10.2 Modems and Security
Modems raise a number of security concerns
because they create links between your computer and the outside
world. Modems can be used by individuals inside your organization to
remove confidential information. Modems can be used by people outside
your organization to gain unauthorized access to your computer. If
your modems can be reprogrammed or otherwise subverted, they can be
used to trick your users into revealing their passwords. And,
finally, an attacker can eavesdrop on a modem communication.
Despite the rise of the Internet, modems remain a popular tool for
breaking into large corporate networks. The reason is simple: while
corporations closely monitor their network connections, modems are
largely unguarded and unaudited. In many organizations, it is
difficult and expensive to prevent users from putting modems on their
desktop computers and running "remote
access" software. This happens much more frequently
than you might expect.
So what can be done? To maximize security, modems should be provided
by the organization and administered in a secure fashion.
The first step is to protect the modems themselves. Be sure they are
located in a physically secure location, so that no unauthorized
individual can access them. The purpose of this protection is to
prevent the modems from being altered or rewired. Some modems can
have altered microcode or passwords loaded into them by someone with
appropriate access, and you want to prevent such occurrences. You
might make a note of the configuration switches (if any) on the
modem, and periodically check them to be certain they remain
unchanged.
Many modems sold these days allow remote configuration and testing.
This capability makes changes simpler for personnel who manage
several remote locations. It also makes abusing your modems simpler
for an attacker. Therefore, be certain that such features, if present
in your modems, are disabled.
The next most important aspect of protecting your modems is to
protect their telephone numbers. Treat the telephone numbers for your
modems the same way you treat your passwords: don't
publicize them to anyone other than those who have a need to know.
Making the telephone numbers for your modems widely known increases
the chances that somebody might try to use them to break into your
system.
When modems are connected to hardware to allow off-site technicians to
remotely maintain or troubleshoot it, you certainly want to prevent
unauthorized users from connecting to these modems and reconfiguring
your equipment. One simple and effective approach is to leave the
modems unplugged from the phone line, and require off-site
technicians to call your operator before performing maintenance (or,
better yet, have the operator call the technician back at a known
number, which makes social engineering attacks less feasible). The
operator connects the phone line for the technician's work (and notes
this in a log book), and disconnects it thereafter.
Unfortunately, you cannot keep the telephone numbers of your modems
absolutely secret. After all, people do need to call them. And even
if you were extremely careful with the numbers, an attacker could
always discover the modem numbers by dialing every telephone number
in your exchange. For this reason, simple secrecy
isn't a solution; your modems need more stringent
protection.
You might consider changing your
modem phone numbers on a yearly basis
as a basic precaution. You might also request phone numbers for your
modems that are on a different exchange from the one used by the
business voice and fax numbers that you advertise.
10.2.1 Banners
A banner is a message that is displayed by a
modem (or the computer to which the modem is connected) when it is
called. Some banners are displayed by the answering system before the
caller types anything; other banners are displayed only after a
person successfully authenticates. Example 10-1 shows
a simple, but problematic, banner.
Example 10-1. A simple but problematic banner
Welcome to Internet Privacy Corporation (IPC), where privacy comes first.
Don't have an account?
Log in with username "guest" password "guest" to create one!
If you have problems logging in, please call
Paul Johnson in technical support at 203-555-1212.
FreeBSD 4.2 login:
Banners improve the usability of a system by letting the callers know
that they have reached the correct system. They can also include any
necessary legal disclosures or notices. Unfortunately, banners can
also be used by attackers: an attacker who scans a telephone exchange
or a city can use banners to determine which
organization's modems they have found. Banners can
also provide useful clues that help an attacker break into a system,
such as disclosing the operating system version or the modem firmware
revision.
Banners have a troubled history. In the 1980s, it was common for
computer banners to include the word
"welcome." Although it has been
rumored that a person on trial for computer intrusion argued
successfully that the word
"welcome" was essentially an
invitation from the system's management for the
attacker to break in, this never really happened; nevertheless, the
explicit invitation is a bad idea. In other cases, attackers have
successfully had evidence suppressed because system banners did not
inform them that their keystrokes were being recorded.
For all of these reasons, the banner that we presented in Example 10-1 is problematic. A better banner is shown in
Example 10-2.
Example 10-2. A better banner
Unauthorized use of this system is prohibited and may be prosecuted to the
fullest extent of the law. By using this system, you implicitly agree to
monitoring by system management and law enforcement authorities. If you do
not agree with these terms, DISCONNECT NOW.
login:
Here are some recommendations for what to put into your banner:
- State that unauthorized use of the system is prohibited and may be
prosecuted. (Do not say that unauthorized use will be prosecuted. If
some unauthorized users are prosecuted when others are not, the users
who are prosecuted may be able to claim selective enforcement of this
policy.)
- State that all users of the system may be monitored.
- Tell the user that he is agreeing to be monitored as a condition of
using the computer system.
- In some cases, it is acceptable to display no welcome banner at all.
- If your computer is a Federal Interest computer system, say so.
There are additional penalties for breaking into such systems, and the
existence of these penalties may deter some attackers.
Here are some recommendations for what not to put into your banner:
- Do not use any word expressing "welcome."
- Do not identify the name of your organization.
- Do not provide any phone numbers or other contact information.
- Do not identify the name or release of your computer's operating
system.
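The recommendations above can be turned into a mechanical audit. The following is an added example (not from the book): it checks a login banner against the chapter's do/don't list and is run against the two example banners from the text. The list of operating-system names and the phone-number pattern are assumptions that a site would extend.

```python
import re

# Banner text copied from Example 10-1 and Example 10-2 in the text.
BANNER_10_1 = """Welcome to Internet Privacy Corporation (IPC), where privacy comes first.
Don't have an account?
Log in with username "guest" password "guest" to create one!
If you have problems logging in, please call
Paul Johnson in technical support at 203-555-1212.
FreeBSD 4.2 login:"""

BANNER_10_2 = """Unauthorized use of this system is prohibited and may be prosecuted to the
fullest extent of the law. By using this system, you implicitly agree to
monitoring by system management and law enforcement authorities. If you do
not agree with these terms, DISCONNECT NOW.
login:"""

# Things the chapter says a banner must NOT contain.
WELCOME_RE = re.compile(r"\bwelcom(e|ing)\b", re.IGNORECASE)
# Assumed North American number format such as 203-555-1212.
PHONE_RE = re.compile(r"\b\d{3}[-.\s]\d{3}[-.\s]\d{4}\b")
# Assumed (non-exhaustive) list of OS names, optionally followed by a release.
OS_RE = re.compile(
    r"\b(FreeBSD|OpenBSD|NetBSD|Linux|SunOS|Solaris|AIX|HP-UX|IRIX|Ultrix|Windows)\b"
    r"(\s*[\d.]+)?",
    re.IGNORECASE,
)
# Things the chapter says a banner SHOULD contain, and one wording to avoid.
PROHIBIT_RE = re.compile(r"unauthori[sz]ed\s+use.*prohibited", re.IGNORECASE | re.DOTALL)
MONITOR_RE = re.compile(r"\bmonitor", re.IGNORECASE)
WILL_PROSECUTE_RE = re.compile(r"\bwill\s+be\s+prosecuted\b", re.IGNORECASE)


def audit_banner(banner, org_names=()):
    """Return a list of findings; an empty list means the banner passes.

    org_names lists the strings that would identify your organization
    (the tool cannot guess them), so the caller supplies them.
    """
    findings = []
    if WELCOME_RE.search(banner):
        findings.append("contains a 'welcome' expression")
    for num in PHONE_RE.findall(banner):
        findings.append(f"discloses contact number {num}")
    m = OS_RE.search(banner)
    if m:
        findings.append(f"discloses operating system '{m.group(0).strip()}'")
    for name in org_names:
        if name.lower() in banner.lower():
            findings.append(f"identifies organization '{name}'")
    if not PROHIBIT_RE.search(banner):
        findings.append("does not state that unauthorized use is prohibited")
    if not MONITOR_RE.search(banner):
        findings.append("does not warn that users may be monitored")
    if WILL_PROSECUTE_RE.search(banner):
        findings.append("says unauthorized use 'will' (not 'may') be prosecuted")
    return findings


if __name__ == "__main__":
    for label, text in (("Example 10-1", BANNER_10_1), ("Example 10-2", BANNER_10_2)):
        print(label, audit_banner(text, org_names=("Internet Privacy Corporation", "IPC")))
```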
10.2.2 Caller-ID and Automatic Number Identification
In many areas, you can purchase an
additional telephone service called Caller-ID. As its name implies,
Caller-ID identifies the phone number of each incoming telephone
call. The phone number is usually displayed on a small box next to
the telephone when the phone starts ringing. Automatic
Number Identification (ANI) is a version of this service that is
provided to customers of toll-free numbers (800 numbers and other
toll-free exchanges).
Many modems support Caller-ID directly. When these modems are
properly programmed, they will provide Caller-ID information to the
host computer when the information is received over the telephone
lines.
There are many ways that you can integrate Caller-ID with your remote
access services:
Some remote access systems can be programmed to accept the Caller-ID
information directly and log the information for each incoming call
along with the time and the username that was provided. The vast
majority of remote access systems that support telephone lines
delivered over ISDN Basic Rate, ISDN PRI, and T1 FlexPath circuits
include support for logging Caller-ID information in RADIUS
accounting log files.
Caller-ID can be very useful for tracking down perpetrators after a
break-in. Unlike a username and password, which can be stolen and
used by an unauthorized individual, Caller-ID information almost
always points back to the actual source of an attack. Many dialup
ISPs now routinely collect Caller-ID information and make this
information available to law enforcement agencies that investigate
cybercrimes. The author of the Melissa computer worm was identified,
in part, through the use of Caller-ID information.
If your remote access system does not handle Caller-ID, you can set
up a second modem in parallel with the first on the same line.
Program your computer to answer the first modem on the third or
fourth ring. Use a third-party Caller-ID logging program to capture
the Caller-ID information from the second modem. You will then need
to manually combine the two logs.
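Combining the two logs described above is a matter of matching each login to the Caller-ID record that arrived just before the first modem answered. The following is an added example (not from the book) that does this with constructed sample logs; the log formats, the 60-second matching window and the list of pre-authorized numbers are all assumptions.

```python
from datetime import datetime, timedelta

TS_FMT = "%Y-%m-%d %H:%M:%S"

# Constructed sample: what a Caller-ID logging program on the second modem
# might write, one line per incoming call (format is assumed).
CALLERID_LOG = """\
2002-05-14 22:13:05 CALLER 2035551234
2002-05-14 22:41:50 CALLER 2125550199
2002-05-14 23:02:11 CALLER UNAVAILABLE
"""

# Constructed sample: the remote access system's own login log (format is assumed).
LOGIN_LOG = """\
2002-05-14 22:13:12 login user=alice result=ok
2002-05-14 22:42:01 login user=root result=fail
2002-05-14 22:42:09 login user=root result=ok
2002-05-14 23:30:00 login user=bob result=ok
"""


def parse_callerid(text):
    """Yield (timestamp, calling number) tuples from the Caller-ID log."""
    records = []
    for line in text.splitlines():
        date, clock, _, number = line.split()
        records.append((datetime.strptime(f"{date} {clock}", TS_FMT), number))
    return records


def parse_logins(text):
    """Yield dicts with time, user and result from the login log."""
    records = []
    for line in text.splitlines():
        date, clock, _, user_kv, result_kv = line.split()
        records.append({
            "time": datetime.strptime(f"{date} {clock}", TS_FMT),
            "user": user_kv.split("=", 1)[1],
            "result": result_kv.split("=", 1)[1],
        })
    return records


def correlate(callerid_text, login_text, window_seconds=60):
    """Attach to each login the latest Caller-ID record seen within the window
    before it (the Caller-ID arrives on the first ring; the host answers on
    the third or fourth). Logins with no such record get number=None."""
    cids = parse_callerid(callerid_text)
    merged = []
    for login in parse_logins(login_text):
        number = None
        for seen_at, calling in cids:
            if seen_at <= login["time"] <= seen_at + timedelta(seconds=window_seconds):
                number = calling   # later records overwrite earlier ones
        merged.append({**login, "number": number})
    return merged


def unauthorized_sources(merged, allowed_numbers):
    """Successful logins whose Caller-ID is missing or not pre-authorized.
    Caller-ID is only as trustworthy as the phone network (a subverted PBX can
    present any number), so treat these as leads to investigate, not proof."""
    return [m for m in merged if m["result"] == "ok" and m["number"] not in allowed_numbers]


if __name__ == "__main__":
    merged = correlate(CALLERID_LOG, LOGIN_LOG)
    for rec in merged:
        print(rec["time"], rec["user"], rec["result"], rec["number"])
    for rec in unauthorized_sources(merged, {"2035551234"}):
        print("REVIEW:", rec["user"], "from", rec["number"])
```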
ISDN offers yet another service called Restricted Calling Groups,
which allows you to specify a list of phone numbers that are allowed
to call your telephone number. All other callers are blocked.
Advanced telephone services such as these are only as secure as the
underlying telephone network infrastructure: many corporate telephone
systems allow the corporation to determine what Caller-ID information
is displayed on the telephone instrument of the person being
called—even for calls that terminate on other parts of the
public switched telephone network. Attackers who have control of a
corporate telephone system can program it to display whatever phone
number they desire, potentially bypassing any security system that
depends solely on Caller-ID or Restricted Calling Groups.
10.2.3 One-Way Phone Lines
Many sites set up their modems and
telephone lines so that they can both initiate and receive calls.
Allowing the same modems to initiate and receive calls may seem like
an economical way to make the most use of your modems and phone
lines. However, this approach introduces a variety of significant
security risks:
- Toll fraud can be committed only on telephone lines that can place
outgoing calls. The more phones you have that can place such calls,
the more time and effort you will need to spend to make sure that your
outbound modem lines are properly configured.
- If phone lines can be used for either inbound or outbound calls, then
you run the risk that your inbound callers will use up all of your
phone lines and prevent anybody on your system from initiating an
outgoing call. (Conversely, outbound calls may tie up all of your
lines and prevent people from dialing into your system.) By forcing
telephones to be used for either inbound or outbound calls, you
assure that one use of the system will not preclude the other.
- If your modems are used for both inbound and outbound calls, an
attacker can use this capability to subvert any callback systems (see
the sidebar) that you may be employing.
Your system will therefore be more secure if you use separate modems
for inbound and outbound traffic. In most environments the cost of
the extra phone lines is minimal compared to the additional security
and functionality provided by line separation.
You may further wish to routinely monitor the configuration of your
telephone lines to check for the following conditions:
- To make sure that telephone lines that are not used to call
long-distance telephone numbers cannot, in fact, place long-distance
telephone calls
- To make sure that telephone lines used only for inbound calls cannot
place outbound calls
A callback scheme
is one in which an outsider calls your machine, connects to the
software, and provides some form of identification. The system then
severs the connection and calls the outsider back at a predetermined
phone number. Callback enhances security because the system will dial
only preauthorized numbers, so an attacker cannot get the system to
initiate a connection to his modem.
Callback can be subverted if the callback is performed using the same
modem that received the initial phone call. This is because many
phone systems will not disconnect a call initiated from an outside
line until the outside line is hung up. To subvert such a callback
system, the attacker merely calls the "callback
modem" and then does not hang up when the modem
attempts to sever the connection. When the callback modem tries to
dial out again, it is still connected to the
attacker's modem. The attacker sets his modem to
answer the callback modem, and the system is subverted. This type of
attack can also be performed on systems that are not using callback,
but are doing normal dialout operations.
Some callback systems attempt to get around this problem by waiting
for a dial tone. Unfortunately, these modems can be fooled by an
attacker who simply plays a recording of a dial tone over the open
line.
The best way to foil attacks on callback systems is to use two sets
of modems—one set for dialing in and one set for dialing out.
Ideally, the incoming lines should be configured so that they cannot
dial out, and the outgoing lines should be unable to receive incoming
calls. This is easily accomplished using call-forwarding.
But it is even possible to subvert a callback system that uses two
modems. If the attacker has subverted a phone company switch, he can
install call-forwarding on the phone number that the callback modem
is programmed to dial, and forward those calls back to his modem.
Callback schemes can enhance your system's overall
security, but you should not depend on them as your primary means of
protection.
10.2.4 Protecting Against Eavesdropping
Modems are susceptible to eavesdropping and wiretapping. Older modems, including
data modems that are slower than 9,600 baud, and most fax modems can
be readily wiretapped using off-the-shelf hardware. Higher-speed
modems can be eavesdropped upon using moderately sophisticated
equipment that, while less readily available, can still be purchased
for, at most, thousands of dollars.
How common is electronic eavesdropping? No one can say with
certainty. As Whitfield Diffie has observed, for electronic
eavesdropping to be effective, the target must be unaware of its
existence or take no precautions. It's likely that
there are some individuals and corporations that will never be the
target of electronic eavesdropping, while there are others that are
constantly targets.
10.2.4.1 Kinds of eavesdropping
There are basically six different places where a telephone
conversation over a modem can be tapped:
- At your premises:
Using a remote extension, an attacker can place a second modem or a
tape recorder in parallel with your existing instruments. Accessible
wiring closets with standard punch-down blocks for phone routing make
such interception trivial to accomplish and difficult to locate by
simple inspection. An inductive tap can also be used, and this
requires no alteration to the wiring.
- Outside your window:
In the spring of 2002, researchers at the University of California at
Berkeley discovered that it is possible to determine what information
is being sent over dialup modems by analyzing the Transmit Data and
Receive Data lights (http://applied-math.org/optical_tempest.pdf).
To protect yourself from this attack you should make sure that the
flashing TD and RD lights cannot be observed from outside your
organization, either by appropriately positioning the modem or by
covering the TD and RD lights with black electrical tape.
- On the wire between your premises and the central office:
An attacker can splice monitoring equipment along the wire that
provides your telephone service. In many cities, especially older
ones, many splices already exist, and a simple pair of wires can
literally go all over town and into other people's
homes and offices without anybody's knowledge.
- At the phone company's central office:
A tap can be placed on your line by employees at the telephone
company, operating in either an official or an unofficial capacity.
If the tap is programmed into the telephone switch itself, it may be
impossible to detect its presence. Hackers who penetrate the phone switches
can also install taps in this manner (and, allegedly, have done so).
- Along a wireless transmission link:
If your telephone call is routed over a satellite or a microwave
link, a skillful attacker can intercept and decode that radio
transmission. This is undoubtedly done by intelligence agencies of
many governments, and may be done by some other large organizations,
such as organized crime.
- At the destination:
The terminus of your telephone call can be the location of the
wiretap. This can be done with the knowledge or consent of the
operators of the remote equipment, or without it.
Who might be tapping your telephone lines? Here are some
possibilities:
- A spouse or coworker:
A surprising amount of covert monitoring takes place in the home or
office by those we trust. Sometimes the monitoring is harmless or
playful; at other times, there are sinister motives.
- Industrial spies:
A tap may be placed by a spy or a business competitor seeking
proprietary corporate information. As almost 75% of businesses have
some proprietary information of significant competitive value, the
potential for such losses should be a concern.
- Law enforcement:
In 2001, U.S. law enforcement officials obtained court orders to
conduct 1,491 wiretaps, according to the Administrative Office of the
United States Courts. A large majority of those intercepts, 78%, were
the result of ongoing drug investigations. Wiretaps are also used to
conduct investigations into terrorism, white-collar crime, and
organized crime.
Law enforcement agents may also conduct illegal
wiretaps—wiretaps for which the officers have no warrant.
Although information obtained from such a wiretap cannot be used in
court as evidence, it can be used to obtain a legal wiretap or even a
search warrant. (In the late 1980s and 1990s, there was an explosion
in the use of unnamed, paid informants by law enforcement agencies in
the United States; it has been suggested that some of these
"informants" might actually be
illegal wiretaps.) Information could also be used for extralegal
purposes, such as threats, intimidation, or blackmail.
10.2.4.2 Eavesdropping countermeasures
There are several measures that you can take against electronic
eavesdropping, with varying degrees of effectiveness:
- Visually inspect your telephone line:
Look for spliced wires, taps, or boxes that you cannot explain. Most
eavesdropping by people who are not professionals is easy to detect.
- Have your telephone line electronically "swept":
Using a device called a signal
reflectometer, a trained technician can electronically detect any
splices or junctions on your telephone line. Junctions may or may not
be evidence of taps; in some sections of the country, many telephone
pairs have multiple arms that take them into several different
neighborhoods. If you do choose to sweep your line, you should do so
on a regular basis. Detecting a change in a telephone line that has
been watched over time is easier than looking at a line one time only
and determining if the line has a tap on it.
Sweeping may not detect certain kinds of taps, such as digital taps
conducted by the telephone company for law enforcement agencies or
other organizations, nor will it detect inductive taps.
- Use cryptography:
The best way to protect your communications from eavesdropping is to
assume that your communications equipment is already compromised and
to encrypt all the information as a preventative measure. If you use
a dialup connection to the Internet, you can use cryptographic
protocols such as SSL and SSH to form a cryptographic barrier that
extends from your computer system to the remote server. Packet-based
encryption systems such as Point-to-Point Tunneling Protocol (PPTP)
and IPsec can be used to encrypt all communications between your
computer and a remote server, and you should assume that your
Internet service provider is being eavesdropped upon.
A few years ago, cryptographic telephones or modems cost more than
$1,000 and were available only to certain purchasers. Today, there
are devices costing less than $300 that fit between a computer and a
modem and create a cryptographically secure line. Most of these
systems are based on private key cryptography and require that the
system operator distribute a different key to each user. In practice,
such restrictions pose no problem for most organizations. But there
are also a growing number of public key systems that offer
simple-to-use security that's still of the highest
caliber. There are also many affordable modems that include built-in
encryption and require no special unit to work.
10.2.5 Managing Unauthorized Modems with Telephone Scanning and Telephone Firewalls
Many organizations have policies
that forbid the installation and operation of modems without specific
permission from the site security manager. Each authorized modem is
then audited on a regular basis to assure that it is correctly
configured and complies with the site's policies
regarding banners, usernames, passwords, and so forth.
Because it is so easy to install a modem, many organizations have
modems of which they are unaware. There are two ways to deal with the
threat of these so-called rogue modems:
telephone scanning and telephone firewalls.
10.2.5.1 Telephone scanning
You can use a program called a
telephone scanner to locate unknown and
unauthorized modems. A telephone scanner systematically calls every
telephone number in a predefined range and notes the banners of the
systems that answer. Some telephone scanners can be programmed to
attempt to break into the computer systems that they find by using a
predetermined list of usernames and passwords. There are both free
and commercial telephone scanners available with a wide range of
options. Additionally, some computer-consulting firms will perform
telephone scanning as part of a security audit.
10.2.5.2 Telephone firewalls
In some situations, the risk of penetration by modem is so high that
simply scanning for unauthorized modems is not sufficient. In these
situations, you may wish to use a telephone
firewall to mediate telephone calls between your
organization and the outside world.
Similar to an Internet firewall, a telephone firewall is a device
that is placed between your telephone system and an outside
communications circuit. Typically, a telephone firewall is equipped
with multiple ports for digital T1 telephone lines: instead of
plugging a PBX into a T1 from a telephone company, the PBX is plugged
into the telephone firewall, and the firewall is plugged into the
exterior T1s.
A telephone firewall analyzes the content of every telephone
conversation. If it detects modem tones originating or terminating at
an extension that is not authorized to operate a modem, the call is
terminated, and the event is logged. Telephone firewalls can also be
used to control fax machines, incoming phone calls, and even
unauthorized use of long-distance calls and the use of 800 numbers
and 900 services.
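The core of a telephone firewall's modem detection is recognizing modem signaling in the call audio. The following is an added example (not from the book or any product) of one such check: it looks for the 2100 Hz answer tone that an answering modem sends (ITU-T V.25; fax machines use the same tone) using the Goertzel algorithm on 20 ms frames of 8 kHz PCM. The test signals are synthesized in the block; the 50% energy threshold and the 100 ms minimum duration are assumptions a real product would tune.

```python
import math

SAMPLE_RATE = 8000      # telephone-quality PCM, samples per second
ANSWER_TONE_HZ = 2100   # answer tone sent by an answering modem (V.25 ANS / fax CED)
FRAME_LEN = 160         # 20 ms frames at 8 kHz; bin spacing is then exactly 50 Hz


def goertzel_power(frame, target_hz, sample_rate=SAMPLE_RATE):
    """Squared magnitude of the DFT bin nearest target_hz, via the Goertzel recurrence."""
    n = len(frame)
    k = int(0.5 + n * target_hz / sample_rate)   # nearest integer bin
    coeff = 2.0 * math.cos(2.0 * math.pi * k / n)
    s_prev = s_prev2 = 0.0
    for x in frame:
        s = x + coeff * s_prev - s_prev2
        s_prev2, s_prev = s_prev, s
    return s_prev ** 2 + s_prev2 ** 2 - coeff * s_prev * s_prev2


def tone_ratio(frame, target_hz=ANSWER_TONE_HZ):
    """Fraction of the frame's energy in the target bin (1.0 for a pure on-bin tone)."""
    total = sum(x * x for x in frame)
    if total == 0.0:
        return 0.0
    n = len(frame)
    # For a pure tone of amplitude A, |X_k|^2 = (A*n/2)^2 while sum(x^2) = A^2*n/2,
    # so dividing by total*n/2 normalizes an on-bin tone to 1.0.
    return goertzel_power(frame, target_hz) / (total * n / 2.0)


def detect_answer_tone(samples, min_frames=5, min_ratio=0.5):
    """True if min_frames consecutive frames (5 x 20 ms = 100 ms) are dominated
    by the 2100 Hz tone. Brief speech energy near 2100 Hz does not persist that
    long, which keeps ordinary voice calls from tripping the detector."""
    run = 0
    for start in range(0, len(samples) - FRAME_LEN + 1, FRAME_LEN):
        if tone_ratio(samples[start:start + FRAME_LEN]) >= min_ratio:
            run += 1
            if run >= min_frames:
                return True
        else:
            run = 0
    return False


def synth(freqs, seconds=1.0, amplitude=0.3):
    """Constructed test signal: a sum of sine waves at the given frequencies."""
    n = int(SAMPLE_RATE * seconds)
    return [sum(amplitude * math.sin(2 * math.pi * f * i / SAMPLE_RATE) for f in freqs)
            for i in range(n)]


MODEM_CALL = synth([ANSWER_TONE_HZ])    # constructed: an answering modem's tone
VOICE_CALL = synth([300, 700, 1500])    # constructed: rough stand-in for speech harmonics
SILENCE = [0.0] * SAMPLE_RATE           # constructed: an idle line

if __name__ == "__main__":
    print("modem call:", detect_answer_tone(MODEM_CALL))   # True
    print("voice call:", detect_answer_tone(VOICE_CALL))   # False
    print("silence:   ", detect_answer_tone(SILENCE))      # False
```

A real deployment would also watch for the calling modem's tones and for fax CNG (1100 Hz), and would log the extension and time of each hit rather than just returning a flag.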
10.2.5.3 Limitations of scanning and firewalls
It is important to realize that neither telephone scanning nor
telephone firewalls can do more than detect or control modems that
use telephone lines that you know about. Suppose that your
organization has a specific telephone exchange; in all likelihood,
you will confine your telephone scanning and telephone firewall to
that exchange. If some worker orders a separate telephone line from
the phone company and pays for that line with his own
funds, that phone number will not be within your
organization's telephone exchange and will,
therefore, not be detected by telephone scanning. Nor will it be
subject to a telephone firewall. A cell phone connected to a modem is
also not going to be within your defined exchange.
In many cases, the only way to find rogue telephone lines is through
a detailed physical inspection of wiring closets and other points
where external telephone lines can enter an organization. In an
environment that is rich with authorized wireless devices, it can be
even harder to find unauthorized wireless devices.