COSMOS COmputer System for Mainframe OperationS Introduction %%%%%%%%%%%% Throughout the last decade, computers have played an ever growing role in information storage and retrieval. In most companies, computerized databases have replaced a majority of all paper records. Where in the past it would take 10 minutes for someone to search through stacks of paper for some data, the same information can now be retrieved from a computer in a fraction of a second. Previously, proprietary information could be considered "safe" in a file cabinet; the only way to see the data would be to have physical access to the files. Now, somebody with a computer terminal and a modem can make a quick phone call and access private records. It's unfortunate that there are "hackers" who try to gain unauthorized access to computers. Yet, it is just as unfortunate that most reported computer break-ins could have been prevented if more thought and common sense went into protecting computers. Hackers %%%%%%% There have been many cases of computer crime reported by the Bell Operating Companies (BOCs), but it is hard to say how many actual break-ins there are. Keep in mind that the only reported cases are those which are detected. In an interview with an anonymous hacker, I was told of one of the break-ins that may not have ever been reported. "My friend got the number when he misdialed his business office -- that's how we knew that it was the phone company's. It seems this Unix was part of some real big Bellcore computer network," says the hacker. The hacker explains that this system was one of many systems used by the various BOCs to allow large Centrex customers to rearrange their Centrex groups. It seems he found a text file on the system with telephone numbers and passwords for some of Bellcore's development systems. "On this Bellcore system in Jersey, called CCRS, we found a list of 20 some-odd COSMOS systems.... Numbers, passwords, and wire centers from all over the country!" He adds, "Five states to be exact." The hacker was able to gain access to the original Unix system because, as he says, "Those guys left all the default passwords working." He was able to login with a user name of "games" with the password being "games." "Once we were on we found that a large number of accounts didn't have passwords. Mary, John, test, banana, and system were some, to name a few." From there he was able to eventually access several COSMOS database systems -- with access to ALL system files and resources. COSMOS %%%%%% COSMOS, an acronym for the COmputer System for Mainframe OperationS, is a database package currently supported by Bellcore. COSMOS is presently being used by every BOC, as well as by Cincinnati Bell and Rochester Telephone. COSMOS replaces paper record-keeping and other mechanized record systems for plant administration. COSMOS' original purpose was to alleviate congestion in the Main Distributing Frame (MDF) by maintaining the shortest jumpers. It can now maintain load balance in a switch and assign office equipment, tie pairs, bridge lifters and the like. Additional applications allow COSMOS to aid in "cutting-over" a new switch, or even generate recent change messages to be input into electronic switches. COSMOS is most often used for provisioning new service and maintaining existing service, by the following departments: The frame room (MDF), the Loop Assignment Center (LAC), the Recent Change Memory Assistance Center (RCMAC), the network administration center, and the repair service. Next year COSMOS will celebrate its 15th birthday, which is quite an accomplishment for a computer program. The first version or "generic" of COSMOS was released by Bell Laboratories in 1974. In March 1974, New Jersey Bell was the first company to run COSMOS, in Passaic, New Jersey. Pacific Telesis, NYNEX, Southern Bell, and many of the other BOCs adopted COSMOS soon after. Whereas Southwestern Bell waited until 1977, the Passaic, NJ Wire Center is still running COSMOS today. Originally COSMOS ran on the DEC PDP 11/45 minicomputer. The package was written in Fortran, and ran the COSNIX operating system. Later it was adapted to run on the DEC PDP 11/70, a larger machine. Beverly Cruse, member of Technical Staff, COSMOS system design at Bellcore, says, "COSNIX is a derivation of Unix 1.0, it started out from the original Unix, but it was adapted for use on the COSMOS project. It bears many similarities to Unix, but more to the early versions of Unix than the current... The COSMOS application now runs on other hardware understandard Unix." "The newest version of COSMOS runs on the standard Unix System V operating system. We will certify it for use on particular processors, based on the needs of our clients," says Ed Pinnes, the District Manager of COSMOS system design at Bellcore. This Unix version of COSMOS was written in C language. Currently, COSMOS is available for use on the AT&T 3B20 supermini computer, running under the Unix System V operating system. "There are over 700 COSMOS systems total, of which a vast majority are DEC PDP 11/70's. The number fluctuates all the time, as companies are starting to replace 11/70's with the other machines," says Cruse. In 1981 Bell Laboratories introduced an integrated systems package for telephone companies called the Facility Assignment Control System (FACS). FACS is a network of systems that exchanges information on a regular basis. These are: COSMOS, Loop Facilities Assignment and Control System (LFACS), Service Order Analysis and