Firewall Wizards mailing list archives

RE: Frame relay security


From: Rick Smith <rick_smith () securecomputing com>
Date: Wed, 22 Apr 1998 16:57:05 -0500

I wrote:

I think this hits the nail squarely on the head. If the data owner believes
that attackers have the means and motive to intercept their traffic as it
traverses public telecom networks, then additional security is warranted.
If the data owner doesn't believe the attackers' benefits will outweigh
their costs, then encryption is unnecessary.

At 3:21 PM -0600 4/22/98, Henry Hertz Hobbit wrote:

I have news for you. The public telecom networks are *not* all that
secure. .... I would
advise you that telcos are far more vulnerable than you want to
believe.

I would advise you that Kevin Mitnick was accused of playing these games
over 15 years ago and that the technology has simply improved over the
years. The fact that outsiders can manipulate phone switch behavior makes
it just about as vulnerable as anyone might want to believe.

To repeat my original point -- figure out what you have to lose if someone
interferes with your data. Figure out how difficult and reliable the
defense measures are. Make the trade-off. Lots of people are going to look
for security measures, but some folks aren't.

.... Any system you consider for longer distances would be
best if it had time-based passwords. Please, let's not get into
a discussion of the hacker stealing the password generating
algorithm.

If the long distance link is encrypted with a strong algorithm and key,
then reusable passwords aren't quite as risky. If the link isn't encrypted,
then neither a time-based password nor a challenge-response system like
SafeWord is going to protect you from hijacking, unless you reauthenticate
for each transaction. Some really paranoid SafeWord customers do that, like
a certain bank that got burned for several hundred thousand a few years
back. Hijacking is a risk if you've got hackers in the phone switch.

Rick.
smith () securecomputing com
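
An added illustration of the hijacking point in the message above; it is not part of the original post and is not SafeWord's actual protocol. It models a host on an unencrypted link that either authenticates once at login or demands a fresh challenge-response for every transaction. The class, function names, HMAC-SHA256 construction and the binding of each response to the transaction text are all assumptions made for the sketch.

```python
import hashlib
import hmac
import secrets

def respond(key: bytes, challenge: bytes, message: bytes) -> bytes:
    """Token side: keyed response over the fresh challenge and the message."""
    return hmac.new(key, challenge + message, hashlib.sha256).digest()

class Host:
    """Constructed model of a host reached over an unencrypted link."""
    def __init__(self, key: bytes, per_transaction: bool):
        self.key = key
        self.per_transaction = per_transaction
        self.logged_in = False
        self.challenge = None

    def new_challenge(self) -> bytes:
        self.challenge = secrets.token_bytes(16)
        return self.challenge

    def _check(self, response: bytes, message: bytes) -> bool:
        if self.challenge is None:
            return False
        expected = respond(self.key, self.challenge, message)
        self.challenge = None  # each challenge is single use
        return hmac.compare_digest(expected, response)

    def login(self, response: bytes) -> bool:
        self.logged_in = self._check(response, b"login")
        return self.logged_in

    def submit(self, txn: bytes, response: bytes = b"") -> bool:
        if not self.logged_in:
            return False
        if not self.per_transaction:
            return True  # login-only: anything arriving on the session is trusted
        return self._check(response, txn)

def run(per_transaction: bool) -> dict:
    key = secrets.token_bytes(32)  # secret held by the user's token and the host
    host = Host(key, per_transaction)
    host.login(respond(key, host.new_challenge(), b"login"))
    txn = b"pay 100 to account A"  # constructed sample transaction
    captured = respond(key, host.new_challenge(), txn)
    legit = host.submit(txn, captured)
    # Traffic inserted on the link after login: no key, only a captured response.
    host.new_challenge()
    injected = host.submit(b"pay 900 to account X", captured)
    return {"legit": legit, "injected": injected}
```

With `run(False)` the inserted transaction is accepted because only the login was authenticated; with `run(True)` it is rejected because the captured response matches neither the new challenge nor the new transaction.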



