Great Circle Associates Firewalls
(February 1994)
 


Subject: Re: Dial-up security
From: smb @ research . att . com
Date: Wed, 02 Feb 94 18:42:23 EST
To: Adam Shostack <adam @ bwh . harvard . edu>
Cc: firewalls @ GreatCircle . COM

	 Another mode of assault would be to break security on the
	 telephone switch to reroute calls leaving your site.  I'm not
	 sure of the current feasibility of an attack, but a few years
	 back, such phone rerouting was not impossible.  (NB: This may
	 be urban legend; I never did it, or saw it done.  Does someone
	 with more telephone knowledge care to comment?)

It's happened, though not necessarily for computer hacking.  See Hafner
and Markoff's ``Cyberpunk''.  My favorite example (I think it's in
there, but a few minutes perusal of the index couldn't find it) was
when the probation office in Delray Beach, Florida, had its phone
number busy-forwarded to Dial-a-Porn in New York.

	 S/Key on the modem ports?  S/Key is a one-time password
	 scheme available from thumper.bellcore.com.  It would allow
	 anyone to get to your login prompt, but only authorized users
	 (in theory) could get by it.  There are also smart card
	 solutions such as SecurID.

The big advantage of S/Key over SecurID is that the host doesn't have
to keep any secret more sensitive than a hashed password (which is bad
enough, but not nearly as bad as a cleartext key).  For this reason,
I'm coming more and more to the conclusion that if you can't afford a
dedicated authentication server or a public-key based mechanism, S/Key
(or some other implementation of Lamport's algorithm) is by far the
best choice.  (Before you ask, Lamport's paper is in the November '81
CACM.)

The big disadvantage is that I don't know of any hardware
implementations.  It might be a nice hack to write one for a palmtop
computer.
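The property smb relies on above (the host stores only a hash, and a
stolen copy of it does not yield the next password) is what Lamport's
hash-chain scheme gives you.  The following is an added illustration,
not code from this thread and not the S/Key distribution itself: S/Key
used MD4 folded to 64 bits over a seed plus passphrase, whereas this
sketch uses SHA-256 over a random seed and hypothetical `Host` and
`Client` classes chosen for the example.  The host keeps H^n(seed) and a
counter; each login sends the preimage H^(n-1)(seed), which the host
checks by hashing once and then adopts as the new stored value, so a
replayed password fails and a host compromise reveals nothing that lets
an attacker log in next time.

```python
import hashlib
import secrets


def h(data: bytes) -> bytes:
    """One step of the chain.  SHA-256 stands in for S/Key's folded MD4 (assumption)."""
    return hashlib.sha256(data).digest()


def make_chain_head(seed: bytes, n: int) -> bytes:
    """Client side: H^n(seed).  The host stores this; it never sees `seed`."""
    v = seed
    for _ in range(n):
        v = h(v)
    return v


class Host:
    """Hypothetical login host.  Holds only the current chain head and a counter."""

    def __init__(self, head: bytes, n: int):
        self.head = head   # H^n(seed): no more sensitive than a hashed password
        self.n = n         # number of one-time passwords still usable

    def verify(self, otp: bytes) -> bool:
        if self.n <= 0:
            return False                # chain exhausted; user must re-initialise
        if h(otp) != self.head:
            return False                # wrong value, or a replay of an old one
        self.head = otp                 # advance: the accepted value is the new head
        self.n -= 1
        return True


class Client:
    """Hypothetical user side (the palmtop calculator smb wishes for)."""

    def __init__(self, seed: bytes, n: int):
        self.seed = seed
        self.n = n                      # next password to emit is H^(n-1)(seed)

    def next_password(self) -> bytes:
        if self.n <= 0:
            raise RuntimeError("one-time password chain exhausted")
        self.n -= 1
        return make_chain_head(self.seed, self.n)


def demo(n: int = 5) -> dict:
    """Walk a short chain: three logins, one replay, then run it to exhaustion."""
    seed = secrets.token_bytes(16)      # constructed at random for the demo
    client = Client(seed, n)
    host = Host(make_chain_head(seed, n), n)

    first_logins = [host.verify(client.next_password()) for _ in range(3)]

    # An eavesdropper who captured the last password gets nowhere: the host
    # now expects its preimage, and H(old) == old is not going to happen.
    last_used = host.head
    replay_rejected = not host.verify(last_used)

    # Use up the remaining passwords, the last of which is the seed itself (H^0).
    remaining = [host.verify(client.next_password()) for _ in range(n - 3)]
    exhausted = not host.verify(seed)   # counter is zero, nothing is accepted

    return {
        "first_logins": first_logins,
        "replay_rejected": replay_rejected,
        "remaining": remaining,
        "exhausted": exhausted,
        "host_counter": host.n,
    }


if __name__ == "__main__":
    print(demo())
```

Note the operational caveat the scheme carries: the counter runs down,
so a user with 5 passwords gets 5 logins and must re-initialise the
host with a fresh H^n before the chain is spent.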

