Previous Section Next Section

10.2 Modems and Security

Modems raise a number of security concerns because they create links between your computer and the outside world. Modems can be used by individuals inside your organization to remove confidential information. Modems can be used by people outside your organization to gain unauthorized access to your computer. If your modems can be reprogrammed or otherwise subverted, they can be used to trick your users into revealing their passwords. And, finally, an attacker can eavesdrop on a modem communication.

Despite the rise of the Internet, modems remain a popular tool for breaking into large corporate networks. The reason is simple: while corporations closely monitor their network connections, modems are largely unguarded and unaudited. In many organizations, it is difficult and expensive to prevent users from putting modems on their desktop computers and running "remote access" software. This happens much more frequently than you might expect.

So what can be done? To maximize security, modems should be provided by the organization and administered in a secure fashion.

The first step is to protect the modems themselves. Be sure they are located in a physically secure location, so that no unauthorized individual can access them. The purpose of this protection is to prevent the modems from being altered or rewired. Some modems can have altered microcode or passwords loaded into them by someone with appropriate access, and you want to prevent such occurrences. You might make a note of the configuration switches (if any) on the modem, and periodically check them to be certain they remain unchanged.

Many modems sold these days allow remote configuration and testing. This capability makes changes simpler for personnel who manage several remote locations. It also makes abusing your modems simpler for an attacker. Therefore, be certain that such features, if present in your modems, are disabled.

The next most important aspect of protecting your modems is to protect their telephone numbers. Treat the telephone numbers for your modems the same way you treat your passwords: don't publicize them to anyone other than those who have a need to know. Making the telephone numbers for your modems widely known increases the chances that somebody might try to use them to break into your system.

Physical Intervention for Use

When modems are connected to hardware to allow off-site technicians to remotely maintain or troubleshoot it, you certainly want to prevent unauthorized users from connecting to these modems and reconfiguring your equipment. One simple and effective approach is to leave the modems unplugged from the phone line, and require off-site technicians to call your operator before performing maintenance (or, better yet, the reverse, to make social engineering attacks less feasible.) The operator connects the phone line for the technician's work (and notes this in a log book), and disconnects it thereafter.

Unfortunately, you cannot keep the telephone numbers of your modems absolutely secret. After all, people do need to call them. And even if you were extremely careful with the numbers, an attacker could always discover the modem numbers by dialing every telephone number in your exchange. For this reason, simple secrecy isn't a solution; your modems need more stringent protection.

You might consider changing your modem phone numbers on a yearly basis as a basic precaution. You might also request phone numbers for your modems that are on a different exchange from the one used by the business voice and fax numbers that you advertise.

10.2.1 Banners

A banner is a message that is displayed by a modem (or the computer to which the modem is connected) when it is called. Some banners are displayed by the answering system before the caller types anything; other banners are displayed only after a person successfully authenticates. Example 10-1 shows a simple, but problematic, banner.

Example 10-1. A simple but problematic banner
Welcome to Internet Privacy Corporation (IPC), where privacy comes first.

Don't have an account? 
Log in with username "guest" password "guest" to create one!

If you have problems logging in, please call
Paul Johnson in technical support at 203-555-1212. 

FreeBSD 4.2 login:

Banners improve the usability of a system by letting the callers know that they have reached the correct system. They can also include any necessary legal disclosures or notices. Unfortunately, banners can also be used by attackers: an attacker who scans a telephone exchange or a city can use banners to determine which organization's modems they have found. Banners can also provide useful clues that help an attacker break into a system, such as disclosing the operating system version or the modem firmware revision.

Banners have a troubled history. In the 1980s, it was common for computer banners to include the word "welcome." Although it has been rumored that a person on trial for computer intrusion argued successfully that the word "welcome" was essentially an invitation from the system's management for the attacker to break in, this never really happened; nevertheless, the explicit invitation is a bad idea. In other cases, attackers have successfully had evidence suppressed because system banners did not inform them that their keystrokes were being recorded.

For all of these reasons, the banner that we presented in Example 10-1 is problematic. A better banner is shown in Example 10-2.

Example 10-2. A better banner
Unauthorized use of this system is prohibited and may be prosecuted to the 
fullest extent of the law. By using this system, you implicitly agree to
monitoring by system management and law enforcement authorities. If you do 
not agree with these terms, DISCONNECT NOW.

login:

Here are some recommendations for what to put into your banner:

  • State that unauthorized use of the system is prohibited and may be prosecuted. (Do not say that unauthorized use will be prosecuted. If some unauthorized users are prosecuted when others are not, the users who are prosecuted may be able to claim selective enforcement of this policy.)

  • State that all users of the system may be monitored.

  • Tell the user that he is agreeing to be monitored as a condition of using the computer system.

  • In some cases, it is acceptable to display no welcome banner at all.

