==Phrack Inc.==
                 Volume Three, Issue Thirty-one, Phile #7 of 10
                             COMPANY CONFIDENTIAL
                              INTERIM MEMORANDUM

             SUBJECT:  TYMNET SUPPORT FOR CUSTOMER'S DATA SECURITY
      PURPOSE:  This document provides background, and general procedures
      and practices used to support customers with suspected security
      problems.  Field Sales is the intended audience but is a general
      document and may be useful to other customer support personnel.
      Currently, this document is in a final review.  Meanwhile, it is to
      retain the status of an internal proprietary document.
      BACKGROUND:  BT Tymnet Inc, and its Network Systems Company,
      believe information integrity is vital to ourselves and our
      customers.  One way TYMNET insures integrity is by providing good
      security.  TYMNET has a baseline security of user name, password,
      and user access profile available for all customers.  Further, there
      are two security products.  One permits the customer to limit
      password life (password automatically expires after a customer
      elected time period) and the other permits the end user to change
      his/her own password.  Since we do consider security a key issue,
      we continue to develop other security features.  Also, we work with
      Security vendors to certify their security products on our network,
      thus permitting customers to add such products, should they so
      desire.
      We have established Network Systems Company Policies which provide
      a framework for the information contained herein (see NSC Policy
      121 and 122.  More policies are in distribution as of this
      writing).  It is highly recommended that these policies be reviewed
      since they represent the framework of this document.
      Legal considerations are another key issue in any security case.
      Support, other then providing the customer with related security
      data, can only occur if law(s) have been broken.  The
      legal issues are complex and only a minimal information is
      provided herein.  At at the heart of this issue is the fact that
      the customer is the injured party, not TYMNET.  Patience and good
      communication may be required to get the customer to understand
      this fact.  The customers must act for themselves to obtain
      law enforcement support.  TYMNET will support that activity, and
      help to the degree possible, much as a "friend of the court".
      THE SUPPORT:  We provide security support as a responsible
      network service provider.  The first step in that support is for
      the field sales representative to act as a security consultant to
      the customer, at least to the extent explained below.
      The customer is well advised to plan in advance "what to do
      when Captain Midnight strikes" -- contingency planning, pure
      simple.  First there are two basic alternatives to choose from:
                             PROTECT AND PROCEED
                                      OR
                             PURSUE AND PROSECUTE
      "Protect and proceed" means 1) determine how the incident
      occurred, 2) plug the security leak/hole, and 3) go on with
      business as normal.
      (Do we want written notification of the Intent to "Pusue and
      Prosecute" from the "Injured Party?").
      "Pursue and prosecute" is just that.  The first step is having
      the customer obtain legal support, and both we and the customer
      continue to gather evidence until the suspect is apprehended.  The
      next step is the prosecution in a court of law.  (The final step is
      to return to the first alternative, e.g., now protect and
      proceed.)
      The customer needs to judge each case  on its own merits, but
      generally the first choice is the wiser one.  The second choice
      involves considerable effort, mostly by the customer and law
      enforcement agency(s), possible negative publicity for the
      customer and does not necessarily result in successful prosecution.
      Good contingency planning also includes becoming familiar with the
      laws and the local law enforcement people.
      The starting point is a suspected incident.  Herein, we will address
      the case where the customer has identified a suspected intruder.
      Generally, that occurs by a customer's detailed review of billing
      or host based security exception reports.
      At this point it is essential the field sales representative open a
      ticket containing at least the following:  1) customer name and CID,
      2) host(s) involved, 3) incident start and stop times, and 4) the
      customer's objective.  Add any other information deemed helpful.
      Other support may be an on-line trace of the call, if the
      suspect is currently on-line.  Field support should do this trace, or
      alternately, this same help can be obtained by calling network
      customer support and/or NetCon.  In any case it must be done while
      the suspect is on-line.  Such trace information should be
      included on the ticket.
      Based on the customer's position; the case will fit either
      "prevent and proceed" or, "pursue and prosecute".  The former is
      straight forward, in that TYMNET security will research the
      incidents(s), and provide data (generally user name and point of
      origin(s) to the customer via Field Sales, with recommendations
      on how to prevent any further occurrence.  We do provide this
      service as a responsible vendor, although strict interpretation
      of NSC policy 121 precludes it.  However, we do apply the policy if
      a customer continues to ask for data without taking preventative
      action.
      The "pursue and prosecute" case is complex, and is different for each
      situation.  It will be explained by using a typical scenario.  After
      the first step (as above), it is necessary to gather data sufficient
      to show a pattern of intrusion from a single TYMNET access point.
      With this information, the customer (the injured party) must contacts
      law enforcement agency(s), with the one exception noted below.
      If that intrusion point is through a gateway from a foreign
      country, for all practical purposes, the customer can do little to
      prosecute.  The law(s) of the foreign country will apply since
      extradition is most unlikely.  Therefore, action will have to be
      have to be initiated by the network service provider in the
      foreign country.  In this case, TYMNET security will have MIS
      research the session details to obtain the Network User
      Identifier, and External Network Support (Jeff Oliveto's
      organization) will communicate that information to the foreign
      network for their action (cases involving U.S. government computers
      may get special treatment - see for example - Communications of the
      ACM, May, 1988, article on "Stalking the Wiley Hacker").
      Most all security incidents on our network are caused by international
      hackers using X.121 addressing.  Frequently, our customer is unaware
      of the risk of X.121 addressing, and permits it.  BE SURE YOUR
      CUSTOMERS KNOW THAT THEY CAN CHOOSE FULL TYMNET SECURITY FEATURES,
      THEREBY PRECLUDING SUCH INTRUSIONS FROM X.121 ADDRESSING FROM
      FOREIGN NETWORKS.
      For the domestic case, the customer gets law enforcement (attorney
      general at incoming call location, secret service if credit card
      fraud is involved, or possibly the FBI, depending on the incident)
      to open a case.  Note, damage in estimated dollars is usually
      necessary to open a case, and many agencies will not take action on
      small claims.  For example, as of December, 1988, the Los Angeles
      Attorney will not open a case for less than $10,000 (they have too
      big a caseload at higher damages).
      Assuming legal support is provided, a court order for a wire tap
      and trace will be obtained, thereby determining the caller's phone
      number (this step can be very involved and time consuming for long
      distance calls).  The next legal action occurs after the calling
      number is identified.  A search warrant is obtained for searching the
      facility housing the phone location.  Normally, this search will
      gather evidence sufficient for prosecution.  Evidence is typically
      the necessary terminal equipment, printouts, diskettes, etc.  Then,
      at long last the prosecution.  Also note, again at the time the
      calling number is identified, the injured party should use the
      "protect and proceed" plan.
      For further information, contact Data Security, TYMNET Validations,
      or Ontyme NSC.SECURITY.

_______________________________________________________________________________

You are viewing proxied material from gopher.black. The copyright of proxied material belongs to its original authors. Any comments or complaints in relation to proxied material should be directed to the original authors of the content concerned. Please see the disclaimer for more details.