Lucent Technologies BCS Products Security Handbook

							BCS Products
Security Handbook  
555-025-600  Issue 6
December 1997
Voice Messaging Systems 
Page 5-39 MERLIN LEGEND Communications System 
5
nEnter # in the Subscriber Password field to prevent access to the 
corresponding voice mail.
nEnter yes in the Does the subscriber have switch call coverage field. On 
the switch side, do not specify the AUDIX Voice Power System extension 
as a coverage point for any of these added extensions.
NOTE:
Although these restricted voice mailboxes cannot receive Call Answer 
messages, they do receive broadcast messages and even may receive a 
misdirected message from another subscriber. To save storage space, you 
should periodically clean out these mailboxes by accessing the restricted 
mailboxes and deleting all messages.
NOTE:
On AUDIX Voice Power System 2.1.1, mailboxes can be set individually to 
“1 minute,” reducing the clean-up required to service these mailboxes.
Protecting the INTUITY Voice Messaging System
The INTUITY Voice Messaging System provides automated attendant, call answer, 
and voice mail functionality. The automated attendant feature answers incoming 
calls and routes them to the appropriate department, person, or mailbox. The call 
answer feature provides call coverage to voice mailboxes. The voice mail feature 
provides a variety of voice messaging features.
Voice Messaging systems have two areas of weakness:
nCodes that transfer to inside or outside dial tone
Once thieves transfer to inside dial tone, they have access to any 
unprotected switch features. Preventing this type of abuse requires 
security at both the switch and at the voice messaging system.
nMailboxes that can be used as message drops
Once thieves break into a mailbox, they can use it as a message drop for 
untraceable calls for illegal activities. if you have 800 lines that can connect 
to your voice messaging system, they can pass stolen information around 
at your expense using your 800 lines. 
Protecting Passwords
The INTUITY AUDIX System offers password protection to help restrict 
unauthorized access. Subscribers should use the longest feasible password 
length and should change it routinely. Passwords can be up t o 15 digits, and you 
can specify the minimum number of digits required. Use a minimum of five digits, 
and a length at least one digit longer than the extension number length. See 
‘‘
Administration / Maintenance Access’’ on page 2-4 and ‘‘General Security 
Measures’’ on page 2-7 for secure password guidelines. See Appendix E for 
information on how to change passwords. 
						

							BCS Products
Security Handbook  
555-025-600  Issue 6
December 1997
Voice Messaging Systems 
Page 5-40 MERLIN LEGEND Communications System 
5
Security Tips
nAt the switch, assign toll restrictions to voice message system and 
automated attendant ports.
nIf you do not use the outcalling features of the voice messaging system, 
restrict the outward calling capability of all voice ports.
nUse a dial plan that does not allow extensions beginning with the same 
digits as ARS, TAC, or verification and test codes.
nInform all system operators that they are not to dial outside calls. Request 
that operators report all attempts to bypass switch restrictions to the 
telecommunications department for repairs or to the corporate security 
office for investigation.
nRestrict the numbers for outcalling with a disallowed list.
nDo not use default initial passwords that follow any scheme. Have a list of 
random passwords and select one when you create the mailbox. Require 
that the mailbox owner personally appear at the corporate security office or 
telecommunications office to obtain the initial password. Go over the 
subscriber password guidelines with the subscriber when you give out the 
initial password.
nMake sure subscribers change the initial password the first time they log in 
to the AUDIX system by making the initial password shorter than the 
minimum password length.
nUse the password aging feature so that users must change their 
passwords monthly.
nDiscourage the practice of writing down passwords, storing them, or 
sharing them with others.
nInform employees on how to report suspected toll fraud to the corporate 
security office.
Security Measures
The following are suggested security measures to be used with the INTUITY AUDIX 
Voice Messaging System.
Basic Call Transfer
With Basic Call Transfer, after a voice mail system caller enters    , the system 
performs the following steps:
1. The voice mail system verifies that the digits entered contain the same 
number of digits administered for extension lengths. If call transfer is 
restricted to subscribers (for the DEFINITY AUDIX System and the Lucent 
Technologies I
NTUITY System only), the voice mail system also verifies 
that the digits entered match the extension number of an administered 
subscriber.
*T 
						

