callbacks: use a different line

Dan Franklin dan at watson.bbn.com
Thu Dec 22 03:51:09 AEST 1988


As more people are trying to beef up security by having the system call
them back to log in, it's probably worth a reminder: don't use the same
telephone line (number) to call in and out.  That would render the
callback mechanism completely useless.  The reason is that there is no
reliable indication from the phone company to your modem that a caller has
actually hung up.  A penetrator can merely call in, request a login, cut
off the modem carrier and stay on the line, simulating a dial tone if your
modem checks for it (but many don't even do that).  The modem can *try* to
hang up, but with many phone systems the caller can keep the line open, at
least for a little while.  If the caller does get hung up, a quick redial
can often reestablish the connection before the modem starts dialing.
Even if the callback software checks for a ring indication and aborts the
procedure any time it gets one, there is still a timing window you can get
through if you're persistent.

Even using a different line is not a defense, if the number can be
discovered.  The penetrator can just call it ahead of time.  You must use
a separate, unrelated (and unlisted) set of phone numbers.  It's best if
the numbers have a different exchange prefix, to make finding them really
difficult.

Disclaimer: I'm not a security expert, and this information is several
years old.  But phone systems don't change all that quickly, so I suspect
it's all still true.

	Dan Franklin
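An added illustration, not part of Dan's post: a small Python model of the callback procedure he describes, with the line-holding and quick-redial behaviour as constructed flags, showing why dialling back on the inbound line reaches whoever is still on it rather than the registered number.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass
class PhoneLine:
    """One exchange line; held_by is the party currently keeping the loop open."""
    number: str
    held_by: Optional[str] = None


@dataclass
class Caller:
    """Constructed model of the far end's behaviour after our modem hangs up."""
    name: str
    holds_line_after_hangup: bool = False  # keeps the loop open despite our hangup
    redials_quickly: bool = False          # re-rings us before our modem dials out


def modem_hangup(line: PhoneLine, caller: Caller) -> None:
    """Our modem drops carrier; whether the loop clears depends on the far end."""
    if not caller.holds_line_after_hangup:
        line.held_by = None
    if caller.redials_quickly and line.held_by is None:
        line.held_by = caller.name  # wins the timing window before we dial


def dial_out(line: PhoneLine, number: str) -> str:
    """Return which party the outbound call actually reaches."""
    if line.held_by is not None:
        return line.held_by  # loop never cleared: we are still talking to the caller
    return number


def callback_login(inbound: PhoneLine, outbound: PhoneLine,
                   caller: Caller, registered_number: str) -> str:
    """Caller dials in and requests a login; we hang up and call the registered number."""
    inbound.held_by = caller.name
    modem_hangup(inbound, caller)
    return dial_out(outbound, registered_number)


if __name__ == "__main__":
    line = PhoneLine("555-0100")  # constructed numbers
    persistent = Caller("persistent caller", holds_line_after_hangup=True)
    print(callback_login(line, line, persistent, "555-0199"))  # same line: wrong party
    separate = PhoneLine("777-0150")
    print(callback_login(PhoneLine("555-0100"), separate, persistent, "555-0199"))
```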