=============================================================================

		PHUK MAGAZINE - Phile 0 of 10

=============================================================================



 Welcome to the second issue of P/H-UK magazine, an ezine for the

Hackers & Phreakers in the United Kingdom. 

 Distrubition of PHUK#1 has gone excedingly well,please keep it 

up ! Dr. Kaos has managed to upload PHUK#1 to a few BBS's and 

apprently it has spread like wild fire since giving out the 

first issure at the December 2600 meeting. The D.A! has been 

able to distrubute PHUK#1 to a few eduacational establishments

through a few of his data courier agents. Also the D.A! has

cunningly spread it through covert means by leaving it on 

computers in directorys called SEX , SEXGAMES AND PORN .

This is due to the fact the file is called PHUK01.ZIP which

sounds a little rude and and should get people to be a little

curious , who said a little anarchy does not work ! ;-)



 Well on to the contents , this issure we have a report on

the 2600 SE meeting that was sent in by THE PRANKSTER which was

received on 01-04-95 with all the local gossip of the south east.

 Also we have the second part of the BT MANUAL which I know you 

have all be en waiting for.More answer phone antics by HILO , and

a lot more so I won't spoil the surprise !



STANARD DISCLAIMER

==================



 THIS IS AN ALPHA COPY OF PHUK#2 ..... NO RESPONSIBILITY CAN 

BE HELD FOR THE ACTIONS OF PHUK READERS WHO USE THE INFORMATION 

WITHIN UNWISELY !! SO SAY THE PHREAKERS / HACKERS UNITED KINGDOM

EDITORIAL MANAGEMENT OR PHUKEM FOR SHORT <GRIN> ;-) .





=============================================================================

		P / H - U - K -- C O N T E N T S

=============================================================================

0: INTRO: You're reading it!

-----------------------------------------------------------------------------

1: EDITORIAL: Time for revolution ? 

-----------------------------------------------------------------------------

2: NEWSBYTES: UK News

-----------------------------------------------------------------------------

3: HACKING THE BASICS - Death's Apprentice !

-----------------------------------------------------------------------------

4: UK HACKER'S CONFERNCE:

-----------------------------------------------------------------------------

5: ANSWERPHONE - The Audioline 815 Digital Answer System - Hilo

-----------------------------------------------------------------------------

6: INTERNET SHOPPING AT THE LINK - Korporate Konsumer

-----------------------------------------------------------------------------

7: PHONE CARDS AROUND THE GLOBE - Korporate Mole

-----------------------------------------------------------------------------

8: BT Computer Security Manual Part 2 - Mrs. Brady of Doncaster

-----------------------------------------------------------------------------

9: Notes & Queries: A question & Answer Forum

-----------------------------------------------------------------------------

10: OUTRO: Next Issue .... Real soon now , we hope!!

-----------------------------------------------------------------------------





+++

EOF

=============================================================================

		PHUK MAGAZINE - Phile 1 of 10

=============================================================================



		-----------------------------------------

		TIME FOR REVOLUTION ? - Phuk-Ed

		-----------------------------------------



 Well what do you know a second issue of PH-UK has finally arrived ,

isn't that amazing ! How things have changed since the last time an

issue was let loose on the computer underground . History will soon

be made when we have our first Hackers Conference in July , (Details

are in the ezine) , I can hardly wait what the media are going to say !



 I mean , all those hackers and phreakers in the same location at the 

same time in full view of the press and MI5 ... ;-) How will the 

UK cope after such an event , what disasters are in the pipeline 

to be blamed on electronic terrorism by teenage technocrats . 

I can just see the the headlines in The Sun now .... but wait , what 

does the UK have to fear . Are the any hackers and phreakers

actively doing what they do best ? If they are then they must

be very covert operations ! More like that there are few

hardcore hackers and phreakers playing with the system then you

would imagine . There are a few that are cloning cellular phones

but they are doing it for a profit and not for the sheer thrill

of it . What about computer penetrations then , no , nobody

there either due to the fact that a certain teenage hacker

got caught hacking the Penatagon and frightened off half of

the computer undergroud into states of paranoia . If you

want proof then look at the numbers going to the 2600

meetings !



 Although it has been reported by CERT that hackers are loners 

that do not work together sharing information on computer 

penetration and other technical wizardary . If that is the 

case how can all the hackers attending the event learn anything ?



 I think it is time for change , time for us to work together

as brothers in the technilogical revolution that is happening

NOW ! Share the information people and let the UK really be a

nation that is just as advanced as the USA in our hacking and

phreaking exploits .





Phuk-Ed.



+++

EOF

=============================================================================

		PHUK MAGAZINE - Phile 2 of 10

=============================================================================



				------------

				UK NEWSBYTES

				------------



-- FIRST EVER 2600 SE MEETING RAIDED BY POLICE



 The scene is set , saturday 18th of March there would be the 

first 2600 meeting in the South East of London.Slowly members 

of the phreaking and hacking community meet up at the Roebuck 

pub.Alcholic beverages were consumed and hacking / phreaking

information was discussed openly ! (WOW !).

 All was going fine until a small group of fruit machine 

hackers disturbed the atmosphere by blantly and openly abusing

a lone fruit machine.Verbal obsenties and threats were showered 

upon the confused bar staff , who looked on helplessly unwilling 

to face a vilent confrontation.

 The 2600 memebers tried to keep a low profile by drinking more 

beer as they thought it would help. As each person tried to drink 

ecah other under the table , the fruit machine hackers fled into 

the night.

 A fruit machine medic was called for and procceded to examine 

said  machine. After much probing and examination  , he proclaimed 

that yes , the machine had obviously benn tampered with !

 It was at this point that unknowingly to the 2600 members the police 

were called for. 



 When two police officers from the the nearby constabulury walked 

through the door all 2600 members not suffering from mild cardiac 

arrests , did what most people would have done in similiar 

circumstances . More alchol was ordered very quickly . Statements

were taken from the bar staff concerned .

 A finger was pointed in our direction by one of the police officers

and a hidden two finger salute was sent back.It seemed that a proper

communications protocol had been established . The police officer

kept pointing and we kept sending hidden binary.

 

 Just as we thought we were going to be arrested one of the bar maids 

jumped to our defence by saying we had nothing to do with said incident 

and had been very good patrons of said establishment as we had 

consumed large volumes of alcoholic beverages.

 With this new piece of information the police officers duly left

and we drank more beer.



 All in all the night had been a memorable event and yes we going

back next month ....hic ! We need the alchol to get over the 

shock ....hic!



+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++



[from CTW, 20-03-95]



-- AMERICAN GIANT  JOINS ELSPA AFTER HACKER BUST



 AT&T , the global computer and communications firm , has become

an associate member of ELSPA , following a successful operation

by the trade body's crime unit which uncovered extensive telephone

calling card fraud . The operation , which led to two arrests in the USA 

and one in the UK , began when ELPSA investigators discovered a cache

of over 50,000 stolen AT&T calling card numbers on a bulletin board .

Computer hackers were using the numbers to call all over the world , at 

AT&T's expense , in order to download illegaly pirated material .



+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++



-- UK VERSION OF WIRED 



Well I think you all know that there is a UK version of WIRED , but 

correct me if you think differently but it sucks big time . I am sorry

but the UK issure does not cut the mustard and I doubt if I will 

continue to buy the UK version but instaed I think I will stick with

the US one . If you have different views the write in and let us know

why you think it is worth a good read .



+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

  

 That's all for this ish, don't forget, NEWSBYTE exists on

contributions from its readers, so send your snippets, comments etc to

PHUK magazine at anon19143@anon.penet.fi, where we will do our best to

include them in the next issue.



+++

EOF

=============================================================================

		PHUK MAGAZINE - Phile 3 of 10

=============================================================================



			HACKING THE BASICS 

			------------------



  So you want to be a hacker ? Silly question if you are reading this you

 you must think , well I had to ask ! Okay , well where do you start ?

 The equipment is useful I suppose or you would not be reading this phile

 so you must know some thing about computers or at least the computer you

 are using .

  But to hack you need just a little more than the equipment , you also need

 information and a lot of common sense !

  For example , do you know your local hacker at work or in school ? You do !

 Well how many times have you gone up to them and asked how do you hack or 

 how do you manage to do that . After a while they will get fed up and clam

 up about information they might of shared with you . Your not the only one

 who wants to know there is probabiliy a few dozen people who keep asking the 

 same old questions time after time . There is a simple solution to get on 

 side of your mentor , STOP ASKING DUM QUESTIONS !  Simple isn't it .

 Okay , you might think well how do I learn if I don't have a hacker for a 

 teacher ? 

	     READ A LOT OF BOOKS AND MAGAZINES !!!



  Go to the library get out anything on hackers or hacking or general computer

 books and read them and take notes on any thing you might think will come in

 useful . Read computer related magazines , you might read some already if you

 own a computer and look at the comms section , I know that during 1994 there

 was a lot of Internet related information being written . Learn the jargon ,

 do a lot of research , let your friends know that you are into computers and

 to let you know if they hear of any computer related news in the press or on 

 TV .



  Then at least you will be able to hold a decent conversation with your local

 hacker and at least sound knowledgable .



  Right how to hack without getting caught ! Simple DON'T HACK ! Sounds 

 stupid you think , well not really . Use a little bit of common sense , try a 

 hacker trainer , in the old days of computers there was a computer game 

 called SYSTEM 15000 for the ZX Spectrum and I know of a program for the Atari

 ST called NAARJEK . The basic idea of the game is to hack your way in to a 

 computer system by any means neccessary . If you find that you get fed up 

 easily then hacking is not for you . The advantages of this is that you gain 

 experience of hacking without the risk of getting caught and two you will

 not run up a huge phone bill learning some of the basics . There are other

 computer hacking simulators about for other home computers or if you want 

 you could even write your own in BASIC or another computing language and

 set a challenge to all you friends to break into the system . Get them to

 write a hacking trainer that you can try your hand to get into their system .

  At the very least it will get you programming and teach you part of the 

 HACKER ETHIC , " Always yield to the hands-on imperative ! "



  Also you can try programs like MINIX or LINUX to learn UNIX and get a feel

 of the UNIX operating system and you can also set it up to learn other 

 hacking skills .

  There are also PC emulators so you can try the MS DOS / PC DOS operating 

 system and learn a few commands .



  Right now you are ready for some real hacking , try your work or school

 computer network system , put the things you have learned into practice

 and try to gain entry or access to other computer users accounts or disk 

 areas . If you are at school or in a place of eduacation then you might

 have a NIMBUS 186 network running . These are particular easy to abuse if 

 you already have an account on them as you can use a back door to your 

 classmates area ! (ASK ME AT THE 2600 MEETINGS IF YOU WANT TO KNOW MORE !)

 Very handy if you are to lazy to do your own work then copy someone elses !



 Well I think I will leave it there for now ! But I will say if you think you 

 can do better then this article then type it up and send it to PH-UK !



 A FEW THINGS YOU MIGHT LIKE TO READ ! ( HINT  !! )

 -------------------------------------------------



 THE HACKER'S HANDBOOK     - A BIT DATED NOW BUT STILL A GOOD READ IF YOU 

			     CAN FIND IT !   (E-BOOK)

 APPROACHING ZERO          - A GOOD READ TO TEACH YOU ABOUT THE RISKS OF 

			     HACKING  (E-BOOK)

 SECRETS OF A SUPERHACKER  - VERY AMERICAN ! BUT HAS A LOT OF GOOD INFO !                        

			 

 2600 THE HACKER QUARTERLY - HARD TO FIND <GRIN>                        

 

 PHRACK                    - AVAILABLE ON THE INTERNET 



     ( SEE THE D.A ! FOR THE E-BOOKS )





This phile is copyright of DEATH 'S APPRENTICE of H.A.D.E.S.  , 1995



+++

EOF

=============================================================================

   		PHUK MAGAZINE - Phile 4 of 10

=============================================================================









                            ACCESS ALL AREAS

                           Hacking Conference



                          1st - 2nd July, 1995

                          (Saturday &  Sunday)

                       King's College, London, UK





-------------------------------WHAT-IT-IS---------------------------------



The first UK hacking conference, Access All Areas, is to be run in London

later this year.  It is aimed at hackers, phone phreaks, computer security

professionals, cyberpunks, law enforcement officials, net surfers,

programmers, and the computer underground.



It will be a chance for all sides of the computer world to get together,

discuss major issues, learn new tricks, educate others and meet "The

Enemy".



-------------------------------WHERE-IT-IS--------------------------------



Access All Areas is to be held during the first weekend of July, 1995 at

King's College, London.  King's College is located in central London on

The Strand and is one of the premier universities in England.



-----------------------------WHAT-WILL-HAPPEN-----------------------------



There will be a large lecture theatre that will be used for talks by

computer security professionals, legal experts and hackers alike.  The

topics under discussion will include hacking, phreaking, big brother and

the secret services, biometrics, cellular telephones, pagers, magstrips,

smart card technology, social engineering, Unix security risks, viruses,

legal aspects and much, much more.



Technical workshops will be running throughout the conference on several

topics listed above.



A video room, equipped with multiple large screen televisions, will be

showing various films, documentaries and other hacker related footage.



The conference facilities will also include a 10Mbps Internet link

connected to a local area network with various computers hanging off of it

and with extra ports to connect your laptop to.



------------------------------REGISTRATION--------------------------------



Registration will take place on the morning of Saturday 1st July from

9:00am until 12:00 noon, when the conference will commence.  Lectures and

workshops will run until late Saturday night and will continue on Sunday

2nd July from 9:00am until 6:00pm.



----------------------------------COST------------------------------------



The price of admission will be 25.00 (approximately US $40.00) at the

door and will include a door pass and conference programme.



-----------------------------ACCOMMODATION--------------------------------



Accommodation in university halls of residence is being offered for the

duration of the conference.  All prices quoted are per person, per night

and include full English breakfast.





                             SINGLE       TWIN

        WELLINGTON HALL      22.00       16.75





Special prices for British and Overseas university students, holding

current student identification, are also available - please call King's

Campus Vacation Bureau for details.



All bookings must be made directly with the university.  They accept

payment by cash, cheque and credit card.



To making a booking call the following numbers...





