Lucent Technologies BCS Products Security Handbook

							Security Risks 
Page 2-1 Overview 
2
BCS Products
Security Handbook  
555-025-600  Issue 6
December 1997
2
2Security Risks
Overview
In order for your system to be secure against toll fraud, you need to address 
access, egress, and system administration. This handbook addresses those 
concerns. In addition, the risk of PBX-based toll fraud increases when any of the 
following products and features are used:
nRemote Access
nAutomated Attendant
nOther port security risks
nVoice Messaging
nAdministration and Maintenance Access
nVectors associated with the DEFINITY ECS and DEFINITY 
Communications Systems
All these features offer benefits which allow companies to increase their 
availability to their customers and the productivity of their workforce. However, this 
chapter takes a look at these features from a different point-of-view: how can 
these features, when combined with other outgoing features, such as dial access 
to trunks, make a PBX system more vulnerable to toll fraud?
The remainder of this chapter discusses general security measures you can take 
to protect your system. Chapters 3 through 6 discuss the specific actions that help 
prevent these features from being the target of unauthorized use. 
						

							BCS Products
Security Handbook  
555-025-600  Issue 6
December 1997
Security Risks 
Page 2-2 Remote Access 
2
Remote Access
Remote Access, or Direct Inward System Access (DISA), permits callers from the 
public network to access a customer premises equipment-based system to use its 
features and services. Callers dial into the system using CO, FX, DID, or 800 
service trunks.
After accessing the feature, the user hears system dial tone, and, for system 
security, may be required to dial a barrier code, depending on the system. If a 
valid barrier code is dialed, the user again hears dial tone, and can place calls the 
same as an on-premises user.
For the DEFINITY ECS, DEFINITY G1 and G3, and for the System 75, incoming 
calls are routed to a Remote Access extension. For DEFINITY G2 and System 85, 
callers are connected to the Remote Access feature when they dial the number 
for an incoming Remote Access trunk group.
Different product releases have different restrictions, as follows. When a Remote 
Access call is answered, the caller can be requested to enter either a barrier code 
or an authorization code (the DEFINITY ECS, DEFINITY G1, G2.2 Issue 3.0 and 
later), G3, and System 75 R1V3 can require both) before calls are processed. 
When both maximum length barrier codes and authorization codes are required, 
hackers need to decipher up to 14 digits to gain access to the feature.
Hackers frequently call toll-free 800 numbers to enter customer premises 
equipment-based PBX systems so that they do not pay for the inbound calls. After 
they are connected, hackers use random number generators and password 
cracking programs to find a combination of numbers that gives them access to an 
outside facility.
Unprotected Remote Access numbers (those that do not require barrier codes or 
authorization codes) are favorite targets of hackers. After being connected to the 
system through the Remote Access feature, a hacker may make an unauthorized 
call by simply dialing  and the telephone number. Even when the Remote 
Access feature is protected, hackers try to decipher the codes. When the right 
combination of digits is discovered (accidentally or otherwise), hackers can then 
make and sell calls to the public.
For these reasons, all switches in the network should be protected. Refer to 
Chapter 3 for more information on Remote Access for the DEFINITY ECS, 
DEFINITY Communications Systems, System 75, and System 85. Refer to 
Chapter 4 for more information on Remote Access for the MERLIN II, MERLIN 
LEGEND, MERLIN Plus, PARTNER II, PARTNER Plus, and System 25 
Communications Systems.
9 
						

							BCS Products
Security Handbook  
555-025-600  Issue 6
December 1997
Security Risks 
Page 2-3 Automated Attendant 
2
Automated Attendant
Automated attendant systems direct calls to pre-designated stations by offering 
callers a menu of available options. Automated attendant devices are connected 
to a port on the main system and provide the necessary signaling to the switch 
when a call is being transferred. When hackers connect to an automated 
attendant system, they try to find a menu choice (even one that is unannounced) 
that leads to an outside facility.
Hackers also may try entering a portion of the toll number they are trying to call to 
see if the automated attendant system passes the digits directly to the switch. To 
do this, the hacker matches the length of a valid extension number by dialing only 
a portion of the long distance telephone number. For example, if extension 
numbers are four digits long, the hacker enters the first four digits of the long 
distance number. After the automated attendant sends those numbers to the 
switch and disconnects from the call, the hacker provides the switch with the 
remaining digits of the number.
Many voice messaging systems incorporate automated attendant features. The 
security risks associated with automated attendant systems are common to voice 
messaging systems as well. Refer to Chapter 6 for more information on securing 
automated attendant systems.
Other Port Security Risks
Many of the security risks from voice mail, Remote Access, and automated 
attendant arise from allowing incoming callers to access outside facilities. 
However, there are other endpoints within your system that should also be denied 
to incoming callers. Many of these endpoints can be dialed as internal calls within 
the system, and can be reached from either voice mail, auto attendant, or Remote 
Access.
For example, the NETCON (Network Control) data channels provide internal 
access to the system management capabilities of the system and can be reached 
on a call transfer from an AUDIX Voice Mail System if not protected by appropriate 
restrictions. [See ‘‘
Increasing Product Access (Port) Security’’ on page 2-6.] Any 
features or endpoints that can be dialed, but are to be denied to incoming callers, 
should be placed in restriction groups that cannot be reached from the incoming 
facility or from endpoints that could transfer a call.
Sophisticated modems being used today, if not protected, offer incoming callers 
the ability to remotely request the modem to flash switch-hook, returning second 
dial tone to the incoming caller. Modem pool ports need to be appropriately 
protected or otherwise denied access to second (recall) dial tone. Outgoing-only 
modem pools are at risk if they can be dialed as extensions from any of the 
remote access or voice mail ports as in the example above. (See ‘‘
Recall 
Signaling (Switchhook Flash)’’ on page 3-17.) 
						

