Hacker shocker: Project reveals breaches galore
-----------------------------------------------
By Jonathan Littman
September 18, 1997 2:47 PM PDT
ZDNN

Hackers call it "war dialing." A security expert has used this old hacker's technique to root out thousands of modem lines in Northern California that may be leaving corporations and individuals vulnerable to attack.

Peter Shipley of Berkeley, Calif., has been letting his computer do the dialing. A whole lot of dialing: 1.4 million numbers or so; 500 an hour, 12,000 a day. Roughly 14,000 of the 1.4 million numbers Shipley's program randomly dialed were modem lines, a figure that translates to thousands of open doors for would-be hackers to wreak havoc.

The huge research project has revealed case studies in bad security practices. Shipley's conclusion: Today, many companies and individuals are unaware of the risk that one unprotected modem line can pose to an entire computer network.

Shipley says that while many unaccounted-for modem lines are found in corporations, an increasing number of employees have direct dial-up access to corporate networks from home. And, not surprisingly, he notes, "a lot of the time they don't have good passwords."

Some startling findings of the telecommunications vulnerability study:

* An East Bay medical facility gives unrestricted modem access to patient records, making it easy for a hacker to steal, alter or delete private medical records;
* An Internet company offering financial services does not require a password to modify its modem-accessible firewall, potentially permitting intruders to install backdoors and disable auditing routines; and
* A Fortune 100 company's air conditioner and environmental control units can be easily changed by modem, enabling a hacker to overheat buildings or kill lights at will.
Shipley has not attempted to access any of the 14,000 sites his war-dialing method has found in Northern California, but his research raises questions about whether basic security is widely practiced. The security expert says he found numerous firewalls in Silicon Valley so poorly configured that intruders could easily gain total command of the firewall and the network behind it.

Only three of every thousand modem lines he checked posted a warning banner, violating policy for many government sites and corporations.

"Some of them had a welcome banner on the screen, gave the name of the operating system, the release number, even in many cases the name of the corporation," said Ken Kumasawa, a security consultant for TeleDesign Management Inc. in Burlingame, Calif., who reviewed the data. "This has been a no-no for about five or six years."

Instead of a welcome screen, Kumasawa says the modem line should have led to a warning screen -- or nothing. "To a certain extent it should be a blank screen," he said. "The person who is accessing it should know how to do it."

War dialing was popularized by the 1983 hacker classic "War Games," which featured Matthew Broderick dialing his way to a direct connection with a military computer. In days past, hackers would mass-dial tens of thousands of phone numbers to find open systems from which to make further assaults.

But Shipley -- a security auditor who plans to publish a technical paper on his research -- says he's maintained a "look but don't touch" premise. He didn't attempt to access any of the systems his war dialer found, and for good reason: unauthorized access carries criminal penalties.

Recent studies showing that 39 percent of homes have PCs may extend the risk of hacking. "As more and more home-access software appears, say to synchronize your laptop with your desktop, the risk of dial-up information warfare will increase," said Shipley.
"Badly configured systems can permit hackers to gain access to a hard drive or printer, read or delete files, even run programs on your machine."

Jonathan Littman is the author of "The Fugitive Game" and "The Watchman."
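The banner findings above (only three in a thousand lines showing a warning banner, many greeting callers with the operating system, release number and company name) describe a check an organization can run against its own dial-up lines. The following script is an added example and is not code from the article, from Shipley's study or from TeleDesign. It takes banners already captured from an organization's own modem lines (here a small constructed set of sample banners, plus an assumed organization name "Acme Medical") and classifies each one the way Kumasawa's guidance suggests: blank or warning-only is acceptable, a welcome banner or any leaked OS, version or organization name needs fixing. The warning rate is reported per thousand lines so it can be compared directly with the study's figure.

```python
"""Audit captured modem-line banners for the problems the study describes.

Added example; the banners and organization name are constructed, not data
from the article. Input is text an authorized operator captured from the
organization's own lines; the script does no dialing or connecting itself.
"""
import re
from dataclasses import dataclass, field

# Phrases that mark a banner as a legal/usage warning rather than a greeting.
WARNING_PHRASES = ("authorized use only", "unauthorized access", "prohibited", "monitored")
WELCOME_PHRASES = ("welcome",)

# Patterns that reveal the operating system or its release number.
OS_PATTERNS = [
    r"\b(SunOS|Solaris|HP-UX|AIX|IRIX|Ultrix|Linux|BSD|VMS|Windows NT)\b",
    r"\bRelease\s+[\d.]+",
    r"\bversion\s+[\d.]+",
]

# Assumed organization name(s) whose appearance in a banner counts as a leak.
ORG_NAMES = ("Acme Medical",)

# Constructed sample banners, keyed by an internal line identifier.
SAMPLE_BANNERS = [
    ("line-001", ""),                                                        # blank: acceptable
    ("line-002", "WARNING: Authorized use only. Activity is monitored."),    # warning: acceptable
    ("line-003", "Welcome to Acme Medical Records\nSunOS 4.1.3 Release 4.1.3\nlogin:"),  # leaky greeting
    ("line-004", "HP-UX hpsrv1 B.10.20 A 9000/800 (ttyd1)\n\nlogin:"),       # no greeting, but OS leaked
    ("line-005", "CONNECT 14400\nlogin:"),                                   # neutral, nothing leaked
]


@dataclass
class BannerFinding:
    line_id: str
    category: str                      # "blank", "warning", "welcome" or "neutral"
    leaks: list = field(default_factory=list)

    @property
    def needs_fix(self) -> bool:
        # A greeting banner is a policy problem even without leaks;
        # any leaked OS/version/org name is a problem regardless of category.
        return self.category == "welcome" or bool(self.leaks)


def audit_banner(line_id: str, text: str, org_names=()) -> BannerFinding:
    """Classify one banner and list what it gives away."""
    t = text.strip()
    low = t.lower()
    leaks = []
    for pat in OS_PATTERNS:
        m = re.search(pat, t, re.IGNORECASE)
        if m:
            leaks.append(f"os/version: {m.group(0)}")
    for org in org_names:
        if org.lower() in low:
            leaks.append(f"org name: {org}")
    if not t:
        category = "blank"
    elif any(p in low for p in WARNING_PHRASES):
        category = "warning"
    elif any(p in low for p in WELCOME_PHRASES):
        category = "welcome"
    else:
        category = "neutral"
    return BannerFinding(line_id, category, leaks)


def audit_all(banners, org_names=()) -> dict:
    """Audit every banner and summarize, with the warning rate per 1,000 lines."""
    findings = [audit_banner(i, b, org_names) for i, b in banners]
    total = len(findings)
    with_warning = sum(f.category == "warning" for f in findings)
    return {
        "total": total,
        "warning_rate_per_1000": round(1000 * with_warning / total) if total else 0,
        "needs_fix": [f for f in findings if f.needs_fix],
        "findings": findings,
    }


if __name__ == "__main__":
    report = audit_all(SAMPLE_BANNERS, ORG_NAMES)
    print(f"{report['total']} lines, warning banner on "
          f"{report['warning_rate_per_1000']} per 1,000")
    for f in report["needs_fix"]:
        print(f"{f.line_id}: {f.category}; leaks: {', '.join(f.leaks) or 'none'}")
```

Run against real captures, the two lines flagged here are the ones to change: replace the greeting with a warning banner (or a blank prompt, as Kumasawa recommends) and strip the OS and release strings from the login prompt. The phrase and pattern lists are deliberately short; extend them with the operating systems and organization names that actually appear on your own lines.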