        KING'S CAMPUS VACATION BUREAU



        Telephone : +44 (0)171 351 6011

        Fax       : +44 (0)171 352 7376



----------------------------MORE-INFORMATION------------------------------



If you would like more information about Access All Areas, including

pre-registration details then please contact one of the following...





        Telephone : +44 (0)973 500202

        Fax       : +44 (0)181 224 0547

        Email     : info@phate.demon.co.uk





=============================================================================

		PHUK MAGAZINE - Phile 5 of 10

=============================================================================



	  ------------------------------------------------------

	  ANSWERPHONES - AUDIOLINE 815 DIGITAL ANSWERING MACHINE

	  ------------------------------------------------------



Instruction manual for the Audioline 815 Digital Answering System



 Remote Access

 -------------



 1. Dial the telephone number.



 2. Listen to the OGM and subsequent beep , but instead of leaving a

    message enter the remote access code , (depress for at least 3 seconds).

    NOTE: You will not hear the OGM if the total recording time has

	  has been filled .



 3. The 815 will replay your messages to you. Every 3 minutes the 815 will

    automatically check that you are still listening by pausing and 

    prompting you to enter your access code . If you do not enter the code ,

    the remote sequence will be terminated and the system will save the

    messages and return to the answer mode .



 Options at the end of the remote playback

 -----------------------------------------



 At the end of thw message playback you will hear a double beep followed 

 by a 10 second decision period.



 1. To repeat you messages enter the remote access code .



 2. To save the current messages hang up the phone .



 3. To cancel current messages and rest the system ,WAIT FOR A SECOND BEEP ,

    enter the remote access code and hang up the phone .



 Turning on the system remotely

 ------------------------------



 1. Call the system and allow it to ring for 16 times .



 2. The system will respond with a continuous tone for about 3 seconds .



 The system automatically switches to answering mode .



 Of course that is all very well but what if you don't know the access

 code , well it is a single digit and you will find it on the sticker 

 underneath the unit. Most people will leave the instruction manual to the 

 machine with the phone directories , logical huh ?





 HILO



+++

EOF

=============================================================================

		PHUK MAGAZINE - Phile 6 of 10

=============================================================================





		Internet Shopping with DIXONS LINK

		----------------------------------

You know that most LINK shops have modems & inet links available ...

.. no? well wander in when they're not too busy and browse ... or

maybe when they're busy ... whenever you get left alone to play with

their pc's and modems ...:)



Here's a couple of files off the machine in the local LINK ... not a

lot, but maybe useful to somebody out there. One is a 'global

internet dial access phone list', and the other is the set up strings

for loads of modems to dial into the internet. Hope its useful.



		Korporate Konsumer







*****************************************************

* IBM Global Network Internet dial access phone list

*****************************************************

01-2144020     Austria Vienna

078-154643     Belgium Brussels

011-884-2870   Brazil  Sao Paulo

1-604-380-2777 Canada  Victoria

1-604-683-3416 Canada  Vancouver

1-403-429-7125 Canada  Edmonton

1-403-266-4013 Canada  Calgary

1-306-525-4022 Canada  Regina

1-204-956-4701 Canada  Winnipeg

1-519-667-2225 Canada  London

1-416-491-7112 Canada  Toronto

1-613-233-4360 Canada  Ottawa

1-514-931-0180 Canada  Montreal

1-418-648-8684 Canada  Quebec

1-902-492-8683 Canada  Halifax

1-800-308-3173 Canada  fee 800

90-4582133   Finland Helsinki

1-43051999   France  Paris (east)

1-47760055   France  Paris (west)

040-6301861  Germany Hamburg

030-7231021  Germany Berlin

0711-7800264 Germany Stuttgart

03-3505-5885 Japan   Tokyo

020-6692333  Netherlands Amsterdam

079-219206   Netherlands Zoetermeer

66803850     Norway Oslo

93-4140122   Spain  Barcelona

94-4157922   Spain  Bilbao

981-266388   Spain  La Coruna

91-5190938   Spain  Madrid

91-4130003   Spain  Madrid

98-5275755   Spain  Oviedo

948-177809   Spain  Pamplona

943-217577   Spain  San Sebastian

95-4280710   Spain  Sevilla

96-3616611   Spain  Valencia

976-212018   Spain  Zaragoza

08-6320224   Sweden Stockholm

01-433-0320  Switzerland Zrich

01179-292037 UK Bristol

0131-5570465 UK Edinburgh

0171-9280771 UK London (South Bank)

0161-9621452 UK Manchester

01926-497855 UK Warwick

1-404-885-5580 US Atlanta, GA

1-617-247-6754 US Boston, MA

1-303-442-0842 US Boulder, CO

1-312-245-0156 US Chicago, IL

1-214-620-9180 US Dallas, TX

1-810-827-7240 US Detroit, MI

1-713-993-7226 US Houston, TX

1-213-687-7247 US Los Angeles, CA

1-305-529-4700 US Miami, FL

1-612-338-3988 US Minneapolis, MN

1-212-644-4153 US New York, NY

1-201-265-0681 US Paramus, NJ

1-215-564-5918 US Philadelphia, PA

1-919-380-4300 US Raleigh, NC

1-314-621-9290 US ST. Louis, MO

1-415-979-0319 US San Fran, CA

1-206-382-0552 US Seattle, WA

1-813-877-1117 US Tampa, FL

1-202-293-5076 US Washington, DC

1-800-933-3997 US fee 800





******************************************************

* IBM Global Network Internet registration phone list

******************************************************

008-811-094    Australia Registration

0660-6832      Austria Registration

1-800-463-8331 Canada Registration

0800-1-1997    Belgium Registration

011-884-2870   Brazil Registration

8001-8278      Denmark Registration

0800-114465    Finland Registration

0590-8561      France Registration

0130-821202    Germany Registration

1-800-709-905  Ireland Registration

1678-72031     Italy Registration

060-228488     Netherlands Registration

0800-105765    New Zealand Registration

800-11783      Norway Registration

900-994443     Spain Registration

020-795181     Sweden Registration

155-9222       Switzerland Registration

0800-614012    United Kingdom Registration

1-800-933-3997 US Registration





		 NOW FOR THE MODEM SET UP LIST

		 -----------------------------





**********************************************

* IBM Global Network Internet dial modem list

**********************************************

Alliance V.32                          AT&F   AT&C1&D2\B1\C5\D0\N3\Q1\V0S7=60

Anchor 2400E                           AT&F   ATE1Q0V1X4&C1&D2S7=30S0=0

Apex PCMCIA                            AT&F   ATE0&K3

Apex V.32, V.32bis Data/Fax            AT&F   ATE0S11=50X4\N7\Q3\V2&C1&D2

Apex 9600 Data/Fax                     AT&F   ATE0S11=50X4\N7\Q3\V2&C1&D2

Arima                                  AT&F   ATE0Q0V1&C1&D2&K3

AT&T DataPort 14.4                     AT&F   ATE0Q0V1X4&C1&D2&R0S11=50

AT&T Model 4000                        AT&F   ATE1Q0V1X1S7=60S0=0

ATI 2400etc                            AT&F1  AT&C1&D2X6S7=60S11=60S9=10S10=18

ATI 2400etc V.42                       AT&F2  AT&C1&D2X6S7=60S11=60

ATI 9600etc                            AT&F2  AT&C1&D2X6S7=60S11=60

Avatech 2400E                          AT&F   ATE1Q0V1X4&C1&D2S7=60S11=55S0=0

BSM Quik Com MNP                       AT&F   AT\Q3\J0\N3%C1&C1&D2S7=60S0=0

Cardinal 2400 MNP                      AT&F   AT\Q3\N3\J0\C1S0=0S7=60S11=55

Cermetek 2400 R/2400 SPC               AT&F   ATE1Q0V1X4S7=60S11=55S0=0

Codex 2264                             AT&F   AT&C1&D2*FL3*XC1*PT0&R0

Compaq Enhanced Int. V.42bis           AT&F   AT&C1&D2X4W1S7=60S11=60&Q5S46=2&K3S36=7

Compaq Enhanced Internal Modem         AT&F   AT&C1&D2X4W1S7=60&Q5S46=2&K3S36=7

CompuCom Speedmodem                    AT&F2  AT*H1\N3\Q3%C1&C1&D1S7=60S11=55S0=0

Default                                AT&F   ATE0Q0S0=0V1X1&C1&D2

Digicom 9624LE                         AT&F   AT*F3

Digicom DSI9624                        AT&F   AT*F3*E1&C1S0=0S7=60S11=55

Digicom DSI9624 Plus                   AT&F   AT*F3*E9&C1S0=0S7=60S11=55

Eagle V.32 Data/Fax                    AT&F   ATE0Q0V1X4&B0&C1&D2&M0&R2*F3

Everex Carrier 96/24                   AT&F   AT\Q3\N3\J0\V1\C1S7=60S11=55

Everex EV941                           AT&F   ATE1V1Q0X4&C1&D2&I1S7=60S11=55

Everex Evercom 24e                     AT&F   ATE1Q0V1X4&C1&D2S7=60S11=55S0=0

Everex Evercom 24e+ (MNP 5)            AT&F   ATQ0V1X4&C1&D2\Q3\C1\N3\J0\V1

Forval IM14400                         AT&F   AT&C1&D2\J0\N3\Q3\V1S7=60S11=55

GVC Super Modem 2400 MNP-5             AT&F   AT\V1%C1\C1\J0\N3\Q3S0=0S7=60S11=60

GVC Super Modem 9600 V.32              AT&F   ATE1V1Q0X4&C1&D2%C1\C1\G0\J0\N3\Q3\V1S11=55S7=60

Hayes Personal Modem 2400              AT&F   ATE1Q0V1X4&C1&D2S0=0

Hayes Smartmodem 2400/2400B            AT&F   ATE1Q0V1X4&C1&D2S7=60S11=55S0=0

Hayes Smartmodem Optima 144 + FAX 144  AT&F   ATE0Q0V1W2X4&Q9S95=46

Hayes Smartmodem Optima 14400FX        AT&F   ATE0Q0V1W2X4&Q9S95=46

Hayes Smartmodem Optima 28800          AT&F   ATB75E0Q0V1W2X4&D2&Q9S37=11S11=50S95=46

Hayes Smartmodem Optima 9600FX         AT&F   ATE0Q0V1W2X4&Q9S95=46

Hayes Smartmodem V Series 2400         AT&F   AT&C1&D2S7=60S11=55

Hayes Smartmodem V Series 9600 V.32    AT&F   AT&C1&D2S7=60S11=55

Hayes Ultima Smartmodem 14400          AT&F   ATE0&D2

Hayes Ultra 14400                      AT&F   AT&C1&D2S7=60S11=55

Hayes Ultra 9600                       AT&F   AT&C1&D2S7=60S11=55

Hayes V Series 2400/2400B V.42         AT&F   AT&C1&D2&K3S7=60S11=55&Q5S36=3

Hayes V Series 9600/9600B V.42         AT&F   AT&C1&D2&K3S7=60S11=55&Q5S36=7

IBM (PNB) 9600 Internal                AT&F   ATE0Q0X4S11=50&C1

IBM 7855 (12000 bps)                   AT&F   ATS0=0E0&M0&AP8&C1&S0#X2)N3)R2)A3)M14&B8N1S25=5

IBM 7855 (9600 bps)                    AT&F   ATS0=0E0&M0&AP7&C1&S0#X2)N3)R2)A3)M14&B8N1S25=5

IBM PCMCIA                             AT&F   ATL3

IBM MWave Windsurfer Adapter           AT&F   ATE0Q0S0=0V1X1&C1&D2\N2%C1

InfoMate 212X/PC                       AT&F   ATE1Q0V1X1S7=60S11=55S0=0

Intel 2400B                            AT&F   ATE1V1Q0X4&C1&D2S11=55

Intel 2400B MNP                        AT&F   AT\Q3\N3\J0\V1\C1S11=55

Intel 2400EX MNP                       AT&F   AT\Q3\N3\J0\V1\C1S11=55

Intel 9600EX                           AT&F   AT\Q3\N3\J0\V1\C1S11=55S7=60

Intel 14400EX                          AT&F   AT&C1&D2S0=0S11=55

Intel 144e external modem              AT&F   ATL0

Intel 144i internal modem              AT&F   ATL0

Intel SatisFAXtion Board               AT&F   AT\C1\N0S11=55

Maxwell Modem 2400PC                   AT&F   ATE1Q0V1X1S7=30S0=0

MegaHertz 14.4 Data/Fax PCMCIA         AT&F   ATE0&D2S11=50

MegaHertz C5144 and C596FM             AT&F1  ATE0

MegaHertz T3144 and T396FM             AT&F1  ATE0

MegaHertz Z3144 and Z396FM             AT&F1  ATE0

MegaHertz EasyTalk 2400                AT&F   ATE1Q0V1X4&C1&D2S7=60S11=55S0=0

MicroCom AX/2400 MNP4                  AT&F   AT\J0\Q3\N3S0=0

MicroCom AX/2400c MNP5                 AT&F   AT&C1&D2M1\G0\J0\Q3\N3S0=0

MicroCom AX/9612c                      AT&F   AT\J0\Q3\N3S0=0

MicroCom AX/9612c-AX/9624c             AT&F   AT\J0\Q3\N3S0=0

MicroCom AX/9624c                      AT&F   AT\J0\Q3\N3S0=0

MicroCom QX 2400t                      AT&F   AT&C1&D2\Q3\N3\V1%C3\C1\J0S7=60

Microcom QX/V.32c                      AT&F   ATV1&C1\Q3\J0%C3&S0&D3X4

MultiTech MultiModem 224/224PC         AT&F   ATE1Q0V1X4&C1&D2S7=60S11=55S0=0

MultiTech MultiModem 224E/224EC        AT&F   ATQ0&E1&E4&E7&E13X4$SB9600$BA0$A1S11=55

MultiTech MultiModem 224E7 V.42bis     AT&F   ATQ0&E1&E4&E7&E13X4$SB19200$BA0$A1S11=55

MultiTech MultiModem V.32              AT&F   ATB0&E1&E4&E7&E13X4$SB19200$BA0$A1S7=60S11=55S0=0

