Another mode of assault would be to break security on the
telephone switch to reroute calls leaving your site. I'm not
sure of the current feasibility of an attack, but a few years
back, such phone rerouting was not impossible. (NB: This may
be urban legend; I never did it, or saw it done. Does someone
with more telephone knowledge care to comment?)
It's happened, though not necessarily for computer hacking. See Hafner
and Markoff's ``Cyberpunk''. My favorite example (I think it's in
there, but a few minutes' perusal of the index couldn't find it) was
when the probation office in Delray Beach, Florida, had its phone
number busy-forwarded to Dial-a-Porn in New York.
S/Key on the modem ports? S/Key is a one time passwording
scheme available from thumper.bellcore.com. It would allow
anyone to get to your login prompt, but only authorized users
(in theory) could get by it. There are also smart card
solutions such as securID.
The big advantage of S/Key over SecureID is that the host doesn't have
to keep any secret more sensitive than a hashed password (which is bad
enough, but not nearly as bad as a cleartext key). For this reason,
I'm coming more and more to the conclusion that if you can't afford a
dedicated authentication server or a public-key based mechanism, S/Key
(or some other implementation of Lamport's algorithm) is by far the
best choice. (Before you ask, Lamport's paper is in the November '81
CACM.)
The big disadvantage is that I don't know of any hardware
implementations. It might be a nice hack to write one for a palmtop
computer.
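The Lamport hash-chain scheme that S/Key implements, as an added Python example (not code from the post or from the Bellcore S/Key distribution). It assumes SHA-256 as the one-way function (real S/Key folds MD4) and a constructed random seed; it shows why the host's stored value is harmless if leaked and why a captured password cannot be replayed.

```python
import hashlib
import hmac
import secrets


def h(data: bytes) -> bytes:
    """One-way function. Real S/Key folds MD4; SHA-256 is an assumption here."""
    return hashlib.sha256(data).digest()


def chain(seed: bytes, n: int) -> bytes:
    """Apply h() n times to the seed: H^n(seed)."""
    x = seed
    for _ in range(n):
        x = h(x)
    return x


class Host:
    """Server side: keeps only H^n(seed) and the counter n, never the seed."""
    def __init__(self, top_hash: bytes, n: int):
        self.stored = top_hash
        self.n = n

    def verify(self, otp: bytes) -> bool:
        # Accept only the immediate preimage of the stored value. A replayed
        # password hashes to the *previous* entry, not the current one, and
        # inverting the stored hash to obtain the next password is infeasible.
        if self.n <= 0 or not hmac.compare_digest(h(otp), self.stored):
            return False
        self.stored = otp    # advance one step down the chain
        self.n -= 1
        return True


class Client:
    """User side (the palmtop in the text): holds the secret seed."""
    def __init__(self, seed: bytes, n: int):
        self.seed, self.n = seed, n

    def enroll(self):
        return chain(self.seed, self.n), self.n   # what the host stores

    def next_otp(self) -> bytes:
        self.n -= 1
        return chain(self.seed, self.n)


def demo(n: int = 5) -> dict:
    """Enroll, then: fresh OTP accepted, replay rejected, leaked hash useless."""
    client = Client(secrets.token_bytes(16), n)   # constructed seed
    host = Host(*client.enroll())
    first = client.next_otp()
    return {"first_login": host.verify(first),
            "replay": host.verify(first),
            "stolen_host_value": host.verify(host.stored),
            "second_login": host.verify(client.next_otp()),
            "remaining": host.n}
```

When the counter reaches zero the user must re-enroll with a fresh seed, which is the operational cost of not storing a secret on the host.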