  • If your computer is a Federal Interest computer system,[2] say so. There are additional penalties for breaking into such systems, and the existence of these penalties may deter some attackers.

    [2] This is a term defined in federal law. We won't provide a specific definition here, but if your system is involved in banking, defense, or support of any federally funded activity, your system may be included. You should consult with competent legal counsel for details.

Here are some recommendations for what not to put into your banner:

  • Do not use any word expressing "welcome."

  • Do not identify the name of your organization.

  • Do not provide any phone numbers or other contact information.

  • Do not identify the name or release of your computer's operating system.

10.2.2 Caller-ID and Automatic Number Identification

In many areas, you can purchase an additional telephone service called Caller-ID. As its name implies, Caller-ID identifies the phone number of each incoming telephone call. The phone number is usually displayed on a small box next to the telephone when the phone starts ringing. Automatic Number Identification (ANI) is a version of this service that is provided to customers of toll-free numbers (800 numbers and other toll-free exchanges).

Many modems support Caller-ID directly. When these modems are properly programmed, they will provide Caller-ID information to the host computer when the information is received over the telephone lines.

There are many ways that you can integrate Caller-ID with your remote access services:

  • Some remote access systems can be programmed to accept the Caller-ID information directly and log the information for each incoming call along with the time and the username that was provided. The vast majority of remote access systems that support telephone lines delivered over ISDN Basic Rate, ISDN PRI, and T1 FlexPath circuits include support for logging Caller-ID information in RADIUS accounting log files.[3]

    [3] RADIUS , the Remote Authentication Dial In User Service, is a protocol designed to allow terminal servers to authenticate dialup users against a remote database. It is described in RFC 2138.

    Caller-ID can be very useful for tracking down perpetrators after a break-in. Unlike a username and password, which can be stolen and used by an unauthorized individual, Caller-ID information almost always points back to the actual source of an attack. Many dialup ISPs now routinely collect Caller-ID information and make this information available to law enforcement agencies that investigate cybercrimes. The author of the Melissa computer worm was identified, in part, though the use of Caller-ID information.

  • If your remote access system does not handle Caller-ID, you can set up a second modem in parallel with the first on the same line. Program your computer to answer the first modem on the third or fourth ring. Use a third-party Caller-ID logging program to capture the Caller-ID information from the second modem. You will then need to manually combine the two logs.

  • ISDN offers yet another service called Restricted Calling Groups, which allows you to specify a list of phone numbers that are allowed to call your telephone number. All other callers are blocked.

Advanced telephone services such as these are only as secure as the underlying telephone network infrastructure: many corporate telephone systems allow the corporation to determine what Caller-ID information is displayed on the telephone instrument of the person being called—even for calls that terminate on other parts of the public switched telephone network. Attackers who have control of a corporate telephone system can program it to display whatever phone number they desire, potentially bypassing any security system that depends solely on Caller-ID or Restricted Calling Groups.

10.2.3 One-Way Phone Lines

Many sites set up their modems and telephone lines so that they can both initiate and receive calls.

Allowing the same modems to initiate and receive calls may seem like an economical way to make the most use of your modems and phone lines. However, this approach introduces a variety of significant security risks:

  • Toll fraud can be committed only on telephone lines that can place outgoing calls. The more phones you have that can place such calls, the more time and effort you will need to spend to make sure that your outbound modem lines are properly configured.

  • If phone lines can be used for either inbound or outbound calls, then you run the risk that your inbound callers will use up all of your phone lines and prevent anybody on your system from initiating an outgoing call. (You also run the risk that all of your outbound lines may prevent people from dialing into your system.) By forcing telephones to be used for either inbound or outbound calls, you assure that one use of the system will not preclude the other.

  • If your modems are used for both inbound and outbound calls, an attacker can use this capability to subvert any callback systems (see the sidebar) that you may be employing.

Your system will therefore be more secure if you use separate modems for inbound and outbound traffic. In most environments the cost of the extra phone lines is minimal compared to the additional security and functionality provided by line separation.

You may further wish to routinely monitor the configuration of your telephone lines to check for the following conditions:

  • To make sure that telephone lines that are not used to call long-distance telephone numbers cannot, in fact, place long-distance telephone calls

  • To make sure that telephone lines used only for inbound calls cannot place outbound calls

Subverting Callback

A callback scheme is one in which an outsider calls your machine, connects to the software, and provides some form of identification. The system then severs the connection and calls the outsider back at a predetermined phone number. Callback enhances security because the system will dial only preauthorized numbers, so an attacker cannot get the system to initiate a connection to his modem.