MultiTech MultiModem V.32 EAB V.42bis  AT&F   ATB0&E1&E4&E7&E13X4$SB19200$BA0$A1S7=60S11=55S0=0

NEC N2431/2431C                        AT&F   AT&C1&D2&E1S7=60S11=55<C1T1Q

Novation Professional 2400             AT&F   ATE1Q0V1X3YC0YF1YT0S7=45S0=0

Okidata CLP 296                        AT&F   AT&C1&D2\V1\Q3\J0\C1S7=60

Okidata Okitel 2400 Plus/2400B Plus    AT&F   AT&C1&D2\V1\N3\Q3\J0\C1S7=60S11=55

Okidata Okitel 2400/2400B              AT&F   ATE1Q0V1X4&C1&D2S7=60S11=55S0=0

Okidata Okitel 9600                    AT&F   AT&C1&D2\C1\J0&K3\N3\Q3

PNB (IBM) 9600 Internal                AT&F   ATE0Q0X4S11=50&C1

Practical Peripherals 2400SA           AT&F   ATE1Q0V1X4&C1&D2S7=60S11=55S0=0

Practical Peripherals 2400SA MNP       AT&F   ATE1Q0V1X4&C1&D2\Q3\N3\J0\V1S7=60S11=55

Practical Peripherals 2400SA V.42bis   AT&F   AT&C1&D2

Practical Peripherals PM14400FXMT      AT&F   ATE0Q0V1W2X4&C1&D2&Q9S95=46

Practical Peripherals PM14400FXSA      AT&F   ATE0Q0V1W2X4&C1&D2&Q9S95=46

Practical Peripherals PM9600FXMT       AT&F   ATE0Q0V1W2X4&C1&D2&Q9S95=46

Practical Peripherals PM9600SA V.32    AT&F   AT&C1&D2S7=60S11=55S95=44

Practical Peripherals Practical 2400   AT&F   ATE1Q0V1X4&C1&D2S11=55S0=0S7=60

Premier Innovations P2400 / P2400E     AT&F   ATS7=60

Prometheus 2400 MCT-24I Half-card      AT&F   ATE1Q0V1X4&C1&D2S7=60S11=55S0=0

Prometheus 9600 MNP                    AT&F   AT*F3

Prometheus LineLink 144e               AT&F2  AT&C1&D2

Racal-Milgo RMD 3221                   AT&F   ATX9&C1&D2*F2S7=60S11=55S0=0

Racal-Vadic 2400/PS                    AT&F   AT*F2&C1&D2*E1S7=60S11=55

Racal-Vadic 2400LC                     AT&F   AT&C1&D2*E1*F2*P1S7=60S11=55S7=60S11=55

Racal-Vadic 2400PA Model 2             AT&F   AT&C1&D2X4*E1*L1*Q1*F2*P1S7=60S11=55

Racal-Vadic 2400VP                     AT&F   AT&C1*C1&D2*E1*F2Y1S7=60*Q1S11=55

Racal-Vadic 9600VP                     AT&F   AT&C1*C1&D2*F2Y1*Q1S7=60

Racal-Vadic 9632PA                     AT&F   ATS7=60

Racal-Vadic LC2400PC                   AT&F   ATS7=60S11=55

Stowaway 14.4                          AT&F0  ATE0L3S11=50&C1&D2

Supra Fax V.32bis Internal Modem       AT&F   ATE0LW1X4S11=55

Supra Fax Modem V.32                   AT&F2  ATE0

Supra Modem V.32bis                    AT&F2  ATE0LW1X4

Supra Modem 2400                       AT&F   ATE1Q0V1X4&C1&D2S7=60S11=55S0=0

Sysdyne MDM 24H                        AT&F   ATE1Q0V1X4&C1&D2S7=60S11=55S0=0

Telebit Internal PC Card w/ MNP        AT&F   ATS11=60S51=5S58=2S66=1S95=2

TeleBit QBlazer 9600                   AT&F   ATE0X2&D2S58=2S59=3

Telebit T1000                          AT&F   ATS51=5S11=55S52=1S54=2S58=2S66=1S68=2S95=2S131=1

Telebit T1500                          AT&F   ATS11=60S50=6S51=254S52=1S131=1S58=2S66=1S97=1S106=1

Telebit T1600                          AT&F   ATS11=60S51=253&C1&D2L1X12S58=2S59=15

Telebit T2000                          AT&F   ATS51=5S11=55S52=1S53=1S58=2S66=1S68=2S95=2S110=1

Telebit T2500                          AT&F   ATS11=60S51=254S52=1S131=1S58=2S66=1S97=1S106=1

Telebit Trailblazer                    AT&F   ATS11=60S51=5S52=1S53=1S58=2S66=1

Telebit Trailblazer Plus               AT&F   ATS11=60S51=5S52=1S53=1S58=2S66=1

Telebit Worldblazer                    AT&F   ATE0&C1&D2S11=50S68=2S52=4S58=2S96=1

Twincom 14400                          AT&F   ATE0Q0V1W2X4&C1&K3&L0&D2&Q5&R0%C1

UDS Fastalk V.32/V.42                  AT&F   AT&C1&D2%B9600C%C1\C1\J0\N3\Q3

UDS V.3224/V.3225                      AT&F   AT&C1&D2%B6\N3\C1\J0\Q3\V1

Universal Data Systems Fastalk 2400    AT&F   ATE1Q0V1X4&C1&D2S7=60S0=0

US Robotics 2400PC                     AT&F   ATE1Q0V1X4&C1&D2S7=60S11=55S0=0

US Robotics Courier 2400               AT&F   ATE1Q0V1X6&C1&D2S7=60S11=55S0=0

US Robotics Courier 2400e/ 2400e/ps    AT&F   ATX6&B6&H1&R2S7=60S11=55

US Robotics Courier 2400PC             AT&F   ATX6&B7&H1&R2S7=60S11=55

US Robotics Courier V.32bis with ASL   AT&F   ATE0S11=50&B1&D2&H1&R2

US Robotics Courier V.34               AT&F   ATE0S11=50&B1&D2&H1&R2&A3

US Robotics Dual Standard              AT&F   ATX6&B1&H1&R2S7=60S11=55

US Robotics HST                        AT&F   ATX6&B1&H1&R2S7=60S11=55

US Robotics HST V.42                   AT&F   ATX6&B1&H1&R2&M4&A3S7=60S11=55

US Robotics Sportster 14400            AT&F   ATE0Q0V1X4S11=50&A3&B1&C1&D2&H1&K3&R2

US Robotics Sportster 2400/2400 PC     AT&F   ATE1Q0V1X6&C1&D2S7=60S11=55S0=0

US Robotics Sportster 9600FX           AT&F   ATE0Q0V1X4S11=50&A3&B1&C1&D2&H1&K3&R2

US Robotics TelePath 14.4              AT&F   ATE0Q0V1X4&C1&D2&H1&R2

US Robotics V.32                       AT&F   ATX6&H1&R2&B1S7=60S0=0

US Robotics WorldPort 9600FX           AT&F   ATE0Q0V1X4S11=50&A3&B1&C1&D2&H1&K3&R2

Ven-Tel 212Plus                        AT&F   ATE1Q0V1X1S7=60S11=55S0=0

Ven-Tel 2400 Plus II                   AT&F   AT&C1&D2S7=60S11=55S0=0\N3\Q3%C1\C1\G0\J0\V1

Ven-Tel 9600 Plus / Plus II            AT&F   AT&C1&D2S7=60S11=55S0=0*S0%F2\N3\Q3%C1\V11

Ven-Tel Halfcard                       AT&F   ATE1Q0V1X4S7=60S0=0

Ven-Tel Halfcard 24                    AT&F   ATE1Q0V1X4S7=30S0=0

Ven-Tel Pathfinder                     AT&F   ATS51=5ATS11=55S52=1S53=1S58=2S66=1S68=2S95=2S110=1

Ven-Tel PCM2400E                       AT&F   AT&C1&D2X4E1\N3\Q1\G1\V1S7=60S11=55

Viva 14.4                              AT&F   ATE0S0=0Q0V1X1&C1&D2

Zoom 2400 V.42bis                      AT&F   AT&C1&D2S7=60S11=55S36=7S95=43

Zoom Modem PC 2400                     AT&F   ATE1Q0V1X4&C1&D2S7=60S11=55S0=0

Zoom V.32 14.4                         AT&F   AT&C1&D2

Zoom 9600 V.32bis                      AT&F   AT&C1&D2





th...th...thats all ffolks!! - KK



+++

EOF

=============================================================================

		PHUK MAGAZINE - Phile 7 of 10

=============================================================================



		     PHONE CARDS AROUND THE GLOBE

		     ----------------------------



Here is a list of all the different types of phonecard in the world ...

it comes from an industry mag called "Card Technology Today", a DTP based

A4 magazine which costs a STAGGERING 249 UK Pounds per year for its

photocopied 18 pages !!! Seeing as though they print at the bottom of

EVERY page that "No part of this publication may be copied etc etc", I

thought I'd "contribute" their article on phone cards to PHUK magazine.



			  - Korporate Mole







COUNTRY     SYSTEM      SUPPLIERS           COMMENTS



Albania     -           Alcatel Bell        Trial Card

Algeria     Smart       Gemplus             -

Andorra     Smart       Schlumberger        -

Anguilla    -           GPT                 Caribbean Series

Antigua     Magnetic    GPT                 -

Antigua     Smart       GPT                 -

Ascension   magnetic    GPT, Datacard       -

Argentina   smart       Schlumberger,       Telefonica

						Gemplus

Argentina   Optical     Landis & Gyr        Provinox

Argentina   Magnetic    Urmet               Telecom

Argentina   Smart       Gemplus             Telecom

Aruba       Optical     Landis & Gyr        -

Austria     Optical     Landis & Gyr        -

Australia   Magnetic    -                   Payphonics

Australia   Magnetic    -                   Pay*Tels

Australia   Optical     -                   Telecom

Azerbaijan  Smart       Schlumberger,       -

						Alcatel Bell

Bahamas     Smart       Gemplus             -

Bahrain     Magnetic    GPT                 -

Bangladesh  Magnetic    Urmet               -

Belgium     Optical     Alcatel Bell        -

Belgium     Smart       Alcatel Bell        -

Benin       Optical     Landis & Gyr        -

Bermuda     Smart       Gemplus             -

Bolivia     Magnetic    Tamura              -

Botswana    Smart       Solaic              -

Brazil      Inductive   -                   -

Brazil      Magnetic    -                   Bus cardphone

Brunei      Magnetic    Ascom Autelca       -

BVI (1)     Magnetic    GPT                 Caribbean Series

Burkina     Smart       Schlumberger        -

Burkina     Optical     Landis & Gyr        -

Burundi     Optical     Landis & Gyr        -

Bulgaria    -           GPT                 Betkom

Cambodia    Magnetic    Amritsu             -

Cameroon    Smart       Schlumberger,       -

						Gemplus    

Cameroon    Magnetic    Ascom Autelca       -                   

Canada      -           Landis & Gyr        BTel

Canada      Remote      -                   Bell

Canada      -           -                   Phoneline Int.

Canada      Magnetic    -                   Calgary

Cayman I.   -           Datacard            -

Cayman I.   -           GPT                 -

Cape Verde  Optical     Landis & Gyr        Previously in use

Cape Verde  Smart       Schlumberger        Now in use

CAR (2)     Smart       Schlumberger        -

CAR         Optical     Landis & Gyr        -

Chile       Smart       Gemplus             -

Chile       Magnetic    Tamura              -

China       Magnetic    GPT                 Shenda Telephone

China       -           -                   Shenzen

China       -           -                   Beijing

China       -           -                   Guangzhou

Cyprus      Magnetic    GPT                 -

Czech       Smart       GPT                 Prague CityCard

Colombia    Magnetic    Tamura              Barranquilla

Colombia    Smart       Alcatel Bell        Local Company

Congo       Smart       Schlumberger        Braziville

Cook I.     Magnetic    GPT                 -

Costa Rica  Magnetic    GPT                 -

Costa Rica  Smart       Schlumberger        -

Croatia     Smart       Amper, Gemplus      -

Cuba        Smart       Schlumberger        -

Curacao     Optical     Landis & Gyr        -

Cyprus      Magnetic    GPT                 -

Denmark     Smart       -                   KTAS

Diego G.    Magnetic    Ascom Autelca       Cable & Wireless

Djbouti     Smart       Schlumberger        Chip in AFNOR Position

Dominica    Magnetic    GPT                 Caribbean Series

Egypt       -           Gemplus             Africa Telecom

Egypt       -           Schlumberger        Special Event Cards

Egypt       Magnetic    Amritsu             -

Estonia     -           Landis & Gyr        Estonian Telecom

Estonia     Magnetic    Alcatel Bell        On Trial

EG (3)      Smart       Schlumberger        Chip in AFNOR Position

Falkands    -           Datacard            Cable & Wireless

Falklands   Magnetic    Alcatel Bell        On Trial

Faroes      -           DZ Danmark          -

Fiji        Magnetic    GPT                 Fintel (C&W)

Fiji        Magnetic    GPT                 Post & Telecom NZ

Finland     Smart       Avant               Avant Electronic Purse

France      Smart       Solaic, Gemplus     France Telecom,

						Schlumberger        Chip in ISO Position

France      Smart       Monetel             -

France      Smart       Smart Ingeniere     Private Cardphones

Fr.Poly     Smart       Schlumberger        -

Gabon       Smart       Schlumberger        -

Gabon       Magnetic    Ascom Autelca       -

Gambia      Smart       Schlumberger,       -

						Gemplus         

Gibraltar   Optical     Landis & Gyr        -

Ghana       Optical     Landis & Gyr        -

Ghana       Smart       Schlumberger        -

GB          Smart       Delphic             Cambridge Telephones, plan to

											launch Cardphones & Chipcards

GB          Smart       GPT, Gemplus,       BT start converting all card        

						Schlumberger        and cashphones this year.

GB          Optical     Landis & Gyr        BT, now being phased out.

