Computer crime often hits you when -- and where -- you're not looking. Nowhere is this more true than the oft-forgotten analog dial-up access point into the corporate network. Expensive and intimidating firewalls that guard your various public gateways can lead to a false sense of protection against outsider access to your computing resources. Almost no one contemplates the fact that firewalls are most easily circumvented by taking a back door -- a poorly secured dial-up server or an inadequately policed desktop modem -- to get into the network.
As businesses increasingly rely on automated systems, such as lighting and air conditioning, that run by computers that are probably remotely controlled via dial-up connection, the term 'denial of service' takes on a whole new meaning. If someone can break into such systems and gain access to configuration settings, that person is only a keystroke away from delivering a debilitating blow to operations. Not many companies can function well in total darkness and subzero temperatures. An upcoming study on dial-up security by security consultant Peter Shipley indicates that there are many exposed systems out there. (Stay tuned to www.network-security.com/sec_research.html.)The good news is that there's an easy way to keep tabs on your exposure to dial-up dangers: war dialling. As with many of today's security-assessment techniques, war dialling is derived from a long-standing hacker technique for automatically dialling massive quantities of phone numbers to determine which are modems worthy of further attention.
If you manage (or suspect that you manage) a large number of dial-up access lines, it's important to include them in the security assessment you regularly perform on your network. As always, the best approach to dial-up security is to formulate and enforce a policy of control over who gets dial-up access and why, but we also suggest periodic examination of the dial-up resources themselves.
Tools of the trade
The first thing to do to begin your war-dialling effort is to obtain the proper permissions: in many localities, automated testing of communications resources not under your direct control or ownership is illegal. Once permission has been obtained or verified, you need the right tools. Many tools exist to probe large databases of phone numbers, but none is more popular than Toneloc, short for Tone Locator (available at www.paranoia.com/~mthreat/toneloc). Toneloc, which runs under DOS (or in a DOS shell on Windows), is an industrial-strength utility that offers a great deal of flexibility. It's a bit inscrutable because of its DOS heritage, but it comes with an ample user manual that explains the many configuration options.
Running Toneloc is fairly simple. First, run the utility tlcfg.exe in a DOS session to configure modem init strings (if a prefix is necessary to dial out of your phone system), then modem hardware options such as COM port, interrupt request (IRQ), and I/O port. Toneloc can now be run with the simple command toneloc 555-12XX, which tells it to dial the 100 phone numbers that start with 555-12. There are many other command-line options that are better left to in-depth reading of the manual. Toneloc records the answers it receives to a file named 555-12XX.dat (using our example), which must be read using the Tonemap utility to display results in a graphical format.
For those interested in a simpler Windows-based tool, we recommend Phonetag (we found a copy at www.geocities.com/Area51/Dunes/1729/phonetag.zip). It's not as robust as Toneloc, but it gets the job done and even offers a screen-capture function for systems that answer its calls. However, we found it to be somewhat slower than Toneloc.
For those averse to using freeware tools for security work, we recently tested Sandstorm Enterprises' Phonesweep (found at www.phonesweep.com), which offers a functional Windows interface, support for as many as four modems, more robust data management, and carrier detection and penetration. Of course, it costs about $1,000 for 300-number profiles and one port, or nearly $US3000 for 10,000-number profiles and four ports. Plus Phonesweep's software license -- enforced by a hardware dongle -- specifies that users can't copy it to multiple machines, whereas you have unlimited distribution with freeware.
Testing your environment
We recommend starting with Toneloc, then evaluating more advanced and costly tools such as Phonesweep if you manage a large number of dial-up lines. Phonesweep's multiple modem support, penetration logic, and data management will make it worthwhile if you require it. Whichever earns a permanent place in your security toolbox, at least you'll sleep better at night knowing that you've rattled all of the doorknobs leading into your company's information systems.
How seriously have you taken the threat from innocuous dial tone? Let us know at email@example.com.
Stuart McClure, a senior manager at Ernst & Young's Information Security Services, and InfoWorld Technology Analyst Joel Scambray have managed information security in academic, corporate, and government environments for the past nine years.