home | O'Reilly's CD bookshelfs | FreeBSD | Linux | Cisco | Cisco Exam  

Practical UNIX & Internet Security

Practical UNIX & Internet SecuritySearch this book
Previous: 14.3 The RS-232 Serial Protocol Chapter 14
Telephone Security 		Next: 14.5 Modems and UNIX
 

14.4 Modems and Security

Modems raise a number of security concerns because they create links between your computer and the outside world. Modems can be used by individuals inside your organization to remove confidential information. Modems can be used by people outside your organization to gain unauthorized access to your computer. If your modems can be reprogrammed or otherwise subverted, they can be used to trick your users into revealing their passwords. And, finally, an attacker can eavesdrop on a modem communication.

Today, modems remain a popular tool for breaking into large corporate networks. The reason is simple: while corporations closely monitor their network connections, modems are largely unguarded. In many organizations, there is no good way to prevent users from putting modems on their desktop computers and running "remote access" software.

So what can be done? To maximize security, modems should be provided by the organization and administered in a secure fashion.

The first step is to protect the modems themselves. Be sure they are located in a physically secure location, so that no unauthorized individual can access them. This protection is to prevent the modems from being altered or rewired. Some modems can have altered microcode or passwords loaded into them by someone with appropriate access, and you want to prevent such occurrences. You might make a note of the configuration switches (if any) on the modem, and periodically check them to be certain they remain unchanged.

Many modems sold these days allow remote configuration and testing. This capability makes changes simpler for personnel who manage several remote locations. It also makes abusing your modems simpler for an attacker. Therefore, be certain that such features, if present in your modems, are disabled.

The next most important aspect of protecting your modems is to protect their telephone numbers. Treat the telephone numbers for your modems the same as you treat your passwords: don't publicize them to anyone other than those who have a need to know. Making the telephone numbers for your modems widely known increases the chances that somebody might try to use them to break into your system. We'll describe some approaches in later sections.

Unfortunately, you cannot keep the telephone numbers of your modems absolutely secret. After all, people do need to call them. And even if you were extremely careful with the numbers, an attacker could always discover the modem numbers by dialing every telephone number in your exchange. For this reason, simple secrecy isn't a solution; your modems need more stringent protection.[2]

[2] You might think about changing your modem phone numbers on a yearly basis as a basic precaution.

14.4.1 One-Way Phone Lines

Most sites set up their modems and telephone lines so that they can both initiate and receive calls. Under older versions of UNIX , you could not use a modem for both purposes. Many vendors developed their own mechanisms to allow modems to be used bidirectionally.

Having modems be able to initiate and receive calls may seem like an economical way to make the most use of your modems and phone lines. However, the feature introduces a variety of significant security risks:

  • Toll fraud can only be committed on telephone lines that can place outgoing calls. The more phones you have that can place such calls, the more time and effort you will need to spend to make sure that your outbound modem lines are properly configured.

  • If phone lines can be used for either inbound or outbound calls, then you run the risk that your inbound callers will use up all of your phone lines and prevent anybody on your system from initiating an outgoing call. (You also run the risk that all of your outbound lines may prevent people from dialing into your system.) By forcing telephones to be used for either inbound or outbound calls, you assure that one use of the system will not preclude the other.

  • If your modems are used for both inbound and outbound calls, an attacker can use this capability to subvert any callback systems (see the sidebar) that you may be employing.

Your system will therefore be more secure if you use separate modems for inbound and outbound traffic.

You may further wish to routinely monitor the configuration of your telephone lines to check for the following conditions:

  • Check to make sure that telephone lines used only for inbound calls cannot place outbound calls.

  • Check to make sure that telephone lines that are not used to call long-distance telephone numbers in fact cannot place long-distance telephone calls.

14.4.2

Subverting Callback

A callback scheme is one in which an outsider calls your machine, connects to the software, and provides some form of identification. The system then severs the connection and calls the outsider back at a predetermined phone number. This scheme enhances security because the system will dial only preauthorized numbers, so an attacker cannot get the system to initiate a connection to his or her modem.

