[comp.dcom.modems] Remote access to modem

gandrews@netcom.COM (Greg Andrews) (04/06/91)

In article <1991Apr5.170644.3076@sctc.com> smith@sctc.com (Rick Smith) writes:
>I heard a rumor recently that some dialback modems are manufactured
>with a "backdoor" password that can't be disabled, which gives an
>outsider rather complete access to the modem. So check out your
>manufacturer closely. Evidently modem design/manufacturing skills are
>independent of good sense where security is concerned.
>

Access to the modem wouldn't compromise security on the computer.
If you give the matter some thought, the worst thing that can happen
is the caller could screw up your modem settings.  Big Deal.  That
still won't allow them into the computer.

There's no connection between modem access and computer security unless
the computer has no security at all.


-- 
.------------------------------------------------------------------------.
|  Greg Andrews   |       UUCP: {apple,amdahl,claris}!netcom!gandrews    |
|                 |   Internet: gandrews@netcom.COM                      |
`------------------------------------------------------------------------'

urlichs@smurf.sub.org (Matthias Urlichs) (04/06/91)

In alt.security, article <1991Apr5.215301.13807@netcom.COM>,
  gandrews@netcom.COM (Greg Andrews) writes:
< 
< Access to the modem wouldn't compromise security on the computer.
< If you give the matter some thought, the worst thing that can happen
< is the caller could screw up your modem settings.  Big Deal.  That
< still won't allow them into the computer.
< 
Almost correct.
The problem is that many modems can be configured to keep the carrier detect
line turned on when you hang up, so the processes on the host would still run
and/or your terminal server would still keep you connected.

You can't rule out lost lines due to screwups on the phone line, or users
who fail to log out properly.

Moral: Configure your modems so that they can't be configured remotely.
Or at all, if possible (AT&B ?).
-- 
Matthias Urlichs -- urlichs@smurf.sub.org -- urlichs@smurf.ira.uka.de     /(o\
Humboldtstrasse 7 - 7500 Karlsruhe 1 - FRG -- +49-721-621127(0700-2330)   \o)/
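
An added example, not part of the original thread: a small audit of a modem init string for the condition described in the post above, where carrier detect stays asserted after the call drops. It assumes the common Hayes-compatible meanings of &C and &D (individual modems may differ); the function names and sample strings are constructed for illustration.

```python
import re

# Assumed Hayes-compatible semantics (check the modem's own manual):
#   &C0 = DCD forced on        &C1 = DCD follows the remote carrier
#   &D0 = modem ignores DTR    &D2 = hang up when the host drops DTR
RISKY = {
    "&C0": "DCD is forced on, so the host never sees the call drop",
    "&D0": "DTR is ignored, so the host cannot force a hang-up",
}
CHECKED = ("&C", "&D")

# S-register writes (S0=1) first, then plain or '&' commands with an
# optional numeric parameter.
_TOKEN = re.compile(r"S\d+=\d+|&?[A-Z]\d*")


def parse_init(init):
    """Return {command: parameter} for one AT command line."""
    line = init.upper().replace(" ", "")
    if not line.startswith("AT"):
        raise ValueError("not an AT command line")
    settings = {}
    for tok in _TOKEN.findall(line[2:]):
        if "=" in tok:          # S-register write, not relevant here
            continue
        cmd, digits = re.match(r"(&?[A-Z])(\d*)", tok).groups()
        # A missing parameter is treated as 0, so a bare "&C" means &C0.
        settings[cmd] = int(digits or 0)
    return settings


def audit(init):
    """List findings that could leave a dropped session alive on the host."""
    settings = parse_init(init)
    findings = []
    for cmd in CHECKED:
        if cmd not in settings:
            findings.append(f"{cmd} not set: behaviour depends on the stored profile")
            continue
        key = f"{cmd}{settings[cmd]}"
        if key in RISKY:
            findings.append(f"{key}: {RISKY[key]}")
    return findings


if __name__ == "__main__":
    for sample in ("ATE0Q0V1&C1&D2S0=1", "AT&C&D0", "ATE1S0=1"):  # constructed
        print(sample, "->", audit(sample) or "ok")
```
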

stachour@sctc.com (Paul Stachour) (04/07/91)

urlichs@smurf.sub.org (Matthias Urlichs) writes:

>In alt.security, article <1991Apr5.215301.13807@netcom.COM>,
>  gandrews@netcom.COM (Greg Andrews) writes:
>< 
>< Access to the modem wouldn't compromise security on the computer.
>< If you give the matter some thought, the worst thing that can happen
>< is the caller could screw up your modem settings.  Big Deal.  That
>< still won't allow them into the computer.
>< 
   .....

>Moral: Configure your modems so that they can't be configured remotely.
>Or at all, if possible (AT&B ?).

   However, how do you **KNOW** they can't be remotely configured?
We found out several months ago (when we had a modem problem
and called the manufacturer) that the manufacturer had built
a trap-door access into his modem software to enable him to
diagnose modem software problems.  Unfortunately, it also enabled
him to re-configure our modems from his site, thus effectively
negating any of the security that we had "programmed" in from our side.

====

   Moral to buyers:  Make sure the modems you buy to enhance your
security don't in fact lower it.

   Moral to developers:  If you feel you should / must / ... place
a test-mode into your equipment, make sure you do it in such a way that:

    a) Your customer can control whether it is on or off
    b) You can't remotely control test-mode from the front-end
    c) You document your back-door access test-mode.

====

  We were unhappy.  We're not using that setup anymore. ..Paul

-- 
Paul Stachour          SCTC, 1210 W. County Rd E, Suite 100           
stachour@sctc.com          Arden Hills, MN  55112
                             [1]-(612) 482-7467

sw@ (Steve Warner) (04/08/91)

In article <1991Apr5.215301.13807@netcom.COM> gandrews@netcom.COM (Greg Andrews) writes:
>In article <1991Apr5.170644.3076@sctc.com> smith@sctc.com (Rick Smith) writes:
>>I heard a rumor recently that some dialback modems are manufactured
>>with a "backdoor" password that can't be disabled, which gives an
>>outsider rather complete access to the modem. So check out your
>>manufacturer closely. Evidently modem design/manufacturing skills are
>>independent of good sense where security is concerned.
>>

I happen to own several dial-back "security" type modems.  They do have
a backdoor password, which cannot be changed.  The purpose of this is
to allow the manufacturer to call your modem for you and change YOUR
password, if you forget what yours is.  I have modified the firmware in
these modems so that the backdoor password is no longer what the mfr thinks it is.

There is little security risk in this though as all the computers
connected to these modems have secondary password queries.


-- 
----
Steve Warner   -  Fremont, CA, USA  etc...
replies to:  sun!indetech!stables!sw    (forget what the header says)

rscott@Daisy.EE.UND.AC.ZA (Richard F Scott) (04/09/91)

In article <1991Apr5.215301.13807@netcom.COM> gandrews@netcom.COM (Greg Andrews) writes:
>In article <1991Apr5.170644.3076@sctc.com> smith@sctc.com (Rick Smith) writes:
>>I heard a rumor recently that some dialback modems are manufactured
>>with a "backdoor" password that can't be disabled, which gives an
>>outsider rather complete access to the modem. So check out your
>>manufacturer closely. Evidently modem design/manufacturing skills are
>>independent of good sense where security is concerned.
>>
>
>Access to the modem wouldn't compromise security on the computer.
>If you give the matter some thought, the worst thing that can happen
>is the caller could screw up your modem settings.  Big Deal.  That
>still won't allow them into the computer.
>
>There's no connection between modem access and computer security unless
>the computer has no security at all.
>

I beg to differ. If a modem is intelligent enough to have a "backdoor"
password, then it should be able to remember the last number dialed out,
as well as the corresponding user-name typed in after the _LOGIN_
prompt and then the characters typed for the _PASSWORD_. As these are fairly
standard prompts, it should get it right most of the time !!! 

Richard Scott.