GB          Smart       Siemens             ACC, private site service

GB          Magnetic    GPT                 Mercury, being phased out

GB          Magnetic    Ascom Autelca       Kite, took over from IPLS

GB          -           GPT                 BR Telecom, railway payphones

Greece      Smart       GPT, Gemplus        -

Grenada     Smart       GPT                 Caribbean Series

Guatemala   Smart       Gemplus             About to be introduced

Guernsey    Smart       GPT                 Guernsey Telecom

Guinea B.   Optical     Landis & Gyr        -

Guinea C.   Smart       Schlumberger        -

Hong Kong   Remote      GPT                 Telecom

Hong Kong   Magnetic    Ascom Autelca       -

Hungary     Smart       GPT, Gemplus        -

Iceland     Smart       Schlumberger        Radiomidun, ship to shore use

Iceland     Optical     Landis & Gyr        -

India       Smart       Aplab, Urmet        SGS-Thomson Module

Indonesia   Magnetic    Tamura              Indonesia Telkom

Iran        Smart       Solaic              Square Centred Contact

Ireland     Smart       Gemplus,            Telecom Eireann

						Schlumeberger       

Ireland     Smart       Gemplus             Superphone, Ferries & Buses

Isle of Man Smart       GPT                 -

Israel      Optical     Landis & Gyr        Bezeq

Italy       Magnetic    Urmet               -

Ivory C'st  Magnetic    Ascom Autelca       CI Telecom

Jamaica     Magnetic    GPT                 -

Japan       Remote      -                   -

Japan       Magnetic    Tamuru, Anritsu     NTT

Jersey      -           McCorquodale, GPT   Jersey Telecom

Jordan      Magnetic    Ascom Autelca?      PTT, withdrawn

Kazakhstan  Smart       Schlumberger        AlmaAta, Trial card

S.Korea     Magnetic    Ascom Autelca       -

Kuwait      Magnetic    GPT, Tamura         -

Latvia      -           Alcatel Bell        -

Lebanon     Smart       Schlumberger        Chip in AFNOR Position

Libya       Smart       Gemplus             Chip in AFNOR Position

Lithuania   Magnetic    Urmet               -

Lux'bourg   Smart       Schlumberger,       -

						Gemplus             

Macau       Magnetic    GPT                 CTM

Macedonia   Smart       Schlumberger        -

Madagascar  Smart       Schlumberger        -

Malaysia    Magnetic    GPT                 Uniphone, smart cards soon

Maldives    Magnetic    GPT                 -

Mali        Optical     Landis & Gyr        -

Mali        Smart       Schlumberger        -

Malta       Smart       Schlumberger        -

Mauritius   Optical     Landis & Gyr        -

Mexico      Smart       Monetel, Gemplus,   Telmex

						Schlumberger,

						Anritsu

Mexico      Smart       Amper, Gemplus,     Telnor

						GPT

Micronesia  Magnetic    Tamura              FSMTC

Micronesia  Magnetic    Tamura              MTC

Monaco      Smart       Gemplus, Solaic,    -

						Schlumberger

Monserrat   Magnetic    GPT                 Caribbean Series

Morocco     Smart       Schlumberger        Alfatel, field trial

Morocco     Optical     Landis & Gyr        For GATT Meeting

Namibia     Smart       GPT                 -

N.Caledonia Smart       Schlumberger        Chip in AFNOR Position

N.Zealand   -           -                   Global Telecom Systems,

											about to launch 1st cards

N.Zealand   Remote      GPT                 Telecom NZ    

Netherlands Smart       Solaic, Gemplus,    PTT Telecom

						SDU                 Payphones accept optical,

											magnetic & smartcards

Netherlands Optical     Landis & Gyr        -

Nicaragua   Smart       Gemplus             -

Niger       Optical     Landis & Gyr        -

Nigeria     Magnetic    Ascom Autelca       -

Nigeria     Smart       Schlumberger,       AVE

						Gemplus     

Norway      Smart       Schlumberger,       -

						Gemplus

Norway      Magnetic    -                   Long Distance railcard

Oman        Magnetic    GPT                 -

Pakistan    -           Landis & Gyr        Telecom Foundation

Pakistan    Smart       Schlumberger        -

Pakistan    Magnetic    Urmet               Telips, partnership with

											Telefon & Int. Payphones

Papua N.G.  Optical     Landis & Gyr        -

Peru        Smart       Solaic              Telepoint

Peru        Smart       Gemplus             Provincial Telco

Peru        Magnetic    Tamura              -

Philippines Magnetic    GPT                 Eastern Telecom

Philippines Magnetic    DZ Danmark          -

Poland      Optical     Landis & Gyr        Trial Cards

Poland      Magnetic    Urmet               Trial Cards

Poland      Smart       Schlumberger        Trial Cards

Portugal    Smart       Schlumberger        Telecom Portugal

Portugal    Optical     Landis & Gyr        Telecom Portugal

Portugal    Smart       Schlumberger        TLP

Puerto Rico -           -                   Puerto Rico Telecom, mainly

											for US islands

Puerto Rico Remote      -                   Trescom, expected shortly

Qatar       Magnetic    Ascom Autelca       -

Romania     Smart       Schlumberger        Rom Telecom

Romania     Smart       Alcatel             -

Romania     Smart       Gemplus             Emcom

Romania     Magnetic    -                   Telefonica Romania, attendant

											operated

Russia      Smart       Gemplus             Moscow cellular Systems                                           

Russia      Smart       Gemplus             St. Petersburg, field trials

Russia      Optical     Landis & Gyr        -

Russia      Magnetic    GPT                 Peterstar, owned with GPT

Russia      Magnetic    GPT                 Nakhoda

Russia      Magnetic    GPT                 Sakhalin Telecom

Russia      -           Alcatel Bell        Combelga, installation soon

Sao Tome    Optical     Landis & Gyr        -

San Marino  -           Urmet               -

Saudi       Magnetic    GPT                 -

Senegal     Smart       Schlumberger,

						Gemplus

Seychelles  Optical     Landis & Gyr        Cable & Wireless

Singapore   Smart       Gemplus, GPT        -

Sierra L.   Magnetic    Urmet               -

Slovakia    Smart       GPT                 Slovakian Telecom

Solomon I.  Magnetic    GPT                 -

Sth. Africa Smart       GPT                 Telkom SA

Sth. Africa Smart       Solaic              Transtel

Sth. Africa Smart       -                   Telkor, International Payphone

											Conference

Sth. Africa -           -                   Transnet Railways

Slovenia    Smart       Gemplus             -

Spain       Smart       -                   CabiTel

Spain       Smart       -                   Telefonica

Sri Lanka   Optical     GPT                 -

Sri Lanka   Magnetic    Anritsu             Sri Lanka Telecom

St Helena   Magnetic    GPT                 -

St Lucia    Magnetic    GPT                 Caribbean Series

St Kitts    Magnetic    GPT                 Caribbean Series

St Martin   Smart       Gemplus             Chip in AFNOR Position

St Vincent  Magnetic    GPT                 Caribbean Series

Sweden      Optical     Landis & Gyr        Stena Link Ferries

Sweden      Magnetic    -                   -

Sweden      Smart       -                   Televerket

Switz'land  Smart       -                   From 1996

Switz'land  Optical     Landis & Gyr        -

Syria       Magnetic    Urmet               -

Taiwan      Opticla     Landis & Gyr        -

Tanzania    -           Landis & Gyr        Trial cards

Tchad       Smart       Gemplus,            -

						Schlumberger

Thailand    Optical     Landis & Gyr        Field Trials

Thailand    Smart       GPT                 Lenso Phone, for International

											Use.

Togo        Magnetic    GPT                 Rumoured to be changing to

											smartcard

Tonga       -           GPT                 -

T&T (4)     Magnetic    GPT                 -

Tunisia     Optical     Urmet               Field Trials

Tunisia     Smart       Schlumberger        -

Turkey      Magnetic    Alcatel Bell        -

Turkey      Optical     Landis & Gyr        -

Turkey      Smart       Schlumberger        Event Card

T&C (5)     Magnetic    GPT                 Caribbean Series

Ukraine     Magnetic    Ascom Autelca       -

Uganda      Magnetic    Tamura              -

UAE         Magnetic    Tamura              -

Uraguay     Magnetic    Tamura              -

USA         Remote      -                   ACI, small new company

USA         Remote      -                   AFSCOM, military

USA         Smart       Schlumberger        Alaska, fish processing plants

USA         Magnetic/   -                   Americtech, Known as Coinsavers

			Remote  

USA         Remote      -                   Ameratel, launch soon

USA         Remote      -                   American Public & Private Comms

USA         Remote      -                   Amerivox

USA         Remote      -                   AT&T

USA         Remote      -                   Bell Atlantic

USA         Magnetic    -                   Bell South

USA         Remote      -                   Cable & Wireless

USA         Remote      -                   Cardcaller, maybe withdrawn

USA         Remote      -                   CCT, minor player

USA         Smart       Schlumberger        Comsat, ship to shore

USA         Remote      -                   Communications Gateway Network

USA         Remote      -                   Connect 1 Comms

USA         Remote      -                   Conquest 6, debit card

USA         Remote      -                   DCD Comms, dialback service

USA         Magnetic    Tamura              FSMTC

USA         Remote      -                   Fone America

USA         Remote      -                   Global Telecomms Solutions

USA         Remote      -                   Gophone/Actionline, uses

											Amerivox system

USA         Magnetic    Tamura              GTE Hawaii

USA         Remote      -                   Metromedia Comms Corp

USA         Magnetic    Tamura              MTC. Nt. Marianna Islands

USA         Magnetic    Tamura              NYNEX

USA         Remote      -                   Peoples Telephone Co, prompts

											in 12 languages

USA         Remote      -                   Phoneline USA

USA         Remote      -                   Phonetime

USA         Remote      -                   Quest Comms

USA         Remote      -                   Select Net

USA         Remote      -                   Sprint

USA         Magnetic    Tamura              Teleconcepts

USA         Remote      -                   Renewal through credit card

											debit

USA         Remote      -                   Telekey, uses 9 languages

USA         Remote      -                   Timemachine, uses autorenewal

USA         Remote      -                   Teletext, uses 9 languages

USA         Remote      -                   Varetic Telecom

USA         Smart       Gemplus             US West

USA         Smart       Schlumberger        US South

USA         Remote      -                   Western Union

USA         Remote      -                   Worldwide Comms

UN          -           -                   Telepax, cards for peace

											related projects

Uzbekistan  Smart       Schlumberger        -

Vatican     Magnetic    Urmet               -

Vanuatu     Smart       Schlumberger        -

Venezuela   Smart       Solaic, Gemplus     CANTV

Venezuela   Smart       Solaic              Yellow Pages

Vietnam     -           -                   Telecom Australia

Vietnam     Smart       Schlumberger        Trials in Hanoi

Vietnam     Magnetic    Sapura              Hanoi City PTT

W&F (6)     Smart       Schlumberger        Chip in AFNOR Position

Yemen       Magnetic    Ascom Autelca       TeleYemen





(1) British Virgin Isles

(2) Central African Republic

(3) Equatorial Guinea

(4) Trinidad & Tobago

(5) Turks & Caicos

(6) Wallace & Fortuna





+++

EOF

=============================================================================

		PHUK MAGAZINE - Phile 8 of 10

=============================================================================



		------------------------------------------

		British Telecom - Computer Security Manual

		------------------------------------------

			Mrs. Brady, of Doncaster

			------------------------



 Sent to us anonymously by someone who wishes only to be known by 

the name of Mrs. Brady of Doncaster .

Run in PHUK as a three part series, here is the second part of 

British Telecom Computer Security manual right up to the bits about 

personal computers and software and data ... which should make you 

all look forward to the next issue of PHUK magazine for the final part

of this classified manual !

 

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++



Personal computers



Contents



5.1   Introduction  . . . . . . . . . . . . . . . . . 5-2

5.1.1 Use outside BT premises . . . . . . . . . . . . 5-2



5.2   Personal security responsibility. . . . . . . . 5-3



5.3   PC and data access security . . . . . . . . . . 5-4

5.3.1 Keylocks  . . . . . . . . . . . . . . . . . . . 5-4

5.3.2 Password protection . . . . . . . . . . . . . . 5-5

5.3.3 Removable disks and cassettes . . . . . . . . . 5-6

5.3.4 Protection of data in memory. . . . . . . . . . 5-6

5.3.5 Hard copy (printouts) . . . . . . . . . . . . . 5-7



5.4   Security of software. . . . . . . . . . . . . . 5-8



5.5   Personal computer communications. . . . . . . . 5-8

5.5.1 Public network access . . . . . . . . . . . . . 5-8

5.5.2 Use of PC as a computer terminal. . . . . . . . 5-9



5.6   Contingeny planning . . . . . . . . . . . . . . 5-10

5.6.1 Archiving and backup. . . . . . . . . . . . . . 5-10



5.7   Flle Servers. . . . . . . . . . . . . . . . . . 5-12



5.1 Introduction



Personal Computers (PCs) are often sited in open plan offices and, as such, are

accessible by many people. In general, PCs and their peripherals can be removed

more easily than other types of computer. Due to these two facts, PCs are more

vulnerable than equipment housed in purpose built accommodation, for example

dedicated computer centres, and so require additional provisions for their

protection.

The following threats are more likely:



o the theft of PC or peripherals,

o the theft or damage to the information stored on the PC,

o accidental or malicious physical damage, and

o the possibility of screens displaying sensitive information being overlooked.



Some deterrent against theft can be offered by clearly marking equipment with

the name and office address of the person responsible for the equipment. The

serial numbers of the equipments should also be recorded.

PC users should pay careful attention to the environment of the machine:



o ensure vents on the PC are not blocked by printout, manuals etc.

o eating, drinking and smoking while using a PC can cause damage to the machine

and should therefore be avoided.



When choosing a site for the machine in an open plan office, ensure that

consideration has been given to the confidentiality required for data on the

machine. In particular ensure that visitors or people outside a building cannot

overlook the screen if sensitive information is displayed.



5.1.1 Use outside BT premises



There are dangers in using PCs outside BT premises, for example, on trains or at

home. These threats include the increased possibility of theft, the likelihood of

onlookers and potential damage by extending access to inexperienced users. An

unprotected communications link may also present a security risk. Managers

must consider carefully whether the risks involved are justified.



