Last month we talked about remote access and the risks of passive attacks such as password sniffing and other dangers such as data interception. This month I would like to comment on modem access.
With the explosive growth of the Internet (and the explosive amounts of hype along with it), traditional security policies and procedures are being ignored and lost in the hype surrounding firewalls and other Internet security technologies. One of the more commonly ignored security problems is modems and network dialups onto the corporate intranet. With the proliferation of personal "fax" modems on employee desks, it is nearly impossible for a support staff to maintain, audit and police these access methods.
War dialing was popularized by the 1983 hacker-classic movie "War Games," in which a young man innocently stumbles onto a direct connection with a military computer while looking for new games and BBSs. Wardialing is a classic technique used by system crackers. In days past, hackers would mass-dial tens of thousands of phone numbers to find open systems from which to make further assaults. This is the ancient technique of sequentially searching through exchanges of phone numbers seeking modem dialups or other "useful" numbers such as phone company diagnostic lines.
In the San Francisco Bay Area, over one percent (1%) of phone lines are answered by a modem. Thus the effort of wardialing is such that a computer cracker can scan an exchange in a matter of days or less.
Unfortunately, to date there has been little written or documented on the results of "wardialing".
The author, Peter Shipley, will be publishing a report and analysis of the data obtained from over a year of wardialing. The following is a short list of what was discovered to have no password protection (all parties have already been notified):
- A Fortune 100 company's air conditioner and environmental control units were accessible by modem and could easily be changed, enabling a hacker to overheat buildings or kill lights at will.
- Corporate dialup network access lines, allowing anyone to access the company's intranet.
- Medical records for several Bay Area facilities.
- The Oakland Fire Department's computerized dispatch computers.
The controlling consoles for many corporate firewalls in Silicon Valley were also discovered to be so poorly configured that intruders could easily gain full access to the firewall and the network behind it.
It can easily be observed that the risks of unauthorized modem access are as great as those of unauthorized Internet access.
Other risks include employees setting up and installing software on their desktop systems to allow themselves unrestricted access to the corporate intranet. Reasons for this can be telecommuting or just stealing free Internet access via the office LAN.
As with any other remote access method, the selection of a good password for authentication is crucial (this will be the topic of an upcoming article). Given a list of four hundred and thirty (430) of the most common passwords, it is possible to try to log in to the ten (10) most common account names in less than eight (8) hours, even with a five (5) second delay between bad login attempts and the modem connection being automatically dropped after four (4) failed attempts. This is a very important number, since these eight hours can pass at night when everyone is at home asleep, allowing the intruders to access a system and cover their tracks before anyone returns to work in the morning.
Recommendations:
- Restrict use of desktop modems. Desktop modems are an inefficient use of company resources compared to centralized dialup and fax modems. Also by centralizing
- Require a one-time password or a separate password for dialup access. It is very important that a user's login password and access password are different.
- Remove identifying information from login / connect banners. By identifying yourself or your system type you can be unknowingly inviting system crackers to break into your system/site.
- Place warning "no trespassing" banners on all external login banners. This legally protects you from intruders and makes it easier to convict the electronic trespassers if you so choose. Do not under any circumstances place a "Welcome" message on the login banner.
- If an employee must have a dial-out modem on his/her desk, make sure that inbound dialup access is blocked.
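The banner recommendations above (no identifying information, a "no trespassing" warning, no "Welcome") can be checked mechanically when auditing your own dialups. The following Python sketch is an added example, not code from the original article; the pattern lists, the `audit_banner` function and both sample banners are constructed assumptions to adapt to your own site.

```python
import re

# Assumed, non-exhaustive patterns for information a banner should not reveal.
IDENTIFYING = {
    "operating system or product": re.compile(
        r"\b(sunos|solaris|irix|hp-ux|aix|ultrix|linux|bsd|unix|vms|"
        r"windows|cisco|netware)\b", re.I),
    "version string": re.compile(r"\b\d+\.\d+(?:\.\d+)*\b"),
    "host or domain name": re.compile(
        r"\b[a-z0-9-]+(?:\.[a-z0-9-]+)*\.(?:com|net|org|edu|gov|mil)\b", re.I),
}
WELCOME = re.compile(r"\bwelcome\b", re.I)
WARNING = re.compile(
    r"\b(unauthori[sz]ed|authori[sz]ed (?:users?|use) only|"
    r"no trespassing|prohibited)\b", re.I)

# Constructed sample banners, as captured from a login prompt.
BAD_BANNER = ("Welcome to Example Corp dialup\n"
              "SunOS Release 4.1.3 (gw.example.com)\nlogin:")
GOOD_BANNER = ("WARNING: Unauthorized access to this system is prohibited.\n"
               "All connections are logged and violators will be prosecuted.\n"
               "login:")

def audit_banner(banner, org_names=()):
    """Return a list of findings; an empty list means the banner passes."""
    findings = []
    for label, pattern in IDENTIFYING.items():
        match = pattern.search(banner)
        if match:
            findings.append(f"identifies {label}: {match.group(0)!r}")
    # Organization names are site-specific, so the caller supplies them.
    for name in org_names:
        if re.search(re.escape(name), banner, re.I):
            findings.append(f"identifies organization: {name!r}")
    if WELCOME.search(banner):
        findings.append("contains a welcome message")
    if not WARNING.search(banner):
        findings.append("missing no-trespassing warning")
    return findings

if __name__ == "__main__":
    for title, text in (("bad", BAD_BANNER), ("good", GOOD_BANNER)):
        print(title, audit_banner(text, org_names=["Example Corp"]) or "OK")
```

Run it against the banner text captured from each external dialup or login prompt, and treat any finding as a banner to rewrite.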