Title : Phrack Line Noise
Author : various
-------[ Phrack Magazine --- Vol. 9 | Issue 55 --- 09.09.99 --- 03 of 19 ]
-------------------------[ P H R A C K 5 5 L I N E N O I S E ]
--------[ Various ]
0x01>------------------------------------------------------------------------
SecurPBX using SecurID
by pbxphreak <[email protected]>
.---------------.
| | 037592 |
| `--------'
| SecureID |
`---------------'
SecurID Token:
-------------
The SecurID token provides an easy, one step process to positively identify
network and system users and prevent unauthorized access. Used in conjunction
with Security Dynamics Server software, the SecurID token generates a new
unpredictable access code every 60 seconds. SecurID technology offers
crackproof security for a wide range of platforms in one easy-to-use package.
Highlights:
----------
- Easy, one-step process for positive user authentication
- Prevents unauthorized access to information resources
- Authenticates users at network, system, application or transaction level
- Generates unpredictable, one-time-only access codes that automatically
change every 60 seconds
- No token reader required; can be used from any PC, laptop or workstation;
ideal for remote access and Virtual Private Networks
- Works seamlessly with ACE/Agent for secure Web access
- Tamperproof
The Solution:
------------
For a sophisticated hacker or a determined insider, it doesn't take much to
compromise a user's password and gain access to confidential resources. And
when an unauthorized user enters a supposedly secure system, all privilege
definition and audit trail functions become virtually meaningless... in
essence, the damage is done. Single-factor identification (a reusable
password) is not enough.
To identify and authenticate an authorized system user, two factors are
necessary. Factor one is something secret only the user knows: a memorized
personal identification number (PIN) or password. The second factor is
something unique the user possesses: the SecurID token.
Carried by authorized system users, SecurID tokens (available in three models)
generate unique, one-time, unpredictable access codes every 60 seconds. To
gain access to a protected resource, a user simply enters his or her secret
PIN, followed by the current code displayed on the SecurID token.
Authentication is assured when the ACM recognizes the token's unique code in
combination with the user's unique PIN. Patented technology synchronizes each
token with a hardware or software ACM. The ACM may reside at a host, operating
system, network/client resource or communications device: virtually any
information resource that needs security.
This simple, one-step login results in crackproof computer security that is easy
to use and administer. The tokens require no card readers or time-consuming
challenge/response procedures. With SecurID tokens, reusable passwords can no
longer be compromised. Most importantly, access control remains in the hands
of management.
SECURID PINPAD:
--------------
An added level of security can be implemented with a SecurID PINPAD token.
The PINPAD token enables users accessing the network to login with an
encrypted combination of the PIN and SecurID token code. Using the keypad on
the face of the PINPAD token, a user enters his or her secret PIN directly
into the token, which generates an encrypted passcode. This additional level
of security is especially appropriate for users in application environments
who are concerned that a secret PIN might be compromised through electronic
eavesdropping.
SecurID tokens are ideal for any environment. The original SecurID token
conveniently fits into a wallet like a credit card. The SecurID key fob
offers a new dimension in convenience to those customers requiring high
levels of security in multiple environments, along with compact size and
durability. In addition to providing the same reliable performance in
generating random access codes as the original SecurID token, the SecurID key
fob comes in a small, lightweight format.
SecurPBX
--------
Ok. Plain and simple. SecurPBX is a product to protect PBX systems worldwide
and automated Help Desk functions.
SecurPBX provides remote access security for telephone lines, modem pools,
voicemail ports, internet access lines, and the maintenance port on PBX
systems. Used in conjunction with Security Dynamics SecurID, SecurPBX
protects valuable PBX resources from remote access by unauthorized callers
without compromising the conveniences of remote telephone and data access
for teleworking or traveling employees.
Callers dial specific numbers on the PBX for long distance services. As an
adjunct to the PBX and a client to the server, SecurPBX receives the
caller's request for resources. Functioning as a client, SecurPBX requires
remote callers to provide SecurID user authentication and an authorized
destination telephone number before being transferred to the desired resource.
SecurPBX transmits the credentials to the server for authentication
and simultaneously validates the telephone number by user specific
permissions and denials. SecurPBX integrates with the PBX to process the
call based on the validity of the caller via SecurID and the destination
number attempted.
.----------. |
| SERVER |---- -x- <-- Security
`----------' |
| |
| _-_
.--------------. |
| | 037592 | ,-----.
| `--------' ----- | PBX | ----- .-----------.
| SecureID | `-----' | SecurePBX |
`--------------' | Switch |
| `-----------'
|
--------------- Users
Each SecurID card is a visually readable credit card sized token or key which
is programmed with Security Dynamics' powerful algorithm. Each card
automatically generates an unpredictable, one time access code every 60
seconds. The token is convenient to carry and simple to use and is resistant
to being counterfeited or reverse engineered.
SecurPBX extends the secure working environment of an organization to remote
locations. SecurPBX applies user specific calling restrictions before any
call is completed to prevent unauthorized toll charges and misuse of PBX
resources. The time of day, volume of calls per user, destination telephone
numbers (restricted to NPA and NXX) and customizable classes of service add
a vital layer to access security without compromising the convenience of
having remote access to telephone resources. SecurPBX logs all successful
and unsuccessful attempts including the destination telephone number.
Caller ID/ANI, if available, also provides the origination telephone number,
pinpointing the location of the caller.
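The call flow described above (PIN plus 60-second token code, then per-user time-of-day, call-volume and NPA/NXX restrictions, with every attempt logged), as an added example that is not SecurPBX code and not part of the original article. The token code function is an HMAC-based stand-in because the SecurID algorithm is not given on the page; the class names, result strings, seed, PIN and phone numbers are all constructed for illustration.

```python
import hashlib
import hmac
import struct
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

STEP = 60  # seconds each token code stays valid, as stated in the article

# Stand-in generator (HMAC-SHA1 with RFC 4226 truncation). This is an
# assumption for the example, NOT the proprietary SecurID algorithm.
def tokencode(seed: bytes, unix_time: int) -> str:
    mac = hmac.new(seed, struct.pack(">Q", unix_time // STEP), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{value % 1_000_000:06d}"

@dataclass
class User:
    pin: str
    seed: bytes
    allow: frozenset     # {(NPA, NXX)}; NXX of None covers the whole area code
    deny: frozenset      # same shape; a denial overrides a permission
    hours: range         # hours of day (UTC) in which calls are permitted
    max_calls: int       # call-volume limit
    calls: int = 0
    last_step: int = -1  # newest 60 s window already accepted (replay guard)

class CallGate:
    def __init__(self, users):
        self.users = users
        self.log = []  # every attempt: (time, user, destination, ANI, result)

    def _authenticate(self, user, passcode, unix_time):
        pin, code = passcode[:-6], passcode[-6:]
        pin_ok = hmac.compare_digest(pin.encode(), user.pin.encode())
        now_step = unix_time // STEP
        for step in (now_step, now_step - 1, now_step + 1):  # one window of drift
            expected = tokencode(user.seed, step * STEP)
            if hmac.compare_digest(code.encode(), expected.encode()):
                if not pin_ok:
                    return "BAD_PASSCODE"
                if step <= user.last_step:
                    return "REPLAY"  # a code is accepted for one login only
                user.last_step = step
                return "OK"
        return "BAD_PASSCODE"

    @staticmethod
    def _listed(rules, npa, nxx):
        return (npa, None) in rules or (npa, nxx) in rules

    def _decide(self, user_id, passcode, dest, now):
        user = self.users.get(user_id)
        if user is None:
            return "UNKNOWN_USER"
        result = self._authenticate(user, passcode, int(now.timestamp()))
        if result != "OK":
            return result
        digits = "".join(ch for ch in dest if ch.isdigit())
        if len(digits) != 10:
            return "BAD_DESTINATION"
        npa, nxx = digits[:3], digits[3:6]
        if now.hour not in user.hours:
            return "OUTSIDE_HOURS"
        if user.calls >= user.max_calls:
            return "VOLUME_EXCEEDED"
        if self._listed(user.deny, npa, nxx) or not self._listed(user.allow, npa, nxx):
            return "DESTINATION_DENIED"
        user.calls += 1
        return "OK"

    def authorize(self, user_id, passcode, dest, now, ani=None):
        """Decide on one call attempt and log it whether or not it succeeds."""
        result = self._decide(user_id, passcode, dest, now)
        self.log.append((now.isoformat(), user_id, dest, ani, result))
        return result

def demo():
    """Constructed user, seed and numbers; returns the gate and its decisions."""
    seed = b"constructed-seed-for-illustration"
    alice = User("4821", seed, frozenset({("212", None), ("415", "555")}),
                 frozenset({("212", "976")}), range(8, 18), max_calls=2)
    gate = CallGate({"alice": alice})
    t0 = datetime(1999, 9, 9, 14, 0, tzinfo=timezone.utc)
    def attempt(when, dest, pin="4821"):
        passcode = pin + tokencode(seed, int(when.timestamp()))
        return passcode, gate.authorize("alice", passcode, dest, when, ani="2125550100")
    first, r1 = attempt(t0, "212-555-0123")
    results = [
        r1,                                                                 # valid call
        gate.authorize("alice", first, "212-555-0123", t0 + timedelta(seconds=20)),  # same code again
        attempt(t0 + timedelta(minutes=1), "212-555-0123", pin="0000")[1],  # wrong PIN
        attempt(t0 + timedelta(minutes=2), "212-976-0100")[1],              # denied NXX
        attempt(t0 + timedelta(minutes=3), "415-555-0199")[1],              # second allowed call
        attempt(t0 + timedelta(minutes=4), "212-555-0123")[1],              # over volume limit
        attempt(t0 + timedelta(hours=6), "212-555-0123")[1],                # 20:00, outside hours
    ]
    return gate, results
```

The log keeps the refused attempts alongside the completed calls, which is what makes the audit trail the article mentions useful for spotting a guessed PIN or a replayed code.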
Highlights of SecurPBX:
----------------------
- Compatible with all major PBX vendor types.
- Cost effective remote access security for PBX resources.
- Prevents unauthorized access to valuable voice and data resources.
- Secures remote long distance, an alternative method for replacing
calling cards.
- Works in conjunction with each user's SecurID card.
- Centralized network authentication and security administration.
- Easy to Use, voice prompting available in multiple languages.
- Audit trails and reporting assure true caller accountability.
- Caller ID/ANI option provides originating telephone number identifying
hacker locations.
SecurPBX operates in a Microsoft Windows NT environment. Callers and data users
achieve seamless access to PBX resources with validation data gathered as
efficiently as using a calling card and/or attempting a standard logon
procedure. In many cases, SecurPBX can be a calling card replacement and
may also be used with cellular phones to combat calling card fraud.
Fraudulent or suspect callers are denied access before toll charges and
resource damage occur.
Typically, securing a PBX from unauthorized remote access has required
disabling remote access to the PBX. Using dynamic, two factor authentication
through the server and validation of destination numbers dialed, SecurPBX
systematically locks out unauthorized callers, preventing toll, voicemail,
and data fraud. This provides a secure access point for
teleworking resources.
SecurPBX unique voice identification:
------------------------------------
SecurPBX is a unique identification solution providing secure remote
access to all major PBX or Centrex telephone systems. Protected resources
included are:
- Long distance lines and trunks
- Voice mail access lines
- Call centers
- Interactive voice response systems and audio response units
Access is controlled through positive identification of callers by their
unique, individual voice prints. SecurPBX uses SpeakEZ voice print speaker
verification service technology to efficiently allow access to authorized
callers while eliminating access to unauthorized callers. The SpeakEZ
voice print system is recognized as the best in the voice verification
industry today.
Significant investments in telephone resources simply cannot be protected
by traditional static passwords or PINs. When making a telephone call from
any telephone using your calling card number, the one condition verifiable
as certain by the PBX or phone company is that someone is making a call with
a known authorization code, however, it could be anyone. Casual calling by
unauthorized personnel, recognized as a major misuse of corporate telephone
resources, must be controlled if not eliminated. SecurPBX provides that
capability to your organization.
SecurPBX provides reliable, independent two factor user identification and
authentication. Factor one is something the user knows: a memorized personal
identification number or password. The second factor is something unique
the user possesses: his/her own voice print. Each caller is required to
merely speak his/her chosen password which is compared to a stored voice
print. The password can be in any language or dialect.
SecurPBX extends the unique user authentication provided by SpeakEZ voice
print to include user specific calling restrictions. Time of day, volume of
calls per user, destination telephone numbers which are restricted to NPA
and customizable classes of service add important layers of access security
without compromising the convenience of remote access to telephone resources.
Highlights:
----------
- Compatible with all major PBX vendor-types and Centrex
- Cost effective remote access security for PBX resources
- Prevents unauthorized access to valuable voice resources
- Secures remote long distance
- Non-intrusive security, callers are validated by their own voice prints
- Language independent passwords
- Centralized authentication and security administration
- Easy to use, voice prompting available in multiple languages
- Audit trails and reporting assure true caller accountability
- Multiple voice prints available per user
Remote Access Security Solution:
-------------------------------
Optionally, after authentication, SecurPBX administrators can manage user
permissions and denials from either the same SecurPBX workstation or from
another workstation connected via a LAN or remotely by modem in a Windows
friendly environment.
Long distance callers achieve seamless access to PBX outbound trunks with
validation criteria gathered as efficiently as a calling card and as easily
as talking to a telephone attendant. Fraudulent or suspect callers are denied
access before any damaging toll charges can occur.
SecurPBX logs all calls, successful and unsuccessful, including the date and
time, user ID, and destination telephone number. Depending on the PBX type,
Calling Line Identification ANI may be used as part of the validation process
and in those cases, will also be logged. Log information can be exported to an
external spreadsheet application or displayed in reports generated by the
SecurPBX Administrator.
SpeakEZ Voice Print:
-------------------
SpeakEZ Voice Print Speaker Verification is a highly effective method of
confirming a caller's identity. The service is based on the fact that each
person's voice is uniquely different, and, as a means of identification, is
highly reliable. Speaker Verification is an application of the SpeakEZ Voice
Print technology which compares a digitized sample of a person's voice with
a stored model "voice print" of that individual's voice for verification.
- Authenticates the caller as opposed to information (i.e. PIN) or a piece
of equipment.
- Easy to use, language independent
- Safe: a voice print cannot be lost or stolen
- Cost-effective: does not require special hardware for the caller
- Virtually fraud-proof: a voice is difficult to forge
Applications of SecurPBX:
------------------------
- Secure Telecommuting (all valuable PBX resources)
- Call center user authentication
- Securing Interactive Voice Response (IVR) and Audio Response Units (ARUs)
- Help Yourself suite of products for help desk automation (ASAP(TM) -
ACE/Server Administration Program - PIN reset, SecurNT - Windows NT
password reset, E-Help Desk - Entrust/PKI(TM) profile recovery)
Technical Requirements:
----------------------
Telephony platforms : All major PBXs including Nortel, AT&T, Rolm and Mitel
Processor           : 100% IBM compatible PC, Pentium 133 minimum
Disk requirement    : Hard disk 1 gigabyte minimum, 32MB RAM for Switch
                      Interface, Client software, 8 MB for Administrator
                      software, actual storage based on size of user
                      population
Capacity            : An unlimited number of users may be administered and
                      issued SecurID Cards. 32 simultaneous voice channels
                      per Switch Interface
Configuration       : Multiples of 4, 12 and 24 line telephone interfaces
Management          : SecurPBX Administrator includes extensive
                      administrative menus in user-friendly Windows 3.1 and
                      95 environment, real time monitoring and management of
                      multiple PBX sites
Conclusion:
----------
SecurPBX is definitely the way to go to prevent your data and PBX systems
from getting hacked and abused.
0x02>------------------------------------------------------------------------
<++> P55/Linenoise/ckludge.c !2231f4cc
/* */
/* CKludge.C (Amiga) */
/* */
/* If you are a PC user you can port this C source easily. */
/* */
/* You might even want to use it to fix your fucking millenium bug... */
/* */
/* Ha! Ha! Ha! 2000 is nigh. */
/* */
/* Clock Kludge 1.0 by `The Warlock' */
/* */
/* This little patch will freeze your clock - useful if you wish to bypass */
/* time restrictions imposed by many programs... */
/* */
/* It works by patching the level 3 IRQ vector, vertical blank, to hold the */
/* complex interface adapter internal time of day clock registers to zero. */
/* ($bfe801 = TOD lo, $bfe901 = TOD mid, $bfea01 = TOD hi) */
/* */
/* Should work on all Amiga models. */
/* */
/* Handles relocated vector base correctly. */
/* */
/* Compiling info: lc2 -v (disable stack checking so no need to use le.lib) */
/* */
#include <stdio.h>
#include <stdlib.h>
#include "exec/types.h"
#include "exec/memory.h"
#include "exec/interrupts.h"
#include "hardware/custom.h"
#include "hardware/intbits.h"

struct Interrupt *VertBIntr;
long count;                     /* incremented by the server on every vblank */

main()
{
    extern void VertBServer();

    /* allocate an Interrupt node structure */
    VertBIntr=(struct Interrupt *)
        AllocMem (sizeof(struct Interrupt),MEMF_PUBLIC);
    if (VertBIntr==0){
        printf("not enough memory for interrupt server");
        exit (100);
    }
    /* initialize the Interrupt node */
    VertBIntr->is_Node.ln_Type=NT_INTERRUPT;
    VertBIntr->is_Node.ln_Pri=-60;
    VertBIntr->is_Node.ln_Name="Clock Kludge";
    VertBIntr->is_Data=(APTR)&count;     /* handed to the server in a1 */
    VertBIntr->is_Code=VertBServer;
    /* put the new interrupt server into action */
    AddIntServer (INTB_VERTB,VertBIntr);
    /* wait for user to type 'q' */
    printf ("Type q to quit...\n");
    while (getchar()!='q');
    /* remove interrupt server */
    RemIntServer (INTB_VERTB,VertBIntr);
    /* free memory */
    FreeMem (VertBIntr,sizeof(struct Interrupt));
}
/* the VertBServer (assembler source, assembled separately and linked */
/* with the C code above) might look like this */
XDEF _VertBServer
_VertBServer:
clr.b $bfe801 ; clear TOD lo
clr.b $bfe901 ; clear TOD mid
clr.b $bfea01 ; clear TOD high
move.l a1,a0 ; get address of count
addq.l #1,(a0) ; increment value of count
moveq #0,d0 ; continue to process other vb-servers
rts ; must be rts NOT rte
end ; eof
<-->
0x03>------------------------------------------------------------------------
<++> P55/Linenoise/IPChange.asm !85660240
*--------------------------------------*
*
* IPChange.Asm (DevPac) by `The Warlock'
*
* Nowadays almost all ISPs allocate dynamic IP addresses, meaning your IP
* address will change for each connection you make.
*
* On a shitbox PC, a reset causes the CD signal on the serial port to go low,
* meaning that the connection is lost and you must initiate another.
*
* On an Amiga, a reset does not pull the CD signal low, meaning that
* reconnection is possible.
*
* When you reconnect, your ISP allocates another dynamic IP address, so in
* effect, you have changed your IP address without starting a new connection!
*
* Create a batch file called ipchange.bat as follows:
*
* echo > s:reconnect
* wait 5
* cpu nofastrom > nil:
* ipchange
*
* Make the following additions to your startup-sequence:
*
* if exists s:reconnect
* delete s:reconnect > nil:
* execute <your internet startup script>
* else
* endif
*
* Now, whenever called, ipchange.bat will reset, and automatically load your
* internet software for quick reconnection.
*
*--------------------------------------*
opt c+,d- case sensitive no debug
section ,code code section
*--------------------------------------*
START bra.s MAIN call main
*--------------------------------------*
ID dc.b "$VER:IPChange V1.0 by `The Warlock!",0
*--------------------------------------*
cnop 0,4 32 bit alignment
MAIN move.l 4.w,a6 exec base a6
jsr -$84(a6) call forbid()
move.l 4.w,a6 exec base a6
jsr -$78(a6) call disable()
lea RESET(pc),a5 supervisor code a5
move.l 4.w,a6 exec base a6
jsr -$1e(a6) call supervisor()
*--------------------------------------*
cnop 0,4 32 bit alignment
RESET lea 2,a0 kickstart rom jump vector
reset kickstart rom remapped
jmp (a0) kickstart rom restarted
*--------------------------------------*
end eof
*--------------------------------------*
<-->
0x04>------------------------------------------------------------------------
THE BULGARIAN PHREAK SCENE
^^^^^^^^^^^^^^^^^^^^^^^^^^
by TOKATA (firestarter)...
What to say about the Bulgarian phreak scene - is there really one?
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Hmmm... it's bad news - in Bulgaria there aren't any phreak-wise people at
all... But almost every second fucked bastard who has a computer is interested
in hacking. Bastards who don't know any programming language; their hard
drive is full of games, MP3s and porno JPG files; they hang on the Internet and
download hacking programs. They use them (or ask someone to show how to
work with them) and imagine they are superhackers. So Bulgaria is full of
motherfucking lamers.
We have an electronic underground magazine named "Phreedom Magazine", but
the hacking is the main theme. No phreak articles, because there aren't any
phreak authors. So, read...
Bulgarian phone system - the best phone system in the world! :)))
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Hmmm... how to begin... err... So, 98% of our local tandem exchanges are
SxS A-29 type (made by Siemens). A typical SxS exchange - no computerization,
strowger switches, sleeve. The impedance is 600 ohms, the battery at off-hook
is 60V, at on-hook - 10V. The resistance range is within 0-1600 ohms, the
current - within 15-100mA, but usually it is 40-60mA.
A mini Bulgarian crossbar system (KRS-200) is used in some small villages
(up to 200 subscribers). As the national transit exchange, "Crosspoint"
(also made by Siemens), aka ESK-1000, is used. The Crosspoint's switch is an
ESK-relay. ESK stands for Edelmetall-Schnell-Kontakt auf Deutsch. "Crosspoint"
is also used as a local tandem in some of the big cities.
In Sofia (our capital) a transit international exchange MT-20 is located
(by THOMSON - France). Also a year ago our Telco began to install real digital
switching systems there. But the tax for these is terrible and their
subscribers are companies, offices and some bastards with a lot of money...
and most of the capital's ISPs ;)
The cables are quite old, there is a lot of background noise in the handset,
the modem connections are terrible - with a 14.4K modem the average speed is
1000bps, it drops you every 3 minutes. After rain there is no subscriber
with a normal connection.
So the number detection here is too hard. Here ONLY the calling party can
drop the connection. So if you want to catch someone, you make a complaint to
the telco. They put on your Linefinder a device named 'dog'. That 'dog'
affects the switch contacts, so you can hold the connection. After that,
you call the Telco from the neighbors and they catch the called party number
by the wires. But 'the dog' doesn't work on long distance conversations. Also
we have ANI equipment, named 'AMUR' or 'SKAT', specially designed for SxS
switches, but in the villages and very small towns, there isn't any ANI. So
with ANI the Telco can catch you, but they don't use it for normal cases, I
think, you know 'why' ;))) But if you make a call from a different area the
Telco can't catch you even with the help of ANI :) But nobody knows that :(
All the people think: "The Telco ALWAYS CAN DETECT your number! There is no
chance to mislead them". Blah, what idiots. Btw I am trying to test the
forced ANIF here, so I hope to get it working. In my town (47 000 citizens) we
have ANI equipment, but all the Telco employees say it's used only for
subscriber info. The billing information here is still collected with the help
of photographs. No operator comes on my line when I flash the switchhook.
Signaling
~~~~~~~~~~
I devoted 2 years to learning the signaling methods in Bulgaria, but:
1. There aren't good tech books about signaling. In some books it is
mentioned quite cursorily. 70% and more of what I know about signaling I
have learned from several Phrack articles.
2. Nobody from the local Telco in my town knows anything about this. I talked
with a few highly educated employees, but they knew less than me :(
Well, I have learned the following from the books (and from other places):
N4 and N5 are used on international circuits, otherwise R2 is used. Well, I
know that "Crosspoint" uses R2, but I'm not sure that the stupid A-29 (SxS
type) uses the R2 signaling system. Also, I have read in a tech book that
(!) R2 is an in-band signaling system. But we all know that this is not true,
because the blow-off frequency for R2 is 3825Hz.
The major multiplexing is FDM with 4KHz channels. So if you whistle a 3825Hz
tone in the microphone, when speaking on LD, the other end will hear that.
So we try to blue box with programs. If that succeeds, we will announce that :)
But I think there are line and rejector filters at the end of our trunks
and the signal must be clear (a straight sinusoid). A telco employee said
to me he had heard about a 2100Hz signal, but he wasn't sure :( Can anyone help?
Our beloved Telco
~~~~~~~~~~~~~~~~~
So here, the BTC (Bulgarian Telecommunication Company) has always been
monopolistic. Also they are now trying to occupy and take under full control
all ISPs in Bulgaria. The local calls are not free and our taxes are the
highest in Europe. Our average salary is 100$ and we pay 0.04$ for each tax
unit. There are also permanent taxes and other things and for comparison if
you have 200 units you'll pay 10$. That's 12% of the average salary in the
country!!! Also if you dial from Canada to Bulgaria that'll cost you 0.8$ per
minute, BUT IF YOU CALL Canada from Bulgaria (btw we can't dial North America
directly without operator assistance) that'll cost you 2.3$ per minute
he-he-he :)
So this year our Telco is going to go private. There were 3 candidates to
buy 51% of the Telco's shares - Deutsche Telekom/Turkey firm, Telefonica and
the Holland/Greece telcos. The price was 500 000 000$. But Telefonica and DT
gave up at the last moment. Maybe you can guess why? Nobody wants to throw his
money at a Telco that uses 98% SxS switches, where a big part of the people
(70%) are poor and don't make many calls (under 100 units), in a country where
you don't know what will happen tomorrow, etc...
So, as I've read about Argentina's telco, I can say: the situation is
almost the same. But here there is ONLY ONE company which controls everything -
all the phones, pagers, a big part of the GSM network, all public phones, runs
the only X.25 datapac network - BULPAC, they are also an ISP... Total monopoly!
The Laws
~~~~~~~~
Ha-ha-ha? What laws? Against phreaking? There is no way :) Also nobody
in Bulgaria understands what {the fuck} the term 'phreaking' means. And not
just the ordinary people. If you are in the IRC channel #bulgaria and ask:
"Hey, what does phreaking mean?", I'm sure that nobody will know.
Up to now, I haven't heard of anyone getting busted for phreaking. Our telco
(and all of their employees) think the system is unbreakable! But they also
have a law about devices that are illegally hooked to the phone line. The
first time you'll be warned 'bout that, and the second time you'll be
disconnected. But you pay the tax for a new phone (100$) and congratulations -
you already have a phone :)
So, our legislation doesn't contain anything about hacking, cracking, phreaking
and all kinds of electronic fraud. In Bulgaria there is no such term as
'illegal software' or 'illegal access to someone's computer'.
The PayphoneZ
~~~~~~~~~~~~~
There is no good word to say about our shitty motherfucking Telco, even for
payphones. You think you can do red boxing in Bulgaria. Forget it! Our
payphones are COCOT and are used only for local calls! They are huge metal
boxes :) fully mechanical, no fine electronics! You can see inside a capacitor
like a hand bomb! The payphones worked with coins, but there were so many
idiots who took their coins out of the payphones with a thread (string). So
our beloved Telco got mad about this and they replaced the coins with
special phone-coins made by them, with borders which make them impossible to
take out ;). As I have said, the payphones are COCOT - you take the handset,
hear a dialtone, dial a number (pulse, with a dialing disk!!!), the called
person answers... and then the polarity is reversed. A relay inside the phone
notices that and after 3 seconds cuts off the mouthpiece... and the earpiece.
Then the hole for the money gets opened and the coin falls inside. There is
no such thing as a coin return.
There is a trick to make free calls (local) on these phones. If you press
the hook, when the polarity is reversed, there is no current on the line in
that moment, and because there is no current in that moment, the relay
wouldn't be noticed for the answer, and it wouldn't cut the mouth- and
earpiece.
Another trick is to unlock the phone and fill your pockets with coins :)
The lock picking on these is quite easy...
There were also payphones for international and LD calls operating with
money, but 10 years ago a big inflation began and these phones died.
Now you would have to put in a lot of coins (2-5kg) to make a 3 min
international call.
So 5-6 years ago our telco installed two types of card-phones: BetCom and
Bulfon. BetCom is a British-Bulgarian company (GPT&BTC) and their card phones
are magnetic strip style. The security of these cards was too weak so a few
people began to make free phone calls. After 3 years of losing a lot of money
from these frauds, BetCom installed new phones and changed the cards to
electronic ones, but there are still many old phones :) You just copy the
magnetic strip of the card and here it is...
The Bulfon phones are much more intelligent. They are the same as those in
Argentina and Germany. The test signal is 16KHz, with a nice LCD display, they
have buttons for several languages, for replacing exhausted cards, for signal
amplification and other options. I forgot to say that both cardphones use
pulse dialing. They usually don't have a number to dial the cardphone, but for
a short time the phones in the capital have already had a number... and MF
dialing.
There was a very popular trick on Bulfon cardphones with 2 cards - a full one
and an empty one (but at least with 1 unit). You quickly push and pull the full
card into the slot and the display begins to flash. After that you do this
again and put in the empty card. The phone remembers the units from the first
card and you talk for free. A large number of people became familiar with this
and they began to use it with and without need. And since our telco is mad
about every lost penny, this feature bombed out. Also I have heard that a
few people recharge cards and make unlimited ones (a PIC emulator), but since
I'm not a cardphreaker, I don't know much about it. But I know that the
Bulfon exchange is very sophisticated and it's very hard to fool it. For
example, you can't dial more than 400 units with the same card from one
cardphone. And one more funny feature - every night, a built-in modem in the
cardphone establishes a connection with the Bulfon exchange and transfers info.
Info such as - how many units are used, the card's serial number and much more
(such as frauds).
If you, for example, steal a few cards from the post office, the exchange
sends to all the phones that cards with a number 444 xxx xxx ... are invalid.
Ahh... I forgot, the public phone cables don't go through PVC or metal
pipes. But... on Bulfon (and I think on BetCom too) phones you can't just cut
the wire and hook up with a handset, because as you know the line device can't
find the phone - when you pick up the handset on a Bulfon, the exchange sends a
16KHz test signal and the phone must answer with the same signal. The CPU of
these is a 68HC11 (Motorola).
btw we have a GSM network since 1995. Also we have a pager network.
Phreaking methods
~~~~~~~~~~~~~~~~~
As I have said, there aren't phreak-wise people in Bulgaria (but almost
everyone is interested in hacking). A lot of falsely accused 'phreaks' do
pitting - hooking with a handset to a pair of wires or the outside connection
box.
Phreak methods used by me are:
- forced 3way calling = some type of abuse of the structure of the connector.
So, in my town the NPA is X-YY-ZZ. So let's imagine that someone called
4-33-28. I begin to dial 4-33 and when I hit the right pause after the 3rd
it puts me into their conversation.
- free calling from local payphones = already talked 'bout that.
- free calling on local and short haul calls - by dialing a chain of
prefixes (such as in UK). I dial the prefix (NPA) of the town X, and after that
dial the prefix for another place and then the number. But not every
exchange allows you to do that. Your exchange waits for a signal from exchange
X that the called party has answered, but X waits for that too... But the
connection is terrible... and after 3 minutes without taxing on the trunk
your Telco cuts the connection ;(
Also I think that black and blue boxing is still possible, but I didn't test
it entirely.
There are also "hidden" long distance numbers and prefixes, which are very
useful in some cases (I also found 3-4 of them), but nobody tries to find
them :(
There aren't free numbers in Bulgaria, except those for police, fire alarm,
hospital and the telco number for failure complaints, but they are ONLY FOR
LOCAL DIALING! I also discovered a method to call these as trunk-calls, BUT...
but our phone system is made so that if on a trunk-call there isn't a tax
signal coming after 3 minutes, the call is terminated.
Some people with knowledge of electronics also make "free calls" through
their neighbor's lines, but BTC is familiar with those methods and it always
checks the line (plus those of the neighbors) when a subscriber makes a
complaint about a big bill.
In Bulgaria there are NO PBX-es, Voice Mail Systems, WATS numbers, Call
forwarding, Call waiting, DTMF requesting, Speed dialing and other.
About PBX - some of our factories have PBX-es, but I am still learning how to
use/abuse them.
In almost every town with more than 10 000 subscribers we have a conference
phone, which can be dialed only locally (errrr... not quite true ;)) for 1
tax unit per 3/5/10/30 minutes. But the stupid people don't know that and
in many towns (such as mine) this phone is *forever* free.
I also have heard about people who emulate the GSM SIM card to make free
calls.
PHREAK'EM ALL!!!
0x05>------------------------------------------------------------------------
----[ PDM
Phrack Doughnut Movie (PDM) last issue was `Dark City`.
PDM54 recipients:
I forget. I think Adam Shostack was definitely one. It's been a while
though.
PDM55 Challenge:
"Beware my wrath."
0x06>------------------------------------------------------------------------
----[ Super Elite People That REad Phrack (SEPTREP)
New additions:
Why they are SEP:
----[ Current List
W. Richard Stevens
Ron Rivest
-----------------------------------------------------------------------------
----[ EOF