Copy Link
Add to Bookmark
Report
The United Phreakers Incorporated Newsletter Volume 1 Issue 3
(*)(*)(*)(*)(*)(*)(*)(*)(*)(*)(*)(*)(*)(*)(*)(*)(*)(*)(*)(*)(*)(*)(*)(*)(*)(*)
(*) (*)
(*) The Lost Avenger And United Phreaker's Incorporated Proudly Presents (*)
(*) (*)
(*) UPi Newsletter Volume #1, Issue #3 (*)
(*) (*)
(*) What Corporate Users Should Know About Data Network Security (*)
(*) (*)
(*) Copyright 1991 - All Rights Reserved (*)
(*) (*)
(*)(*)(*)(*)(*)(*)(*)(*)(*)(*)(*)(*)(*)(*)(*)(*)(*)(*)(*)(*)(*)(*)(*)(*)(*)(*)
This article was originally published in Telecommunications - North America
Edition May 1990. This article was republished without permission.
What Corporate Users Should Know About Data Network Security
By Stephen T. Irwin
As network security becomes more critical, new approaches to preventing
unauthorized use are evolving. Which kind of system is right for you needs?
----------------------------------------------------------------------------
Sometime late night last year, hackers repeatedly broke into the network of
the National Aeronautics And Space Administration (NASA) (TLA: Fucking right!)
and helped themselves to free telephone service from one of the nation's most
technically sophisticated agencies. Whether the purloined long-distance
charges totaled over $12 million (TLA: Hmm, I think that's a little too high of
a estimate), as reported in the Houston Chronicle, or "only" $10,000 (TLA:
Naa!, I don't think that is accurate either), as NASA estimates, cannot be
determined. In an alarming admission of its inability to monitor access to the
highly sensitive network, NASA says that it does not know exactly how much was
illegally charged to the agency.
The break-in NASA is just one in a series of many such incidents that have
brought into sharp relief the problem of protecting computer networks against
theft and damage by unauthorized users. A recent government report, "Computers
at Risk," stated that the nation's "computer and communications systems are
vulnerable to potentially catastrophic security breaches..." Experts estimate
that computer crime costs American business millions of dollars a year.
In response to this threat, vendors have devised a variety of network
access control devices designed to limit access to host computers. Available
security systems fall into five major categories. They are:
o host resident-based security software (TLA: No big deal.....easy to
get though)
o encryption devices that encode the data before transmission and decode
it upon arrival at it destination (TLA: Ahh, ok this isn't too hard.
They is a ways to get by this but is hard to come by)
o call-back systems that call-back preprogrammed phone numbers (TLA:
again no problem here to get by this security feature)
o handheld password generators (TLA: It's hard to say anything about
this one as I don't have much information on this type of security)
o physical token or magnetic cards that are actually inserted into the
remote computer or terminal and "read." (TLA: This sucks you have to
be right at the terminal or PC in order to access this. But kind of
stupid to since you can loose you key or card and then you screwed)
These systems have advantages and disadvantages that must be weighed
carefully by the telecom manager in light of the security needs of his or her
company's computer system and the price/performance trade-offs of each
solution. What follows is an examination of the leading security methods,
analyzing their advantages, disadvantages, and cost-effectiveness.
Host Computer Security Software
Resident on the host computer, this method utilizes a password system that
is relatively east to use - which is simultaneously its biggest advantage and
disadvantage. The user at the remote site must first enter his or her computer
the password, which is then transmitted through to the security software on the
host. if incorrect, the password is rejected, and the remote user is blocked
from further access.
In theory, a password system is relatively secure. In practice, it is
highly vulnerable approach. Passwords are generally widely available among the
staff (in some cases, employees even tape the password to the side if their
computer). It is a simple matter for outsiders (or former employees) to obtain
a password from firebds within the company and break into the system, resulting
in theft of information or damage to data.
Depending on the specific package utilized, hostbased computer software can
be expensive and timeconsuming to install, and can tie up the system
administrator's time. If a password system is selected or already in use, it
important to change the password at least once a month - preferably one a week.
Keep in mind, however, that passwords are child's play for computer criminals
(TLA: Hehe, like me) - particularly if the password is an actual work rather
than an arbitrary string or letters and numbers. Computer thieves use simple
spelling checkers to randomly generate almost an infinite number of words until
they finally break in.
