A. Customer Support Information. Lucent Technologies MERLIN LEGEND, MERLIN LEGEND Release 6.1


MERLIN LEGEND Communications System Release 6.1

Feature Reference 555-661-110

Issue 1

August 1998

A Customer Support Information

Support Telephone Number

In the USA only, Lucent Technologies provides a toll-free customer Helpline (1 800 628-2888) 24 hours a day. If you need assistance when installing, programming, or using your system, call the Helpline or your Lucent Technologies representative. Consultation charges may apply.

Outside the USA, if you need assistance when installing, programming, or using your system, contact your Lucent Technologies representative.

Federal Communications Commission (FCC) Electromagnetic Interference Information

This equipment has been tested and found to comply with the limits for a Class A digital device, pursuant to Part 15 of the FCC Rules. These limits are designed to provide reasonable protection against harmful interference when the equipment is operated in a commercial environment. This equipment generates, uses, and can radiate radio frequency energy and, if not installed and used in accordance with the instruction manual, may cause harmful interference to radio communications.

Operation of this equipment in a residential area is likely to cause harmful interference, in which case the user will be required to correct the interference at his or her own expense.


Canadian Department of Communications (DOC) Interference Information

This digital apparatus does not exceed the Class A limits for radio noise emissions set out in the radio interference regulations of the Canadian Department of Communications.

This digital apparatus does not emit radio noise exceeding the limits applicable to Class A digital apparatus prescribed in the radio interference regulations issued by the Canadian Department of Communications.

FCC Notification and Repair Information

This equipment is registered with the FCC in accordance with Part 68 of its rules.

In compliance with those rules, you are advised of the following:

Means of Connection. Connection of this equipment to the telephone network shall be through a standard network interface jack, USOC RJ11C, RJ14C, RJ21X. Connection to E&M tie trunks requires a USOC RJ2GX. Connection to off-premises extensions requires a USOC RJ11C or RJ14C. Connection to 1.544-Mbps digital facilities must be through a USOC RJ48C or RJ48X. Connection to DID requires a USOC RJ11C, RJ14C, or RJ21X. These USOCs must be ordered from your telephone company. Connection to 56-Kbps or 64-Kbps facilities requires a USOC RJ11C, RJ14C, or RJ21.

Party Lines and Coin Telephones. This equipment may not be used with party lines or coin telephone lines.

Notification to the Telephone Companies. Before connecting this equipment, you or your equipment supplier must notify your local telephone company’s business office of the following:

— The telephone number(s) you will be using with this equipment.

— The appropriate registration number and ringer equivalence number (REN), which can be found on the back or bottom of the control unit, as follows:

    ■ If this equipment is to be used as a Key system, report the number AS593M-72914-KF-E.

    ■ If the system provides both manual and automatic selection of incoming/outgoing access to the network, report the number AS593M-72682-MF-E.

    ■ If there are no directly terminated trunks, or if the only directly terminated facilities are personal lines, report the number AS5USA-65646-PF-E.

    ■ The REN (Ringer Equivalence Number) for all three systems is 1.5A.

— The facility interface code (FIC) and service order code (SOC):

    ■ For tie line connection, the FIC is TL31M and the SOC is 9.0F.

    ■ For connection to off-premises stations, the FIC is OL13C and the SOC is 9.0F.

    ■ For equipment to be connected to DID facilities, the FIC is 02RV2-T and the SOC is AS.2.

    ■ For equipment to be connected to 1.544-Mbps digital service, the SOC is 6.0P and the FIC is:

        — 04DU9-BN for D4 framing format with AMI zero code suppression.

        — 04DU9-DN for D4 framing format with bipolar 8 zero code suppression (B8ZS).

        — 04DU9-IKN for extended superframe format (ESF) with AMI zero code suppression.

        — 04DU9-ISN with ESF and B8ZS.

    ■ For equipment to be connected to 56-Kbps or 64-Kbps digital facilities, the FIC is 02B1Q.

— The quantities and USOC numbers of the jacks required.

— For each jack, the sequence in which lines are to be connected, the line types, the FIC, and the REN by position when applicable.

Ringer Equivalence Number (REN). The REN is used to determine the number of devices that may be connected to the telephone line. Excessive RENs on the line may result in the devices not ringing in response to an incoming call. In most, but not all, areas the sum of the RENs should not exceed five (5.0). To be certain of the number of devices that may be connected to the line, as determined by the total RENs, contact the local telephone company to determine the maximum REN for the calling area.

Disconnection. You must also notify your local telephone company if and when this equipment is permanently disconnected from the line(s).

Installation and Operational Procedures

The manuals for your system contain information about installation and operational procedures.

Repair Instructions. If you experience trouble because your equipment is malfunctioning, the FCC requires that the equipment not be used and that it be disconnected from the network until the problem has been corrected.

Repairs to this equipment can be made only by the manufacturers, their authorized agents, or others who may be authorized by the FCC. In the event repairs are needed on this equipment, contact your authorized Lucent Technologies dealer or, in the USA only, contact the National Service Assistance Center (NSAC) at 1 800 628-2888.

Rights of the Local Telephone Company. If this equipment causes harm to the telephone network, the local telephone company may discontinue your service temporarily. If possible, they will notify you in advance. But if advance notice is not practical, you will be notified as soon as possible. You will also be informed of your right to file a complaint with the FCC.

Changes at Local Telephone Company. Your local telephone company may make changes in its facilities, equipment, operations, or procedures that affect the proper functioning of this equipment. If they do, you will be notified in advance to give you an opportunity to maintain uninterrupted telephone service.

Hearing Aid Compatibility. The custom telephone sets for this system are compatible with inductively coupled hearing aids as prescribed by the FCC.

Automatic Dialers. WHEN PROGRAMMING EMERGENCY NUMBERS AND/OR MAKING TEST CALLS TO EMERGENCY NUMBERS:

— Remain on the line and briefly explain to the dispatcher the reason for the call.

— Perform such activities in off-peak hours, such as early morning or late evening.

Direct Inward Dialing (DID). This equipment returns answer supervision signals to the PSTN when:

— Answered by the called station

— Answered by the attendant

— Routed to a recorded announcement that can be administered by the customer premises equipment user

— Routed to a dial prompt

This equipment returns answer supervision on all DID calls forwarded back to the PSTN. Permissible exceptions are when:

— A call is unanswered

— A busy tone is received

— A reorder tone is received

Allowing this equipment to be operated in such a manner as not to provide proper answer supervision signaling is in violation of Part 68 rules.

New Network Area and Exchange Codes. The MERLIN LEGEND Communications System software does not restrict access to any new area codes or exchange codes established by a local telephone company. If the user has established toll restrictions on the system that could restrict access, then the user should check the lists of allowed and disallowed dial codes and modify them as needed.


Equal Access Codes. This equipment is capable of providing users access to interstate providers of operator services through the use of access codes.

Modification of this equipment by call aggregators to block access dialing codes is a violation of the Telephone Operator Consumers Act of 1990.

DOC Notification and Repair Information

NOTICE: The Canadian Department of Communications (DOC) label identifies certified equipment. This certification means that the equipment meets certain telecommunications network protective, operational, and safety requirements.

The DOC does not guarantee the equipment will operate to the user’s satisfaction.

Before installing this equipment, users should ensure that it is permissible to connect it to the facilities of the local telecommunications company. The equipment must also be installed using an acceptable method of connection. In some cases, the company’s inside wiring for single-line individual service may be extended by means of a certified connector assembly (telephone extension cord).

The customer should be aware that compliance with the above conditions may not prevent degradation of service in some situations.

Repairs to certified equipment should be made by an authorized Canadian maintenance facility designated by the supplier. Any repairs or alterations made by the user to this equipment, or any equipment malfunctions, may give the telecommunications company cause to request the user to disconnect the equipment.

Users should ensure for their own protection that the electrical ground connections of the power utility, telephone lines, and internal metallic water pipe system, if present, are connected. This precaution may be particularly important in rural areas.

CAUTION: Users should not attempt to make such connections themselves, but should contact the appropriate electrical inspection authority or electrician, as appropriate.

To prevent overloading, the Load Number (LN) assigned to each terminal device denotes the percentage of the total load to be connected to a telephone loop used by the device. The termination on a loop may consist of any combination of devices subject only to the requirement that the total of the Load Numbers of all the devices does not exceed 100.

DOC Certification No.: 230 4095A

CSA Certification No.: LR 56260

Load No.: 6


Department of Communications Notification Information

NOTICE: The Canadian Department of Communications label identifies certified equipment. This label certifies that the equipment complies with certain telecommunications network protection, operation, and safety standards. The Department does not, however, guarantee that the equipment will operate to the user’s satisfaction.

Before installing this equipment, the user must ensure that it is permissible to connect it to the facilities of the local telecommunications company. The equipment must also be installed using an accepted method of connection. In some cases, the company’s inside wiring used for single-line individual service may be extended by means of a certified connector assembly (internal telephone extension cord).

The subscriber should bear in mind that compliance with the above conditions may not prevent degradation of service in some situations. At present, telecommunications companies do not permit their equipment to be connected to subscriber jacks, except in the specific cases provided for in those companies’ particular tariffs.

Repairs to certified equipment must be made by an authorized Canadian maintenance facility designated by the supplier. The telecommunications company may ask the user to disconnect a device following repairs or alterations made by the user, or because of a malfunction.

For their own protection, users must ensure that all ground wires of the electrical power source, the telephone lines, and the metallic water pipes, if any, are connected together. This precaution is particularly important in rural areas.

WARNING: Users must not attempt to make these connections themselves; they must call on an electrical inspection service or an electrician, as appropriate.

The Load Number (LN) assigned to each terminal device indicates, to prevent overloading, the percentage of the total load that may be connected to a telephone loop used by that device. The loop termination may consist of any combination of devices, provided that the sum of the Load Numbers of all the devices does not exceed 100.


Certification No.: 230 4095A

CSA Certification No.: LR 56260

Load Number: 6

[Figure: MERLIN LEGEND D.O.C. Location Label Placement]


Security of Your System: Preventing Toll Fraud

As a customer of a new telephone system, you should be aware that there is an increasing problem of telephone toll fraud. Telephone toll fraud can occur in many forms, despite the numerous efforts of telephone companies and telephone equipment manufacturers to control it. Some individuals use electronic devices to prevent or falsify records of these calls. Others charge calls to someone else’s number by illegally using lost or stolen calling cards, billing innocent parties, clipping on to someone else’s line, and breaking into someone else’s telephone equipment physically or electronically. In certain instances, unauthorized individuals make connections to the telephone network through the use of the Remote Access features of your system.

The Remote Access features of your system, if you choose to use them, permit off-premises callers to access the system from a remote telephone by using a telephone number with or without a barrier code. The system returns an acknowledgment signaling the user to key in his or her barrier code, which is selected and administered by the system manager. After the barrier code is accepted, the system returns dial tone to the user. In Release 3.1 and later systems, barrier codes are by default restricted from making outside calls. In prior releases, if you do not program specific outward calling restrictions, the user is able to place any call normally dialed from a telephone associated with the system. Such an off-premises network call is originated at, and will be billed from, the system location.

The Remote Access feature, as designed, helps the customer, through proper administration, to minimize the ability of unauthorized persons to gain access to the network. Most commonly, phone numbers and codes are compromised when overheard in a public location, through theft of a wallet or purse containing access information, or through carelessness (for example, writing codes on a piece of paper and improperly discarding it). Additionally, hackers may use a computer to dial an access code and then publish the information to other hackers. Enormous charges can be run up quickly. It is the customer’s responsibility to take the appropriate steps to properly implement the features, evaluate and administer the various restriction levels, protect access codes, and distribute access codes only to individuals who have been fully advised of the sensitive nature of the access information.

Common carriers are required by law to collect their tariffed charges. While these charges are fraudulent charges made by persons with criminal intent, applicable tariffs state that the customer of record is responsible for payment of all long-distance or other network charges. Lucent Technologies cannot be responsible for such charges and will not make any allowance or give any credit for charges that result from unauthorized access.


To minimize the risk of unauthorized access to your communications system:

■ Use an unpublished Remote Access number.

■ Assign access codes randomly to users on a need-to-have basis, keeping a log of all authorized users and assigning one code to one person.

■ Use random-sequence access codes, which are less likely to be easily broken.

■ Use the longest-length access codes the system will allow.

■ Deactivate all unassigned codes promptly.

■ Ensure that Remote Access users are aware of their responsibility to keep the telephone number and any access codes secure.

■ When possible, restrict the off-network capability of off-premises callers, using calling restrictions, Facility Restriction Levels (FRLs) (Hybrid/PBX mode only), and Disallowed List capabilities. In Release 3.1 and later systems, a prepared Disallowed List (number 7) is provided and is designed to prevent the types of calls that toll-fraud abusers often make.

■ When possible, block out-of-hours calling.

■ Frequently monitor system call detail reports for quicker detection of any unauthorized or abnormal calling patterns.

■ Limit Remote Call Forwarding to persons on a need-to-have basis.

■ Change access codes every 90 days.

■ Use the longest-length barrier codes possible, following the guidelines for passwords. (See “Choosing Passwords.”)

Toll Fraud Prevention

Toll fraud is the unauthorized use of your telecommunications system by third parties to make long-distance telephone calls. Under the law, you, the customer, are responsible for paying part or all of those unauthorized calls. Thus, the following information is of critical importance.

Unauthorized persons concentrate their activities in two areas with the MERLIN LEGEND Communications System:

■ They try to transfer out of the MERLIN LEGEND Communications System to gain access to an outgoing trunk and make long-distance calls.

■ They try to locate unused or unprotected mailboxes and use them as drop-off points for their own messages.

The following is a discussion of how toll fraud is often perpetrated and ways to prevent unauthorized access that can lead to toll fraud.


Physical Security, Social Engineering, and General Security Measures

Criminals called hackers may attempt to gain unauthorized access to your communications system and voice messaging system in order to use the system features. Hackers often attempt to trick employees into providing them with access to a network facility (line/trunk) or a network operator. This is referred to as social engineering. Hackers may pose as telephone company employees and employees of Lucent Technologies or your authorized dealer. Hackers will go through a company’s trash to find directories, dialing instructions, and other information that will enable them to break into the system. The more knowledgeable they appear to be about the employee names, departments, telephone numbers, and the internal procedures of your company, the more likely it is that they will be able to trick an employee into helping them.

Preventive Measures

Take the following preventive measures to limit the risk of unauthorized access by hackers:

■ Provide good physical security for the room containing your telecommunications equipment and the room with administrative tools, records, and system manager information. These areas should be locked when not attended.

■ Provide a secure trash disposal for all sensitive information, including telephone directories, call accounting records, or anything that may supply information about your communications system. This trash should be shredded.

■ Educate employees that hackers may try to trick them into providing them with dial tone or dialing a number for them. All reports of trouble, requests for moving extensions, or any other administrative details associated with the MERLIN LEGEND Communications System should be handled by one person (the system manager) or within a specified department. Anyone claiming to be a telephone company representative should be referred to this person or department.

■ No one outside of Lucent Technologies needs to use the MERLIN LEGEND Communications System to test facilities (lines/trunks). If a caller identifies him- or herself as a Lucent Technologies employee, the system manager should ask for a telephone number where the caller can be reached. The system manager should be able to recognize the number as a Lucent Technologies telephone number. Before connecting the caller to the administrative port of the MERLIN LEGEND Communications System, the system manager should feel comfortable that a good reason to do so exists. In any event, it is not advisable to give anyone access to network facilities or operators, or to dial a number at the request of the caller.

Any time a call appears to be suspicious, call the Lucent Technologies BCS Fraud Intervention Center at 1 800 628-2888 (fraud intervention for System 25, PARTNER® and MERLIN systems).


■ Customers should also take advantage of Lucent Technologies monitoring services and devices, such as the NetPROTECT℠ family of fraud-detection services, CAS with HackerTracker®, and CAT Terminal with Watchdog. Call 1 800 638-7233 to get more information on these Lucent Technologies fraud detection services and products.

Security Risks Associated with Transferring through Voice Messaging Systems

Toll fraud hackers try to dial into a voice mailbox and then execute a transfer by dialing 7. The hacker then dials an access code (either for Automatic Route Selection or a pooled facility code) followed by the appropriate digit string to either direct dial or access a network operator to complete the call.

NOTE: In Release 3.1 and later systems, all extensions are initially and by default restricted from dial access to pools. In order for an extension to use a pool to access an outside line/trunk, this restriction must be removed.

Preventive Measures

Take the following preventive measures to limit the risk of unauthorized transfers by hackers:

■ Outward restrict all MERLIN LEGEND Communications System voice mail port extension numbers. This denies access to facilities (lines/trunks). In Release 3.1 and later systems, voice mail ports are by default outward restricted.

■ As an additional security step, network dialing for all extensions, including voice mail port extensions, should be processed through ARS using dial access code .

SECURITY ALERT:

The MERLIN LEGEND Communications System ships with ARS activated with all extensions set to FRL 3, allowing all international calling. To prevent toll fraud, ARS FRLs should be established using:

— FRL 0 for restriction to internal dialing only

— FRL 2 for restriction to local network calling only

— FRL 3 for restriction to domestic long-distance (excluding area code 809 for the Dominican Republic as this is part of the North American Numbering Plan, unless 809 is required)

— FRL 4 for international calling


In Release 3.1 and later systems, default local and default toll tables are factory-assigned an FRL of 2. This simplifies the task of restricting extensions: the FRL for an extension merely needs to be changed from the default of 3.

Each extension should be assigned the appropriate FRL to match its calling requirements. All voice mail port extensions not used for Outcalling should be assigned to FRL 0 (the default setting in Release 3.1 and later).

■ Deny access to pooled facility codes by removing pool dial-out codes 70, 890-899, or any others on your system.

■ Create a Disallowed List or use the pre-prepared Disallowed List number 7 (Release 3.1 and later systems only) to disallow dialing 0, 11, 10, 1700, 1809, 1900, and 976 or 1(wildcard)976. In Release 3.1 and later systems, Disallowed List number 7 does not include 800 and 1800 and 411 and 1411, but Lucent Technologies recommends that you add them. Assign all voice mail port extensions to this Disallowed List. Lucent Technologies recommends assigning Disallowed List number 7. This is an added layer of security, in case outward restriction is inadvertently removed. (In Release 3.1 and later systems, voice messaging ports are assigned by default to Disallowed List number 7.)

If Outcalling is required by voice messaging system extensions:

■ Program an ARS FRL of 2 on voice mail port extension(s) used for Outcalling.

■ If 800 and 411 numbers are used, remove 1800, 800, 411, and 1411 from Disallowed List number 7.

■ If Outcalling is allowed to long-distance numbers, build an Allowed List for the voice mail port extension(s) used for Outcalling. This list should contain the area code and the first three digits of the local exchange telephone numbers to be allowed.

Additional general security for voice messaging systems:

■ Use a secure password for the General Mailboxes.

■ The default administration mailbox, 9997, must be reassigned to the system manager’s mailbox/extension number and securely password protected.

■ All voice messaging system users must use secure passwords known only to the user.
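The advice to monitor call detail reports and the Disallowed List entries above can be combined into a simple audit, shown here as an added example that is not part of the manual. The CSV record layout, the voice mail port extension numbers, the business hours, and the reading of "1(wildcard)976" as 1 plus a three-digit area code plus 976 are all assumptions of this sketch.

```python
import csv
import io
from datetime import datetime, time

# Dial prefixes from the page: Disallowed List number 7 plus the 800/1800/411/1411
# entries the manual recommends adding. "?" is this example's notation for one
# wildcard digit; reading "1(wildcard)976" as 1 + area code + 976 is an assumption.
DISALLOWED = ["0", "11", "10", "1700", "1809", "1900", "976", "1???976",
              "800", "1800", "411", "1411"]

# Hypothetical site settings (not from the manual).
VOICE_MAIL_PORTS = {"7920", "7921"}
OPEN, CLOSE = time(8, 0), time(18, 0)

# Constructed outside-call records; this CSV layout is an assumption, not the
# system's own call detail report format.
SAMPLE_CDR = """\
start,extension,dialed,seconds
1998-08-03 09:15,5012,555-0134,120
1998-08-03 23:40,7920,011-44-20-7946-0000,1860
1998-08-04 10:05,5020,1-212-555-0147,300
1998-08-04 14:30,5033,1-900-555-0100,900
1998-08-08 02:10,5012,1-312-976-5555,2400
"""


def matches_prefix(digits, entry):
    """True if the dialed digits begin with the list entry ('?' = any digit)."""
    if len(digits) < len(entry):
        return False
    return all(e == "?" or e == d for e, d in zip(entry, digits))


def disallowed_entry(dialed, entries=DISALLOWED):
    """Return the first list entry the dialed number matches, or None."""
    digits = "".join(ch for ch in dialed if ch.isdigit())
    for entry in entries:
        if matches_prefix(digits, entry):
            return entry
    return None


def out_of_hours(start):
    """Weekends and anything outside OPEN..CLOSE count as out-of-hours."""
    return start.weekday() >= 5 or not (OPEN <= start.time() < CLOSE)


def audit(cdr_text):
    """Flag outside calls that the page's guidance says should not occur."""
    findings = []
    for row in csv.DictReader(io.StringIO(cdr_text)):
        start = datetime.strptime(row["start"], "%Y-%m-%d %H:%M")
        reasons = []
        entry = disallowed_entry(row["dialed"])
        if entry is not None:
            reasons.append(f"dialed digits match Disallowed entry {entry}")
        if out_of_hours(start):
            reasons.append("out-of-hours call")
        if row["extension"] in VOICE_MAIL_PORTS:
            reasons.append("outside call from a voice mail port")
        if reasons:
            findings.append({"start": row["start"],
                             "extension": row["extension"],
                             "dialed": row["dialed"],
                             "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE_CDR):
        print(f["start"], f["extension"], f["dialed"], "; ".join(f["reasons"]))
```

A call that matches a Disallowed entry in the report means the restriction was not in force for that extension, which is the condition the manual's layered approach is meant to catch.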


Security Risks Associated with the Automated Attendant Feature of Voice Messaging Systems

Two areas of toll fraud risk associated with the Automated Attendant feature of voice messaging systems are the following:

■ Pooled facility (line/trunk) access codes are translated to a menu prompt to allow Remote Access. If a hacker finds this prompt, the hacker has immediate access. (In Release 3.1 and later systems, dial access to pools is initially factory-set to restrict all extensions: to allow pool access, this restriction must be removed by the system manager.)

■ If the Automated Attendant prompts callers to use Remote Call Forwarding (RCF) to reach an outside telephone number, the system may be susceptible to toll fraud. An example of this application is a menu or submenu that says, “To reach our answering service, select prompt number 5,” and transfers a caller to an external telephone number.

Remote Call Forwarding can be used securely only when the central office provides “reliable disconnect” (sometimes referred to as forward disconnect or disconnect supervision), which guarantees that the central office does not return a dial tone after the called party hangs up. In most cases, the central office facility is a loop-start line/trunk which does not provide reliable disconnect. When loop-start lines/trunks are used, if the calling party stays on the line, the central office does return a dial tone at the conclusion of the call, enabling the caller to place another call as if it were being placed from your company. Ground-start trunks provide reliable disconnect and should be used whenever possible.

Preventive Measures

Take the following preventive measures to limit the risk of unauthorized use of the Automated Attendant feature by hackers:

■ Do not use Automated Attendant prompts for Automatic Route Selection (ARS) Codes or Pooled Facility Codes.

■ Assign all unused Automated Attendant Selector Codes to zero, so that attempts to dial these are routed to the system attendant.

■ If Remote Call Forwarding (RCF) is required, MERLIN LEGEND Communications System owners should coordinate with their Lucent Technologies Account Team or authorized dealer to verify the type of central office facility used for RCF. If it is a ground-start line/trunk, or if it is a loop-start line/trunk and central office reliable disconnect can be ensured, then nothing else needs to be done.

NOTE: In most cases these are loop-start lines/trunks without reliable disconnect.

The local telephone company must be involved in order to change the facilities used for RCF to ground-start lines/trunks. Usually a charge applies for this change. Also, hardware and software changes may be necessary in the MERLIN LEGEND Communications System. The MERLIN MAIL MERLIN and MERLIN LEGEND MAIL Automated Attendant feature merely accesses the RCF feature in the MERLIN LEGEND Communications System. Without these changes being made, this feature is highly susceptible to toll fraud. These same preventive measures must be taken if the RCF feature is active for MERLIN LEGEND Communications System extensions whether or not it is accessed by an Automated Attendant menu.

Security Risks Associated with the Remote Access Feature

Remote Access allows the MERLIN LEGEND Communications System owner to access the system from a remote telephone and make an outgoing call or perform system administration, using the network facilities (lines/trunks) connected to the MERLIN LEGEND Communications System. Hackers, scanning the public switched network by randomly dialing numbers with war dialers (a device that randomly dials telephone numbers, including 800 numbers, until a modem or dial tone is obtained), can find this feature, which will return a dial tone to them. They can even employ war dialers to attempt to discover barrier codes.

Preventive Measures

Take the following preventive measures to limit the risk of unauthorized use of the MERLIN LEGEND Communications System Remote Access feature by hackers:

■ The Remote Access feature can be abused by criminal toll fraud hackers, if it is not properly administered. Therefore, this feature should not be used unless there is a strong business need.

■ It is strongly recommended that customers invest in security adjuncts, which typically use one-time passcode algorithms. These security adjuncts discourage hackers. Since a secure use of the Remote Access feature generally offers savings over credit-card calling, the break-even period can make the investment in security adjuncts worthwhile.

■ If a customer chooses to use the Remote Access feature without a security adjunct, then multiple barrier codes should be employed, with one per user if the system permits. The MERLIN LEGEND Communications System permits a maximum of 16 barrier codes.

■ The maximum length should be used for each barrier code, and each code should be changed periodically. Barrier codes, like passwords, should consist of a random, hard-to-guess sequence of digits. While MERLIN LEGEND Communications System Release 3.0 permits a barrier code of up to 11 digits, systems prior to Release 3.0 permit barrier codes of up to only four digits.

■ If Remote Access is used, an upgrade to MERLIN LEGEND Communications System Release 3.0 is encouraged to take advantage of the longer barrier code.


Other Security Hints


Make sure that the Automated Attendant Selector Codes do not permit outside line selection.

Following are a number of measures and guidelines that can help you ensure the security of your communications system and voice messaging system.

Multiple layers of security are always recommended to keep your system secure.

Educating Users

Everyone in your company who uses the telephone system is responsible for system security. Users and attendants/operators need to be aware of how to recognize and react to potential hacker activity. Informed people are more likely to cooperate with security measures that often make the system less flexible and more difficult to use.

■ Never program passwords or authorization codes onto Auto Dial buttons. Display telephones reveal the programmed numbers and internal abusers can use the Auto Dial buttons to originate unauthorized calls.

■ Discourage the practice of writing down barrier codes or passwords. If a barrier code or password needs to be written down, keep it in a secure place and never discard it while it is active.

■ Operators or attendants should tell their system manager if they answer a series of calls where there is silence on the other end or the caller hangs up.

■ Users who are assigned voice mailboxes should frequently change personal passwords and should not choose obvious passwords.

■ The system manager should advise users with special telephone privileges (such as Remote Access, Outcalling, and Remote Call Forwarding) of the potential risks and responsibilities.

■ Be suspicious of any caller who claims to be with the telephone company and wants to check an outside line. Ask for a callback number, hang up and confirm the caller’s identity.

■ Never distribute the office telephone directory to anyone outside the company; be careful when discarding it (shred the directory).

■ Never accept collect telephone calls.

■ Never discuss your telephone system’s numbering plan with anyone outside the company.


Educating Operators

Operators or attendants need to be especially aware of how to recognize and react to potential hacker activity. To defend against toll fraud, operators should follow the guidelines below:

■ Establish procedures to counter social engineering. Social engineering is a con game that hackers frequently use to obtain information that may help them gain access to your communications system or voice messaging system.

■ When callers ask for assistance in placing outside or long-distance calls, ask for a callback extension.

■ Verify the source. Ask callers claiming to be maintenance or service personnel for a callback number. Never transfer to *10 without this verification. Never transfer to extension 900.

■ Remove the headset and/or handset when the console is not in use.

Detecting Toll Fraud

To detect toll fraud, users and operators should look for the following:

■ Lost voice mail messages, mailbox lockout, or altered greetings

■ Inability to log into voice mail

■ Inability to get an outside line

■ Foreign language callers

■ Frequent hang-ups

■ Touch-tone sounds

■ Caller or employee complaints that the lines are busy

■ Increases in internal requests for assistance in making outbound calls (particularly international calls or requests for dial tone)

■ Outsiders trying to obtain sensitive information

■ Callers claiming to be the “phone” company

■ Sudden increase in wrong numbers

Establishing a Policy

As a safeguard against toll fraud, follow these guidelines for your MERLIN LEGEND Communications System and voice messaging system:

■ Change passwords frequently (at least quarterly). Changing passwords routinely on a specific date (such as the first of the month) helps users to remember to do so.

■ Always use the longest-length password allowed.


■ Establish well-controlled procedures for resetting passwords.

■ Limit the number of invalid attempts to access a voice mailbox to five or less.

■ Monitor access to the MERLIN LEGEND Communications System dial-up maintenance port. Change the access password regularly and issue it only to authorized personnel. Disconnect the maintenance port when not in use. (However, this eliminates Lucent Technologies’ 24-hour maintenance surveillance capability and may result in additional maintenance costs.)

■ Create a communications system management policy concerning employee turnover and include these suggestions:

— Delete all unused voice mailboxes in the voice mail system.

— If a terminated employee had Remote Access calling privileges and a personal authorization code, remove the authorization code immediately.

— If barrier codes and/or authorization codes were shared by the terminated employee, these should be changed immediately.

■ Regularly back up your MERLIN LEGEND Communications System files to ensure a timely recovery should it be required. Schedule regular, off-site backups.

■ Keep the Remote Maintenance Device turned off when not in use by Lucent Technologies or your authorized dealer.

■ Limit transfers to registered subscribers only.

■ Use the Security Violations Notification options (Mailbox Lock or Warning Message) to alert you of any mailbox break-in attempts. Investigate all incidents.

■ Review security policies and procedures and keep them up to date.

Choosing Passwords

Passwords should be the maximum length allowed by the system.

Passwords should be hard to guess and should not contain:

■ All the same numbers (for example, 1111, 666666)

■ Sequential characters (for example, 123456)

■ Numbers that can be associated with you or your business, such as your name, birthday, business name, business address, telephone number, or social security number.

■ Words and commonly used names.

Passwords should be changed regularly, at least on a quarterly basis. Recycling old passwords is not recommended. Never program passwords (or authorization codes or barrier codes) onto a speed dial button.
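The rules in this section, together with the barrier-code guidance under Preventive Measures, as an added Python example (not part of the Lucent manual): it checks a numeric code against each rule and generates a compliant one. The 4-digit overlap window, the run length of 4, the keypad word check, and the sample telephone number and word are assumptions made for the example.

```python
import secrets

MAX_LEN = 11  # longest barrier code the manual gives (Release 3.0 and later)
MIN_RUN = 4   # assumption: 4+ digits stepping by one count as "sequential"
KEYS = {"2": "abc", "3": "def", "4": "ghi", "5": "jkl",
        "6": "mno", "7": "pqrs", "8": "tuv", "9": "wxyz"}
KEYPAD = {ch: digit for digit, letters in KEYS.items() for ch in letters}

def word_to_digits(word):
    """Spell a word on a telephone keypad, e.g. 'merlin' -> '637546'."""
    return "".join(KEYPAD[c] for c in word.lower() if c in KEYPAD)

def has_sequence(code, run=MIN_RUN):
    """True if `run` or more digits in a row step by +1 or by -1 (1234, 9876)."""
    for step in (1, -1):
        length = 1
        for prev, cur in zip(code, code[1:]):
            length = length + 1 if int(cur) - int(prev) == step else 1
            if length >= run:
                return True
    return False

def check_code(code, max_len=MAX_LEN, personal=(), words=()):
    """Return the rules that `code` breaks; an empty list means acceptable."""
    if not (code.isascii() and code.isdigit()):
        return ["not all digits"]
    problems = []
    if len(code) < max_len:
        problems.append("shorter than maximum length")
    if len(set(code)) == 1:
        problems.append("all the same digit")
    if has_sequence(code):
        problems.append("sequential digits")
    # Numbers tied to the user or business: any 4-digit slice found in the code.
    for item in personal:
        digits = "".join(ch for ch in item if ch.isdigit())
        if any(digits[i:i + 4] in code for i in range(len(digits) - 3)):
            problems.append("contains personal number")
            break
    spelled = (word_to_digits(w) for w in words)
    if any(len(d) >= 4 and d in code for d in spelled):
        problems.append("spells a word on the keypad")
    return problems

def generate_code(length=MAX_LEN, personal=(), words=()):
    """Draw digits from the OS CSPRNG and redraw until no rule is broken."""
    if length < 2:
        raise ValueError("length must be at least 2")
    while True:
        code = "".join(secrets.choice("0123456789") for _ in range(length))
        if not check_code(code, length, personal, words):
            return code

if __name__ == "__main__":
    # Constructed sample data, not taken from the manual.
    print(check_code("1234", max_len=4))
    print(generate_code(personal=["908-555-0142"], words=["merlin"]))
```

Pass `max_len=4` when checking codes for a system prior to Release 3.0, where four digits is the longest barrier code available.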


Physical Security

You should always limit access to the system console (or attendant console) and supporting documentation. The following are some recommendations:

■ Keep the system console and supporting documentation in an office that is secured with a changeable combination lock. Provide the combination only to those individuals having a real need to enter the office.

■ Keep telephone wiring closets and equipment rooms locked.

■ Keep telephone logs and printed reports in locations that only authorized personnel can enter.

■ Design distributed reports so they do not reveal password or trunk access code information.

■ Keep the voice messaging system Remote Maintenance Device turned off.

Limiting Outcalling

When Outcalling is used to contact subscribers who are off-site, use the MERLIN LEGEND Communications System Allowed Lists and Disallowed Lists or Automatic Route Selection features to minimize toll fraud.

If the Outcalling feature will not be used, outward restrict all voice messaging system ports. If Outcalling will be used, ports not used for Outcalling should be Outward Restricted (for MERLIN MAIL Voice Messaging Systems, port 2 on a 2-port system, port 4 on a 4-port system, ports 5 and 6 on a 6-port system; for MERLIN LEGEND MAIL Voice Messaging Systems, port 7 of the system’s module). Use Outward Restriction, Toll Restrictions, Allowed Lists, Disallowed Lists and Facility Restrictions Levels, as appropriate, to minimize the possibility of toll fraud.

Limited Warranty and Limitation of Liability

Lucent Technologies warrants to you, the customer, that your MERLIN LEGEND Communications System will be in good working order on the date Lucent Technologies or its authorized reseller delivers or installs the system, whichever is later (“Warranty Date”). If you notify Lucent Technologies or its authorized reseller within one year of the Warranty Date that your system is not in good working order, Lucent Technologies will without charge to you repair or replace, at its option, the system components that are not in good working order. Repair or replacement parts may be new or refurbished and will be provided on an exchange basis. If Lucent Technologies determines that your system cannot be repaired or replaced, Lucent Technologies will remove the system and, at your option, refund the purchase price of your system, or apply the purchase price towards the purchase of another Lucent Technologies system.


If you purchased your system directly from Lucent Technologies, Lucent Technologies will perform warranty repair in accordance with the terms and conditions of the specific type of Lucent Technologies maintenance coverage you selected. If you purchased your system from a Lucent Technologies-authorized reseller, contact your reseller for the details of the maintenance plan applicable to your system.

This Lucent Technologies limited warranty covers damage to the system caused by power surges, including power surges due to lightning.

The following will not be deemed to impair the good working order of the system, and Lucent Technologies will not be responsible under the limited warranty for damages resulting from:

■ Failure to follow Lucent Technologies’ installation, operation, or maintenance instructions

■ Unauthorized system modification, movement, or alteration

■ Unauthorized use of common carrier communications services accessed through the system

■ Abuse, misuse, or negligent acts or omissions of the customer and persons under the customer’s control

■ Acts of third parties and acts of God

LUCENT TECHNOLOGIES’ OBLIGATION TO REPAIR, REPLACE, OR REFUND AS SET FORTH ABOVE IS YOUR EXCLUSIVE REMEDY.

EXCEPT AS SPECIFICALLY SET FORTH ABOVE, LUCENT TECHNOLOGIES, ITS AFFILIATES, SUPPLIERS, AND AUTHORIZED RESELLERS MAKE NO WARRANTIES, EXPRESS OR IMPLIED, AND SPECIFICALLY DISCLAIM ANY WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.

Limitation of Liability

Except as provided below, the liability of Lucent Technologies and its affiliates and suppliers for any claims, losses, damages, or expenses from any cause whatsoever (including acts or omissions of third parties), regardless of the form of action, whether in contract, tort, or otherwise, shall not exceed the lesser of: (1) the direct damages proven; or (2) the repair cost, replacement cost, license fee, annual rental charge, or purchase price, as the case may be, of the equipment that gives rise to the claim. Except as provided below, Lucent Technologies and its affiliates and suppliers shall not be liable for any incidental, special, reliance, consequential, or indirect loss or damage incurred in connection with the equipment. As used in this paragraph, consequential damages include, but are not limited to, the following: lost profits, lost revenues, and losses arising out of unauthorized use (or charges for such use) of common carrier telecommunications services or facilities accessed through or connected to the equipment. For personal injury caused by Lucent Technologies’s negligence, Lucent Technologies’s liability shall be limited to proven damages to person. No action or proceeding against Lucent Technologies or its affiliates or suppliers may be commenced more than twenty-four (24) months after the cause of action accrues. THIS PARAGRAPH SHALL SURVIVE FAILURE OF AN EXCLUSIVE REMEDY.

Remote Administration and Maintenance


The Remote Administration and Maintenance feature of your telecommunications system, if you choose to use it, permits users to change the system features and capabilities from a remote location.

The Remote Administration and Maintenance feature, through proper administration, can help you reduce the risk of unauthorized persons gaining access to the network. However, telephone numbers and access codes can be compromised when overheard in a public location, or lost through theft of a wallet or purse containing access information or through carelessness (for example, writing codes on a piece of paper and improperly discarding them). Additionally, hackers may use a computer to dial an access code and then publish the information to other hackers. Substantial charges can accumulate quickly. It is your responsibility to take appropriate steps to implement the features properly, evaluate and administer the various restriction levels, and protect and carefully distribute access codes.

Under applicable tariffs, you will be responsible for payment of toll charges. Lucent Technologies cannot be responsible for such charges and will not make any allowance or give any credit resulting from unauthorized access.

To reduce the risk of unauthorized access through Remote Administration and Maintenance, please observe the following procedures:

■ The System Administration and Maintenance capability of a Hybrid/PBX or Key system is protected by a password.

— Change the default password immediately.

— Continue to change the password regularly.

— Give the password only to people who need it and impress upon them the need to keep it secret.

— If anyone who knows the password leaves the company, change the password immediately.

■ If you have a special telephone line connected to your Hybrid/PBX or Key system for Remote Administration and Maintenance, you should do one of the following:

— Unplug the line when it is not being used.

— Install a switch in the line to turn it off when it is not being used.

— Keep the Remote Administration and Maintenance telephone number secret. Give it only to people who need to know it, and impress upon them the need to keep it a secret. Do not write the telephone number on the Hybrid/PBX or Key system, the connecting equipment, or anywhere else in the system room.

■ If your Remote Administration and Maintenance feature requires that someone in your office transfer the caller to the Remote Administration and Maintenance extension, you should impress upon your employees the importance of transferring only authorized individuals to that extension.
