Phrack 55 Linenoise


-------[  Phrack Magazine --- Vol. 9 | Issue 55 --- 09.09.99 --- 03 of 19  ]


-------------------------[  P H R A C K     5 5     L I N E N O I S E  ]


--------[  Various  ]


0x01>------------------------------------------------------------------------

               SecurPBX using SecurID
                         by pbxphreak <chris@lod.com>


                             .---------------.
                             |      | 037592 |
                             |      `--------'
                             |  SecureID     |
                             `---------------'


SecurID Token:
-------------

The SecurID token provides an easy, one step process to positively identify
network and system users and prevent unauthorized access. Used in conjunction
with Security Dynamics Server software, the SecurID token generates a new
unpredictable access code every 60 seconds. SecurID technology offers
crackproof security for a wide range of platforms in one easy-to-use package.

Highlights:
----------

 - Easy, one-step process for positive user authentication
 - Prevents unauthorized access to information resources
 - Authenticates users at network, system, application or transaction level
 - Generates unpredictable, one-time-only access codes that automatically
   change every 60 seconds
 - No token reader required; can be used from any PC, laptop or workstation;
   ideal for remote access and Virtual Private Networks
 - Works seamlessly with ACE/Agent for secure Web access
 - Tamperproof


The Solution:
------------

For a sophisticated hacker or a determined insider, it doesn't take much to
compromise a user's password and gain access to confidential resources. And
when an unauthorized user enters a supposedly secure system, all privilege
definition and audit trail functions become virtually meaningless... in
essence, the damage is done. Single-factor identification, a reusable
password, is not enough.

To identify and authenticate an authorized system user, two factors are
necessary. Factor one is something secret only the user knows: a memorized
personal identification number (PIN) or password. The second factor is
something unique the user possesses: the SecurID token.

Carried by authorized system users, SecurID tokens, available in three models,
generate unique, one-time, unpredictable access codes every 60 seconds. To
gain access to a protected resource, a user simply enters his or her secret
PIN, followed by the current code displayed on the SecurID token.
Authentication is assured when the ACM recognizes the token's unique code in
combination with the user's unique PIN. Patented technology synchronizes each
token with a hardware or software ACM. The ACM may reside at a host, operating
system, network/client resource or communications device, virtually any
information resource that needs security.

This simple, one-step login results in crackproof computer security that is
easy to use and administer. The tokens require no card readers or
time-consuming challenge/response procedures. With SecurID tokens, reusable
passwords can no longer be compromised. Most importantly, access control
remains in the hands of management.


SECURID PINPAD:
--------------

An added level of security can be implemented with a SecurID PINPAD token.
The PINPAD token enables users accessing the network to login with an
encrypted combination of the PIN and SecurID token code. Using the keypad on
the face of the PINPAD token, a user enters his or her secret PIN directly
into the token, which generates an encrypted passcode. This additional level
of security is especially appropriate for users in application environments
who are concerned that a secret PIN might be compromised through electronic
eavesdropping.
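The PIN-plus-token-code login described under "The Solution", and the PINPAD variant above in which the PIN is typed into the token rather than sent along with the code, as an added example that is not Security Dynamics' code: the real SecurID algorithm is proprietary, so an HMAC-SHA256 over the 60-second time slot stands in for it (an assumption), and the user names, seed and clock values are constructed.

```python
import hashlib
import hmac
import struct
import time
from typing import Dict, List, Optional, Tuple

SLOT_SECONDS = 60   # a new code every 60 seconds, as the text states
CODE_DIGITS = 6     # six-digit display, as in the token drawing


def token_code(key: bytes, unix_time: int) -> str:
    """Code the token displays during the 60-second slot containing unix_time.

    Assumption: HMAC-SHA256 over the slot number stands in for the
    proprietary SecurID algorithm; the server-side checks are the point."""
    slot = unix_time // SLOT_SECONDS
    mac = hmac.new(key, struct.pack(">Q", slot), hashlib.sha256).digest()
    return f"{int.from_bytes(mac[:4], 'big') % 10**CODE_DIGITS:0{CODE_DIGITS}d}"


def pinpad_key(seed: bytes, pin: str) -> bytes:
    """PINPAD model (assumption): the PIN typed into the token is bound into
    the key, so only the derived passcode, never the PIN, crosses the wire."""
    return hmac.new(seed, pin.encode(), hashlib.sha256).digest()


class AccessControlModule:
    """The 'ACM' of the text: per-user PIN hash and token key, a small clock
    drift window, and refusal of any time slot already used (replay)."""

    def __init__(self, drift_slots: int = 1) -> None:
        self.drift_slots = drift_slots
        self.users: Dict[str, Tuple[Optional[bytes], bytes, bool]] = {}
        self.last_slot: Dict[str, int] = {}      # highest slot accepted per user
        self.log: List[Tuple[str, str]] = []     # (user, outcome) audit trail

    @staticmethod
    def _pin_hash(user: str, pin: str) -> bytes:
        salt = b"acm-salt:" + user.encode()     # per-user salt, constructed
        return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, 20_000)

    def enroll(self, user: str, pin: str, seed: bytes, pinpad: bool = False) -> None:
        if pinpad:
            # Token and ACM share the PIN-bound key; the PIN itself is not stored.
            self.users[user] = (None, pinpad_key(seed, pin), True)
        else:
            self.users[user] = (self._pin_hash(user, pin), seed, False)

    def _outcome(self, user: str, outcome: str) -> bool:
        self.log.append((user, outcome))
        return outcome == "ok"

    def authenticate(self, user: str, passcode: str, now: Optional[int] = None) -> bool:
        """Verify PIN followed by token code (plain token) or the PINPAD passcode."""
        now = int(time.time()) if now is None else now
        record = self.users.get(user)
        if record is None:
            return self._outcome(user, "unknown user")
        pin_hash, key, pinpad = record
        if pinpad:
            code = passcode
        else:
            pin, code = passcode[:-CODE_DIGITS], passcode[-CODE_DIGITS:]
            if not hmac.compare_digest(pin_hash, self._pin_hash(user, pin)):
                return self._outcome(user, "bad pin")
        # Accept the current slot or a neighbour, so a slightly drifted token
        # still works, but never a slot at or before the last one accepted.
        slot = now // SLOT_SECONDS
        for candidate in range(slot - self.drift_slots, slot + self.drift_slots + 1):
            expected = token_code(key, candidate * SLOT_SECONDS).encode()
            if hmac.compare_digest(expected, code.encode()):
                if candidate <= self.last_slot.get(user, -1):
                    return self._outcome(user, "replayed code")
                self.last_slot[user] = candidate
                return self._outcome(user, "ok")
        return self._outcome(user, "bad code")
```

The drift window and the per-user last-accepted slot are the two server-side checks that make a time-synchronised code genuinely one-time; without the second, a code captured during its 60-second lifetime could be resubmitted.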

SecurID tokens are ideal for any environment. The original SecurID token
conveniently fits into a wallet like a credit card. The SecurID key fob
offers a new dimension in convenience to those customers requiring high
levels of security in multiple environments, along with compact size and
durability. In addition to providing the same reliable performance in
generating random access codes as the original SecurID token, the SecurID key
fob comes in a small, lightweight format.

                               SecurPBX
                               --------

Ok. Plain and simple. SecurPBX is a product to protect PBX systems worldwide
and automated Help Desk functions.

SecurPBX provides remote access security for telephone lines, modem pools,
voicemail ports, internet access lines, and the maintenance port on PBX
systems. Used in conjunction with Security Dynamics SecurID, SecurPBX
protects valuable PBX resources from remote access by unauthorized callers
without compromising the conveniences of remote telephone and data access
for teleworking or traveling employees.

Callers dial specific numbers on the PBX for long distance services. As an
adjunct to the PBX and a client to the server, SecurPBX receives the
caller's request for resources. Functioning as a client, SecurPBX requires
remote callers to provide SecurID user authentication and an authorized
destination telephone number before being transferred to the desired resource.
SecurPBX transmits the credentials to the server for authentication
and simultaneously validates the telephone number against user-specific
permissions and denials. SecurPBX integrates with the PBX to process the
call based on the validity of the caller via SecurID and the destination
number attempted.


                                     .----------.      |
                                     |  SERVER  |---- -x- <-- Security
                                     `----------'      |
                                          |            |
                                          |           _-_
.--------------.                          |
|     | 037592 |        ,-----.
|     `--------'  ----- | PBX | -----  .-----------.
| SecureID     |        `-----'        | SecurePBX |
`--------------'                       |  Switch   |
                           |           `-----------'
                           |
                            --------------- Users

Each SecurID card is a visually readable credit card sized token or key which
is programmed with Security Dynamics' powerful algorithm. Each card
automatically generates an unpredictable, one time access code every 60
seconds. The token is convenient to carry and simple to use and is resistant
to being counterfeited or reverse engineered.

SecurPBX extends the secure working environment of an organization to remote
locations. SecurPBX applies user specific calling restrictions before any
call is completed to prevent unauthorized toll charges and misuse of PBX
resources. The time of day, volume of calls per user, destination telephone
numbers (restricted by NPA and NXX) and customizable classes of service add
a vital layer to access security without compromising the convenience of
having remote access to telephone resources. SecurPBX logs all successful
and unsuccessful attempts, including the destination telephone number.
Caller ID/ANI, if available, also provides the origination telephone number,
pinpointing the location of the caller.

Highlights of SecurPBX:
----------------------

 - Compatible with all major PBX vendor types.
 - Cost effective remote access security for PBX resources.
 - Prevents unauthorized access to valuable voice and data resources.
 - Secures remote long distance and provides an alternative method for
   replacing calling cards.
 - Works in conjunction with each user's SecurID card.
 - Centralized network authentication and security administration.
 - Easy to use, voice prompting available in multiple languages.
 - Audit trails and reporting assure true caller accountability.
 - Caller ID/ANI option provides the originating telephone number, identifying
   hacker locations.

SecurPBX operates in a Microsoft Windows NT environment. Callers and data users
achieve seamless access to PBX resources with validation data gathered as
efficiently as using a calling card and/or attempting a standard logon
procedure. In many cases, SecurPBX can be a calling card replacement and
may also be used with cellular phones to combat calling card fraud.
Fraudulent or suspect callers are denied access before toll charges and
resource damage occur.

Typically, securing a PBX from unauthorized remote access has required
disabling remote access to the PBX. Using dynamic, two factor authentication
through the server and validation of the destination numbers dialed, SecurPBX
systematically locks out unauthorized callers, preventing toll, voicemail,
and data fraud. This provides a secure access point for teleworking
resources.

SecurPBX unique voice identification:
-------------------------------------

SecurPBX is a unique identification solution providing secure remote
access to all major PBX or Centrex telephone systems. Protected resources
include:

  - Long distance lines and trunks
  - Voice mail access lines
  - Call centers
  - Interactive voice response systems and audio response units

Access is controlled through positive identification of callers by their
unique, individual voice prints. SecurPBX uses SpeakEZ voice print speaker
verification service technology to efficiently allow access to authorized
callers while eliminating access by unauthorized callers. The SpeakEZ
voice print system is recognized as the best in the voice verification
industry today.

Significant investments in telephone resources simply cannot be protected
by traditional static passwords or PINs. When making a telephone call from
any telephone using your calling card number, the one condition verifiable
as certain by the PBX or phone company is that someone is making a call with
a known authorization code; however, it could be anyone. Casual calling by
unauthorized personnel, recognized as a major misuse of corporate telephone
resources, must be controlled if not eliminated. SecurPBX provides that
capability to your organization.

SecurPBX provides reliable, independent two factor user identification and
authentication. Factor one is something the user knows: a memorized personal
identification number or password. The second factor is something unique
the user possesses: his/her own voice print. Each caller is required
merely to speak his/her chosen password, which is compared to a stored voice
print. The password can be in any language or dialect.

SecurPBX extends the unique user authentication provided by SpeakEZ voice
print to include user specific calling restrictions. Time of day, volume of
calls per user, destination telephone numbers which are restricted to NPA
and customizable classes of service add important layers of access security
without compromising the convenience of remote access to telephone resources.


Highlights:
----------

 - Compatible with all major PBX vendor-types and Centrex
 - Cost effective remote access security for PBX resources
 - Prevents unauthorized access to valuable voice resources
 - Secures remote long distance
 - Non-intrusive security, callers are validated by their own voice prints
 - Language independent passwords
 - Centralized authentication and security administration
 - Easy to use, voice prompting available in multiple languages
 - Audit trails and reporting assure true caller accountability
 - Multiple voice prints available per user

Remote Access Security Solution:
-------------------------------

Optionally, after authentication, SecurPBX administrators can manage user
permissions and denials from either the same SecurPBX workstation or from
another workstation connected via a LAN or remotely by modem, in a Windows
friendly environment.

Long distance callers achieve seamless access to PBX outbound trunks with
validation criteria gathered as efficiently as a calling card and as easily
as talking to a telephone attendant. Fraudulent or suspect callers are denied
access before any damaging toll charges can occur.

SecurPBX logs all calls, successful and unsuccessful, including the date and
time, user ID, and destination telephone number. Depending on the PBX type,
Calling Line Identification ANI may be used as part of the validation process
and in those cases, will also be logged. Log information can be exported to an
external spreadsheet application or displayed in reports generated by the
SecurPBX Administrator.
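A policy and audit model for the user-specific calling restrictions described in the SecurPBX section above (destinations restricted by NPA/NXX, time of day, calls per user, customizable classes of service) together with the call log and spreadsheet export described here, as an added example that is not SecurPBX's own code; the class-of-service names, prefixes, timestamps and call records are constructed.

```python
import csv
import io
from dataclasses import dataclass
from datetime import date, datetime
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class ClassOfService:
    """A customizable class of service: destinations restricted by NPA or
    NPA+NXX digit prefix, a permitted time-of-day window, and a cap on calls
    per user per day."""
    name: str
    allow_prefixes: Tuple[str, ...]   # "NPA" (3 digits) or "NPANXX" (6 digits)
    deny_prefixes: Tuple[str, ...]    # checked before the allow list
    hours: Tuple[int, int]            # (first_hour, last_hour_exclusive), local
    max_calls_per_day: int


@dataclass(frozen=True)
class CallRequest:
    user: str            # identity already established by the SecurID step
    destination: str     # number as dialled; a NANP 10-digit number is expected
    when: datetime
    ani: Optional[str]   # Caller ID / ANI when the PBX delivers it, else None


def request(user: str, destination: str, when: str, ani: Optional[str] = None) -> CallRequest:
    """Convenience constructor taking an ISO-8601 timestamp string."""
    return CallRequest(user, destination, datetime.fromisoformat(when), ani)


AUDIT_FIELDS = ["timestamp", "user", "destination", "ani", "result", "reason"]


class SecurPbxPolicy:
    """Applies a user's class of service to a call request after
    authentication and records every attempt, successful or not."""

    def __init__(self) -> None:
        self.assignments: Dict[str, ClassOfService] = {}
        self.audit: List[Dict[str, str]] = []
        self.completed: Dict[Tuple[str, date], int] = {}   # (user, day) -> calls

    def assign(self, user: str, cos: ClassOfService) -> None:
        self.assignments[user] = cos

    def evaluate(self, req: CallRequest) -> Tuple[bool, str]:
        """Decide the call and append the audit row; returns (allowed, reason)."""
        allowed, reason = self._decide(req)
        if allowed:
            key = (req.user, req.when.date())
            self.completed[key] = self.completed.get(key, 0) + 1
        self.audit.append({
            "timestamp": req.when.isoformat(timespec="seconds"),
            "user": req.user,
            "destination": req.destination,
            "ani": req.ani or "",
            "result": "ALLOW" if allowed else "DENY",
            "reason": reason,
        })
        return allowed, reason

    def _decide(self, req: CallRequest) -> Tuple[bool, str]:
        cos = self.assignments.get(req.user)
        if cos is None:
            return False, "no class of service for user"
        digits = "".join(ch for ch in req.destination if ch.isdigit())
        # NANP sanity check: ten digits, NPA and NXX each starting with 2-9
        if len(digits) != 10 or digits[0] not in "23456789" or digits[3] not in "23456789":
            return False, "destination is not a valid NPA-NXX-XXXX number"
        if any(digits.startswith(p) for p in cos.deny_prefixes):
            return False, "destination prefix denied"
        if not any(digits.startswith(p) for p in cos.allow_prefixes):
            return False, "destination prefix not in allow list"
        first, last = cos.hours
        if not first <= req.when.hour < last:
            return False, "outside permitted hours"
        used = self.completed.get((req.user, req.when.date()), 0)
        if used >= cos.max_calls_per_day:
            return False, "daily call volume exceeded"
        return True, "ok"

    def export_csv(self) -> str:
        """The audit trail as CSV, the form a spreadsheet application imports."""
        buf = io.StringIO()
        writer = csv.DictWriter(buf, fieldnames=AUDIT_FIELDS, lineterminator="\n")
        writer.writeheader()
        writer.writerows(self.audit)
        return buf.getvalue()
```

Denied attempts are logged with the same fields as completed calls, so the destination and ANI of a failed attempt are available for review exactly as the text describes.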

SpeakEZ Voice Print:
-------------------

SpeakEZ Voice Print Speaker Verification is a highly effective method of
confirming a caller's identity. The service is based on the fact that each
person's voice is uniquely different, and, as a means of identification, is
highly reliable. Speaker Verification is an application of the SpeakEZ Voice
Print technology which compares a digitized sample of a person's voice with
a stored model "voice print" of that individual's voice for verification.

 - Authenticates the caller as opposed to information (i.e. PIN) or a piece
   of equipment.
 - Easy to use, language independent
 - Safe: a voice print cannot be lost or stolen
 - Cost-effective: does not require special hardware for the caller
 - Virtually fraud-proof: a voice is difficult to forge

Applications of SecurPBX:
------------------------

 - Secure Telecommuting (all valuable PBX resources)
 - Call center user authentication
 - Securing Interactive Voice Response (IVR) and Audio Response Units (ARUs)
 - Help Yourself suite of products for help desk automation (ASAP(TM) -
   ACE/Server Administration Program - PIN reset, SecurNT - Windows NT
   password reset, E-Help Desk - Entrust/PKI(TM) profile recovery)

Technical Requirements:
----------------------

Telephony platforms :  All major PBXs including Nortel, AT&T, Rolm and Mitel

Processor           :  100% IBM compatible PC, Pentium 133 minimum

Disk requirement    :  Hard disk 1 gigabyte minimum, 32MB RAM for Switch
                       Interface, Client software, 8 MB for Administrator
                       software, actual storage based on size of user
                       population

Capacity            :  An unlimited number of users may be administered and
                       issued SecurID Cards. 32 simultaneous voice channels
                       per Switch Interface

Configuration       :  Multiples of 4, 12 and 24 line telephone interfaces

Management          :  SecurPBX Administrator includes extensive
                       administrative menus in user-friendly Windows 3.1 and
                       95 environment, real time monitoring and management of
                       multiple PBX sites

Conclusion:
----------

SecurPBX is definitely the way to go to prevent your data and PBX systems
from getting hacked and abused.

0x02>------------------------------------------------------------------------
<++> P55/Linenoise/ckludge.c !2231f4cc
/*                                                                          */
/* CKludge.C (Amiga)                                                        */
/*                                                                          */
/* If you are a PC user you can port this C source easily.                  */
/*                                                                          */
/* You might even want to use it to fix your fucking millennium bug...      */
/*                                                                          */
/* Ha! Ha! Ha! 2000 is nigh.                                                */
/*                                                                          */
/* Clock Kludge 1.0 by `The Warlock'                                        */
/*                                                                          */
/* This little patch will freeze your clock - useful if you wish to bypass  */
/* time restrictions imposed by many programs...                            */
/*                                                                          */
/* It works by patching the level 3 IRQ vector, vertical blank, to hold the */
/* complex interface adapter internal time of day clock registers to zero.  */
/* ($bfe801 = TOD lo, $bfe901 = TOD mid, $bfea01 = TOD hi)                  */
/*                                                                          */
/* Should work on all Amiga models.                                         */
/*                                                                          */
/* Handles relocated vector base correctly.                                 */
/*                                                                          */
/* Compiling info: lc2 -v (disable stack checking so no need to use le.lib) */
/*                                                                          */

#include <stdio.h>
#include <stdlib.h>
#include "exec/types.h"
#include "exec/memory.h"
#include "exec/interrupts.h"
#include "hardware/custom.h"
#include "hardware/intbits.h"
#include "proto/exec.h"      /* prototypes for AllocMem(), AddIntServer() etc. */

struct Interrupt *VertBIntr;
long count;

int main(void)
{
  extern void VertBServer();  /* the assembler routine listed below */

  /* allocate an Interrupt node structure */

  VertBIntr = (struct Interrupt *)
    AllocMem(sizeof(struct Interrupt), MEMF_PUBLIC);

  if (VertBIntr == 0) {
    printf("not enough memory for interrupt server\n");
    exit(100);
  }

  /* initialize the Interrupt node */

  VertBIntr->is_Node.ln_Type = NT_INTERRUPT;
  VertBIntr->is_Node.ln_Pri  = -60;
  VertBIntr->is_Node.ln_Name = "Clock Kludge";
  VertBIntr->is_Data = (APTR)&count;
  VertBIntr->is_Code = VertBServer;

  /* put the new interrupt server into action */

  AddIntServer(INTB_VERTB, VertBIntr);

  /* wait for user to type 'q' */

  printf("Type q to quit...\n");
  while (getchar() != 'q');

  /* remove interrupt server */

  RemIntServer(INTB_VERTB, VertBIntr);

  /* free memory */

  FreeMem(VertBIntr, sizeof(struct Interrupt));

  return 0;
}

/* the VertBServer might look like this */

XDEF _VertBServer

_VertBServer:

  clr.b $bfe801  ; clear TOD lo
  clr.b $bfe901  ; clear TOD mid
  clr.b $bfea01  ; clear TOD high

  move.l a1,a0   ; get address of count
  addq.l #1,(a0) ; increment value of count
  moveq #0,d0    ; continue to process other vb-servers
  rts            ; must be rts NOT rte

  end            ; eof
<-->
0x03>------------------------------------------------------------------------
<++> P55/Linenoise/IPChange.asm !85660240
*--------------------------------------*
*
* IPChange.Asm (DevPac) by `The Warlock'
*
* Nowadays almost all ISPs allocate dynamic IP addresses, meaning your IP
* address will change for each connection you make.
*
* On a shitbox PC, a reset causes the CD signal on the serial port to go low,
* meaning that the connection is lost and you must initiate another.
*
* On an Amiga, a reset does not pull the CD signal low, meaning that
* reconnection is possible.
*
* When you reconnect, your ISP allocates another dynamic IP address, so in
* effect, you have changed your IP address without starting a new connection!
*
* Create a batch file called ipchange.bat as follows:
*
* echo > s:reconnect
* wait 5
* cpu nofastrom > nil:
* ipchange
*
* Make the following additions to your startup-sequence:
*
* if exists s:reconnect
* delete s:reconnect > nil:
* execute <your internet startup script>
* else
* endif
*
* Now, whenever called, ipchange.bat will reset, and automatically load your
* internet software for quick reconnection.
*
*--------------------------------------*

                opt     c+,d-                   case sensitive no debug

                section ,code                   code section

*--------------------------------------*

START           bra.s   MAIN                    call main

*--------------------------------------*

ID              dc.b    "$VER:IPChange V1.0 by `The Warlock!",0

*--------------------------------------*

                cnop    0,4                     32 bit alignment

MAIN            move.l  4.w,a6                  exec base a6
                jsr     -$84(a6)                call forbid()

                move.l  4.w,a6                  exec base a6
                jsr     -$78(a6)                call disable()

                lea     RESET(pc),a5            supervisor code a5
                move.l  4.w,a6                  exec base a6
                jsr     -$1e(a6)                call supervisor()

*--------------------------------------*

                cnop    0,4                     32 bit alignment

RESET           lea     2,a0                    kickstart rom jump vector
                reset                           kickstart rom remapped
                jmp     (a0)                    kickstart rom restarted

*--------------------------------------*

                end                             eof

*--------------------------------------*
<-->
0x04>------------------------------------------------------------------------

                    THE BULGARIAN PHREAK SCENE
                    ^^^^^^^^^^^^^^^^^^^^^^^^^^

                     by TOKATA (firestarter)...


  What to say about the Bulgarian phreak scene - is there really one?
  ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Hmmm... it's bad news - in Bulgaria there aren't any phreak-wise people at
all... But almost every second fucked bastard who has a computer is interested
in hacking. Bastards who don't know any programming language; their hard
drives are full of games, MP3s and porno JPG files; they hang on the Internet
and download hacking programs. They use them (or ask someone to show them how
to work with them) and imagine they are superhackers. So Bulgaria is full of
motherfucking lamers.
We have an electronic underground magazine named "Phreedom Magazine", but
hacking is the main theme. No phreak articles, because there aren't any
phreak authors. So, read...


  Bulgarian phone system - the best phone system in the world!  :)))
  ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
  Hmmm... how to begin... err... So, 98% of our local tandem exchanges are
SxS A-29 type (made by Siemens). A typical SxS exchange - no computerization,
Strowger switches, sleeve. The impedance is 600 ohms, the battery at off-hook
is 60V, at on-hook 10V. The resistance range is within 0-1600 ohms, the
current within 15-100mA, but usually 40-60mA.
  A mini Bulgarian crossbar system (KRS-200) is used in some small villages
(up to 200 subscribers). As the transit national exchange, "Crosspoint" (made
by Siemens too), aka ESK-1000, is used. The Crosspoint's switch is an ESK
relay. ESK stands for Edelmetall-Schnell-Kontakt in German. "Crosspoint" is
also used as a local tandem in some of the big cities.
  In Sofia (our capital) a transit international exchange, MT-20 (by THOMSON,
France), is located. Also, a year ago our Telco began to install real digital
switching systems there. But the tax for these is terrible and their
subscribers are companies, offices and some bastards with a lot of money...
and most of the capital's ISPs ;)
  The cables are quite old, there is a lot of background noise in the handset,
the modem connections are terrible - with a 14.4K modem the average speed is
1000bps, and it drops you every 3 minutes. After rain there is no subscriber
with a normal connection.
  So number detection here is too hard. Here ONLY the calling party can
drop the connection. So if you want to catch someone, you make a complaint to
the telco. They put on your linefinder a device named 'dog'. That 'dog'
acts on the switch contacts, so you can hold the connection. After that,
you call the Telco from the neighbors and they trace the called party number
by the wires. But 'the dog' doesn't work for long distance conversations. Also
we have ANI equipment, named 'AMUR' or 'SKAT', specially designed for SxS
switches, but in the villages and very small towns there isn't any ANI. So
with ANI the Telco can catch you, but they don't use it for normal cases, I
think you know 'why' ;))) But if you make a call from a different area the
Telco can't catch you even with the help of ANI :) But nobody knows that :(
All the people think: "The Telco ALWAYS CAN DETECT your number! There is no
chance to mislead them". Blah, what idiots. Btw I'm trying to test forced
ANIF here, so I hope to get it working. In my town (47 000 citizens) we
have ANI equipment, but all the Telco employees say it's used only for
subscriber info. The billing information here is still collected with the
help of photographs. No operator comes on my line when I flash the switchhook.

  Signaling
  ~~~~~~~~~~
I devoted 2 years to learning the signaling methods in Bulgaria, but:
1. There aren't good tech books about signaling. In some books it is
   mentioned quite cursorily. 70% or more of what I know about signaling I
   have learned from several Phrack articles.
2. Nobody from the local Telco in my town knows anything about this. I talked
   with a few highly educated employees, but they knew less than me :(

Well, I have learned the following from the books (and from other places):
N4 and N5 are used on international circuits, otherwise R2 is used. Well, I
know that "Crosspoint" uses R2, but I'm not sure that the stupid A-29 (SxS
type) uses the R2 signaling system. Also, I have read in a tech book that
(!) R2 is an in-band signaling system. But we all know that this is not true,
because the blow-off frequency for R2 is 3825Hz.
  The major multiplexing is FDM with 4KHz channels. So if you whistle a 3825Hz
tone into the microphone when speaking on LD, the other end will hear that.
So we are trying to blue box with programs. If that succeeds, we will announce
it :) But I think there are line and rejector filters at the end of our trunks
and the signal must be clean (a pure sinusoid). A telco employee said to me
he had heard about a 2100Hz signal, but he wasn't sure :( Can anyone help?

  Our beloved Telco
  ~~~~~~~~~~~~~~~~~
  So here the BTC (Bulgarian Telecommunication Company) was always
monopolistic. Also they are now trying to occupy and take under full control
all ISPs in Bulgaria. The local calls are not free and our taxes are the
highest in Europe. Our average salary is 100$ and we pay 0.04$ for each tax
unit. There are also permanent taxes and other things, and for comparison, if
you have 200 units you'll pay 10$. That's 12% of the average salary in the
country!!! Also if you dial from Canada to Bulgaria that'll cost you 0.8$ per
minute, BUT IF YOU CALL Canada from Bulgaria (btw we can't dial North America
direct without operator assistance) that'll cost you 2.3$ per minute
he-he-he :)
  So this year our Telco is going to go private. There were 3 candidates to
buy 51% of the Telco's shares - a Deutsche Telekom/Turkish firm, Telefonica
and the Holland/Greece telcos. The price was 500 000 000$. But Telefonica and
DT gave up at the last moment. Maybe you can guess why? Nobody wants to throw
his money at a Telco that uses 98% SxS switches, where a big part of the
people (70%) are poor and don't make many calls (under 100 units), in a
country where you don't know what will happen tomorrow, etc...
  So, as I've read about Argentina's telco, I can say: the situation is
almost the same. But here there is ONLY ONE company which controls
everything - all the phones, pagers, a big part of the GSM network, all
public phones, runs the only X.25 datapac network - BULPAC, they are also an
ISP... Total monopoly!

  The Laws
  ~~~~~~~~
  Ha-ha-ha? What laws? Against phreaking? There is no way :) Also nobody
in Bulgaria understands what {the fuck} the term 'phreaking' means. And not
just the ordinary people. If you are in the IRC channel #bulgaria and ask:
"Hey, what does phreaking mean?", I'm sure that nobody will know.
Up to now, I haven't heard about anyone getting busted for phreaking. Our
telco (and all of their employees) think the system is unbreakable! But they
also have a law about devices that are illegally hooked to the phone line. The
first time you'll be warned about that, and the second time you'll be
disconnected. But you pay the tax for a new phone (100$) and congratulations -
you already have a phone :)
 So, our legislation doesn't contain anything about hacking, cracking,
phreaking and all kinds of electronic fraud. In Bulgaria there is no term such
as 'illegal software' or 'illegal access to someone's computer'.

  The PayphoneZ
  ~~~~~~~~~~~~~
  There is no good word to say about our shitty motherfucking Telco, even for
payphones. You think you can do red boxing in Bulgaria? Forget it! Our
payphones are COCOTs and are used only for local calls! They are huge metal
boxes :) fully mechanical, no fine electronics! You can see inside a capacitor
like a hand grenade! The payphones worked with coins, but there were so many
idiots who took their coins out of the payphones with a thread (string). So
our beloved Telco became mad about this and they replaced the coins with
specially made phone-coins with borders, which made them impossible to take
out ;). As I have said, the payphones are COCOTs - you take the handset, hear
a dialtone, dial a number (pulse, with a rotary dial!!!), the called person
answers... and then the polarity is reversed. A relay inside the phone
notices that and after 3 seconds cuts off the mouthpiece... and the earpiece.
  Then the hole for the money gets opened and the coin falls inside. There is
no such thing as coin return.
  There is a trick to make free (local) calls on these phones. If you press
the hook when the polarity is reversed, there is no current on the line at
that moment, and because there is no current at that moment, the relay
wouldn't notice the answer, and it wouldn't cut the mouthpiece and earpiece.
  Another trick is to unlock the phone and fill your pockets with coins :)
Lock picking on these is quite easy...
  There were also payphones for international and LD calls operating with
money, but 10 years ago a big inflation began and these phones died.
Now you would have to put in a lot of coins (2-5kg) to make a 3 min
international call.
So 5-6 years ago our telco installed two types of card phones: BetCom and
Bulfon. BetCom is a British-Bulgarian company (GPT&BTC) and their card phones
are magnetic strip style. The security of these cards was too weak, so a few
people began to make free phone calls. After 3 years of losing a lot of money
from these frauds, BetCom installed new phones and changed the cards to
electronic ones, but there are still many old phones :) You just copy the
magnetic strip of the card and there it is...

The Bulfon phones are much more intelligent. They are the same as those in
Argentina and Germany. The test signal is 16KHz, with a nice LCD display; they
have buttons for several languages, for replacing exhausted cards, for signal
amplification and other options. I forgot to say that both card phones use
pulse dialing. They usually don't have a number to dial the cardphone, but for
a short time the phones in the capital have already had a number... and MF
dialing.

There was a very popular trick on Bulfon cardphones with 2 cards - a full one
and an empty one (but with at least 1 unit). You quickly push and pull the
full card in the slot and the display begins to flash. After that you do this
again and put in the empty card. The phone remembers the units from the first
card and you talk for free. A big number of people became familiar with this
and they began to use it with and without need. And since our telco is mad
about every lost penny, this feature bombed out. Also I have heard that a
few people recharge cards and make unlimited ones (a PIC emulator), but since
I'm not a cardphreaker, I don't know much about it. But I know that the
Bulfon exchange is very sophisticated and it's very hard to fool. For
example, you can't dial more than 400 units with the same card from one
cardphone. And yet one funny feature - every night, a built-in modem in the
cardphone establishes a connection with the Bulfon exchange and transfers
info. Info such as how many units are used, the cards' serial numbers and much
more (such as frauds).
If you, for example, steal a few cards from the post office, the exchange
sends to all the phones that cards with a number 444 xxx xxx ... are invalid.
 Ahh... I forgot, the public phone cables don't go through PVC or metal
pipes. But... on Bulfon (and I think also on BetCom) phones you can't just cut
the wire and hook up a handset, because as you know the line device can't
find the phone - when you pick up the handset on Bulfon, the exchange sends a
16KHz test signal and the phone must answer with the same signal. The CPU of
these is a 68HC11 (Motorola).

btw we have had a GSM network since 1995. Also we have a pager network.

Phreaking methods
~~~~~~~~~~~~~~~~~
As I have said, there aren't phreak-wise people in Bulgaria (but almost
everyone is interested in hacking). A lot of falsely accused 'phreaks' do
pitting - hooking up a handset to a pair of wires or the outside connection
box. Phreak methods used by me are:

-  forced 3-way calling = some type of abuse of the structure of the connector.
So, in my town the NPA is X-YY-ZZ. So let's imagine that someone called
4-33-28. I begin to dial 4-33 and when I hit the right pause after the 3rd,
it puts me into their conversation.

- free calling from local payphones = already talked about that.

- free calling on local and short-haul calls - by dialing a chain of
prefixes (such as in the UK). I dial the prefix (NPA) of town X, and after
that dial the prefix for another place and then the number. But not every
exchange allows you to do that. Your exchange waits for a signal from
exchange X that the called party has answered, but X waits for that too...
But the connection is terrible... and after 3 minutes without taxing on the
trunk your telco cuts the connection ;(

Also I think that black and blue boxing are still possible, but I didn't test
it entirely.

 There are also "hidden" long distance numbers and prefixes, which are very
useful in some cases (I also found 3-4 of them), but nobody tries to find
them :(
There aren't free numbers in Bulgaria, except those for police, fire alarm,
hospital and the telco number for failure complaints, but they are ONLY FOR
LOCAL DIALING! I also discovered a method to call these as trunk calls, BUT...
our phone system is made so that if on a trunk call there isn't a tax signal
coming after 3 minutes, the call is terminated.
   Some people with knowledge of electronics also make "free calls" through
their neighbor's lines, but BTC is familiar with those methods and it always
checks the line (plus those of the neighbors) when a subscriber makes a
complaint about a big bill.
 In Bulgaria there are NO PBXes, Voice Mail Systems, WATS numbers, Call
forwarding, Call waiting, DTMF requesting, Speed dialing and others.
 About PBX - some of our factories have PBXes, but I'm still learning how to
use/abuse them.

In almost every town with more than 10 000 subscribers we have a conference
phone, which can be dialed only locally (errrr... not quite true ;)) for 1
tax unit per 3/5/10/30 minutes. But the stupid people don't know that and
in many towns (such as mine) this phone is *forever* free.

 I also have heard about people who emulate the GSM SIM card to make free
calls.


PHREAK'EM ALL!!!


0x05>------------------------------------------------------------------------

----[  PDM

Phrack Doughnut Movie (PDM) last issue was `Dark City`.

PDM54 recipients:

    I forget.  I think Adam Shostack was definitely one.  It's been a while
    though.

PDM55 Challenge:

    "Beware my wrath."

0x06>------------------------------------------------------------------------

----[  Super Elite People That REad Phrack (SEPTREP)

New additions:


Why they are SEP:

----[  Current List

W. Richard Stevens
Ron Rivest

-----------------------------------------------------------------------------

----[  EOF
