UnauthorizedModems_7
Protecting Data Networks by Securing Telephone Networks
6
This same opinion is echoed by Jeromie Jackson, a computer security consultant
from Austin, Texas:
I would say that none of the companies that I work with are totally
secure. Ninety-nine percent of the time we go in and we see modems
sitting on people’s desks; people are allowed to bring in pcAnywhere
software. They can get into their computer with nothing: no id or
password. Then they connect with T1 lines out to their vendors; they
have no security between them and their vendors.
I mean, the Internet is nothing. They have plenty of problems internally
already. If your management’s freaking out about getting on the
Internet because of the security, then they’re under the false
assumption that their network is already secure. I would bet your and
my bottom dollar I could go into just about any company in the United
States and find huge, gaping holes…everywhere. [7]
Both individuals are discussing the threat posed by modems – devices used to
connect computers to other computers or networks via normal telephone lines.
The real question raised by these statements is why do these seemingly
innocuous devices pose such a great risk to corporate computers and networks?
The Problem Associated With
Modems
Modems are not new, they have been around for a number of years. The use and
exploitation of them by the “hacking” community to gain access to computers
and networks is also not new. In the 1983 movie War Games, Matthew
Broderick used a modem attached to a computer in his bedroom to dial numbers
searching for other numbers that would be answered by a computer connected to
a modem. The software used to accomplish this is now referred to as a war
dialer. Even though this movie was released more than a dozen years ago, the
vulnerabilities exploited by the star of the movie still exist today. In fact, not
only are they exploited by the “hacking” community but they are also known
and used by companies hired to perform security audits. The most famous
example of this was described in a cover story for the February 3, 1997, edition
of Fortune magazine.
The week before Christmas, 1996, employees of Wheelgroup Corp. (a San
Antonio, Texas security firm which has since been purchased by Cisco Systems)
attempted to penetrate the computer systems of a Fortune 500 company in New
York City from their own offices in San Antonio. Two days later they had
gained “root access” on five systems. This meant they had the same privileges as
system administrators on those systems. The Fortune 500 company, which had
agreed to the test, certainly felt they were secure. After all, they had an active
security program and had purchased a sophisticated firewall to protect them
from malicious activity coming from the Internet. The Wheelgroup employees at
first attempted to access the company’s systems from the Internet but were
blocked by the firewall. The parameters of the test and their compliance with the
law (which may not impede a resolute hacker) didn’t allow them much time so
they quickly discarded this avenue of attack and instead utilized the same
method Matthew Broderick did – war dialing. [2, 4] Specifically, they used a
publicly available war dialer downloaded from the Internet to test 1,500
numbers at the target company in 16 hours. At the conclusion of this time they
had identified more than 50 numbers that were answered by computers with
modems. Testing the more promising of these numbers (ones that had responded
to the war dialer in a very specific manner), the Wheelgroup employees were