Lucent Technologies BCS Products Security Handbook
BCS Products Security Handbook 555-025-600 Issue 6 December 1997 Large Business Communications Systems Page 3-55 Detecting Toll Fraud 3

■ For Remote Access, enter the number of attempts allowed before a violation occurs in the Barrier Code Threshold field, and enter the time interval in hours or minutes for tracking the number of attempts.
■ For logins, enter the number of login attempts before a violation occurs in the Login Threshold field and the time interval in hours or minutes for tracking the number of attempts. To register as a violation, there must be three invalid login attempts (resulting in a forced disconnect) within the assigned time interval.

NOTE: If you set the Barrier Code Threshold to 1, any unsuccessful first attempt by authorized users to enter the barrier code will cause a violation. A suggestion is to set the threshold to allow three attempts within five minutes to allow for mistakes made by authorized users.

■ In the Feature Button Assignment field, enter rsvn-call for the Remote Access Security Violation Notification button and lsvn-call for the Login Security Violation Notification button.

The feature activation buttons do not have to reside on the referral destination station. They can be administered on any station. However, they must be activated before referral calls are sent to the referral destination.

NOTE: For DEFINITY G3V3 and later releases, which includes DEFINITY ECS, these buttons are called “lsvn-halt,” and “rsvn-halt.” A new button, “asvn-halt,” lights the associated status lamp for the assigned station. The buttons operate the opposite way from DEFINITY G1 and G3 pre-V3 buttons; if activated, the calls are not placed.
In addition to those SVN features already discussed (SVN Authorization Code Violation Notification, SVN Referral Call With Announcement, and the new/renamed Referral Call Buttons), DEFINITY G3V3 and later releases offer the following SVN features:

■ SVN Remote Access Violation Notification with Remote Access Kill After “n” Attempts
This feature disables the Remote Access feature following a Remote Access security violation. Any attempt to use the Remote Access feature once it has been disabled will fail, even if a correct barrier code or barrier code/authorization code combination is supplied, until the feature is re-enabled.
■ SVN Login Violation Notification with Login Kill After “n” Attempts
This feature “locks” a valid login ID following a login security violation involving that login ID. Any attempt to use a login ID disabled following a login security violation will fail, even if the correct login ID/password combination is supplied, until the disabled login ID is re-enabled.
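The threshold, time interval and kill-after-violation behavior described above can be modeled to see what a given setting does to authorized users and to repeated guessing. This is an added example, not code from the handbook or the switch; the class and function names and the traces are constructed, and counting invalid attempts in a sliding window is an assumption, since the handbook does not say how the switch anchors the interval.

```python
from collections import deque
from datetime import datetime, timedelta


class RemoteAccessSVN:
    """Toy model of barrier-code violation counting (not switch code).

    Assumption: invalid attempts are counted in a sliding window.
    """

    def __init__(self, threshold, interval, kill_after_violation=False):
        self.threshold = threshold      # Barrier Code Threshold
        self.interval = interval        # tracking time interval
        self.kill = kill_after_violation
        self.state = "enabled"          # or "svn-disabled"
        self.invalid = deque()          # timestamps of recent invalid codes
        self.violations = []            # timestamps of raised violations

    def attempt(self, when, code_ok):
        """Return 'granted', 'denied' or 'violation' for one attempt."""
        if self.state == "svn-disabled":
            return "denied"             # fails even with a correct code
        if code_ok:
            return "granted"
        self.invalid.append(when)
        while self.invalid and when - self.invalid[0] > self.interval:
            self.invalid.popleft()      # forget attempts outside the interval
        if len(self.invalid) < self.threshold:
            return "denied"
        self.violations.append(when)
        self.invalid.clear()            # start counting afresh
        if self.kill:
            self.state = "svn-disabled"
        return "violation"

    def re_enable(self):
        """Administrator re-enables Remote Access after a kill."""
        self.state = "enabled"
        self.invalid.clear()


def replay(svn, events):
    """Feed (timestamp, code_ok) events to the model; return the outcomes."""
    return [svn.attempt(when, ok) for when, ok in events]


T0 = datetime(1997, 12, 1, 9, 0)


def at(seconds):
    return T0 + timedelta(seconds=seconds)


# Constructed traces: an authorized user who mistypes once, and a caller
# who enters three wrong codes before a correct one.
MISTYPE = [(at(0), False), (at(20), True)]
GUESSING = [(at(0), False), (at(30), False), (at(60), False), (at(90), True)]

if __name__ == "__main__":
    five = timedelta(minutes=5)
    print("threshold 1:", replay(RemoteAccessSVN(1, five), MISTYPE))
    print("threshold 3:", replay(RemoteAccessSVN(3, five), MISTYPE))
    print("3 + kill:   ", replay(RemoteAccessSVN(3, five, True), GUESSING))
```

With the kill option set, the correct code that follows the third wrong one is still refused, which is the behavior the handbook describes for a disabled Remote Access feature.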
DEFINITY G3V4 offers an additional feature:

■ The status remote access command provides information on the state of remote access. Valid states are enabled, disabled, svn-disabled, or not-administered. Valid barrier code states include active and expired.

For information on administering these parts of the Security Violation Notification Feature, see Appendix D.

Security Violations Measurement Report

This report identifies invalid login attempts and the entry of invalid barrier codes. It monitors the administration, maintenance, and Remote Access ports. A login violation is reported when a forced disconnect occurs (after three invalid attempts). Review the report daily to track invalid attempts to log in or to enter barrier codes, both of which may indicate hacker activity.

For DEFINITY ECS and DEFINITY G1, G3, and System 75:

■ Use list measurements security-violations to obtain this report, which is updated hourly. For DEFINITY G1 and System 75, only counts for invalid login attempts and invalid Remote Access attempts are provided. For DEFINITY ECS and DEFINITY G3, the report is divided into two sub-reports, a Summary report and a Detail report.

The Security Violations Summary Report has the following fields:

NOTE: The report header lists the switch name, date and time the report was requested.

— Counted Since: The time at which the counts on the report were last cleared and started accumulating again, or when the system was initialized.
— Barrier Codes: The total number of times a user entered a valid or invalid remote access barrier code, and the number of resulting security violations. Barrier Codes are used with remote access trunks.
— Station Security Code Origination/Total: The number of calls originating from either stations or trunks that generated valid or invalid station security codes, the total number of such calls, and the number of resulting security violations.
— Authorization Codes: The number of calls that generated valid or invalid authorization codes, the total number of such calls, and the number of resulting security violations. Calls are monitored based on the following origination types.
■ Station
■ Trunk (other than remote access)
■ Remote Access
■ Attendant
— Port Type: The type of port used by the measured login process. If break-ins are occurring at this level, the offender may have access to your system administration. With DEFINITY Release 5r, port types can be:
■ SYSAM-LCL (SYSAM Local Port)
■ SYSAM-RMT (SYSAM Remote Port)
■ MAINT
■ SYS-PORT (System Ports)
— Total: Measurements totaled for all the above port types.
— Successful Logins: The total number of successful logins into SM (that is, the login ID and the password submitted were valid) for the given port type.
— Invalid Login Attempts: The total number of login attempts where the attempting party submitted an invalid login ID or password while accessing the given port type.
— Invalid Login IDs: The total number of unsuccessful login attempts where the attempting party submitted an invalid login while accessing the given port type.
— Login Forced Disconnects: The total number of login processes that were disconnected automatically by the switch because the threshold for consecutive invalid login attempts had been exceeded for the given port type. The threshold is three attempts.
— Login Security Violations: The total number of login security violations for the given port type. As with barrier code attempts, the user can define the meaning of a security violation by setting two parameters administratively:
■ The number of unsuccessful logins
■ The time interval
— Login Trivial Attempts: The total number of times a user connected to the system and gave no input to the login sequence.

The Security Violations Detail Report provides system management login data per login identification. It relates only to system administration. This report has the following fields:

— Login ID: The login identification submitted by the person attempting to log in.
Login IDs include the valid system login IDs.
— Port Type: The type of port where login attempts were made. DEFINITY Release 5r has the following ports:
■ SYSAM-LCL (SYSAM Local Port)
■ SYSAM-RMT (SYSAM Remote Port)
■ MAIN
■ SYS-PORT (System Ports)
■ MGR1
■ INADS (The Initialization and Administration System port)
■ EPN (The EPN maintenance EIA port)
■ NET
— Successful Logins: The total number of times a login was used successfully to log into the system for the given port type.
— Invalid Passwords: The total number of login attempts where the attempting person submitted an invalid password for the given port type and login ID.

For DEFINITY ECS and DEFINITY G3:

■ Use monitor security-violations for a real-time report of invalid attempts to log in, either through system administration or through remote access using invalid barrier codes.

For G3V3 and later, the monitor security-violations command has been split into three separate commands: monitor security-violations — — —

The four resulting Security Violations Measurement Reports provide current status information for invalid DEFINITY ECS and DEFINITY Generic 3 Management Applications (G3-MA) login attempts, Remote Access (barrier code) attempts, and Authorization Code attempts. The report titles are as follows:

1. Login Violations Status Report
2. Remote Access (barrier code) Violations Status Report
3. Authorization Code Violations Status Report
4. Station Security Code Violations Report

NOTE: The data displayed by these reports is updated every 30 seconds. Sixteen entries are maintained for each type of violation in the security status reports. The oldest information is overwritten by the new entries at each 30-second update.

The Login Violations Status report has the following fields:

— Date: The day that the invalid attempt occurred
— Time: The time the invalid attempt occurred
— Login: The invalid login that was entered as part of the login violation attempt. An invalid password may cause a security violation. If a valid login causes a security violation by entering an incorrect password, the Security Violation Status report lists the login.
— Port: The port on which the failed login session was attempted.

The following abbreviations are used for DEFINITY G3i:

■ MGR1: The dedicated Management terminal connection (the EIA connection to the Maintenance board)
■ NET-N: The network controller dialup ports
■ EPN: The EPN maintenance EIA port
■ INADS: The INADS (Initialization and Administration System) port
■ EIA: Other EIA ports

The following abbreviations are used for DEFINITY G3r:

■ SYSAM-LCL: Local administration to Manager 1
■ SYSAM-RMT: Dial up port on SYSAM board, typically used by services for remote maintenance, and used by the switch to call out with alarm information.
■ SYS-PORT: System ports accessed through TDM bus.
■ MAINT: Ports on expansion port networks maintenance boards, used as a local connection for on-site maintenance.
■ EXT: The extension assigned to the network controller board on which the failed login session was attempted. This is present only if the invalid login attempt occurred when accessing the system via a network controller channel.
The Remote Access Violations Status Report has the following fields:

— Date: The day that the invalid attempt occurred
— Time: The time the invalid attempt occurred
— TG No: The trunk group number associated with the trunk where the authorization code attempt terminated
— Mbr: The trunk group member number associated with the trunk where the authorization code attempt terminated
— Ext: The extension used to interface with the Remote Access feature
— Barrier Code: The incorrect barrier code that resulted in the invalid access attempt (G3V3 and later)

In DEFINITY G3V3 and later, the Authorization Code Violations Status report has the following fields:
— Date: The day that the violation occurred
— Time: The time the violation occurred
— Originator: The type of resource originating the call that generated the invalid authorization code access attempt. Originator types include:
■ Station
■ Trunk (other than a trunk assigned to a Remote Access trunk group)
■ Remote Access (when the invalid authorization code is associated with an attempt to invoke the Remote Access feature)
■ Attendant
— Auth Code: The invalid authorization code entered
— TG No: The trunk group number associated with the trunk where the remote access attempt terminated. It appears only when an authorization code is used to access a trunk.
— Mbr: The trunk group member number associated with the trunk where the Remote Access attempt terminated. It appears only when an authorization code is used to access a trunk.
— Barrier Code: The incorrect barrier code that resulted in the invalid access attempt. It appears only when an authorization code is entered to invoke Remote Access.
— Ext: The extension associated with the station or attendant originating the call. It appears only when an authorization code is entered from a station or attendant console.

The Station Security Code Violations Report has the following fields:

— Date: The date that the attempt occurred
— Time: The time that the attempt occurred
— TG No: The trunk group number associated with the trunk where the attempt originated
— Mbr: The trunk group member number associated with the trunk where the attempt originated
— Port/Ext: The port or extension associated with the station or attendant originating the call.
— FAC: The feature access code dialed that required a station security code.
— Dialed Digits: The digits that the caller dialed when making this invalid attempt. This may help you to judge whether the caller was actually trying to break in to the system or was a legitimate user who made a mistake in the feature code entry.
Remote Access Barrier Code Aging/Access Limits (DEFINITY G3V3 and Later)

For DEFINITY G3V3 and later, including DEFINITY ECS, Remote Access Barrier Code Aging allows the system administrator to specify both the time interval a barrier code is valid, and/or the number of times a barrier code can be used to access the Remote Access feature.

A barrier code will automatically expire if an expiration date or number of access attempts has exceeded the limits set by the switch administrator. If both a time interval and access limits are administered for an access code, the barrier code expires when one of the conditions is satisfied. If an expiration date is assigned, a warning message will be displayed on the system copyright screen seven days prior to the expiration date, indicating that the barrier code is due to expire. The system administrator may modify the expiration date to extend the time interval if needed. Once the administered expiration date is reached or the number of accesses is exceeded, the barrier code no longer provides access to the Remote Access feature, and intercept treatment is applied to the call.

Expiration dates and access limits are assigned on a per barrier code basis. There are 10 possible barrier codes, 4 to 7 digits long. If there are more than 10 users of the Remote Access feature, the codes must be shared.

NOTE: For upgrades, default expiration dates are automatically assigned to barrier codes (one day from the current date and one access). It is strongly recommended that customers modify these parameters. If they do not, when the barrier codes expire, the remote access feature will no longer function.

When a barrier code is no longer needed it should be removed from the system. Barrier codes should be safeguarded by the user and stored in a secure place by the switch administrator.
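The aging rules above (expiry on whichever limit is hit first, the seven-day warning, and the one-day/one-access defaults assigned on upgrade) lend themselves to a periodic audit of the administered codes. The following is an added example, not part of the handbook and not switch software; the record layout, labels and inventory are constructed, and it assumes a code with an access limit of N permits N accesses and is expired afterwards.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

WARNING_DAYS = 7   # handbook: warning shown seven days before expiration
MAX_CODES = 10     # handbook: 10 possible barrier codes, 4 to 7 digits


@dataclass
class BarrierCode:
    label: str                   # inventory label (hypothetical), not the code
    digits: int                  # length of the administered code
    expires: Optional[date]      # None: no expiration date administered
    access_limit: Optional[int]  # None: no access limit administered
    accesses: int = 0            # accesses counted so far


def upgrade_default(label, digits, upgrade_day):
    """Aging values assigned on upgrade: one day from now and one access."""
    return BarrierCode(label, digits, upgrade_day + timedelta(days=1), 1)


def status(code, today):
    """Expired as soon as EITHER administered limit is reached."""
    if code.expires is not None and today >= code.expires:
        return "expired"
    if code.access_limit is not None and code.accesses >= code.access_limit:
        return "expired"
    return "active"


def audit(codes, today, users):
    """Return (label, finding) pairs for the administrator to act on."""
    findings = []
    if users > min(len(codes), MAX_CODES):
        findings.append(("*", "codes shared between users"))
    for c in codes:
        if not 4 <= c.digits <= 7:
            findings.append((c.label, "length outside 4-7 digits"))
        if c.expires is None and c.access_limit is None:
            findings.append((c.label, "no aging administered"))
        if status(c, today) == "expired":
            findings.append((c.label, "expired: re-administer or remove"))
        elif c.expires and c.expires - today <= timedelta(days=WARNING_DAYS):
            findings.append((c.label, "expires within warning period"))
    return findings


# Constructed inventory, audited the day after an upgrade on 1 Dec 1997.
UPGRADE_DAY = date(1997, 12, 1)
TODAY = UPGRADE_DAY + timedelta(days=1)
INVENTORY = [
    upgrade_default("bc-1", 7, UPGRADE_DAY),                    # never changed
    BarrierCode("bc-2", 7, date(1997, 12, 6), None),            # 4 days left
    BarrierCode("bc-3", 7, date(1998, 6, 1), 50, accesses=50),  # limit used up
    BarrierCode("bc-4", 7, date(1998, 6, 1), 50, accesses=3),   # healthy
]

if __name__ == "__main__":
    for label, finding in audit(INVENTORY, TODAY, users=12):
        print(f"{label}: {finding}")
```

The code left on its upgrade defaults is already expired one day later, which is the loss of remote access the NOTE above describes.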
See Appendix D for information on administering Barrier Code Aging.

Recent Change History Report (DEFINITY ECS and DEFINITY G1 and G3 only)

The latest administration changes are automatically tracked for DEFINITY ECS and DEFINITY G1 and G3. For each administration change that occurs, the system records the date, time, port, login, and type of change that was made.

For DEFINITY ECS and DEFINITY G1 and G3:

■ To review the report, enter list history. Check for unauthorized changes to security-related features discussed in this handbook.
NOTE: Since the amount of space available for storing this information is limited, you should print the entire output of the list history command immediately upon suspicion of toll fraud.

For DEFINITY G3V4 with the Intel® processor, the history log has doubled in size to 500 entries, and provides login and logoff entries. This log includes the date, time, port, and login ID associated with the login or logoff.

Malicious Call Trace

For DEFINITY G2, G3r, System 85 R2V4, and DEFINITY G3V2 and later releases, Malicious Call Trace (MCT) provides a way for terminal users to notify a predefined set of users that they may be party to a malicious call. These users may then retrieve certain information related to the call and may track the source of the call. The feature also provides a method of generating an audio recording of the call.

While MCT is especially helpful to those businesses that are prime targets of malicious calls, such as bomb threats, this feature can aid any business in tracing hackers. For this reason, it may be considered as a security tool for businesses that do not normally experience malicious calls.

Depending on whether the call originates within the system or outside it, the following information is collected and displayed:

■ If the call originates within the system:
— If the call is on the same node or DCS subnetwork, the calling number is displayed on the controlling terminal.
— If an ISDN calling number identification is available on the incoming trunk, then the calling number is displayed.
■ If the call originates outside the system, the incoming trunk equipment location is displayed. In this case, the customer must call the appropriate connecting switch.
■ The following is displayed for all calls: called number, activating number, whether the call is active or not, and identification of any additional parties on the call.

There are several ways to activate the MCT feature. See the DEFINITY ECS Release 5 Feature Description, 555-230-204, for more information.
Service Observing

When toll fraud is suspected, this feature allows an authorized person, such as a security supervisor, to monitor actual calls in progress to establish whether or not an authorized user is on the call. The service observer has the option to listen only or to listen and talk.

An optional warning tone can be administered (on a per-system basis) to let the calling party and the user whose call is being observed know that a supervisor is observing the call. The warning tone is a 440-Hz tone. A two-second burst of this tone is heard before the supervisor is connected to the call. A half-second burst of this tone is heard every 12 seconds while a call is being observed. The warning tone is heard by all parties on the observed call.

NOTE: The use of service observing may be subject to federal, state, or local laws, rules, or regulations and may be prohibited pursuant to the laws, rules, or regulations or require the consent of one or both of the parties to the conversation. Customers should familiarize themselves with and comply with all applicable laws, rules, and regulations before using this feature.

For DEFINITY ECS, DEFINITY G1, G3, and System 75:

■ Enter change system-parameters features to display the Features-Related System Parameters screen.
■ Enter y in the Service Observing Warning Tone field.
■ Enter change station to display the Station screen.
■ Enter serv-obsrv in the Feature Button Assignment field.
■ Use change cor to display the Class of Restriction screen.
■ Enter y in the Service Observing field.
■ Enter change station to assign the COR to the station.

For DEFINITY G2 and System 85:

NOTE: This feature is available only with an ACD split.

■ Use PROC054 WORD2 FIELD8 to assign the Service Observing Custom Calling Button to a multi-appearance terminal.
For DEFINITY G3V3 and later, which includes DEFINITY ECS, the Observe Remotely (remote service observing) feature allows monitoring of physical, logical, or VDN extensions from external locations. If the remote access feature is used for remote service observing, then use barrier codes to protect remote service observing.
Busy Verification

When toll fraud is suspected, you can interrupt the call on a specified trunk group or extension number and monitor the call in progress. Callers will hear a long tone to indicate the call is being monitored.

For DEFINITY ECS, DEFINITY G1, G3, and System 75:

■ Enter change station to display the Station screen for the station that will be assigned the Busy Verification button.
■ In the Feature Button Assignment field, enter verify.
■ To activate the feature, press the Verify button and then enter the Trunk Access Code and member number to be monitored.

For DEFINITY G2 and System 85:

■ Administer a Busy Verification button on the attendant console.
■ To activate the feature, press the button and enter the Trunk Access Code and the member number.

List Call Forwarding Command

For DEFINITY G3V4 (and later, including the DEFINITY ECS), this command provides the status of stations that have initiated Call Forwarding On Net and Off Net and Call Forwarding Busy/Don’t Answer. The display includes the station initiating the Call Forwarding and the call forwarding destination