Callback can be subverted if the callback is performed using the same modem that received the initial phone call. This is because many phone systems will not disconnect a call initiated from an outside line until the outside line is hung up. To subvert such a callback system, the attacker merely calls the "callback modem" and then does not hang up when the modem attempts to sever the connection. When the callback modem tries to dial out again, it is still connected to the attacker's modem. The attacker sets his modem to answer the callback modem, and the system is subverted. This type of attack can also be performed on systems that are not using callback, but are doing normal dialout operations.

Some callback systems attempt to get around this problem by waiting for a dial tone. Unfortunately, these modems can be fooled by an attacker who simply plays a recording of a dial tone over the open line.

The best way to foil attacks on callback systems is to use two sets of modems—one set for dialing in and one set for dialing out. Ideally, the incoming lines should be configured so that they cannot dial out, and the outgoing lines should be unable to receive incoming calls. This is easily accomplished using call-forwarding.

But it is even possible to subvert a callback system that uses two modems. If the attacker has subverted a phone company switch, he can install call-forwarding on the phone number that the callback modem is programmed to dial, and forward those calls back to his modem.

Callback schemes can enhance your system's overall security, but you should not depend on them as your primary means of protection.

10.2.4 Protecting Against Eavesdropping

Modems are susceptible to eavesdropping and wiretapping. Older modems, including data modems that are slower than 9,600 baud, and most fax modems can be readily wiretapped using off-the-shelf hardware. Higher-speed modems can be eavesdropped upon using moderately sophisticated equipment that, while less readily available, can still be purchased for, at most, thousands of dollars.

How common is electronic eavesdropping? No one can say with certainty. As Whitfield Diffie has observed, for electronic eavesdropping to be effective, the target must be unaware of its existence or take no precautions. It's likely that there are some individuals and corporations that will never be the target of electronic eavesdropping, while there are others that are constantly targets.

10.2.4.1 Kinds of eavesdropping

There are basically six different places where a telephone conversation over a modem can be tapped:

At your premises

Using a remote extension, an attacker can place a second modem or a tape recorder in parallel with your existing instruments. Accessible wiring closets with standard punch-down blocks for phone routing make such interception trivial to accomplish and difficult to locate by simple inspection. An inductive tap can also be used, and this requires no alteration to the wiring.

Outside your window

In the spring of 2002, researchers at the University of California at Berkeley discovered that it is possible to determine what information is being sent over dialup modems by analyzing the Transmit Data and Receive Data lights (http://applied-math.org/optical_tempest.pdf). To protect yourself from this attack you should make sure that the flashing TD and RD lights cannot be observed from outside your organization, either by appropriately positioning the modem or by covering the TD and RD lights with black electrical tape.

On the wire between your premises and the central office

An attacker can splice monitoring equipment along the wire that provides your telephone service. In many cities, especially older ones, many splices already exist, and a simple pair of wires can literally go all over town and into other people's homes and offices without anybody's knowledge.

At the phone company's central office

A tap can be placed on your line by employees at the telephone company, operating in either an official or an unofficial capacity. If the tap is programmed into the telephone switch itself, it may be impossible to detect its presence.[4] Hackers who penetrate the phone switches can also install taps in this manner (and, allegedly, have done so).

[4] Under the terms of the 1994 Communications Assistance to Law Enforcement Act, telephone providers have a legal obligation to make it impossible to detect a lawfully ordered wiretap. Those telltale clicks, snaps, and pops on a telephone line that indicate the presence of wiretaps have been relegated to movies, illegal wiretaps, and those weird situations in which the person conducting the wiretap is trying to "send a message" to the target.

Along a wireless transmission link

If your telephone call is routed over a satellite or a microwave link, a skillful attacker can intercept and decode that radio transmission. This is undoubtedly done by intelligence agencies of many governments, and may be done by some other large organizations, such as organized crime.

At the destination

The terminus of your telephone call can be the location of the wiretap. This can be done with the knowledge or consent of the operators of the remote equipment, or without it.

Who might be tapping your telephone lines? Here are some possibilities:

A spouse or coworker

A surprising amount of covert monitoring takes place in the home or office by those we trust. Sometimes the monitoring is harmless or playful; at other times, there are sinister motives.

Industrial spies

A tap may be placed by a spy or a business competitor seeking proprietary corporate information. As almost 75% of businesses have some proprietary information of significant competitive value, the potential for such losses should be a concern.

Law enforcement

In 2001, U.S. law enforcement officials obtained court orders to conduct 1,491 wiretaps, according to the Administrative Office of the United States Courts. A large majority of those intercepts, 78%, were the result of ongoing drug investigations. Wiretaps are also used to conduct investigations into terrorism, white-collar crime, and organized crime.

