dan@watson.bbn.com (Dan Franklin) (12/22/88)
As more people are trying to beef up security by having the system call them back to log in, it's probably worth a reminder: don't use the same telephone line (number) to call in and out. That would render the callback mechanism completely useless. The reason is that there is no reliable indication from the phone company to your modem that a caller has actually hung up. A penetrator can merely call in, request a login, cut off the modem carrier and stay on the line, simulating a dial tone if your modem checks for it (but many don't even do that). The modem can *try* to hang up, but with many phone systems the caller can keep the line open, at least for a little while. If the caller does get hung up, a quick redial can often reestablish the connection before the modem starts dialing. Even if the callback software checks for a ring indication and aborts the procedure any time it gets one, there is still a timing window you can get through if you're persistent. Even using a different line is not a defense, if the number can be discovered. The penetrator can just call it ahead of time. You must use a separate, unrelated (and unlisted) set of phone numbers. It's best if the numbers have a different exchange prefix, to make finding them really difficult. Disclaimer: I'm not a security expert, and this information is several years old. But phone systems don't change all that quickly, so I suspect it's all still true. Dan Franklin