[alt.security] Modem backdoor passwords

smith@sctc.com (Rick Smith) (04/10/91)

I had posted a note decrying the existence of backdoor passwords in
dialback modems.

In article <1991Apr5.215301.13807@netcom.COM>
gandrews@netcom.COM (Greg Andrews) wrote:

>Access to the modem wouldn't compromise security on the computer ...
>... unless the computer has no security at all.

And sw@ (Steve Warner) wrote:

>There is little security risk in this though as all the computers
>connected to these modems have secondary password queries.

The basic question is *WHY* would someone buy a dialback modem in the
first place? Yes, computer systems are password protected. For many
users (academic classwork and research machines, for example) this is
sufficient. However, if you are protecting something serious or pricey,
you often want something more than generic authentication techniques.
As we all know, *nobody* has ever had their password compromised ;->

The purpose of dialback security is to prevent dialins from
arbitrary locations. The existence of a backdoor password eliminates
the dialback modem's whole purpose as a security product. Anyone
with the backdoor password can bypass the dialback security that the
modem was supposed to provide. How many of those backdoor passwords
are floating around pirate BBSes already?

The thing I find most annoying is that the backdoor password doesn't
provide any features that couldn't be provided securely. At least
there could be a DIP switch that enables/disables the master password
so that you had the option to be really secure. Or else the DIP switch
could enable some magic mode for tweaking the modem via its serial
port. On the other hand, giving dialin access to the guts of the modem
means that any wily cracker out there could come and play with your
modem. Secrets (like ROMmed-in passwords) don't remain secret for long.

BTW, does anyone have a list of dialback modem manufacturers who do
and don't have backdoor passwords?

Rick.
smith@sctc.com    Arden Hills, Minnesota

gandrews@netcom.COM (Greg Andrews) (04/12/91)

In article <1991Apr10.150745.4628@sctc.com> smith@sctc.com (Rick Smith) writes:
>
>The basic question is *WHY* would someone buy a dialback modem in the
>first place? Yes, computer systems are password protected. For many
>users (academic classwork and research machines, for example) this is
>sufficient. However, if you are protecting something serious or pricey,
>you often want something more than generic authentication techniques.
>As we all know, *nobody* has ever had their password compromised ;->
>

I don't see modem password security (whether dialback or pass-through) as 
a big benefit for most computers, since they would already have security 
measures built in.

It can be useful for other types of devices that wouldn't otherwise have
security measures.  One example that was pointed out to me is computer
controlled radio transmitter gear located next to the antenna on a remote
hilltop.  The engineers at the radio station want to dial in and tweak
the transmitter, but it was designed for a dumb terminal in a locked room
so there's no password security built in.  Modem security would let the
engineers sleep without nightmares about 14-year-old modem jockeys finding
the number and pulling the plug...

>
>BTW, does anyone have a list of dialback modem manufacturers who do
>and don't have backdoor passwords?
>

Telebit doesn't use a password scheme for remote access.  Set S45=0 and
it is disabled.  I haven't double checked myself yet, but I believe that
the security register (S46) can't be changed through remote access even
if remote access were enabled.


-- 
.------------------------------------------------------------------------.
|  Greg Andrews   |       UUCP: {apple,amdahl,claris}!netcom!gandrews    |
|                 |   Internet: gandrews@netcom.COM                      |
`------------------------------------------------------------------------'

paulh@cimage.com (Paul Haas) (04/15/91)

In article <PTTe13w164w@dogface>  writes:
>   ...     From what I've seen and read, good dialback security isn't a
>one modem product, anyway.  One modem answers and passes you through to
>a security front door, which has your account info and callback number.
>When you pass the test, it uses another (auto-answer disabled) modem to
>call you back.  If somebody hangs on the outbound modem line (by calling
>in repeatedly until they catch a phone dialing out and then sending an
>answer-style carrier) then they have normal password security.  To avoid
>this, the outbound modem should terminate the call if it doesn't detect
>dial tone.  This assumes that your CO or PBX provides a recognizable dial
>tone.
>Anyway, what I just wrote is more alt.security material, I'll bet.
>-- Bob

The modem doing the spoofing could present a fake dial tone.  A better
solution is to get a dial-out only phone line from the phone company.
When the bad guy's modem calls the dial-out number they would get one
of those fine Bell System messages telling them that they can't call
this number.  I've mostly seen it used for payphones.

If the phone company in your area doesn't provide such a service, use
call forwarding.  The important thing is to make it so that under no
circumstances can anyone call into the dialout modem in the callback
pair.

---
Paul Haas paulh@cimage.com
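
Added example, not part of any post in this thread: a small Python model of the callback pair discussed above, comparing the dial-tone check with a dial-out-only line on the outbound modem. The class, function and party names are constructed for illustration.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass
class OutboundLine:
    """Constructed model of the phone line on the callback (dial-out) modem."""
    accepts_inbound: bool                 # False = dial-out-only line
    waiting_caller: Optional[str] = None  # party ringing in as the modem goes off-hook
    caller_fakes_tone: bool = False

    def ring(self, caller: str, fakes_tone: bool = False) -> bool:
        """Inbound call attempt. Returns True only if it reaches the modem's line."""
        if not self.accepts_inbound:
            return False                  # telco intercept; nothing rings
        self.waiting_caller, self.caller_fakes_tone = caller, fakes_tone
        return True

    def off_hook(self):
        """Modem seizes the line: returns (hears_dial_tone, party_already_on_line)."""
        if self.waiting_caller is not None:
            return self.caller_fakes_tone, self.waiting_caller
        return True, None                 # idle line: real dial tone from the CO

def call_back(line: OutboundLine, registered: str, check_tone: bool) -> str:
    """Return who ends up on the far end of the callback, or 'aborted'."""
    hears_tone, on_line = line.off_hook()
    if check_tone and not hears_tone:
        return "aborted"                  # no dial tone detected: hang up
    return on_line if on_line is not None else registered

def run_scenarios(registered: str = "user-line") -> dict:
    """Same inbound caller against each defence discussed in the thread."""
    results = {}
    for name, inbound_ok, check_tone, fakes in [
        ("no_check",        True,  False, False),
        ("tone_check",      True,  True,  False),
        ("tone_check_fake", True,  True,  True),
        ("dial_out_only",   False, True,  True),
    ]:
        line = OutboundLine(accepts_inbound=inbound_ok)
        line.ring("other-caller", fakes_tone=fakes)
        results[name] = call_back(line, registered, check_tone)
    return results

if __name__ == "__main__":
    for scenario, far_end in run_scenarios().items():
        print(f"{scenario:16} -> {far_end}")
```

Only the dial-out-only line ends with the registered number on the far end in every case, because the inbound call never reaches the modem.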

tneff@bfmny0.BFM.COM (Tom Neff) (04/18/91)

If and when Caller*ID becomes universally available, it might be
superior to callback for modem security.  If the caller's number isn't
on your approved list, don't accept the login.  (Further, only accept
certain classes of login based on the caller number's security
classification, etc.)

Issues of ID masking and so forth would be moot.  Personal voice callers
may (and, I personally think, should) have the right to some anonymity
for the sake of a free society.  But secure corporate telecommunications
is a different matter -- if you want access to a secure system, the
telco line you use to do it ought to be traceable.
-- 
    For the curious:            +---+     Tom Neff
Here's what RS-232 pins do!   ==|:::|==   tneff@bfmny0.BFM.COM
       -- Inmac                 +---+     uunet!bfmny0!tneff