==Phrack Inc.== Volume Three, Issue Thirty-one, Phile #7 of 10 COMPANY CONFIDENTIAL INTERIM MEMORANDUM SUBJECT: TYMNET SUPPORT FOR CUSTOMER'S DATA SECURITY PURPOSE: This document provides background, and general procedures and practices used to support customers with suspected security problems. Field Sales is the intended audience but is a general document and may be useful to other customer support personnel. Currently, this document is in a final review. Meanwhile, it is to retain the status of an internal proprietary document. BACKGROUND: BT Tymnet Inc, and its Network Systems Company, believe information integrity is vital to ourselves and our customers. One way TYMNET insures integrity is by providing good security. TYMNET has a baseline security of user name, password, and user access profile available for all customers. Further, there are two security products. One permits the customer to limit password life (password automatically expires after a customer elected time period) and the other permits the end user to change his/her own password. Since we do consider security a key issue, we continue to develop other security features. Also, we work with Security vendors to certify their security products on our network, thus permitting customers to add such products, should they so desire. We have established Network Systems Company Policies which provide a framework for the information contained herein (see NSC Policy 121 and 122. More policies are in distribution as of this writing). It is highly recommended that these policies be reviewed since they represent the framework of this document. Legal considerations are another key issue in any security case. Support, other then providing the customer with related security data, can only occur if law(s) have been broken. The legal issues are complex and only a minimal information is provided herein. At at the heart of this issue is the fact that the customer is the injured party, not TYMNET. Patience and good communication may be required to get the customer to understand this fact. The customers must act for themselves to obtain law enforcement support. TYMNET will support that activity, and help to the degree possible, much as a "friend of the court". THE SUPPORT: We provide security support as a responsible network service provider. The first step in that support is for the field sales representative to act as a security consultant to the customer, at least to the extent explained below. The customer is well advised to plan in advance "what to do when Captain Midnight strikes" -- contingency planning, pure simple. First there are two basic alternatives to choose from: PROTECT AND PROCEED OR PURSUE AND PROSECUTE "Protect and proceed" means 1) determine how the incident occurred, 2) plug the security leak/hole, and 3) go on with business as normal. (Do we want written notification of the Intent to "Pusue and Prosecute" from the "Injured Party?"). "Pursue and prosecute" is just that. The first step is having the customer obtain legal support, and both we and the customer continue to gather evidence until the suspect is apprehended. The next step is the prosecution in a court of law. (The final step is to return to the first alternative, e.g., now protect and proceed.) The customer needs to judge each case on its own merits, but generally the first choice is the wiser one. The second choice involves considerable effort, mostly by the customer and law enforcement agency(s), possible negative publicity for the customer and does not necessarily result in successful prosecution. Good contingency planning also includes becoming familiar with the laws and the local law enforcement people. The starting point is a suspected incident. Herein, we will address the case where the customer has identified a suspected intruder. Generally, that occurs by a customer's detailed review of billing or host based security exception reports. At this point it is essential the field sales representative open a ticket containing at least the following: 1) customer name and CID, 2) host(s) involved, 3) incident start and stop times, and 4) the customer's objective. Add any other information deemed helpful. Other support may be an on-line trace of the call, if the suspect is currently on-line. Field support should do this trace, or alternately, this same help can be obtained by calling network customer support and/or NetCon. In any case it must be done while the suspect is on-line. Such trace information should be included on the ticket. Based on the customer's position; the case will fit either "prevent and proceed" or, "pursue and prosecute". The former is straight forward, in that TYMNET security will research the incidents(s), and provide data (generally user name and point of origin(s) to the customer via Field Sales, with recommendations on how to prevent any further occurrence. We do provide this service as a responsible vendor, although strict interpretation of NSC policy 121 precludes it. However, we do apply the policy if a customer continues to ask for data without taking preventative action. The "pursue and prosecute" case is complex, and is different for each situation. It will be explained by using a typical scenario. After the first step (as above), it is necessary to gather data sufficient to show a pattern of intrusion from a single TYMNET access point. With this information, the customer (the injured party) must contacts law enforcement agency(s), with the one exception noted below. If that intrusion point is through a gateway from a foreign country, for all practical purposes, the customer can do little to prosecute. The law(s) of the foreign country will apply since extradition is most unlikely. Therefore, action will have to be have to be initiated by the network service provider in the foreign country. In this case, TYMNET security will have MIS research the session details to obtain the Network User Identifier, and External Network Support (Jeff Oliveto's organization) will communicate that information to the foreign network for their action (cases involving U.S. government computers may get special treatment - see for example - Communications of the ACM, May, 1988, article on "Stalking the Wiley Hacker"). Most all security incidents on our network are caused by international hackers using X.121 addressing. Frequently, our customer is unaware of the risk of X.121 addressing, and permits it. BE SURE YOUR CUSTOMERS KNOW THAT THEY CAN CHOOSE FULL TYMNET SECURITY FEATURES, THEREBY PRECLUDING SUCH INTRUSIONS FROM X.121 ADDRESSING FROM FOREIGN NETWORKS. For the domestic case, the customer gets law enforcement (attorney general at incoming call location, secret service if credit card fraud is involved, or possibly the FBI, depending on the incident) to open a case. Note, damage in estimated dollars is usually necessary to open a case, and many agencies will not take action on small claims. For example, as of December, 1988, the Los Angeles Attorney will not open a case for less than $10,000 (they have too big a caseload at higher damages). Assuming legal support is provided, a court order for a wire tap and trace will be obtained, thereby determining the caller's phone number (this step can be very involved and time consuming for long distance calls). The next legal action occurs after the calling number is identified. A search warrant is obtained for searching the facility housing the phone location. Normally, this search will gather evidence sufficient for prosecution. Evidence is typically the necessary terminal equipment, printouts, diskettes, etc. Then, at long last the prosecution. Also note, again at the time the calling number is identified, the injured party should use the "protect and proceed" plan. For further information, contact Data Security, TYMNET Validations, or Ontyme NSC.SECURITY. _______________________________________________________________________________