==Phrack Inc.== Volume Three, Issue Thirty-one, Phile #4 of 10 / Everything you always wanted to know.. \ / about Telenet Security, But were to stupid to find out. \ By Phreak_Accident Ever since the early 80's GTE Telenet has been expanding their public packet switching system to hold enormous amounts of users. Currently GTE SprintNet (Yes, Telenet is out, SprintNet is in.) has over 300 nodes in the United States and over 70 other nodes abroad. SprintNet provides private X.25 networks for larger companies that may have the need. These private networks are all based on SprintNet's 3270 Dedicated Access Facility which is currently operating for public use, Hence for the major security Sprint- Net has aquired. SprintNet's security department is a common idea of what any large public packet network should be. With their home office located in Virgina (703), most Hacker's who run into trouble with them would wind up talking to Steve Mathews (Not the head of security but a prime force against the major attacks Sprintnet recieves from Hackers anually.), who is a very intelligable security analysist that deals with this type of problem daily. Because of Steve's awarness on Hackers invading "His" system (As most security personnel refer to the system's they work for as their own.), He often does log into Bulletin Boards accross the country looking for Sprint- Net related contraband. At the time of this article, Steve is running an investigation on "Dr. Dissector's" NUAA program. (NUA attacker is a Sprint- Net NUA scanner.) Besides this investigation, he currently stays in contact with many Hackers in the United States and Abroad. It seems Steve recieves many calls a month from selected Hackers that have interests in the Security of SprintNet. Wow. Who the Hell would want to call this guy. From many observations of Steve Mathews, I find him to in deed be the type to feel a bit scared of Hackers. Of course, his fright is really quite common amoung security personnel since most fear for their systems as well as themselves. (Past experiences have showed them not to take Hackers lightly, Hence they have more contacts then 60 rolodex's put together.) For now, let's forget Steve Mathews. He's not important an important influence in this article. Trying to pin a one-person in a security depart- ment that handles security is like finding a someone on a pirate board that doesn't use the word "C0DE" in their daily vocabulary. Telenet's main form of security lies in their security software called TAMS (Telenet Access Manager System). The TAMS computers are located in Res- tin, Virginia but are accessable throughout the network. Mostly, the main functions of TAMS are to: * Check to see if the NUI/Password entered is a valid one. * Check to see if the Host has list of NUI's that can access that host. If another NUI is used, a Rejection occurs. * Processes SprintNet's CDR (Call Detail Recording), which includes Source and Destination, Time of call, Volumes of data recieved, and the Total time of the call. * Can be used by host to add an optional "ALPHA" NUA for "easy" access. * Can secure Hosts further by adding an NUA security password. * Restricts calls without an NUI for billing (I.E. No collect calls to be processed). * Accepts all calls to host as a prepaid call (I.E. Accepts all calls). TAMS is really for the handling of NUI and corresponding NUA's, therefore being a security concept. TAMS holds all the data of NUI's and restricting NUAS for the ENTIRE network. If one could gain the access to TAMS, one could have the entire network at his/her disposal. This of course if highly impossible to SprintNet's security department, but not for a couple of hackers I have ran into. Yes, TAMS is quite interesting. In other aspects of SprintNet security, lets focus on the actual X.25 software that they use. Anybody who tells you that Telenet can monitor the sessions currently taking place on THEIR network is WRONG (And probably very stupid as well). Monitoring is a basic feature of all X.25 networks, whether it's a little PeeShooter network or not, they can and do monitor sessions. Of course their are far to many calls being placed on SprintNet to be monitored, but a scared host can always request a full CDR to be put on their address to record all sessions comming in on that NUA. Such as the many re- corded sessions of the ALTOS chat(s) in Germany that was a hot-spot for many Hackers across the United States and Abroad. After the detection of ALTOS, through the hundereds of illegally used NUIs, CDR's and direct host monitoring were used on the ALTOS hosts. As far as prosecutions concern, I doubt their were any. Now, as far as other security software on SprintNet, they have a call tracking service that is called AUTOTRAIL. Basically, AUTOTRAIL traces the connections through the DNIC's and back to the orginating NUI and/or NODE loca- tion that placed the call. AUTOTRAIL has nothing to do with ANI. Not at all. In fact, the many dialups that lead into SprintNet's PDM gateway do NOT have any type of ANI. That is basically a telephony problem. ALthough I would think twice about messing with a dialup that is run on a GTE carrier. That's up to you though. Another aspect of security in which Telenet offers is an ASCII tape that can be obtained by a host customer, which contains all CDR information of any connection to that host for the last week/month/year. So, it is obvious to say that SprintNet does have a hudge database of all CDRs. Yes, another point: This database is located in the TAMS computer. Hmm, ahh.. Wouldn't that be neat. :PA _______________________________________________________________________________