Great Circle Associates Firewalls
(July 1994)


Subject: Re: Security of Appletalk and Dial back modems
From: shibumi @ cisco . com (Kenton A. Hoover)
Date: Sun, 24 Jul 1994 17:26:44 -0700
To: John Gibbins <johng @ ichr . uwa . edu . au>, firewalls @ GreatCircle . COM

At 19:07 20/07/94, John Gibbins wrote:
>I have a user who is trying to tell me that allowing him to log into
>a Mac behind our firewall via a dial-back modem (i.e. not through the firewall)
>will not reduce the security of our network.

>I would be very interested in any comments that people on this group have
>about doing this.  In particular:
>1) Security of dial back modems.
>2) Security of Appletalk Remote Access (the software he wants to use which
>   allows his Mac at home to appear to be directly on the ethernet).
>3) Security of Appletalk (Ethertalk) generally.

Well, it's not by definition secure.  Any device plugged into the network
can play.  Some services (like AppleShare) are protected by pretty tight
security mechanisms.

>His arguments saying that it is safe consist mainly of:
>1) The phone number is not listed so no one will find it.

I don't know; a wrong number with a modem answering would be awfully
suspicious to me.  Would he assume that you can protect your University
dial-ins the same way?  I wouldn't think so...

>2) They will not be able to subvert the dial-back process.

How to subvert dial-back, the cheap and easy way:

Requires: physical access to the Telco demarc at their house

1) Find your target user.  You'll need a source of identifying information.
You can use a modem connected in parallel to sniff stuff off, or get the
information through other means.  Depending on how inside you are to the
target, you may not need this step.  If you can work out some elements of
the target site's security practices and equipment, you may also be able to
skip this step (modems that use iterative registers can be attacked by
trial and error in some cases).

2) Find their phone number.  I won't list the 700 number that gives you
this information, but it's trivial.

3) Call the local phone company.  Identify yourself as the user and order
'call forward on busy' service.  Just about all the RBOCs offer this now to
support their voicemail services.  At this time, change the mailing address
associated with the billing so the service order confirmation won't go to
the person's house. BTW, PacBell can turn on custom services (like call
forward on busy) within hours of the order.

4) Go back to the house, connect a phone to the NIC.  Set the forwarding
number to a number you select for your modem.

5) Call the dial-back bank.  Give the identifying information acquired in
step one.

6) Before the call disconnects, use another line to busy out the line at
the target's house.  If someone answers, give them a false sales pitch.
Keep the line busy until the target system calls you back.

>3) They will not know that they need to talk the Appletalk Remote Access
>   protocol if they do get through.

ARA is distinctive, if you know what you are looking for.  It's not even
obscure, as it used to be.

>4) ARA will prompt for a password so you can't get in without knowing it.

Assuming the password is secure.  So, this means that you can't be using
that password anywhere on the network one could sniff it.  However, what
boxes are planning to be used for the ARA dial-in service anyway?

>5) All of the above need to be false before a breakin can occur.

1-3 are false.  4 may be false.

>6) If they did break into a machine on our network, they would not be able
>   to go any further.

Bullsh...I mean, that's incorrect.

>I suggested that all they would need is a packet sniffer and they could go
>a LOT further.
>His response was that there are not any generally accessible packet sniffers
>available for Macs, only some very expensive commercial ones.

His argument is valid, but not for the reasons he thinks.  Most of the ARA
server boxes I have seen only pass traffic down the line for the node that
is known to be connected (if you think about the fact that an ARA server is
really connecting a 238.4K network via a 14.4K or less line, the reason for
this choice should be clear).  So a packet sniffer would see only traffic
for that node.  Either way, that's not a hole.

>On a related matter:  Does anyone allow any Appletalk (ethertalk) through their
>firewalls?  We have three University campuses running appletalk on the
>other side of our firewall.

I'm currently looking at this to work out a safe way to do ShowNets for
Cisco.  I'll post my analysis at some point in the future.

| Kenton A. Hoover                       Security Dude | shibumi @ cisco . com |
| Engineering Computer Services                        |                       |
| Cisco Systems, Inc.                                  |    +1 415 324 5249    |
|    If a Cisco Vice President can use ARA, I'm not doing my job right...      |