Control (SOAC), and Work Manager (WM). A service order from the business office is input in to SOAC. SOAC analyzes the order and then sends an assignment request, via the WM, to LFACS. WM acts as a packet switch, sending messages between the other components of FACS. LFACS assigns distribution plant facilities (cables, terminals, etc.) and sends the order back to SOAC. After SOAC receives the information form LFACS, it sends an assignment request to COSMOS. COSMOS responds with data for assigning central office equipment: Switching equipment, transmission equipment, bridge lifters, and the like. SOAC takes all the information from LFACS and COSMOS and appends it to the service order, and sends the service order on its way. Computer Security %%%%%%%%%%%%%%%%% Telephone companies seem to take the brunt of unauthorized access attempts. The sheer number of employees and size of most telephone companies makes it very difficult to keep tabs on everyone and everything. While researching computer security, it has become evident that COSMOS is a large target for hackers. "The number of COSMOS systems around, with dial-ups on most of the machines... makes for a lot of possible break-ins," says Cruse. This is why it's all the more important for companies to learn how to protect themselves. "COSMOS is power, the whole thing is a big power trip, man. It's like Big Brother -- you see the number of some dude you don't like in the computer. You make a service order to disconnect it; COSMOS is too stupid to tell you from a real telco dude," says one hacker. "I think they get what they deserve: There's a serious dearth of security out there. If kids like us can get access this easily, think about the real enemy -- the Russians," jokes another. A majority of unauthorized access attempts can be traced back to an oversight on the part of the system operators; and just as many are the fault of the systems' users. If you can keep one step ahead of the hackers, recognize these problems now, and keep an eye out for similar weaknesses, you can save your company a lot of trouble. A hacker says, "In California, a friend of mine used to be able to find passwords in the garbage. The computer was supposed to print some garbled characters on top of the password. Instead the password would print out AFTER the garbled characters." Some COSMOS users have half duplex printing terminals. At the password prompt COSMOS is supposed to print a series of characters and then send backspaces. Then the user would enter his or her password. When the password is printed on top of the other characters, you can't see what it is. If the password is being printed after the other characters, then the printing terminal is not receiving the back space characters properly. Another big problem is lack of password security. As mentioned before, regarding CCRS, many accounts on some systems will lack passwords. "On COSMOS there are these standardized account names. It makes it easier for system operators to keep track of who's using the system. For instance: all accounts that belong to the frame room will have an MF in them. Like MF01, you can tell it belongs to the frame room. (MF stands for Main Frame.) Most of these names seem to be common to most COSMOS systems everywhere. In one city, none of these user accounts have passwords. All you need is the name of the account and you're in. In another city, which will remain unnamed, the passwords are the SAME AS THE DAMN NAMES! Like, MF01 has a password of MF01. These guys must not be very serious about security." One of the biggest and in my eyes one of the scariest problems around is what hackers refer to as "social engineering". Social engineering is basically the act of impersonating somebody else for the sake of gaining proprietary information. "I know this guy. He can trick anybody, does the best BS job I've ever seen. He'll call up a telco office, like the repair service bureau, that uses COSMOS. We found that most clerks at the repair service aren't too sharp." The hacker said the conversation would usually take the following course: Hacker: Hi, this is Frank, from the COSMOS computer center. We've had a problem with our records, and I'm wondering if you could help me? Telco: Oh, what seems to be the problem? H: We seem to have lost some user data. Hopefully, if I can correct the problem, you people won't lose any access time today. Could you tell me what your system login name is? T: Well, the one I use is RS01. H: Hmm, this could present a problem. Can you tell me what password and wire center you use that with? T: Well, I just type s-u-c-k-e-r for my password, and my wire centers are: TK, KL, GL, and PK. H: Do you call into the system, or do you only have direct connect terminals? T: Well, when I turn on my machine I get a direct hook up. It just tells me to login. But I know in the back they have to dial something. Hold on, let me check. (3 Minutes later...) Well, she says all she does is call 555-1212. H: OK, I think I have everything taken care of. Thanks, have a nice day. T: Good, so I'm not gonna have any problems? H: No, but if you do just give the computer center a call, and we'll take care of it. T: Oh, thank you honey. Have a nice day now. "It doesn't work all the time, but we get away with it a good part of the time. I guess they just don't expect a call from someone who isn't really part of their company," says the hacker. "I once social engineered the COSMOS control center. They gave me dial-ups for several systems, and