							BCS Products
Security Handbook  
555-025-600  Issue 6
December 1997
Voice Messaging Systems 
Page 5-41 MERLIN LEGEND Communications System 
5
2. If Step 1 is successful, the voice mail system performs a switch-hook flash, 
putting the caller on hold.
NOTE:
If Step 1 is unsuccessful, the voice mail system plays an error 
message and prompts the caller for another try.
3. The voice mail system sends the digits to the switch.
4. The voice mail system completes the transfer.
With Basic Call Transfer, a caller can dial any number, provided the number of 
digits matches the length of a valid extension. So, if an unauthorized caller dials a 
transfer code followed by the first digits of a long-distance telephone number, 
such as          , the voice mail system passes the numbers on to the 
switch. (This is an example showing a 5-digit plan.) The switch interprets the first 
digit ( ) as an access code, and the following digits as the prefix digit and area 
code. At this point, the caller enters the remaining digits of the phone number to 
complete the call.
If call transfer is restricted to subscribers (for the DEFINITY AUDIX System and 
the Lucent Technologies I
NTUITY System only), the caller cannot initiate a transfer 
to an off-premises destination unless the digits entered match an administered 
subscriber’s mailbox identifier; for example, 91809. To insure the integrity of the 
subscriber restriction, do not administer mailboxes that start with the same digit(s) 
as a valid switch Trunk Access Code. It is strongly recommended that all transfers 
be restricted to subscribers when Basic Call Transfer is used.
Closely Monitor All Mailboxes
The use of INTUITY AUDIX system security features in combination with mailbox 
administration can help reduce the risk of unauthorized use of mailboxes.
nLock out multiple consecutive attempts to enter a voice mailbox. The 
INTUITY AUDIX system has a password time-out feature that allows callers 
three attempts in one call to correctly enter their password before they are 
automatically disconnected. You can also specify how many consecutive 
invalid attempts are allowed before a voice mailbox is locked.
nDeactivate unassigned voice mailboxes. When an employee leaves the 
company, close or reassign the voice mailbox.
nDo not create voice mailboxes before they are needed.
nAvoid or closely monitor the use of “guest” mailboxes (mailboxes without a 
physical extension that are loaned to outsiders for the duration of a 
project). If you need a guest mailbox, assign it when it is needed and 
deactivate or change its password immediately after it is no longer needed. 
Do not reassign a guest mailbox without changing the password.
91809
9 
						

							BCS Products
Security Handbook  
555-025-600  Issue 6
December 1997
Voice Messaging Systems 
Page 5-42 MERLIN LEGEND Communications System 
5
Restrict Outcalling
Outcalling uses the voice messaging ports. If mailbox security is broken, 
unauthorized persons can use outcalling to transfer messages at your expense. If 
you need outcalling, restrict it as far as possible to eliminate the possibilities for 
theft of services.
nDo not enable outcalling at all if you do not need it. Do not enable outcalling 
for any subscribers who do not need it.
nIf outcalling is used only to ring in-house telephones that do not have 
message waiting lights, restrict the number of digits to the maximum length 
of extension.
nIf possible, restrict outcalling to the local area (7 digits), or North American 
(10 digits).
nIf outcalling must be done to pagers, use pagers that have individual DID 
numbers so that pager identification digits are not required and restrict any 
additional digits for call identification to the minimum possible.
nIf a limited number of pagers are in use, consider putting the pager 
numbers on all unrestricted calling list so that outcalling can be effectively 
limited to only those numbers.
Detecting Toll Fraud
With SMDR activated for incoming calls, you can check the calls into your voice 
mail ports. A series of short holding times may indicate repeated attempts to enter 
voice mailbox passwords.
Review SMDR reports for the following symptoms of voice messaging abuse:
nShort holding times on calls where voice messaging is the originating 
endpoint or terminating endpoint
nCalls to international locations not normal for your business
nCalls to suspicious destinations
nNumerous calls to the same number
nUndefined account codes
NOTE:
The MERLIN LEGEND system only records the last extension on the call. 
Internal toll abusers transfer unauthorized calls to another extension before 
they disconnect so that the SMDR does not track the originating station. If 
the transfer is to your voice messaging system, it could give a false 
indication that your voice messaging system is the source of the toll fraud. 
						