Unfortunately, callback can be subverted if the same modem that the outsider called is used to call the user back. Many phone systems, and especially some PBX systems, will not disconnect a call initiated from an outside line until the outside line is hung up.

To subvert such a callback system, the attacker merely calls the "callback modem" and then does not hang up when the modem attempts to sever the connection. The modem tries to hang up, then picks the phone back up and tries to dial out. The attacker's modem is then set to answer the callback modem, and the system is subverted. This type of attack can also be performed on systems that are not using a callback, but are doing normal dialout operations. For example, the attack can be used to intercept messages that are sent over a UUCP connection; the attacker merely configures a computer system to have the same name and UUCP login account as the system that is being called.

Some callback systems attempt to get around this problem by waiting for a dial tone. Unfortunately, these modems can be fooled by an attacker who simply plays a recording of a dial tone over the open line.

The only way to foil an attacker who is attempting this kind of trick is to have two sets of modems - one set for dialing in, and one set for dialing out. To make this work, you should have the telephone company install the lines so that the incoming lines cannot be used to dial out, and the outgoing lines have no telephone number for dialing in. This setup costs more than a regular line, but adds an extra measure of security for your phone connections.

Note that even with these precautions, there are other ways to subvert a calback. For example, someone could install call-forwarding on the called-back number and reroute the call through the switches at the phone company. Callback schemes can enhance your system's overall security, but you should not depend on them as your only means of protection.

14.4.3 Caller-ID (CNID)

In many areas, you can purchase an additional telephone service called Caller-ID. As its name implies, Caller-ID identifies the phone number of each incoming telephone call. The phone number is usually displayed on a small box next to the telephone when the phone starts ringing. (Note that this feature may not be available to you if you own your own PBX or switch.)

The telephone company sells Caller-ID on the virtues of its privacy and security: by knowing the phone number of an incoming call, you can make the decision as to whether or not you wish to answer it.

Caller-ID can also be used with computers. Several modem makers now support Caller-ID directly. With one of these modems, you can program the modem to send the telephone number of the calling instrument to the computer. You can then write custom software to limit incoming calls to a specified list of phone numbers, or to only allow certain users to use certain phones.

The telephone company's Integrated Services Digital Network ( ISDN [3]) digital phone service also provides the phone number of the caller through a similar service called Automatic Number Identification ( ANI ). This service is available to many corporate 800-number subscribers. ISDN offers yet another service called Restricted Calling Groups, which allows you to specify a list of phone numbers that are allowed to call your telephone number. All other callers are blocked.

[3] In many areas of the country, ISDN still stands for "Interesting Services Doing Nothing."

Advanced telephone services such as these are only as secure as the underlying telephone network infrastructure: if an attacker managed to break into the telephone company's computers, that attacker could reprogram them to display incorrect numbers on the Caller-ID display, or to bypass Restricted Calling Groups. Although there are no officially acknowledged cases of such attacks, the possibility exists, and many credible but "informal" accounts of such incidents have been recounted.

14.4.4 Protecting Against Eavesdropping

Modems that are not adaptive are very susceptible to eavesdropping and wiretapping. Non-adaptive modems include data modems that are slower than 9600 baud and most fax modems. The conversations between these modems can be recorded with a high-quality audio tape and played into a matching unit at a later point in time, or the telephone line can simply be bridged and fed into a separate surveillance modem. Cellular telephone modems are even easier to tap, as their communications are broadcast and readily intercepted by anyone.

Adaptive modems are less susceptible to eavesdropping with ordinary equipment, although even their communications may be intercepted using moderately sophisticated techniques.

How common is electronic eavesdropping? No one can say with certainty. As Whitfield Diffie points out, for electronic eavesdropping to be effective, the target must be unaware of its existence or take no precautions. Unfortunately, such a scenario is often the case.

14.4.4.1 Kinds of eavesdropping

There are basically four different places where a telephone conversation can be tapped:

  • At your premises. Using a remote extension, an attacker can place a second telephone or a tape recorder in parallel with your existing instruments. Accessible wiring closets with standard punch-down blocks for phone routing make such interception trivial to accomplish and difficult to locate by simple inspection. An inductive tap can also be used, and this requires no alternation to the wiring.