even gave me one password. I told them I was calling from the RCMAC and I was having trouble logging into COSMOS," says another. This last problem illustrates a perfect example of what I mean when I say these problems can be prevented if more care and common sense went into computer security. "Sometimes, if we want to get in to COSMOS, but we don't have the password, we call a COSMOS dial-up at about 5 o'clock. To logoff of COSMOS you have to hit a CONTROL-Y. If you don't, the next person who calls will resume where you left off. A lot of the time, people forget to logoff. They just turn their terminals off, in the rush of going home." A) Dial-Up Security: When securing a computer system, regardless of its type, it's important to remember this: the only way someone can remotely access your system is if there is a dial-up line leading to that system. If your system has a dial-up, make sure that you have taken every possible precaution to secure that line. "The one piece of advice I would give is: Be careful with dial-up lines," says Bellcore's Ed Pinnes. Dave Imparato, Manager of Database Management at New York Telephone, says, "We have devices that sit in front of our computers that you have to gain access to. In order to even get to COSMOS, there are three or four levels of security you have to go through, and that's before you even get to the system." Rules for protection of Dial-Up lines: 1. Have as few dial-up lines as possible. Private lines or direct connections are often a viable replacement for dial-up lines. 2. If you must have phone lines going to your computer, use external hardware, if possible. For instance, the Datakit Virtual Circuit Switch (VCS) will require a user to specify an "access password" and a system destination to specify which system you are calling. The VCS would then connect you to the requested system which would prompt you for a login and password. Using hardware similar to this serves a double purpose: A) It is harder for someone to get into your computer, due to additional passwords; B) Employees need only dial a single number to access a number of systems. Another good type of hardware is a callback modem. A callback modem will prompt users for a login and password. If these are correct, the modem will automatically callback to a predetermined number. At that point you would login to the computer. The advantage of callback is that unless a call is placed from a certain phone, there is no way to connect. Unfortunately, this is not always efficient for systems with large numbers of users. Lastly, and the most effective means of access, is to have a system which does not identify itself. A caller has to enter a secret password, which doesn't display on the screen. If a caller doesn't type the correct password, the system will hang up, without ever telling the caller what has happened. 3. If you ever detect "hackers" calling a certain number, it is advisable to change that number. Phone numbers should be unlisted. According to a hacker, he once got the number to an AT&T computer by asking directory assistance for the number of AT&T at 976 Main Street. 4. If dial-up lines aren't used on nights or weekends, they should be disabled. Computer hackers usually conduct their "business" on nights or weekends. The COSMOS system has the ability to restrict access by time of day. B) Password Security: Using the analogy between a computer and a file cabinet, you can compare a password to the lock on your file cabinet. By having accounts with no passwords you are, in effect, leaving your file cabinet wide open. A system's users will often want passwords that are easy to remember. This is not an advisable idea, especially for a database system with many users. The first passwords tried by hackers are the obvious. For instance if MF01 is known to be the user name for the frame room, a hacker might try MF01, FRAME, MDF, or MAINFRAME as passwords. If it's known to a hacker that the supervisor at the MDF is Peter Pinkerton, PETE or PINKERTON would not be very good passwords. Rules for password selection: 1. Passwords should be chosen by system administrators or the like. Users will often choose passwords which provide no security. They should not be within the reach of everybody in the computer room, but instead should be sent via company mail to the proper departments. 2. Passwords should be changed frequently, but on an irregular basis -- every four to seven weeks is advisable. Department supervisors should be notified of password changes via mail, a week in advance. This would ensure that all employees are aware of the change at the proper time. One thing you don't want is mass confusion, where everybody is trying to figure out why they can't access their computers. 3. System administrators' passwords should be changed twice as often because they can allow access to all system resources. If possible, system administrator accounts should be restricted from logging in on a dial-up line. 4. A password should NEVER be the same as the account name. Make sure that ALL system defaults are changed. 5. Your best bet is to make passwords a random series of letters and numbers. For example 3CB06W1, Q9IF0L4, or F4W21D0. All passwords need not be the same length or format. Imparato says, "We built a program in a PC that generates different security passwords for different systems and makes sure there's no duplication." 