Protecting Data Networks by Securing Telephone Networks
able to penetrate a system in less than two hours. "Firewalls are the biggest form
of false security" was the conclusion arrived at by David Rivera, a computer
expert from Coopers & Lybrand who had been hired specifically for this test by
Fortune to ensure the target company's computers were not inadvertently
damaged by Wheelgroup during the test. [2]
Wheelgroup is not the only security firm that has employed this method to
access targeted computer networks. Mark Abene, originally known for his
hacking exploits under the handle "Phiber Optik" but now a computer security
consultant, has described very similar techniques for penetrating a corporate
network. After first obtaining as much information as he can about the target and
its computer systems and network, Abene attempts to identify any dial-up
terminal servers or workstations with directly connected modems. He has stated:
"Dial-up access through a terminal server ensures that we will not be
locked out of the network if the organization discovers it is under attack
and decides to shut off all Internet access. Dial-up lines are almost
always overlooked by security administrators or are managed by a
separate group with minimal communication between the two groups.
As an added bonus, most organizations rely on remote dial-up access,
rather than Internet connections, as part of their core business and will
not shut it down even in the event of an attack. And it is very difficult
to change all dial-up passwords and notify the users in a short period
of time. It is also rare for an organization to have any significant
monitoring capability for dial-up usage. This gives us a stealthy and
almost guaranteed way into their network." [1]
Abene also addressed the issue of rogue modems (modems that are not
authorized by the organization but have been connected to a computer system
by an employee, usually with good intentions). Abene stated:
"As all seasoned network professionals know, there's always at least
one employee who decides to set up his or her own remote access to a
desktop machine using Symantec Corp.'s pcANYWHERE or a similar
product without a password." [1]
The extent of the problem posed by rogue modems was amply demonstrated by
Peter Shipley in 1998. At DEFCON (an annual hacker convention) Shipley
discussed a war-dialing experiment he had conducted. In the
experiment he instructed his computer to dial 5.3 million phone numbers in the San
Francisco Bay area looking for computers connected to modems. He found
numerous modems, including ones that gave him access to the environmental
controls for a large building as well as a fire department's deployment system.
He further stated that 75 percent of the computer systems accessible via modem were
insecure enough for an intruder to penetrate the system.
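Shipley's sweep, and Abene's observation that organizations rarely monitor dial-up usage, point at the same defensive gap: a war-dialing sweep leaves a distinctive trace in a PBX's call detail records (many short calls from one calling number to a run of extensions in a short time), yet nobody looks at those records. The script below is an added example written for this page, not part of the original paper or of any of the firms it mentions. It assumes a simplified, constructed CDR line format (ISO timestamp, calling number, called extension, duration in seconds); real PBX exports differ, so the parser is the part to adapt. The sample records are constructed, not real data, and the rule that a call answered for longer than a few seconds during a sweep marks an extension worth physically checking is a heuristic, not a property of any particular switch.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample CDR export (not real data). Assumed format, one call per line:
#   ISO timestamp, calling number, called extension, duration in seconds
# Caller 4155550199 walks extensions 5501-5506 at night with 2-5 second calls,
# except 5504, which holds the call for 41 seconds (something answered there).
SAMPLE_CDR = """\
2024-03-01T02:00:05,4155550199,5501,4
2024-03-01T02:00:31,4155550199,5502,3
2024-03-01T02:00:58,4155550199,5503,2
2024-03-01T02:01:26,4155550199,5504,41
2024-03-01T02:01:55,4155550199,5505,3
2024-03-01T02:02:22,4155550199,5506,5
2024-03-01T09:15:00,4155550142,5504,1260
2024-03-01T11:40:12,4155550177,5510,95
2024-03-01T12:05:44,4155550177,5510,120
"""


def parse_cdr(text):
    """Parse the assumed CSV format into a list of call records."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, caller, ext, dur = line.split(",")
        records.append({"time": datetime.fromisoformat(ts), "caller": caller,
                        "ext": ext, "duration": int(dur)})
    return records


def find_sweeps(records, window_minutes=10, min_extensions=5, max_duration=10):
    """Flag callers that reach at least min_extensions distinct extensions with
    calls of max_duration seconds or less inside a window_minutes window.
    Returns one finding per caller: the densest window seen for that caller."""
    window = timedelta(minutes=window_minutes)
    by_caller = defaultdict(list)
    for r in records:
        if r["duration"] <= max_duration:      # short calls: no one picked up
            by_caller[r["caller"]].append(r)
    findings = []
    for caller, calls in by_caller.items():
        calls.sort(key=lambda r: r["time"])
        best, j = None, 0
        for i in range(len(calls)):
            # grow the window [i, j] as far as the time limit allows
            while j + 1 < len(calls) and calls[j + 1]["time"] - calls[i]["time"] <= window:
                j += 1
            exts = {r["ext"] for r in calls[i:j + 1]}
            if len(exts) >= min_extensions and (best is None or len(exts) > best["extensions"]):
                best = {"caller": caller, "start": calls[i]["time"],
                        "end": calls[j]["time"], "extensions": len(exts)}
        if best is not None:
            findings.append(best)
    return findings


def answered_during_sweep(records, finding, max_duration=10):
    """Heuristic: extensions that held a call from the sweeping caller for longer
    than max_duration seconds are the ones that answered. They belong on the
    list of lines to inventory for unauthorized modems."""
    return sorted({r["ext"] for r in records
                   if r["caller"] == finding["caller"]
                   and finding["start"] <= r["time"] <= finding["end"]
                   and r["duration"] > max_duration})


if __name__ == "__main__":
    recs = parse_cdr(SAMPLE_CDR)
    for f in find_sweeps(recs):
        print(f"sweep from {f['caller']}: {f['extensions']} extensions, "
              f"{f['start']:%H:%M:%S}-{f['end']:%H:%M:%S}, "
              f"answered at {answered_during_sweep(recs, f)}")
```

Run against a real export, the thresholds are the tuning knobs: a sweep that dials one number every thirty seconds across a whole night will still show up once `window_minutes` is widened, and the `max_duration` cut-off should sit just above the switch's ring-no-answer time. The point of `answered_during_sweep` is to turn a detection into an inventory action, which is the control this section argues is missing.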
This is not just a theoretical vulnerability. It is being actively exploited
today. A good example of this is the story about "jester" described at the
beginning of this paper. This is not an isolated case. There have been many other
cases of intrusion via modem. As another example, an organization hired the
Global Security Analysis Laboratory at IBM to perform an analysis of their
computer systems' security. The analysis team found the system had indeed
been penetrated. The computer was supposed to maintain client medical records.
Instead, the team found approximately two gigabytes of pornographic pictures
and very few medical records! [13] Further investigation revealed the hackers
had penetrated the system via the modem attached to it and had posted
the phone number in the computer underground so others could take
advantage of it too.