[ISN] Hacking goldmine as BT publishes remote dial-up numbers

From: InfoSec News (isnat_private)
Date: Tue Mar 26 2002 - 00:33:51 PST

  • Next message: InfoSec News: "[ISN] Patch system in the works"

    Graeme Wearden   
    Monday 25th March 2002
    BT is to remove the list from the Web, but security experts warn that
    the companies affected are at risk of attack in the future.
    BT has admitted that it published the private remote access numbers of
    a number of British companies on its Web site -- a move that could
    expose the firms affected to hacking attacks.
    The numbers were published on the public BT Together Web site in a
    list that BT thought only included local and national ISP dial-up
    numbers. However, the company admitted to ZDNet UK News on Monday that
    an unspecified number of remote dial-up numbers were present in the
    list. This list consisted of a total of 4,960 numbers, and it's
    unclear quite how many of these were company dial-up numbers.
    The director of one company whose remote access number was exposed has
    described BT's actions as "just ridiculous".
    BT has told ZDNet UK that this list will be taken down from the Web,
    but security experts have warned that the numbers could already have
    fallen into the hands of malicious computer users. Companies that give
    their employees dial-in access to their networks have been advised to
    check their security.
    BT Together is a range of phone tariffs that give users unlimited
    calls in return for a monthly fee. These tariffs do not apply to
    national and local ISP dial-up numbers, and BT has said that the
    purpose of its list was to make its BT Together customers aware of
    numbers that they would have to pay extra to call.
    However, the company has admitted that it inadvertently included
    private dial-up numbers in this list.
    "Our call-logging software would detect when BT Together customers
    were making long data calls to certain numbers. We would then call
    those numbers, and if there was a modem on the other end we concluded
    it was an ISP, and that number would be added to the ISP exclusion
    list," a BT spokesman said.
    The BT spokesman would not say how many of the 4,960 numbers were
    corporate dial-up numbers, but insisted it was "a very small number".
    BT now plans to take the list offline, leaving only a tool where users
    can enter a specific number to find whether it will be included in
    their BT Together package or not.
    ZDNet UK tracked down a company affected by BT's mistake. Martin Ryan,
    director of IT consultancy group DB Consulting, was not pleased to be
    told that his company's remote dial-up number has been made public.  
    "These numbers would be extremely useful to hackers," Ryan told ZDNet
    UK. "Even if a system isn't insecure, there's the potential to deny
    employees access to the network, as we've only got a limited number of
    phone lines for remote access."
    According to experts, many companies have taken a very lax approach to
    the security of their remote access systems. "I know of companies
    which didn't have any security checks at all, because their sales
    people wouldn't have to remember yet another user name and password,"  
    said Roy Hills, technical director of security firm NTA Monitor.
    Hills described the publication of the numbers by BT as "a cock-up",
    and warned that any company whose remote-access number had been made
    public would have to check their security.
    "Some companies operate a policy of 'security by obscurity'," said
    Hills. "Because a number is ex-directory, they believe they are safe
    from hackers."
    Other security experts agreed that the numbers would be valuable to
    hackers. "Any hacker would enjoy having those numbers on his list,"  
    said Jack Clark, European product marketing manager at security
    software firm Network Associates. "Given access to those numbers I'm
    sure that people would at least play around. If I were BT I'd get
    those numbers down as quickly as I could."
    Hills said that firms should not rely on a low profile to keep hackers
    away. "This won't be much of a problem for companies who have already
    set strong remote access security, such as user name and password
    protection, or secure IDs," he said. "It could be easier to get the
    budget to make changes now."
    Hills was pleased to hear that BT planned to take the list down, but
    warned that it was likely that the information has already fallen into
    the wrong hands. "Hats off to BT for deciding to take it down, and
    deciding quickly. However, once you release these kind of numbers you
    can't go round to every hacker's PC and ask for them back."
    Need To Know, a weekly humorous technology newsletter, first revealed
    the existence of BT's list late last week.
    ISN is currently hosted by Attrition.org
    To unsubscribe email majordomoat_private with 'unsubscribe isn' in the BODY
    of the mail.

    This archive was generated by hypermail 2b30 : Tue Mar 26 2002 - 04:10:40 PST