-------[  Phrack Magazine --- Vol. 9 | Issue 55 --- 09.09.99 --- 03 of 19  ]


-------------------------[  P H R A C K     5 5     L I N E N O I S E  ]


--------[  Various  ]


0x01>------------------------------------------------------------------------

SecurPBX using SecurID
by pbxphreak

 .---------------.
 | |  037592  |  |
 | `----------'  |
 |   SecureID    |
 `---------------'

SecurID Token:
-------------

The SecurID token provides an easy, one step process to positively identify
network and system users and prevent unauthorized access.  Used in
conjunction with Security Dynamics Server software, the SecurID token
generates a new unpredictable access code every 60 seconds.  SecurID
technology offers crackproof security for a wide range of platforms in one
easy-to-use package.

Highlights:
----------

 - Easy, one-step process for positive user authentication
 - Prevents unauthorized access to information resources
 - Authenticates users at network, system, application or transaction level
 - Generates unpredictable, one-time-only access codes that automatically
   change every 60 seconds
 - No token reader required; can be used from any PC, laptop or workstation;
   ideal for remote access and Virtual Private Networks
 - Works seamlessly with ACE/Agent for secure Web access
 - Tamperproof

The Solution:
------------

For a sophisticated hacker or a determined insider, it doesn't take much to
compromise a user's password and gain access to confidential resources.  And
when an unauthorized user enters a supposedly secure system, all privilege
definition and audit trail functions become virtually meaningless... in
essence, the damage is done.

Single-factor identification (a reusable password) is not enough.  To
identify and authenticate an authorized system user, two factors are
necessary.  Factor one is something secret only the user knows: a memorized
personal identification number (PIN) or password.  The second factor is
something unique the user possesses: the SecurID token.

Carried by authorized system users, SecurID tokens, available in three
models, generate unique, one-time, unpredictable access codes every 60
seconds.  To gain access to a protected resource, a user simply enters his
or her secret PIN, followed by the current code displayed on the SecurID
token.  Authentication is assured when the ACM recognizes the token's unique
code in combination with the user's unique PIN.  Patented technology
synchronizes each token with a hardware or software ACM.  The ACM may reside
at a host, operating system, network/client resource or communications
device: virtually any information resource that needs security.

This simple, one-step login results in crackproof computer security that is
easy to use and administer.  The tokens require no card readers or
time-consuming challenge/response procedures.  With SecurID tokens, reusable
passwords can no longer be compromised.  Most importantly, access control
remains in the hands of management.

SECURID PINPAD:
--------------

An added level of security can be implemented with a SecurID PINPAD token.
The PINPAD token enables users accessing the network to login with an
encrypted combination of the PIN and SecurID token code.  Using the keypad
on the face of the PINPAD token, a user enters his or her secret PIN
directly into the token, which generates an encrypted passcode.  This
additional level of security is especially appropriate for users in
application environments who are concerned that a secret PIN might be
compromised through electronic eavesdropping.

SecurID tokens are ideal for any environment.  The original SecurID token
conveniently fits into a wallet like a credit card.  The SecurID key fob
offers a new dimension in convenience to those customers requiring high
levels of security in multiple environments, along with compact size and
durability.
In addition to providing the same reliable performance in generating random
access codes as the original SecurID token, the SecurID key fob comes in a
small, lightweight format.

SecurPBX
--------

Ok.  Plain and simple.  SecurPBX is a product to protect PBX systems
worldwide and automated Help Desk functions.

SecurPBX provides remote access security for telephone lines, modem pools,
voicemail ports, internet access lines, and the maintenance port on PBX
systems.  Used in conjunction with Security Dynamics SecurID, SecurPBX
protects valuable PBX resources from remote access by unauthorized callers
without compromising the conveniences of remote telephone and data access to
teleworking or traveling employees.

Callers dial specific numbers on the PBX for long distance services.  As an
adjunct to the PBX and a client to the server, SecurPBX receives the
caller's request for resources.  Functioning as a client, SecurPBX requires
remote callers to provide SecurID user authentication and an authorized
destination telephone number before being transferred to the desired
resource.  SecurPBX transmits the credentials to the server for
authentication and simultaneously validates the telephone number by user
specific permissions and denials.  SecurPBX integrates with the PBX to
process the call based on the validity of the caller via SecurID and the
destination number attempted.

[Diagram: SERVER (Security), SecurID token showing 037592, PBX, SecurePBX
 Switch, Users]

Each SecurID card is a visually readable credit card sized token or key
which is programmed with Security Dynamics' powerful algorithm.  Each card
automatically generates an unpredictable, one time access code every 60
seconds.  The token is convenient to carry and simple to use and is
resistant to being counterfeited or reverse engineered.
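
The PIN-plus-code login described above, as an added example that is not
part of the original article: a server-side check of a PIN followed by a
6-digit code that changes every 60 seconds.  SecurID's algorithm is not
given on the page, so an HMAC-SHA256 of the time step stands in for it; the
function and class names, the one-step drift window and the PIN hashing are
assumptions.

```python
import hashlib
import hmac
import os
import struct

STEP_SECONDS = 60   # the article: a new access code every 60 seconds
CODE_DIGITS = 6     # the token drawing shows a 6-digit code
DRIFT_STEPS = 1     # assumption: tolerate one step of token clock drift


def token_code(seed, step):
    """Stand-in code generator (not SecurID's): HMAC-SHA256 of the time step."""
    mac = hmac.new(seed, struct.pack(">Q", step), hashlib.sha256).digest()
    value = int.from_bytes(mac[:4], "big") % 10 ** CODE_DIGITS
    return f"{value:0{CODE_DIGITS}d}"


def _pin_hash(pin, salt):
    # The server stores a salted, slow hash of the PIN, never the PIN itself.
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, 100_000)


class PasscodeVerifier:
    """Checks <PIN><token code>; every accepted code is usable exactly once."""

    def __init__(self):
        self._users = {}       # user -> (salt, PIN hash, token seed)
        self._last_step = {}   # user -> newest time step already accepted

    def enroll(self, user, pin, seed):
        salt = os.urandom(16)
        self._users[user] = (salt, _pin_hash(pin, salt), seed)

    def verify(self, user, passcode, now):
        record = self._users.get(user)
        well_formed = passcode.isascii() and passcode.isdigit()
        if record is None or not well_formed or len(passcode) <= CODE_DIGITS:
            return False
        salt, pin_hash, seed = record
        pin, code = passcode[:-CODE_DIGITS], passcode[-CODE_DIGITS:]
        pin_ok = hmac.compare_digest(_pin_hash(pin, salt), pin_hash)

        current = int(now) // STEP_SECONDS
        matched = None
        for step in range(current - DRIFT_STEPS, current + DRIFT_STEPS + 1):
            # Steps at or before the last accepted one are replays: skip them.
            if step <= self._last_step.get(user, -1):
                continue
            if hmac.compare_digest(token_code(seed, step), code):
                matched = step
        if pin_ok and matched is not None:
            self._last_step[user] = matched   # burn this code and older ones
            return True
        return False
```

A code is only burned when the PIN was also correct, so a wrong PIN cannot
be used to invalidate a legitimate user's current code.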

SecurPBX extends the secure working environment of an organization to remote
locations.  SecurPBX applies user specific calling restrictions before any
call is completed to prevent unauthorized toll charges and misuse of PBX
resources.  The time of day, volume of calls per user, destination telephone
numbers (restricted to NPA and NXX) and customizable classes of service add
a vital layer to access security without compromising the convenience of
having remote access to telephone resources.

SecurPBX logs all successful and unsuccessful attempts including the
destination telephone number.  Caller ID/ANI, if available, also provides
the origination telephone number, pinpointing the location of the caller.

Highlights of SecurPBX:
----------------------

 - Compatible with all major PBX vendor types.
 - Cost effective remote access security for PBX resources.
 - Prevents unauthorized access to valuable voice and data resources.
 - Secures remote long distance; an alternative method for replacing calling
   cards.
 - Works in conjunction with each user's SecurID card.
 - Centralized network authentication and security administration.
 - Easy to use, voice prompting available in multiple languages.
 - Audit trails and reporting assure true caller accountability.
 - Caller ID/ANI option provides originating telephone number identifying
   hacker locations.

SecurPBX operates in a Microsoft Windows NT environment.  Callers and data
users achieve seamless access to PBX resources with validation data gathered
as efficiently as using a calling card and/or attempting a standard logon
procedure.  In many cases, SecurPBX can be a calling card replacement and
may also be used with cellular phones to combat calling card fraud.
Fraudulent or suspect callers are denied access before toll charges and
resource damage occur.

Typically, securing a PBX from unauthorized remote access has required
disabling remote access to the PBX.
Using dynamic, two factor authentication through the server and validation
of destination numbers dialed, SecurPBX systematically locks out
unauthorized callers, preventing toll, voicemail, and data fraud.  This
provides a secure access point for teleworking resources.

SecurPBX unique voice identification:
------------------------------------

SecurPBX is a unique identification solution providing secure remote access
to all major PBX or Centrex telephone systems.  Protected resources included
are:

 - Long distance lines and trunks
 - Voice mail access lines
 - Call centers
 - Interactive voice response systems and audio response units

Access is controlled through positive identification of callers by their
unique, individual voice prints.  SecurPBX uses SpeakEZ voice print speaker
verification service technology to efficiently allow access to authorized
callers while eliminating access to unauthorized callers.  The SpeakEZ voice
print system is recognized as the best in the voice verification industry
today.

Significant investments in telephone resources simply cannot be protected by
traditional static passwords or PINs.  When making a telephone call from any
telephone using your calling card number, the one condition verifiable as
certain by the PBX or phone company is that someone is making a call with a
known authorization code; however, it could be anyone.  Casual calling by
unauthorized personnel, recognized as a major misuse of corporate telephone
resources, must be controlled if not eliminated.  SecurPBX provides that
capability to your organization.

SecurPBX provides reliable, independent two factor user identification and
authentication.  Factor one is something the user knows: a memorized
personal identification number or password.  The second factor is something
unique the user possesses: his/her own voice print.  Each caller is required
to merely speak his/her chosen password which is compared to a stored voice
print.  The password can be in any language or dialect.

SecurPBX extends the unique user authentication provided by SpeakEZ voice
print to include user specific calling restrictions.  Time of day, volume of
calls per user, destination telephone numbers which are restricted to NPA
and customizable classes of service add important layers of access security
without compromising the convenience of remote access to telephone
resources.

Highlights:
----------

 - Compatible with all major PBX vendor-types and Centrex
 - Cost effective remote access security for PBX resources
 - Prevents unauthorized access to valuable voice resources
 - Secures remote long distance
 - Non-intrusive security, callers are validated by their own voice prints
 - Language independent passwords
 - Centralized authentication and security administration
 - Easy to use, voice prompting available in multiple languages
 - Audit trails and reporting assure true caller accountability
 - Multiple voice prints available per user

Remote Access Security Solution:
-------------------------------

Optionally, after authentication, SecurPBX administrators can manage user
permissions and denials from either the same SecurPBX workstation or from
another workstation connected via a LAN or remotely by modem in a Windows
friendly environment.  Long distance callers achieve seamless access to PBX
outbound trunks with validation criteria gathered as efficiently as a
calling card and as easily as talking to a telephone attendant.  Fraudulent
or suspect callers are denied access before any damaging toll charges can
occur.

SecurPBX logs all calls, successful and unsuccessful, including the date and
time, user ID, and destination telephone number.  Depending on the PBX type,
Calling Line Identification/ANI may be used as part of the validation
process and in those cases, will also be logged.  Log information can be
exported to an external spreadsheet application or displayed in reports
generated by the SecurPBX Administrator.
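
The per-user calling restrictions and the audit trail described above, as an
added example that is not part of the original article and is not SecurPBX's
own code: after authentication, a call is put through only if the time of
day, the caller's daily volume and the destination NPA/NXX all pass, and
every attempt is logged either way.  All names, the rule precedence (most
specific prefix wins, deny beats allow, default deny) and the sample policy
are assumptions.

```python
import re
from dataclasses import dataclass
from datetime import datetime


@dataclass
class CallerPolicy:
    allow: frozenset     # permitted destination prefixes: "NPA" or "NPANXX"
    deny: frozenset      # denied prefixes, same form
    hours: tuple         # (first hour allowed, first hour no longer allowed)
    daily_limit: int     # volume of calls per user per day


def normalize(dialed):
    """Return the 10-digit NANP number that was dialed, or None if malformed."""
    digits = re.sub(r"[\s().+-]", "", dialed)
    if not (digits.isascii() and digits.isdigit()):
        return None
    if len(digits) == 11 and digits.startswith("1"):
        digits = digits[1:]
    return digits if len(digits) == 10 else None


def prefix_verdict(number, policy):
    """Most specific prefix wins (NPA+NXX before NPA); deny beats allow."""
    for prefix in (number[:6], number[:3]):
        if prefix in policy.deny:
            return False
        if prefix in policy.allow:
            return True
    return False   # default deny: a destination with no rule is refused


class CallGate:
    def __init__(self, policies):
        self.policies = policies
        self.audit = []      # one record per attempt, allowed or refused
        self._calls = {}     # (user, date) -> calls already put through

    def request(self, user, authenticated, dialed, when, ani=None):
        policy = self.policies.get(user)
        number = normalize(dialed)
        day = (user, when.date())
        if not authenticated or policy is None:
            reason = "authentication failed"
        elif number is None:
            reason = "malformed destination"
        elif not policy.hours[0] <= when.hour < policy.hours[1]:
            reason = "outside permitted hours"
        elif self._calls.get(day, 0) >= policy.daily_limit:
            reason = "daily call limit reached"
        elif not prefix_verdict(number, policy):
            reason = "destination not permitted"
        else:
            reason = "ok"
            self._calls[day] = self._calls.get(day, 0) + 1
        self.audit.append({
            "time": when.isoformat(),
            "user": user,
            # Log digits only: caller-supplied input must not shape the log.
            "destination": number or re.sub(r"\D", "", dialed)[:20],
            "ani": ani or "unavailable",
            "result": reason,
        })
        return reason == "ok", reason


# Constructed sample data: the user, the policy and the 555 numbers are made up.
SAMPLE_TIME = datetime(1999, 9, 9, 10, 0)
POLICIES = {
    "alice": CallerPolicy(frozenset({"212", "415555"}), frozenset({"212976"}),
                          (7, 20), 2),
}
```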

SpeakEZ Voice Print:
-------------------

SpeakEZ Voice Print Speaker Verification is a highly effective method of
confirming a caller's identity.  The service is based on the fact that each
person's voice is uniquely different, and, as a means of identification, is
highly reliable.  Speaker Verification is an application of the SpeakEZ
Voice Print technology which compares a digitized sample of a person's voice
with a stored model "voice print" of that individual's voice for
verification.

 - Authenticates the caller as opposed to information (i.e. PIN) or a piece
   of equipment.
 - Easy to use, language independent
 - Safe: a voice print cannot be lost or stolen
 - Cost-effective: does not require special hardware for the caller
 - Virtually fraud-proof: a voice is difficult to forge

Applications of SecurPBX:
------------------------

 - Secure Telecommuting (all valuable PBX resources)
 - Call center user authentication
 - Securing Interactive Voice Response (IVR) and Audio Response Units (ARUs)
 - Help Yourself suite of products for help desk automation (ASAP(TM) -
   ACE/Server Administration Program - PIN reset, SecurNT - Windows NT
   password reset, E-Help Desk - Entrust/PKI(TM) profile recovery)

Technical Requirements:
----------------------

Telephony platforms : All major PBXs including Nortel, AT&T, Rolm and Mitel
Processor           : 100% IBM compatible PC, Pentium 133 minimum
Disk requirement    : Hard disk 1 gigabyte minimum, 32MB RAM for Switch
                      Interface, Client software, 8 MB for Administrator
                      software, actual storage based on size of user
                      population
Capacity            : An unlimited number of users may be administered and
                      issued SecurID Cards.  32 simultaneous voice channels
                      per Switch Interface
Configuration       : Multiples of 4, 12 and 24 line telephone interfaces
Management          : SecurPBX Administrator includes extensive
                      administrative menus in user-friendly Windows 3.1 and
                      95 environment, real time monitoring and management of
                      multiple PBX sites

Conclusion:
----------

SecurPBX is definitely the way to go to prevent your data and PBX systems
from getting hacked and abused.


0x02>------------------------------------------------------------------------

<++> P55/Linenoise/ckludge.c !2231f4cc
/* */
/* CKludge.C (Amiga) */
/* */
/* If you are a PC user you can port this C source easily. */
/* */
/* You might even want to use it to fix your fucking millenium bug... */
/* */
/* Ha! Ha! Ha! 2000 is nigh. */
/* */
/* Clock Kludge 1.0 by `The Warlock' */
/* */
/* This little patch will freeze your clock - useful if you wish to bypass */
/* time restrictions imposed by many programs... */
/* */
/* It works by patching the level 3 IRQ vector, vertical blank, to hold the */
/* complex interface adapter internal time of day clock registers to zero. */
/* ($bfe801 = TOD lo, $bfe901 = TOD mid, $bfea01 = TOD hi) */
/* */
/* Should work on all Amiga models. */
/* */
/* Handles relocated vector base correctly. */
/* */
/* Compiling info: lc2 -v (disable stack checking so no need to use le.lib) */
/* */

#include <stdio.h>
#include <stdlib.h>
#include "exec/types.h"
#include "exec/memory.h"
#include "exec/interrupts.h"
#include "hardware/custom.h"
#include "hardware/intbits.h"

struct Interrupt *VertBIntr;
long count;

main()
{
  extern void VertBServer();

  /* allocate an Interrupt node structure */
  VertBIntr=(struct Interrupt *)
            AllocMem (sizeof(struct Interrupt),MEMF_PUBLIC);
  if (VertBIntr==0){
    printf("not enough memory for interrupt server");
    exit (100);
  }

  /* initialize the Interrupt node */
  VertBIntr->is_Node.ln_Type=NT_INTERRUPT;
  VertBIntr->is_Node.ln_Pri=-60;
  VertBIntr->is_Node.ln_Name="Clock Kludge";
  VertBIntr->is_Data=(APTR)&count;
  VertBIntr->is_Code=VertBServer;

  /* put the new interrupt server into action */
  AddIntServer (INTB_VERTB,VertBIntr);

  /* wait for user to type 'q' */
  printf ("Type q to quit...\n");
  while (getchar()!='q');

  /* remove interrupt server */
  RemIntServer (INTB_VERTB,VertBIntr);

  /* free memory */
  FreeMem (VertBIntr,sizeof(struct Interrupt));
}

/* the VertBServer might look like this */
/* (68000 assembler source, assembled separately and linked with the above) */

        XDEF    _VertBServer
_VertBServer:
        clr.b   $bfe801         ; clear TOD lo
        clr.b   $bfe901         ; clear TOD mid
        clr.b   $bfea01         ; clear TOD high
        move.l  a1,a0           ; get address of count
        addq.l  #1,(a0)         ; increment value of count
        moveq   #0,d0           ; continue to process other vb-servers
        rts                     ; must be rts NOT rte
        end                     ; eof
<-->


0x03>------------------------------------------------------------------------

<++> P55/Linenoise/IPChange.asm !85660240
*--------------------------------------*
*
* IPChange.Asm (DevPac) by `The Warlock'
*
* Nowadays almost all ISPs allocate dynamic IP addresses, meaning your IP
* address will change for each connection you make.
*
* On a shitbox PC, a reset causes the CD signal on the serial port to go low,
* meaning that the connection is lost and you must initiate another.
*
* On an Amiga, a reset does not pull the CD signal low, meaning that
* reconnection is possible.
*
* When you reconnect, your ISP allocates another dynamic IP address, so in
* effect, you have changed your IP address without starting a new connection!
*
* Create a batch file called ipchange.bat as follows:
*
* echo > s:reconnect
* wait 5
* cpu nofastrom > nil:
* ipchange
*
* Make the following additions to your startup-sequence:
*
* if exists s:reconnect
* delete s:reconnect > nil:
* execute
* else
* endif
*
* Now, whenever called, ipchange.bat will reset, and automatically load your
* internet software for quick reconnection.
*
*--------------------------------------*
         opt     c+,d-                   case sensitive no debug
         section ,code                   code section
*--------------------------------------*
START    bra.s   MAIN                    call main
*--------------------------------------*
ID       dc.b    "$VER:IPChange V1.0 by `The Warlock!",0
*--------------------------------------*
         cnop    0,4                     32 bit alignment
MAIN     move.l  4.w,a6                  exec base a6
         jsr     -$84(a6)                call forbid()
         move.l  4.w,a6                  exec base a6
         jsr     -$78(a6)                call disable()
         lea     RESET(pc),a5            supervisor code a5
         move.l  4.w,a6                  exec base a6
         jsr     -$1e(a6)                call supervisor()
*--------------------------------------*
         cnop    0,4                     32 bit alignment
RESET    lea     2,a0                    kickstart rom jump vector
         reset                           kickstart rom remapped
         jmp     (a0)                    kickstart rom restarted
*--------------------------------------*
         end                             eof
*--------------------------------------*
<-->


0x04>------------------------------------------------------------------------

                        THE BULGARIAN PHREAK SCENE
                        ^^^^^^^^^^^^^^^^^^^^^^^^^^
                        by TOKATA (firestarter)...

What to say about the Bulgarian phreak scene - is there really one?
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Hmmm... it's a bad new - in Bulgaria there aren't any phreak-wise peoples at
all... But almost second fucked bastard, which has a computer, is interested
in hacking.  Bastards, which don't know any programming language; their hard
drive is full with games, MP3s and porno JPG files; hang on Internet and
download hacking programs.
They use them (or ask someone to show how to work with them) and imagine -
they a superhackers.  So Bulgaria is full of motherfucking lamers.  We have
an electronic underground magazine named "Phreedom Magazine", but the
hacking is the main theme.  No phreak articles, because there aren't any
phreak authors.  So, read...

Bulgarian phone system - the best phone system in the world! :)))
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Hmmm... how to begin... err... So, 98% from our local tandem exchanges are
SxS A-29 type (made by Siemens).  A typical SxS exchange - no
computerization, strowger switches, sleeve.  The impedance is 600ohms, the
battery by off-hook is 60V, by on-hook - 10V.  The resistance range is
within 0-1600Ohms, the current - within 15-100mA, but usually is 40-60mA.

A mini Bulgarian crossbar system (KRS-200) is used in some small villages
(up to 200 subscribers).  As transit national exchange is used "Crosspoint"
(made by Siemens too) aka ESK-1000.  The Crosspoint's switch is a ESK-relay.
ESK stands for Edelmetal-Schnell-Kontakt auf Deutsch.  Also "Crosspoint" is
used as local tandem in some of the big cities.  In Sofia (our capital) is
located a transit international exchange MT-20 (by THOMSON - France).  Also
year ago our Telco began to install real digital switching systems there.
But the tax for these is terrible and their subscribers are companies,
offices and some bastards with a lot of money... and the most of capital
ISPs ;)

The cables are quite old, there is much of background noise in the handset,
the modem connections are terrible - with a 14.4K modem the average speed is
1000bps, it drops you on every 3 minutes.  After rain there is no subscriber
with normal connection.

So the number detection here is too hard.  By us ONLY the calling party can
drop the connection.  So if you want to catch someone, you make a complaint
to the telco.  She put on your Linefinder a device, named 'dog'.
That 'dog' effects on the switch contacts, so you can hold the connection.
After that, you call the Telco from the neighbors and they catch the called
party number by the wires.  But 'the dog' don't work by long distance
conversations.  Also we have an ANI equipment, named 'AMUR' or 'SKAT',
specially designed for SxS switches, but in the villages and very small
towns, there isn't any ANI.  So with ANI the Telco can catch you, but they
don't use it for normal cases, I think, you know 'why' ;)))  But if you make
a call from a different area the Telco can't catch you even with the help of
ANI :)  But nobody knows that :(  All the people think: "The Telco ALWAYS
CAN DETECT your number!  There is no chance to mislead them".  Blah, what
for idiots.  Btw I try to test here the forced ANIF, so I hope to get it in
work.  In my town (47 000 citizens) we have ANI equipment, but all the Telco
employers says - it's used only for subscribers info.

The billing information here is still collecting with the help of
photographs.

No operator comes on my line when I flash the switchhook.

Signaling
~~~~~~~~~~

I devoted a 2 years on learning the signaling methods in Bulgaria, but:

1. There aren't good tech books about signaling.  In some books it is
   mentioned quite cursory.  70% and higher about signaling I have learned
   from several Phrack articles.
2. Nobody from the local Telco in my town knows anything about this.  I
   talked with a few high educated employers, but they knew less than me :(

Well, I have learned the following from the books (and from other places):
N4 and N5 is used on international circuits, otherwise R2 is used.  Well, I
know that "Crosspoint" uses R2, but I'm not sure that the stupid A-29 (SxS
type) uses the R2 signaling system.  Also, I have read in a tech book, that
(!) R2 is in-band signaling system.  But we all know, that this is not true,
because the blow-off frequency for R2 is 3825Hz.  The major multiplexing is
FDM with 4KHz channels.
So if you whistle 3825Hz tone in the microphone, when speaking on LD, the
other end will hear that.  So we try to blue box with programs.  If that
success, we will announce that :)  But I think - there are line and rejector
filters at the end of our trunks and the signal must be clear (a straight
sinusoid).

A telco employer said to me, he heard about 2100Hz signal, but he wasn't
sure :(  Can anyone help?

Our beloved Telco
~~~~~~~~~~~~~~~~~

So by us, the BTC (Bulgarian Telecomunication Company) was always
monopolistic.  Also they try now to occupy and take under full control all
ISP in Bulgaria.  The local calls are not free and our taxes are the highest
in Europe.  Our average salary is 100$ and we pay 0.04$ for each tax unit.
There are also permanent taxes and other thing and for comparison if you
have 200 units you'll pay 10$.  That's 12% from the average salary in
country!!!  Also if you dial from Canada to Bulgaria that'll cost you 0.8$
per minute, BUT IF YOU CALL Canada from Bulgaria (btw we can't dial direct
North America without operator assistance) that'll cost you 2.3$ per minute
he-he-he :)

So this year our Telco is going to go private.  There was 3 candidates to
buy 51% from Telco's shares - Deutsche Telecom/Turkey firm, Telefonica and
the Holland/Greece telcos.  The price was 500 000 000$.  But Telefonica and
DT gave up in the last moment.  Maybe you guess why?  Nobody want to throw
his money for Telco, that uses 98% SxS switches, where a big part from
peoples (70%) are poor and don't make many calls (under 100 units), in which
country you don't know what will happen tomorrow and etc...

So, as I've read about Argentina's telco, I can say: the situation is almost
the same.  But by us there is ONLY ONE company which control anything - all
the phones, pagers, a big part of GSM network, all public phones, runs the
only X.25 datapac network - BULPAC, they are also ISP...  Total monopoly!

The Laws
~~~~~~~~

Ha-ha-ha?  What for laws?  Against phreaking?
There is no way :)  Also nobody in Bulgaria don't understand what {the fuck}
term 'phreaking' means.  And not just the ordinary people.  If you are in
the IRC channel #bulgaria and ask: "Hey, what does the phreaking mean?", I'm
sure that nobody shall know.  Up to now, I didn't hear about someone to get
busted for phreaking.  Our telco (and all of their employers) think - the
system is unbreakable!  But they also have an law about devices, that are
illegally hooked to the phone line.  At the first time you'll be warned
'bout that, and at the second time you'll be disconnected.  But you pay the
tax for new phone (100$) and congratulations - you already have a phone :)

So, our legislation don't contain anything about hacking, cracking,
phreaking and all kinds of electronic frauds.  In Bulgaria there is no term
such as 'illegal software' or 'illegal access to someone's computer'.

The PayphoneZ
~~~~~~~~~~~~~

There is no good word to say about our shitty motherfucking Telco, even for
payphones.  You think - you can do red boxing in Bulgaria.  Forget it!  Our
Payphones a COCOT and are used only for local calls!  There are huge, metal
boxes :) full mechanical, no fine electronics!  You can see inside a
capacitor like a hand bomb!  The Payphones worked with coins, but there was
so many idiots, who took out their coins from the payphones with a thread
(string).  So our beloved Telco become a mad about this and they replace the
coins with a special made by them phone-coins with borders, which made them
impossible to take out ;).

As I have said, the payphones are COCOT - you take the handset, hear a
dialtone, dial a number (pulse, with a dialing disk!!!), the called person
answers... and then the polarity is reversed.  A relay inside the phone
notice that and after 3 seconds cuts off the mouthpiece... and the earpiece.
Then the hole for the money gets opened and the coin falls inside.  There
are no such terms such a coin return.

There is a trick to make free calls (local) on these phones.
If you press the hook, when the polarity is reversed, there is no current on
the line in that moment, and because there is no current in that moment, the
relay wouldn't be noticed for the answer, and it wouldn't cut the
mouth-earpiece.  Another trick is to unlock the phone and fill your pockets
with coins :)  The lock picking on these is quite easy...

There was also payphones for international and LD calls operating with
money, but 10 years before began an big inflation and these phones died.
Now you should to put a lot of coins (2-5kg) to make a 3 min international
call.

So 5-6 years before our telco installed two types of card-phones: BetCom and
Bulfon.  BetCom is British-Bulgarian Company (GPT&BTC) and their card phones
are magnetic strip style.  The security of these card was too weak so a few
people began to make free phone calls.  After 3 years losing a lot of money
from these frauds, BetCom install new phones and change the cards with
electronic ones, but there are still many old phones :)  You just copy the
magnetic strip of the card and here it is...

The Bulfon phones are much intelligent.  They are the same such as these in
Argentina and Germany.  The test signal is 16KHz, with nice LCD display,
have button for several languages, for replacing exhausted cards, for signal
amplification and other options.  I forgot to say, that both the cardphones
use pulse dialing.  They usual don't have a number to dial the cardphone,
but for a short time the phones in the capital have already a number... and
MF dialing.

There was a very popular trick on Bulfon cardphones with 2 cards - full one
and empty one (but at least with 1 unit).  You quickly push and pull the
full card into the slot and the display begin to flash.  After that you do
this again and put the empty card.  The phone remember the units from the
first card and you talk for free.  A big amount of people became familiar
with this and they began to use it for and without need.
And since our telco is mad for every lost penny, this feature bombed out.
Also I have heard, that a few people recharge cards and make unlimited ones
(a PIC emulator), but since I'm not a cardphreaker, I don't know much about
it.  But I know that the bulfon exchange is very sophisticated and it's very
hard to fool those.  For example, you can't dial more than 400 units with
the same card from one cardphone.  And yet one funny feature - every night,
a built-in modem in the cardphone establish a connection with the Bulfon
exchange and transfer info.  Info such as - how many units are used, the
cards serial number and much more (such as frauds).  If you, for example,
steal a few cards from the post office, the exchange send to all the phones,
that cards with a number 444 xxx xxx ... are invalid.

Ahh... I forgot, the public phone cables don't go through PVC or metal
pipes.  But... on Bulfon (and I think - and on BetCom) phones you can't just
cut the wire and hook with a handset, because as you know the line device
can't find the phone - when you pick up the handset on Bulfon, the exchange
send 16KHz test signal and the phone must answer with the same signal.  The
CPU of these is 68HC11 (Motorola).

btw we have a GSM network since 1995.  Also we have a pager network.

Phreaking methods
~~~~~~~~~~~~~~~~~

As I have said, there aren't phreak wise people in Bulgaria (but almost
every is interested in hacking).  A lot of falsely accused 'phreaks' do
pitting - hooking with a handset to a pair of wires or the outside
connection box.  Phreak methods used by me are:

- forced 3way calling = some type of abuse the structure of the connector.
  So, in my town the NPA is X-YY-ZZ.  So lets imagine, that someone called
  4-33-28.  I begin to dial 4-33 and when I hit the right pause after the
  3rd it's puts me into their conversation.
- free calling from local payphones = already talked bout that.
- free calling on local and short haul calls - by dialing a chain of
  prefixes (such as in UK).
  I dial the prefix (NPA) of the town X, and after that dial the prefix for
  another place and then the number.  But not every exchange allows you to
  make that.  Your exchange waits a signal from exchange X, that a called
  party is answered, but the X waits too for that...  But the connection is
  terrible... and after 3 minutes without taxing on the trunk your Telco
  cuts the connection ;(

Also I think that black and blue boxing is still possible, but didn't test
it entirely.

There also "hidden" long distance numbers and prefixes, which are very
useful in some cases (I also found 3-4 of them), but nobody try to find
it :(

There aren't free numbers in Bulgaria, except these for police, fire alarm,
hospital and the telco number for failure complaints, but they are ONLY FOR
LOCAL DIALING!  I also discover a method to call these as trunk-calls,
BUT... but our phone system is made so, that if on a trunk-call there isn't
a tax signal coming after 3 minutes, the call is terminated.

Some people with knowledge of electronic also make "free calls" through
their neighbor's lines, but BTC is familiar with those methods and it always
check the line (plus these of the neighbors) when a subscriber made a
complaint for big bill.

In Bulgaria there are NO PBX-es, Voice Mail Systems, WATS numbers, Call
forwarding, Call waiting, DTMF requesting, Speed dialing and other.  About
PBX - some of our factories have PBX-es, but I still learn how to use/abuse
them.

In almost every town with more than 10 000 subscribers we have a conference
phone, which can be dialed only local (errrr... quite not true ;)) for 1 tax
unit per 3/5/10/30 minutes.  But the stupid people don't know that and in
many towns (such as mine) this phone is *forever* free.

I also have heard about peoples, which emulate the GSM SIM card to make free
calls.

PHREAK'EM ALL!!!


0x05>------------------------------------------------------------------------

----[  PDM

Phrack Doughnut Movie (PDM) last issue was `Dark City`.

PDM54 recipients:

I forget.  I think Adam Shostack was definitely one.  It's been a while
though.

PDM55 Challenge:

"Beware my wrath."


0x06>------------------------------------------------------------------------

----[  Super Elite People That REad Phrack (SEPTREP)

New additions:

Why they are SEP:

----[  Current List

W. Richard Stevens
Ron Rivest

-----------------------------------------------------------------------------

----[  EOF