Who has the Controls

Mar 1, 1997 12:00 PM, By JOHN McCUMBER



The following sermon is for those of you who normally pass up reading a computer column. You know who you are - the one without a something.com address on your business card, never mind a Web site.

Hey, don't worry, I'm not going to ridicule you. I'm the guy who finally bought my family a new Compaq to replace an ancient TI 99/4a I bought for 50 bucks off the back of a truck in 1984. I never wanted a home computer for a hobby - I wanted a tool to help solve problems. I have always used computers at work, and I know their capabilities and limitations. They had to mature before I felt it was worth an investment.

People use these machines for a variety of reasons. My home PC helps me do research and communicate with colleagues and coworkers, and it allows my kids to avoid competition for limited resources at the local library. I still adamantly refuse to keep my financial records on the PC, however. I feel home finance software requires far too much man-machine interface for my lifestyle. Besides, it is less time-consuming for me to do my checkbook and taxes by hand.

You may have chosen to join the ranks of the www.whocares.com crowd, but there is nothing wrong with that. The life of the digerati just may not be your style. But there is something significant on the horizon that will convince the entire security community to sit up and take a closer look at the issues of computer network security. The issue came into focus for me when I noticed two telephone numbers followed by codes at the bottom of an office telephone list produced by our corporate headquarters. Anyone with the telephone number and the codes can remotely control the lights and heat in the building. Interesting. That means the environmental functions are controlled automatically - by a computer. These controls can be accessed and manipulated remotely through an on-board modem which answers its own telephone line and responds to tones sent over the connection. Hence, anyone who obtained this telephone list would be able to manipulate our building's environmental controls from any telephone in the world.

If you are starting to get the willies, join the club. How much business would you lose if your staff showed up to work on Monday to find the heat had been shut down since Friday night?

Most micro- and mini-computers are still sensitive to extreme temperatures and humidity variances. Shutting down a company's San Diego office HVAC in July could idle its servers for days. They would have no e-mail, Web support or collaborative project management capabilities. Basically, the business support infrastructure would be degraded severely. If they were a computerized shop-by-mail catalog service, they would be out of business until things were returned to normal. How about that for a competitive disadvantage?

Like it or not, the security profession is not on the fast track to computer and network savvy. Have you seen the advertisement on television for home management software for your computer? It shows the computer turning on the lights, running the VCR and monitoring the temperature. You will be able to call your PC and control these items remotely. If you are on the Web, you can do it from almost anywhere.

How are we going to control access to these systems? Perhaps we will choose passwords! Hmmm. Fess up, now. How many lame passwords have you conjured up in the last few months? You have your kid's name, your alter ego (e.g. Beerman) or some other easily hacked word. Default passwords installed by the vendor are always a good guess. There are several programs like Crack that can hack passwords quickly and easily, especially ones that do not contain any numbers or special characters.

How about passwords used by multiple groups of people? In this category are passwords and codes for controlling building infrastructure components such as elevators, HVAC and door locks. Many different groups of people need access to these systems: employees, maintenance and service personnel, property management and security. Group passwords are often recorded in places available to the prying eyes of those without a need to know. Why not check today to see if you are unknowingly responsible for remote access control of your physical plant's infrastructure components? You may be surprised.

Many manufacturers and vendors tout controllers and infrastructure components that allow remote telecommunications access to elevators, security systems and even fire suppression equipment. I have been surfing the Web sites through links from places like nsi.org. Check them out for yourself. If you thought you could avoid computer and telecommunications security for a couple more years, give it up. What will you tell your boss when she shows up next Monday morning to find her office temperature hovering around 37 degrees and the sprinklers watering her PC like it's a tropical fern? Maybe you could propose a better password.

About the author: John McCumber is a computer security consultant with Trident Data Systems, Fairfax, Va. Previously he was a principal analyst-section manager with Litton/PRC Inc., where he provided services to numerous Department of Defense organizations. McCumber retired from a career in the U.S. Air Force in 1994. He holds adjunct faculty status at the Defense Intelligence College, Eastern Michigan University, James Madison University and the DOD Security Institute.

© 2012 Penton Media Inc.