							BCS Products
Security Handbook  
555-025-600  Issue 6
December 1997
Security Risks 
Page 2-4 Voice Messaging Systems 
2
Voice Messaging Systems
Voice messaging systems provide a variety of voice messaging applications; 
operating similarly to an electronic answering machine. Callers can leave 
messages for employees (subscribers) who have voice mailboxes assigned to 
them. Subscribers can play, forward, save, repeat, and delete the messages in 
their mailboxes. Many voice messaging systems allow callers to transfer out of 
voice mailboxes and back into the PBX system. When hackers connect to the 
voice messaging system, they try to enter digits that connect them to an outside 
facility. For example, hackers enter a transfer command (the AUDIX Voice Mail 
System uses  ), followed by an outgoing trunk access number for an outside 
trunk. Most hackers do not realize how they gained access to an outside facility; 
they only need to know the right combination of digits. See Chapter 5 for 
information on securing your voice messaging system.
Sometimes hackers are not even looking for an outside facility. They enter a voice 
messaging system to find unassigned voice mailboxes. When they are 
successful, they assign the mailboxes to themselves, relatives, and friends, and 
use them to exchange toll-free messages. Hackers can even use cellular phones 
to break into voice mailboxes. (See ‘‘
Protecting Voice Messaging Systems’’ on 
page 5-2.) In addition, unauthorized access to voice messaging systems can 
allow hackers to access the switch and change administration data. See 
‘‘
Increasing Product Access (Port) Security’’ on page 2-6.
Administration / Maintenance Access
Expert toll hackers target the administration and maintenance capabilities of 
customer premises equipment-based systems. Once criminals gain access to the 
administration port, they are able to change system features and parameters so 
that fraudulent calls can be made. The following measures can be taken to 
prevent high level access to system administration.
Passwords
Changing Default Passwords
To simplify initial setup and allow for immediate operation, either the switch and 
adjuncts are assigned default administration passwords, or passwords are 
disabled, depending on the date of installation. Hackers who have obtained 
copies of customer premises equipment-based and adjunct system 
documentation circulate the known default passwords to try to gain entry into 
systems. To date, the vast majority of hacker access to maintenance ports has 
been through default customer passwords. Be sure to change or void all default 
passwords to end this opportunity for hackers. 
*T 
						

							BCS Products
Security Handbook  
555-025-600  Issue 6
December 1997
Security Risks 
Page 2-5 Administration / Maintenance Access 
2
The following is a list of customer logins for systems in this handbook that provide 
login capabilities. For information on password parameters, see the applicable 
system chapter. For information on how to change passwords, see Appendix E.
nAUDIX Voice Mail System: cust
nAUDIX Voice Power System: audix (or is on the Integrated 
Solution-equipped system)
nDEFINITY AUDIX System: cust
nDEFINITY ECS, DEFINITY G1, G3V1, G3V2, and System 75: cust, rcust, 
bcms1, browse*, NMS*
nLucent Technologies INTUITY System: sa, vm
nMERLIN LEGEND Communications System: admin on Integrated Voice 
Response platform-supported systems
nMERLIN MAIL and MERLIN MAIL-ML Voice Messaging Systems: 1234
nPARTNER MAIL and PARTNER MAIL VS Systems: 1234
nSystem 25: systemx5
Choosing Passwords
Follow the guidelines listed below when choosing passwords.
nPasswords should be as long as allowed. See the section specific to your 
system for maximum password length information.
nPasswords should be hard to guess and should not contain:
— all the same characters (for example, 1111, xxxx)
— sequential characters (for example, 1234, abcd)
— character strings that can be associated with you or your business, 
such as your name, birthday, business name, phone number, or 
social security number
— words and commonly-used names. Many of the war dialers used by 
hackers are programmed to try all of the names from books listing 
potential baby names. In one documented case, the contents of an 
entire dictionary were used to try and crack passwords.
nPasswords should use as great a variety of characters as possible. For 
example, if both numbers and letters are permitted, the password should 
contain both.
nPasswords should be changed regularly, at least on a quarterly basis. 
Recycling old passwords is not recommended.
1. Not available in System 75 R1V1 (bcms is not available in System 75 at all.) 
						

