bart@reed.UUCP (Bart Massey) (03/10/86)
> I hear IBM's mainframe has a fool-proof way of dealing with hackers. > The computer stores each users phone number in memory. When the user > calls in and completes the login correctly, the mainframe hangs up > and calls the user back. This way the hacker would have to be at the > users house to do any hacking! Or something. I have a friend whose father works at a large bank in the area, which was actually thinking of using dialback as its sole security mechanism (outside of a simple password scheme). I pointed out to him that if he was honestly willing to trust his millions of dollars to the security of the U.S. phone system, he was welcome to... I don't know what ever came of it. But it's not like there are guys out there who not only know how to break into computer systems, but how to phreak the phone lines :-) ... I suggested to him (and still think it might be a good idea) that with micros costing what they do these days, he should give bank employees working remotely one to use, complete with a terminal program that does public-key signaturing for identification! It seems secure to me. What does anyone think? Bart Massey ..tektronix!reed!bart
kort@hounx.UUCP (B.KORT) (03/12/86)
Bart Massey suggests an improvement on the Dialback scheme, wherein PC's in the user's premises provided the software for the password protocol. Bart asks if such a system is vulnerable. I think every system is ultimately vulnerable, but you have to get up pretty early in the morning to beat the harder ones. If you ever watched Mission Impossible, you may have seen an episode in which the techno-wizard hooked up a box to the bad guy's phone line. When the unsuspecting dude went off-hook, the box simulated the dial tone and answer protocol and sucked the information out of the user's terminal. A simple audio recording of the phone line signals can be played back to the main computer. This means that the logon handshake has to have a random word from the host, which is responded to in real time by the PC, so that the handshake is different every time. The only way to stay ahead of the nefarious password foilers is to use a system more complex than will fit in the foiler's system, but this means frequent evolutionary changes in the password system. A moving target, especially a receding target is the hardest to hit. --Barry Kort ...ihnp4!hounx!kort
kludge@gitpyr.UUCP (03/13/86)
>> I hear IBM's mainframe has a fool-proof way of dealing with hackers. >> The computer stores each users phone number in memory. When the user >> calls in and completes the login correctly, the mainframe hangs up >> and calls the user back. This way the hacker would have to be at the >> users house to do any hacking! These devices do take some time to break into. First of all, a hacker has to obtain a valid access code. Having done that, he calls up the port, gives the access code, then calls the machine back on the line which is used by the machine to dialout (often the same line used to dialin). The machine gets a carrier and connects. We had one of these devices at work, and I would often do this while I was on the road and away from my home phone (which the machine knew about). ------- Disclaimer: Everything I say is probably a trademark of someone. But don't worry, I probably don't know what I'm talking about. Scott Dorsey Kaptain_kludge ICS Programming Lab (Where old terminals go to die), Rich 110, Georgia Institute of Technology, Atlanta, Georgia 30332 ...!{akgua,allegra,amd,hplabs,ihnp4,seismo,ut-ngp}!gatech!gitpyr!kludge USnail: Box 36681, Atlanta GA. 30332 -- ------- Disclaimer: Everything I say is probably a trademark of someone. But don't worry, I probably don't know what I'm talking about. Scott Dorsey Kaptain_kludge ICS Programming Lab (Where old terminals go to die), Rich 110, Georgia Institute of Technology, Atlanta, Georgia 30332 ...!{akgua,allegra,amd,hplabs,ihnp4,seismo,ut-ngp}!gatech!gitpyr!kludge USnail: Box 36681, Atlanta GA. 30332
hes@ncsu.UUCP (Henry Schaffer) (03/16/86)
There was a discussion last year in either net.dcom or fa.telecom on methods of beaking into dialback (without physical access.) They mostly related to the window in which an incoming call may be received by the line being used for dialback. If the cracker then plays a dial-tone, the dialback site can be convinced that it has reached its intended number. (I don't have the article to repost.) --henry schaffer n c state univ