							BCS Products
Security Handbook  
555-025-600  Issue 6
December 1997
Voice Messaging Systems 
Page 5-43 MERLIN LEGEND Communications System 
5
Protecting the MERLIN MAIL, MERLIN
MAIL-ML, MERLIN MAIL R3, and MERLIN
LEGEND Mail Voice Messaging Systems
The MERLIN MAIL, MERLIN MAIL-ML, MERLIN MAIL R3, and MERLIN LEGEND 
Mail Voice Messaging Systems provide automated attendant, call answer, and 
voice mail functionality. The automated attendant feature answers incoming calls 
and routes them to the appropriate department, person, or mailbox. The call 
answer feature provides call coverage to voice mailboxes. The voice mail feature 
provides a variety of voice messaging features.
Beginning with Release 3.1, ports assigned for use by voice messaging systems 
(including generic or integrated VMI ports) are now assigned outward restrictions 
by default. Also, FRL 0 and Disallowed List #7 are used. Prior to Release 3.1,
FRL 3 is used. If a voice messaging system should be allowed to call out (for 
example, to send calls to a user’s home office), the system manager must remove 
these restrictions. Provide outcalling only to mailboxes that have a business need 
for the feature.
NOTE:
Unauthorized persons concentrate their activities in two areas: they try to 
transfer out of the voice messaging system to gain access to an outgoing 
trunk and make long distance calls; or they try to locate unused or 
unprotected mailboxes and use them as dropoff points for their own 
messages.
Protecting Automated Attendant
Two areas of toll fraud risk are associated with the automated attendant feature. 
These are listed below.
nPooled facility (line/trunk) access codes are translated to a selector code to 
allow Remote Access. If a hacker chooses this selector code, the hacker 
has immediate access.
nIf the automated attendant prompts callers to use the host switch’s Remote 
Call Forwarding (RCF) to reach an outside telephone number, the system 
may be susceptible to toll fraud. An example of this application is a menu or 
submenu that says, “To reach our answering service, press 5,” then 
transfers the caller to an external telephone number.
Remote Call Forwarding can only be used securely when the central office 
provides “reliable disconnect.” This is sometimes referred to as a forward 
disconnect or disconnect supervision. This guarantees that the central 
office will not return a dial tone after the called party hangs up. In many 
cases, the central office facility is a loop-start line/trunk which does not 
provide reliable disconnect. When loop-start lines/trunks are used, if the 
calling party stays on the line, the central office will return a dial tone at the 
conclusion of the call, enabling the caller to place another call as if it were 
being placed from your company. 
						

							BCS Products
Security Handbook  
555-025-600  Issue 6
December 1997
Voice Messaging Systems 
Page 5-44 MERLIN LEGEND Communications System 
5
Take the following preventative measures to limit the risk of unauthorized use of 
the automated attendant feature by hackers:
nDo not use automated attendant selector codes for Automatic Route 
Selection (ARS) codes or Pooled Facility codes.
nAssign all unused automated attendant selector codes to zero, so that 
attempts to dial these will be routed to the system operator or General 
Mailbox.
nIf Remote Call Forwarding (RCF) is required, coordinate with your Lucent 
Technologies Account Team or authorized dealer to verify the type of 
central office facility used for RCF. If a ground-start line/trunk, or a 
loop-start line/trunk and central office reliable disconnect can be ensured, 
then nothing else need be done.
NOTE:
In many cases these will be loop-start lines/trunks without reliable 
disconnect. The local telephone company will need to be involved to 
change the facilities used for RCF to ground start lines/trunks. 
Usually a charge applies for this change. Also, hardware and 
software changes may need to be made in the MERLIN LEGEND 
Communications System. The automated attendant feature merely 
accesses the RCF feature in the MERLIN LEGEND Communications 
System. Without these changes being made, this feature is highly 
susceptible to toll fraud. The same preventative measures must be 
taken if the RCF feature is active for MERLIN LEGEND 
Communications System extensions, whether or not accessed by an 
automated attendant menu.
Protecting Passwords
For the MERLIN MAIL and MERLIN MAIL-ML Voice Messaging Systems, 
passwords can be up to four digits. For the MERLIN MAIL R3 and MERLIN 
LEGEND Mail Voice Messaging System, passwords can be up to 15 digits. See 
‘‘
Administration / Maintenance Access’’ on page 2-4 and ‘‘General Security 
Measures’’ on page 2-7 for secure password guidelines. See Appendix E for 
information on how to change passwords.
Security Tips
The MERLIN MAIL, MERLIN MAIL-ML, MERLIN MAIL R3, and MERLIN LEGEND 
Mail Voice Messaging Systems, through proper administration, can help you 
reduce the risk of unauthorized persons gaining access to the network. However, 
phone numbers and authorization codes can be compromised when overheard in 
a public location, lost through theft of a wallet or purse containing access 
information, or when treated carelessly (writing codes on a piece of paper and 
improperly discarding them). 
						

