In late 2005, the government of Sri Lanka was forced to block direct dialing to 13 neighboring countries. Hackers had tapped into dial-up modems and swapped local Internet dial-up numbers for overseas numbers. Users—and their Internet service providers (ISPs)—were unaware of any changes to their modem configurations until they received their phone bills. While Sri Lankan ISPs and telecommunications providers restructured their security standards, consumers making international calls had to use a time-consuming and expensive human international operator.
Luckily, Sri Lanka had some guidance in its IT reconfigurations—from the government of Ireland, whose dial-up modems had been similarly compromised in 2004.
Even in the US, with its pervasive broadband Internet access, modems are still under attack by hackers and criminals. In 2004, a Louisiana man was charged with using a virus to reprogram 21 dial-up modems connecting to WebTV (now MSN TV) set-top boxes. The reprogrammed modems, rather than dialing up to WebTV, dialed the users' local emergency number, resulting in 10 false alarms to subscriber homes.
Dial-ups: If You Still Use Them, You Are Still Vulnerable
Zero-day attacks, broadband uncapping, war driving—hackers, like any other community, have their fashion trends. Flashy exploits that manipulate new and pervasive technologies make headlines in the press and on underground hacker web sites. Conversely, attacks on the pedestrian dial-up modem no longer command attention, nor are there as many old-style modems to attack. In 2005, more than 60 percent of home and corporate users accessed the Internet via broadband, with that percentage expected to increase significantly again in 2006.
Nevertheless, dial-up modems continue to be used across business and industry, including in such critical infrastructures as electrical grids and other public utilities. Organizations of every size have found that their legacy systems work well enough to not need upgrading. Many virtual private networks (VPNs) for on-the-road employees are still served by banks of dial-up modems. Organizations in rural areas, where broadband has not penetrated as deeply, still rely on modems for their daily business. Warehouses and distribution centers for companies of all kinds maintain dial-up network access. And, in the US as well as in other parts of the world, dial-up modems are routinely sold to corporations and government agencies.
As a result, dial-up modems continue to be hacker targets, internally and externally. In fact, the modem's lowliness makes it tempting prey for miscreants who have forsaken hacker glitz in favor of an easy back door to snoop, sniff and compromise data and networks.
Telephone Scanning: A Best Practice
The ISO 17799 security standard (formally known as the ISO/IEC 17799:2005) has been available from the International Organization for Standardization (ISO) since 2000 and has existed in other forms since the 1990s. ISO defines 17799 as "a comprehensive set of controls comprising best practices in information security."1 It is an internationally recognized, generic standard, and adopting it lets an organization become ISO 17799-certified.
The 2005 edition of ISO 17799 identifies the need to "conduct a modem sweep to search for back doors"2 as a best security practice. Meanwhile, the SANS Institute has also identified modem sweeping, otherwise known as telephone line scanning or war dialing, as an organizational best practice that should be performed regularly. This information appears, for example, in SANS' proprietary Security Consensus Operational Readiness Evaluation (SCORE) 2006 "Essential Security Actions" document.
Other organizations that handle crucial infrastructure via modems continue to implement their own standards or have taken the best practice of scanning and modified it to their own needs. For instance, as part of its "Cyber Security Management, Operations, and Design Considerations" document, the 57,000-member American Water Works Association suggests that its members' IT departments "use commercial telephone-scanning software that can usually identify modem connections not sanctioned by the utility"3 to protect vulnerable infrastructure.
Additionally, Texas's (USA) Department of Information Resources (DIR) offers war dialing as a service to its state clients: "DIR Analysts utilize commercial software and custom scripts, to perform a comprehensive sweep of all devices and equipment attached to a customer's telephone lines.... Upon conclusion, DIR will provide a custom report detailing vulnerabilities found, with recommendations on how to remediate and/or mitigate the vulnerabilities. In addition, DIR will provide the comprehensive scan results from the commercial tool."4
In other words, telephone line scanning—by whatever name—continues to be a relevant, timely and necessary practice for any organization routinely using dial-up modems as part of its IT infrastructure.
Telephone Line Scanning: Transforming the War Dialer
Prior to the introduction of commercial telephone line scanners in 1998, any organization testing the security of its phone and modem lines had to use the phone hackers' own tools. Only two—the ToneLoc and THC-Scan programs, developed by so-called "phone phreaks" in the mid-1990s—held any official corporate IT stamp of approval.
The debut of the first commercial war dialer was a watershed for IT security auditors. It was a system developed by computer security professionals for computer security professionals, thereby entirely bypassing the need to interface with the computer underground. Suddenly, the hacker term "war dialing" had been rechristened "telephone line scanning," and the corporate necessity of modem sweeping had finally been legitimized.
The developers of these programs also understood that computer security auditors needed different tools from those used by computer attackers. While an attacker looks for any and all exploitable vulnerabilities, auditors work to build a comprehensive list of those vulnerabilities to prevent attack. In addition to attackers' brute-force tactics, auditors require easy-to-use, highly configurable tools that can conduct repeated and repeatable exhaustive searches and generate detailed reports. Furthermore, commercial modem sweepers were business tools, all documentation was easily available, and support for the products came bundled with the software.
