Title : TAMS & Telenet Security
Author : Phrack Accident
==Phrack Inc.==
Volume Three, Issue Thirty-one, Phile #4 of 10
/ Everything you always wanted to know.. \
/ about Telenet Security, But were to stupid to find out. \
By Phreak_Accident
Ever since the early 80's GTE Telenet has been expanding their public
packet switching system to hold enormous amounts of users. Currently GTE
SprintNet (Yes, Telenet is out, SprintNet is in.) has over 300 nodes in the
United States and over 70 other nodes abroad. SprintNet provides private
X.25 networks for larger companies that may have the need. These private
networks are all based on SprintNet's 3270 Dedicated Access Facility which
is currently operating for public use, Hence for the major security Sprint-
Net has aquired.
SprintNet's security department is a common idea of what any large
public packet network should be. With their home office located in Virgina
(703), most Hacker's who run into trouble with them would wind up talking
to Steve Mathews (Not the head of security but a prime force against the
major attacks Sprintnet recieves from Hackers anually.), who is a very
intelligable security analysist that deals with this type of problem daily.
Because of Steve's awarness on Hackers invading "His" system (As most
security personnel refer to the system's they work for as their own.), He
often does log into Bulletin Boards accross the country looking for Sprint-
Net related contraband. At the time of this article, Steve is running an
investigation on "Dr. Dissector's" NUAA program. (NUA attacker is a Sprint-
Net NUA scanner.) Besides this investigation, he currently stays in contact
with many Hackers in the United States and Abroad. It seems Steve recieves
many calls a month from selected Hackers that have interests in the Security
of SprintNet. Wow. Who the Hell would want to call this guy. From many
observations of Steve Mathews, I find him to in deed be the type to feel a
bit scared of Hackers. Of course, his fright is really quite common amoung
security personnel since most fear for their systems as well as themselves.
(Past experiences have showed them not to take Hackers lightly, Hence they
have more contacts then 60 rolodex's put together.)
For now, let's forget Steve Mathews. He's not important an important
influence in this article. Trying to pin a one-person in a security depart-
ment that handles security is like finding a someone on a pirate board that
doesn't use the word "C0DE" in their daily vocabulary.
Telenet's main form of security lies in their security software called
TAMS (Telenet Access Manager System). The TAMS computers are located in Res-
tin, Virginia but are accessable throughout the network. Mostly, the main
functions of TAMS are to:
* Check to see if the NUI/Password entered is a valid one.
* Check to see if the Host has list of NUI's that can access
that host. If another NUI is used, a Rejection occurs.
* Processes SprintNet's CDR (Call Detail Recording), which
includes Source and Destination, Time of call, Volumes
of data recieved, and the Total time of the call.
* Can be used by host to add an optional "ALPHA" NUA for "easy"
access.
* Can secure Hosts further by adding an NUA security password.
* Restricts calls without an NUI for billing (I.E. No collect
calls to be processed).
* Accepts all calls to host as a prepaid call (I.E. Accepts all
calls).
TAMS is really for the handling of NUI and corresponding NUA's, therefore
being a security concept. TAMS holds all the data of NUI's and restricting NUAS
for the ENTIRE network. If one could gain the access to TAMS, one could have
the entire network at his/her disposal. This of course if highly impossible
to SprintNet's security department, but not for a couple of hackers I have ran
into. Yes, TAMS is quite interesting.
In other aspects of SprintNet security, lets focus on the actual X.25
software that they use. Anybody who tells you that Telenet can monitor the
sessions currently taking place on THEIR network is WRONG (And probably very
stupid as well). Monitoring is a basic feature of all X.25 networks, whether
it's a little PeeShooter network or not, they can and do monitor sessions.
Of course their are far to many calls being placed on SprintNet to be
monitored, but a scared host can always request a full CDR to be put on their
address to record all sessions comming in on that NUA. Such as the many re-
corded sessions of the ALTOS chat(s) in Germany that was a hot-spot for many
Hackers across the United States and Abroad. After the detection of ALTOS,
through the hundereds of illegally used NUIs, CDR's and direct host monitoring
were used on the ALTOS hosts. As far as prosecutions concern, I doubt their
were any.
Now, as far as other security software on SprintNet, they have a call
tracking service that is called AUTOTRAIL. Basically, AUTOTRAIL traces the
connections through the DNIC's and back to the orginating NUI and/or NODE loca-
tion that placed the call.
AUTOTRAIL has nothing to do with ANI. Not at all. In fact, the many
dialups that lead into SprintNet's PDM gateway do NOT have any type of ANI.
That is basically a telephony problem. ALthough I would think twice about
messing with a dialup that is run on a GTE carrier. That's up to you though.
Another aspect of security in which Telenet offers is an ASCII tape
that can be obtained by a host customer, which contains all CDR information of
any connection to that host for the last week/month/year. So, it is obvious
to say that SprintNet does have a hudge database of all CDRs. Yes, another
point: This database is located in the TAMS computer. Hmm, ahh.. Wouldn't
that be neat.
:PA
_______________________________________________________________________________