POLICY 5.1: USE OF BT COMPUTING EQUIPMENT OUTSIDE BT

PREMISES



Privacy marked or commercially sensitive information shall not be processed

on portable computers anywhere other than BT premises unless the computer

or the information stored therein is adequately protected.



5.2 Personal security responsibility



Fundamental to good security is control. Control of access and resources can only

be achieved by co-ordination. For this reason it is important to distinguish

between the person responsible for a personal computer (PC) and those that use it.

Although the actual assignment of responsibilities for personal computers is a

local management issue, the following issues shall be addressed by the person

nominated as responsible for the PC:



o Physical security of the PC,

o Controlling the access of individuals to the PC,

o Ensuring that users are aware of their responsibilities,

o Controlling external access to the PC (LANs, PSI N etc),

o Backup of software (see contingency planning section),

o Maintain a list of the software and hardware,

o Co-ordinate maintenance engineers access,

o Regular audit of PC hardware and software against licences held.



The users of the PC should be made aware of their responsibilities by the person

who controls the PC. Authorisation should only be granted if the proposed user

accepts the responsibilities in writing.

The responsibilities of the users must include:



o To use only legitimate authorised and licensed socware from a proven source,

o To ensure that no sensitive data is put on the hard disk (unless it is equipped with

appropriate protection),

o To ensure that they take backups of their data at appropriate intervals,

o To read and abide by the guidance of the Computer Security Manual and the

Information Security Code.



Where the person responsible for the machine is also the user of the machine, the

duties of audit and checking outlined above fall upon that individual's line manager

or nominated representative.



POLICY 5.2: CONTROL OF PERSONAL COMPUTERS



Every personal computer shall have a named individual who is responsible for

controlling its use.



The owner must maintain a list of sensitive data in a secure place, in addition to

the list of applications. The degree of compromise should local data be lost must

be known.

Any user who stores sensitive data on servers used by the PC must never assume

that backups are being done. It is incumbent upon the user to verify the server

conditions.



5.3 PC and data access security



Many PCs are sited in open-plan offices and there may be no particular physical

security measures to restrict access to the processor, network features or

peripherals. For this reason, care needs to be exercised over the use of the PC and

access to the data. The criteria for choosing suitable controls should be the

sensitivity of the data processed, and the physical environment (who may have

physical access to the PC).



To assess the sensitivity of the data it is necessary to consider the effect of a loss

of confidentiality (to competitors, to the press, to other employees etc.); the effect

of inaccurate data or incomplete data, and the effect if data on the PC were

unavailable. The implications of the Data Protection Act and other legislation and

regulatory issues should also be considered.

The security principles to be borne in mind are:



o Need to know,

o Need to modify,

o Individual responsibility, and

o Accountability.



To enforce these security principles access to the PC, and more importantly to

data must be controlled. It is important to segregate data into compartments so as

to ensure that the security principles can be enforced. This can be achieved by use

of removable disks, or by encryption of individual files on a hard disk.



While it is not always practicable for PCs to be locked in a room if they operated

unattended, access to their contents must be restricted. Without adequate

protection, the PC, the data it is processing, and networks to which it may be

connected are at risk not only from unauthorised access but also accidental or

deliberate corruption.



An unprotected and unattended PC is vulnerable to being used to run

unauthorised software, for example games, which may carry a computer virus.

Some security can be achieved by:



o provision of key locks to safeguard internal pre-set hardware,

o physical locks to prevent use of the floppy disk drive,

o hardware-based password protection invoked during the startup procedure,

o an add-in hardware assisted access control protection device,

o hardware-based data encryption,

o removable hard-disks.



5.3.1 Key locks



A PC may have a key lock built into it. Some of these locks give a degree of

security by disabling the processor power unit. Others may simply disable the

screen or keyboard.



There is also a (somewhat limited) range of external locks for most PCs. These

locks can be fitted over the mains and auxiliary power switches to the processor

thus preventing unauthorised operation of the computer and providing safeguards

against theft of hard disks, plug-in cards and the system unit.



Lockable devices may also be fitted over, or into, the floppy disk unit so guarding

against loading of unauthorised software.



5.3.2 Password protection



There are numerous proprietary packages available which control access to the

PC operating system and disk storage by means of a user ID and password

system. Some of these packages depend on the installation of a plug-in card within

the PC, others are totally software-controlled. In some cases encryption of files on

the hard disk is an option, however the following points must be considered

before using this facility:



o whether or not the password protection can be circumvented,

o whether the method of encryption (the algorithm) is strong enough,

o whether the danger exists that encrypted files could accidentally or deliberately

become corrupted and irretrievable.



For technical guidance, refer to Chapter 10 for contacts.



5.3.2.1 Protection of data on non-removable disks



Files resident on fixed disks are particularly vulnerable. Unless an encryption

system approved by the Director of Security and Investigation is used or the PC is

protected by other suitable means, sensitive data must not be stored on

non-removable disks.



Many application programs used on personal computers use the (often larger and

faster) non-removable disk to temporarily store user data automatically, even if the

file being edited is being held on removable media After processing, the

temporary files are deleted from the disk; the data, however, remains intact until

the space it is occupying is ovenvritten by another file. Many word-processing

packages and similar programs produce back-up files and these also need to be

erased.



PCs on which has been loaded unknown or unauthorised software are particularly

vulnerable to attack by a Trojan Horse which may copy software or sensitive data

in a way that is unobserved and unknown by the usual PC user. Trojan Horse

software is often distributed by means of a computer virus.



Files deleted from disks, for example with the DOS DELETE command can be

easily recovered as only the directory entry is amended to indicate the disk space

is free for reuse; the data remains intact on the disk until it is overwritten. To

completely delete a file it must be erased by overwriting it with zeros or a random

data pattern. For increased privacy, this may need to be performed several times

in succession. There are third-party programs available to do this.



Files stored on file servers, such Novell's Network Operating System (NOS),

when deleted, are actually moved to a 'deleted' directory, still accessible by system

administrators. These files are not fully deleted until the Deleted directory space

is exhausted. Administrators should set up procedures for the automatic deletion

of these files. Copies may also exist on backup tapes.



Should a non-removable disk, or a PC containing a non-removable disk, require

maintenance, special precautions may be necessary to render unusable any

information contained on the disk. If an approved encryption system is used on a

non-removable disk, the privacy marking then applies only to the encryption key

protecting that information. If the information is very sensitive, it may be

appropriate to destroy the disk using destruction procedures approved by the

Director of Security and Investigations. See also Software And Data: Disposal Of

Media for policies on this subject.



POLICY 5.3: STORAGE OF DATA ON NON-REMOVABLE DISKS



Any personal computer fitted with a non-removable disk and containing privacy

marked information shall be handled and stored accordingly. IN

CONFIDENCE data shall be protected by an approved software access control

and IN STRICTEST CONFIDENCE data protected by a hardware based access

control and encryption system approved by the Director of Security and

Investigation.



POLICY 5.4: SENSITIVE DATA PROCESSED ON A PERSONAL COMPUTER



When using a personal computer with a non-removable disk to process

sensitive information, even if the data is held on a removable disk, the

non-removable disk shall be assumed to contain sensitive information, and be

treated appropriately.



5.3.3 Removable disks and cassettes



All disks and cassettes must be put away when not in use. To guard against

extraneous magnetic influences they should be stored away from any electrical

equipment. Any removable media which contain sensitive information should be

clearly labelled with the appropriate privacy marking. If sensitive information is

being held they must be locked away in a suitable cabinet or drawer appropriate to

its privacy marking. Lockable plastic disk cases by themselves are not sufficient

protection.



CSM Policy 7.17: MARKING OF MEDIA applies.



5.3.4 Protection of data in memomy



Random Access Memory (RAM) is the PC's working memory. It holds the

programs currently running and the data currently being processed.

Frequently-accessed data on a floppy or non-removable disk may be loaded into

RAM to improve access time. When the PC is powered off, RAM is normally

erased. On some PCs, however, data in RAM is saved when the power is turned

off, and can be reloaded when the power is turned on again.



Some multitasking Operating Systems (OSs), such as UNIX in all its variants,

OS/2 and Microsoft Windows manage virtual memory areas on a per process

basis. When free memory becomes low on such systems, parts of memory are

written out to a special disk area managed by the OS. The data remains on disk

and can be accessed by persons familiar with the OS.



Some OSs also generate memory dumps when the system malfunctions, at which

point some, if not all, of memory is written out to disk before the system goes

down. It may, under certain circumstances, be advantageous to make this

information available to vendor representatives to help debug the problem, but the

security implications associated with doing this must be assessed.



If sensitive data is held on a PC and the operating system uses virtual memory, or

RAM, is saved when the PC is powered off, then the person responsible must

protect the PC in accordance with Policies 5.3 and 5.4.



POLICY 5.5: RANDOM ACCESS MEMORY



Where there is a possibility that an unauthorised person may have gained

access to an unattended Personal Computer, it shall be switched off to clear

volatile memory.



PCs containing non-volatile memory shall be protected as though they

contained a non-removable disk.



5.3.5 Hard copy (printouts)



Where resources such as printers are shared, or several are available, special

precautions should be effected to ensure privacy marked material is not seen by,

or delivered to an inappropriate person.



Printout should always have the appropriate privacy marking clearly displayed at

the top and bottom of each page and handled in accordance with the appropriate

rules in the Information Security Code. Partial printouts, perhaps resulting from

failures or aborted print runs, should be disposed of in accordance with their

intended privacy marking. Note that many printers contain a memory which holds

information used for printing. In the event of failure during a print this information

may remain in memory until the printer is powered off.



Because some personal computers (and dumb terminals) offer the facility to take a

printed copy of the contents of the screen (for example, screen dumps or print

screen), each screen displayed should contain the sensitivity marking for that

information.



It should be noted that most laser printers hold a copy of the last printed page on

the laser printer drum and that it is a relatively easy task to read this page of

information directly from the drum.Therefore, whenever particularly sensitive

information is printed on is type of device, the user should consider printing a

full page of non-sensitive text in order to overwrite the previous page.



POLICY 5.6: MANAGEMENT OF PRINTERS



A Procedure shall be prepared and implemented when a shared or networked

printer is used for producing privacy marked material.



Printing over networked printers introduces additional possibilities for the

compromise of sensitive information. The network, comprising both the hardware

and software, maintains buffers for information to be printed. In some cases the

data remains in the buffers after printing has occurred. The buffers may be

accessed by unauthorised users or by mistake and data compromised. Sensitive

information should only be printed to approved print locations where an analysis

has been done on the security risks.



5.4 Security of software



Only legitimate (licensed) authorised copies of software from reputable sources

supplied by a secure distribution mechanism should be used on PCs.



Any software from colleges etc, legitimately used by BT students, for instance,

should be checked for hazardous code before loading as this is a potential source

of viruses or untrustworthy software.



Computer games are recognised as a source of computer viruses and their use is

explicitly forbidden.



POLICY 5.7: PUBLIC DOMAIN AND OTHER UNTRUSTWORTHY

SOFTWARE



Public domain and other untrustworthy software shall not be held or used on

BT's personal computers. Exemptions to this policy may only be granted by the

Director of Security and Investigation if there is a proven operational need.



POLICY 5.8: GAMES



Games shall not be used on BT's personal computers. Games must not be

loaded onto BT's personal computers except where they come as part of a

legitimate business sofhvare package and there is no facility for not installing

the games. Exemptions to this policy may only be granted by the Director of

Security and Investigation if there is a proven business need.



5.5 Personal computer communications



PCs are capable of connection by means of modem cards and interface cards to

the PSTN, Local Area Networks and other computers by various means. The

connection of a PC to a network introduces additional threats to both the PC and,

in some instances, the network. Although the chapter on Networks and

Communications covers this topic in depth, this section considers the subject in

the context of personal computers.



5.5.1 Public netvork access



In general communication sessions controlled externally to the PC from the public

network should be avoided. Where network access is unavoidable, strict controls

should be applied.



5.5.2 Use of PC as a computer terminal



Most PCs are capable of emulating various types of terminal, either by the use of

sohware packages or the installation of an extension board. When used in this

mode the PC appears to the mainframe processor as if it were the appropriate

terminal type but it also retains the capabilities of a PC.

As a consequence of the above, three major threats to security arise as follows:



1 programmable interrogation,

2 storage playback capability,

3 bridging of communication capability to other systems.



5.5.2.1 Interroga1ion and storage



Fixed mode (dumb) terminals can only interrogate and search authorised

transactions at a rate which is limited by the human operator. The results would

normally have to be transcribed from the VDU or printed on a slave printer. A PC,

on the other hand, could be programmed to carry out a range of interrogations,

examine the resultant responses and store the details of any transactions which

satisfy predetermined criteria.



Once a procedure is established this exchange can take place at speeds which are

limited only by the speed of the communications interface and a great deal of

information could be sifted in a short period. When used legitimately this is

considered to be a authorised use of PC power. However the security of the

system may rely to some extent on the (perhaps limited) rate at which information

can be extracted.



5.5.2.2 Connection to other systems



Suitably equipped PCs could connect to a mainframe computer and a public access

or BT-private network at the same time. Although the capability may seem

attractive to the PC user, the administrator of the mainframe computer might view

the potentially increased user community that may gain access to his system with

some trepidation. It could be the view that, if incorrectly managed, such a PC

could act as a switch or slave processor in order to connect the two. Thus an

unanticipated method of communication could be established which would allow

remote access from an unauthorised location and so constitute a breach of

security particularly if the PC were left on all day.



Similar concerns might be raised if the PC were to be simultaneously connected to

two networks, for example, the PSTN and a BT internal network.



It will be frequently both convenient and operationally legitimate to substitute a

PC for a terminal device in order to limit the items installed on the desk-top and to

streamline procedures. In recognition however of the risks to security, any

proposal to substitute a PC for a terminal device must have the approval of the

appropriate network or systems administration. They, in turn, must satisfy

themselves with regard to the additional risks which might arise as a consequence

of either enhanced interrogation or extended communication.



POLICY 5.9: PCs USED AS TERMINALS FOR SYSTEMS



A PC shall be used as a terminal for a BT system if, and only if, the use of a PC

has been permitted in the Security Policy Document of that system.