A Cautious Welcome and Much Curiosity
Following the release of the first two commercial telephone scanners (Sandstorm Enterprises' PhoneSweep and SecureLogix's TeleSweep), organizations that needed war dialers—and software publications that reviewed security technology—tried to understand these products' place in the IT security realm.
In 1999, acting on an Internet tip, IS auditing firm CanAudit tried implementing commercial telephone scanners in conjunction with its existing, highly limiting freeware war dialers. The test results are reflected in "Dial M for Modem: A Lesson in Training," published that same year in Security Management magazine:
[The commercial scanner] identified a vulnerability in a network maintained by a security systems company owned by the energy company. Through this system hole, anyone could have taken control of the security company's access control system and potentially its clients' systems as well. After witnessing a demonstration of the pandemonium that could have occurred via this breach, the company quickly plugged the hole.5
The freeware war dialers accomplished no such thing.
The authors of the network security classic, Hacking Exposed, similarly compared existing freeware war dialers and the new commercial products, enthusiastically endorsing the latter: "There is very little to reveal that isn't readily evident within the...simple graphical interface, automated scheduling, carrier penetration, simultaneous multiple modem support, and elegant reporting." They added, "If it appears that we're biased towards [commercial scanning], we are."6
Naturally, the hackers were watching, as well. The hacker bulletin boards and newsgroups were buzzing with questions about commercial war dialers: Could you get it for free? Why was it such a big deal for a program to be able to identify fax tones, when a good phone phreak could do it by ear? But the commercial scanners' engineers already had network attackers in mind when the products were developed.
Commercial Scanners Were, and Still Are, Different
The technical features and capabilities of the telephone line scanners first deployed in the late 1990s are as singular now as they were nearly a decade ago. These features include multimodem dialing, security hardware to prevent misuse and an "expert system" to identify remote systems. The successful products' graphical user interfaces (GUIs) and robust structures made it easier for less-experienced users to run the system, and they were modestly priced, often under US $1,000. In later versions, Sandstorm Enterprises implemented the patented Single Call Detect on its PhoneSweep scanner, and SecureLogix Inc. implemented the patented TeleWall Firewall on its competing product, TeleSweep. But both patents and the corporate eagerness to move to broadband gradually drove other commercial scanners off the market.
Today, only PhoneSweep, now in v.5.4, remains in active commercial distribution, accounting for 80 percent of all commercial telephone scanners worldwide. This is in part because Sandstorm Enterprises acquired patents on two crucial elements of telephone line scanning technology, thereby driving TeleSweep from the commercial market. Despite this fact, however, PhoneSweep engineers continue to upgrade the product's capabilities and finesse its existing features. PhoneSweep's latest release includes better fax recognition, more granular reporting, an improved GUI and more robust file importing capabilities.
Telephone Line Scanning Today
Security professionals now widely acknowledge commercial telephone line scanners as trusted products in a high-stakes arena. That is because, regardless of the technology used, securing an organization's infrastructure from outsiders and rogue insiders is still a high-stakes game.
According to Bruce Middleton, a computer security and forensics expert and author of several books on cybercrime investigation and prevention, "Ports have become the [attacker's] entry of choice, but companies should still conduct a vulnerability scan with a war dialer periodically to detect any unauthorized modems on the premises."7
Stylish? No. In the news? Not really. But as long as dial-up modems still exist, attackers will continue to penetrate them. And, as long as cracking modems yields access to vulnerable data and networks, the recommended best practice for ensuring modem security will continue to be to "sweep" them on a regular basis.
1 The ISO 17799 Directory, www.iso-17799.com
2 SANS Institute, "Essential Security Actions: Step-by-Step/A Consensus of High Impact, Low Cost, Core Actions for a Program of System and Network Security Version 3," 2006, www.sans.org/score/ISO_17799checklist2.php
5 Gips, Michael; "Dial M for Modem," Security Management Magazine, September 1999, p. 24, www.securitymanagement.com/library/000720.html
6 McClure, Stuart; Joel Scambray; George Kurtz; Hacking Exposed: Network Security Secrets & Solutions, Osborne/McGraw-Hill, USA, 1999, p. 271 and 277
7 Middleton, Bruce; "Using the Hacker's Toolbox," Security Management Magazine, June 1999, p. 59, www.securitymanagement.com/library/000689.html
is a writer, editor and journalist with 15 years of experience in emerging technologies. She has written for the Boston Globe, Boston magazine, and the Christian Science Monitor; edited a book for Harvard's Kennedy School of Government; and created marketing collateral for numerous software companies. She is also the author of three novels.
Information Systems Control Journal, formerly the IS Audit & Control Journal, is published by the ISACA. Membership in the association, a voluntary organization of persons interested in information systems (IS) auditing, control and security, entitles one to receive an annual subscription to the Information Systems Control Journal.