cjp@beartrk.beartrack.com (CJ Pilzer) (07/30/90)
Several days ago I responded to an article which suggested the use of Call back modems as a way to assure security of a system. In my response I pointed out that call back devices or software may not always be depended upon and stated that a way to penetrate them had been published in a publication of wide circulation. I have received mail that criticized that statement as too broad. Therefore, I will disclose the problem which I hesitated to do so as to avoid suggesting the method to the wrong person, in the hope of giving more help than trouble. The problem revolves around two features of some systems. One is that the computer or call back device often calls out without checking for a dial tone. The other is that some telephone systems do not break the connection until the calling party hangs up. In such cases the cracker merely aranges to stay on the line and issue the necessary signals to complete the connection when the call back is made. Even if the call back device does wait for the dial tone it is still possible for the cracker to remain on line and to issue a fake dial tone. Thus, one should make sure that proper precautions are taken to assure that the call in connection is broken before any call back is made. I was informed by the person who sent me the mail about this subject that most telephone central office switches may be relied upon to disconnect and will prevent this problem. I would suggest that any system administrator who is using or contemplates using call back techniques verify the operation of the system in the operating environment before relying on it. -- cj