Tuesday, August 18, 2009

Modems

It had been in the back of my mind for a long time to war-dial my own organization, just to see if there are any unauthorized modems attached to computers on our network.

The modem attack vector has long been ignored, but if present, it offers a great vector into a network. More often than not, locally attached modems are not subject to firewalls, intrusion detection systems, or any other security controls.

Since I only looked at phone numbers to which we knew a modem was attached, my little exercise was not a true wardialing effort, nor did it provide full coverage. Yet, it yielded pretty useful results. I had (note: past tense!) just over 20 telephone DIDs that were marked as modem lines. When dialed, not one of those lines actually picked up (yay!). Most lines either went to voicemail (shouldn't happen on a modem line), were off the hook, or were disconnected altogether.

All in all, this effort allowed us to reclaim a bunch of unused DIDs, and it confirmed that on our registered modem lines nobody had configured their modem to auto-answer.

The next step will be to identify rogue modem lines.

Fortunately, I do not expect to find that many (if any at all). Our field support technicians have been looking out for the presence of modems for a year or two now, and as machines are swapped out on their regular schedule, legacy modems are removed.

Let's see what we come up with in the next few months, but this is one attack vector that should be mostly closed.
