==Phrack Inc.==
                  Volume Three, Issue Thirty-one, Phile #7 of 10
                              COMPANY CONFIDENTIAL
                               INTERIM MEMORANDUM

              SUBJECT:  TYMNET SUPPORT FOR CUSTOMER'S DATA SECURITY
       PURPOSE:  This document provides background, and general procedures
       and practices used to support customers with suspected security
       problems.  Field Sales is the intended audience but is a general
       document and may be useful to other customer support personnel.
       Currently, this document is in a final review.  Meanwhile, it is to
       retain the status of an internal proprietary document.
       BACKGROUND:  BT Tymnet Inc, and its Network Systems Company,
       believe information integrity is vital to ourselves and our
       customers.  One way TYMNET insures integrity is by providing good
       security.  TYMNET has a baseline security of user name, password,
       and user access profile available for all customers.  Further, there
       are two security products.  One permits the customer to limit
       password life (password automatically expires after a customer
       elected time period) and the other permits the end user to change
       his/her own password.  Since we do consider security a key issue,
       we continue to develop other security features.  Also, we work with
       Security vendors to certify their security products on our network,
       thus permitting customers to add such products, should they so
       desire.
       We have established Network Systems Company Policies which provide
       a framework for the information contained herein (see NSC Policy
       121 and 122.  More policies are in distribution as of this
       writing).  It is highly recommended that these policies be reviewed
       since they represent the framework of this document.
       Legal considerations are another key issue in any security case.
       Support, other then providing the customer with related security
       data, can only occur if law(s) have been broken.  The
       legal issues are complex and only a minimal information is
       provided herein.  At at the heart of this issue is the fact that
       the customer is the injured party, not TYMNET.  Patience and good
       communication may be required to get the customer to understand
       this fact.  The customers must act for themselves to obtain
       law enforcement support.  TYMNET will support that activity, and
       help to the degree possible, much as a "friend of the court".
       THE SUPPORT:  We provide security support as a responsible
       network service provider.  The first step in that support is for
       the field sales representative to act as a security consultant to
       the customer, at least to the extent explained below.
       The customer is well advised to plan in advance "what to do
       when Captain Midnight strikes" -- contingency planning, pure
       simple.  First there are two basic alternatives to choose from:
                              PROTECT AND PROCEED
                                       OR
                              PURSUE AND PROSECUTE
       "Protect and proceed" means 1) determine how the incident
       occurred, 2) plug the security leak/hole, and 3) go on with
       business as normal.
       (Do we want written notification of the Intent to "Pusue and
       Prosecute" from the "Injured Party?").
       "Pursue and prosecute" is just that.  The first step is having
       the customer obtain legal support, and both we and the customer
       continue to gather evidence until the suspect is apprehended.  The
       next step is the prosecution in a court of law.  (The final step is
       to return to the first alternative, e.g., now protect and
       proceed.)
       The customer needs to judge each case  on its own merits, but
       generally the first choice is the wiser one.  The second choice
       involves considerable effort, mostly by the customer and law
       enforcement agency(s), possible negative publicity for the
       customer and does not necessarily result in successful prosecution.
       Good contingency planning also includes becoming familiar with the
       laws and the local law enforcement people.
       The starting point is a suspected incident.  Herein, we will address
       the case where the customer has identified a suspected intruder.
       Generally, that occurs by a customer's detailed review of billing
       or host based security exception reports.
       At this point it is essential the field sales representative open a
       ticket containing at least the following:  1) customer name and CID,
       2) host(s) involved, 3) incident start and stop times, and 4) the
       customer's objective.  Add any other information deemed helpful.
       Other support may be an on-line trace of the call, if the
       suspect is currently on-line.  Field support should do this trace, or
       alternately, this same help can be obtained by calling network
       customer support and/or NetCon.  In any case it must be done while
       the suspect is on-line.  Such trace information should be
       included on the ticket.
       Based on the customer's position; the case will fit either
       "prevent and proceed" or, "pursue and prosecute".  The former is
       straight forward, in that TYMNET security will research the
       incidents(s), and provide data (generally user name and point of
       origin(s) to the customer via Field Sales, with recommendations
       on how to prevent any further occurrence.  We do provide this
       service as a responsible vendor, although strict interpretation
       of NSC policy 121 precludes it.  However, we do apply the policy if
       a customer continues to ask for data without taking preventative
       action.
       The "pursue and prosecute" case is complex, and is different for each
       situation.  It will be explained by using a typical scenario.  After
       the first step (as above), it is necessary to gather data sufficient
       to show a pattern of intrusion from a single TYMNET access point.
       With this information, the customer (the injured party) must contacts
       law enforcement agency(s), with the one exception noted below.
       If that intrusion point is through a gateway from a foreign
       country, for all practical purposes, the customer can do little to
       prosecute.  The law(s) of the foreign country will apply since
       extradition is most unlikely.  Therefore, action will have to be
       have to be initiated by the network service provider in the
       foreign country.  In this case, TYMNET security will have MIS
       research the session details to obtain the Network User
       Identifier, and External Network Support (Jeff Oliveto's
       organization) will communicate that information to the foreign
       network for their action (cases involving U.S. government computers
       may get special treatment - see for example - Communications of the
       ACM, May, 1988, article on "Stalking the Wiley Hacker").
       Most all security incidents on our network are caused by international
       hackers using X.121 addressing.  Frequently, our customer is unaware
       of the risk of X.121 addressing, and permits it.  BE SURE YOUR
       CUSTOMERS KNOW THAT THEY CAN CHOOSE FULL TYMNET SECURITY FEATURES,
       THEREBY PRECLUDING SUCH INTRUSIONS FROM X.121 ADDRESSING FROM
       FOREIGN NETWORKS.
       For the domestic case, the customer gets law enforcement (attorney
       general at incoming call location, secret service if credit card
       fraud is involved, or possibly the FBI, depending on the incident)
       to open a case.  Note, damage in estimated dollars is usually
       necessary to open a case, and many agencies will not take action on
       small claims.  For example, as of December, 1988, the Los Angeles
       Attorney will not open a case for less than $10,000 (they have too
       big a caseload at higher damages).
       Assuming legal support is provided, a court order for a wire tap
       and trace will be obtained, thereby determining the caller's phone
       number (this step can be very involved and time consuming for long
       distance calls).  The next legal action occurs after the calling
       number is identified.  A search warrant is obtained for searching the
       facility housing the phone location.  Normally, this search will
       gather evidence sufficient for prosecution.  Evidence is typically
       the necessary terminal equipment, printouts, diskettes, etc.  Then,
       at long last the prosecution.  Also note, again at the time the
       calling number is identified, the injured party should use the
       "protect and proceed" plan.
       For further information, contact Data Security, TYMNET Validations,
       or Ontyme NSC.SECURITY.

_______________________________________________________________________________