
The Multi Layered Approach - Mistake Resistant Security by GHTROUT
Posted: 13 May 06 (Edited 15 Jan 11)


Original writing of GHTROUT (Yes, Jon was real, and he and I worked at the same Interconnect).  This is meant to raise awareness and prompt questions that should be asked more frequently.



When we think of phone phreaking and hacking, a common vision is some late night or weekend where our phone lines are being enjoyed by people we don't know, waiting in what is like a line to the restrooms at State Fair...never ending and we feel like the...you know.  While that kind of penetration can be very costly, the following true story may have done more damage:

It was in the early 1980's...  Jon, my co-worker and friend, didn't steal.  However, he did like to "shock" his friends.  We were doing a wiring project a block from his house one day.  For lunch he would make sandwiches that rivaled the best deli (shock factor).  As we ate, he picked up the phone and dialed a number, then added some digits and then started talking into the phone about [imagination goes here].  I figured whatever; it was probably some friend's answering machine.  That wasn't the case.  He was speaking to three floors worth of overhead paging speakers at a fairly large customer.  Scary, isn't it?  I think I might advertise free phone service before having to deal with that at my company.

How did such a security hole open up?  That system had been in place for a while.  The original installation design engineer did not overlook this – the secure paging trunk he set up was later changed from "PAG" to "COT" to satisfy a customer request to allow Zone Paging.  Then some time after, another change to allow pager outcalling to an 800 number service was requested.  The technician modified the voice mail system to enable 1800 and it didn't work; he tried 800, then resorted to 8, and then finally called for help, where he was reminded the allow table should be "91800".  That worked!  It's late and he has other things on his mind than some company and their toll free pager needs.  He is gone.  Little problem here.  The paging "all-call" was 84.  And guess who just left after putting "8" in the allow table.  Just an innocent mistake and now three floors hear a company-wide announcement from Jon, the guy that loved to shock people.
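The allow-table mistake above can be caught with a routine audit; the following Python sketch is an added example, not part of the original FAQ or any Nortel tool. It assumes the voice mail allow table matches dialed digits by prefix (as the story implies), and the table contents are constructed, including the assumption that the failed attempts were left in place.

```python
# Added example: audit a voice mail outcalling allow table against internal
# access codes that must never be reachable. All values are constructed.

def collisions(allow_table, protected_codes):
    """Return (entry, code, reason) for each allow entry that exposes a code.

    Assumes prefix semantics: an entry permits any dialed string that
    begins with the entry's digits.
    """
    findings = []
    for entry in allow_table:
        for code, label in protected_codes.items():
            if code.startswith(entry):
                # Entry is as short as or shorter than the code: dialing the
                # code itself passes the allow check.
                findings.append((entry, code, f"entry permits {label}"))
            elif entry.startswith(code):
                # Entry is longer: permitted strings begin with the code, so
                # the switch may act on the code before the remaining digits.
                findings.append((entry, code, f"entry begins with {label}"))
    return findings


def is_permitted(dialed, allow_table):
    """True if the dialed digits match any allow entry by prefix."""
    return any(dialed.startswith(entry) for entry in allow_table)


# Constructed dial plan based on the story: 84 is the paging all-call.
PROTECTED = {"84": "paging all-call"}

# Table as the technician might have left it, and the table after cleanup.
AS_LEFT = ["1800", "800", "8", "91800"]
CLEANED = ["91800"]

if __name__ == "__main__":
    for name, table in (("as left", AS_LEFT), ("cleaned", CLEANED)):
        print(name, "- 84 permitted:", is_permitted("84", table))
        for entry, code, reason in collisions(table, PROTECTED):
            print(f"  allow '{entry}' vs {code}: {reason}")
```

Running the audit after every allow-table change, with every paging, trunk access and feature code listed as protected, flags the stray "8" before the technician leaves the site.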

Making it Hard to Screw Up

That incident was a turning point for me.  I realized that normal changes by technicians and customers would continue to open holes if it was as easy as adding one digit in a table.  In addition to the restrictions that can be assigned in the voice mail system, I activate each of these features where possible:

Flexible Trunk to Trunk Connections:  Since most of the systems I have come across needed to allow outcalling to pagers or cell phones, it was a feature in the Meridian 1 X-11 Rls 23 that caught my eye.  Flexible Trunk to Trunk Connections provided a means to restrict a phone TN (in this case, the voice mail TNs) from connecting a caller to a destination over a trunk.  NCOS, TGAR or other CLS do not take precedence over or override the feature setting.  Flexible Trunk to Trunk Connections is not enabled by default, but phone TNs show the restriction value as FTTU, FTTC, or FTTR.  When the feature is activated in the Customer Data Block, users will lose the ability to release an incoming caller to an external destination unless they were changed to CLS FTTU.

SRE is another Class of Service available.  If this is assigned to Voice Mail TNs, the system will not be able to originate calls over trunks, regardless of NCOS.  The disadvantage is that Outcalling will not be possible either.  It is a great layer to add if outcalling is not used.

NCOS is generally assigned to the Voice Mail TNs with some thought.  Over time, the capabilities of each NCOS setting may have changed without considering the capability that may have been added to the voice mail TNs.

TGAR is a layer that can restrict phone TNs from dialing the Trunk Route Access Codes, bypassing the restrictions that NCOS provides.

The features listed above can effectively restrict voice mail from being used to place unauthorized calls.  Each should be considered, evaluating the overall effect they may have on the system.  Differences in system configuration can also change the level of restriction I have described.
