported by LLC. These are:
- Unacknowledged peer-to-peer operation
- Acknowledged peer-to-peer operation
All LLC layer peer-to-peer exchanges are in frames of the following format:
1 byte
|------------------------------|
| Address |
|------------------------------|
| Control |
|------------------------------|
| Information |
|------------------------------|
| FCS |
|------------------------------|
The address field contains the SAPI and identifies the DLCI for which a
downlink frame is intended and the DLCI transmitting an uplink frame. The
length of the address field is 1 byte, and it has the following format:
_______________________________
Bit | 8 | 7 | 6 5 | 4-1 |
|----|-----|-----|------|
| PD | C/R | XX | SAPI |
|----|-----|-----|------|
- The protocol discriminator (PD) shows whether a frame is LLC or belongs to
a different protocol. LLC frames have the PD bit set to zero. The frame is
treated as invalid if its PD bit is set to 1.
- The C/R bit identifies a frame as either a command or a response. The MS side
sends commands with the C/R bit set to zero, and responses with it at 1.
The SGSN does the opposite (commands are sent with C/R set to 1, and
responses are sent with it set to 0).
- The XX bits are reserved bits.
- The Service Access Point Identifier (SAPI) identifies a point where LLC
services are provided by an LLE to a layer-3 entity.
After the address, comes control. This identifies the type of frame.
There are four types of control field formats. They are:
- Confirmed information transfer (I format)
- Supervisory functions (S format)
- Unconfirmed information transfer (UI format)
- Control functions (U format)
Next is the information field. This contains the various commands and responses.
The FCS (Frame Check Sequence) field consists of a 24-bit cyclic redundancy
check (CRC) code. This CRC-24 is used to detect bit errors in the frame header
and information fields.
SNDCP
~~~~~
SNDCP (Sub-Network Dependent Convergence Protocol) uses the services provided
by the LLC layer and the SM (Session Management) sub-layer. The four main
functions of SNDCP are:
- Multiplexing of several PDPs (Packet Data Protocol)
- Compression/Decompression of user data
- Compression/Decompression of protocol control information
- Segmentation of a network protocol data unit (N-PDU) into LLC
protocol data units (LL-PDUs) and re-assembly of LL-PDUs into a
N-PDU
Data transfer is acknowledged by the SN-DATA PDU. The format of the SN-DATA
PDU is:
  8   7   6   5        4-1
|-------------------------------------------|
| X | C | T | M | NSAPI |
|-------------------------------------------|
| DCOMP | PCOMP |
|-------------------------------------------|
| |
| Data |
|-------------------------------------------|
The SN-UNITDATA PDU (used to Acknowledge data transfer) has a format
as follows:
  8   7   6   5        4-1
|-------------------------------------------|
| X | C | T | M | NSAPI |
|-------------------------------------------|
| DCOMP | PCOMP |
|-------------------------------------------|
| Segment offset | N-PDU Number |
|-------------------------------------------|
| E | N-PDU Number (Cont'd) |
|-------------------------------------------|
| |
| Data |
|-------------------------------------------|
NSAPI (Network Service Access Point Identifier). The values of this field may
be any one of the following:
----|--------------------------------------------------
0 | Escape Mechanism for Future Extensions
----|--------------------------------------------------
1 | Point-to-multipoint multicast (PTM-M) information
----|--------------------------------------------------
2-4 | Reserved for future user
----|--------------------------------------------------
5-15| Dynamically allocated NSAPI value
----|--------------------------------------------------
M is the more bit. Its values may be:
----|-------------------------------------------------------
0 | Last Segment of N-PDU
----|-------------------------------------------------------
1 | Not the last segment of N-PDU, more segments to follow
----|-------------------------------------------------------
The T bit, SN-PDU type specifies whether the PDU is SN-DATA (0) or
SN-UNITDATA (1).
C is the compression indicator. If set to 0, the compression fields DCOMP
and PCOMP are not included. If set to 1, these fields are included.
X is the spare bit. This is always set to 0.
DCOMP (Data Compression Coding) is included if the C-bit is set.
DCOMP values are:
----|--------------------------------------------
0 | No Compression
----|--------------------------------------------
1-14| Points to the data compression identifier
| negotiated dynamically
----|--------------------------------------------
15 |Reserved for future extensions
----|--------------------------------------------
PCOMP (Protocol Control Information Compression Coding) is included if the
C-bit is set. The PCOMP Values are:
----|--------------------------------------------
0 | No Compression
----|--------------------------------------------
1-14| Points to the protocol control information
| compression identifier negotiated dynamically
----|--------------------------------------------
15 |Reserved for future extensions
----|--------------------------------------------
N-PDU Number
0-2047 when the extension bit is set to 0.
2048-524287 if the extension bit is set to 1.
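An added example (not from the guide) that decodes the SN-DATA and SN-UNITDATA headers drawn above from raw bytes, including the optional DCOMP/PCOMP octet and the NSAPI/DCOMP/PCOMP value tables. The sample PDUs are constructed, and how the N-PDU number continues when the E bit is set is an assumption noted in the code, since the guide only quotes the resulting number range.

```python
# Added example (not from the guide): decode SNDCP SN-DATA / SN-UNITDATA headers.
# Field positions follow the diagrams above: octet 1 is X|C|T|M|NSAPI, octet 2
# (DCOMP|PCOMP) is present only when C = 1, and SN-UNITDATA (T = 1) adds a
# "segment offset | N-PDU number" octet and an "E | N-PDU number (cont'd)" octet.
# ASSUMPTION: the guide does not draw what follows when E = 1; this code reads one
# further octet, which yields exactly the 2048-524287 range the guide quotes
# (11 bits -> 0-2047 when E = 0, 19 bits when E = 1).
from dataclasses import dataclass
from typing import Optional


def nsapi_meaning(nsapi: int) -> str:
    """Meaning of an NSAPI value, per the table above."""
    if nsapi == 0:
        return "escape mechanism for future extensions"
    if nsapi == 1:
        return "PTM-M information"
    if 2 <= nsapi <= 4:
        return "reserved for future use"
    return "dynamically allocated NSAPI"


def comp_meaning(code: int) -> str:
    """Meaning of a DCOMP or PCOMP value, per the tables above."""
    if code == 0:
        return "no compression"
    if code == 15:
        return "reserved for future extensions"
    return "dynamically negotiated identifier"


@dataclass
class SnPdu:
    pdu_type: str                     # "SN-DATA" or "SN-UNITDATA" (T bit)
    nsapi: int
    more: bool                        # M bit: True = more segments follow
    dcomp: Optional[int]              # present only when C = 1
    pcomp: Optional[int]              # present only when C = 1
    segment_offset: Optional[int]     # SN-UNITDATA only
    npdu_number: Optional[int]        # SN-UNITDATA only
    data: bytes


def decode_sn_pdu(buf: bytes) -> SnPdu:
    if not buf:
        raise ValueError("empty SN-PDU")
    octet = buf[0]
    if octet & 0x80:
        raise ValueError("spare bit X must be 0")
    c_bit, t_bit, m_bit = bool(octet & 0x40), bool(octet & 0x20), bool(octet & 0x10)
    nsapi = octet & 0x0F
    pos = 1
    dcomp = pcomp = None
    if c_bit:
        if len(buf) < pos + 1:
            raise ValueError("C bit set but DCOMP/PCOMP octet missing")
        dcomp, pcomp = buf[pos] >> 4, buf[pos] & 0x0F
        pos += 1
    seg = npdu = None
    if t_bit:                                  # SN-UNITDATA carries segmentation fields
        if len(buf) < pos + 2:
            raise ValueError("SN-UNITDATA header truncated")
        seg = buf[pos] >> 4
        npdu = buf[pos] & 0x0F                 # high 4 bits of the N-PDU number
        e_bit = bool(buf[pos + 1] & 0x80)
        npdu = (npdu << 7) | (buf[pos + 1] & 0x7F)
        pos += 2
        if e_bit:                              # assumed continuation octet (see header)
            if len(buf) < pos + 1:
                raise ValueError("E bit set but continuation octet missing")
            npdu = (npdu << 8) | buf[pos]
            pos += 1
    return SnPdu("SN-UNITDATA" if t_bit else "SN-DATA", nsapi, m_bit,
                 dcomp, pcomp, seg, npdu, buf[pos:])


def sn_pdu_is_valid(buf: bytes) -> bool:
    try:
        decode_sn_pdu(buf)
    except ValueError:
        return False
    return True


# Constructed samples (not captured traffic):
# SN-UNITDATA, C=1 T=1 M=1 NSAPI=5; DCOMP=0 PCOMP=1; segment 2, N-PDU number 389 (E=0)
SAMPLE_UNITDATA = bytes([0x75, 0x01, 0x23, 0x05, 0xDE, 0xAD])
# SN-DATA, C=0 T=0 M=0 NSAPI=7, followed by two data bytes
SAMPLE_DATA = bytes([0x07, 0x45, 0x00])

if __name__ == "__main__":
    for sample in (SAMPLE_UNITDATA, SAMPLE_DATA):
        pdu = decode_sn_pdu(sample)
        print(pdu, "| NSAPI:", nsapi_meaning(pdu.nsapi))
```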
RLP
~~~
The Radio Link Protocol (RLP) is used to transmit data over the GSM PLMN. RLP
covers the functionality of Layer 2 of the ISO OSI Reference Model. It
has been tailored to the needs of digital radio transmissions and provides
an OSI data link service. It also spans from the MS (Mobile Station) to the
interworking function, which is located at the nearest MSC (Mobile
Switching Center) or even further. There are currently three versions of RLP:
Version 0 is a Single-link basic version,
Version 1 is a Single-Link extended version,
And Version 2 is a Multi-link version.
RLP frames are fixed in length. The frame can either be 240 or 576 bits.
The frame consists of a header, information field, and an FCS field.
The format of the 240-bit frame is:
_____________________________________
| Header | Information | FCS |
|---------|-----------------|--------|
| 16 bit | 200 bit | 24 bit |
|---------|-----------------|--------|
| 24 bit | 192 bit | 24 bit |
|---------|-----------------|--------|
The header is 16 bits in versions 0,1, and in the U frame of version 2.
It is 24 bits in the S and I+S frames of version 2.
The format of the 576-bit frame is:
_____________________________________
| Header | Information | FCS |
|---------|-----------------|--------|
| 16 bit | 536 bit | 24 bit |
|---------|-----------------|--------|
| 24 bit | 528 bit | 24 bit |
|---------|-----------------|--------|
The header is 16 bits in version 1 and in the U frames of version 2.
It is 24 bits in the S and I+S frames of version 2.
The header contains control information. This control information can be any
one of three types:
1) Un-numbered protocol control information (U frames)
2) Supervisory Information (S frames)
3) User Information carrying supervisory information piggybacked (I+S frames)
The FCS (Frame Check Sequence) field in the RLP is just like the FCS which is
used in LLC which was discussed earlier.
RLP can be either in Asynchronous Balanced Mode (ABM) or Asynchronous
Disconnected Mode (ADM). ABM is the data link operation mode, while ADM
is the data link non-operational mode.
Now we're going to get into some, maybe, confusing diagrams. The following
diagram shows the structure of the header in versions 0 and 1.
N(S) occupies bits 4-9 (bit 4 is its low-order bit) and N(R) occupies
bits 11-16 (bit 11 is its low-order bit).
Bits 1-16 are as follows:
Bit     1    2    3    4  5  6  7  8  9  10   11  12  13  14  15  16
     |-----|----|----|--|--|--|--|--|--|-----|---|---|---|---|---|---|
U    | C/R | X  | X  | 1| 1| 1| 1| 1| 1| P/F | M1| M2| M3| M4| M5| X |
     |-----|----|----|--|--|--|--|--|--|-----|---|---|---|---|---|---|
S    | C/R | S1 | S2 | 0| 1| 1| 1| 1| 1| P/F |         N(R)          |
     |-----|----|----|--|--|--|--|--|--|-----|-----------------------|
I+S  | C/R | S1 | S2 |      N(S)       | P/F |         N(R)          |
     |-----|----|----|-----------------|-----|-----------------------|
Version 2
S is the L2R status bit, N(S) occupies bits 1-9 (bit 1 is its low-order
bit), N(R) occupies bits 14-22 (bit 14 is its low-order bit) and UP is the
UP bit. U frames keep the 16-bit layout shown above; S and I+S frames use
the 24-bit layout below.
Bits 1-24 are as follows:
Bit    1    2    3    4  5  6  7  8  9  10    11    12   13       14-22       23   24
     |----|----|----|--|--|--|--|--|--|-----|-----|----|----|----------------|---|----|
S    | X  | X  | X  | 0| 1| 1| 1| 1| 1| P/F | C/R | S1 | S2 |      N(R)      | X | UP |
     |----|----|----|--|--|--|--|--|--|-----|-----|----|----|----------------|---|----|
I+S  |              N(S)                | P/F | C/R | S1 | S2 |      N(R)      | S | UP |
     |----------------------------------|-----|-----|----|----|----------------|---|----|
The C/R (Command Response) bit shows whether the frame is a command or a
response frame. It can have only one of two values:
1 Command
0 Response
The P/F (Poll/Final) bit shows a special instance of the command/response
exchange.
The X bits don't really matter.
In the Unnumbered Frames (U) the M1 M2 M3 M4 and M5 bits can have any
of the following values in the U frames depending on the type of information
carried.
SABM 11100
UA 00110
DISC 00010
DM 11000
NULL 11110
UI 00000
XID 11101
TEST 00111
REMAP 10001
SABM == Set Asynchronous Balance Mode
SABM is used to initiate a link for a numbered information transfer
or to reset a link already established.
UA == Unnumbered Acknowledge
UA is issued as a response to acknowledge a SABM or DISC command.
DISC == Disconnect
DISC is used to disestablish a previously established information
transfer link. (duh!)
DM == Disconnect Mode
DM Encoding is used as a response message
NULL == NULL
UI == Unnumbered Information
UI says that the information field is to be interpreted as unnumbered
information.
XID == Exchange Identification
XID signifies that the information field should be interpreted as
exchange identification, and is used to negotiate and/or renegotiate
parameters of RLP and Layer 2 relay functions.
TEST == TEST
This shows that the information field of the frame is test information.
REMAP == REMAP
This signifies that a remap exchange takes place in ABM following
a change of channel coding. If an answer is not received within
a specified time then the module end enters ADM.
In the S and I+S Frames the following are present:
N(S) == Send Sequence Number
N(S) contains the number of the I frame.
N(R) == Receive Sequence Number
N(R) is used in ABM to designate the next information frame to be
sent and to confirm that all frames up to and including this bit
have been correctly received.
S == L2 Status Bit
S1 and S2 bits can have the following significance
in the S and I+S
frames.
RR 00
REJ 01
RNR 10
SREJ 11
RR == Receive Ready
RR can be used as a command OR a response. It clears any previous
busy condition in that area.
REJ == Reject Encoding
REJ is used to show that in numbered information transfer, 1 or more
out of sequence frames have been received.
RNR == Receive Not Ready
RNR shows that the entity isn't ready to receive numbered information
frames.
SREJ == Selective Reject
SREJ is used to request a retransmission of a single frame.
UP is used in version 2, to indicate that a service level upgrade will
increase the throughput.
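An added example (not from the guide) that decodes and encodes the 16-bit version 0/1 RLP header using the bit positions, the M-bit table and the S1/S2 table given above. Treating the guide's bit 1 as the least significant bit of a 16-bit integer is an assumption of this code.

```python
# Added example (not from the guide): decode/encode the 16-bit RLP version 0/1
# frame header using the bit layout, M-bit table and S1/S2 table given above.
# ASSUMPTION: the header is held as a 16-bit integer in which the guide's
# "bit n" is bit n-1 of the integer, i.e. bit 1 is the least significant bit.
# Bits 4-9 carry N(S) in I+S frames; the two N(S) values that cannot occur as
# sequence numbers mark the other frame types: 111111 = U frame, and
# 011111 (bit 4 = 0, bits 5-9 = 1) = S frame.
from dataclasses import dataclass
from typing import Optional

U_FUNCTIONS = {          # M1 M2 M3 M4 M5, as tabulated in the guide
    "11100": "SABM", "00110": "UA",   "00010": "DISC", "11000": "DM",
    "11110": "NULL", "00000": "UI",   "11101": "XID",  "00111": "TEST",
    "10001": "REMAP",
}
S_FUNCTIONS = {"00": "RR", "01": "REJ", "10": "RNR", "11": "SREJ"}   # S1 S2
U_MARKER, S_MARKER = 0b111111, 0b111110   # bits 4-9, with bit 4 as the low-order bit


def bit(value: int, n: int) -> int:
    """Bit n (1..16) of the header, numbered as in the guide's table."""
    return (value >> (n - 1)) & 1


def bits(value: int, lo: int, hi: int) -> int:
    """Bits lo..hi inclusive, with bit lo as the low-order bit of the result."""
    return (value >> (lo - 1)) & ((1 << (hi - lo + 1)) - 1)


@dataclass
class RlpHeader:
    frame_type: str                    # "U", "S" or "I+S"
    command: bool                      # C/R: True = command, False = response
    poll_final: bool                   # P/F bit
    u_function: Optional[str] = None   # SABM, UA, ... (U frames only)
    s_function: Optional[str] = None   # RR, REJ, RNR, SREJ (S and I+S frames)
    ns: Optional[int] = None           # send sequence number N(S) (I+S frames)
    nr: Optional[int] = None           # receive sequence number N(R) (S and I+S)


def decode_rlp_v01_header(value: int) -> RlpHeader:
    if not 0 <= value <= 0xFFFF:
        raise ValueError("a version 0/1 RLP header is 16 bits")
    cr, pf = bool(bit(value, 1)), bool(bit(value, 10))
    marker = bits(value, 4, 9)
    if marker == U_MARKER:
        m = "".join(str(bit(value, n)) for n in range(11, 16))   # M1..M5 = bits 11-15
        if m not in U_FUNCTIONS:
            raise ValueError(f"unassigned U-frame M bits {m}")
        return RlpHeader("U", cr, pf, u_function=U_FUNCTIONS[m])
    s_fn = S_FUNCTIONS[f"{bit(value, 2)}{bit(value, 3)}"]        # S1 = bit 2, S2 = bit 3
    nr = bits(value, 11, 16)
    if marker == S_MARKER:
        return RlpHeader("S", cr, pf, s_function=s_fn, nr=nr)
    return RlpHeader("I+S", cr, pf, s_function=s_fn, ns=marker, nr=nr)


def encode_rlp_v01_header(h: RlpHeader) -> int:
    """Inverse of decode_rlp_v01_header; handy for building frames to test a decoder."""
    v = int(h.command) | (int(h.poll_final) << 9)
    if h.frame_type == "U":
        m = next(k for k, name in U_FUNCTIONS.items() if name == h.u_function)
        for i, ch in enumerate(m):         # M1 at bit 11 ... M5 at bit 15
            v |= int(ch) << (10 + i)
        return v | (U_MARKER << 3)
    s = next(k for k, name in S_FUNCTIONS.items() if name == h.s_function)
    v |= (int(s[0]) << 1) | (int(s[1]) << 2)
    if h.nr is None or not 0 <= h.nr < 64:
        raise ValueError("N(R) must be a 6-bit number")
    if h.frame_type == "S":
        ns = S_MARKER
    elif h.ns is None or not 0 <= h.ns < S_MARKER:
        raise ValueError("N(S) must be 0..61; 62 and 63 mark S and U frames")
    else:
        ns = h.ns
    return v | (ns << 3) | (h.nr << 10)


if __name__ == "__main__":
    sabm = encode_rlp_v01_header(RlpHeader("U", True, True, u_function="SABM"))
    print(f"SABM command with P/F set: {sabm:#06x} ->", decode_rlp_v01_header(sabm))
```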
[- {GTP} -]
The GPRS Tunnelling Protocol (GTP) is the protocol between GPRS
Support Nodes (GSNs) which allows multiprotocol packets to be tunnelled
through it in the GPRS backbone network. These packets are the collection
of data that carry one of two substantial pieces of information;
either the user's IP or X.25 packets. Below GTP, the standard protocols
(TCP or UDP) are employed to transport the GTP packets within the GPRS
backbone network. X.25 expects a reliable data link to be used, which is why
TCP is used for its data transfer. UDP is simply used for special access to
IP-based packet data networks, which don't necessarily expect reliability
in the network layer. IP is employed in the network layer to route specific
packets through the GPRS backbone. Please note; Ethernet, ISDN, or
ATM-based protocols may be used below IP for GTP packeting.
Let's summarize, shall we?
In the GPRS backbone we have an IP/X.25-over-GTP-over-UDP/TCP-over-IP
transport architecture.
Subnetwork Dependent Convergence Protocol --
The Subnetwork Dependent Convergence Protocol (SNDCP) is used to transfer
data packets between the Serving GPRS Support Node (SGSN) and the Mobile
Station (MS).
Its functionality includes:
* Compression and decompression of user data and redundant header information.
* Multiplexing of several connections of the network layer onto one
virtual connection in the underlying Logical Link Control (LLC) layer.
(Definition; Logical Link Control (LLC): a data link layer protocol for GPRS.
This layer assures the reliable transfer of user data across a wireless
network.)
- In the signaling plane, GTP specifies a tunnel control and management
protocol which allows the SGSN to provide GPRS network access for a MS.
- Signaling is used to create, modify and delete tunnels.
In the transmission plane, GTP uses a tunneling mechanism to provide a
service for carrying user data packets. The choice of path is dependent
on whether the user data to be tunneled requires a reliable link or not.
- The GTP protocol is implemented only by SGSNs and GGSNs. No other
systems need to be aware of GTP's presence. GPRS MSs are connected to an
SGSN without being aware of GTP. It is assumed that there will be a
"many-to-many" relationship between SGSNs and GGSNs.
- A SGSN may provide service to many GGSNs. A single GGSN may associate with
many SGSNs to deliver traffic to a large number of geographically diverse
mobile stations.
GTP header structure
The GTP header is a fixed format 16 octet header used for all GTP
messages. Below is a simple diagram of the GTP header structure, hopefully
this will give you a general idea of the relevancy of GTP headers.
   8   7   6      5 - 2        1
|-----------|---------------|-----|
|  Version  |   Reserved    | LFN |
|-----------|---------------|-----|
|           Message type          |
|---------------------------------|
|              Length             |
|---------------------------------|
|          Sequence Number        |
|---------------------------------|
|            Flow Label           |
|---------------------------------|
|         LLC Frame Number        |
|---------------------------------|
| x   x   x   x   x   x   x | FN  |
|---------------------------------|
|             Reserved            |
|---------------------------------|
|               TID               |
|---------------------------------|
GTP Header Structure; Definitions
---------------------------------
- Version: Set to 0 to indicate the first version of GTP
- Reserved: Reserved bits for future use, set to 1.
- LFN: Flag indicating whether the LLC frame number is included or not.
- Message Type: Type of GTP message.
- Length: Indicates the length in octets of the GTP message (G-PDU).
- Sequence number: Transaction identity for signaling messages
and an increasing sequence number for tunneled T-PDUs.
- Flow label: Identifies unambiguously a GTP flow.
- LLC frame number: Used at the Inter SGSN Routing Update procedure
to coordinate the data transmission on the link layer between the
MS and the SGSN.
- x: Spare bits x indicate the unused bits which are set to 0 by the
sending side and are ignored by the receiving side.
- FN: Continuation of LLC frame number.
- TID: Tunnel identifier that points out Mobility Management and
PDP contexts.
The format of the TID is as follows:
Bits       5 - 8             4 - 1
     |-----------------|-----------------|
     |   MCC digit 2   |   MCC digit 1   |
     |   MNC digit 1   |   MCC digit 3   |
     |   MSIN digit 1  |   MNC digit 2   |
     |   MSIN digit 3  |   MSIN digit 2  |
     |   MSIN digit 5  |   MSIN digit 4  |
     |   MSIN digit 7  |   MSIN digit 6  |
     |   MSIN digit 9  |   MSIN digit 8  |
     |      NSAPI      |   MSIN digit 10 |
     |-----------------|-----------------|
TID Format:
MCC, MNC, MSIN digits
Parts of the IMSI (defined in GSM 04.08).
NSAPI: Network service access point identifier.
[- {GMM} -]
GMM
What is GMM? GMM, or GPRS Mobility Management, is a very complex, versatile
protocol that operates within the signaling plane of GPRS, handling such things
as: roaming, authentication, and selection of encryption algorithms.
The main function of the GMM sub-layer is to support the mobility of user
terminals, such as informing the network of its present location and providing
user identity confidentiality.
GMM header format:
        8  7  6  5                 4  3  2  1            Octet
|------------------------|------------------------|
|  Protocol discriminator|     Skip indicator     |        1
|------------------------|------------------------|
|                   Message type                  |        2
|-------------------------------------------------|
|               Information elements              |       3-n
|-------------------------------------------------|
GMM header structure; Definitions
---------------------------------
Protocol discriminator - 1000 identifies the GMM protocol.
Skip indicator - The value of this field is 0000.
Message type - Defines the function and format of each GMM message.
The message type is mandatory for all messages. Bit 8 is reserved for
possible future use as an extension bit. Bit 7 is reserved for the
send sequence number in messages sent from the mobile station.
GMM message bit types:
0 0 0 0 0 0 0 1 Attach request
0 0 0 0 0 0 1 0 Attach accept
0 0 0 0 0 0 1 1 Attach complete
0 0 0 0 0 1 0 0 Attach reject
0 0 0 0 0 1 0 1 Detach request
0 0 0 0 0 1 1 0 Detach accept
0 0 0 0 1 0 0 0 Routing area update request
0 0 0 0 1 0 0 1 Routing area update accept
0 0 0 0 1 0 1 0 Routing area update complete
0 0 0 0 1 0 1 1 Routing area update reject
0 0 0 1 0 0 0 0 P-TMSI reallocation command
0 0 0 1 0 0 0 1 P-TMSI reallocation complete
0 0 0 1 0 0 1 0 Authentication and ciphering req
0 0 0 1 0 0 1 1 Authentication and ciphering resp
0 0 0 1 0 1 0 0 Authentication and ciphering rej
0 0 0 1 0 1 0 1 Identity request
0 0 0 1 0 1 1 0 Identity response
0 0 1 0 0 0 0 0 GMM status
0 0 1 0 0 0 0 1 GMM information
---
Conclusion;
PsychoSpy and I wrote this document as a guide for anyone desiring
to learn more about the future of GSM wireless. Within the next
couple of years, I guarantee you'll be seeing a vast number of GSM-type
phones in Canada (FIDO provider) offering the high-speed GSM add-on
technology known as GPRS. So when GPRS is released by 2002, you won't be
left out in the cold wondering "now how the hell did they do that?"
because you would have read this document!
What to look for in the future in regards to our R&D:
- A look at GPRS administration, configuration and security analysis
- CDMA Protocols; CC, MM, BSSMAP, DTAP (GSM-L3), RR, BTSM, BSSAP
- SS7 Protocols; MTP2/MTP3, SCCP (v2.0), TCAP ISUP, TUP, DUP
----
Contact Information;
PsychoSpy -- E-mail: PsychoSpy@softhome.net
ICQ: 5057653
The Clone -- E-mail: theclone@haxordogs.net
ICQ: 79198218
URL: http://www.nettwerked.net
~-= An N&N Production =-~
___
DND Non-Public Network and Workstation Security - By PsychoSpy
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
--------- Beginning of Disclaimer ---------
This file is to be used for educational purposes
only. By continuing to read this file, you agree
that all responsibility for any misuse of this
information is bestowed upon you, the reader.
--------- End of Disclaimer ---------
Well, here we are once again! So, you've always wondered what kind
of networks the DND are running, haven't you? Have you always wanted
to know what kind of security mechanisms they use, how their
networks are set up, etc.?
Well, here's your chance kiddies! This file will answer all your
questions and more! So, sit back, relax, and enjoy, while I take
you on a journey through the DND Classified Network.
*spooky music*
1- Introduction and Overview
~~~~~~~~~~~~~~~~~~~~~~~~~
The Department of National Defense IT Infrastructure (DND ITI) is
segmented into two domains: a classified/mission-critical
environment, and a designated or general-purpose environment. The
designated environment (which is detailed in one of my earlier files)
handles information processing which is administrative and
unclassified, or designated up to and including what they call
Protected B. The classified environment, on the other hand, is for
information which is, obviously, classified in the national interest,
or so the gov't says. Currently, the classified environment (CNet) is
being certified and accredited to allow the processing of information
up to and including "SECRET" level, including all caveats.
This file will talk strictly about the classified environment.
According to the classified domain architecture planning, all traffic
is to be encrypted at the network layer using high-grade network
encryption units (NEU(H)), and commercial encryption is to be used at
the application layer to support secure messaging and caveat
separation. It has been decided that the Entrust Public Key
Infrastructure (PKI) and Entrust-compatible cryptography will be used
in the classified domain to meet the application layer encryption
requirement. The diagram below shows the DND Classified Domain
Architecture.
DND Classified Domain Architecture
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
NEU(H)
ISAP Switch CDN3
NEU(H) CDN1 ISAP Switch NEU(H) CDN2 ISAP Switch |-------| |---|
|---| |-------| |---| |-------| |///////|-----|CDN|
|CDN|-------|///////| |CDN|---------|///////| |-------| |---|
|---| |-------| |---| |-------| | |
| | | | | |
| |-------| | | ISAP Router |-------| |---------|
|---------| |///////| ISAP Router |---------| |-------| |///////| | CDN CDN |
| CDN CDN | |-------| | CDN CDN | |///////| ISAP Router |-------| |---------|
|---------| \ |---------| |-------| / Classified
Classified \ Classified \ / LAN
LAN \ LAN \ /\ /\ /
\ /\ \/ \ / \/
\/ \ \ /
\ /\ \ /
\ / \ \ /
\/ \ /\ _______________________\___ /
\ / \ { } /
\/ \ { International }/
Cdn Classified NEU(H) ISAP \{ Switch }
LAN CDN Boundary Switch { DWAN |-------| |-------| DWAN International
|---------| |---| |-------| { |///////|---|///////| Router
| CDN CDN |-------|CDN|-----|///////| { |-------| |-------|
|---------| |---| |-------| {___________________________} \
| | / \
| | / \ ISAP Switch
|---| MLS (EAL3) |-------| / \ |-------|
|GTW| Coalition |///////|------/ \ /\ |///////|------------|
|---| Boundary GTWY |-------| \/ \ |-------| |
| Ottawa (101) \ | |
| Router \ | |---| NEU(H)
| \ |-------| |CDN| CDN_DPLY
|---------| |---| NEU(H) \|///////| |---|
| COA COA |-------|COA| COA Boundary |-------| | |---------|
|---------| |---| Deployed ISAP |---| CDN CDN |
Coalition | Router |---------|
Classified LAN | Deployed Canadian
| NEU(H) Classified LAN
~~~~~~~~~~~ COA_DPLY
{ COALITION } |---| |---------| Deployed Coalition
{ WAN }--------|COA|---| COA COA | Classified LAN
{ } |---| |---------|
~~~~~~~~~~~
COA == Coalition Classified
CDN == Canadian Classified
GTW == Gateway
Assumptions
~~~~~~~~~~~
Certain assumptions are made by the DND as to how the Classified
environment will operate. The following assumptions are made:
- The amount of classified data stored on the workstation can be
considerable
- The systems will ensure local confidentiality protection (caveat
separation) of data by standardizing on such security mechanisms
as access control lists (ACLs), standard directory structures,
encrypted directories on local hard-disks (Entrust ICE) and C2
operating systems
- Workstations will be located in DND facilities with appropriate
levels of physical access controls in place commensurate with
those required for classified systems (e.g. commissionaires,
electronic door locks, swipe card access control systems)
- Protection against malicious hacking from outside sources is not
the primary goal. This protection will be provided at the domain
boundary by firewalls or gateways as required
- All DND employees who have access to the classified ITI will have
the required security clearance. Uncleared persons will be escorted
- All workstations within the classified environment will be
considered as shared systems (i.e. intended for use by more than
one person). Data on the workstation will be protected on a
need-to-know or discretionary basis
- A classified domain PKI will be implemented using Entrust
Also, the Department of National Defense has suggested that an evaluated
C2/EAL3 Operating System be the minimum standard OS for a classified
domain workstation. To provide an acceptable level of protection against
security threats and system vulnerabilities, while keeping the cost
reasonable, several protection mechanisms and security policies will
be implemented on all of the classified workstations. These mechanisms
and policies are meant to provide confidentiality, integrity and
authentication, and to ensure classified data is valid and untampered.
Operating Systems
~~~~~~~~~~~~~~~~~
There is a slight problem which came up when the classified domain
was being planned, due to the mixture of operating systems used on
the workstations. Currently both Windows NT and UNIX (mostly Solaris)
are used. This poses a problem for creating a common set of security
mechanisms, as some of the safeguards are not available for certain
OSs. Because UNIX workstations usually lack some of these safeguards,
the DND has urged projects and implementors to migrate away from UNIX
workstations to the Windows NT platform. Later in this document, the
lack of a security mechanism for an OS will be identified where it
applies.
2 - Security Services and Mechanisms
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
The high-grade encryption which is present at the network layer in the
classified domain provides confidentiality for classified information in
transit. However, a number of security services are also required at the
classified workstation to ensure the secure storage, processing, and
transmission of caveated information, since it is local processing that
decides who gets access to what data. The DND decided that a mandatory
access control (MAC) solution to this was neither feasible nor cost
effective. Instead, they decided to implement a mixture of security
services, combined in a particular way to create safeguards and
procedures. The specifics of these security mechanisms and services are
discussed below.
The trusted computing base (TCB) must be able to enforce the authentication
of each individual user, based on a secure login process (described later)
which can be provided by a C2 OS, the platform BIOS, and the network OS.
Strong authentication will also be provided through Entrust-ready programs,
using key management certificates provided by the Entrust PKI.
The TCB must also be able to control the deletion of objects and the
release of resources back to the system once they have held caveated
information (object reuse). This ensures that caveated data does not
become accessible to a system or user with insufficient clearance, and
is provided by, once again, a C2 OS and Entrust-ready programs.
It must also be able to create, maintain, and protect an audit trail
of certain security-related events (i.e. failed login attempts, etc.).
The audit log will be stored on a separate TCB. An audit "reduction"
tool will also be used to allow the security administrator to centrally
manage and extract any relevant audit data from the log files created
by the OS. Audit can be provided by a C2 OS and by other third party
tools.
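As an added example (not from the original file, and not the DND's actual audit reduction tool), here is a small audit reduction written in Go and run over a constructed export of an NT 4.0 Security log. The comma-separated field layout (date,time,eventID,user,workstation) is an assumption of this example; the event IDs 528, 529 and 539 are the NT 4.0 Security log IDs for a successful logon, a logon failure (bad user name or password) and a locked-out account. The tool throws away everything except failures and lockouts, then flags accounts that were locked out and accounts being tried from several different workstations, which is the kind of thing a security administrator wants pulled out of the raw log rather than found by reading it.

```go
package main

import (
	"fmt"
	"sort"
	"strconv"
	"strings"
)

// Constructed sample export of an NT 4.0 Security log. The field layout is an
// assumption for this example, not the real Event Viewer export format.
// Event IDs: 528 successful logon, 529 bad user name or password,
// 539 account locked out.
const sampleAuditLog = `1999-11-03,08:02:11,528,jsmith,CDN-WS-014
1999-11-03,08:15:40,529,mlee,CDN-WS-022
1999-11-03,08:15:52,529,mlee,CDN-WS-022
1999-11-03,08:16:03,529,mlee,CDN-WS-022
1999-11-03,08:16:20,529,mlee,CDN-WS-022
1999-11-03,08:16:31,539,mlee,CDN-WS-022
1999-11-03,08:30:07,529,administrator,CDN-WS-031
1999-11-03,08:31:55,529,administrator,CDN-WS-035
1999-11-03,08:33:12,529,administrator,CDN-WS-040
1999-11-03,09:01:00,528,jsmith,CDN-WS-014
this line is garbage and must be skipped`

type auditEvent struct {
	Date, Time  string
	ID          int
	User        string
	Workstation string
}

// parseAuditLog is the "reduction" step proper: keep only the
// security-relevant events (failed logons and lockouts) and drop
// everything else, including malformed lines.
func parseAuditLog(raw string) []auditEvent {
	var out []auditEvent
	for _, line := range strings.Split(raw, "\n") {
		f := strings.Split(strings.TrimSpace(line), ",")
		if len(f) != 5 {
			continue
		}
		id, err := strconv.Atoi(f[2])
		if err != nil || (id != 529 && id != 539) {
			continue
		}
		out = append(out, auditEvent{Date: f[0], Time: f[1], ID: id, User: f[3], Workstation: f[4]})
	}
	return out
}

// Finding is one item the security administrator should look at.
type Finding struct {
	User   string
	Reason string
}

// ReduceAudit flags (a) any account that was locked out, (b) any account
// with failed logons from more than one workstation, which one user
// mistyping their own password does not produce, and (c) any account
// with at least threshold failures on its own.
func ReduceAudit(raw string, threshold int) []Finding {
	failures := map[string]int{}
	sources := map[string]map[string]bool{}
	lockedOut := map[string]bool{}
	for _, e := range parseAuditLog(raw) {
		switch e.ID {
		case 529:
			failures[e.User]++
			if sources[e.User] == nil {
				sources[e.User] = map[string]bool{}
			}
			sources[e.User][e.Workstation] = true
		case 539:
			lockedOut[e.User] = true
		}
	}
	var findings []Finding
	for user, n := range failures {
		switch {
		case lockedOut[user]:
			findings = append(findings, Finding{User: user, Reason: fmt.Sprintf("locked out after %d failed logons", n)})
		case len(sources[user]) > 1:
			findings = append(findings, Finding{User: user, Reason: fmt.Sprintf("%d failed logons from %d different workstations", n, len(sources[user]))})
		case n >= threshold:
			findings = append(findings, Finding{User: user, Reason: fmt.Sprintf("%d failed logons", n)})
		}
	}
	sort.Slice(findings, func(i, j int) bool { return findings[i].User < findings[j].User })
	return findings
}

func main() {
	for _, f := range ReduceAudit(sampleAuditLog, 3) {
		fmt.Printf("%-15s %s\n", f.User, f.Reason)
	}
}
```

On the sample above the tool reports two things: "administrator" tried from three different workstations, and "mlee" locked out after four failures. The successful logons and the garbage line never reach the findings, which is the point of reduction: the administrator reads two lines, not the whole log.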
Need-to-know separation must be enforced between all objects and subjects
by the TCB. This separation is provided by a C2 OS, and by encryption with
Entrust.
Access Control Lists (ACLs) allow a system administrator to limit which
users, or groups of users, have access rights to certain data. These
assist in implementing access rights in order to control access
to information on a need-to-know basis.
The DND has also said that all information in the classified domain must
be labeled. This includes all hard copy output, files, e-mail, directories,
content displayed on the screen, and any other stored objects. They must
be labeled with the appropriate classifications, caveats and handling
restrictions. This makes proper storage and transmission of classified
information easier, and indicates the need-to-know required to access
certain classified information. Mechanisms to do this include Entrust
applications, or labeling applications which do the labeling at the
system level within the directory or file system, or as part of the text
or data itself.
Low-grade network encryption units (NEU(L)) can be used to provide
login/password or other types of protection over the LAN if required by
a Threat and Risk Assessment (TRA) (i.e. the login information to a CEO
(Canadian Eyes Only) server should be protected over the LAN if there is
a perceived threat of someone sniffing for login information).
3 - Safeguards and Procedures
~~~~~~~~~~~~~~~~~~~~~~~~~
This section will describe the details of safeguards and procedures which
are implemented on a classified workstation to provide the services and
mechanisms which were described earlier.
Viruses
~~~~~~~
Viruses, Trojans, worms, time bombs, etc. are statistically among the top
security threats to any computer system and network. Individual computers
and entire networks have been rendered inoperable for days due to a virus
infection. Many hours have been lost, and administrator workloads have
increased dramatically due to network downtime caused by the spread of
a virus. Most viruses are introduced into the network by users who copy
files from unknown or untrusted sources, via floppy or across the internet,
etc. The best method to ensure that viruses are not introduced into the
network, other than preventing users from copying files from floppy disks
or other outside sources, is to have a resident virus scanner active at
all times during operation of the workstation.
As of 1999 the DND has a departmental license for McAfee anti-virus software
and around 12,000 licenses for Dr Solomon's anti-virus software. Both products
are now licensed from Network Associates Inc (NAI). Every workstation inside
the DND's classified domain is required to be protected by an anti-virus
program which has been selected by the DND. They are to be set up to scan
for viruses every time a file is accessed.
Encryption Software
~~~~~~~~~~~~~~~~~~~
Entrust Client is the software product of choice for DND classified
systems to provide local confidentiality and discretionary access
control on classified systems and networks. All local traffic which
requires confidentiality and additional access control will be encrypted
before being sent across the network. This can be accomplished using an
Entrust-ready application. Traffic which requires proof-of-origin and/or
strong integrity will be digitally signed using Entrust private signing
keys. Entrust provides strong public key encryption and key management
which, combined with the X.500/X.509 directory service, will allow users
to securely store and transmit local data for any user or group of users.
As well, the Entrust client can provide secure delete services for files
upon deletion. This object reuse feature is designed to ensure that
sensitive information cannot be recovered by unauthorized people once
the file has been deleted. A detailed description of how Entrust provides
these services is given later in this document.
Entrust Client is also essential for applications like secure e-mail,
secure messaging, PeopleSoft, Remote Access etc. Hence, this product
is to be installed on every classified workstation.
The Entrust ICE software product has also been selected by DND as their
local hard-disk encryptor. This, when used with Entrust Client, will
allow users to implement need-to-know/caveat separation by selecting
folders where files will be saved in encrypted form automatically every
time they are saved to that specific folder. Folders can also be set up
to encrypt files for only the owner's use or for a specified group of
users. This product allows users to automatically save backup files on
a server in encrypted form just by copying or moving the file to a
specific folder. This enables users to access sensitive files from
any workstation across the network, and have appropriate protection
on those files to prevent unauthorized users from viewing them.
Entrust Tokens and Readers
~~~~~~~~~~~~~~~~~~~~~~~~~~
The DND has selected hardware token technology to provide a high assurance
two-factor identification and authentication, storage and cryptographic
processing device for use by applications that implement Entrust encryption
and digital signature technology. This token may be a smart card,
PCMCIA card, USB token, or any other appropriate, portable form.
Tokens are issued to all users of the Military Message Handling System
(MMHS) and the Command and Control Information Systems (CCIS) in the
classified domain. The token provides additional security to the desktop
by tying the user's identity and password to possession of their Entrust
token. The hardware token can be compared to a debit card, in that the
card must be inserted into a specific slot and the PIN must be entered
before secure operations will be allowed. The token contains an internal
processor and memory which allow the security functions (i.e. private
encryption key and digital signature key storage, digital signatures, etc.)
to be implemented inside the token itself, and therefore taken away from
the threat environment of the workstation. The intent is that individual
users will be issued their own token, which will support secure operations
on a classified LAN.
Token readers will be installed on all classified workstations within the
department (or provided as add-on equipment for existing workstations).
Specific details of token reader requirements will be covered in a future
file on MMHS.
Labeling Software
~~~~~~~~~~~~~~~~~~
Unfortunately not much information on this subject is available. The
information which I have found, however, says that this is currently
being investigated by the DND. I may have an update for this in the
near future.
Keyed Locking Screws
~~~~~~~~~~~~~~~~~~~~
To prevent users and unauthorized people from gaining access to the
internal components of the workstation, keyed locking screws will be
utilized by system administration staff. These devices require the use
of special keyed tools in order to remove them. The use of these screws
is intended to prevent unauthorized individuals from easily opening the
workstation to remove the BIOS battery which could reset the BIOS, remove
components such as memory chips or circuit cards, or add components such
as modems which could decrease the level of security.
BIOS Configuration and Password
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
DND has required that the BIOS be configured in such a manner that users
are not able to boot from a floppy disk or CD-ROM. This prevents any
unauthorized user from booting around the system's Identification and
Authentication mechanisms in order to install or run unauthorized,
illegal and possibly harmful applications (i.e. key loggers, password
crackers, disk recovery programs, etc.). Forcing the initial boot from
the hard drive will also prevent accidental booting from a floppy disk
which could be infected with a boot sector virus. In the event that a
workstation cannot be booted from the hard drive, administrator or
maintenance personnel will be able to reset the BIOS to allow booting
from a floppy disk in order to recover the workstation.
The BIOS password is also to be set for all workstations to prevent
users from making changes which could permit them to bypass security
mechanisms. The system administrators are required to keep records
of these passwords and effect changes in the same manner as Security
Officers maintain combination numbers for file cabinets and safes.
Only system administrators and maintenance personnel shall have
access to the BIOS password and therefore the BIOS setting on
workstations.
Secure Configuration of Workstation Operating System
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
All workstations are to be secured as outlined in
"DND Secure Windows NT 4.0 Installation and Configuration Guide"
or "DND Secure UNIX Installation and Configuration Guide". These
documents include guidance on configuring and installing C2
configurations, file systems, registries, security policies, and
profiles. This includes a properly configured registry for Windows NT.
4 - Workstation Cryptographic Processes
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
This section will, obviously, go over the cryptographic processes which
occur on the workstation. This includes encrypting a file for multiple
users, logging on, and the Entrust ICE log-on procedure.
Encrypting a File for Multiple Users
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
The diagram below demonstrates how a file is encrypted for multiple users
and then decrypted by any individual authorized user. Encrypting a file
this way uses both symmetric and asymmetric encryption and involves
several steps. The file type (i.e. text document, picture, database, etc.)
has absolutely no impact on this process as far as the encryption goes.
Step 1: First the user creates a clear-text (unencrypted) file which
could be a text document, graphic, database or any other file
type.
Step 2: Next this clear-text file is encrypted with a randomly generated
symmetric encryption/decryption key. At this point the original
clear-text file is securely deleted to ensure that the
confidentiality of the information is maintained.
Step 3: Now that we have our encrypted file, but with the symmetric key
still exposed, measures must be taken to protect that key from
being compromised. The next step is to encrypt the symmetric
key with the public asymmetric key of each intended recipient.
A copy of the encrypted symmetric key for each recipient is
attached to the encrypted file to create a new file. When the
new encrypted file is saved, it is identified by the extension
".ent" which is appended to the original filename.
Step 4: Now the file is encrypted with a symmetric encryption/decryption
key and this key is protected using the public asymmetric key of
each intended recipient. The only way to decrypt the original
file is for a user to obtain a copy of the symmetric key, which
can then be used to decipher the original data. If the user is an
authorized recipient for the file, that individual can use their
private asymmetric decryption key to unwrap their copy of the
symmetric key and subsequently decrypt the file.
Step 5: At this point, the file is back to its original form, with the
filename intact and ready for viewing.
|------------|
|++++++++++++|
|+File+++++++| Original File
|++Cleartext+| Unencrypted
|++++++++++++|
|------------|
|------------| |------------|
|+Data+++++++| |++Symetric++| Original File Encrypted
|++Encrypted+| |+Encryption+| Using Symmetric
|+By+++++++++| |++++Key+++++| Encryption/Decryption
|+Encryption+| |++++++++++++| Key
|------------| |------------|
|------------| |------------|-----------| |------------|-----------| |------------|-----------|
|+Data+++++++| |+Encrypted++|+++User1+++| |+Encrypted++|+++User2+++| |+Encrypted++|+++User3+++| A copy of the symmetric
|++Encrypted+| |++Symetric++|+Asymetric+| |++Symetric++|+Asymetric+| |++Symetric++|+Asymetric+| decryption key is encrypted
|+By+++++++++| |+Encryption+|+Encryption| |+Encryption+|+Encryption| |+Encryption+|+Encryption| with the asymmetric public key
|+Encryption+| |++++Key+++++|++++Key++++| |++++Key+++++|++++Key++++| |++++Key+++++|++++Key++++| of each intended recipient
|------------| |------------|-----------| |------------|-----------| |------------|-----------|
|------------|-----------| |------------| |------------|
The asymmetric private decryption |+Encrypted++|+++User2+++| \ The decrypted symmetric key |+Data+++++++| |++Symetric++|
key of User2 is used to decrypt the |++Symetric++|++Private++| =====\ is then used to decrypt the |++Encrypted+| |+Encryption+|
symmetric key originally encrypted |+Encryption+|+Asymetric+| =====/ original file |+By+++++++++| |++++Key+++++|
with the User2 public encryption key |++++Key+++++|+Decryption| / |+Encryption+| |++++++++++++|
|++++++++++++|++++Key++++| |------------| |------------|
|------------|-----------|
|------------|
|++++++++++++|
|+Data+++++++| Original File
|++Cleartext+| decrypted and available for
|++++++++++++| viewing by user
|------------|
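As an added example (not from the original file and not Entrust's own code), the Go program below carries the five steps above through in working code for three hypothetical users, alice, bob and eve: a random file key encrypts the data, that key is wrapped once for each intended recipient, and only a listed recipient can unwrap it. Entrust's actual algorithms and the .ent layout are not reproduced; AES-GCM and RSA-OAEP from the Go standard library stand in for them, and the user names, the EncryptedFile structure and the sample text are assumptions of this example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Recipient is one intended reader: a name and an asymmetric key pair.
// In the DND setup the private half would live on the Entrust token; here
// it is generated in memory for hypothetical users.
type Recipient struct {
	Name string
	Key  *rsa.PrivateKey
}

// NewRecipient generates a fresh 2048-bit RSA key pair for a named user.
func NewRecipient(name string) (*Recipient, error) {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	return &Recipient{Name: name, Key: key}, nil
}

// WrappedKey is one recipient's copy of the symmetric file key, encrypted
// under that recipient's public key (step 3).
type WrappedKey struct {
	Name   string
	Cipher []byte
}

// EncryptedFile stands in for the ".ent" file: the symmetrically encrypted
// data plus one wrapped key per recipient.
type EncryptedFile struct {
	Nonce      []byte
	Ciphertext []byte
	Keys       []WrappedKey
}

// EncryptForRecipients performs steps 2 and 3: a random 256-bit key encrypts
// the data with AES-GCM (so tampering is detected on decrypt), then that key
// is RSA-OAEP encrypted once per recipient. The recipient name is bound in
// as the OAEP label, so a wrapped key moved to another user's slot fails.
func EncryptForRecipients(plaintext []byte, recipients []*Recipient) (*EncryptedFile, error) {
	if len(recipients) == 0 {
		return nil, errors.New("no recipients: nobody could ever decrypt this file")
	}
	fileKey := make([]byte, 32)
	if _, err := rand.Read(fileKey); err != nil {
		return nil, err
	}
	gcm, err := newGCM(fileKey)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	ef := &EncryptedFile{Nonce: nonce, Ciphertext: gcm.Seal(nil, nonce, plaintext, nil)}
	for _, r := range recipients {
		wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, &r.Key.PublicKey, fileKey, []byte(r.Name))
		if err != nil {
			return nil, err
		}
		ef.Keys = append(ef.Keys, WrappedKey{Name: r.Name, Cipher: wrapped})
	}
	// Every recipient now holds a wrapped copy; scrub the clear key we hold
	// (the in-memory analogue of step 2's secure delete of the clear text).
	for i := range fileKey {
		fileKey[i] = 0
	}
	return ef, nil
}

// Decrypt performs step 4 for one user: find their wrapped key, unwrap it
// with their private key, then decrypt the data. A user with no wrapped copy
// has no way to recover the file key and gets an error, not the plaintext.
func Decrypt(ef *EncryptedFile, me *Recipient) ([]byte, error) {
	for _, wk := range ef.Keys {
		if wk.Name != me.Name {
			continue
		}
		fileKey, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, me.Key, wk.Cipher, []byte(me.Name))
		if err != nil {
			return nil, fmt.Errorf("unwrapping file key for %s: %w", me.Name, err)
		}
		gcm, err := newGCM(fileKey)
		if err != nil {
			return nil, err
		}
		return gcm.Open(nil, ef.Nonce, ef.Ciphertext, nil)
	}
	return nil, errors.New("no wrapped key for " + me.Name)
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

func main() {
	alice, _ := NewRecipient("alice")
	bob, _ := NewRecipient("bob")
	eve, _ := NewRecipient("eve")
	ef, err := EncryptForRecipients([]byte("SECRET CEO - exercise plan"), []*Recipient{alice, bob})
	if err != nil {
		panic(err)
	}
	pt, err := Decrypt(ef, bob)
	fmt.Printf("bob: %q (err=%v)\n", pt, err)
	_, err = Decrypt(ef, eve)
	fmt.Printf("eve: err=%v\n", err)
}
```

Running it shows bob recovering the plaintext and eve, who was not a recipient, getting an error rather than the data. Flipping one byte of the ciphertext makes even alice's decrypt fail, which is the integrity check the symmetric step above does not mention but any current implementation would include; the wrapped keys are the only thing in the container that differs per user, so adding a fourth recipient later means wrapping the same file key once more, not re-encrypting the file.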
Logging On
~~~~~~~~~~
There are a number of identification and authentication points for a
user logging into the network from a classified workstation. An image
should be included with this file, in the same directory, called
"ntwrk_sec_diag.gif". This image shows a classified workstation
connected to a network with its associated security components.
The following paragraphs will provide a description of the processes
which occur each time a user logs on to the workstation.
In Windows NT Workstations, when an authorized user logs on at a
networked computer, that person must first authenticate himself or
herself to a network server (A) where their policy file is stored
before they can access the workstation. Once the user is authenticated,
a copy of their policy file is downloaded to the workstation where it
will be merged with the local registry settings. This will ensure that
each time a user logs in they will be forced to comply with the security
policy settings as determined by the network administrator.
The Windows NT platform includes a secure log-on sequence (using the
Ctrl-Alt-Del key sequence). This prevents applications from trapping
usernames and passwords at login. Coupled with the account lockout
feature, failure to enter the correct password after a specified number
of attempts prohibits unauthorized users from accessing critical data.
The NT secure logon process has been evaluated to the equivalent of a
B2 platform's secure logon process.
The applications which are available will depend on what is required
for the particular user or group of users needs. All network post logon
routines will be performed (i.e. virus scan, system checks, software
updates, etc.).
Entrust ICE Logon Process
~~~~~~~~~~~~~~~~~~~~~~~~~
Once the user has completed logging into the workstation, and all network
software has completely loaded, the user will then have to log on to
Entrust ICE, which enables the cryptographic security services. To do
this, a user must authenticate him/herself to the Entrust ICE program.
This is done by inserting their Entrust token into the reader and entering
their user id and password. The Entrust token is used to store the user
credentials. Storing the .epf file on the token raises the level of
protection for the user's keys and other attributes to a much higher
degree. During this authentication process, Entrust will check the user's
credentials against the Certificate Revocation List (CRL) on the Entrust
Directory Server (see "C" in the diagram) to verify that the certificate
in their .epf file has not been revoked. If the user is validated then the
logon will continue as usual; otherwise the logon process will terminate.
Once Entrust ICE has been inactive for a specified period of time, ICE
will automatically time out. When this occurs a user still has the ability
to encrypt files as usual by saving them to the designated folder, since
encryption only needs the recipients' public keys. However, the user will
not be able to decrypt a file, which needs the private key unlocked by the
logon, until they go through the authentication process again to
re-authenticate to Entrust ICE. This is put in place to ensure that if a
user leaves their workstation unattended for more than the predetermined
time frame, an unauthorized person cannot gain access to their encrypted
files.
5 - Caveat Separation
~~~~~~~~~~~~~~~~~
Requirement
~~~~~~~~~~~
Currently, classified systems (i.e. command and control systems) require
mechanisms to isolate and protect caveat information (i.e. CEO, CANUS,
NATO, AUSCANZUKUS) processed on the same workstation and/or LAN. There
has been considerable work done to define the mechanisms for caveat
separation based on Discretionary Access Control (DAC) mechanisms and
Entrust.
Presently, there is a requirement for several separate caveat domains.
This results in significant complexity within the Classified Security
Domain of DWAN. Some resolution of the caveat issue has been accomplished
at the operational level. This is done by moving towards a "SECRET"
(CANUS) dedicated mode of operation. For example, MCOIN III currently
has a SECRET CANUS warning level on all its classified material. This has
forced JC2IS to purge all CEO material, to allow it to declare itself
CANUS and inter-operate with MCOIN III with limited need-to-know access
enforcement, if any at all.
However, using the mechanisms outlined in the following sub-sections,
the objective is to separate or compartmentalize caveats and implement
a Canadian Classified Domain of SECRET (MULTI CAVEATS). This would allow
all classified work groups to operate in a multiple caveat environment.
Mechanisms which provide separation of caveat information within the
DND Classified Domain must meet the following criteria:
- Allow for a system high mode of operation where the need-to-know
principle will be enforced
- Classified documents will be labeled, stored, and protected according
to their label
- Caveat information will be separated/isolated through approved security
mechanisms
Well... All I can say now is that my hands are tired from typing, and my eyes
are completely strained. I hope it was worth the time and effort which I put
into this file. I truly hope that people out there find this useful, or
interesting.
There was one more section which I was going to add on labeling specifications,
and an overview of the classifications. However, my computer didn't like the
amount of text I was putting into it, and I didn't feel it was too important,
so I left it out. However, if for some reason you're interested in this extra
section, e-mail me and I'll write it up real quick and send it off to you.
Look for more DND related files in the near future. I would like to send out
a special shout to the guys at the DND who do a great job planning their
network security, however you guys have to work on your implementation a little
more. ;-)
Shouts go out to Clone, Semtex, everyone at Hack Canada, and all the regulars at
#Haxordogs. Keep up the good work everyone!
Tune in next time to find my conclusion on the DWAN's overall security, and some
possible security problems I see with their setups. Same Psycho time... Same Psycho
site...
-- PsychoSpy
psychospy@hushmail.com
ICQ#: 5057654
___
<cyb> when I say Moldy... you say BUNZ!!!
___
DND WAN DNet Architecture - By PsychoSpy
~~~~~~~~~~~~~~~~~~~~~~~~~
--------- Beginning of Disclaimer ---------
This file is to be used for educational purposes only.
By reading this file you agree that all responsibility
for any misuse of this information is bestowed upon the
reader.
If you continue to read this file, you also agree that
this file cannot be used in any legal cases, and that
you are not employed by a policing, or intelligence
agency.
--------- End of Disclaimer ---------
Introduction
~~~~~~~~~~~~
This file will go over the Department of National Defense
Wide Area Network (DWAN) designated domain (DNet) architecture.
DWAN was set up to provide a computer/data communications
infrastructure to connect various different Local Area Networks
(LANs) and Metropolitan Area Networks (MANs) together within the
DND.
The DWAN is separated into three main domains. The first domain
is called GP-Net. GP-Net is the unclassified domain. The second
domain is the designated domain, which is known as DNet. The last
domain is called CNet, and is the classified domain.
Hopefully in future files I will cover GP-Net and CNet architecture,
although they are relatively similar to each other.
DWAN as a whole uses DTES 3 for its Network Authority and Configuration
Control Manager.
Now you're asking what exactly the DWAN is able to do. Well, DWAN was
designed to "provide interconnection to approved, existing, and planned
DND systems." DWAN fully supports the TCP/IP protocol as a migration
towards OSI. It also provides a common, high-speed, reliable
inter-networking communications backbone, and a communication infrastructure
to facilitate the implementation of inter-networking requirements across DND.
DNet allows users to perform many tasks. These tasks include
co-ordination and planning, cost control, security accreditation for the
infrastructure, configuration management, and maintenance control.
DNet Components
~~~~~~~~~~~~~~~
There are four main DNet components, which are much like any network
components, including the internet.
The first of the components are routers. The routers used in DNet act
in the same way, and in most cases are the same, as routers in any
other network. What they basically do is route data and information to
their proper destinations. They are also able to filter traffic, much
like a firewall. Interconnected routers form the DNet backbone and act
as area backbones. NSMC centrally manages the routers. Management
traffic is carried in-band via frame relay. Authentication of management
traffic is done by TACACS+ and SecurID.
The next component of DNet is switches. DNet utilizes two different
types of switches. The first type of switch is an Integrated Service
Access Point (ISAP) Switch. Every DNet site has an ISAP Switch. The
second switch is a Controller Switch. Controller Switches allow
connection with the other 12 BAR sites, Border Area Routers, and their
local ISAP Routers.
DNet's third main component is the Domain Name System (DNS) servers.
The DNet DNS servers work the same as any DNS server on the internet.
They take requests from hosts or remote DNS servers, and provide IP
resolution for the request; e.g. a web browser requests
http://www.nettwerked.net
and the DNS server sees this, looks it up, and resolves the IP address for
www.nettwerked.net. Within DNet there are two levels of DNS. The first is
at the national level and is managed by the network management centre,
NSMC. The second level of DNS is at the base or MANOC level. There is a
primary DNS which is located at the NSMC, and there are six secondary
DNS servers, one for each region. The secondary DNS servers are in
Esquimalt, Edmonton, Kingston, Halifax, Valcartier and Ottawa. The
primary and regional DNS for Area 4 are on the same server.
The fourth, and last, main component is the Management Workstations.
Each ISAP site has a Pentium 75 workstation with NetID software to
enable the local MAN manager to manage their respective block of IP
addresses. Two network management workstations are provided to ensure
reliable backup of the system management. The first system is a Hewlett-
Packard Model 715 with 256MB RAM. The second is a Hewlett-Packard C-100
with 448MB RAM, 2 GB HDD, SCSI drive, 1.44MB floppy drive, keyboard, mouse,
4x CD-ROM, external 4mm DAT, external Gig HDD and a 20" colour monitor.
The operating system of choice on these machines is HP-UX 9.0 with upgrades
to version 10.20. These specs were as of the 9th of April, 1997. They
have most likely upgraded their systems since, but the types of hardware
and OS are most likely the same.
System Architecture
~~~~~~~~~~~~~~~~~~~
The DND's inter-networking facilities have recently been, and continue to
be, restructured to improve capacity, performance, reliability, scalability
and manageability, and to reduce overall costs. DNet physically organizes its
communications infrastructure at two levels: regional, and inter-regional
(or national backbone). The national communications topology has been
restructured to replace the low-speed point-to-point dedicated circuits
which existed with relatively higher-speed frame relay Permanent Virtual
Circuits (PVCs).
DNet is a TCP/IP router-based backbone network, which combines MANs
and IT infrastructures into a common network. This combination occurs
at the Base level through the ISAP switches. The design consists of
cutting the country into six areas along geographic and address
boundaries. There is an additional area (Area 9) which is the Test
and Development Facility (TDF), which simulates an operational area
for test purposes. Each operational area has two Border Area Routers
(BARs) which aggregate all the traffic inside the area's IP subnets into
two or three summary subnet addresses that each router advertises to the
other routers, through routing tables, so they know which routers can
reach what. The inter-connectivity between the BARs is what the main
National level backbone for the DND consists of. These routers are the
point of connection between the National backbone and the area base
routers.
The six areas (plus the test area) are as follows:
Name | Province/Region | Locations
--------|----------------------|-------------------
Area #1 | British Columbia |* Aldergrove
| | Aldergrove ISAP
| |* Esquimalt
| | Esquimalt ISAP
--------|----------------------|-------------------
Area #2 | Prairie | Cold Lake
| | Yellowknife
| | Wainwright
| | Shilo
| | Moose Jaw
| | Winnipeg ISAP
| |* Winnipeg
| | Suffield
| | Edmonton ISAP
| |* Edmonton
--------|----------------------|-------------------
Area #3 | Ontario |* Borden
| |* Kingston
| | Borden ISAP
| | Kingston ISAP
| | London
| | Trenton
| | North Bay
| | Petawawa
| | Toronto
--------|----------------------|-------------------
Area #4 | NDHQ |* Tunneys
| |* Pearkes
| | Tunneys ISAP
| | Pearkes ISAP
| | Leitrim
--------|----------------------|-------------------
Area #5 | Quebec/New Brunswick |* Montreal Area
| |* Valcartier
| | Montreal ISAP
| | Valcartier ISAP
| | Gagetown
| | St. Jean
| | Bagotville
--------|----------------------|-------------------
Area #9 | |* TDF
| | TDF-2 ISAP
| | TDF ISAP
--------|----------------------|-------------------
Note: "*" Indicates the site connects to the frame relay
The BAR sites are fully meshed together, while within a geographical
area the ISAPs are only partially meshed. All data traffic is processed
through a commercial Frame Relay service.
BAR Sites
~~~~~~~~~
There are 12 BAR sites. The typical BAR site configuration is shown
in the diagram below. BAR sites are made to consolidate all IP traffic
across a single consolidated National backbone. Each primary BAR Site,
except Tunney's Pasture, has the same configuration. They are made up
of a Cisco 7505 Router with 16 Serial ports with an 8Mbps capacity on
each port. The router has dual CPUs, dual power supplies and a two port
fast ethernet card. The BAR site also has a local network management
workstation and a fast ethernet switch for inter-connectivity to the
resident ISAP Router. The Primary DNS is installed at the NSMC. Secondary
DNSs are located at five BAR sites: Halifax, Valcartier,
Edmonton, Esquimalt, and Kingston. The Ottawa regional DNS shares the
National DNS server in the NSMC. Network management traffic is carried
in-band via frame relay. Authentication of the management traffic is done
using TACACS and SecurID Token Cards.
BAR SITE CONFIGURATION
~~~~~~~~~~~~~~~~~~~~~~
MANAGEMENT INFRASTRUCTURE + BACKBONE INFRASTRUCTURE +
+ +
+ |-------| + |-------| |-------------| Other BAR Sites
+ /----| M M M |------------| M M M |------ X.21 ------| R R R R R R | (Cisck 7507)
+ Frame Relay / |-------| + |-------| |-------------|
+ |-------------|/ Modem + Modem
+ | FR FR FR FR | (Motorola/Luxcom) + (Motorola/Luxcom)
+ |-------------|\ Xm + Xm
+ | \ |-------| + |-------| |-------------| ISAPs Xn
+ |-| \----| M M M |------------| M M M |------ X.21 ------| R R R R R R | (Cisck 7507)
+ | |-------| + |-------| |-------------|
+ |-------| Modem +
+ | M M M | (Motorola/Luxcom) + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
+ |-------| Xn +
+ | +
+ X.21 +
+ | +
+ |-------| Modem +
+ | M M M | (Motorola/Luxcom) +
|--| + |-------| Xn +
| | --------------| + | +
|--| | + X.21 +
Mgmt Workstation | + | +
|---| | + |-----------| Border Area Router +
|UPS| | + | R R R R R | (Cisco 7507) +
|---| |--| 10M + |-----------| +
| | -----------| | + | +
|--| | | + | +
Secondary Workstation 10M | + | +
| | + |-----------| Leased +
| |-------| C C C C C | Switch Controller MUX +
|----------|-----------| {-------} +
+ | |----------{ L L L }------| +
+ | 10M {-------} | +
+ + + + + + + + + + + + + + + + + + + + | | | +
|-----------| |-------| Modem |-------| |-----| UNIT +
ISAP Router | R R R R R |----- X.21 -----| M M M | <-- (Motorola/ ---> | M M M |---| R R | (Cisco xxxx) +
(Cisco 7505) |-----------| |-------| Luxcom) |-------| |-----| +
| Xn +
| +
|-----------| +
| S S S S S | +
|-----------| +
ISAP +
Switch +
+
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
ISAP Sites
~~~~~~~~~~
ISAP Sites are located on every major base or station in Canada. There
are 34 ISAP sites. The role of the ISAP is to consolidate all IT
Infrastructure of a DND base into a single point of access onto the
backbone. The ISAP consists of a Cisco 7505 router with 12 serial ports,
a 2 port fast ethernet (100 Mbps) card and a 6 port ethernet card (10 Mbps).
Because the ISAP router consolidates all base IT subnetworks it includes
the Cisco Enterprise Software Suite, which allows the Base MAN to
inter-operate by allowing IP, IPX, and VIP to be locally routed.
However, the traffic on the main backbone is IP only. The typical
configuration of an ISAP site is shown in the diagram below.
ISAP SITE CONFIGURATION
~~~~~~~~~~~~~~~~~~~~~~~
MANAGEMENT INFRASTRUCTURE + BACKBONE INFRASTRUCTURE
+
+ Modem
+ (Motorola/Luxcom)
+ Xn
+|---------| |-------|
+| R R R R |-X.21-| M M M |
+|---------| |-------| |-------| |-------------| Other ISAPs Xn
+ Primary BAR / /----| M M M |------- X.21 ------| R R R R R R | (Cisco 7507)
+ (Cisco 7507) Frame|Relay / |-------| |-------------|
+ |-------------|/ Modem
+ | FR FR FR FR | (Motorola/Luxcom)
+ |-------------|\ Xm
+ / | \ |-------| |-------------| Secondary BAR
+ /----/ |-| \----| M M M |----- X.21 ------| R R R R R R | (Cisco 7507)
+ / | |-------| |-------------|
+ | |
+ | |
+ | |
+ |-------| |-------| Modems Leased Line
+ | M M M | | M M M | (Motorola/Luxcom) MUX
|--| + |-------| |-------| Xn {-------}
| | --------------| + | | |---------{ L L L }----------|
|--| | + |--X.21-\ X.21 10M {-------} |
Mgmt Workstation | + \ | | |
|---| | + |-----------| |-------| Modem |-------| |-----| UNIT
|UPS| | + | R R R R R |------- X.21 --------| M M M | <-- (Motorola/ ---> | M M M |---| R R | (Cisco xxxx)
|---| |--| 10M+ |-----------| |-------| Luxcom) |-------| |-----|
| | -----------| | + | ISAP Router
|--| | | + | (Cisco 7505)
TCP/IP Mgmt 10M | + |
Workstation | | + |-----------|
| |-------------| S S S S S | Switch Controller
|----------------|-----------|
+
+
+ + + + + + + + + + + + + + + +
Communication Protocol
~~~~~~~~~~~~~~~~~~~~~~
The Treasury Board of Canada and DND have been directed to evolve toward
Open Systems Interconnection (OSI) protocols. Because of this, and to be sure
that the network will remain manageable for them, the protocols to be
allowed on DWAN will be limited. The Treasury Board quickly realized
that OSI products are not readily available. Therefore they have allowed
a migration to OSI through the use of TCP/IP, which is now the internet
standard.
Security
~~~~~~~~
At the time of writing I was unable to gain access to any documents
relating to the security of DWAN/DNet. Hopefully in the near future I
will be able to write a file on security alone.
Well, that's it for today kiddies! Look for more DND and CSE related
files soon! Although it sounds like an illogical order, I will be
writing a file on DWAN Architecture itself, as opposed to just the
designated domain of DWAN.
Shouts go out to all the usuals. Especially The Clone, and Semtex
(who saves my ass frequently). Thanks man! I appreciate it. Also,
to all the rest of the Hack Canada Crew.
-- PsychoSpy
psychospy@hushmail.com
ICQ#: 5057653
___
How Non-Public DND Information Was Easily Compromised - By PsychoSpy
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
--------- Beginning of Disclaimer ---------
This information is for educational use only.
By continuing to read this file, all legal
responsibility for any damage done, or any
other illegal activity is bestowed upon you,
the reader.
If you don't agree with this, then don't read
the file.
--------- End of Disclaimer ----------
As you may have noticed, I just recently (along with this file) released
a few files on the DND network. You're probably wondering how I got
so much great information on DWAN and various other DND computer information.
To answer this question, which many probably have, I am writing about
the problem which I recently found in the DND's, or more accurately the
Government of Canada's, servers. This problem allowed me to gain much
of the information which allowed me to write those files.
So, here's the scenario. After talking to The Clone about AGNPAC
(the Alberta Government Packet Switching Network), I decided to see
if there was an Ontario version of this. To check, I booted up my
computer and zipped my trusty web browser over to www.gc.ca, Government
of Canada's main site. I saw the Search link on the main page there and
followed it. I typed in a few keywords to search for information on
there possibly being an Ontario Gov't Packet Switching Network. However,
I didn't find anything of importance on the subject. What I did notice
was the URL which was in my URL box after I hit the search button.
It was something like this:
http://search-recherche.gc.ca/cgi-bin/query?mss=canada%2Fem%2Fsimple&
pg=q&enc=iso88591&site=main&bridge=&lowercaseq=&what=web&user=searchintranet
&kl=XX&op=a&q=Ontario+Government+Packet+Switch+Network&x=44&y=2
(URL is wrapped)
There was one thing which caught my eye when I saw this. It was the part that
said "user=searchintranet". Wow.. This is interesting. I wonder what kind
of files I can access. Is this really an intranet search?
Well, you guessed it folks! It sure is. It's quite humorous actually.
See, a couple days before I had tried to access a directory listing on
the CSE's server but wasn't able to do so as the server was marked as
forbidden. Oooo... Forbidden.. Damn I can't help my curious mind. Of
course I want to see all that which is forbidden! So, I found the url
for the directory I wanted to get a listing for, and clicked search.
Then, POW right there on the screen was what basically amounted to a
directory listing of this supposedly forbidden directory. Of course,
it's the government, so they wouldn't put a password on the folder.
I guess they figure that if it's marked forbidden people wouldn't be
able to see the files inside. However, now that I have the full path
names for the files, I could easily (with the click of a mouse) access
these files.
In fact, it turned out that I could access many files which are considered
sensitive by the Canadian Government. These "sensitive" files were mostly
seen on the CSE and DND servers.
What I believe happened was that the method in which the trusts between
the servers were set up, coupled with the manner in which the search
script searched for sites, allowed a person to search through every
directory on all government agency web servers which were above the
root web directory.
So, if the main page of a server resided on:
/usr/cse_web/html/
Then anything inside of that HTML directory, including all sub-folders,
was accessible and could be searched through. This also means that
the passwd files etc. on the servers could not be accessed. However,
due to the discovery of this, I found that there are many other
vulnerabilities which various Government Agency servers are open to.
Hopefully in the near future I will be able to write about these
vulnerabilities on the various agency servers, however I do not
feel that it would be in my best interest to do so right now.
This really demonstrates how insecure these servers really are. It
seems that the government has great planning for their security of
servers, however, the implementation is just not there. Maybe more
files like this will send a strong enough message to the gov't that
they really should wake up.
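A model of the two weaknesses described above, as an added example and not
the search script itself (nothing about the real CGI's internals is known
from the file): a client-supplied query parameter picks which index
collection is searched, and hits are returned without checking that the
requester could fetch the document. The index contents, the /internal/ rule
and the hostname are constructed placeholders.

```python
from urllib.parse import urlsplit, parse_qs

# Constructed index: collection name -> indexed paths. Paths under /internal/
# are the ones the web server answers with 403 for anonymous requests, but
# the intranet crawler indexed them anyway.
INDEX = {
    "web": ["/index.html", "/search/help.html"],
    "searchintranet": ["/index.html", "/search/help.html",
                       "/internal/dwan/architecture.html",
                       "/internal/cse/netid.txt"],
}
FORBIDDEN_PREFIXES = ("/internal/",)   # constructed access rule


def requester_may_fetch(path, authenticated):
    """Mirror of the web server's own rule: /internal/ needs authentication."""
    return authenticated or not path.startswith(FORBIDDEN_PREFIXES)


def _parse(url):
    qs = parse_qs(urlsplit(url).query)
    return qs, qs.get("q", [""])[0].lower()


def search_vulnerable(url, authenticated=False):
    """Vulnerable: the 'user' parameter in the URL chooses the collection, so a
    query for a directory prefix returns a listing of a forbidden directory."""
    qs, q = _parse(url)
    collection = qs.get("user", ["web"])[0]          # client-controlled
    return [p for p in INDEX.get(collection, []) if q in p.lower()]


def search_hardened(url, authenticated=False):
    """Hardened: the server picks the collection from the session, and every
    hit is re-checked against the same rule the web server enforces."""
    qs, q = _parse(url)
    collection = "searchintranet" if authenticated else "web"
    hits = [p for p in INDEX[collection] if q in p.lower()]
    return [p for p in hits if requester_may_fetch(p, authenticated)]


def audit_public_index(index, collection="web"):
    """Defender's check: paths in a publicly searchable collection that the
    web server would refuse to anonymous users (index/ACL mismatch)."""
    return [p for p in index[collection] if not requester_may_fetch(p, False)]


if __name__ == "__main__":
    listing = "http://example.invalid/cgi-bin/query?user=searchintranet&q=/internal/cse"
    print("vulnerable:", search_vulnerable(listing))   # leaks /internal/cse/...
    print("hardened:  ", search_hardened(listing))     # []
```

The audit function is the check an operator would run periodically against
the public index, since a crawler trusted by the web servers will keep
re-indexing whatever the access rules later forbid.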
Well, that's it for today guys, and please try to stay out of trouble.
Also, do NOT try any of the things mentioned within this file, we have
delayed the release of this file to allow the administrators of the
networks time to correct the issue at hand.
Shouts go out to Clone, Semtex, everyone at #Haxordogs, and Hack Canada.
-- PsychoSpy
psychospy@hushmail.com
ICQ#: 5057653
____
Tuesday August 23rd - Miklos' Adventure at Graybar
--------------------------------------------------------
School's coming around shortly, and I haven't had much luck finding
drains in my dismal city. However, I have kept my eye on a construction site,
for the new home of a very successful electric wholesaler, Graybar. A couple
months pass and I see that construction is coming together with some
interesting things for me to check out.
It is now 21:00 on August 23rd, and I pump myself up to travel solo,
and explore the building. I have no car, so I pack up my backpack and begin
walking to the building. When I arrived, I quickly made my way to a pile of
girders. I hid behind the girders until traffic eased up, so no one could see
me enter the building. The building is centrally located around residential,
light industrial, and a lighted baseball field 500 meters away from this
building. A few minutes pass, and I quietly slip into the building. In front
of me are hundreds of girders, wall panels, and blocks of concrete. The
building has 2 floors, the ground level, and an upstairs. The ground level
so far is split into 2 sections. The section I entered was the offices, and
such. The other section is a huge space to load trucks, and hold inventory.
I crawled along against the wall of the office part of the building
(to avoid being spotted by traffic) and entered the larger section of the
building. Whoa. There wasn't even a concrete floor yet, just a huge 4
walled, gravel floored building. As I started going through this room, I
saw a light. "Shit!" I backed up against the wall, quickly turned off the
maglite, and waited for the light to go away. Then, I heard an engine noise,
and some guy yelling. I was unsure at the moment what to do, so I waited for
the guy(s?) to leave. After 15 minutes of some more yelling, the car finally
left, and so did I, back to the office section of the ground level.
I searched around the office section of the building, not finding much,
and made my way towards the stairs. Again, I lay low against a wall until
the traffic lightened up so I could go up the stairs unnoticed by motorists.
The second level hasn't been done yet, but I could still move around up
there. I walked mostly along planks to get a look at the rest of the
building. The upstairs didn't offer much for me, except a nice view of
the entire building from above.
I looked around for ladders, or anything else to get me higher..
Success! I found a 30-foot ladder that would take me to the roof! I
quickly scaled the ladder, and got up on the roof. It was a nice sight. I
walked around up on the roof, and tried to take a picture of the city.
Unfortunately, the picture turned out bad, as did most of the pictures that
night. Anyhow, I had a nice, cool breeze against my face up on the roof, and
decided to chill out and watch the night scenery for a bit.
Afterwards, I went back down the ladder, down the stairs to the
ground level and left the building. At this point in time, I didn't even care
if anyone saw me on the site, 'cause I was leaving. I put the camera, my
maglite, and stretchy gloves into my backpack, and started my journey
back home. I pulled out my music, and strolled home to witness a
beautiful lightning storm, and get a bit wet from the rain.
So concludes my adventure at Graybar. For a pictorial version of
this, check out: http://www.haxordogs.net/ghu/ue/ex/graybar.htm . See
you in the next installment of Urban Exploration.
Miklos@SunOS.com
http://www.haxordogs.net/ghu
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Credits:
I would like to give credit to the following people for helping with this
issue of K-1ine - if it wasn't for you guys I don't think this issue would
have been released...
Dead Musicians Society (D.M.S.), Flopik, Jay Beale, Kira Brown,
Kybo_Ren, Miklos, and lastly to PsychoSpy
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Thank you guys, seriously. I'm very happy to see all the contributions.
Remember: Articles are ALWAYS welcomed. If you have something you'd like to
see on this zine, feel free to send me an e-mail. Even if you're worried
that the article is "lame" or "isn't technical" or something like that,
send it anyways.
Remember: everyone has something to offer to the scene. Show your support.
--
Shouts:
Cyb0rg/asm - I REALLY appreciate your full support by linking the
last three issues from Hack Canada... thanks for getting the
w0rd across about K-1ine.
Psychospy - Partner in file written - keep up your superb work, brotha!
Hack Canada (www.hackcanada.com) and Haxordogs (www.haxordogs.net), #CPU,
k-rad-bob @ b0g (www.b0g.org), Magma, Alan, Ottawa 2600, RT, Enjoy` (my
little cutie!), Seuss, Blackened @ Damage Inc., and lastly to everyone
and anyone who gives a shit about the Canadian H/P scene.
;. .;.. ; ;. ;..
;.. .;..; .;.; .;; ;..
.;..;. .;..; .;.;...; ;..;..
.;. A .;. .;.
;.. N E T T W E R K E D ;..
;..;.. P R O D U C T ;..;..
.;..; ;..;..
; .;..;.;.. .; . .;. ..;..
.;.. . .;..;..;..;.. .;
;..;. .;.. . .;.. .;.;.
;..;. ;..;..; .;.
;..;;..; ;..; .;
;..;;..;;..;
;.;.;; .;. .
;/.;:..
,;..
..
/'
. .-ll; .; ;;-.;. -- .;; -- .; . it doesnt matter it doesnt matter... *UH!*