							BCS Products
Security Handbook  
555-025-600  Issue 6
December 1997
Voice Messaging Systems 
Page 5-45 MERLIN LEGEND Communications System 
5
Hackers may also use a computer to dial an access code and then publish the 
information for other hackers. Substantial charges can accumulate quickly. It is 
your responsibility to take appropriate steps to implement the features properly, to 
evaluate and administer the various restriction levels, and to protect and carefully 
distribute access codes.
To reduce the risk of unauthorized access through your voice messaging system, 
also observe the following procedures:
nMonitor SMDR reports and/or Call Accounting System reports for outgoing 
calls that might be originated by internal and external abusers.
nIf the MERLIN MAIL, MERLIN MAIL-ML, MERLIN MAIL R3, and/or 
MERLIN LEGEND Mail Voice Messaging System outcalling feature will be 
used, on the MERLIN LEGEND Communications System, outward restrict 
(FRL 0) all voice messaging system ports not used for outcalling. This 
denies access to facilities (lines/trunks).
nThe two-port systems (MERLIN MAIL Voice Messaging System, 
MERLIN MAIL-ML Voice Messaging System, MERLIN MAIL R3 
Voice Messaging System, and MERLIN LEGEND Mail Voice 
Messaging System) use port 2 for outcalling; outward restrict port 1.
nThe four-port systems (MERLIN MAIL Voice Messaging System, 
MERLIN MAIL-ML Voice Messaging System, MERLIN MAIL R3 
Voice Messaging System, and MERLIN LEGEND Mail Voice 
Messaging System) use port 4 for outcalling; outward restrict ports 
1, 2, and 3.
nThe six-port system (MERLIN MAIL R3 and MERLIN LEGEND Mail 
Voice Messaging Systems) uses ports 5 and 6 for outcalling; 
outward restrict ports 1, 2, 3, and 4.
nRequire employees who have voice mailboxes to use passwords to protect 
their mailboxes. For the MERLIN MAIL and MERLIN MAIL-ML Voice 
Messaging Systems, passwords should be four digits long. For MERLIN 
MAIL R3 and MERLIN LEGEND Mail Voice Messaging Systems, 
passwords should be at least six digits long.
nRequire the System Administrator and all voice mailbox owners to change 
their password from the default.
nHave employees use random sequence passwords.
nImpress upon employees the importance of keeping their passwords a 
secret.
nEncourage employees to change their passwords regularly.
nUse a secure password for the General Mailbox.
nReassign the System Administrator’s mailbox/extension number from the 
default of 9997. Be certain to password protect the new mailbox.
nHave the System Administrator delete unneeded voice mailboxes from the 
system immediately. 
						

							BCS Products
Security Handbook  
555-025-600  Issue 6
December 1997
Voice Messaging Systems 
Page 5-46 MERLIN LEGEND Communications System 
5
nSet the maximum number of digits in an extension parameter appropriate 
to your dial plan. The voice messaging system will not perform transfers to 
extensions greater than that number.
nWhen possible, restrict the off-network capability of callers by using calling 
restrictions, Facility Restriction Levels, and Disallowed List features.
nOutward restrict all MERLIN LEGEND voice mail port extensions not used 
for outcalling. This denies access to facilities (lines/trunks). Beginning with 
Release 3.1, this is the default. You should change this setting only after 
careful consideration.
nCreate a Disallowed List to disallow dialing 0, 70, 011, 809, 1809, 0809, 10, 
9999, 411, 1411, 800, 888, 700, 900, 976, 550, 1800, 1888, 1700, 1500, 
1900, 1976, 1550, 0800, 0888, 0700, 0500, 0900, 0976, and 0550. Assign 
all voice mail ports to this list. Lucent Technologies recommends using List 
7 — the last Disallowed List. This is an added layer of security, in case 
other restrictions are inadvertently removed.
nIf outcalling is required by users of the voice messaging system:
nProgram an ARS Facility Restriction Level (FRL) of 2 for voice mail 
port extension(s) used for outcalling.
nIf 800 and 888 numbers are used as outcalling destinations, remove 
1800 and 1888 from Disallowed List number 7.
nIf outcalling is allowed to long distance numbers, build an Allowed 
List and assign it to the voice mail port extension(s) used for 
outcalling. On a two-port system, port 2 is used for outcalling. On a 
four-port system, port 4 is used for outcalling. On a 6-port system, 
ports 5 and 6 are used for outcalling. This list should contain the 
area code and first three digits of the local exchange telephone 
numbers to be allowed.
nWhen possible, block out-of-hours calling.
nLimit outcalling to persons on a need-to-have basis.
nUse the Transfer to Subscribers Only feature (MERLIN MAIL R3 Voice 
Messaging System only).
nRequire network dialing for all extensions, including voice mail port 
extensions, to be through ARS using dial access code 9.
nDeny access to pooled facility codes by removing pool dial-out codes 70, 
890-899, or any others on your system.
nInstruct employees to contact their System Administrator immediately if 
any of the following occur:
nstrange voice mail messages are received
ntheir personal greeting has been changed
nthey suspect their MERLIN MAIL Voice Messaging System mailbox 
is being used by someone else 
						