Law enforcement agents may also conduct illegal wiretaps—wiretaps for which the officers have no warrant. Although information obtained from such a wiretap cannot be used in court as evidence, it can be used to obtain a legal wiretap or even a search warrant. (In the late 1980s and 1990s, there was an explosion in the use of unnamed, paid informants by law enforcement agencies in the United States; it has been suggested that some of these "informants" might actually be illegal wiretaps.) Information could also be used for extralegal purposes, such as threats, intimidation, or blackmail.

10.2.4.2 Eavesdropping countermeasures

There are several measures that you can take against electronic eavesdropping, with varying degrees of effectiveness:

Visually inspect your telephone line

Look for spliced wires, taps, or boxes that you cannot explain. Most eavesdropping by people who are not professionals is easy to detect.

Have your telephone line electronically "swept"

Using a device called a signal reflectometer, a trained technician can electronically detect any splices or junctions on your telephone line. Junctions may or may not be evidence of taps; in some sections of the country, many telephone pairs have multiple arms that take them into several different neighborhoods. If you do choose to sweep your line, you should do so on a regular basis. Detecting a change in a telephone line that has been watched over time is easier than looking at a line one time only and determining if the line has a tap on it.

Sweeping may not detect certain kinds of taps, such as digital taps conducted by the telephone company for law enforcement agencies or other organizations, nor will it detect inductive taps.

Use cryptography

The best way to protect your communications from eavesdropping is to assume that your communications equipment is already compromised and to encrypt all the information as a preventative measure. If you use a dialup connection to the Internet, you can use cryptographic protocols such as SSL and SSH to form a cryptographic barrier that extends from your computer system to the remote server. Packet-based encryption systems such as Point-to-Point Tunneling Protocol (PPTP) and IPsec can be used to encrypt all communications between your computer and a remote server, and you should assume that your Internet service provider is being eavesdropped upon.

A few years ago, cryptographic telephones or modems cost more than $1,000 and were available only to certain purchasers. Today, there are devices costing less than $300 that fit between a computer and a modem and create a cryptographically secure line. Most of these systems are based on private key cryptography and require that the system operator distribute a different key to each user. In practice, such restrictions pose no problem for most organizations. But there are also a growing number of public key systems that offer simple-to-use security that's still of the highest caliber. There are also many affordable modems that include built-in encryption and require no special unit to work.

10.2.5 Managing Unauthorized Modems with Telephone Scanning and Telephone Firewalls

Many organizations have policies that forbid the installation and operation of modems without specific permission from the site security manager. Each authorized modem is then audited on a regular basis to assure that it is correctly configured and complies with the site's policies regarding banners, usernames, passwords, and so forth.

Because it is so easy to install a modem, many organizations have modems of which they are unaware. There are two ways to deal with the threat of these so-called rogue modems: telephone scanning and telephone firewalls.

10.2.5.1 Telephone scanning

You can use a program called a telephone scanner to locate unknown and unauthorized modems. A telephone scanner systematically calls every telephone number in a predefined range and notes the banners of the systems that answer. Some telephone scanners can be programmed to attempt to break into the computer systems that they find by using a predetermined list of usernames and passwords. There are both free and commercial telephone scanners available with a wide range of options. Additionally, some computer-consulting firms will perform telephone scanning as part of a security audit.

10.2.5.2 Telephone firewalls

In some situations, the risk of penetration by modem is so high that simply scanning for unauthorized modems is not sufficient. In these situations, you may wish to use a telephone firewall to mediate telephone calls between your organization and the outside world.

Similar to an Internet firewall, a telephone firewall is a device that is placed between your telephone system and an outside communications circuit. Typically, a telephone firewall is equipped with multiple ports for digital T1 telephone lines: instead of plugging a PBX into a T1 from a telephone company, the PBX is plugged into the telephone firewall, and the firewall is plugged into the exterior T1s.

A telephone firewall analyzes the content of every telephone conversation. If it detects modem tones originating or terminating at an extension that is not authorized to operate a modem, the call is terminated, and the event is logged. Telephone firewalls can also be used to control fax machines, incoming phone calls, and even unauthorized use of long-distance calls and the use of 800 numbers and 900 services.

10.2.5.3 Limitations of scanning and firewalls

It is important to realize that neither telephone scanning nor telephone firewalls can do more than detect or control modems that use telephone lines that you know about. Suppose that your organization has a specific telephone exchange; in all likelihood, you will confine your telephone scanning and telephone firewall to that exchange. If some worker orders a separate telephone line from the phone company and pays for that line with his own funds, that phone number will not be within your organization's telephone exchange and will, therefore, not be detected by telephone scanning. Nor will it be subject to a telephone firewall. A cell phone connected to a modem is also not going to be within your defined exchange.

In many cases, the only way to find rogue telephone lines is through a detailed physical inspection of wiring closets and other points where external telephone lines can enter an organization. In an environment that is rich with authorized wireless devices, it can be even harder to find unauthorized wireless devices.

    Previous Section Next Section