In the battle for network security, go to war over your modems
Ironically, network security scanners do not perform the one security check that inspired network scanning: war dialing. When "global network" meant the public switched telephone network, probing remote systems for vulnerabilities boiled down to scripting modems to dial lists of numbers to see which answered with computer-friendly greetings. According to folklore, the 1980s movie WarGames gave rise to the term "war dialing" to describe this technique, and in the decade since, dial-up resources have remained the most overlooked portion of a company's network security assessments.
At least that is what Peter Shipley, an independent security researcher and chief security architect at San Francisco-based consultancy KPMG, believes. He has been conducting the largest war-dialing study to date in the San Francisco Bay area, targeting nearly 6 million phone numbers to gauge exposure of information systems to dial-up risk. The study is not yet complete (it will be published on www.dis.org), but results so far show that corporations have more to fear from the analog dial tone than public data connections.
"It appears to be just as easy to break in to most organizations over phone lines as via the Internet in most cases," Shipley says.
More than 80 percent of answering systems give some significant information, such as DNS host name, and a few even give away the whole store, such as configuration-enabled Cisco router prompts. In addition to dial-up routers and PBXes, Shipley is alarmed by the number of electromechanical control systems accessible by modem, such as a building's lighting, temperature, and burglar alarm equipment. Remote manipulation of such systems could bring new meaning to the network denial-of-service attack.
Shipley thinks the problem boils down to IT managers' ignorance of the phone network as the primary access point into most businesses, as well as a lack of policy controls on modem distribution.
"Many companies take the 'petty cash' approach, allowing just about anyone to requisition a modem and phone line with little or no accountability. It becomes extremely difficult to assess one's exposure to attack in such an environment, where the total number of modem lines may not even be known," Shipley says.
Shipley also cites three common mistakes made by staffers who use dial-up resources. Most modems are set up by nonexperts. Even security-savvy personnel may assume that because the modem is behind a firewall, standard security practices do not apply, such as not using easily guessed passwords. Also, remote users intentionally configure dial-in access for ease-of-use rather than for security.
The best way to address these issues is with policies, but how do you assess users' compliance? Keep a tight inventory on your phone lines and add war-dialing software to your network security assessment munitions to check for the lines you miss.
Shipley relies on the venerable ToneLoc freeware DOS-based war dialer (www.paranoia.com/~mthreat/toneloc), but uses custom Unix scripts to load and analyze the output of his massive war-dialing effort. Another popular tool is the freeware THC scan (www.infowar.co.uk/thc). PhoneSweep from Sandstorm Enterprises (www.phonesweep.com) is a commercial tool.
These software products are easy to install and use to automatically dial sequential blocks of phone numbers and record results. One note of caution: Automated dialing of resources without the owners' permission is illegal in many jurisdictions, so obtain the proper consent first.
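The dialers above only record which numbers answered and what they said; the audit value comes from triaging those results the way Shipley describes (flagging banners that leak a DNS host name, expose a configuration-enabled router prompt, or belong to a building control system) and reconciling them against the phone-line inventory to find the lines nobody knew about. The following Python script is an added example for that post-scan step, not code from the article or from ToneLoc, THC-Scan or PhoneSweep. The result format, the sample numbers (fictional 555-01xx lines) and the line inventory are all constructed; a real dialer's log format differs and would need its own parser.

```python
import re
from dataclasses import dataclass

# Constructed war-dialer output in a hypothetical "number status banner" format.
# This is NOT ToneLoc's or PhoneSweep's real log layout; it stands in for one.
SAMPLE_RESULTS = """\
415-555-0101 CARRIER login: corp-gw1.example.com
415-555-0107 CARRIER User Access Verification Password:
415-555-0112 CARRIER Router#
415-555-0119 CARRIER Building HVAC Controller v2.1 >
415-555-0120 CARRIER
415-555-0133 VOICE
"""

# Constructed telecom inventory: the modem lines the IT group knows it owns.
KNOWN_LINES = {"415-555-0101", "415-555-0107"}


@dataclass
class Finding:
    number: str
    status: str            # CARRIER, VOICE, ... as recorded by the dialer
    banner: str            # first text received after connect ("" if none)
    label: str = ""
    severity: str = ""
    inventoried: bool = False


# Ordered triage rules: first match wins, so specific patterns come before generic ones.
RULES = [
    ("privileged router prompt (config access)", "critical", re.compile(r"\S+#\s*$")),
    ("building control system", "critical",
     re.compile(r"\b(hvac|alarm|lighting|controller)\b", re.I)),
    ("router/switch login prompt", "high", re.compile(r"user access verification", re.I)),
    ("DNS host name disclosed", "medium",
     re.compile(r"\b[a-z0-9-]+(\.[a-z0-9-]+)+\.[a-z]{2,}\b", re.I)),
    ("generic login banner", "low", re.compile(r"login|password|username", re.I)),
]

LINE_RE = re.compile(r"^(\d{3}-\d{3}-\d{4})\s+(\w+)\s*(.*)$")


def parse_results(text):
    """Turn the dialer's result lines into Finding records; skip malformed lines."""
    findings = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if m:
            number, status, banner = m.groups()
            findings.append(Finding(number, status, banner.strip()))
    return findings


def classify(banner):
    """Map a captured banner to a (label, severity) pair using RULES."""
    if not banner:
        return ("carrier, no banner captured", "unknown")
    for label, severity, pattern in RULES:
        if pattern.search(banner):
            return (label, severity)
    return ("unrecognized banner", "low")


def assess(text, inventory):
    """Parse, classify and mark each answering line as inventoried or not."""
    findings = parse_results(text)
    for f in findings:
        f.inventoried = f.number in inventory
        if f.status == "CARRIER":
            f.label, f.severity = classify(f.banner)
        else:
            f.label, f.severity = ("no modem answered", "none")
    return findings


def unknown_modem_lines(findings):
    """Modem lines that answered but are absent from the inventory: the ones you missed."""
    return sorted(f.number for f in findings
                  if f.status == "CARRIER" and not f.inventoried)


def summarize(findings):
    """Count answering modem lines by severity for the assessment report."""
    counts = {}
    for f in findings:
        if f.status == "CARRIER":
            counts[f.severity] = counts.get(f.severity, 0) + 1
    return counts


if __name__ == "__main__":
    results = assess(SAMPLE_RESULTS, KNOWN_LINES)
    for f in results:
        flag = "" if f.inventoried else "  <-- not in inventory"
        print(f"{f.number}  {f.severity:8}  {f.label}{flag}")
    print("unknown modem lines:", unknown_modem_lines(results))
    print("severity counts:", summarize(results))
```

The rules are deliberately ordered so that a banner leaking both a host name and a login prompt is reported at the higher concern (the host name), and anything that answers with a `#` prompt or building-control wording is escalated regardless of whether the line is inventoried, since Shipley's point is that those are the systems with the greatest consequence.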
Keeping an open mind about all of the possible methods of access during a network security audit is paramount, and analog phone lines are no exception. Familiarize your staff with the issues and consider a war-dialing effort of your own, or you may end up just one more statistic in Shipley's database.