							BCS Products
Security Handbook  
555-025-600  Issue 6
December 1997
Voice Messaging Systems 
Page 5-47 MERLIN LEGEND Communications System 
5
Additional MERLIN MAIL R3 and MERLIN 
LEGEND Mail Voice Messaging System Security 
Features
The MERLIN MAIL R3 and MERLIN LEGEND Mail Voice Messaging System 
includes the following additional security features:
nThe Transfer to Registered Subscribers Only setting of the Transfer 
Restrictions feature allows callers to be transferred only to users who have 
mailboxes in the system. Lucent Technologies strongly recommends using 
this feature to guard against toll fraud.
nTransfer-Only mailboxes allow callers to reach extensions that need to be 
transfer destinations but do not need to receive messages. A maximum of 
255 Transfer-Only mailboxes are available.
nThe System Administrator can set the Minimum Password Length to any 
value from 0-15 digits. The default value is six digits. Every subscriber’s 
mailbox password and the System Administration Password must be 
at 
least
 six digits.
NOTE:
A Minimum Password Length of at least six digits is strongly 
recommended. The shorter the Minimum Password Length, the more 
vulnerable your system is to abuse by unauthorized persons. Choose 
the largest acceptable minimum length in order to maximize the 
security of your system.
nThe Security Violation Notification feature enables the System 
Administrator to choose to be warned about possible mailbox break-in 
attempts. The System Administrator can choose from the following options:
nMailbox Lock — Locks the subscriber’s mailbox and sends a 
warning message to the mailbox owner’s mailbox and the System 
Administrator’s mailbox.
nWarning Message — Sends a warning message to the mailbox 
owner’s mailbox and the System Administrator’s mailbox (factory 
setting).
nNo Security Notification (strongly discouraged).
When a caller reaches the maximum number of unsuccessful login 
attempts, and Security Violation Notification is set to either Mailbox Lock or 
Warning Message, the system plays the message, “Login incorrect. Too 
many unsuccessful login attempts. The System Administrator has been 
notified. Good-bye.” The system sends a warning message to the mailbox 
owner and to the System Administrator.
NOTE:
The System Administrator should use the most restrictive form of the 
feature that the business allows. Use the Mailbox Lock option unless 
this is too restrictive for your business. Use the Warning Message  
						

							BCS Products
Security Handbook  
555-025-600  Issue 6
December 1997
Voice Messaging Systems 
Page 5-48 PARTNER II Communications System 
5
option otherwise. It is strongly discouraged to administer a system 
without Security Violation Notification. The System Administrator 
should investigate all warning messages received.
PARTNER II Communications System
The PARTNER II Communications System R3, and later releases, supports the 
PARTNER MAIL System. The PARTNER II Communications System R3.1 and 
later releases support the PARTNER MAIL System and the PARTNER MAIL VS 
System.
For information on these systems, see ‘‘
Protecting the PARTNER MAIL and 
PARTNER MAIL VS Systems’’ on page 5-48.
Also see ‘‘Related Documentation’’ in the ‘‘About This Document’’ section for a list 
of manuals on these products.
Protecting the PARTNER MAIL and PARTNER
MAIL VS Systems
The PARTNER MAIL and PARTNER MAIL VS Systems provide automated 
attendant, call answer, and voice mail functionality. The automated attendant 
feature answers incoming calls and routes them to the appropriate department, 
person, or mailbox. The call answer feature provides call coverage to voice 
mailboxes.The voice mail feature provides a variety of voice messaging features.
Unauthorized persons try to locate unused or unprotected mailboxes and use 
them as dropoff points for their own messages, especially if inbound calls are free 
(for example, 800 inbound service).
Protecting Passwords
For PARTNER MAIL Release 1 and all releases of PARTNER MAIL VS, 
passwords can be up to four digits. For PARTNER MAIL Release 3, passwords 
can be up to 15 digits in length. See ‘‘
Administration / Maintenance Access’’ on 
page 2-4 and ‘‘General Security Measures’’ on page 2-7 for secure password 
guidelines. See Appendix E for information on how to change the passwords.
Security Tips
nMonitor SMDR reports and/or Call Accounting System reports for outgoing 
calls that might be originated by internal and external abusers.
nFor PARTNER MAIL System mailboxes, exercise caution when assigning a 
Class of Service.