6. It's important to change passwords whenever an employee leaves the company or even changes departments. Imparato says, "When managers leave our organization, we make sure we change those passwords which are necessary to operate the system." 7. The Unix operating system has a built-in "password aging" feature, which requires a mandatory change of passwords after a period of time. If you run any Unix-based systems, it's important to activate password aging. 8. When you feel you have experienced a problem, change ALL passwords, not just those passwords involved with the incident. C) Site security: There have been a number of articles written by hackers and published in 2600 Magazine dealing with garbage picking or what hackers call "trashing". It's important to keep track of what you throw out. In many companies, proprietary operations manuals are thrown out. COSMOS itself is not a user-friendly system. In other words, without previous exposure to the system it would be very difficult to operate. Bellcore's Beverly Cruse says, "COSMOS is used in so many places around the country, I wouldn't be surprised if they found books... in the garbage, especially after divestiture. One interesting thing about a COSMOS article written by hackers, is that there was a lot of obsolete information, so it shows that wherever the information came from... it was old." Rules for site security: 1. Although it may seem evident, employees should be required to show proper identification when entering terminal rooms or computer facilities. It's doubtful that a hacker would ever attempt to infiltrate any office, but hackers aren't the only people you have to worry about. 2. Urge employees to memorize login sequences. It's a bad idea for passwords to be scribbled on bits of paper taped to terminals. Eventually, one of those scraps may fall into the wrong hands. 3. Garbage should be protected as much as possible. If you use a private pick-up, keep garbage in loading docks, basements, or fenced-off areas. If you put your garbage out for public sanitation department pick-up, it's a good idea to shred sensitive materials. 4. Before throwing out old manuals or books, see if another department could make use of them. The more employees familiar with the system, the less of a chance that there will be a security problem. 5. Printing terminals should be inspected to make sure that passwords are not readable. If passwords are found to echo, check to see if the duplex is correct. Some operating systems allow you to configure dial-ups for printer use. D) Employee Security: When a hacker impersonates an employee, unless he is not successful there is a great chance the incident will go unreported. Even if the hacker doesn't sound like he knows what he's talking about, employees will often excuse the call as an unintelligent or uninformed person. It's unpleasant to have to worry about every call with an unfamiliar voice on the other end of the phone, but it is necessary. Rules for employee security: 1. When making an inter-departmental call, always identify yourself with: 1) Your name; 2) Your title; and 3) Your department and location. 2. Be suspicious of callers who sound like children, or those who ask you questions that are out of the ordinary. Whenever someone seems suspicious, get their supervisor's name and a callback number. Don't discuss anything sensitive until you can verify their identity. Don't ever discuss passwords over the phone. 3. When there is a security problem with a system, send notices to all users instructing them not to discuss the system over the phone, especially if they do not already know the person to whom they are talking. 4. Remind all dial-up users of systems, before hanging up. 5. If security-minded posters are put up around the workplace, employees are bound to take more care in their work and in conversations on the phone. 6. If managers distribute this and other computer security articles to department supervisors employee security will be increased. E) General Security: Bellcore recently sent a package to all system administrators of COSMOS systems. The package detailed security procedures which applied to COSMOS and Unix-based systems. If you are a recipient of this package, you should re-read it thoroughly to ensure that your systems are secure. Cruse says, "Last year... I had a call from someone within an operating company with a COSMOS security problem. All we really did was give them documentation which reminded them of existing security features... There is built-in security in the COSNIX operating system... We really didn't give them anything new at the time. The features were already there; we gave them the recommendation that they implement all of them." If you feel you may not be using available security features to the fullest, contact the vendors of your computer systems and request documentation on security. Find out if there are security features that you may not be currently taking advantage of. There are also third party software companies that sell security packages for various operating systems and computers. Computer security is a very delicate subject. Many people try to pretend that there is no such thing as computer crime. Since the problem exists, the best thing to do is to study the problems and figure out the best possible solutions. If more people were to write or report about computer security, it would be easier for everyone else to protect themselves. I would like to see Bellcore publish security guidelines, available to the entire telecommunications industry. Keep in mind, a chain is only as strong as its weakest link.