..[ Phrack Magazine ]..
.:: PWN/Part 2 ::.

Current issue : #38 | Release date : 1992-04-26 | Editor : Dispater
Title : PWN/Part 2
Author : Datastream Cowboy
                                ==Phrack Inc.==

                 Volume Four, Issue Thirty-Eight, File 14 of 15

              PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN
              PWN                                             PWN
              PWN              Phrack World News              PWN
              PWN                                             PWN
              PWN      Issue XXXVIII / Part Two of Three      PWN
              PWN                                             PWN
              PWN        Compiled by Dispater & Friends       PWN
              PWN                                             PWN
              PWN     Special Thanks to Datastream Cowboy     PWN
              PWN                                             PWN
              PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN


 What's Wrong With The Computer Crime Statute?                February 17, 1992
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 By Thomas A. Guidoboni (ComputerWorld)(Page 33)

             "Defense and prosecution agree the 1986 Computer Fraud
              and Abuse Act is flawed but differ on how to fix it."

It has become an annual ritual, since the birth of the Internet worm, for
Congress to consider amendments to the 1986 Computer Fraud and Abuse Act.  At
this point, the U.S. Department of Justice can be expected to advocate three
things: an expansion of the federal role in the investigation and prosecution
of computer crimes, the creation of new categories of offenses, and harsher
penalties, including perhaps the current darling of the department, forfeiture
of property.

Since the law is of recent origin, was substantially revised in 1986 and proved
more than adequate to prosecute and convict Robert T. Morris, there seems
little justification for expansion of its coverage.

Nevertheless, if Congress is determined to review and revise the provisions of
the act, there are several narrow, but significant, amendments that are clearly
warranted.  Of primary importance is the definition of terms.  The core of the
law suffers from a lack of clarity.  Offenses are described by reference to
"authorized" or "unauthorized access," yet these terms are not defined
anywhere.

Perilously Vague

In a universe that consists of broad computer networks, bulletin boards, E-mail
and anonymous file-transfer protocols, and one in which permissions and rights
are established by custom, usage and private understandings, a person is left
to speculate at his peril as to what conduct is permitted and what is
prohibited by this vague language.

The Computer Fraud and Abuse Act should be amended to give precise content to
the concepts of "access" and "authorization," thereby providing fair warning of
illegal conduct.

A second change for the better regarding the act would be to create a
distinction between those computer intruders who unintentionally cause a
monetary loss and those who maliciously cause such harm.

The present law, as interpreted in the Morris case, recognizes no such
distinction.  This is contrary to long-standing notions of fairness in our
system of criminal law, which acknowledges that between two persons who cause
the same harm, the one who intended that result is more culpable than the one
who did not.

A third part of the statute that needs revision relates to computerized medical
records.  It is too broad because it includes as felonious conduct the
unauthorized access to such records that "potentially modifies or impairs"
medical treatment or care.  Virtually every unauthorized access to computers
containing medical records carries this potential.  A better solution would be
simply to make any "unauthorized access" of computerized medical records data a
misdemeanor, with the intentional modification or destruction of such data
designated as a felony.

Amend, But Don't Expand

These slight but important amendments would serve to clarify and improve a
basically sound law without stifling the creativity of persons akin to those
who have been responsible for many of the advances in computer technology in
this country.  More expansive revisions are ill-advised, as they may
unnecessarily encroach on evolving privacy and free-expression interests.

A broadening of federal involvement is also inappropriate.  Nearly every state
has enacted laws against computer fraud and abuse and, as Congress recognized
in 1986, federal jurisdiction should be limited to cases where there is a
compelling federal interest.  This might include instances where computers
belonging to the federal government or to financial institutions are involved,
or cases where the crime itself is interstate in nature.  Furthermore, other
computer crimes should be left to prosecution by the individual states, as is
presently the case.

In sum, the 1986 Computer Fraud and Abuse Act would benefit from some
clarification, but expansion of its coverage and wholesale revisions are both
ill-advised and unnecessary.

Note:  Thomas A Guidoboni is an attorney with Bonner & O'Connell in Washington,
       D.C.  He represented Robert T. Morris in the Internet virus case.
_______________________________________________________________________________

 Private Social Security Data Sold to Information Brokers     February 29, 1992
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 By R.A. Zaldivar (San Jose Mercury News)

Washington, D.C. -- The privacy of 200 million Americans with records at the
Social Security Administration is threatened by an illegal trade in pilfered
computer files.  "Computerization has dramatically improved our ability to serve
the public," Social Security Deputy Commissioner Louis Enoff told a Senate
panel.  "However, it has also made confidentiality more difficult."

Two executives of Nationwide Electronic Tracking, a Tampa, Florida, company,
pleaded guilty to conspiracy charges in January for their part in a national
network selling Social Security records.  Twenty-three people, including agency
employees and police officials, have been indicted in the case -- the largest
known theft of government computer data.  "Information brokers" will pay Social
Security employees $25 for a person's earnings history and then sell the data
for as much as $300.  Their growing list of customers includes lawyers, private
investigators, employers, and insurance companies.

Social Security records contain a mother lode of information that includes not
only a person's past earnings but names of employers, family history and even
bank account numbers of people who receive benefits by direct deposit.  The
information can be used to find people or to make decisions on hiring, firing,
suing or lending, said Larry Morey, deputy inspector general of the Health and
Human Services Department.

"Here we have a large-scale invasion of the Social Security system's
confidentiality," said Senator Daniel P. Moynihan, D-N.Y., chairman of the
Social Security subcommittee.

Information from other government data bases with records on individuals --
such as the FBI's National Criminal Information Center -- is also available on
the underground market.  All a broker needs is the cooperation of a clerk at a
computer terminal.

Congress may revise privacy laws to increase penalties for illegally disclosing
information in the private files of individuals.

Enoff said Social Security is studying ways to improve computer security, as
well as keeping closer tabs on employees with access to files, and stressing to
its workers that unauthorized disclosure of information is a federal crime.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Related articles can be found in Phrack World News, Issue 37, Part One:

 Indictments of "Information Brokers"                              January 1992
 Taken from The Privacy Journal

 SSA, FBI Database Violations Prompt Security Evaluations      January 13, 1992
 By Kevin M. Baerson (Federal Computer Week)(Pages 1, 41)
_______________________________________________________________________________

 Back to Act I                                                    March 3, 1992
 ~~~~~~~~~~~~~
 Taken from Communications Daily (Page 2)

"Supreme Court Lets Stand Ruling That FCC Ban On Indecency Is Unconstitutional"

FCC's 24-hour ban on indecent programming is unconstitutional, U.S. Supreme
Court ruled in refusing to consider unanimous U.S. Appeals Court, D.C.,
decision.  Supreme Court action also effectively overruled December 1988 rider
to Senate appropriations bill directing FCC to ban all indecent programming.
Last summer, en banc Appeals Court had refused to reconsider May decision by
unanimous 3-judge panel that FCC ban is unconstitutional.

FCC, with support of Justice Department, had asked Supreme Court to reconsider
case.  Coalition of 14 intervenors, including Action for Children's TV (ACT),
had opposed FCC in Appeals Court and Supreme Court.  En banc Appeals Court said
that none of 13 judges who participated "requested the taking of a vote" on
whether to rehear case.  On Supreme Court, Justices Sandra O'Connor and Byron
White voted to reconsider case. FCC's definition of indecency:  "Language or
material that depicts or describes, in terms patently offensive as measured by
contemporary community standards . . . sexual or excretory activities or
organs."  Agency has fined several stations for indecent programming in the
last year.

With loss in Supreme Court, FCC official told us "we don't have any choices
left" but to permit such programming to be broadcast.  "We're back to Act I."
Source predicted, and other FCC officials agreed, that agency soon will issue
rulemaking to make a ban on indecent programming later than 8 p.m.  Same
sources expect Congress once again to take up issue.

ACT President Peggy Charren said: "It's very exciting for ACT to have won one
for the First Amendment.  We always knew it's preposterous for the FCC to try
to ban speech at 3 o'clock in the morning to protect children . . . It's very
satisfying to have this particular [conservative] Supreme Court agree with us."
NAB (which also was intervenor in case) Associate General Counsel Steve
Bookshester said Supreme Court "correctly" acted in not reviewing lower court
decision:  "Now, it's up to the Commission to adopt new procedures to determine
when such material is permitted to be broadcast."  Washington attorney Timothy
Dyk, who represented intervenors, said: "I think it's a very happy result . . .
The Court of Appeals decision is exactly where it should be in terms of a safe
harbor."
_______________________________________________________________________________

 Drug Enforcement Data Are Vulnerable Through Phone Lines         March 4, 1992
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 Taken from Communications Daily (Page 5)

Classified information in computers of Drug Enforcement Administration (DEA) is
at risk, General Accounting Office (GAO) said in a report.  It said DEA doesn't
provide adequate protection of classified information because too many people
have access to computers that store data, and computers with classified
information are hooked into nonsecure telephone lines, making them vulnerable
to outside intrusion.

Report, Computer Security:  DEA Is Not Adequately Protecting National Security
Information (GAO/IMTEC-92-31), said it found several instances of lax physical
and electronic security at DEA computers in several locations.  Although there
are no known instances of security breaches, "these disturbing security
weaknesses pose serious risks that could potentially hinder DEA's mission and
threaten the lives of federal agents," the report said.  The report found that
DEA isn't complying with standard security guidelines outlined by National
Security Agency.

In preliminary findings, GAO was so concerned with security weaknesses that it
called in Department of Justice on January 9 and furnished it with a "limited
official use" version of its report to give DEA time to correct problems, said
Rep. Wise (D-W.Va.), chairman of House Government Operations Subcommittee, who
ordered the investigation.  He said other government agencies should be wary of
sharing information with DEA until security problems have been eliminated.
Calls to DEA on progress of follow-up security procedures weren't returned.
Findings are "indicative" of typical "apathetic security attitude" that the
government has, said David Banisar, security expert for Computer Professionals
for Social Responsibility.

GAO investigators found DEA couldn't adequately identify what computers used
classified information.  "DEA cannot ensure that adequate safeguards are in
place for protecting national security information," report said.  In spite of
federal guidelines, GAO found that DEA hasn't "completed a risk analysis" of
computer system.  Some classified computers were found to be operated in areas
where contractors -- with no security clearances -- moved around with no
restrictions.  No computers were found to be "tempest" hardened, meaning
electronic emissions from keyboards can't be picked up.

In light of concern on outside intrusion from "hackers," GAO found several DEA
computers were connected by phone lines "that are not encrypted" -- which it
described as clear violation of national security guidelines.  The report said
"unauthorized individuals can intercept or monitor information emanating from
and transmitted by" the agency without being detected.  Classified information
was found to be stored on hard disks in an "inadvertent" manner, allowing for
the possibility that computers, when resold, still might hold data.  One such
occurrence, recorded by GAO in its report, occurred last year when sensitive
grand jury information on informants was left on surplus computers sold by DoJ
at a public auction.

The report said that DEA has acknowledged weaknesses "and is taking action to
correct them."
_______________________________________________________________________________

 BBS Controversy Brews Close To Home                                 March 1992
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 Taken from Puget Sound Computer User
 Special Thanks: Peter Marshall in Telecom Digest

In a case before the Public Utility Commission of Oregon, US West is
maintaining three phone lines connected to a free-access BBS in a residence
should be billed at business rates.  Because of the similarities in tariffs
from state to state and US West's position in the case, many are predicting
that if US West prevails, the company will be authorized to raise all Oregon
BBS lines to business rates and try to raise rates for BBS lines in US West's
remaining 13 states.

The case started when Tony Wagner, a Portland system operator, received a
letter from US West in October, 1991.  In the letter, Communications Consultant
Sandi Ouelette said "Bulletin board services are considered a business,
therefore, subject to business rates ..."

One Seattle attorney interested in telecommunications said these attempts by
the phone companies to raise rates for BBSes are "just another attempt to swipe
people's communication."
_______________________________________________________________________________

 1-800-54-PRIVACY                                                March 10, 1992
 ~~~~~~~~~~~~~~~~
 Taken from Communications Daily

American Newspaper Publishers Association (ANPA) President Cathleen Black asked
American Paper Institute to support the newspaper industry's fight against
RHCs, warning that the market for paper could drop if phone companies are
allowed to expand activities into information services.  Increased electronic
classified ads and other services could lead to cutbacks in demand for
newsprint, Black said.  Newspaper producers, traditionally allied with ANPA,
said they would study the matter.

Meanwhile, full-page newspaper ads placed by ANPA and allied Consumer
Federation, Graphic Communications International Union, National Newspaper
Association, and Weatherline have generated thousands of calls to an 800 number
from readers concerned about potential invasions of privacy by telephone
companies.  The latest ad ran in the March 7 Washington Post, under the
headline:  "Unless they're stopped, the Bells will know more about you than
even the IRS." The ad advised callers to dial 1-800-547-7482, referred to in
the telephone message as "1-800-54-privacy."

Gary Slack, of the Chicago PR firm Slack, Brown & Myers, which is coordinating
the 800 campaign, said that the angle in the ad has become an effective weapon
against RHCs because "there are a lot of people concerned about privacy."
Callers are sent a 4-page letter signed by Black and "action guidelines" for
asking legislators to support bills by Representative Cooper (D-Tenn.)
(HR-3515) and Senator Inouye (D-Hawaii) (S-2112) that would restrict RHC entry
into information services.  ANPA has argued that, through data on telephone
bills, information can be collected about callers.

RHCs didn't have the incentive to use that data before, but now with the
ability to offer information services, they do, ANPA said.  ANPA generally
doesn't pay for ads, but offers them to newspapers to run when they have space,
a spokesman said.  Pacific Telesis Vice-President Ronald Stowe said ANPA ads
"show desperation and questionable ethics."  He said ANPA is using some of same
tactics it has accused RHCs of using, including collecting information on
subscribers.  ANPA ads are "really sewer-level stuff," Stowe said:  "There are
enough legitimate issues that ought to be debated."

*** Editor's Note:  For more information on this story, please see "Standing Up
    To Fight The Bells" by Knight Lightning in this issue of Phrack.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

 Missouri Bulletin Board Case Settled                            March 24, 1992
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 Taken from Communications Daily (Page 6)

Southwestern Bell in Missouri has filed a new tariff with the Missouri Public
Service Commission (PSC) to allow computer bulletin board (BBS) operators to
use residential lines.  The tariff would take effect April 10 if there are no
complications.  Under proposal, the BBS operators at homes would be allowed to
continue to use residence lines if they don't "solicit or require any
remuneration, directly or indirectly, in exchange for access" and use 4 or
fewer residential lines priced at flat rates.

BBSes that don't meet those requirements would be required to use business
lines.  The tariff, negotiated between SWB and representatives of BBS
operators, defines a BBS as "a data calculating and storage device(s) utilized
as a vehicle to facilitate the exchange of information through the use of
Southwestern Bell Telephone Company facilities."  BBS language is part of a
high-grade Information Terminal Service originally aimed at business users with
computers, but interpreted by BBS operators as targeted at them.  SWB
originally had wanted to make the new service mandatory for computers with
modems, but the new proposal, submitted March 11, makes it optional.

*** Editor's Note:  For more information, please see the numerous articles on
    this topic in Phrack World News, Issue 37, Part 3.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

In a surprising turn of events, the April 14, 1992 issue of Communications
Daily reports that U.S. West in the state of Washington has decided not to
follow the example of the Oregon attempt to raise rates for electronic bulletin
board (BBS) hobbyists.

Patsy Dutton, consumer affairs manager for Washington Utilities &
Transportation Commission (WUTC), asked U.S. West about its policy after
receiving request from BBS operators.

In a letter dated March 31 to system operator Bruce Miller, Dutton said she had
reviewed U.S. West tariff and had talked with company representatives as to
current and future plans for BBS service:  "The company indicates it has no
intention of changing its current procedure."  Residential service would be
available for hobbyists, with business rates applying under other conditions.

An Oregon PUC law judge is currently considering complaint against U.S. West
for raising rates of bulletin board operators there.
_______________________________________________________________________________

 Congress Explores Dropping Subsidy of Federal Science Network   March 13, 1992
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 Taken from Communications Daily (Page 6)

                          "Fairness For All Is Urged"

In hearing, Representative Boucher (D-Va.) questioned National Science
Foundation (NSF) on its management policies and future direction of NSFnet,
national research network.  He said it's "essential" that NSFnet be structured
so all commercial providers of network services "receive equal treatment" and
that government policy for managing the network "not favor any provider" or set
of providers.

The current process of using federal money to subsidize NSFnet is "obsolete"
said Mitchell Kapor, representing Commercial Internet Exchange (CIX)
Association, a consortium of commercial network services suppliers.  Although
federal money was necessary in the "early stages," when technology for building
the network still was "experimental," now that the network is in place,
government subsidy should stop, Kapor said.  He said CIX members can provide
"any level of service" needed by the same community served by NSFnet --
research and education.  Kapor said CIX members could build and service
national backbones with "off-the-shelf" technology; however, he said, because
federal money goes to support the current network backbone, NSFnet users are
allowed on the network free and don't have an incentive to use commercial
services.

William Schrader, president of Performance Systems International (PSI), said
government could level the playing field by providing money directly to
individual universities and letting them choose, on a "free-market" basis,
which network service provider to use.  That system, he said, would provide
incentive for several suppliers to upgrade networks in efforts to corral most
customers.  Kapor said it also would "push the envelope" of technology to an
even greater level.  With the current system in place, the technological level
of the network will evolve more slowly because there would be no incentive to
provide a higher level of service, he said.

Current users of NSFnet spoke against changing the status quo.  Michael
Roberts, VP-networking for Educom, a task force of 48 universities, said that
removing funding for the network would be "horrendous."  By requiring
individual universities to seek out their own service providers, he said,
government would have to institute another level of bureaucracy, creating
"thousands of entitlements," which would be impossible logistically.  Douglas
Van Houweling, speaking for NSFnet manager Merit, said removal of funding most
likely would upset the networks' level of stability, leading to disruption in
service that "millions of users" have become accustomed to.  By letting "any
number" of commercial providers supply network services, there would be no
guarantee of level of service, which is a "vital" mission of research labs,
universities and federal agencies now using the network, Van Houweling said.

Federal agencies would rather have a stable network than improved service, said
Stephen Wolff, director of NSF's Networking & Communications Division.  He told
Boucher that federal agencies didn't want the network open to competition
because they feared it would degrade the quality of service.  Wolff said NSF
would proceed with its plan to commercialize network "within 5 years" as
requested under the recently voted High-Performance Computing Act.  He also
said he had presented to universities the idea of providing them with federal
money and letting them purchase network services in the free market.  The
proposal was "soundly rejected," he said, because universities didn't feel they
were able to make such decisions. Instead, they supported NSF's current
proposal of rebidding network management so that 2 network providers would be
in place.  The new system would operate on model of government's FTS 2000
program. NSF would grant awards for network services to 2 companies and have an
independent 3rd party act as "traffic manager" to ensure one network provider
wasn't favored over another.
_______________________________________________________________________________

 MCI and Sprint Take Steps To Cut Off Swindlers                   April 1, 1992
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 By Kent Gibbons (The Washington Times)(Page C1)

MCI and Sprint are cracking down on telephone fraud.

The two long-distance carriers are tackling different kinds of swindles,
though:

    * MCI said it will stop sending out bills for pay-per-call operators who
      promise help getting a loan, credit, a credit card or a job.

    * Sprint said it will offer large business customers a form of liability
      insurance against unauthorized use of corporate switchboard lines.

MCI Communications Corporation of the District said it wanted to protect
consumers who might be gulled into overpaying for some "900-number" services
during economic troubles.

But long-distance carriers are also guarding their own bottom lines by
tightening up pay-per-call standards, said telecommunications analyst James
Ivers.

"They're acting fiscally responsibly because traditionally, these were the
types of programs that created a high level of uncollectible" bills when
ripped-off consumers refused to pay, said Mr. Ivers, senior analyst with
Strategic Telemedia, a consulting firm in New York.

Last September, Sprint Corporation, of Kansas City, MO, told more than 90
percent of its 900-number customers it would no longer do their billing.  Long-
distance firms cannot refuse to carry pay-per-call services, but most 900-
number operators do not want the expense and trouble of doing their own
collections.

American Telephone & Telegraph Co., of New York, said it has set up strict
guidelines for all 900-number firms, such as disclosing in advertising any fees
charged for credit processing.

AT&T spokesman Bob Nersesian said:  "We still think there are legitimate
providers of this kind of service and our guidelines keep the dishonest guys
off the network."

Sprint's switchboard-fraud liability protection is aimed at big customers,
whose Sprint bills are more than $30,000 per month.

For an installation fee (up to $5,000) and a monthly charge (also up to
$5,000), Sprint will absorb fraudulent phone charges above $25,000 per
switchboard.  The customer pays the first $25,000.  Sprint's liability ends at
$1 million.

Large and medium-sized companies can rack up huge bills if their private
switches, known as private branch exchanges or PBXes, are broken into and used
to make calls to other countries.

In a recent case, more than 20,000 calls were made on a company's PBX over a
weekend, with the charges estimated at more than $1 million, said M.R. Snyder,
executive director of Communications Fraud Control Association, a Washington
trade group.

"It is certainly a fraud target that is ripe for being abused," Ms. Snyder
said, especially since telephone carriers have improved their ability to spot
unauthorized credit-card calls more quickly.

Overall, telecommunications fraud costs phone carriers and customers an
estimated $1.2 billion per year, although the figure is really just a
"guesstimate," Ms. Snyder said.

Company PBXes often have features that allow traveling employees, or distant
customers, to call in and tap an outgoing line.  With computer programs,
hackers can randomly dial numbers until they hit security codes.

Sometimes the codes are only four digits, so hackers don't even need a
computer, said Bob Fox, Sprint's assistant vice president of corporate
security.

Along with the fees, customers must agree to take certain precautions.  Those
include using security codes at least eight digits long and eliminating the
ability to tap outside lines through voice mail.  In return, Sprint will also
monitor PBX use every day, instead of the five days per week currently done
free for customers, Mr. Fox said.

MCI spokesman John Houser said his company will be watching Sprint to see if
the program is a success.  Spokesman Andrew Myers said AT&T offers fraud
protection to some corporate customers, but is not considering extending that
to cover PBX abuse.

AT&T is currently involved in several lawsuits over disputed PBX charges that
total "many millions" of dollars, Mr. Myers said.  Sprint officials said they
have not sued any customers to collect on PBX fraud bills.
_______________________________________________________________________________

 Sprint Offers Liability Limit For Corporate Phone Fraud          April 1, 1992
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 By Edmund L. Andrews (New York Times)(Page D4)

The Sprint Communications Company, the nation's third-largest long-distance
carrier, said that it would limit the liability of large corporate customers
for the huge bills rung up by phone-service thieves who manipulate a company's
telephone switching equipment and voice-mail systems.

Typically, such thieves call into a company on one of its toll-free "800"
numbers and then figure out the codes necessary to obtain an outgoing line that
can be used to call anywhere in the world.  These telephone "hackers" often
sell plundered telephone codes to illegal operators who then sell overseas
calls to hundreds of people at a time.  Sprint officials said this sort of
fraud approached $1 billion a year.

The new Sprint plan would be available to companies that signed two-year
contracts to buy at least $30,000 of international long-distance service a
month and agreed to adopt a series of protective measures.  These include
installing longer telephone codes that are harder for thieves to crack and new
limits on the ability of voice-mail systems to obtain outgoing lines.
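The protective measures named here and in the Washington Times piece above (security codes of at least eight digits, no outgoing lines through voice mail, daily monitoring of PBX use) as a defender's review script; this is an added example, not code from either article or from Sprint or MCI. The call-detail-record layout, the feature names DISA and VMAIL, and the alert thresholds are assumptions.

```python
"""Defender-side checks for the PBX toll-fraud precautions described above.

Constructed example: the call-detail-record (CDR) layout, the feature names
DISA/VMAIL and the alert thresholds are assumptions, not anything from the
articles or from Sprint/MCI.
"""
import re
from collections import deque
from datetime import datetime, timedelta

# Constructed CDR lines: "<ISO timestamp> <PBX feature> <digits dialed>".
# DISA = direct inward system access, the remote feature that hands a caller
# who knows the security code an outgoing line; VMAIL = an outdial placed
# through the voice-mail system (the articles say this path should be closed).
SAMPLE_CDRS = [
    "1992-03-27T17:05:12 DISA 12125550100",      # ordinary domestic call
    "1992-03-27T17:40:55 DISA 13125550177",      # ordinary domestic call
    "1992-03-27T22:14:03 VMAIL 01144207946000",  # voice-mail outdial, overseas
]
# A weekend burst: forty overseas calls through DISA within one hour.
SAMPLE_CDRS += [
    f"1992-03-28T02:{minute:02d}:07 DISA 0114420794{minute:04d}"
    for minute in range(40)
]

CDR_RE = re.compile(r"^(\S+) (\w+) (\d+)$")


def parse_cdr(line):
    """Split one CDR line into its timestamp, feature and dialed digits."""
    match = CDR_RE.match(line.strip())
    if not match:
        raise ValueError(f"malformed CDR: {line!r}")
    stamp, feature, number = match.groups()
    return {"ts": datetime.fromisoformat(stamp), "feature": feature,
            "number": number}


def is_international(number):
    """North American dialing plan: 011 is the international access prefix."""
    return number.startswith("011")


def guess_space(code_digits):
    """Number of distinct numeric codes of the given length, i.e. how many
    tries an exhaustive dialer needs in the worst case (10^4 vs 10^8)."""
    return 10 ** code_digits


def code_meets_policy(code, min_digits=8):
    """The Sprint condition quoted above: numeric security codes of at least
    eight digits."""
    return code.isdigit() and len(code) >= min_digits


def detect_abuse(lines, window=timedelta(hours=1), intl_threshold=10):
    """Daily review of CDRs. Returns alerts for (a) any outdial through voice
    mail and (b) a sliding-window burst of international DISA calls."""
    alerts = []
    recent = deque()      # timestamps of international DISA calls in window
    burst_open = False    # one alert per burst, not one per call
    for rec in sorted((parse_cdr(l) for l in lines), key=lambda r: r["ts"]):
        if rec["feature"] == "VMAIL":
            alerts.append(("voicemail_outdial", rec["ts"].isoformat(),
                           rec["number"]))
        if rec["feature"] == "DISA" and is_international(rec["number"]):
            recent.append(rec["ts"])
            # Drop calls that fell out of the window; the newest entry is
            # always within it, so the loop terminates.
            while rec["ts"] - recent[0] > window:
                recent.popleft()
            if len(recent) >= intl_threshold and not burst_open:
                alerts.append(("intl_burst", recent[0].isoformat(),
                               len(recent)))
                burst_open = True
            elif len(recent) < intl_threshold:
                burst_open = False
    return alerts


if __name__ == "__main__":
    print(f"4-digit code space: {guess_space(4):,}  "
          f"8-digit: {guess_space(8):,}")
    for alert in detect_abuse(SAMPLE_CDRS):
        print(alert)
```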

In exchange, customers would be held responsible for no more than $25,000 in
stolen calls for each round of break-ins, and a maximum limit of $1 million a
year.  Although that is still a substantial sum, it is much less than many
companies have lost in recent years from theft of service by telephone hackers.

A Point of Contention

Thieves broke into the switchboard of Mitsubishi International in New York in
1990, for example, and ran up $430,000 in overseas telephone calls.  Procter &
Gamble lost $300,000 in a similar incident in 1988.  Had either company been
operating under the new Sprint plan, its liability would have been limited to
$25,000.

Long-distance carriers and their corporate customers have long argued over who
should bear responsibility for the huge bills caused by service theft.  The
carriers have maintained that their customers are responsible for these bills,
even if fraud is undisputed, arguing that the thieves took advantage of
weaknesses in the customers' equipment, rather than in the weaknesses of the
long-distance network itself.

But some corporate victims have argued that they had no idea their systems were
vulnerable, while others contend that they incurred big losses even after
adopting special security procedures.

MCI Moves Against '900' Fraud

In a separate issue involving telephone fraud, MCI Communications Corporation
said it would no longer provide billing services for companies that use "900"
numbers to offer credit cards, and that it would place tough new restrictions
on the use of 900 numbers to sell job-placement services, contests and
sweepstakes.

The long-distance company said its decision was based on numerous complaints
about abusive and fraudulent sales practices.  Companies that provide
information through the use of telephone numbers with the 900 area code charge
callers a fee each time they call the number.  MCI and other long-distance
companies carry these calls and bill customers on behalf of the company that
provides the information service.

Pam Small, an MCI spokeswoman, declined to say how much revenue the company
would lose because of the suspension.  But she said the 900 services that would
be affected represented a small part of its pay-per-call business.
_______________________________________________________________________________