(TLA: I have noticed for this type of security method that some accounts on a
system have no passwords at all which means that the system is open to hackers.
There is also the possibility that you can get into the system using the system
default passwords (if there is any). Also, I have noticed that some account
use personal information for the passwords or a lame number/word combination
too. For example 1234 or the account name as the password or the guys real
name for the password. So seriously that really puts the type of system method
down the drain as for reliable and secure.)
Encryption
The encryption method generates an unreadable version of the data stream
and is generally used when transmitting highly sensitive data, such as
financial transfers between banks and other institutions. Most commercially
available devices utilize the Data Encryption Standard (DES) algorithm to
encrypt data. Most banks, however, use a MAC system of encryption in which the
information is transmitted in readable form. Included with that information is
transmitted in readable form. Included with that information is an encrypted
message - based on the information transmitted - which will be incorrect if the
information is changed or intercepted in any way. In other words, even if
someone does break into the system and transforms a $1000 credit into $1
million, the interference will be detected.
Encryption systems are available as hardware, software, or a combination of
the two. While the encrypted information itself is highly secure, in order to
crack the code, a data thief must have a great deal of time and access to some
heavy computing power. Thus, encryption methods of and by themselves do not
necessarily ensure that the information is being accessed by an authorized
user. Nor can users who are authorized to access some information be barred
from accessing other data, unless the system has the ability to exchange
"session" keys.
The identification of authorized users in an encryption system requires the
use of additional methods (and expense), such as software resident on the host
computer. Encryption systems can also incur additional user of additional
expense and administrative time as the needs of the system change. System
administrators must initially set up the data access between the designated
encryptors - not to mention the synchronization headaches that occur when
locations of the devices are changed from one site to another. This can be a
major problem when the system is expanded to accommodate a larger number of
units and telephone lines.
Also, to ensure the highest level of security, encryption devices are
usually physically transported to the host site, where the "encryption key" is
installed into the nonvolatile memory of the encryptor (or modem/encryptor) via
the data port or a dedicated security port. It is possible to send the key to
remote devices through the mail - which, of course, can be intercepted by a
determined data thief.
If the system manager wants to permit access to remote users for a specific
time or application, a random one-time-only session key can be exchanged.
(TLA: Hmm, this is kind of hard to get by as the key can be changed at any time
and making hacking it hard to do.) A cryptographic fragment (based on the ANSI
X-17 protocol) is generated, sent to the remote user's modem or encryptor
device, used for the duration of the transmission, and the becomes invalid.
(TLA: Well as for type of security I find that it's kind of hard to get by unless
you have the right decryption code. Which for the Data Encryption Standard
(DES) method is virtually impossible to get as there is hundreds of
possibilities for the code. But then again nothing is impossible when you are
a hacker.....hehe)
Call-Back
The highly publicized, sometimes spectacular computer break-ins in the
1980s fueled the development of the call-back system. Today, the majority of
the network security devices in the market are call-back systems. They work in
the following way: when the remote user dials in, the call-back unit intercept
the call. These units can be configured on either the analog or digital side
of the host modem. The user user then inputs a code or access number, which
the call-back unit checks against its library of authorized users. The host
computer then calls back the user at an authorized phone number, the user
signals back and is allowed access to the computer.
A variety of call-back systems can be put into place. Some systems allow
users to enter a variety of phone numbers so that they can access the host
computer from several sites (a type of "roaming" call-back). Some systems
support a secure call-in mode whereby the caller enters an access code and is
then passed directly to the host computer. Most systems incorporated a type of
automatic disconnect after several unsuccessful attempt have been made at
entry.
Another feature of some call-back systems is a type of host port
"deception" in which would-be illegal entrants cannot determine whether or not
they have reached a modem. Some devices user voice synthesis requesting a code
in order to "veil" the modem tone and disconnect if the code is invalid. (TLA:
Come on a code?? That's the worst type of security method I have heard of.
All you need to hack the code out is a program like Fuckin' Hacker or Code
Thief. Geeze how lame!)
A well-designed call-back system, such as Millidyne's Auditor system,
should support what is know as modem-interchanged control (MI-MIC), which
actually changes the modem's way of operating. This feature is advantageous
because of the ability of a determined thief to piggyback onto phone calls in
the instant when the remote user has hung up and the computer is calling back -
an event known as "glare". Computer criminals with their "demon dialer"
programs capable of automatically redialing a number will eventually seize on
the return phone calls by the computer and gain access.
