gandrews@netcom.COM (Greg Andrews) (04/06/91)
In article <1991Apr5.170644.3076@sctc.com> smith@sctc.com (Rick Smith) writes: >I heard a rumor recently that some dialback modems are manufactured >with a "backdoor" password that can't be disabled, which gives an >outsider rather complete access to the modem. So check out your >manufacturer closely. Evidently modem design/manufacturing skills are >independent of good sense where security is concerned. > Access to the modem wouldn't compromise security on the computer. If you give the matter some thought, the worst thing that can happen is the caller could screw up your modem settings. Big Deal. That still won't allow them into the computer. There's no connection between modem access and computer security unless the computer has no security at all. -- .------------------------------------------------------------------------. | Greg Andrews | UUCP: {apple,amdahl,claris}!netcom!gandrews | | | Internet: gandrews@netcom.COM | `------------------------------------------------------------------------'
urlichs@smurf.sub.org (Matthias Urlichs) (04/06/91)
In alt.security, article <1991Apr5.215301.13807@netcom.COM>,
gandrews@netcom.COM (Greg Andrews) writes:
<
< Access to the modem wouldn't compromise security on the computer.
< If you give the matter some thought, the worst thing that can happen
< is the caller could screw up your modem settings. Big Deal. That
< still won't allow them into the computer.
<
Almost correct.
The problem is that many modems can be configured to keep the carrier detect
line turned on when you hang up, so the processes on the host would still run
and/or your terminal server would still keep you connected.
You can't rule out lost lines due to screwups on the phone line, or users
who fail to lot out properly.
Moral: Configure your modems so that they can't be configured remotely.
Or at all, if possible (AT&B ?).
--
Matthias Urlichs -- urlichs@smurf.sub.org -- urlichs@smurf.ira.uka.de /(o\
Humboldtstrasse 7 - 7500 Karlsruhe 1 - FRG -- +49-721-621127(0700-2330) \o)/sw@ (Steve Warner) (04/08/91)
In article <1991Apr5.215301.13807@netcom.COM> gandrews@netcom.COM (Greg Andrews) writes: >In article <1991Apr5.170644.3076@sctc.com> smith@sctc.com (Rick Smith) writes: >>I heard a rumor recently that some dialback modems are manufactured >>with a "backdoor" password that can't be disabled, which gives an >>outsider rather complete access to the modem. So check out your >>manufacturer closely. Evidently modem design/manufacturing skills are >>independent of good sense where security is concerned. >> I happen to own several dial-back "security" type modems. They do have a backdoor password, which cannot be changed. The purpose of this is to allow the manuafcurer to call your modem for you and change YOUR password, if you forget that your is. I have modfied the formware in these modems so that the backdoor password is no longer what the mfr thinks it is. There is little security risk in this though as all the computers connected to these modems have secondary password queries. -- ---- Steve Warner - Fremont, CA, USA etc... replies to: sun!indetech!stables!sw (forget what the header says)
rscott@Daisy.EE.UND.AC.ZA (Richard F Scott) (04/09/91)
In article <1991Apr5.215301.13807@netcom.COM> gandrews@netcom.COM (Greg Andrews) writes: >In article <1991Apr5.170644.3076@sctc.com> smith@sctc.com (Rick Smith) writes: >>I heard a rumor recently that some dialback modems are manufactured >>with a "backdoor" password that can't be disabled, which gives an >>outsider rather complete access to the modem. So check out your >>manufacturer closely. Evidently modem design/manufacturing skills are >>independent of good sense where security is concerned. >> > >Access to the modem wouldn't compromise security on the computer. >If you give the matter some thought, the worst thing that can happen >is the caller could screw up your modem settings. Big Deal. That >still won't allow them into the computer. > >There's no connection between modem access and computer security unless >the computer has no security at all. > I beg to differ. If a modem is intelegent enough to have a "backdoor" password , then it should be able to remember the last number dialed out, as well as the corresponding user-name typed in after the _LOGIN_ prompt and then the characters typed for the _PASSWORD_. As these are fairly standard prompts, it should get it right most of the time !!! Richard Scott.