							BCS Products
Security Handbook  
555-025-600  Issue 6
December 1997
Security Risks 
Page 2-6 Administration / Maintenance Access 
2
Increasing Adjunct Access Security
Since system adjuncts can be used to log in to otherwise “protected” systems, you 
also should secure access to the following products:
nG3 Management Applications (G3-MA)
nCSM (Centralized System Management)
nCMS (Call Management System)
nManager III/IV
nTrouble Tracker
nVMAAP
Logins and passwords should be changed and managed in the same manner as 
the system being managed (for example, the switch or the AUDIX Voice Mail 
System). See ‘‘
Administration Security’’ on page 3-47 for additional information.
Increasing Product Access (Port) Security
You need to protect your security measures from being changed by the hacker 
who gains access to the administration or maintenance ports of your customer 
premises equipment-based system or its adjuncts. See ‘‘
Logins for INADS Port’’ 
on page 3-47.
If you use PC-based emulation programs to access administration capabilities, 
never store dial-up numbers, logins, or passwords as part of an automatically 
executed script.
For greater security, you may want to purchase and use the optional Remote Port 
Security Device (RPSD). The RPSD consists of two modem-sized devices, a lock, 
installed on the receiving modem (for example, at the PBX), and a Key, which is 
placed on the originating modem (for example, at the remote administration 
terminal). The lock and key must match before a communications pathway is 
opened. Refer to Appendix G for more information.
Another area that may be vulnerable to toll fraud is the System 75 and the 
DEFINITY ECS, DEFINITY G1 and G3 (except G3r) NETCON data channel — 
the internal extension number that can be used for administration and 
maintenance access. If the NETCON data channel is not restricted, a hacker can 
do a valid transfer from the voice mail port (or other ports in the system) to the 
network extension, get dial tone, and connect to and log into the administrative 
port, bypassing any port protection device, such as an RPSD. In a modem pool or 
NETCON modem installation, this would permit a hacker to transfer to a NETCON 
extension, get data tone, and get a login prompt. In a modem pool installation, this 
would also permit the hacker to transfer out to make toll calls.
Use COR-to-COR restrictions to restrict stations from calling the NETCON so that 
only CORs allowed to access the maintenance port are able to do so. For  
						

							BCS Products
Security Handbook  
555-025-600  Issue 6
December 1997
Security Risks 
Page 2-7 General Security Measures 
2
example, if voice mail extensions have a COR of 9, and extensions assigned to 
NETCON channels have a COR of 2, ensure that COR 9 does not have access to 
COR 2. Anyone not authorized to use the NETCON channel should not be able to 
access it.
NOTE:
To determine how the NETCON channels have been assigned, use the list 
data module command. The output from this command identifies the 
modules in your system. If NETCON extensions are administered, they will 
be listed as NETCON, along with the four 3- or 4-digit extension numbers 
associated with the data channel(s).
NOTE:
NETCON extensions may also be contained in a hunt group. If list data 
module does not list the NETCON extensions, use list hunt group to see if 
the NETCON data channels are in a hunt group.
NOTE:
For verification purposes, you may also enter list data module 
, if you think you know the extension that is associated with the 
NETCON data channel. This command will list the COR, COS, Tenant 
Number, and name of the data module (for example, NETCON, TDM) 
associated with the extension you entered.
In addition, the modem port used for voice mail maintenance or administrative 
access is often a switch extension. It should be restricted in the same manner as 
the NETCON channel.
General Security Measures
General security measures can be taken systemwide to discourage unauthorized 
use.
Educating Users
Everyone in your company who uses the telephone system is responsible for 
system security. Users and attendants need to be aware of how to recognize and 
react to potential hacker activity. Informed people are more likely to cooperate 
with security measures that often make the system less flexible and more difficult 
to use.
nNever program passwords or authorization codes onto auto dial buttons. 
Display phones reveal the programmed numbers and internal abusers can 
use the auto dial buttons to originate unauthorized calls.
nDiscourage the practice of writing down passwords. If a password needs to 
be written down, keep it in a secure place and never discard it while it is 
active. 
						