To be effective, MI-MIC must be supported by both the local and remote
modems. The call-back device, when calling back the designated number,
actually seizes control of the remote modem by activating its MI-MIC Support
leads. The host modem then acts as if it had initiated rather than answered
the call. This serves two functions to foil would-be illegal entrants into
the system. First, the modems assume reverse transmit and recieve frequencies
so that even if the illegal user gets a return call from the host modem,
his/her modem will not be able to exchange handshake protocols with host modem.
Second, because the remote modem does not answer by transmitting an answer-back
tone, the illegal entrant will not be aware that there was another modem on the
line.
Call-back systems offer many advantages for the system administrator. They
are considered among the more secure systems on the market, and they are
cheaper than using leased lines, which are generally not cost-effective for
smaller companies.
Most call-back systems have the ability to audit network activity and
produce management reports, logging line activity, point-of-access origin,
failed calls, network usage per user, etc. Productivity, as well as security,
can be improved with these call-back system reports. Call-back systems are
also less expensive than encryption devices, and are easier to maintain.
According to some estimates, encryption can cost as much as 50 percent more
than call-back devices.
Call-back systems, however, have some disadvantages. Telephone cost are
high because the company assumes the cost when the system returns the call (and
costs accelerate when data are transmitted for long stretches of time).
However, many less expensive telecom options, such as WATS, or various MCI or
Sprint services (TLA: How about AT&T?), can support call-back devices. And for
employees calling the computer from a remote location, utilizing the company's
WATS line or other discount telecom service is cheaper than billing the call to
a credit card.
Call-back functions, however, cannot be supported if the call is
intercepted by a hotel operator, office receptionist, or other human voice.
(Call-back, however, can be accomplished if the PBX utilizes voice synthesis,
allowing the call to be passed through after the extension is entered.) While
many call-back systems can be configured to allow a password and direct
password through option to be utilizes for travelers, it is a less secure
option. (This of course assumes that the hotel is equipped with an RJ-11
jack.)
(TLA: Well it might not cost as much to go through a service such as MCI or
Sprint or a WATS line but still is going to cost quite a lot anyways, if you
have a lot of people logging on and then have the system has to call you back.
As for the direct passwords and normal password they aren't that hard to get
through. As I mention earlier in this article there might be stupid people who
don't even use one. - See above for more information -)
Other Options
About the size of a pocket calculator, the portable password generator
can be issued to authorized personnel when a call-back is either impossible or
undesirables. Each handheld password generator has a unique encryption key
tied to the user's personal identification number (PIN). In response to a
challenge from the network access control device (after the user enters his/her
PIN number), the handheld device - which shares the same encryption algorithm
as the access control device - generates a unique password that the user then
enters into his PC or terminal. If correct, the user is passed through to the
host computer.
This system has advantages of enhanced security over a password-only
system, yet requires only one phone call with no call-back in order to be
effective. This is a cost-effective, relatively inexpensive and secure
network access system.
Finally, token devices are physical "keys" or magnetic cards that enable
users to make to make one call to the host system. The caller accesses the
host computer via a PC or terminal, and then, in order to obtain
authentication, inserts a magnetic card or key into a reader or lock on the PC
or terminal when asked to do so by the host computer. If correct, the caller
is passed directly to the computer.
The token system's disadvantages is that if a card or token is lost or
stolen, a data thief can easily access the network. To maintain security, the
lost tokens must be reported to the system administrator quickly so they can be
immediately disabled.
QSD Mailbox (NUA: 208057040540): UPi
Member Listing
Founder/President: The Lost Avenger (416)
Vice President: Scarlet Spirit (416)
Couriers: The Serious One (819)
Programmers: Logic Master (514)
Writers: Dantesque (416), Master Of Gold (Argentina)
Node Listing
-------------------------------------------------------------------------------
Node BBS Name Area Baud Megs BBS Sysop
Number Code Rate Program
-------------------------------------------------------------------------------
WHQ The Violent Underground 416 2400 85 Pc Board The Lost Avenger
Node #1 The Shining Realm 416 2400 95 Telegard Scarlet Spirit
-------------------------------------------------------------------------------
