[comp.sys.ibm.pc.misc] Dial in- Call back Security

cjp@beartrk.beartrack.com (CJ Pilzer) (07/30/90)

Several days ago I responded to an article which suggested the use of Call
back modems as a way to assure security of a system.  In my response I pointed
out that call back devices or software may not always be depended upon and
stated that a way to penetrate them had been published in a publication of 
wide circulation.  I have received mail that criticized that statement as too
broad.  Therefore, I will disclose the problem which I hesitated to do so as
to avoid suggesting the method to the wrong person, in the hope of giving
more help than trouble.

The problem revolves around two features of some systems.  One is that the
computer or call back device often calls out without checking for a dial tone.
The other is that some telephone systems do not break the connection until the
calling party hangs up.  In such cases the cracker merely aranges to stay on
the line and issue the necessary signals to complete the connection when the
call back is made.  Even if the call back device does wait for the dial tone
it is still possible for the cracker to remain on line and to issue a fake
dial tone.  Thus, one should make sure that proper precautions are taken to
assure that the call in connection is broken before any call back is made.  
I was informed by the person who sent me the mail about this subject that 
most telephone central office switches may be relied upon to disconnect and
will prevent this problem.  I would suggest that any system administrator who
is using or contemplates using call back techniques verify the operation of 
the system in the operating environment before relying on it.  

-- cj