POLICY 5.10: PCs CONNECTED TO SYSTEMS



A PC shall not be connected to more than one system at a time unless approval

has been granted by the administrators of those systems.



5.6 Contingency planning



The business is dependent for its functions on information of which a greater

amount is being stored and processed on PCs. There is now, therefore, a business

imperative to ensure that information on PCs is available when the business needs

it. PC users should evaluate the needs of the business process supported by

information on PCs, and ensure that these requirements can be met, even if there

is a computer or disk failure.



Mistakes are made and machines can fail, either potentially leading to corruption

of data or software. Measures must be taken so that when corruption does occur,

service can be restored with the minimum of inconvenience and cost to the

business. The following are measures can be taken to reduce the impact of such a

failure.



5.6.1 Archinng and backup



Data and/or software should periodically be copied to removable media for one of

several reasons:



o in order to ensure that data is not lost in the event of a failure (BACKUP),

o to free up the space occupied when the information is no longer required for

immediate access (ARCHIVE), or

o because the information must be retained for some time to meet legal obligations

(ARCHIVE).



The software and hardware products needed to achieve the above are usually

identical; only the strategy of their use changes. Neither a backup nor archive is of

any value unless it can be demonstrated that the information can be recovered

reliably.



Data held on non-removable disks should be backed-up regularly, perhaps daily or

weekly depending on usage and criticality. The backup might be of the whole

system or only of those parts that have recently changed - an 'incremental backup'.

The copy should be stored either off-site or in a fire resistant cabinet, suitable for

its level of sensitivity.



There are four methods by which archive or backup copies of a system can be

taken:



Utility software

Most PCs have a software facility on the system disk to back-up and restore files to

and from a floppy disk. The process is time consuming but there is no other cost

except that of the floppy disks used.



Note there are compatibility problems between differing versions of the DOS

BACKUP and RESTORE utility programs such that may it impossible to restore

files written using one version of BACKUP using a version of RESTORE from a

different vendor or different version of DOS. For this reason, it is advisable that a

copy of the RESTORE program is kept with the backup or archive.



2 Third-party archive sofare

Off the shelf software is available that enables files to be copied onto floppy disks

or a tape streamer. This software is often considerably faster than using the utility

software that came with the operating system, it is more flexible, and usually more

reliable. There is a small charge for this software.



3 Tape streamer

This is a separate item of equipment and often is supplied with the software to

drive it. Though the cost of a tape streamer is not insignificant, it can usually be

justified in the savings in time and floppy disks. Remember that a complete backup

of an 80% full 40Mb hard disk will use well over 30 720Kb floppies or in excess of

60 360Kb floppies. The task may take over an hour and is often used as the excuse

why a backup was not taken after the disk crashed!



A tape streamer is essential equipment where several users share a file-server on a

LAN. The capital cost can be spread amongst all of the LAN users, and all user

files can be copied at once.



4 External disk drives

External disk drives are available for many machines and can be used as a means

of archiving. Though fast, they are sometimes neither rugged nor particularly

economical. Iis situation may change with the introduction of high capacity

floppy disk drives.



Should any of the information copied for backup or archive purposes be in

encrypted form, it is prudent to retain a copy of the cryptographic key so that the

information can be recovered. The cryptographic key should be kept securely

because it may be used to gain access to both the backup/archive and the original

information still on the PC.



5.7 File Servers



File Servers on Local Area Networks pose similar security problems to PCs, due

to the fact that they are often sited in open plan offices, are small and are

accessible by many people. If privacy marked information is held on a LAN server

then precautions must be taken to safeguard that data.



POLICY 5.11: FILE SERVER SECURlTY



File servers shall be protected in accordance with the sensitivity of the

information they contain, either through physical access controls, or through

logical controls. Policies 4.6 and 5.3 refer.



User access to computers



Contents



6.1    Introduction  . . . . . . . . . . . . . . . . . . . 6-3



6.2    Regulating access to computers. . . . . . . . . . . 6-3

6.2.1  Identification and authorisation principles . . . . 6-3

6.2.2  Logical access control packages . . . . . . . . . . 6-4

6.2.3  Siting of terminals . . . . . . . . . . . . . . . . 6-4

6.2.4  Intelligent terminals . . . . . . . . . . . . . . . 6-4



6.3    Identification  . . . . . . . . . . . . . . . . . . 6-4

6.3.1  User identification . . . . . . . . . . . . . . . . 6-5

6.3.2  Terminal identification . . . . . . . . . . . . . . 6-5



6.4    Passwords . . . . . . . . . . . . . . . . . . . . . 6-6

6.4.1  Password management . . . . . . . . . . . . . . . . 6-6

6.4.2  Password selection. . . . . . . . . . . . . . . . . 6-6

6.4.3  System passwords. . . . . . . . . . . . . . . . . . 6-7

6.4.4  Password secrecy. . . . . . . . . . . . . . . . . . 6-7

6.4.5  Dual passwords. . . . . . . . . . . . . . . . . . . 6-7

6.4.6  Preprogramming of passwords . . . . . . . . . . . . 6-7

6.4.7  Computer storage of passwords . . . . . . . . . . . 6-8

6.4.8  Password change . . . . . . . . . . . . . . . . . . 6-8

6.4.9  Administrator control of passwords. . . . . . . . . 6-8

6.4.10 Manufacturer's installed UIDs and passwords . . . . 6-9

6.4.11 Software maintenance by third parties . . . . . . . 6-9

6.4.12 Password transmission . . . . . . . . . . . . . . . 6-9



6.5    Limitations of password security. . . . . . . . . . 6-10

6.5.1  Weaknesses  . . . . . . . . . . . . . . . . . . . . 6-10

6.5.2  Random one-time passwords . . . . . . . . . . . . . 6-10

6.5.3  Challenge systems . . . . . . . . . . . . . . . . . 6-10



6.6    Logging on. . . . . . . . . . . . . . . . . . . . . 6-11

6.6.1  Welcome screens . . . . . . . . . . . . . . . . . . 6-11

6.6.2  Silent logon  . . . . . . . . . . . . . . . . . . . 6-11

6.6.3  Log on security . . . . . . . . . . . . . . . . . . 6-12

6.6.4  Prescribed warning screen . . . . . . . . . . . . . 6-12

6.6.5  Log on failure conditions . . . . . . . . . . . . . 6-12

6.6.6  Repeated log on attempts. . . . . . . . . . . . . . 6-12

6.6.7  Recording access attempts . . . . . . . . . . . . . 6-13

6.6.8  Last access . . . . . . . . . . . . . . . . . . . . 6-13

6.6.9  Unauthorised access . . . . . . . . . . . . . . . . 6-14



6.7    Logging off . . . . . . . . . . . . . . . . . . . . . . 6-14

6.7.1  Terminal inactivity . . . . . . . . . . . . . . . . . . . . 6-14

6.7.2  Prolonged activity . . . . . . . . . . . . . . . . . . . . 6-14



6.7.3  Link interruption . . . . . . . . . . . . . . . . . . 6-14



6.8    User privileges . . . . . . . . . . . . . . . . . . . 6-15

6.8.1  Privilege table establishment . . . . . . . . . . . . 6-15

6.8.2  Facility privileges . . . . . . . . . . . . . . . . . 6-15

6.8.3  Function privileges . . . . . . . . . . . . . . . . . 6-16



6.9    Access to user files. . . . . . . . . . . . . . . . . 6-16

6.9.1  Implementation of logical access controls . . . . . . 6-16

6.9.2  Default privileges. . . . . . . . . . . . . . . . . . 6-17

6.9.3  Password control of file access . . . . . . . . . . . 6-17

6.9.4  Encryption of files . . . . . . . . . . . . . . . . . 6-17



6.10   Customer access to BT computers . . . . . . . . . . . 6-17



6.11   Contractors . . . . . . . . . . . . . . . . . . . . . 6-18

6.11.1 Software development by third parties . . . . . . . . 6-18

6.11.2 Operational activities by third parties .  .  .  .  . 6-19



6.1 Introduction



The Computer Misuse Act 1990, has been in force in the United Kingdom since

August. This law makes the unauthorised access to, and misuse of computer

facilities a criminal offence.



No amount of legislation will actually prevent unauthorised access and misuse of

facilities. This chapter offers guidance on methods that may be employed to

reduce or eliminate unauthorised access.



Access to computers by users, in contrast to system operators and maintainers will

normally be via a terminal device. It can vary from a simple Visual Display Unit

(VDU), a sophisticated Personal Computer (PC), or a workstation. In order to

regulate access, it is essential that controls are exercised which are capable of

identifying both the source and origin of each session.



POLICY 6.1: COMPUTER MISUSE ACT 1990



It is a criminal offence for an unauthorised person to attempt to access systems

or information within systems, or to attempt to exceed the computer facilities

and privileges granted to them. Wherever possible, BTwill prosecute using the

Computer Misuse Act 1990.



6.2 Regulating access to computers



Logical access control and associated audit trails and logs provide essential

deterrents against abuse of privilege by authorised system users.



The unauthorised testing of the security controls of an operational system is

expressly forbidden.



POLICY 6.2: OPERATIONAL SYSTEM PENETRATION TESTING



The testing of the security controls of an operational system shall only be done

under strictly controlled conditions. All testing shall be carried out in

accordance with a written schedule. Prior approval of the Director of Security

and Investigation shall be obtained.



6.2.1 Identification and authorisation principles



To prevent unauthorised individuals attempting to access computer systems,

identification and authentication controls of users are necessary. The most

common practice is to use identifiers and passwords when logging onto the

computer system. Other methods such as keys, badges, and smart cards can also

be used effectively. Other techniques are possible (for example,

challenge-response systems) using some form of personal token. Specialist advice

should be sought on the security characteristics of proposed systems prior to their

adoption.



6.2.2 Logical access control packages



For some major operating systems, special purpose access control packages are

available. These provide degrees of protection by ensuring that all users are

positively identified and only granted access to the system resources and files for

which they have previously been authorised.



The packages frequently complement the standard operating system by exploiting

hooks or by the replacement of standard routines and log details of all accesses for

later analysis. They may or may not identify that the data has been seen or

changed.



Before implementing any security enhancement package it should be thoroughly

evaluated to ensure it meets the operational requirement.



6.2.3 Siting of terminals



Terminal devices must be sited so that they cannot be easily overlooked by

unauthorised individuals. This is especially important when it is necessary to site

terminals in reception areas, telephone shops or other public places. Customer

information displayed on a screen which can be overlooked by the public or even

unauthorised employees potentially constitutes a breach of Data Protection

Legislation, Section 45 of the Telecommunications Act 1984, and the Code of

Practice on Disclosure of Customer Information. The inadvertent disclosure of

logon details may also result.



When it is operationally necessary to site a terminal in a public area, it must be

screened so that it can only be viewed by authorised employees. If this is not

practical then serious consideration must be given to the benefits derived weighed

against the possible risk of irregular divulgence of information displayed on the

screen.



The communication links for terminals in public places should be adequately

protected from the threat of tampering and rerouting.



POLICY 63: SITING OF REMOTE TERMINAL



Terminals in public view but not for public access shall be sited carefully, and

particular attention shall be given to their physical security and

communications links.



6.2.4 Intelligent terminals



Special care must be taken if ever a 'dumb' terminal is replaced by one with local

processing power, for example, a personal computer. Iis subject is covered in

detail in the chapter on Personal Computers.



6.3 Identification



Identifiers are used to keep track of, and control the use of system resources.

Users and terminals may both have identifiers which can be used for the purposes

of auditing.



6.3.1 User identification



Each user of a computer system should have an exclusive user identification

(UID).



o UIDs are used to uniquely identify users and their associated characteristics

(access rights, capabilities, time based access and control privileges) to permit the

correct allocation of resources,



o UIDs provide a means of recording system usage



o UIDs should be allocated to individual users to permit unambiguous identification

in the interests of accountability. They should not be shared among groups of

individuals and may be constant as long as the user is authorised on the system



o UIDs are not usually confidential (indeed in some systems users can obtain lists of

UIDs) and security must never depend solely on the user's ability to provide a

valid UID.



POLICY 6.4: UNIQUE USER IDENTIFIER



Each user of a multi-user system shall be uniquely identifiable to that system.



A network of computers that allows remote processes access to information on

any of the networked computers must also maintain unique user identification

for users, unless other means of security are implemented, for example by

disabling the facility for cross-machine recognition of UIDs. Separate UID

naming strategies for each machine can greatly assist in ensuring uniqueness.



6.3.2 Terminal identification



Each terminal authorised to access the system may also have a Terminal

Identification (TID) built into it which is automatically communicated to the host

during log on. The system may then check that an attempted access comes from a

bona fide source at the correct physical location, and by comparing the signalled

TID with the UID of the user, may confirm an appropriate match.



TIDs should not be implemented alone since this does not assist accountability.

Moreover as a security measure they are rather limited. It is difficult to engineer

an unmodifiable TID into a terminal and TIDs may also become known in which

case they can be simulated.



Terminal identification can also be by means of physical access controls such as

locks or removable badges and keys. In this case a code may be transmitted

automatically by the terminal over the communications link at the beginning of

every message. Any badges or keys must be removed when the terminal is not in

use and securely stored.



POLICY 6.5: TERMINAL IDENTIFERS IN A NETWORK



In the design of systems, the use of terminal identities shall be considered

where technically feasible.



On some systems, source identification uniquely identifying the device and user,

for example, based on Kerberos, can be implemented. These systems provide a

very secure mechanism for forming a closed network of systems and users.



6.4 Passwords



The knowledge of a password is sometimes used as corroborating evidence that

the accessor is entitled to the facilities associated with a particular UID.

Passwords must be allocated on an individual basis and not be shared.



6.4.1 Password management



To afford reasonable protection against unauthorised access, passwords should be

a minimum of six characters long, with at least one non-alphabetic. Passwords

used for system privileges should contain at least eight characters. It is desirable

that the system software should check for too simple a combination such as all the

same characters. There is an advantage in allowing a range of password lengths

(down to the prescribed minimum) since this makes searching by adversaries

harder.