  • On the wire between your premises and the central office. An attacker can splice monitoring equipment along the wire that gives you telephone service. In many cities, especially older ones, many splices already exist, and a simple pair of wires can literally go all over town and into other people's homes and offices without anybody's knowledge.

  • At the phone company's central office. A tap can be placed on your line by employees at the telephone company, operating in either an official or an unofficial capacity. If the tap is programmed into the telephone switch itself, it may be almost impossible to detect its presence.[4] Hackers who penetrate the phone switches can also install taps in this manner (and, allegedly, have done so).

    [4] Under the terms of the 1994 Communications Assistance to Law Enforcement Act (formerly called the Digital Telephony Act), telephone providers have a legal obligation to make it impossible to detect a lawfully ordered wiretap.

  • Along a wireless transmission link . If your telephone call is routed over a satellite or a microwave link, a skillful attacker can intercept and decode that radio transmission.

Who might be tapping your telephone lines? Here are some possibilities:

  • A spouse or coworker. A surprising amount of covert monitoring takes place in the home or office by those we trust. Sometimes the monitoring is harmless or playful; other times, there are sinister motives.

  • Industrial spies. A tap may be placed by a spy or a business competitor seeking proprietary corporate information. According to Current and Future Danger, a 1995 publication by the Computer Security Institute, the monthly theft of proprietary data increased 260% from 1988 to 1993, and over 30% of those cases included foreign involvement. As almost 75% of businesses have some proprietary information of significant competitive value, the potential for such losses should be a concern.

  • Law enforcement. In 1994, U.S. law enforcement officials obtained court orders to conduct 1,154 wiretaps, according to the Administrative Office of the United States Courts. A large majority of those intercepts, 76%, were the result of ongoing drug investigations. Wiretaps are also used to conduct investigations in terrorism, white-collar crime, and organized crime.

    Law enforcement agents may also conduct illegal wiretaps - wiretaps for which the officers have no warrant. Although information obtained from such a wiretap cannot be used in court as evidence, it can be used to obtain a legal wiretap or even a search warrant. (In the late 1980s and early 1990s, there was an explosion in the use of unnamed, paid informants by law enforcement agencies in the United States.) Information could also be used for extralegal purposes, such as threats, intimidation, or blackmail.

14.4.4.2 Protection against eavesdropping

There are several measures that you can take against electronic eavesdropping, with varying degrees of effectiveness:

  • Visually inspect your telephone line.

    Look for spliced wires, taps, or boxes that you cannot understand. Most eavesdropping by people who are not professionals is very easy to detect.

  • Have your telephone line electronically "swept."

    Using a device called a signal reflectometer, a trained technician can electronically detect any splices or junctions on your telephone line. Junctions may or may not be evidence of taps; in some sections of the country, many telephone pairs have multiple arms that take them into several different neighborhoods. If you do choose to sweep your line, you should do so on a regular basis. Detecting a change in a telephone line that has been watched over time is easier than looking at a line one time only and determining if the line has a tap on it.

    Sweeping may not detect certain kinds of taps, such as digital taps conducted by the telephone company for law enforcement agencies or other organizations, nor will it detect inductive taps.

  • Use cryptography.

    A few years ago, cryptographic telephones or modems cost more than $1,000 and were only available to certain purchasers. Today, there are devices costing less than $300 that fit between a computer and a modem and create a cryptographically secure line. Most of these systems are based on private key cryptography and require that the system operator distribute a different key to each user. In practice, such restrictions pose no problem for most organizations. But there is also a growing number of public key systems, which offer simple-to-use security that is still of the highest caliber. There are also many affordable modems that include built-in encryption and which require no special unit to work.

Previous: 14.3 The RS-232 Serial Protocol Practical UNIX & Internet Security Next: 14.5 Modems and UNIX
14.3 The RS-232 Serial Protocol Book Index 14.5 Modems and UNIX

[ Library Home | DNS & BIND | TCP/IP | sendmail | sendmail Reference | Firewalls | Practical Security ]