==Phrack Inc.==
Volume Three, Issue Thirty-one, Phile #7 of 10
COMPANY CONFIDENTIAL
INTERIM MEMORANDUM
SUBJECT: TYMNET SUPPORT FOR CUSTOMER'S DATA SECURITY
PURPOSE: This document provides background, and general procedures
and practices used to support customers with suspected security
problems. Field Sales is the intended audience but is a general
document and may be useful to other customer support personnel.
Currently, this document is in a final review. Meanwhile, it is to
retain the status of an internal proprietary document.
BACKGROUND: BT Tymnet Inc, and its Network Systems Company,
believe information integrity is vital to ourselves and our
customers. One way TYMNET insures integrity is by providing good
security. TYMNET has a baseline security of user name, password,
and user access profile available for all customers. Further, there
are two security products. One permits the customer to limit
password life (password automatically expires after a customer
elected time period) and the other permits the end user to change
his/her own password. Since we do consider security a key issue,
we continue to develop other security features. Also, we work with
Security vendors to certify their security products on our network,
thus permitting customers to add such products, should they so
desire.
We have established Network Systems Company Policies which provide
a framework for the information contained herein (see NSC Policy
121 and 122. More policies are in distribution as of this
writing). It is highly recommended that these policies be reviewed
since they represent the framework of this document.
Legal considerations are another key issue in any security case.
Support, other then providing the customer with related security
data, can only occur if law(s) have been broken. The
legal issues are complex and only a minimal information is
provided herein. At at the heart of this issue is the fact that
the customer is the injured party, not TYMNET. Patience and good
communication may be required to get the customer to understand
this fact. The customers must act for themselves to obtain
law enforcement support. TYMNET will support that activity, and
help to the degree possible, much as a "friend of the court".
THE SUPPORT: We provide security support as a responsible
network service provider. The first step in that support is for
the field sales representative to act as a security consultant to
the customer, at least to the extent explained below.
The customer is well advised to plan in advance "what to do
when Captain Midnight strikes" -- contingency planning, pure
simple. First there are two basic alternatives to choose from:
PROTECT AND PROCEED
OR
PURSUE AND PROSECUTE
"Protect and proceed" means 1) determine how the incident
occurred, 2) plug the security leak/hole, and 3) go on with
business as normal.
(Do we want written notification of the Intent to "Pusue and
Prosecute" from the "Injured Party?").
"Pursue and prosecute" is just that. The first step is having
the customer obtain legal support, and both we and the customer
continue to gather evidence until the suspect is apprehended. The
next step is the prosecution in a court of law. (The final step is
to return to the first alternative, e.g., now protect and
proceed.)
The customer needs to judge each case on its own merits, but
generally the first choice is the wiser one. The second choice
involves considerable effort, mostly by the customer and law
enforcement agency(s), possible negative publicity for the
customer and does not necessarily result in successful prosecution.
Good contingency planning also includes becoming familiar with the
laws and the local law enforcement people.
The starting point is a suspected incident. Herein, we will address
the case where the customer has identified a suspected intruder.
Generally, that occurs by a customer's detailed review of billing
or host based security exception reports.
At this point it is essential the field sales representative open a
ticket containing at least the following: 1) customer name and CID,
2) host(s) involved, 3) incident start and stop times, and 4) the
customer's objective. Add any other information deemed helpful.
Other support may be an on-line trace of the call, if the
suspect is currently on-line. Field support should do this trace, or
alternately, this same help can be obtained by calling network
customer support and/or NetCon. In any case it must be done while
the suspect is on-line. Such trace information should be
included on the ticket.
Based on the customer's position; the case will fit either
"prevent and proceed" or, "pursue and prosecute". The former is
straight forward, in that TYMNET security will research the
incidents(s), and provide data (generally user name and point of
origin(s) to the customer via Field Sales, with recommendations
on how to prevent any further occurrence. We do provide this
service as a responsible vendor, although strict interpretation
of NSC policy 121 precludes it. However, we do apply the policy if
a customer continues to ask for data without taking preventative
action.
The "pursue and prosecute" case is complex, and is different for each
situation. It will be explained by using a typical scenario. After
the first step (as above), it is necessary to gather data sufficient
to show a pattern of intrusion from a single TYMNET access point.
With this information, the customer (the injured party) must contacts
law enforcement agency(s), with the one exception noted below.
If that intrusion point is through a gateway from a foreign
country, for all practical purposes, the customer can do little to
prosecute. The law(s) of the foreign country will apply since
extradition is most unlikely. Therefore, action will have to be
have to be initiated by the network service provider in the
foreign country. In this case, TYMNET security will have MIS
research the session details to obtain the Network User
Identifier, and External Network Support (Jeff Oliveto's
organization) will communicate that information to the foreign
network for their action (cases involving U.S. government computers
may get special treatment - see for example - Communications of the
ACM, May, 1988, article on "Stalking the Wiley Hacker").
Most all security incidents on our network are caused by international
hackers using X.121 addressing. Frequently, our customer is unaware
of the risk of X.121 addressing, and permits it. BE SURE YOUR
CUSTOMERS KNOW THAT THEY CAN CHOOSE FULL TYMNET SECURITY FEATURES,
THEREBY PRECLUDING SUCH INTRUSIONS FROM X.121 ADDRESSING FROM
FOREIGN NETWORKS.
For the domestic case, the customer gets law enforcement (attorney
general at incoming call location, secret service if credit card
fraud is involved, or possibly the FBI, depending on the incident)
to open a case. Note, damage in estimated dollars is usually
necessary to open a case, and many agencies will not take action on
small claims. For example, as of December, 1988, the Los Angeles
Attorney will not open a case for less than $10,000 (they have too
big a caseload at higher damages).
Assuming legal support is provided, a court order for a wire tap
and trace will be obtained, thereby determining the caller's phone
number (this step can be very involved and time consuming for long
distance calls). The next legal action occurs after the calling
number is identified. A search warrant is obtained for searching the
facility housing the phone location. Normally, this search will
gather evidence sufficient for prosecution. Evidence is typically
the necessary terminal equipment, printouts, diskettes, etc. Then,
at long last the prosecution. Also note, again at the time the
calling number is identified, the injured party should use the
"protect and proceed" plan.
For further information, contact Data Security, TYMNET Validations,
or Ontyme NSC.SECURITY.