Information Security News mailing list archives

A Security Pitfall: The Dial-Up Modem


From: InfoSec News <isn () C4I ORG>
Date: Mon, 17 Jul 2000 17:07:51 -0500

Forwarded By: Todd Beebe <todd () internetworking com>

http://www.informationweek.com/794/securit3.htm

By George V. Hulme

Crackers don't always use direct and obvious means--such as
deciphering a user ID or a personal identification number--to launch
an assault on a company's network. Sometimes they slither in through a
poorly secured dial-up connection.

One of the most widely used--and overlooked--points of entry into a
company's network is dialing in through an analog modem. Hackers call
a company's phones, one after another, or use "war dialers" to sweep
the company's extensions, hoping to stumble on an open modem to answer
the call.

Once the modem answers, it's only a matter of seconds before the
hacker has access to the data on the client, which could be a notebook
user dialing in from the road or an employee logging on from a home
PC, and possibly the corporate network itself. These breaches bypass
most intrusion-detection systems, so companies won't even know they've
been cracked.

At hard-disk suspension manufacturer Hutchinson Technology in
Hutchinson, Minn., corporate security manager Ron McKinnon says he got
the idea to scan dial-up modem use among notebook-using and remote
employees after attending a class titled "How To Hack Your Own
Network." "Analog access is something most companies really don't
consider," he says, "but it's apparently one of the first things an
external hacker will look at."

InformationWeek Research's Global Security Survey backs this up: Only
28% of companies say they use dial-back or secure modems within their
operations.

Early this spring, McKinnon and his security team set out to discover
exactly what was going on within the company's 3,800 phone extensions.
They chose SecureLogix's distributed scanning tool, TeleSweep Secure.
McKinnon says they immediately found suspect events on the phone
lines. "We identified 38 active, unauthorized modem connections that
had been doing everything from running PCAnywhere to accessing the
AS/400," says Archie Woodworth, information protection specialist at
Hutchinson. The team also noticed incoming modem calls being made to
the PBX system and attempts to connect through the voice-mail system.

Woodworth says Hutchinson has obtained a list of extensions in the
company where unauthorized modem calls originate, as well as
extensions receiving inbound modem calls. "Once we get a handle on all
of that, we'll be able to restrict which outbound numbers we can allow
modemers to call and restrict which inbound destination numbers can
receive modem calls," he says. Hutchinson will use SecureLogix's
TeleWall to limit or block unauthorized traffic on the phone system.
The company will set up TeleWall to let only approved dial-up users
through. Says McKinnon, "All other modem calls will be blocked."

ISN is hosted by SecurityFocus.com