[comp.dcom.modems] Modem backdoor passwords

smith@sctc.com (Rick Smith) (04/10/91)

I had posted a note decrying the existence of backdoor passwords in
dialback modems.

In article <1991Apr5.215301.13807@netcom.COM>
gandrews@netcom.COM (Greg Andrews) wrote:

>Access to the modem wouldn't compromise security on the computer ...
>... unless the computer has no security at all.

And sw@ (Steve Warner) wrote:

>There is little security risk in this though as all the computers
>connected to these modems have secondary password queries.

The basic question is *WHY* would someone buy a dialback modem in the
first place? Yes, computer systems are password protected. For many
users (academic classwork and research machines, for example) this is
sufficient. However, if you are protecting something serious or pricey,
you often want something more than generic authentication techniques.
As we all know, *nobody* has ever had their password compromised ;->

The purpose of dialback security is to prevent dialins from
arbitrary locations. The existence of a backdoor password eliminates
the dialback modem's whole purpose as a security product. Anyone
with the backdoor password can bypass the dialback security that the
modem was supposed to provide. How many of those backdoor passwords
are floating around pirate BBSes already?

The thing I find most annoying is that the backdoor password doesn't
provide any features that couldn't be provided securely. At least
there could be a DIP switch that enables/disables the master password
so that you had the option to be really secure. Or else the DIP switch
could enable some magic mode for tweaking the modem via its serial
port. On the other hand, giving dialin access to the guts of the modem
means that any wily cracker out there could come and play with your
modem. Secrets (like ROMmed-in passwords) don't remain secret for long.

BTW, does anyone have a list of dialback modem manufacturers who do
and don't have backdoor passwords?

Rick.
smith@sctc.com    Arden Hills, Minnesota

vernon@hpcvaac.cv.hp.com (Vernon King) (04/11/91)

On older phone systems still located in some areas even call back units are
not secure unless you call in on a different phone line than the modem calls
you back on. Modems with callback are more secure than passthru units but do
not think for a second that it is foolproof. Phone freaks are quite a talented
group of people. True security (as good as it gets) requires a separate unit
such as Lee-Mah or Defender for security until callback modems are built with
the ability to support a separate phone line for in and out.

                              My two cents
                              Vernon

gandrews@netcom.COM (Greg Andrews) (04/12/91)

In article <1991Apr10.150745.4628@sctc.com> smith@sctc.com (Rick Smith) writes:
>
>The basic question is *WHY* would someone buy a dialback modem in the
>first place? Yes, computer systems are password protected. For many
>users (academic classwork and research machines, for example) this is
>sufficient. However, if you are protecting something serious or pricey,
>you often want something more than generic authentication techniques.
>As we all know, *nobody* has ever had their password compromised ;->
>

I don't see modem password security (whether dialback or pass-through) as 
a big benefit for most computers, since they would already have security 
measures built in.

It can be useful for other types of devices that wouldn't otherwise have
security measures.  One example that was pointed out to me is computer
controlled radio transmitter gear located next to the antenna on a remote
hilltop.  The engineers at the radio station want to dial in and tweak
the transmitter, but it was designed for a dumb terminal in a locked room
so there's no password security built in.  Modem security would let the
engineers sleep without nightmares about 14-year-old modem jockeys finding
the number and pulling the plug...

>
>BTW, does anyone have a list of dialback modem manufacturers who do
>and don't have backdoor passwords?
>

Telebit doesn't use a password scheme for remote access.  Set S45=0 and
it is disabled.  I haven't double checked myself yet, but I believe that
the security register (S46) can't be changed through remote access even
if remote access were enabled.


-- 
.------------------------------------------------------------------------.
|  Greg Andrews   |       UUCP: {apple,amdahl,claris}!netcom!gandrews    |
|                 |   Internet: gandrews@netcom.COM                      |
`------------------------------------------------------------------------'

paulh@cimage.com (Paul Haas) (04/15/91)

In article <PTTe13w164w@dogface>  writes:
>   ...     From what I've seen and read, good dialback security isn't a
>one modem product, anyway.  One modem answers and passes you through to
>a security front door, which has your account info and callback number.
>When you pass the test, it uses another (auto-answer disabled) modem to
>call you back.  If somebody hangs on the outbound modem line (by calling
>in repeatedly until they catch a phone dialing out and then sending an
>answer-style carrier) then they have normal password security.  To avoid
>this, the outbound modem should terminate the call if it doesn't detect
>dial tone.  This assumes that your CO or PBX provides a recognizable dial
>tone.
>Anyway, what I just wrote is more alt.security material, I'll bet.
>-- Bob

The modem doing the spoofing could present a fake dial tone.  A better
solution is to get a dial-out only phone line from the phone company.
When the bad guy's modem calls the dial-out number they would get one
of those fine Bell System messages telling them that they can't call
this number.  I've mostly seen it used for payphones.

If the phone company in your area doesn't provide such a service, use
call forwarding.  The important thing is to make it so that under no
circumstances can anyone call into the dialout modem in the callback
pair.

---
Paul Haas paulh@cimage.com

tneff@bfmny0.BFM.COM (Tom Neff) (04/18/91)

If and when Caller*ID becomes universally available, it might be
superior to callback for modem security.  If the caller's number isn't
on your approved list, don't accept the login.  (Further, only accept
certain classes of login based on the caller number's security
classification, etc.)

Issues of ID masking and so forth would be moot.  Personal voice callers
may (and, I personally think, should) have the right to some anonymity
for the sake of a free society.  But secure corporate telecommunications
is a different matter -- if you want access to a secure system, the
telco line you use to do it ought to be traceable.
-- 
    For the curious:            +---+     Tom Neff
Here's what RS-232 pins do!   ==|:::|==   tneff@bfmny0.BFM.COM
       -- Inmac                 +---+     uunet!bfmny0!tneff

dpletche@jarthur.Claremont.EDU (Nuclear Warrior) (04/19/91)

In article <21400047@bfmny0.BFM.COM> tneff@bfmny0.BFM.COM (Tom Neff) writes:
>If and when Caller*ID becomes universally available, it might be
>superior to callback for modem security.

This might be useful as an additional line of defense, but I don't
know if it would guarantee the same security.  If you trust the
caller-id signal, you are delegating some responsibility for the
security of your computer to the PSTN.  It doesn't seem at all
inconceivable that some mildly clever cracker might figure out a way
to spoof the caller-id.  I imagine it would be much harder to reroute
an actual callback, on the other hand.  The two might be used in
conjunction:  an incoming caller-id signal could be looked up (without
any need to answer), then if it is a valid number the callback modem
could call the number and the system could allow the correct set of
privileges.  This system could surely still be breached, but I think
it would be harder than just fooling caller-id.
-- David Pletcher
   dpletche@jarthur.claremont.edu
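
The two-stage check described in the post above (caller-ID lookup without answering, then a callback that decides the privilege class), as an added Python example that is not part of the original thread. The names `APPROVED`, `screen`, `handle_ring` and `dial_back`, the NANP number format and the 555 placeholder numbers are assumptions made for illustration; the session is tied to the number on record, so a presented caller-ID on its own grants nothing.

```python
import re
from dataclasses import dataclass

@dataclass(frozen=True)
class Line:
    callback_number: str  # number the outbound modem dials
    privilege: str        # class of login allowed from this line

# Constructed approved list; the 555 numbers are placeholders.
APPROVED = {
    "6125550101": Line("6125550101", "operator"),
    "6125550102": Line("6125550102", "read-only"),
}

def normalize(number):
    """Reduce a presented number to 10 digits (assumes NANP formatting)."""
    digits = re.sub(r"\D", "", number)
    return digits[1:] if len(digits) == 11 and digits[0] == "1" else digits

def screen(caller_id):
    """Stage 1: look the caller-ID up without answering the call."""
    if not caller_id:  # masked or not delivered
        return None
    return APPROVED.get(normalize(caller_id))

def handle_ring(caller_id, dial_back, audit):
    """Return (number_called, privilege) for the session, or None."""
    line = screen(caller_id)
    if line is None:
        audit.append(("refused", caller_id or "masked"))
        return None  # never answered, never called back
    # Stage 2: dial the number on record, not the one presented.
    if not dial_back(line.callback_number):
        audit.append(("no-carrier", line.callback_number))
        return None
    audit.append(("granted", line.callback_number, line.privilege))
    return line.callback_number, line.privilege

if __name__ == "__main__":
    log = []
    answered = lambda number: True  # stand-in for the outbound modem
    print(handle_ring("(612) 555-0101", answered, log))
    print(handle_ring(None, answered, log))
    print(log)
```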

mike@pyrite.SOM.CWRU.Edu (Michael Kerner) (04/19/91)

Nope.  It isn't likely.  The Supreme Court of Pennsylvania (or was it Ohio?)
at any rate, struck down the feature because it is in clear violation of
privacy rights.  Since I can't call anyone without them knowing who I am
the court decided that the privacy of the caller was being violated.  As a
result, we won't be seeing the feature in any states that I know of for a
long time to come...

Mikey.
Mac Admin
WSOM CSG
CWRU
Mike@pyrite.som.cwru.edu

cs352a41@cs.iastate.edu (Adam Goldberg) (04/19/91)

mike@pyrite.SOM.CWRU.Edu (Michael Kerner) writes:

>Nope.  It isn't likely.  The Supreme Court of Pennsylvania (or was it Ohio?)
[I assume he's talking about Caller*ID]
>at any rate, struck down the feature because it is in clear violation of
>privacy rights.  Since I can't call anyone without them knowing who I am
>the court decided that the privacy of the caller was being violated.  As a
>result, we won't be seeing the feature in any states that I know of for a
>long time to come...

>Mike@pyrite.som.cwru.edu

Buzzzzzz.

Parts of Kentucky have had Caller*ID for about 5 months now.  If you're 
dialing someone and you don't want them to know who you are, you can 
dial a special code (something like 78*) before the # and they won't be
able to tell who you are.  However, if you're receiving obscene phone
calls, you can ask the phone company to keep a log of the #s that call you
and even if the caller does the 78*, the phone company still knows who you
are and you can be caught (and prosecuted).

--
+-----------------------------------------------------------------------------+
! Adam Goldberg           !       *         ! "It's simple! Even a PASCAL     !
! cs352a41@cs.iastate.edu !       *         !  programmer could do it!"       !
+-----------------------------------------------------------------------------+

paulf@shasta.Stanford.EDU (paulf) (04/20/91)

In article <21400047@bfmny0.BFM.COM> tneff@bfmny0.BFM.COM (Tom Neff) writes:
>If and when Caller*ID becomes universally available, it might be
>superior to callback for modem security.  If the caller's number isn't
>on your approved list, don't accept the login.  (Further, only accept
>certain classes of login based on the caller number's security
>classification, etc.)

Great.  So when you get access to some site that uses caller*id to do
authentication, I'll hunt down your house sometime, and make a midnight
visit to your demarc with my laptop....;-)

Authentication is just another reason why public cryptography is absolutely
essential to ensuring privacy in the days to come.  And yet another reason
to haggle against the proposed cryptography trapdoors; do you want your
congresscritters to be able to sign *for* you?


-=Paul Flaherty, N9FZX      | "Think of it as evolution in action."
->paulf@shasta.Stanford.EDU |       -- Larry Niven and Jerry Pournelle

dmturne@PacBell.COM (Dave Turner) (04/20/91)

In article <21400047@bfmny0.BFM.COM> tneff@bfmny0.BFM.COM (Tom Neff) writes:
>If and when Caller*ID becomes universally available, it might be
>superior to callback for modem security.  If the caller's number isn't
>on your approved list, don't accept the login.  (Further, only accept
>certain classes of login based on the caller number's security
>classification, etc.)
>

I may be wrong but I believe that call forwarding will defeat both
dialback modems and Caller*ID screening.

In the case of dialback modems, the approved dialback number may have
call forwarding (possibly installed illegally) so that a badguy really
receives the call.

Unless Caller*ID displays the original calling number and not the forwarding
number, screening will fail.


-- 
Dave Turner	415/823-2001	{att,bellcore,sun,ames,decwrl}!pacbell!dmturne