POLICY 6.6: PASSWORD MANAGEMENT



Passwords to systems shall be properly managed so that:



o They are not easily guessable,



o They are changed at least every 90 days,



o They are at least 6 characters long for user access and at least 8 for system

privilege access,



o Preferably they consist of all the possible character set,



o They contain at least one non-alphabetical character,



o They cannot be easily changed back to previously used passwords,



o They cannot be easily exhaustively searched (unless denial of service is a

threat),



o They are not echoed to screens or paper,



o They are not written down, except if treated with appropriate security levels to

protect their confidentiality, integrity and accountability, and where there is a

valid business reason



o Not related to the UID,



o They are not related to the identity of the user.



6.4.2 Password selection



Users should be permitted to select their own passwords since these are more

easily remembered but users must be warned against guessable or predictable

values. The system should check that all passwords are not one of the 'standard'

or guessable words that an adversary would try, for example, password the same

as the UID.



Meaningful terms such as SYS or SYSTEM, initials, Christian names, car

registration numbers and the names of spouses are all popular choices for

password and are worthless from a security viewpoint, as are certain popular

words such as FRED.



The more common or computer-relevant meaningful words of the English

language are also to be avoided. There are surprisingly few of them - perhaps only

4000, and many cases exist of hackers breaking a system by simply trying a few

hundred of the most likely words one after another.



Password strength is greatly enhanced by the selection of non-meaningful

character combinations. An adversary is far less likely to guess a password such as

XAC/9 than ANDREW although initial memorisation may be more difficult.



6.4.3 System passwords



An extra level of security is obtained if users are required to enter a system

password prior to and as well as their own selected application password. System

passwords provide the additional facility of rapid lock-out of groups of users if

need be.



System passwords must never be used as a substitute for personal passwords.

They must be chosen in line with the password generation guidelines and be

controlled by the systems administrator.



6.4.4 Password secrecy



Users must be properly briefed on the importance of the correct use of passwords

and that they have a responsibility to safeguard them.



All passwords should be assumed to be as valuable as the system or information to

which it can be used to gain access. If the password is written down, the text

should be protected accordingly. A password should not be disclosed to others

nor should it ever be entered at a terminal when others are in a position to watch

so closely as to deduce the password.



When a password is used to gain access to a system or entered for the purposes of

password change, the password text must be obscured either by overprinting, in

the case of hardcopy local echo terminals, or the echo suppressed where

full-duplex communications are used between the terminal and the host.



6.4.5 Dual passwords



Under some circumstances, business transactions might be so important that no

one individual may be permitted to initiate the transaction by themselves. If these

transactions are actually carried out by computer then a way must be found to

ensure that two people are present to 'authorise' the transaction and be

responsible for it. One approach is to ensure that system accounts that have the

privilege to initiate such transactions need two passwords to access them. An

alternative approach might be to have one long password formed by the

concatenation of two shorter passwords. Other schemes could be devised.



6.4.6 Preprogramming of passwords



Storage of preprogrammed passwords or entire logon sequences on intelligent

terminals or function keys or stored files is extremely dangerous practice and is

forbidden unless the circumstances have been agreed by the Director of Security

and Investigation. Any brief unauthorised access to the terminal or stored data will

then permit the password to be compromised.



POLICY 6.8: PREPROGRAMMING OF PASSWORDS



The automation of entire logon sequences is expressly forbidden except with

the permission of the Director of Security and Investigation.



6.4.7 Computer storage of passwords



Users' passwords should be under their own control and should not be available

from the system to anybody else including operational or maintenance staff.



To this end it is highly desirable that the computer logon procedures use one-way

encrypted password files. This means that passwords are stored in irreversibly

encrypted form within the computer.



Passwords entered by users at logon are encrypted using the same algorithm, and

the two encrypted forms are checked for a match to prove authentication.



The encryption algorithm must however be strong and guidance must be sought

from The Director of Security and Investigations, since some password encryption

systems have been found to be very weak indeed.



6.4.8 Password change



The system should ensure that all passwords (individual and system) are changed

regularly. Passwords should be changed at least every 90 days.

Password change may be enforced by:



o forcing users to change their passwords after a given period, or

o allowing users to change their passwords at will ess desirable since less reliable),

o or preferably both.



The change of existing passwords should involve a verification of the user's

identity on the basis of the existing password and double entry of the proposed

new password as a check against input errors. The system should not permit an

old password to be used again until at least a certain number of different new

passwords have been registered.



Where forced password change is not implemented the system should record the

date of last change to permit identification of users not complying with security

requirements. If there is a possibility that a password has been compromised, it

must be changed immediately.



6.4.9 Administrator control of passwords



It should be possible for the system administrator to force a user's password to a

value of the administrator's choosing in the event that a user genuinely forgets his

or her password. However neither the administrator nor anybody else should be

able to obtain the value of a current password from the computer.



As an alternative, stronger security is obtained (at slightly greater administrative

cost) if password forcing is simply not allowed. In this case forgetting a password

compels full reauthorisation.



POLICY 6.21: UID EXPIRY



When a UID remains unused for greater than 60 days, it shall be disabled.



6.4.10 Manufacturer's installed UIDs and passwords



Manufacturer's installed UIDs and passwords present at equipment and software

delivery must be changed to user-selected values as soon as practicable since the

manufacturer's choice of values may be standard and well known.



It is also essential that passwords are changed after every visit by the

manufacturer or computer servicing agency to remove the danger of passwords

becoming known to contractors. Care must be taken when the system is reloaded

and upgraded that any manufacturers passwords are not reinstated.



POLICY 6.9: MANUFACTURERS PASSWORDS



Manufacturer installed passwords shall be removed and replaced with new

passwords in operational systems.



6.4.11 Sofware maintenance by third parties



Systems requiring access for software maintenance by non-BT personnel should

not permit total system software and data file eedom to the contractor.

Maintenance should only be possible at agreed times and under BT supervision.

Sensitive data should, if necessary, be removed from the system prior to

maintenance.



Some computer vendors encourage remote access to their customers computer

systems via the PSTN for the purposes of fault diagnosis. If this option is taken,

access must be very strictly controlled since large quantities of information could

easily be made available, perhaps by means of uncontrolled software dumps.

Access to the system should be controlled manually, for example using a port

configured for outward dialled calls only with incoming calls barred. Special care

must be taken to change passwords after maintenance sessions by contractors.



POLICY 6.10: REMOTE ACCES FOR MAINTENANCE PURPOSES



Remote access for diagnostic or preventative maintenance purposes shall be

strictly controlled so as to protect the security of the system.



6.4.12 Password transmission



Passwords used to protect information of a given sensitivity must be afforded at

least the same protection and preferably a higher level of protection than the

information and processes to which they give access. This is particularly important

when accessing a system remotely across a public network. Distribution of

passwords must be done in a way which ensures that disclosure en route would

not result in a compromise of the system on which the password would be used. In

particular, electronic mail systems must not be used for distribution of passwords.



6.5 Limitations of password security



Most experts no longer regard traditional password practices as fully secure. This

section outlines their limitations and indicates favoured methods of enhancing

security



6.5.1 Weaknesses



The advice concerning minimum password length, secrecy and frequency of

change should be viewed as the minimum requirements. Unless users are

strongly encouraged (or forced) to employ highly random passwords they will

tend only to select passwords from a total of about 4000 English words.



Even if passwords are highly random the fact that they are used more than once

represents a security weakness since any person obtaining a password value (by

line tapping, by watching the operator key in the value, by finding a written

copy...) can then penetrate the system freely until that password is changed.



These weaknesses can be overcome by both using truly random passwords, and

changing passwords every access.



6.5.2 Random one-time passwords



This can be achieved by adopting one-time password procedures whereby each

user is given a list of random password values which must be used once only each

and in the given order. However, this would involve writing down passwords

which is contrary to good practice.



In certain systems, the distribution of such lists may be acceptable, but generally

the challenge system of the next paragraph is to be preferred.



6.5.3 Challenge systems



In a challenge system, random one-time passwords are obtained by providing

each user with a Personal Identification Unit (PIU) usually resembling a pocket

calculator. On attempted access with a valid UID, the host generates a random

number or challenge value which it sends to the user. The user must then enter

the value manually on their PIU. The PIU then performs a complex mathematical

operation on this number and displays the result on its display. The user then

transcribes this number to the terminal which, in turn, is sent to the host for

checking. If the check is successful, the host can be reasonable certain that the

user has the correct PIU in his possession and access can be granted.



Each PIU should use a different cryptographic key to permit identification of an

individual user. The PIU will work correctly only in conjunction with its associated

UID. Attempts to use the PIU with an alternative or incorrect UID will result in an

incorrect response being generated. To prevent unauthorised system access

should a PIU fall into the wrong hands the user may also be required to enter a

secret Personal Identification Number (PIN) into the PIU prior to keying in the

challenge value.



The access thus depends on something:



o possessed by the user (the PIU), and



o known by the user (the PIN).



The algorithm should be cryptographically strong so as to prevent analysis of the

method by an adversary.



Alternative types of PIU, which generate a new one-time password every minute or

so, obviate the need for a challenge-response sequence, are also available.

Biometric devices are becoming more commercially available and are worthy of

consideration for sensitive systems, they are however rather costly for widespread

use.



POLICY 6.11: USER AUTHENTICATION DEVICES



In the design of systems, the use of user authentication devices should be

considered and documented.



6.6 Logging on



No user should be able to log onto a system containing high integrity,

commercially sensitive, or privacy marked information without first executing a

security dialogue, such as a correct entry of a valid UID and matching password

(or equivalent). This ensures full identification and authentication and permits

logging for subsequent accountability.



6.6.1 Welcome screens



The initial screen (traditionally called the "Welcome" screen) displayed before

successful completion of the security dialogue should be designed to reveal the

minimum amount of information about the system.



POLICY 6.12: WELCOME SCREENS



Text displayed before logon shall provide only the minimum amount of

information for access authorisation.



6.6.2 Silent log on



No system facilities, not even the 'HELP' command, should be available to the

user prior to successful completion of these steps. Security is appreciably

enhanced by adopting log on procedures which give no help to potential

adversaries.



POLICY 6.13: SILENT LOGON



Other than a minimal prompt for user ID and password, no additional help shall

be given when logging on to BT multi-user, administration or management

systems. Failure of a logon sequence shall not identify which part of the logon

process failed.



6.6.3 Log on security



The logon procedure should be fully secure. No trap-door method shall be

possible by, for example, through use of zero-length, excessive length UIDs or

passwords, or by control, escape or break signals.



6.6.4 Prescribed warning screen



As soon as access has been successfully achieved, the following screen should be

displayed by all BT multi-user, administration and management systems

processing high integrity, commercially sensitive, or privacy-marked material.



British Telecommunications plc



COMPUTER NAME



WARNING: You have accessed the COMPUTER NAME operated by BT. You are required to

have a personal authorisation from the system administrator before you use this

computer and you are strictly limited to the use set out in that written

authorisation, Unauthorised access or use of this system is prohibited.

Unauthorised access to or misuse of a computer constitutes an offence under the

Computer Misuse Act 1990.



If you understand this message and have been authorised to use this system

please type YES. Otherwise type NO to terminate this access.



Are you authorised to use this computer? <Yes/No>



POLlCY 6.14: PRESCRIBED WARNING SCREEN AND AUTHORISATION



A prescribed warning screen shall be displayed immediately after an accessor

successfully completes the logon sequence. The system administrator shall set

up procedures to provide written authorisation to users stating their access

privileges.



6.6.5 Log on failure conditions

Logon must not be permitted if:



o the UID is invalid,

o the UID is barred,

o the password is invalid,

o the UID and password combination is invalid,

o the claimed UID is already active unless it is a system requirement,

o the logon would contravene local policy, for example, time of day restrictions.



6.6.6 Repeated log on attempts



The rate at which an adversary can make log on attempts must be limited to

prevent exhaustive searching of UID and password combinations.

Such an attack can be rendered imoractical bv compelling:



o a modest time delay (eg. two seconds) between each individual access attempt

made on any given port, and

o a substantial time delay (eg. one minute) every few attempts (eg. three).



This may be accomplished by including an attempt counter in the log on

procedure such that no more than three attempts may be made subject only to the

modest time delay, after which attempts from that port are disabled for a

substantial time delay. The preferred option is that the link is actually

disconnected and the user compelled to obtain reconnection.



A stronger measure would be to permanently disable the UID or port with

appropriate messages being sent to system log and the system administrator. In

such cases the UIDs should be taken out of service automatically after a

predefined number of consecutive unsuccessful access attempts - perhaps three.

Before the locked-out UID can be used again, an approach has to be made to the

Systems Administrator who will decide, if necessary in consultation with the

Application Manager, whether to reactivate the original UID or issue a new one.

This strategy is recommended for consideration only for High Impact Systems

because an adversary may abuse the feature to disable all UID and/or ports

causing a 'Denial of Service' problem. The running of verification utilities against

system critical commands should be considered prior to reinstatement of the UID.



POLICY 6.15: TERMINAL OR UID LOCKOUT



When a terminal or UID is repeatedly misused in an attempt to breach a

system, the terminal or UID shall be disabled and an alarm given. The period

during which the terminal or UID is disabled must be commensurate with the

impact of Denial of Service.



6.6.7 Recording access attempts



Where possible all access attempts (whether or not successful and whether or not

exceeding the counter limit) should be recorded on the system log. Alarms to the

system manager may also be raised in real-time depending on the sensitivity of the

system following repeated logon failures. The record should indicate the

attempted UID, the time of the event and the link involved but should not record

the attempted passwords.



Exceptional events (such as apparent exhaustive trialling of password on a

particular UID) should be so recorded as to come rapidly to the attention of

supervisory personnel. The log must be scrutinised at frequent intervals for any

evidence of unauthorised access attempts. Any unusual logged events must be

investigated.



POLICY 6.16: SECURE ALARMS



Security alarms shall be used to inform the system administrator when an

attempted breach of security has been detected.



6.6.8 Last access

On successful logon the user should be informed of the time and date of last

access, and of any unsuccessful access attempts since then.



6.6.9 Unauthorised access



Any (suspected or known) unauthorised access attempt or criminal activity should

be reported immediately to the BT Investigation Department Help Desk and line

management. Further investigatory action should await specialist advice from

BTID.



