RE: Phone Switches + telephone banking etc

From: Kit (kitat_private)
Date: Thu Jun 06 2002 - 10:58:43 PDT

    More importantly, there are VoIP servers which do the key logging of
    internal phone systems, and many of these are turn-key based servers that are
    running on Win2k.  Many of the net phone admins I've worked with aren't
    very savvy on system administration and don't know how to properly secure
    the system.  I've had to go in and remove the appropriate access afterwards,
    but from who I've talked to in the past, many implementers don't have
    someone knowledgeable in Windows to properly secure the systems and rely on
    how they come from the factory, which isn't always much more secure than
    how the OS comes from Windows.  It is very scary.
    
    -K
    
    -----Original Message-----
    From: quentynat_private [mailto:quentynat_private]On Behalf
    Of quentynat_private
    Sent: Thursday, June 06, 2002 10:54 AM
    To: vuln
    Subject: Phone Switches + telephone banking etc
    
    
    I was thinking today about phone switches: many of them are connected to
    the internal LAN. Many of them record all the keystrokes made by the
    individual phones (this is the important bit). If one could compromise a
    phone switch (or wherever it stores its logs), then making free calls
    would be a minor issue. The prize in this situation could be who phoned
    what bank, and if you can get the key presses, then if that person has
    used the automated telephone banking service, you will have (at a
    minimum):
    
     the account number
     sort code
     any verification number
    
    
    Has anyone done any work in this area?
    
    I know many banks (at least in the UK) will say not to use their
    service through cordless phones; maybe they should increase that to include
    corporate phone switches.
    
    
    
    Q
    
    --
    #####################
    Quentyn Taylor
    Sysadmin - Fotango
    #####################
    RFC 882 put the dot in .com.
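    Added example, not from either poster: a small scrubber for the switch
    logs the original post describes, written from the defender's side. It masks
    DTMF digits on external calls before the log is retained and flags records
    where the handset sent account-number-sized digit runs; the CDR line format,
    extension length and phone numbers are all constructed for the example.

```python
import re
from dataclasses import dataclass
from typing import List, Tuple

# Constructed CDR-style lines (assumed format, not a real switch's): timestamp,
# extension, dialed number, and the DTMF digits sent after the call connected.
# 0845/020 7946 numbers here are placeholders, not real bank lines.
SAMPLE_CDR = """\
2002-06-06 10:54:01 ext=204 dialed=08450000000 dtmf=12345678#401234#9876#
2002-06-06 10:55:13 ext=207 dialed=3311 dtmf=
2002-06-06 10:57:40 ext=204 dialed=02079460000 dtmf=2#
"""

CDR_RE = re.compile(
    r"^(?P<ts>\S+ \S+) ext=(?P<ext>\d+) dialed=(?P<dialed>\d+) dtmf=(?P<dtmf>[0-9*#]*)$"
)
# Six or more consecutive digits: sort code, account number or PIN sized input.
DIGIT_RUN = re.compile(r"\d{6,}")


@dataclass
class Finding:
    ext: str          # extension that placed the call
    dialed: str       # external number it reached
    dtmf_digits: int  # how many digits the caller keyed in after connecting


def is_internal(number: str, ext_len: int = 4) -> bool:
    """Assumed dial plan: internal extensions are at most ext_len digits."""
    return len(number) <= ext_len


def scrub(cdr_text: str) -> Tuple[List[str], List[Finding]]:
    """Return (lines safe to retain, findings for audit). DTMF keyed on internal
    calls (voicemail menus etc.) is kept; on external calls every digit is masked
    so a compromised log cannot yield banking details."""
    retained, findings = [], []
    for line in cdr_text.splitlines():
        m = CDR_RE.match(line)
        if not m or is_internal(m["dialed"]):
            retained.append(line)  # unparsed or internal: kept for later review
            continue
        dtmf = m["dtmf"]
        if DIGIT_RUN.search(dtmf):
            findings.append(Finding(m["ext"], m["dialed"], sum(c.isdigit() for c in dtmf)))
        masked = re.sub(r"\d", "X", dtmf)
        retained.append(f"{m['ts']} ext={m['ext']} dialed={m['dialed']} dtmf={masked}")
    return retained, findings
```

    Masking happens before retention, so the stored record still shows that an
    IVR was used (and how many digits were keyed) without keeping the digits.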
    
    This archive was generated by hypermail 2b30 : Thu Jun 06 2002 - 12:08:43 PDT