----=[ CiSSD ]=---- is happy happy joy joy over Issue #2 of

---===[ REVIVAL ]===---

- WAR! -

=========================================================================
THE CANADIAN INTERNATIONAL SOCIETY FOR SOCIAL DEVIANCY    MAR (C) 1993/94
-------------------------------------------------------------------------

"Backstabbers. All of you are traitors..."

Well, that hurt.

For two weeks, we all ate & slept fear of Short Man's anticipated arrest. We schemed around the clock to stop it, and shamefully, we even schemed around the clock to make sure he wouldn't rat. We protected our informants, and we didn't allow ANYBODY to get in the way of our minute moral fiber that told us this arrest was wrong. I personally found it hard to believe that the local blink who gets off on telling 976 operators about his "Steel Penis" (the replacement because of his mining accident) had enough time, or reason in the world, to run up a $35000 phone bill for some PBX that isn't even in Canada.

We'd spoken about disassociating with him before. He was the cause of 911 pranks galore on our teleconferences.. he was the reason for some international tension in our hacking circles.. he could even have been the reason for an FBI investigation that brushed the livelihood out of our original 800 meridian, but he didn't understand.. and we never considered his foolish mistakes an act of war.

We liked Short Man.. despite our amazing problems with him, some might even say we loved him. But it only took one sentence to break it all down.. one person to say "don't trust them.".. one anti-CiSSD comment, to scare Short Man into submission.

Now he's busted, and we all fear prosecution. You can't trust someone who can't trust you.

- Terminator X(Ed)

WARNING: THE FOLLOWING TEXT CONTAINS MATERIAL WHICH MAY BE CONSIDERED OFFENSIVE BY SOME.
CISSD AND ITS MEMBERS BEAR NO LIABILITY ON THE PART OF THE READER. READ AT YOUR OWN RISK.

DISCLAIMER: THE INFORMATION PRESENTED IN THE FOLLOWING TEXT IS NOT INTENDED TO BE USED FOR PURPOSES CONTRARY TO LAWS IN THE COUNTRY WHERE THE READER RESIDES. DUE TO AN INTERNATIONAL DISTRIBUTION, OUR CHOSEN TOPICS WILL PROVIDE INFORMATION THAT COULD POTENTIALLY BE USED FOR PURPOSES ILLEGITIMATE IN NATURE. CISSD, AND ITS MEMBERS THEREFORE, BEAR NO RESPONSIBILITY FOR THE ACTIONS OF THE READER, BE THEY A DIRECT, OR INDIRECT RESULT OF READING THE FOLLOWING TEXT.

NOTE: BY READING BEYOND THIS POINT, YOU ARE AGREEING TO THE CONDITIONS IN THE ABOVE WARNING, AND DISCLAIMER.

BTW, it should be noted that this file was, for the most part, written in Canada; a country where freedom of expression's existence is limited not only by public outcry, but also by conflicting government legislation. CiSSD will not hesitate to challenge the conflicting laws should any legal action occur as a result of our controversial publication.

---

"We seem to be totally defenseless against these people. We have repeatedly rebuilt system after system and finally management has told the system support group to ignore the problem. As a good network citizen, I want to make sure someone at network security knows that we are being raped in broad daylight. These people freely walk into our systems and are taking restricted, confidential and proprietary information."
- Digital Employee

---

TABLE OF CONTENTS

ITEM                                                            CONTRIBUTOR(S)
====                                                            ==============
Editorial                                                       Terminator X
Warning, Disclaimer                                             --
Table of Contents                                               --
[CiSSD] News and Natterings                                     The Dope Man
[CiSSD] Meetings & Materials                                    Terminator X
Bell Canada's Intent Towards Hackers                            The Dictator
Save The Scene!                                                 The Dope Man
Revival Discussion, From The Readers                            [Echo Of The Damned]
Abuse in the Home and School                                    Terminator X
Free Calls, Third Billing                                       Terminator X
Feature - 'All Systems Secure'
  : DDN Security Management Procedures for Host Administrators  Lister
  : Canadian Telecom Safety Checklist                           The Dope Man
News Bytes (and usually bites too)
  : Phone fraud bill $100 million                               Lister
  : Bell anxious to compete in cable, other markets             Terminator X
  : $200M plea in TV battle                                     Terminator X
Erratum - Corrections from last issue                           Terminator X
CiSSD Membership Information                                    Terminator X
Last Words From the Editor                                      Terminator X

119895 ]-[bytes]-------------------------------------------[lines]-[ 3307

---

"A sudden hot sweat had broken out all over Winston's body. His face remained completely inscrutable. Never show dismay! Never show resentment! A single flicker of the eyes could give you away."
- George Orwell, Nineteen Eighty Four

---

[CiSSD] NEWS AND NATTERINGS                                     The Dope Man

NEW MEMBERS

Well, it's been a long 3 months since the last issue of REVIVAL, and a lot has gone on in this time. Apart from the misunderstanding with Zencor, DNR on a few lines and other such news (which is common to all area codes), CiSSD has acquired a few new members.

As director of the group, it is my privilege to welcome our two newest members, The Dictator and Hypnotech. We at CiSSD are confident we have made good decisions... Both will make submissions to REVIVAL and we are confident that good choices have been made in both cases.

If YOU feel you might have what it takes to be a CiSSD member, then let us know! Our phone number appears at the bottom of this text, so give us a call. Remember, you don't have to be a Phreak or Hacker to become a member. CiSSD has many legitimate interests, and talented applicants may apply.

LAMERS OF THE MONTH

Short Man
    You've been singing too much Snow to have turned Informer.
Viral Infector
    Didn't your mom tell you to think before you open your mouth? We're waiting for your apology.

Napoleon
    You used Hypnotech to keep your wannabe Kode KiDDie virus group alive. Then you had the nerve to tell him you didn't need his service any longer. Where are you and your group now?

Silver Foxx
    You are a moron.. never change the password on an admin box! You got our 800 taken down 'cause of your stupid ass power trip. Look at all the power you've been left with now!

KLM Computers
    For being wit' Evan Towle, so to speak. Just as a little reminder, Evan Towle put our legitimate business practice under, by propagating slanderous misinformation about our product sources.. watch out for Evan's under-the-counter deals..

It's people like this that kill the scene. Why are they allowed to exist until shit jumps off? It's inevitable, yet we wait for it to happen.... We seek to discipline rather than prevent. It isn't working. Bruce Sterling said something at the end of "The Hacker Crackdown" that fits rather well, "It is the end of the amateurs." It's both true and necessary. The lame jeopardize our existence. I don't suggest not letting people learn, everyone must have a "lame" period of knowing little, but more that those with lame attitudes must be dealt with in some way. They jeopardize everything, yet can we censor just as the government does? What do we sacrifice? Do we go down with our morals intact? Or make a trade-off? It's a decision that must be made for each individual, yet an issue that must be dealt with immediately.

---

[CiSSD] MEETINGS & MATERIALS                                    Terminator X

CiSSD will hold monthly formal meetings for members, and informal meetings for members and non-members alike. At current, CiSSD public meetings only take place in Toronto.

At current, we are planning a CiSSD public meeting at the Renaissance Hotel in Downtown Toronto, Ontario, on Sunday April 18 1993.
Dress will be casual, and topics discussed open to suggestion, as well as a fixed political agenda. Plans are currently tentative. For confirmation of this meeting, dial +1 416 417 0214. If you plan to attend, please leave a message, so we have an idea of how many to expect. Public meetings are new for us, and positive response can make them happen on an ongoing basis.

Date:    Sunday April 18, 1993
Time:    x:00 XX EST
Place:   Renaissance Hotel Lobby Downtown
City:    Toronto, Ontario -- CANADA
Agenda:  Group Membership Recruits and New Members Introductions
       : Hacking ethic.. Whose gain, whose loss?
       : General discussion, news discussion..
       : Hacking info
       : Pizza or McDonalds
Info:    +1 (416) 417 0214

CiSSD promotional material will be available soon. T-Shirts, Sweat-Shirts, bearing the CiSSD logo will find a home in your home, if you let them. As info becomes available it will be released on our hotline; +1 (416) 417 0214.

---

"Some of the devices used to best the computer are engagingly simple -- as in the case of a young man who, obviously knowing something about the ways of computers, applied for and received a twelve-month installment loan from a New York bank. On receiving from the bank, together with the loan, the book of computer coded coupons he was supposed to send in with his monthly payments, he tore out the last payment coupon in the book instead of the first and sent it into the bank along with one month's payment. He then received a computer-generated letter from the bank thanking him effusively for paying off his loan so promptly and assuring him of his excellent credit standing. The young man didn't exactly steal from the bank -- he just left it up to the computer to make the next move."
- Thomas Whiteside, Computer Capers

---

BELL CANADA'S INTENT TOWARDS HACKERS                            The Dictator

In a conversation I had recently with two internal members of Bell Canada, I was privileged to learn that Bell "Frankly doesn't even recognise a problem of system hackers and Long-Distance Phreakers, apart from calling-card fraud."

It seems as though Bell Canada (who incidentally profited in excess of $950 Million last year) doesn't find everyday phreaks a problem, even going so far as to call 416 686-5890 a 'Fluke'. "The [Bell] Hierarchy is too short-sighted to realize that there is definitely the potential for repeated hacking of PBX's, seeing how their population has grown to over 1000 in the metro area alone," said one Bell official.

This attitude seems to hold for other segments of H/P/V as well. "We don't even want to catch the hacker," said a Bell investigations officer, "We just want to find out how, and more importantly, why they hack." Bell believes Hackers to be nothing more than bacteria on the phone trunks.

Bell Canada does not intend to alter service any further to deal with hackers, and believes overseas billing via payphones will be reinstated before 1994. Also, they have no intentions to stop third-billing overseas from Non-Millennium (Digital) Payphones. "We can see no purpose in affecting our customers' service any further."

When it comes to Cam-Net, Unitel, UTI and others' hacking problems, a Bell official simply stated that "They should get used to it. This is the real world. If you can't foresee hacking of your services, you shouldn't be offering them."

It should also be noted that Bell wished no part of Short-Man's trial. "Why should we get involved? He's just the scum hackers scrape off of their shoes in the morning. Nothing would be gained by prosecuting him. Besides, amassing the evidence would be more expensive than what we could possibly hope to charge him with," was the response of a Bell investigations officer.
With all this, Bell still intends to go ahead with their 800-Dialup service which will allow you to third-bill to any number, regardless of whether the number accepts the charges or not, by simply offering your Visa or MC number in case the charges are reversed. "We have no intention of offering a credit-card dialing service," stated one Bell official, "But we believe that this service will be beneficial to our customers, as well as successfully deterring hackers."

All in all, Bell still seems uptight in believing that they can't be hacked into for any significant sum of money. That would seem to leave most of us in 416 safe for the time being.

---

"Why should we get involved? He's just the scum hackers scrape off their shoes in the morning. Nothing would be gained by prosecuting him. Besides, amassing the evidence would be more expensive than what we could possibly hope to charge him with,"
- Bell Investigations Officer

---

SAVE THE SCENE!                                                 The Dope Man

The computer underground is in a time of crisis. Ten years ago, being a hacker was an ideal, something that every kid who ever watched War Games wanted to do, but couldn't. Back then, the scene was tiny and efficient and busts were scarce.

However, in 1993 things have changed. In fact, one can hardly recognize the underground. Busts are commonplace and even the average person with a modem can access deviancy text files. However, these developments pale in comparison with the one true issue, the one thing that will be the end of it all. Hackers are no longer the good guys.

Over the last few years tens of millions of dollars have been lost worldwide due to the underground. Much of this figure is theoretical loss, money that was never taken, but is rather the loss of projected profit. The unfortunate thing is that the public does not differentiate between these two types of loss. The media says "Teenage hacker steals $100 000 in phone service" and it is accepted by the masses without question.
And why should they question? The corporations and the police give the media the information for their articles. Their motives for this are plain. These institutions do not benefit from public sympathy for hackers, and they have both realized the problem, and how to solve it.

The media can only print what they are told. Thus, we have the articles that condemn even 13-year-old phreaks as organized criminals. There is no mention of the morality of phreaking, or Bell's over-pricing. Just a simple article reporting on a criminal. Or, even better, as is the current trend, feature articles on the underground (which describe all of the anarchy files, but none of the ethics). The media, the government, the police, the corporations - All have it in for the scene, and they seem to be winning.

All is not lost, however. The Underground in its inflated size spans the world, and encompasses many thousands of people. It may generally be said that members of the hack and phreak communities tend to be of an intelligent stock. Thus, we find our solution. They give us bad media, we give ourselves good media. It's easy to do, and it works.

- Letters to the editor of papers explaining the morals behind the boy they call a crook.
- Calling in to "answering machines" for radio shows.
- Phone-ins on the radio
- Call your local paper and tell them you will give them the inside scoop on the computer underground, and guide them through, showing the positive sides.

All of these activities are relatively easy, none are major projects. However, on a massive scale, they will make a difference. The difference between the life and death of the computer underground scene - something none of us want to see in our lifetimes. Police busts become less frequent when the public disagrees (and you don't want to be busted now do you?), and certainly hackers are treated better by police officers who feel they are arresting a "nice kid who just fools around on his computer too much".
Cops want to arrest crooks; not kids. Society wants cops to bust crooks; not kids. Crook is relative to the morals of the masses. You and I can change these morals, reverse the damage, save our place in Cyberspace. But I need your help, and you need mine. If we all work together, the momentum of the movement will be unstoppable. We will win - but we must care enough to try.

---

She's always miserable.. rather incomprehensible, and makes no effort whatsoever to be sociable, but at least no one will ever rob her of her happiness.

---

REVIVAL DISCUSSION, FROM THE READERS                            [Echo Of The Damned] Postings

In the future, this column will be used for reader responses to past issues of REVIVAL. To become involved in this column, apply to any BBS system worldwide, supporting the Echo of The Damned network, and post in the 'REVIVAL! Discussion' base.

All CiSSD HQ boards carry Echo of The Damned, and Echo of The Damned hubs will also be granted to the most deserving applicant in any given service area, and hubs will be responsible for activity within their own area code. To apply as an Echo of The Damned hub, call CiSSD WHQ, The Downtown Militarized Zone. To apply as a node, post to 'The Dope Man' or your area hub Sysop, from any Echo of The Damned system.

- Terminator X(Ed)

---

CRIME, krim, n. an act punishable by law; such acts collectively: an offence, sin.

---

ABUSE IN THE HOME AND SCHOOL                                    Terminator X

It's a crying shame, believe it or not, that 20 - 30% of children are abused in their own homes, and a far larger number are abused in their schools. I speak not of cuts and bruises, nor broken teeth and broken bones, but rather, of a much more lasting pain; that of mental abuse. The offenders; Parents, teachers, and administrators. The victims; our future -- the youth of today.

The figure is staggering.
It is also very approximate, but before you dismiss it, consider the following: What outlet does a child who feels neglected, or maltreated, have in order to relieve the pain and suffering.. or the feeling of aloneness? Who is it that sets guidelines, and shows children where to go when they are hurting? When you were growing up, or if you still are, who did you go to when you had a problem you couldn't deal with? Your parents, the abusers? Your best friend.. what if you couldn't see your friend, or talk to him/her? How would you feel? Suppressed?

Sadly enough, children who are abused usually have a distinct inner feeling that the abuser is right, and they are wrong. In an interview with a young abused girl, she said she thought that maybe her parents would be less abusive if she followed the rules. When asked what rules she broke, she responded, "Sometimes, I don't clean up my room." She said, "I've never been grounded for more than 2 months, although, even when I'm not officially [grounded], I can't go out, because I'll get yelled at when I get home.

"My mom hasn't beat me since I was eight." She is sixteen now. Her father spends most of his time fighting with her mother, which used to tear her apart. "I'm used to it. Sometimes I just yell randomly in the middle of an argument, and then laugh riotously! It's the best entertainment I get." She added, "TV has lost its edge. I'm sick of it. I could do without it."

"Sex is the best. It's the only escape from the constant screaming," she said when asked what she does to relax. She has been on birth control pills since the age of fourteen, and often has intercourse without the use of latex protection. "I hope I get AIDS and die," she chuckled.

Abuse in the school is also from neglect. Since the advent of the school designed for mass indoctrination (a.k.a.
'public school system'), administration has become so impersonal that matters of psychological difficulty caused by neglect at home are treated as disciplinary problems. The victims are treated as 'delinquents'. They are demitted, and eventually become unemployable. Favorite phrases of administrators include "I don't want to know" and "only you caused this situation."

We should work to have the school problem solved. The board of education for your area should be encouraged to hire guidance officials with psychology experience. Problems of attendance and deteriorating work habits should always be approached with the idea that mental problems due to excessive stress in everyday life, or abuse, could be the underlying reason for substandard achievement.

Parental expectations need to be lowered to attainable levels. Not every child has the capability to perform straight 'A's in all of their subjects. Not every child has the will, and not every child has the desire.

In Canada, there are laws against mental abuse, but there is no sufficient platform for enforcement of these laws by the children who are most hurt by the cruelty of their 'superiors'.

When asked why disciplinary action for attendance and smoking was so severe at Thornhill Secondary School, a Vice Principal responded "These kids simply need to follow the rules. If they can't do it, then they deal with the consequences. It's not my job to oversee how they live at home."

Whose job is it?

---

FREE CALLS, THIRD BILLING                                       Terminator X

In the (416) area code, it has become common practice for many phreaks to third bill telephone calls to illegally obtained Voice Mail Box systems. Recently, however, phreaks are noticing it to be increasingly difficult to third bill to these boxes.. and they can also no longer have their boxes accept collect calls.

The reason for this is DMS number blocking. The switch can be programmed to automatically reject third bill and collect calls placed to a block of numbers.
The system administrator for the company owning the VMB exchange calls up, and has the phone company, Bell Canada in our case, install a number screen on the VMB exchange.

DMS number blocking has one significant flaw. It is only capable of placing a screen on number blocks of 1000 or more. If you are aware of any VMB exchanges containing 900 or less VMB's, not only does the company not have blocking, but cannot obtain blocking to prevent you from third billing.

Another interesting footnote regarding third billing in the (416) area is that Bell Mobility Cellular has opted for the time being not to block their exchanges.. if you can hack Bell's, then that's the way to go.. not that I support any of this at all. Seriously! Other than emergency situations, third billing illegitimately provides nothing but a sure-fire way to get caught.

Finally, it might be noted that Bell Mobility has experienced approximately $20000 of similar fraud every month since this flaw was uncovered.. That only includes that which DOES get caught. Those who don't get caught are stealthier.. they spread it around.. and any customer without detailed billing pays the bill without question.. they really don't know if they used $500 of phone time this month.. how could they?

- Terminator X

---

FEATURE: ALL SYSTEMS SECURE                                     Lister - The Dope Man

This month, CiSSD's independent researchers went off to look for articles and we came up with a consensus on a single topic.. systems security. In addition to the other topics this month, we decided to publish a few of the documents they found in our feature this issue, 'All Systems Secure'.

Sourced by: Lister
Topic:      DDN Security Management Procedures for Host Administrators
          : Volume I of II
Length:     74.7KB

Begin ---*

VOLUME I

1. Purpose. This Circular is the first of two volumes describing security management procedures for the Defense Data Network (DDN).
Volume I provides operational security guidance for the DDN and describes the Host Administrator's management responsibilities. It is based on review of Government and industry documents on the DDN, local area networks, and computer security. Volume I establishes methods and procedures for detecting and reporting unauthorized activity. It describes the resources and tools available to the Host Administrator for investigating local incidents. Additionally, it discusses the procedures and tools needed for reporting network related incidents to the DDN Network Security Officer (NSO). Volume II prescribes the policy for enforcing network operational security and describes the management responsibilities of the DDN Network Security Officer (NSO). Volume II will receive limited distribution.

2. Applicability. This Circular applies to DCA Headquarters, DCA field activities, and Government and commercial activities using or managing the operation of the DDN.

3. Policy. DCA continually strives to improve its resources for providing a reasonable level of security for the DDN. These resources include the network access control system and its audit trail analysis capabilities for detecting unauthorized and illegal network activities. These detection and audit capabilities will be used to identify and prosecute unauthorized individuals who access or attempt to access databases or system software of host computers connected to the DDN. In addition, DCA has created the DDN Security Coordination Center (SCC) to gather information regarding DDN security problems and to disseminate problem definition, status, and resolution information under the direction of the NSO. These resources and tools alone are not sufficient.
Site personnel such as the Host Administrators need to assume an active role and assure their constituents and the DDN that they are providing for a reasonable level of protection of the network and computing resources under their jurisdiction. Host Administrators are required to report suspicious activities to their network manager. Formal investigations of unauthorized or illegal activities occurring on the DDN must be coordinated with the DDN Network Security Officer. Individuals suspected of unauthorized access or use of host computers over the DDN will be subject to prosecution under Title 18 of the Federal Criminal Code.

OPR: DODM
Distribution: B,J,Special
DCAC 310-P115-1

4. Procedures. Chapters 4 and 5 describe the procedures for performing the security functions of the Host Administrator.

5. Responsibilities. Chapter 1 describes the responsibilities of the Host Administrator in performing the security functions.

6. Related Documents. The following documents are recommended reference materials to supplement this document.

a. DoD Directive 5200.28, Security Requirements for Automated Information Systems (AISs), dated 21 March 1988.

b. DCAI 630-230-19, Security Requirements for Automated Information Systems (draft), dated 18 October 1990.

c. Defense Data Network Subscriber Guide to Security Services 1986-1992 (includes the DDN Security Classification Guide at Appendix I).

d. Internet Site Security Policy Handbook (Internet Draft). This document can be obtained by contacting the Network Information Center (NIC), SRI International, 333 Ravenswood Ave., Menlo Park, CA 94025.

e. Computer Security Center (CSC-STD-002-85), Department of Defense Password Management Guideline, aka "The Green Book", dated 12 April 1985.

FOR THE DIRECTOR:

EDWARD J. HENDERSON, JR.
Colonel, USAF
Chief of Staff

CONTENTS

BASIC CIRCULAR

   1. Purpose
   2. Applicability
   3. Policy
   4. Procedures
   5. Responsibilities
   6. Related Documents
   Illustrations
   Glossary of Terms and Definitions

VOLUME I. DDN SECURITY MANAGEMENT PROCEDURES FOR HOST ADMINISTRATORS

Chapter 1. INTRODUCTION
   1. The DDN Security Resources
   2. Responsibilities of the Host Administrator
   3. Responsibilities of Other Site Representatives

Chapter 2. THE DDN SECURITY PROBLEM
   1. General
   2. Attack Points
   3. Categories of Network Abusers
   4. Common Penetration Techniques
   5. Necessary Precautions

Chapter 3. NETWORK ACCESS SECURITY
   1. General
   2. TAC Access Control System (TACACS)

Chapter 4. OPERATIONAL SECURITY MANAGEMENT OF UNCLASSIFIED NETS
   1. General
   2. Access Vulnerability
   3. Risk Assessment
   4. Security Policies and Procedures
   5. Education Program

Chapter 5. OPERATIONAL SECURITY MANAGEMENT OF CLASSIFIED NETS
   1. General
   2. Limited Terminal Access Controls
   3. Closed Community Characteristics
   4. Security Awareness

Chapter 6. DETECTION OF UNAUTHORIZED HOST ACCESS
   1. General
   2. Detection Training
   3. Logging Events
   4. Peculiar Behavior
   5. Legal Recourse
   6. Prosecution as a Deterrent
   7. Incident Reporting by Subscriber
   8. Contacts
   9. What Information To Report
   10. Follow-up Information

Chapter 7. TOOLS FOR INVESTIGATING INCIDENTS AT THE HOST LEVEL
   1. General
   2. Host System Logs
   3. Other Tools
   4. TACACS Reports

Chapter 8. SUMMARY
   1. Penetration Techniques
   2. Other Topics

ILLUSTRATIONS

Table 1  Vulnerability Analysis/Operations Management and Processing
Table 2  Vulnerability Analysis/Communications
Table 3  Vulnerability Analysis/Disasters
Table 4  Vulnerability Analysis/Personnel
Table 5  Vulnerability Analysis/Training
Table 6  Vulnerability Analysis/People Errors and Omissions
Table 7  Tabulation of Vulnerability Analysis/Self-Assessment Results

GLOSSARY OF TERMS AND DEFINITIONS

ADP      Automatic Data Processing.
CERT     Computer Emergency Response Team.
DCA      Defense Communications Agency.
DCS      Defense Communications System.
FBI      Federal Bureau of Investigation.
HOTLIST  A list of all TAC user identifications which have been stolen, have expired or which otherwise have been compromised.
IPTO     Information Processing Techniques Office.
LAN      Local Area Network.
MILNET   Military Network.
NAURS    Network Auditing and Usage Reporting System.
NIC      Network Information Center.
NSO      Network Security Officer. Focal point for network related operational security matters.
OSI      Office of Special Investigations.
SCC      DDN Security Coordination Center.
TAC      Terminal Access Controller. C/30 computer that connects end user terminals to the network and provides an interface to the DDN. In this document it also refers to a miniTAC which serves the same function as a TAC.
TACACS   TAC Access Control System. A system that controls terminal access to the MILNET.
TACACS GUEST CARDS  A temporary TACACS card given to a user who does not have TACACS privileges but temporarily needs them. A guest TACACS card may also be given to an authorized new user who has not yet received a UID or password.
TAC CARD  A card authorizing the user TAC Access to the MILNET.
TAC PORT  Point where an end user terminal or modem is connected to the TAC.
TASO      Terminal Area Security Officer. Responsible for enforcing all security requirements implemented by the NSO for remote terminal areas. Also responsible for ensuring that all countermeasures required to protect the remote areas are in place.
UID       User Identification.
WIN       WWMCCS Intercomputer Network.
WWMCCS    Worldwide Military Command and Control System.

CHAPTER 1. INTRODUCTION

1. The DDN Security Resources. This Circular is intended to provide Host Administrators a set of security guidelines to operate on the Defense Data Network (DDN). This Circular will assist you in maintaining the security of your local host computer site, as well as the overall DDN. It does not in any way supersede any current Service Regulations or Procedures governing the security of ADP facilities not related to the DDN. This Chapter provides you with a definition of your security responsibilities as a Host Administrator. You must have contact with certain offices to fulfill these responsibilities. The duties of these offices are discussed here to assist you in understanding their missions.

a. DDN NSO (Network Security Officer). The DDN NSO is the single point of contact for dealing with network-related operational security issues. The DDN NSO also implements applicable policies included in DCAI 630-230-19, Security Requirements for Automated Information Systems. The NSO recommends security policy affecting the DDN and is responsible for its general enforcement.
The NSO also works closely with Host Administrators to resolve network and related computer security problems and incidents affecting their sites.

b. Host_Administrator. A Host Administrator is the person who has administrative responsibility for the policies, practices, and concerns of a host, or hosts, connected to the DDN, including responsibility for that host's DDN users. Specifically, the Host Administrator is responsible for the following activities:

   (1) Assisting with network management by ensuring that network policies and procedures are observed by the users. Locally administering the TAC access control system (TACACS), ensuring that all of their host users have been authorized for DDN and TAC access and are registered in the NIC user registration database (WHOIS/NICNAME).

   (2) Locally managing the network access control procedures and password system. Reporting network-related host break-ins and assisting with investigations as needed.

c. NSC_(Node_Site_Coordinator). The NSC has physical control over hardware and software, and coordination responsibility for the DDN circuits and equipment located at the DDN node site.

d. NIC_(Network_Information_Center). The NIC registers all users in the WHOIS/NICNAME database and operates the Network Auditing and Usage Reporting System (NAURS) computer system that produces the MILNET TACACS audit and incident reports. Call (800) 235-3155 for more information.

e. DDN_SCC_(Security_Coordination_Center). The SCC gathers information about DDN computer and network security incidents and works closely with the NSO to disseminate the information necessary to contain, control, and resolve these problems mainly through the DDN Security Bulletins. The hotline number is (800) 235-3155.

f. CERT_(Computer_Emergency_Response_Team). The CERT gathers and distributes information about Internet security incidents. They work closely with the NSO and SCC on DDN-related security problems.
The hotline number is (412) 268-7090.

2. Responsibilities_of_the_Host_Administrator. Host administrators have the overall responsibility to provide a reasonable level of protection to host sites from the possibility of network compromises. They must act as liaisons with the NSO, SCC, vendors, law enforcement bodies, and other appropriate agencies to resolve any outstanding security problems and prevent their future recurrence. They are responsible for the enforcement of DDN policy at their site. Because information acquisition and distribution is such a vital part of the responsibility of the Host Administrator, the use of electronic mail is a basic tool to support this function and should be used whenever possible. Not all Host Administrators have access to this valuable tool, but given its value, these sites are strongly encouraged to implement this capability.

3. Responsibilities_of_Other_Site_Representatives. There are several other levels of responsibilities for the provision of security for the DDN. At the most basic level, the individual users should take the necessary precautions to minimize the chances that their accounts could be compromised. They bear the primary responsibility for the protection of their information. If users took this responsibility seriously and acted accordingly, the majority of computer incidents could not occur. System managers have the responsibility to maintain the resources and procedures to establish an environment for "safe" computing (e.g., implementing procedures for proper installation and testing of system software, adequate backups, and reasonable system monitoring). Vendors have the responsibility to notify their customers of problems with their software (especially problems which could compromise system security) and to distribute timely fixes.

CHAPTER 2. THE DDN SECURITY PROBLEM

1. General.

a.
A computer network is a telecommunications system primarily designed to allow a number of independent devices (i.e., host computers, workstations, terminals, or peripherals) to communicate with each other. Essentially, the DDN is a worldwide collection of computer networks. As the DDN expands its capabilities and resources, and as more constituents gain DDN access, the risk increases to the overall security of the information and data flowing in the network. Therefore, a major concern is that security problems will rise in response to this expansion. Additionally, the possibility of espionage activity also increases as the network gets larger.

b. On November 2, 1988, Robert Tappan Morris, Jr., drastically changed the attitude of network users and administrators regarding network and computer security problems. He unleashed his infamous Internet Worm which afflicted over 6,000 MILNET and other Internet hosts. The incident caused a fair amount of panic because most of the sites were ill-prepared for such a massive scale of intrusions. It was fortunate that, due to a miscalculation, the attack was unrestrained. In its original manifestation, Morris' Worm might have gone undetected at many sites. The main lesson to be learned from that incident is that everyone connected with the use of network and computing facilities must always take into account the vulnerabilities of network resources to compromise or attack.

2. Attack_Points. The DDN security problem is defined as the accidental or intentional disclosure, destruction, or modification of information flowing or accessed through the DDN. Potential points of attack include terminal-to-network interface connections, terminal-to-terminal interface connections, terminal-to-host interface connections, and interfaces or circuits themselves.

3. Categories_of_Network_Abusers. Identifying the security problem or threat is a key element in determining security risks.
Consider the fundamental characteristics of the threats to your assets before you worry about specific techniques (to be discussed in the following section). For example:

a. Unauthorized access by persons or programs which amounts to the use of any network or computer resource without prior permission. Such unauthorized access may open the door to other security threats including the use of your facility to access other sites on a network.

b. Disclosure or corruption of information. Depending on the sensitivity of the information, disclosure without modification may have more damaging consequences if the event goes unnoticed.

c. Denial of service which prevents users from performing their work. In fact, an entire network may be made unusable by a rogue packet, jamming, or by a disabled network component.

(The Morris Worm contained all of these characteristics. If you have considered options to address these general characteristics, you may be well-equipped to handle variations of historic penetration strategies that may evolve in the future.)

4. Common_Penetration_Techniques. In evaluating the security relationships between the security of your host computer and the DDN, you may wish to consider the following penetration techniques. These are methods that may be used to penetrate your computers. Therefore, you must take precautions to prevent the possible success of these types of attacks. Several techniques exist to aid in the unauthorized access to computer system components. These techniques are closely associated with a system's vulnerabilities. Therefore, their successful application first requires identifying a system's vulnerabilities. Through analyzing a system's protection mechanisms (or lack thereof), how they function, and their deficiencies, consideration can be given to how such mechanisms can be circumvented, nullified, or deceived.
Many of these techniques can be categorized by the types of activity they involve and the system vulnerabilities they exploit. A particular type of technique may be used to exploit more than one vulnerability, and a vulnerability may be exploited by more than one technique. Some techniques leave signatures (i.e., traces of their utilization), others do not. Such signatures, their detection, and analysis are fundamental to threat monitoring and security auditing.

a. Browsing. An individual gains unauthorized access to a user's files by exploiting the vulnerability of a file access authorization mechanism in the operating system. "Browsing" requires knowledge of file names and use of a program, and it characteristically includes the following operations:

   (1) User's program A references a file not authorized for such use.

   (2) The operating system does not check the activity and permits access.

   (3) Program A gains access to the file, reads it, and formats it for printout, or deposits it into a local file under the penetrator's control.

Unauthorized system users (if they know all the file names in a system) can use this technique numerous times to browse through all the files looking for classified or sensitive information. This is not generally possible, however, when files are protected by passwords.

b. Masquerading. Gaining unauthorized access to a system component by assuming the identity of another authorized user is called "masquerading". Success of this technique stems from a computer system having no means of establishing a user's identity other than through symbolic identifiers. The easiest method of masquerading is to obtain the password and other identifiers of an authorized user from some report or document that was carelessly left exposed. This situation is most likely to occur in installations that support remote terminals where no option exists to have such identifiers suppressed by the terminal during the SIGN-ON procedure.
Even when a suppression capability is provided by the terminal that overtypes any such identifiers before or after their printing, they can still possibly be discerned. A more sophisticated technique for gaining access to an authorized user's identifiers is to wiretap the terminal and intercept the identifiers when they are transmitted in the clear over communication lines.

c. Scavenging. This penetration technique exploits the vulnerability of unerased residual data. Both primary and secondary storage media used for processing sensitive information may continue to retain that information after they have been released for reallocation to another use. The latter may then "scavenge" the information by reading the storage media before making any other use of it.

d. Unknown_System-State_Exploitation. This method takes advantage of certain conditions that occur after a partial or total system crash. For example, some user files may remain open without an "end-of-file" indication. The user can then obtain unauthorized access to other files by reading beyond that indicator when the system resumes operation.

e. Asynchronous_Interrupt. This technique exploits system vulnerabilities arising from deficiencies in the interrupt management facilities of an operating system. If a processor suspends execution of a protection mechanism to process an interrupt and is then erroneously returned to a user program without completing the security check then the protection has been circumvented.

f. Spoofing. Spoofing exploits the inability of a system's remote terminal users to verify that at any given time they are actually communicating with the intended system rather than some masquerading system. This deception, also known as a "Mockingbird Attack," can be perpetrated by intercepting the terminal's communication lines and providing system-like responses to the user.
A variation of spoofing is the use of an application program to provide responses similar to the operating system, so the operator will unknowingly provide the passwords to an applications program and not to the operating system.

g. Trojan_Horse. In this technique computer processing is covertly altered by either modifying existing program instructions or inserting new instructions. Once this has been accomplished, whenever the altered processes are used the perpetrator will automatically benefit from unauthorized functions performed in addition to the routine output. This modification is usually done by hiding secret instructions in either the original source-code or the machine-code version of a lengthy program. An even harder to detect method would be to alter the operating and utility system programs so that they make only temporary changes in the target program as it is executing. The hardware version of the Trojan Horse technique is relatively rare. However, the replacement of valid micro-chips with slightly altered counterfeit chips is entirely possible and would be very hard to detect. In either the software or hardware Trojan Horse method, only someone with access to a program or the computer system could become a perpetrator.

h. Clandestine_Machine_Code_Change. This technique is closely related to the Trojan Horse technique. This method allows system programmers to insert code into the system that creates trapdoors. At specific times based on certain combinations, these trapdoors can be activated by a user from the user's program. Individuals who initially design the system, contract maintenance personnel who fix the system, or people who are able to gain access to the supervisory state also have this opportunity. The technique could be as simple as users stealing job card information on work that has already gone through the system. They then resubmit this information to the system on their own job card along with another program.
This particular job may have dealt with sensitive data and therefore a security violation would have occurred.

5. Necessary_Precautions. The aforementioned techniques are only a few ways that unauthorized access or usage of your host computer system may be obtained. You must enforce proper access control on remote terminals to prevent unauthorized personnel from abusing unattended terminals used for input or data modification. You must also emphasize the physical protection of the terminal and the administration and control of password access and use. Terminal users must be instructed on the importance of protecting their user identification (UID)/password.

CHAPTER 3. NETWORK ACCESS SECURITY

1. General. Access control is the primary method of providing protection from unauthorized access into the DDN. There are two basic kinds of access control systems -- those that detect intrusion and those that stop an intruder from gaining access to the network. Both intrusion detection and network access control are functions of the TAC Access Control System (TACACS) which monitors terminal network access. The security of both the network and connected hosts is greatly enhanced if the Host Administrator can provide local security systems which can complement the TACACS. Possibilities include installing security systems which limit physical access to terminals connected to their hosts. Another weak link in the security chain is dial-up access and host-to-host connections (not under TACACS control). There is a great need to establish some manner of access control with auditing capabilities to cover these situations.

2. TAC_Access_Control_System_(TACACS). This section on TACACS is provided to inform you of the tracking capability that exists if your computer terminal is connected to a Terminal Access Controller (TAC). The information obtained by the TACACS will be quite useful in enforcing proper access control for those users entering the MILNET through TACs.
TACACS uses a login procedure to control access to MILNET. When a MILNET user attempts to open a connection to a host, the TAC prompts for the user's TAC user ID and access code. TACACS is automatically monitored; a variety of reports are available for use by the NSO.

a. User_Registration. DCA's Data Network Operations Division establishes policy for the MILNET and administers the MILNET TAC access and control system through the Network Information Center (NIC). TACs are used on MILNET to provide controlled network access to most locations. The Host Administrator is responsible for registering all users of their hosts who have network access and who have been authorized for MILNET TAC access through MILNET TACS. All of those users must be registered and given TAC access cards by the NIC. The access cards are valid for one year at which time the TAC User must request a renewal from the Host Administrator. If a password is compromised, the UID/password can be invalidated (hotlisted).

b. Guest_Accounts. A limited number of temporary guest cards are available for distribution by each Host Administrator on MILNET. These cards have a limited lifetime and are not for permanent use. They are for users without TACACS privileges who temporarily need network access, or for new users at startup time before they receive their own UID and password.

c. WHOIS/NICNAME_Database. Every request to authorize a new TAC user or renew an existing TAC user must come from a MILNET Host Administrator. Information about authorized users is kept in the WHOIS/NICNAME database on a host at the NIC. Host Administrators can request information on authorized TAC users that are changed or deleted from the database. The WHOIS/NICNAME database can be accessed by anyone on the MILNET but can be changed only by operators at the NIC.

CHAPTER 4. OPERATIONAL SECURITY MANAGEMENT OF UNCLASSIFIED NETS

1. General.

a.
This Chapter provides operational guidance on security management of an unclassified network. Chapter 5 provides guidance for operating on a classified net. The potential exists for authorized and unauthorized users to conduct illegal activities on shared communications networks such as the DDN. Network abusers fall into three categories:

   (1) A person sponsored and authorized on the DDN who engages in an unauthorized activity.

   (2) A person accessing the network illegally.

   (3) A person with access to a host system who need not log-in through a TAC and engages in unauthorized activity.

b. While your individual databases may be unclassified, compiling large amounts of unclassified data may result in the creation of sensitive information. [SENSITIVE UNCLASSIFIED INFORMATION is defined as any information the loss, misuse, or unauthorized access to, or modification of which adversely might affect U.S. national interest, the conduct of DoD programs, or the privacy of DoD personnel (e.g., FOIA exempt information and information whose distribution is limited by DoD Directive 5230.24.)] Network security can only be as effective as what the local Host Administrator/ADP system security officer does to enforce strict access control procedures. Network security is a principal responsibility of Host Administrators.

c. You may wish to investigate additional authentication systems to protect local computing assets (i.e., systems such as smart cards or Kerberos, developed at MIT. This is a collection of software used in a network to establish a user's claimed identity and to control access to a large number of interconnected workstations).

2. Access_Vulnerability. Connection to the DDN will require a reevaluation of the risk assessment concerning threat and vulnerability of your host locations. Users accessing these hosts should be told what level of data security will be provided.
For example, do maintenance contracts exist with the system software vendors to fix defects that might otherwise compromise the resources? You should consider what is the level of sensitivity of data that users should store on your systems. It would be unwise for users to store very sensitive information on a vulnerable system whether the information was classified or not. It is also very important that your site does not seem to encourage penetration attempts through the use of a welcome banner as part of the login request response of the host. The courts have given great leeway to intruder defendants who claimed that they were encouraged to browse by the banner. Additionally, your login challenge should not include information about the operating system. It helps a would-be abuser determine which penetration techniques would probably be most effective.

3. Risk_Assessment. Risk assessment is a requirement of DCAI 630-230-19. A checklist providing guidelines for reevaluating the threat and vulnerability that results from connecting to the DDN has been included (see Tables 1-6, Vulnerability Analysis).

4. Security_Policies_and_Procedures. This section covers many diverse aspects such as physical security and data security, authorizations, education, and training.

a. Physical_Security. Physical security includes the facilities that house computers as well as remote computer terminals. Within security parameters established by the Host Administrator, work areas must be restricted with physical barriers, appropriate placement and storage of equipment and supplies, and universal wearing of identification badges, as applicable.

b. Authorization. Another crucial factor that must be considered in devising a security program is user authorization. Only people with a "need to know" and with a realization of proper precautions can be given access to sensitive or proprietary information or to ADP facilities.
The use of passwords and terminal access restrictions can provide extra security for highly sensitive information. Passwords can be used to reduce accidental or non-accidental modification by authorized personnel by restricting access to their respective database files.

c. Data_Security. Although it is not foolproof, the best known identification/authentication scheme is the use of passwords. The Host Administrator must assure that passwords are kept secret by their users. The Host Administrator must also assure that passwords are long enough to thwart exhaustive attack by changing them often and by adequately protecting password files. (In the case of MILNET TAC Users, the TACACS generates passwords with the proper attributes. The users are not given the option to create their own TAC passwords.) When creating passwords, the following restrictions should be observed. Failure to do so will result in passwords that could be found in a database dictionary, or otherwise easily discovered.

   (1) Don't use words that can be found in a dictionary.

   (2) Don't use traceable personal data.

   (3) Don't allow users to create their own passwords.

   (4) Change passwords frequently.

   (5) Keep passwords private.

d. One-Time_Passwords. [The following is excerpted from CSC-STD-002-85.] One-time passwords (i.e., those that are changed after each use) are useful when the password is not adequately protected from compromise during login (e.g., the communication line is suspected of being tapped). The difficult part of using one-time passwords is in the distribution of new passwords. If a one-time password is changed often because of frequent use, the distribution of new one-time passwords becomes a significant point of vulnerability. There are products on the market that generate such passwords through a cryptographic protocol between the destination host and a hand-held device the user can carry.

e. Failed_Login_Attempt_Limits.
[The following is excerpted from CSC-STD-002-85.] In some instances, it may be desirable to count the number of unsuccessful login attempts for each user ID, and base password expiration and user locking on the actual number of failed attempts. (Changing a password would reset the count for that user ID to zero.)

f. Monitoring_Terminal_Use. The Host Administrator should also have some method of monitoring terminal use. A log-in sheet is convenient to provide an audit trail if the host has no automated access control and audit capability. This record should contain such information as login and logout times, purpose, project being worked on, project classification, and anything else deemed necessary by you as the Host Administrator. Additionally, the classification level at which the terminal may be used should be prominently displayed at the terminal location. You will need to work closely with the system manager to assure that host activities are monitored as well. This information will be extremely valuable in conjunction with TAC connections and will be the primary information for incidents where access originated from an external host and no network audit data is available.

g. Terminal_Usage. You must also ensure that proper procedures are enforced when using computer terminals. The following points should be considered:

   (1) Automated login procedures that include the use of stored passwords should not be allowed.

   (2) Terminals logged onto the DDN network or to the host computer should not be left unattended.

   (3) Some form of access control for dial-up telephone connections, such as dial-back procedures, should be used. [Note: Dial-back is not acceptable on lines that may be subject to Call Forwarding.]

   (4) Unclassified sensitive information in printed form or in terminal display should be revealed on a "need to know" basis only.
   (5) Proper disposal of printed information (i.e., tearing, shredding, or otherwise obliterating such material) is mandatory.

   (6) Securing of terminals and access lines during non-business hours.

   (7) Securing of software programs and stored data during non-business hours.

   (8) Recording of equipment, custodians, serial numbers, and equipment locations to aid in identifying lost or stolen equipment.

h. Electronic_Mail. Any electronic mail host administrator should have written procedures for users to follow in the event that any mail in the host is determined to be classified. The Host Administrator must be notified immediately to purge any backup files containing the classified mail, retrieve it from addresses and mail boxes, and remove it from the active data base. Such an event is an administrative security violation that must be reported to the offender's organization security officer immediately.

i. Internal_Controls. Even the most sophisticated access control system is ineffective if an organization has weak internal controls. Case studies of commercial firms often describe abuses made by employees who have resigned from a company, but still have active user IDs and passwords. It is just as important for Military or DoD organizations to remove network access, as well as local host computer access, from anyone being transferred, retired, or otherwise leaving the organization. Changing (all of) the password(s) associated with a user's account(s) should be part of the local exit procedures. Every Host Administrator should have written procedures for retiring e-mail accounts. Consideration should also be given to establishing a procedure to reevaluate an individual's requirement to access the network when the person is transferred within the organization. It is the Host Administrator's responsibility to enact the following:

   (1) Procedures to remove individuals' access to the DDN upon that individual's departure.
   (2) If sponsoring a non-DOD organization's access to the DDN, procedures must be established to require a written agreement that the non-DOD organization will have an individual's access to the DDN removed upon that individual's departure.

j. Encryption. Another method of securing data is encryption, a powerful method of protecting information transmitted between the host computer and remote terminals. It limits access to information stored in the computer's data base. An individual user not possessing the proper encryption key has little chance of gaining usable information from a computer protected in this manner.

5. Education_Program. Security training is a key element of a security program. Evaluating the risks within a DDN environment and implementing an active DDN security program requires properly trained personnel. An effective training program will provide both formal and informal instruction. Depending on the size and complexity of the ADP environment and the level of data being processed, the instruction will range from security awareness education for top-level management, to highly technical security training for DDN operations personnel. (See DCAI 630-230-19).

a. General_Information. Users of the host system should be provided with information regarding their computing and network environment and their responsibilities within that setting. Users should be made aware of the security problems associated with access to the systems via local and wide-area networks. They should be told how to properly manage their account and workstation. This includes explaining how to protect files stored on the system, and how to log out or lock the terminal/workstation. Policy on passwords must be emphasized. An especially important point that must be emphasized is that passwords are not to be shared.

b. Specific_Topics. The below listed training areas must be taught at the appropriate administrative, management, and staff levels.
You must also implement testing plans to assure that personnel will know their responsibilities in emergency situations. Drills should be scheduled periodically to determine that the emergency procedures are adequate for the threat to be countered. The Host Administrator's security training program should include specifics in the following areas as applicable:

   (1) General security awareness.
   (2) User security.
   (3) Security administration.
   (4) Transition control and computer abuse.
   (5) Software security.
   (6) Telecommunications security.
   (7) Terminal/device security.
   (8) System design security.
   (9) Hardware security.
   (10) Physical security.
   (11) Personnel security.
   (12) Audit.
   (13) Data security.
   (14) Risk assessment.
   (15) Contingency/backup planning.
   (16) Disaster recovery.
   (17) Security accreditation.
   (18) Security test and evaluation (ST&E).
   (19) DDN security and contractor interface.
   (20) Common penetration techniques.

CHAPTER 5. OPERATIONAL SECURITY MANAGEMENT OF CLASSIFIED NETS

1. General. Unauthorized user activities obviously pose a greater threat to the classified nets. Since the classified communications nets are closed communities, classified hosts must maintain their own access control and audit system to detect and analyze problems. For specific details concerning security in the WIN Communications System (DSNET 1), refer to JCS Pub 6-03.7, Security_Policy_for_the_WWMCCS_Intercomputer_Network (Unclas), dated April 88. For specific details concerning security in the Sensitive Compartmented Information Network (DSNET 3), refer to the following documents: DIAM 50-3, Physical_Security_Standards_for_SCI_Facilities (FOUO); DIAM 50-4, Security_of_Compartmented_Computer_Operations (C), dated June 80; and DCID 1/16, Security_Policy_for_Uniform_Protection_of_Intelligence_Processed_in_Automated_Information_Systems_and_Networks (S), dated July 88.

2. Limited_Terminal_Access_Controls.
Terminal access controllers, when used on the classified subnetworks, are currently limited to controlling access into the network. The TACs do not collect and forward audit information of network activity to a central location for analysis, usage data collection, and processing as is done on the unclassified networks. The TAC Access Control System (TACACS), necessary for dial-in access, has not been implemented on the classified networks because there is no dial-in access. In the WIN Communications System, for example, TACs are not used; network access is controlled by the interconnected hosts. The WWMCCS Intercomputer Network (WIN) hosts also collect audit data of user activity at each host location.

3. Closed_Community_Characteristics. Most, if not all, of the guidance given in Chapter 4 is incorporated in creating a "closed" community. A major difference in access control of classified networks is that no dial-up access is allowed. Also, personnel having access to a facility will have, as a minimum, a system high clearance level for their site. There are multiple classification levels at some locations. The Host Administrator must take special precautions to ensure that the classification of passwords and the access authority of operating personnel are at or above the classification level of the operation being performed.

4. Security_Awareness. Because of the nature of classified systems and the greater threat that security infractions can cause, it is incumbent that the host administrator assure that there exists sufficient exposure to security awareness and training. The listed training areas must be taught at the appropriate administrative, management, and staff levels. You must also implement testing plans to assure that personnel will know their responsibilities in emergency situations. The Host Administrator's security training program must include specifics in the following areas:

   (1) General security awareness.
   (2) User security.
     (3) Security administration.
     (4) Transition control and computer abuse.
     (5) Software security.
     (6) Telecommunication security.
     (7) Terminal/device security.
     (8) System design security.
     (9) Hardware security.
     (10) Physical security.
     (11) Personnel security.
     (12) Audit.
     (13) Data security.
     (14) Risk assessment.
     (15) Contingency/backup planning.
     (16) Disaster recovery.
     (17) Security accreditation.
     (18) Security test and evaluation (ST&E).
     (19) DDN security and contractor interface.
     (20) Most common penetration techniques.

CHAPTER 6. DETECTION OF UNAUTHORIZED HOST ACCESS

1. General. Because you, as the Host Administrator, are responsible for the security of the host computer, early detection of potential abuse will serve to prohibit losses. Effective monitoring will also deter potential perpetrators from attempting to experiment with illegal schemes if the probability of detection is high. The following points provide guidance for the types of events you should look for to detect unauthorized activity:

     a. Unexplained use of disk space.
     b. Unknown files listed in the directory.
     c. Repeated failed attempts to access the host.
     d. Unusual log-in times.
     e. A file being accessed by someone who has no authorization to be in that file.
     f. Excessive time (hours) on line or a pattern of unusually short access times (less than one minute).

2. Detection_Training. Detection of unauthorized activities at host locations is a responsibility shared by all personnel within the work place. The Host Administrator, however, may find it necessary to educate personnel on this point and delegate responsibilities. Apart from the measures taken to manage the security environment, Host Administrators must act with diligence regarding technical or quasi-technical areas affecting security.
For example, their responsibilities might include enforced cycling of password changes, compartmentalizing proprietary information away from the generally accessible system and limiting its accessibility to those with a bona fide "need-to-know," monitoring access logs and maintaining audit trails to facilitate detection of unusual activity, and using security systems and services offered by their network systems and service providers.

3. Logging_Events. Illegal attempts to gain access into sensitive areas (i.e., trespassing or guessing at passwords in order to sign on or access files from remote terminals) should be logged and reviewed regularly. One effective detection of unauthorized activities is to display the last log-on time and date on the screen after the user has successfully logged onto the system. Statistics of access violations should be collected with regard to details of the particular terminals being abused and the files being accessed. The results should be reviewed by the NSO.

4. Peculiar_Behavior. If not typical of or appropriate for your organization, beware of unsupervised work especially if a person regularly volunteers for overtime work and is allowed to stay on the premises unsupervised. Have two-man control procedures for sensitive information work. In addition, be advised that many computer crimes occur during holiday periods, or during times when host computers are experiencing low traffic. Pay particular attention to peculiar activities during these periods.

5. Legal_Recourse. Public Law 98-473, known as the "Counterfeit Access Device and Computer Fraud and Abuse Act of 1984" added Section 1030 to Title 18 United States Code on October 12, 1984. It was the first federal computer crime law that criminalized unauthorized access to classified national security information or information in certain financial records.
Additionally, it criminalized certain unauthorized accesses to computers operated on behalf of the Government.

6. Prosecution_as_a_Deterrent. When there is adequate evidence collected for conviction, the perpetrator should always be prosecuted. This action would serve as a serious warning to others contemplating making similar attempts and can be extremely effective as a deterrent. However, as recent world events have revealed, this really doesn't deter abuse adequately. Therefore, you must assure proper protection of your computer systems.

7. Incident_Reporting_by_Subscriber. The flow of security incident reporting should be from the end user to the Host Administrator, or other appropriate individual who determines if the problem is local or network related. If the problem is network related, the problem should be referred to the appropriate Network Manager/Security Officer. The Network Manager/Security Officer would contact the DDN NSO, if appropriate, for assistance in obtaining audit trail data from the NIC for MILNET. Depending on the seriousness of the incident, the DDN NSO would assure that the appropriate investigating agency was involved, and support requests for information for formal investigations.

8. Contacts. To correspond with the DDN NSO, use any one of the following methods of contact:

     a. Via network mail to: SCC@NIC.DDN.MIL or DCA-MMC@DCA-EMS.DCA.MIL
     b. Via U.S. mail to: HQ Defense Communications Agency, Code: DODM, Attn: DDN-NSO, Washington, DC 20305-2000
     c. Via commercial phone to: (800) 451-7413, or (800) 235-3155 for the SCC
     d. Via DSN/AUTOVON to: 312-222-2714/5726
     e. Via AUTODIN to: DCA WASHINGTON DC//DODM//
     f. Classified correspondence must be forwarded via AUTODIN or U.S. mail using procedures appropriate for its classification level.

9. What_Information_To_Report. Your incident reports must include certain minimal information to enable the DDN NSO to take action.
The DDN NSO requires a brief, unclassified description of the incident and the name, telephone number, and organization of the person reporting the incident. If the incident's occurrence is classified, the report and any classified discussions between the DDN NSO and officials at the affected organization must take place using secure modes of communication. The following is the minimum information necessary for an incident report:

     a. Date of report (Day-Month-Year, e.g., 01 Jan 87)
     b. Date and time period of incident(s) (Zulu time)
     c. Personal data of person reporting the incident:
          (1) Name
          (2) Telephone number
          (3) Organization
     d. Network involved (e.g., MILNET, DSNET 1, 2, or 3)
     e. Did unauthorized access come from the DDN, if known? (If not, refer reporting person to his/her Host Administrator).
     f. Presumed classification of incident (i.e., Unclassified, Confidential, Secret, Top Secret, Top Secret/Sensitive Compartmented Information). [Note: Contact the DDN NSO should you have any questions concerning the level of classification of a particular incident.]
     g. Brief description of incident (Unclassified).

10. Follow-up_Information. Follow-up contact with Host Administrators might be required to obtain more detailed information that may not have been initially available. The DDN NSO would try to determine the following factors:

     a. Where the activity was initiated (i.e., at another host or specific TAC)
     b. What routines the intruder ran on the host system
     c. What files the intruder accessed on the host system
     d. What user identification log-in was used. For example, was there a password? Was the password the same as the log-in? Was the account password protected? Did the user change the password initially provided?

Security incidents that are discovered to be a local problem will be investigated at the Host Administrator level.

CHAPTER 7. TOOLS FOR INVESTIGATING INCIDENTS AT THE HOST LEVEL

1. General.
This Chapter will help you, the Host Administrator, with investigations of security incidents that are determined to be a local problem. The tools available for investigating network incidents are products of audit trail data collected in the TAC Access and Control System for the unclassified networks and in the audit data collection systems of the individual hosts (if they exist) in both the classified and unclassified networks. The network traffic data collected by the network utilities at the community of interest monitoring centers is useful for network control and design purposes, but its use for network security investigative purposes is limited.

2. Host_System_Logs. The host system can provide a wealth of information that can complement the network data. Most operating systems automatically store numerous bits of information in log files. Examination of these log files on a regular basis is often the first line of defense in detecting unauthorized use of the system. Lists of currently logged in users and past login histories can be compared. Most users typically log in and out at roughly the same time each day. An account logged in outside the "normal" time for the account may be in use by an intruder. System logging facilities, such as the UNIX "syslog" utility, should be checked for unusual error messages from system software. For example, a large number of failed login attempts in a short period of time may indicate someone trying to guess passwords. Operating system commands which list currently executing processes can be used to detect users running programs they are not authorized to use, as well as to detect unauthorized programs which have been started by a cracker.

3. Other_Tools. The tools available for conducting an incident investigation on unclassified nets consist of the TACACS reports, provided to the DDN NSO, and the Host audit and log book, if used. Additionally, personnel may be interviewed to provide necessary insight.
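Added example, not part of DCAC 310-P115-1 or of the original file: the log review described under Host_System_Logs above and in Chapter 6, paragraph 1 (items c, d and f), run over constructed log-in records. The record format, the account and terminal names, the 5-failures-in-5-minutes threshold, the 2-hour tolerance and the 12-hour session limit are assumptions chosen for illustration.

```python
from collections import defaultdict, deque, namedtuple
from datetime import datetime, timedelta

Event = namedtuple("Event", "when account kind terminal")

# Constructed sample records (illustrative, not from any real host).
# Assumed format: ISO timestamp, account, event type, terminal.
SAMPLE_LOG = """\
1993-03-01T08:05:00 jones LOGIN_OK tty02
1993-03-01T16:40:00 jones LOGOUT tty02
1993-03-02T08:10:00 jones LOGIN_OK tty02
1993-03-02T16:55:00 jones LOGOUT tty02
1993-03-03T07:58:00 jones LOGIN_OK tty02
1993-03-03T17:02:00 jones LOGOUT tty02
1993-03-04T02:14:00 smith LOGIN_FAIL tty07
1993-03-04T02:14:20 smith LOGIN_FAIL tty07
1993-03-04T02:14:45 smith LOGIN_FAIL tty07
1993-03-04T02:15:05 smith LOGIN_FAIL tty07
1993-03-04T02:15:30 smith LOGIN_FAIL tty07
1993-03-04T03:20:00 jones LOGIN_OK tty07
1993-03-04T03:20:40 jones LOGOUT tty07
"""


def parse_log(text):
    """Turn the assumed four-field records into Event tuples, oldest first."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        stamp, account, kind, terminal = line.split()
        events.append(Event(datetime.fromisoformat(stamp), account, kind, terminal))
    return sorted(events)


def failed_login_bursts(events, threshold=5, window=timedelta(minutes=5)):
    """Item c: accounts with `threshold` or more failures inside `window`.

    Returns {account: largest number of failures seen in one window}.
    """
    recent = defaultdict(deque)
    bursts = {}
    for ev in events:
        if ev.kind != "LOGIN_FAIL":
            continue
        times = recent[ev.account]
        times.append(ev.when)
        while ev.when - times[0] > window:  # drop failures older than window
            times.popleft()
        if len(times) >= threshold:
            bursts[ev.account] = max(bursts.get(ev.account, 0), len(times))
    return bursts


def hour_distance(a, b):
    """Distance between two clock hours, wrapping past midnight."""
    return min((a - b) % 24, (b - a) % 24)


def unusual_login_times(events, cutoff, slack_hours=2):
    """Item d: log-ins after `cutoff` far from the account's earlier hours.

    Log-ins before `cutoff` form the baseline. Accounts with no baseline
    are skipped here; a reviewer would treat those separately.
    """
    usual = defaultdict(set)
    flagged = []
    for ev in events:
        if ev.kind != "LOGIN_OK":
            continue
        if ev.when < cutoff:
            usual[ev.account].add(ev.when.hour)
        elif usual[ev.account] and all(
            hour_distance(ev.when.hour, h) > slack_hours for h in usual[ev.account]
        ):
            flagged.append(ev)
    return flagged


def odd_session_lengths(events, short=timedelta(minutes=1), long=timedelta(hours=12)):
    """Item f: sessions under one minute or over an assumed 12-hour limit."""
    opened = {}
    flagged = []
    for ev in events:
        key = (ev.account, ev.terminal)
        if ev.kind == "LOGIN_OK":
            opened[key] = ev.when
        elif ev.kind == "LOGOUT" and key in opened:
            length = ev.when - opened.pop(key)
            if length < short or length > long:
                flagged.append((ev.account, ev.terminal, length))
    return flagged


if __name__ == "__main__":
    events = parse_log(SAMPLE_LOG)
    for account, count in failed_login_bursts(events).items():
        print(f"failed log-ins: {account} had {count} within 5 minutes")
    for ev in unusual_login_times(events, cutoff=datetime(1993, 3, 4)):
        print(f"unusual hour:   {ev.account} at {ev.when} on {ev.terminal}")
    for account, terminal, length in odd_session_lengths(events):
        print(f"odd session:    {account} on {terminal} lasted {length}")
```

On the constructed records, all three checks point at the same night: a burst of failures on one terminal, followed by a 40-second session at an hour the second account has never used.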
The tools available for conducting an investigation on classified nets include the Host audit, system logs, physical log book, and personnel as well. Additionally, the UID/password and the specific terminal will provide further useful information. No TACACS reports are available for the classified nets.

4. TACACS_Reports. TACACS incident reports are reviewed by the DDN NSO for unauthorized network activity. Other TACACS reports are available to the DDN NSO to help investigate illegal or unauthorized network activity. You as the Host administrator can request investigative assistance from the DDN NSO to obtain TACACS audit data for MILNET. Assistance may also be requested by the Host Administrator to involve an investigating agency (e.g., FBI, OSI, NIS, MI, etc.).

CHAPTER 8. SUMMARY

1. Penetration_Techniques. This document has provided you, as Host Administrators, guidelines for securing your host computer locations. Security problems arise and espionage activity may increase as access to computers increases. Therefore, you must apply these instructions because you are ultimately responsible for the security of the DDN. This instruction has covered common penetration techniques you must guard against.

2. Other_Topics. The major items this document emphasizes are the following:

     a. Proper access control procedures
     b. Reevaluation of the risk assessment of your host site
     c. Security education training
     d. Detection of unauthorized or suspected unauthorized access
     e. Incident reporting
     f. Tools for local incident investigation
     g.
Assistance from the DDN NSO for network incident investigations

TABLE 1: VULNERABILITY ANALYSIS
-------------------------------------------------------------
**Operations Management and Processing**
-------------------------------------------------------------
               Item                     Response      Comments
                                     (Yes, No, N/A)
-------------------------------------------------------------
Has a systems security officer       |               |
been appointed?                      |               |
-------------------------------------------------------------
Have procedures been developed       |               |
defining who can access the          |               |
computer facility, and how and       |               |
when that access can occur?          |               |
-------------------------------------------------------------
Have procedures been established     |               |
to provide physical protection of    |               |
local and remote terminal access     |               |
equipment?                           |               |
-------------------------------------------------------------
Have procedures been established     |               |
to provide physical protection of    |               |
host computers?                      |               |
-------------------------------------------------------------
Is someone designated as a terminal  |               |
area security officer?               |               |
-------------------------------------------------------------
Have procedures been established to  |               |
positively identify transactions     |               |
occurring to and from remote         |               |
locations?                           |               |
-------------------------------------------------------------
Have security procedures been        |               |
established for the microcomputers   |               |
which will communicate with the DDN? |               |
-------------------------------------------------------------
Have procedures been established     |               |
for providing physical security over |               |
these microcomputers and the data    |               |
processed by them?                   |               |
-------------------------------------------------------------
Have procedures been established     |               |
to protect data within the custody   |               |
of the microcomputer user?           |               |
-------------------------------------------------------------
Have alternate means of processing   |               |
been established in the event either |               |
the individual or the personal       |               |
computer is lost?                    |               |
-------------------------------------------------------------
Is the security over the             |               |
microcomputer environment            |               |
regularly reviewed?                  |               |
-------------------------------------------------------------
Have the vendor installed            |               |
passwords been changed?              |               |
-------------------------------------------------------------
Does someone verify that all current |               |
passwords are different from a list  |               |
of commonly used or vendor installed |               |
passwords?                           |               |
-------------------------------------------------------------

TABLE 2: VULNERABILITY ANALYSIS
-------------------------------------------------------------
**Communications**
-------------------------------------------------------------
               Item                     Response      Comments
                                     (Yes, No, N/A)
-------------------------------------------------------------
Is sensitive information transmitted |               |
over common carrier lines protected  |               |
(e.g., through cryptography)?        |               |
-------------------------------------------------------------
Can data being transmitted or        |               |
processed be reconstructed in        |               |
the event either main processing     |               |
or remote processing loses integrity?|               |
-------------------------------------------------------------
Are processing actions restricted    |               |
based on the point of origin or the  |               |
individual making the request?       |               |
-------------------------------------------------------------
Have procedures been established     |               |
for providing host connection        |               |
access control over remote terminals |               |
and on-site terminals?               |               |
-------------------------------------------------------------
Is a log maintained of accesses      |               |
to computer resources?               |               |
-------------------------------------------------------------
Do non-employees have access to      |               |
communications facilities (except    |               |
where the system specifically is     |               |
designed for those non-employees)?   |               |
-------------------------------------------------------------

TABLE 3: VULNERABILITY ANALYSIS
-------------------------------------------------------------
**Disasters**
-------------------------------------------------------------
               Item                     Response      Comments
                                     (Yes, No, N/A)
-------------------------------------------------------------
Have the types of potential          |               |
disasters been identified?           |               |
-------------------------------------------------------------
Has equipment been provided to       |               |
deal with minor disasters, such      |               |
as fire and water damage?            |               |
-------------------------------------------------------------
Have alternate processing            |               |
arrangements been made in the        |               |
event of a disaster?                 |               |
-------------------------------------------------------------
Have procedures been established     |               |
to provide back-up equipment or      |               |
automatic data processing (ADP)      |               |
processing capabilities in event of  |               |
loss of primary ADP resources?       |               |
-------------------------------------------------------------
Have simulated disasters been        |               |
conducted to ensure that disaster    |               |
procedures work?                     |               |
-------------------------------------------------------------
Are critical programs and data       |               |
retained in off-site storage         |               |
locations?                           |               |
-------------------------------------------------------------
Have users been heavily involved     |               |
in developing disaster plans for     |               |
applications that affect their areas?|               |
-------------------------------------------------------------

TABLE 4: VULNERABILITY ANALYSIS
-------------------------------------------------------------
**Personnel**
-------------------------------------------------------------
               Item                     Response      Comments
                                     (Yes, No, N/A)
-------------------------------------------------------------
Are formal reports required for      |               |
each reported instance of computer   |               |
penetration?                         |               |
-------------------------------------------------------------
Are records maintained on the most   |               |
common methods of computer           |               |
penetration?                         |               |
-------------------------------------------------------------
Are records maintained on damage     |               |
caused to computer equipment and     |               |
facilities?                          |               |
-------------------------------------------------------------
Is one individual held accountable   |               |
for each data processing resource?   |               |
-------------------------------------------------------------
Does management understand threats   |               |
posed by host connection to DDN?     |               |
-------------------------------------------------------------
Is management evaluated on its       |               |
ability to maintain a secure computer|               |
facility?                            |               |
-------------------------------------------------------------
Are the activities of any            |               |
non-employees in the computer center |               |
monitored? Is an escort policy       |               |
enforced?                            |               |
-------------------------------------------------------------
Are contractor personnel subject to  |               |
the same security procedures as other|               |
non-employees?                       |               |
-------------------------------------------------------------
Are procedures installed to restrict |               |
personnel without a "need to know"?  |               |
-------------------------------------------------------------
Have procedures been established     |               |
to limit the damage, corruption, or  |               |
destruction of data base information?|               |
-------------------------------------------------------------
Has a security incident report form  |               |
been created?                        |               |
-------------------------------------------------------------

TABLE 5: VULNERABILITY ANALYSIS
-------------------------------------------------------------
**Training**
-------------------------------------------------------------
               Item                     Response      Comments
                                     (Yes, No, N/A)
-------------------------------------------------------------
Are employees instructed on how to   |               |
deal with inquiries and requests     |               |
originating from individuals without |               |
a "need to know"?                    |               |
-------------------------------------------------------------
Has an adequate training program     |               |
been devised to ensure that employees|               |
are aware of the requirements to     |               |
protect their equipment from         |               |
unauthorized use or unauthorized     |               |
purposes?                            |               |
-------------------------------------------------------------
Have personnel been advised on       |               |
penalties of the Federal Computer    |               |
Crime Law for unauthorized access to |               |
Government ADP systems?              |               |
-------------------------------------------------------------

TABLE 6: VULNERABILITY ANALYSIS
-------------------------------------------------------------
**People Errors and Omissions**
-------------------------------------------------------------
               Item                     Response      Comments
                                     (Yes, No, N/A)
-------------------------------------------------------------
Are errors made by the computer      |               |
department categorized by type       |               |
and frequency, such as programming   |               |
errors?                              |               |
-------------------------------------------------------------
Are records maintained on the        |               |
frequency and type of errors         |               |
incurred by users of data            |               |
processing systems?                  |               |
-------------------------------------------------------------
Are users provided a summary of      |               |
the frequency and types of           |               |
user-caused errors identified by the |               |
application system?                  |               |
-------------------------------------------------------------
Are the losses associated with       |               |
data processing errors quantified?   |               |
-------------------------------------------------------------
Are records maintained on the        |               |
frequency and type of problems       |               |
occurring in operating systems?      |               |
-------------------------------------------------------------
Are abnormal program terminations    |               |
on computer software summarized      |               |
by type and frequency so that        |               |
appropriate action can be taken?     |               |
-------------------------------------------------------------
Are personnel trained to recognize   |               |
attempts to access their system by   |               |
common penetration techniques?       |               |
-------------------------------------------------------------

TABLE 7: TABULATION OF VULNERABILITY ANALYSIS
-------------------------------------------------------------
**Self-Assessment Results**
---------------------------
HOW TO IDENTIFY VULNERABILITIES
-------------------------------------------------------------
                      | # of   | Rank for |
Component             | "No's" | Action   | Comments
-------------------------------------------------------------
Operations Management |        |          |
and Processing        |        |          |
-------------------------------------------------------------
                      |        |          |
Communications        |        |          |
-------------------------------------------------------------
                      |        |          |
Disasters             |        |          |
-------------------------------------------------------------
                      |        |          |
Personnel             |        |          |
-------------------------------------------------------------
                      |        |          |
Training              |        |          |
-------------------------------------------------------------
People Errors and     |        |          |
Omissions             |        |          |
-------------------------------------------------------------

*--- End

Sourced by: The Dope Man
Topic: Canadian Telecom Safety Checklist
Length: 2.1KB
Begin ---*
SAFETY CHECKLIST (CANADIAN TELECOM Feb 93)

Ultimately, human factors are the weakest link in any protection plan. Some of these protection steps will cost money and cause inconvenience to your users, but the only way to eliminate CPE-based toll fraud is to manage equipment you control. Your telecommunications equipment can be protected against virtually all toll fraud if you follow this checklist. You should consult your vendor to obtain detailed (in writing, if there are liability concerns) about your equipment.

 1. Deny unauthorized access to long-distance trunking facilities through your voice-mail systems.
    - block activation/assign passwords.
 2. Secure Direct Inward System Access (DISA) numbers.
    - do not publish DISA numbers.
    - use long authorization codes.
 3. Foil "Dumpster divers".
    - shred CDR records.
    - switch printouts and other documentation.
 4. Change codes frequently.
    - delete former employee codes.
 5. Secure authorization codes.
    - use many digits.
    - do not share among employees.
    - treat like credit card numbers.
 6. Block DISA in all equipment.
    - at least restrict nights, weekends, holidays (prime times for fraud).
 7. Monitor call records.
    - look for suspicious calling patterns.
    - automate exception reporting.
 8. Restrict international calls.
    - block or selectively allow for certain country and area codes.
 9. Restrict call forward.
    - do not permit forwarding to long-distance or trunking facilities.
10. Secure access codes and passwords.
    - discourage employees from having them in plain view.
    - warn of "shoulder surfing".
11. Secure your equipment rooms.
    - know who has access to them.
    - do not use for janitorial storage.
12. Deactivate ports access.
    - block access to remote maintenance ports.
13. Keep telephone numbers private.
    - do not discuss number plan outside of company.
    - destroy old internal phone books.

*--- End

---

"I saw no man use you at his pleasure. If I had, my weapon should quickly have been out, I warrant you.
I dare draw as soon as another man, if I see occasion in a good quarrel, and the law on my side"
 - William Shakespeare, Romeo & Juliet

---

NEWS BYTES (and usually bites too)
The Dope Man - Lister - Terminator X - Ibex

Special thanks this month go out to Ibex, whose only forms of communication with us have been limited to US Post, and messages back and forth on a voice mail system. We unfortunately won't be able to publish your submission this issue, due to time constraints. Sorry.

Sourced by: Lister
Topic: Phone fraud bill $100 million
Length: 3.3KB
Begin ---*

Bell bans overseas card calls from pay booths
By Dana Flavelle/Toronto Star - Toronto, Ontario

Long-distance telephone fraud is an estimated $100 million headache for Canadian telephone companies and some of their biggest customers -- and it's growing, says a telecommunications industry expert.

"It's become a huge issue in the last year or so in Canada," said Ian Angus, a consultant who's writing a book on the subject.

At least some long-distance fraud is committed by computer hackers who gain access to major corporate telephone networks and start ringing up big bills, he said. But most of it is "low-tech" credit card and telephone calling card fraud, Angus said in a telephone interview following yesterday's announcement by Bell Canada that it will no longer accept overseas card calls from pay phones.

"We didn't want to do this," Bell spokesperson Una MacNeil said in an interview. "We know it's an inconvenience. But it's a significant enough problem that we have to put a plug in it until we work out a longer-term solution."

In the past two months, one in five overseas calls made from pay telephones has been fraudulent, she said. Bell is not revealing the cost of the fraud for "security" reasons, she said.
Effective yesterday, a customer who tries to use a credit card or telephone calling card to make an overseas call from a pay phone will be given the following options by an operator:

[] Go to a non-pay phone to place a card call;
[] Have the call billed to a third party, provided there's someone available to accept the charges;
[] Make a collect call, except in cases where no collect call agreement exists between Canada and the country being called; or
[] Pay cash.

In addition, Bell has stopped accepting cash calls from certain kinds of pay phone to five overseas countries: China, Pakistan, Bangladesh, Macao and Hong Kong. Situated mainly in airports and major hotels, these are the kind of pay phones that simply "read" the magnetic strip on the back of the credit or calling card, and will also accept cash calls. For reasons Bell officials wouldn't explain, phony cash calls can be placed from these kinds of telephones to these specific countries.

"We don't like to talk a lot about this issue because we don't want to give people ideas," MacNeil said.

Credit cards and calling cards can still be used to make pay phone calls within North America, where fraud hasn't been a big problem, Bell said.

Most of the fraud is being committed by organized thieves, who get hold of calling card numbers by watching people use their cards in busy public places like airports, said Angus. Then, they set up shop around public pay phones using those numbers to make calls for customers who are charged about $5, he said. Police in Montreal busted one racket operating in a subway station earlier this year, he said.

A task force of Bell and Northern Telecom engineers is trying to devise electronic ways of thwarting such frauds and, better still, detecting people in the act. MacNeil was confident full overseas service will eventually be restored, but couldn't predict when.

"It is a large problem and we have a lot of people working on it," she said.
*--- End

Sourced by: Terminator X
Topic: Bell anxious to compete in cable, other markets
Length: 2.9KB
Begin ---*

By Kevin Dougherty/Financial Post - Montreal, Quebec

Bell Canada wants to be able to deliver cable television or any other value-added telecommunications service to the homes or offices of its telephone customers, the utility's president said yesterday.

"The telephone companies must be allowed to fully compete in all communications markets for the benefit of all Canadians," Robert Kearney said at a Canadian Club luncheon. "Bell Canada should be able to carry anything, independent of technology, for any customer anywhere."

While Bell Canada wants the Canadian Radio-television and Telecommunications Commission to consider it a common carrier, it also wants "other access carriers, like cable companies" to be designated common carriers as well.

Kearney said Bell Canada agrees that basic telephone service should continue to be regulated, paying tribute to the Canadian "social agenda" that has allowed a 98% penetration rate for telephone service in Canada. But he said all other services should be deregulated.

The regulatory commission will have to untangle what is competitive and what is not competitive, he added. The commission began hearings on broadcasting last week and plans further consultations later this year on telecommunications.

Kearney said Bell Canada is not prepared to offer its definitions yet. But he said that five years from now -- if the issue has not been resolved -- the cable companies and telecommunications carriers won't be fighting over technologically irrelevant barriers. They will be fighting for their survival.

"Everybody should be a common carrier," he told reporters.

More immediately, Bell Canada is pressing the CRTC to grant a rate increase, hiking charges for local calls for the first time since 1983.
Bell Canada is allowed a rate of return in the 12.5%-to-13.5% band, he noted, but this year, the return will fall to 10.75% and in 1994 it will be below 10%.

Resellers, who buy space on Bell Canada wholesale and sell services at a discount, accounted for 7% of the telecommunications market last year, not the 2% the CRTC had predicted, he said. This year, resellers and Unitel Communications Inc., which offers a competing long-distance service to Bell Canada's will together hold a 15% market share.

Reflecting Bell Canada's declining revenue, New York bond rating service Standard & Poor's has lowered the rating on its debt. Kearney speculated it could take another downgrading before Bell Canada is allowed an improved rate of return.

He said U.S. telephone companies cross-subsidize local telephone service 2cents-3cents a minute, while 17cents a minute of Bell Canada's long-distance revenue, or about $2 billion a year goes to subsidize local service.

"The subsidy keeps our local rates low, but is an incredible drain on our competitiveness."

*--- End

Sourced by: Terminator X
Topic: $200M plea in TV battle
Length: 1.0KB
Begin ---*

Broadcasters demand cable firms pay for carrying programs
By Richard Siklos/Financial Post - Hull, Quebec

Canada's private broadcasters yesterday appealed to federal regulators for permission to start charging cable operators up to $200 million a year to carry their signals.

The fee-for-carriage plan put forth by the Canadian Association of Broadcasters is perhaps the most radical proposal before the four-week Canadian Radio-television and Telecommunications Commission hearing into the structure of Canadian television.

From the broadcasters' perspective, it is no longer equitable for cable to distribute local over-the-air television signals without paying for permission to do so.

"It's an issue of fairness," CAB chairman Douglas Holtby told the hearing. "The taking of our signals by cable is fundamentally contrary to basic Canadian values."
CAB is seeking between 35 cents and 80 cents a month per local signal from cable. Its case is supported by an Angus Reid Group Inc. study showing that most subscribers either believe a portion of the $1.6 billion consumers spend on cable already goes to private TV, or don't know where the money goes.

Despite the advent of cable-only specialty services such as CNN and The Sports Network, local private broadcasters, such as those owned by WIC Western International Communications Ltd., CanWest Global Communications Corp. and Baton Broadcasting Inc., accounted for 52% of cable viewing in 1992.

And it is not fair, the broadcasters argue, that they shoulder the burden of producing the bulk of Canadian programming required by regulators.

The broadcasters' plan has met with stiff opposition from cable operators, who maintain TV owes its success to cable. Maclean Hunter Cable TV last week said private TV's argument that it cannot live on advertising revenues alone is a result of takeovers and the industry's profligate spending on U.S. programming, which increased from $142 million in 1985 to $248 million in 1991.

The CAB has similarly rejected cable's counter-offer to create a fund of up to $100 million a year over five years for independent producers. CAB president Michael McCabe said the cable fund would be an administrative nightmare that doesn't address the issue of broadcasters' signals. McCabe said the broadcast system would be better served by cable fees, from which at least 33% and as much as 100% would go to programming.

"I'm not impressed by your fears," CRTC chairman Keith Spicer told McCabe, noting independent producers have expressed reservations about the plan.

The CAB is hoping fee-for-carriage regulations recently instituted by the U.S. Federal Communications Commission will buoy its case. However, their cable opponents privately predict the plan is doomed on a range of fronts.
*--- End

---

Imagine, if it were 1984:

doubleplusungoodthink revivals refs unconcepts.rewrite fullwise upsub antefiling. make unoldthink and uncrimethink. unrisk joycamp. revival absolutewise ungood.

- Miniluv

---

ERRATUM

I'm not much of an editor, and I don't care.. but there were a few offensive errors in the last issue.. here are the corresponding apologies..

IBEX might have been offended that I referred to him as IDIX throughout the North America release of the last issue.. I never did like global edit (I jest of course). Sorry.

CHAIN was not given proper credit for his dictating of articles last issue. Thanks for your ongoing contributions which are ongoing(!!) hint, hint!

As well, there were numerous typos and other stupid errors... too numerous to mention here.. I will leave those up to you, the reader, to discover.

- Terminator X

---

If you can't find the solution, maybe you're answering the wrong question!

---

CiSSD MEMBERSHIP INFORMATION

With a large resurgence in CiSSD activities, we have decided to begin accepting some members through an application process. Our commune is not yet large enough to accept the masses without rebellion, but is open enough to accept those with ideas similar to our own, and open-minded enough to publish comment from those who are opposed to us. Please write to richfair@eastern.com , and I will publish your comments, and respond to 'letters to the editor.'

If you are seriously interested in becoming a CiSSD member, you can download the CiSSD application from any CiSSD Headquarters BBS, and upload the completed form, or send the completed form E-Mail to richfair@eastern.com .

In addition to members, CiSSD will honour those who have special achievements, members, or non-members alike. If you know someone you believe to deserve CiSSD recognition, please write to the same address (richfair@eastern.com), or leave a message on our voice mail.
---

The Downtown Militarized Zone BBS (416) 450 7087
Sysop - The Dope Man [CiSSD] WHQ

The Revolutionary Front BBS (416) 936 6663
Sysop - Lister [CiSSD]/HELL/cDc

CiSSD Voice Mail Canada (416) 417 0214
Users - Terminator X
      - The Dope Man
      - Lister

CiSSD Fax Line - Projected for April 18 1993
CiSSD Voice Mail BBS - Projected for July 1 1993 (Canada Day)

---

LAST WORDS FROM THE EDITOR

Terminator X

It's 2:12AM. I should be heading over to Dope's place tomorrow. Sometimes I think his house is a big black hole.. except it's not that big, and it's rather colourful, but that's beside the point. It's a black hole in the sense that while physical objects, and the thought process remain intact, the ability to be productive is sucked away into no-where! The only thing we can consistently produce is a couple of large pizzas, and a day of joy and happiness.. but then, isn't that what I go over there for? Certainly, I don't go for the Brampton 'chicks'.. and there's no way in hell I go for the big beautiful Brampton Downtown.. I think I go to have fun and pal around with a real friend. If you don't have one, I suggest you pick one up. They make great birthday gifts..

CREDITS

The Dope Man    Repeat contributor, and CiSSD President. May no-one
CiSSD           ever provoke him to think twice, because having him
                think once was painful enough for the rest of us!
                This is a man with many a creative idea.

Lister          Interpersonal relations, Repeat contributor, not to
CiSSD           mention system hacker extraordinaire. One might (and
                would) attribute his hacking ability to his
                independence and persistence.

Dictator        Dedicated to provoking a political turnaround, this
CiSSD           one has a style and approach all his own. When
                reminded that he wasn't being paid for his efforts,
                he informed me that he was. What was I thinking!

Ibex            With somewhat of a different thinking approach than
CiSSD           the rest of us, he manages to provoke us into
                questioning our own views. It's an inspiration, and
                a southern accent all in one.

Hypnotech       Back on the scene, after a little break from the
CiSSD           hustle and bustle of a group lifestyle, he's jumped
                right into the mag to add his bricks to our group
                foundation. You will see contributions from him next
                issue. Good luck in the future.

Terminator X    Editor. And a lousy one at that. Enjoys music, and
CiSSD           releasing magazines months after their projected
                release date.

Out for now,
Ed.

-------------------------------------------------------------------------
THE CANADIAN INTERNATIONAL SOCIETY FOR SOCIAL DEVIANCY       (C) 1993/94
-------------------------------------------------------------------------