POLICY 8.8: REPORTING OF SECURITY INCIDENTS applies.



6.7 Logging off



6.7.1 Terminal inactinty



The system should include an activity sensing feature to identify terminals which,

although logged on, appear to have been abandoned. These are a security risk

since an adversary finding such a terminal unattended could employ it with all the

access rights of the previous user. If no input is detected after a certain timeout

(eg. five minutes) the system should log the terminal off automatically.



This may be undesirable for some very limited facilities, such as batch processing

or program development, in which case longer timeouts may be associated with

specific UIDs.



PCs should have approved security programs installed on them such that, if no

user activity has been detected for a period of time, the program will lock the PC

terminal and require a password entry to be reactivated. is must be done

especially for PCs logged into a server system. Such programs should also blank

out the actual contents of the display (it may be replaced by some other display)

until the PC has been reactivated through the password. Screen blanking options

that only jumble the contents of the screen should not be used. Preferably, the

blanking of data should be combined with a screen saver function, which reduces

the display duty cycle significantly, to help prolong the life of the display.



POLICY 6.17: TERMINAL OR UID TIMEOUT



When a port or UID remains dormant for a period of time, it shall be disabled.

Terminal timeout shall also occur when a terminal remains logged onto a

system, but remains unused for a period of time. The screen shall be cleared of

any display when the forced logoff occurs.



6.7.2 Prolonged activity



The system should require users present on the system for prolonged periods

(hours rather than days) to reenter their log on sequence (UID and password) .

This is to ensure that the authorised user is still present and that the

communication link has not been hijacked by an adversary.



6.7.3 Link interruption



The system should similarly automatically log off and clear down completely and

immediately the session with any terminal whose communications path is

interrupted. Many terrninals have a carrier detection light to show at the

communications path is open and the failure of this may indicate an interruption.



POLICY 6.18: LOG OFF WHEN COMMUNICATION SESSION IS

INTERRUPTED



Precautions shall be taken during the design of systems to ensure that active

sessions are aborted if a failure in communications occurs.



6.8 User privileges



It is usually a requirement that user capabilities still be restricted after log on. This

is to prevent unauthorised use of computer facilities and unauthorised access of

system software and data to which the user is not entitled. It is generally

accomplished by establishing a set of 'privileges' associated with each UID such

that users are not permitted to perform functions or access data except as

indicated in their privilege tables. Controls shall ensure this by such means as

password controls, access control lists, labelling of data fields.



POLICY 6.19: DATA ACCESS CONTROLS



Processing capability and data shall be accessible only by authorised staff with

the appropriate privileges.



6.8.1 Privilege table establishment



The default condition of all privilege tables should be that corresponding to no

privileges. Privilege tables must be under the ultimate control of user

management who must authorise all changes.



6.8.2 Facility privileges

Privileges speciing the computer facilities available to users should be controlled

only by system administrator staff. Facility privileges include:



o I/O device allocations,

o available storage volume,

o maximum job size,

o financial budget and its consumption.



This restriction must be applied with particular rigour to security privileges. It

must not be possible under any circumstances for an ordinary user to redefine

himself as a system operator or system administrator for example or obtain access

to their data files or facilities or obtain access to security-related software such as:



o operating systems,

o password control software,

o system log software,

o access control software,

o time restrictions.



Where a job consists of several tasks run in sequence, the authority of the user

should be checked at each task and not solely on the first one.



Staff whose job is to run a limited set of programs should not have the facility to

edit, read or write programs. Menu-driven software may be helpful to ensure this.



POLICY 6.20: ADMINISTRATION OF PRIVILEGES



Privileges shall be administered only by the system administrator (or

equivalent role) .



6.8.3 Function privileges



Privileges defining the computer functions available to users should also be

controlled by system administration staff only. Procedures for the replication of

user privileges should only allow the minimum to be created appropriate with the

users authority. Users should only be permitted to use those commands required

in the normal course of their duties.



6.9 Access to user files



Privileges defining the rights of users to access each other's data files may be

exclusively under system administrator control, especially on high risk systems.

However, on less sensitive systems discretionary control is frequently all that is

required whereby each user controls the access of others to his own data files. In

general systems developers should not have access to live files.



6.9.1 Implementation of logical access controls



In this context 'access' may imply any of a number of operations (eg read, write,

delete, modify, execute...) and it is essential that each of these should be

separately specifiable. In any case there is implied the creation of a more or less

detailed set of access restrictions for each user data file and the existence of

special system control software for enforcement.



There may also be a need for user identification control within applications, for

example to test for the maintenance of separation of duties.



Software development tools, for example, compilers, program libraries, source

code etc, should not be available on operational systems. If they are present, their

use must be strictly controlled.



It is important that as much as possible of the control procedure should be

performed automatically by the system and in a 'user friendly' and efficient

manner. User acceptance and co-operation cannot be obtained otherwise and the

security system will be viewed as an enemy by those it is intended to serve with

the result that users will tend to avoid and circumvent its protective measures

where possible.



Most Operating Systems implement some form of access control but the degree of

real security obtained varies dramatically from one system to another.



6.9.2 Default privileges



The preferable default privilege is that no user other than the file owner can

access (read, write, etc.) any given file unless given explicit authority to do so by

the owner.



6.9.3 Password control of file access



A limited degree of control may be obtained by password protection of files such

that access is only available to users who know the correct password. Separate

control of the different types of access (read, write, etc.) is then not generally

possible, and the overall degree of security is much poorer than the fully

specifiable, fully managed systems indicated above.



This is partly because of user reluctance to undertake the burden of the additional

passwords especially when all the issues concerning randomness and regular

change of password are taken into account.



6.9.4 Encryption of files



Files may also be encrypted by users to obtain a degree of protection rather

higher than password control since simple access to the file no longer yields

useful information.



6.10 Customer access to BT computers



As communications technology becomes more and more sophisticated, and

external companies become more demanding in the flexibility and management of

the BT services which they use, BT is required to offer management and

administrative services to its customers. The risks associated with this are well

known and understood within the security community. However, systems

implementors and administrators are not always aware of these. Systems which

provide customer access are vulnerable in a number of areas, specifically the risk

of access to system facilities which are beyond their anticipated privilege profile.

Ihis can lead to:



Compromise of the BT system

Compromise of connected networked systems

Compromise of other customers data



Where customers are given access to a BT system, the system must be designed

in a way that separates the customer access facility from the system's internal BT

facilities. Where access to the system is initially regulated by the standard

operating system User ID/password system, access to the internal BT facilities

must be via a strong authentication method, preferably based upon a token or

one-time password system.



Customers place a high degree of trust in the service BT provides. It is the

responsibility of systems implementors to consider the impact of failure upon a

customer. Depending upon the risks it may be beneficial to provide access upon

strong authentication techniques.



When customers are given access to BT Service Management Systems, used by

other customers, or holding sensitive information about other customers,

processes or contracts undertaken by BT, then the Service Management System

shall be considered to be a "high impact" system and subject to accreditation by

the Director of Security and Investigation. (See section 2.8)



POLICY 6.21: SENSlTIVllY OF SYSTEMS WlTH CUSTOMER ACCESS



Systems providing customer access are deemed to be HIGH IMPACT systems

where there is a connection between that system and other BT systems.



POLICY 6.22- AUIHENTFICATION ON SYSTEMS VVlTH CUSIOMER

ACCESS



Access to non-customer facilities on a system providing customer access shall

be via strong authentication methods.



6.11 Contractors



6.11.1 Software development by third parties



Development of applications for BT by external companies should adhere to the

same standards of development practice that we expect of internal developments.

The quality assurance of the system is a crucial issue, particularly for systems

which are of an operational or mission critical nature. Assurance standards should

be quoted in terms of the Information Technology Security Evaluation Criteria

(ISEC) levels, which should be specified at the start of the project.



There are greater risks associated with software produced by external companies,

where the level of direct BT supervision is likely to be minimal. The introduction

of Trojan horse code is not easy to detect without extensive analysis of the

program code.



On-line systems need to be afforded protection from development people, and

segregation of roles is a key element of this. Development contractors need to be

separated from live environments.



Default access to live data is not permitted. Access to live data in support of the

contract should be for specific activities and must be monitored. Access must be

withdrawn immediately following completion of the activity, or between phases of

it.



POLICY 6.23: CONTRACTOR ACCESS TO DATA



Third Party Contractors used for development of systems shall not have direct

access to on-line BT systems or live data, unless such facilities are absolutely

necessary for execution of the contract. In this case, the contract shall specify

the security requirements to protect BT's information.



Operational activies by third parties



BT has used outside contractors and agents for carrying out work for many years.

Examples of this are building maintenance and other non-communications related

activities. Increasingly, activities are being transferred to outside specialists.

However, over the last decade, almost all of our activities and functions have been

computerised and have become highly integrated with other systems. Therefore,

outsourcing of an activity has to be viewed against the threats to BT as a whole

from such a scheme.



POLlcY 6.24: OUTSOURCING



Proposals to outsource a process, to be carried out without direct BT

supervision off BT premises, and which requires electronic access to BT

information, must be supported by a Security Policy Document. If the process

involves on-line access to a BT system processing information at Sensitivity

level 2 or higher, the system must be accredited in accordance with Policy 2.7



Software and data



Contents



7.1   Introduction. . . . . . . . . . . . . . . . 7-2



7.2   Software installation and maintenance . . . 7-2

7.2.1 Software changes. . . . . . . . . . . . . . 7-2

7.2.2 Protection of production systems. . . . . . 7-2

7.2.3 Software copyright. . . . . . . . . . . . . 7-3

7.2.4 System backup . . . . . . . . . . . . . . . 7-4

7.2.5 Failures and recovery . . . . . . . . . . . 7-4



7.3   Log faciliffes and system data. . . . . . . 7-4

7.3.1 Log facilities. . . . . . . . . . . . . . . 7-4

7.3.2 Logging system activity . . . . . . . . . . 7-5

7.3.3 Logging user activity . . . . . . . . . . . 7-5

7.3.4 Checking logs . . . . . . . . . . . . . . . 7-5

7.3.5 Retention of logs and journals. . . . . . . 7-6

7.3.6 Condition records . . . . . . . . . . . . . 7-6

7.3.7 Storage of logs in microfiche form. . . . . 7-6

7.3.8 Encryption of system data . . . . . . . . . 7-7

7.3.9 Back-up copies. . . . . . . . . . . . . . . 7-7



7.4   Data sensiffvity

7.4.1 Data ownership. . . . . . . . . . . . . . . 7-7



7.5   Storage . . . . . . . . . . . . . . . . . . 7-8

7.5.1 Write protection. . . . . . . . . . . . . . 7-8

7.5.2 Labelling . . . . . . . . . . . . . . . . . 7-8

7.5.3 Documentation . . . . . . . . . . . . . . . 7-9

7.5.4 Extraneous magnetic influences. . . . . . . 7-9



7.6   Disposal of media . . . . . . . . . . . . . 7-9

7.6.1 Magnetic media. . . . . . . . . . . . . . . 7-9

7.6.2 Disposal of computer equipment. . . . . . . 7-11

7.6.3 Documents, printout and consumables . . . . 7-11



7.7   Computer viruses. . . . . . . . . . . . . . 7-11

7.7.1 Vulnerability of systems. . . . . . . . . . 7-12

7.7.2 What a computer virus does. . . . . . . . . 7-12

7.7.3 Detection of computer viruses . . . . . . . 7-13

7.7.4 Group policy on computer viruses. . . . . . 7-13

7.7.5 Guidance. . . . . . . . . . . . . . . . . . 7-14



7.1 Introduction



It is a security objective that software and data are correct complete and available

to authorised users. Full use should be made of the security features provided by

the operating system to achieve this objective. If software needs to be written,

security and audit requirements should be considered at the system design stage.

Users must ensure that the Statement of Requirements document contains a

definition of security requirements and access restrictions.



7.2 Software installation and maintenance



7.2.1 Software changes



All software modifications to a computer system must be authorised and fully

recorded. The modification log should be held by the system administrator.

Emergency patches (those that are not scheduled) must be properly documented

and reviewed by the appropriate authority within one working day.



Checks should be implemented to ensure that only one change is carried out at a

time. If development pressure compels the packaging of changes in order to

minimise the system testing overheads, the checking must be even more vigilant.



Expert personnel should check all new and modified software for correctness and

completeness with special regard to the possibility of security flaws. It should also

be verified to ensure that it functions according to design, that it does not

adversely affect other functions in the system and that no unauthorised changes

have been made to the system. These checks should be conducted on an off-line

system and not on operational machines.



Verification should be performed after all software changes and on a regular basis.



While full verification testing of the type outlined above is not always possible due

to operational constraints, use of unverified software provided by a third party

represents an unknown quantity from a security viewpoint, especially in cases

where the source code is not available. In any case assurances must be obtained

from the supplier about the integrity of the software and especially about the

removal of undeclared commands incorporated for debugging purposes.



It is preferable that user software should be written in a high level language. Only

compiled programs should be released. Source code should only be available to

the programmer creating or amending the program or for the verification of the

validity of any changes; this applies equally to operational Job Control Language

text. Job Control Language which cannot be compiled should be held in a discrete

library store with controlled access.



7.2.2 Protection of production systems



Ideally the software development cycle should involve a separation of

Development, Test and Production environments. These three areas often have

quite different security requirements. As far as technical restraints and costs

permit, they should be isolated from each other. Technical and procedural



controls should be applied to the promotion of software from Development to Test

and from Test to Production environments. Special care should be taken to protect

the integrity of code accepted into Production use.



POLICY 7.1: VERSION CONTROL OF SOFTWARE



Software shall be subject to version control to ensure that only current and

approved software is in use on an electronic system.



POLICY 7.2: PROTECTION OF DATA IN SYSTEM TESTING



Live data shall not be used in system testing. Test data derived from, and

traceable to, live data shall be afforded a similar level of protection to the

original source.



POLICY 7.3: SOFTWARE OF UNKNOWN INTEGRlTY



Unless a trustworthy method has been used to create and distribute software

then the integrity of the software shall be considered to