							BCS Products
Security Handbook  
555-025-600  Issue 6
December 1997
Security Risks 
Page 2-8 General Security Measures 
2
nAttendants should tell their system manager if they answer a series of calls 
where there is silence on the other end or the caller hangs up.
nUsers who are assigned voice mailboxes should frequently change 
personal passwords and should not choose obvious passwords (see 
‘‘
Choosing Passwords’’ on page 2-5).
nAdvise users with special telephone privileges (such as Remote Access, 
voice mail outcalling, and call forwarding off-switch) of the potential risks 
and responsibilities.
nBe suspicious of any caller who claims to be with the telephone company 
and wants to check an outside line. Ask for a callback number, hang up, 
and confirm the caller’s identity.
nNever distribute the office telephone directory to anyone outside the 
company; be careful when discarding it.
nNever accept collect phone calls.
nNever discuss your telephone system’s numbering plan with anyone 
outside the company.
Establishing a Policy
As a safeguard against toll fraud, follow these guidelines:
nChange passwords frequently (at least quarterly). Set password expiration 
times and tell users when the changes go into effect. Changing passwords 
routinely on a specific date (such as the first of the month) helps users to 
remember to do so.
nEstablish well-controlled procedures for resetting passwords.
nLimit the number of invalid attempts to access a voice mail to five or less.
nMonitor access to the dial-up maintenance port. Change the access 
password regularly and issue it only to authorized personnel. Consider 
using the Remote Port Security Device. (Refer to Appendix G for additional 
information.)
nCreate a PBX system management policy concerning employee turnover 
and include these actions:
— Delete all unused voice mailboxes in the voice mail system. 
— If an employee is terminated, immediately delete any voice 
mailboxes belonging to that employee.
— If a terminated employee had Remote Access calling privileges and 
a personal authorization code, remove the authorization code 
immediately. 
— If barrier codes and/or authorization codes were shared by the 
terminated employee, these should be changed immediately. Notify 
the remaining users as well. 
						

							BCS Products
Security Handbook  
555-025-600  Issue 6
December 1997
Security Risks 
Page 2-9 Security Goals Tables 
2
— If the terminated employee had access to the system administration 
interface, their login ID should be removed (G3V3 or later). Any 
associated passwords should be changed immediately.
nBack up system files regularly to ensure a timely recovery should it be 
required. Schedule regular, off-site backups.
Physical Security
You should always limit access to the system console and supporting 
documentation. The following are some recommendations:
nKeep the attendant console and supporting documentation in an office that 
is secured with a changeable combination lock. Provide the combination 
only to those individuals having a real need to enter the office.
nKeep telephone wiring closets and equipment rooms locked.
nKeep telephone logs and printed reports in locations that only authorized 
personnel can enter.
nDesign distributed reports so they do not reveal password or trunk access 
code information.
Security Goals Tables
The following tables list the security goals for each communications system, and 
provide an overview of the methods and steps that are offered through the 
switches to minimize the risk of unauthorized use of the system.
nTable 2-1 on page 2-10 provides information for the DEFINITY ECS, 
DEFINITY Communications Systems, System 75, and System 85.
nTable 2-2 on page 2-13 provides information for the MERLIN II, MERLIN 
LEGEND, MERLIN Plus, and System 25 Communications Systems.
nTable 2-3 on page 2-16 provides information for the PARTNER II and 
PARTNER Plus Communications Systems. 
						

							BCS Products
Security Handbook  
555-025-600  Issue 6
December 1997
Security Risks 
Page 2-10 Security Goals Tables 
2
Table 2-1. Security Goals: DEFINITY ECS, DEFINITY Communications 
Systems, System 75 and System 85
Security Goal Method Security Tool Steps
Protect Remote 
Access featureLimit access to 
authorized usersBarrier codes Set to maximum 
length 
Set COR/COS
Authorization 
codesSet to maximum 
length 
Set FRL on COR
Use VDNs to route 
callsCall Vectoring (G2 
and G3 only)Administer Call 
Vectoring (G3 only)
Use CORs to 
restrict calling 
privileges of VDNs
Limit times when 
Remote Access is 
availableNight Service (G1, 
G2, G3, and 
System 75 only)Administer Night 
Service
Shared Trunk 
Group (System 85 
only)Assign shared 
trunk group
Suppress dial tone 
after barrier code 
enteredSuppress Remote 
Access Dial Tone 
— (G1, G3 and 
System 75 R1V3 
require the 
concurrent use of 
Authorization 
codes)Turn off dial tone 
(See Remote 
Access form)
Prevent 
unauthorized 
outgoing callsLimit calling area AAR/ARS Analysis Set FRL
Set COR
Digit Conversion 
(G1, G2, G3, and 
System 85 only)Administer digit 
conversion
Toll Analysis (G1, 
G3, and System 
75 only)Identify toll areas to 
be restricted
FRLs Limit access to 
AAR/ARS route 
patterns by setting 
to lowest possible 
value