The easiest way to get into a system - yet never addressed in testing.

1. “Super
Phreak”
Modems: The Forgotten
Backdoor

2. A Day in the Life

3. Remember the 80’s ?
1980
John Lennon shot
Pac-Man
Super Trouper
Empire Strikes
Back

4. Remember the 80’s ?
1980 1981
John Lennon shot JR Ewing shot
Pac-Man Rubik's Cube
Super Trouper Super Freak
Empire Strikes Raiders Lost Ark
Back

5. Remember the 80’s ?
1980 1981 1982
John Lennon shot JR Ewing shot Reagan shot
Pac-Man Rubik's Cube Trivial Pursuit
Super Trouper Super Freak Don’t You Want
Me
Empire Strikes Raiders Lost Ark
Back Tootsie

6. Remember the 80’s ?
1980 1981 1982 1983
John Lennon shot JR Ewing shot Reagan shot My knees shot
Pac-Man Rubik's Cube Trivial Pursuit Cabbage Patch
Kids
Super Trouper Super Freak Don’t You Want
Me Thriller
Empire Strikes Raiders Lost Ark
Back Tootsie War Games

8. Spark That Lit The Fire
Sales of modems
increased by a factor
of 500 within 3
Public
months of the release
of the film “War
Games”
Private

9. Remember When?
Our biggest vulnerability Our biggest threat
Public
Private

10. Super Phreaky – Yoaw!
Phreak = "phone" + "freak".
"Phreak", "phreaker“= names for people
who participate in phreaking
Phreaking = studying, experimenting with,
or exploring telecoms systems,
equipment or systems connected to
telephone networks. Linked to hacking
when networks went computerised.
Now called the H/P culture
(Hacking and Phreaking).

11. War Dialer Process
1. Obtain exchanges
2. Configure & run dialer
3. Analyse carriers & identify
devices
4. Connect to carriers identified
5. Brute force if prompted
6. Access granted

12. Functions of a Modem
• Dial-Out access – allows
someone to subvert the
firewall to get out
• Dial-In access – allows
remote access to an internal
system via the PBX

13. Dial-Out Access
 Desktop devices, faxes, scanners, PCs
 Primarily user internet-related activity
 Use of unauthorised modems to circumvent firewall
rules - access blocked internet material
 Risk exposure is user-dependent and localised
 Think data leakage
 Risk commensurate with access privileges
 Most organisations do not have a requirement for it

14. Dial-Out Risks
Firewall
Unauthorised
Material Your Organisation
Network
Trojan Horses & Configuration
Server
Modem
Viruses Workstation
Business
Data
Databases
Information
Server
Leakage

15. Dial-In Access
 Business systems – servers - not PC-based
 Think 3rd party managed devices
 Increased likelihood business-critical system
 Permits targeted rather than opportunistic attack
 Time to map & exploit the system
 System can remain compromised after the hacker
disconnects
 Likely to be untraceable
 Most organisations have at least some requirement
for dial-in access

16. Your View
1. Bandwidth Manager
2. Exterior Router
3. Bastion Host (Firewall)
4. Interior Router
5. Network Switch
6. Application Servers
7. Network Storage
8. PBX
9. Voicemail
10. Modem Bank
11. RAS Server
12. Authentication Server
13. UPS
14. Air Conditioning
15. Building Access Control System

17. Phreaker’s View
1. Bandwidth Manager
2. Exterior Router
3. Bastion Host (Firewall)
4. Interior Router
5. Network Switch
6. Application Servers
7. Network Storage
8. PBX
9. Voicemail
10. Modem Bank
11. RAS Server
12. Authentication Server
13. UPS
14. Air Conditioning
15. Building Access Control System

18. Scale of Dial-In Threat
 Large organisations: 1.5% – 2.5% of all
telephone extensions provide dial-in access
(up to 25 extensions per 1000 )
 Small organisations: 2% - 3% of telephone
extensions provide dial-in connectivity (up
to 15 extensions per 500)

19. Prevailing Opinion…
"...most large companies are more vulnerable
through poorly inventoried modem lines than via
firewall-protected Internet gateways"
Hacking Exposed: Network Security Secrets and Solutions. McClure,
Scambray & Kurtz. Osborne,2008
“While remote access is not the only route that
hackers use to attack networks, they often cite it as
the easiest route in”
Information Security Breaches Survey 2010: Remote Access.
UK Department of Trade & Industry

20. And yet….
DTI’s Information Security Breaches Survey
cited it in 2004 by stating that …
• Less than 2% surveyed checked for unauthorised modem
access
…but not since

21. Managing Dial-Out Risk
Non-PC based:
• Configure dial-out under application control
• Modem configured for “dial-out” only
PC-based:
• PBX monitoring – outbound call logging (restricted to
DDI line logging)
• Host-based solutions – anti-virus / host monitoring /
configuration lockdown
General:
• Effective policy – user education, policing &
enforcement

22. Managing Dial-In Risk
Managed through:
• Review & confirm 3rd party access requirements
• Change vendor defaults
• SLA’s should address breach responsibilities
• Implement appropriate controls (access restriction,
authentication, dial-back)
• Monitor – inbound call logging / alerting / read logs!
• Effective policy – user education, policing &
enforcement

23. 25 th Anniversary

24. Todays’ War Dialer
• WarVOX, Linux-based freeware available on
Dark-Hack
• Uses VoIP services to make up to 10,000
calls in an 8 hour period
• Spoofs caller ID
• IDs admin interfaces to PABX and IP based
devices
• Finds and copies/strips stored audio files
and archives

25. Test This

26. Some things never die,
they just go out of
fashion…
Phreaking is the founding
methodology of hackers.
What makes you think its
dead?
Still the most dependable
backdoor into a system.

27. 26 Dover Street,
London , W1S 4LY,
United Kingdom
+44 (0) 203 586 1025
www.orthusirm.com
info@ orthusirm.com