Hacking goldmine as BT publishes remote dial-up numbers

[InfoSec News <isn () c4i org>]

http://news.zdnet.co.uk/story/0,,t269-s2107318,00.html

Graeme Wearden   
Monday 25th March 2002

BT is to remove the list from the Web, but security experts warn that
the companies affected are at risk of attack in the future.

BT has admitted that it published the private remote access numbers of
a number of British companies on its Web site -- a move that could
expose the firms affected to hacking attacks.

The numbers were published on the public BT Together Web site in a
list that BT thought only included local and national ISP dial-up
numbers. However, the company admitted to ZDNet UK News on Monday that
an unspecified number of remote dial-up numbers were present in the
list. This list consisted of a total of 4,960 numbers, and it's
unclear quite how many of these were company dial-up numbers.

The director of one company whose remote access number was exposed has
described BT's actions as "just ridiculous".

BT has told ZDNet UK that this list will be taken down from the Web,
but security experts have warned that the numbers could already have
fallen into the hands of malicious computer users. Companies that give
their employees dial-in access to their networks have been advised to
check their security.

BT Together is a range of phone tariffs that give users unlimited
calls in return for a monthly fee. These tariffs do not apply to
national and local ISP dial-up numbers, and BT has said that the
purpose of its list was to make its BT Together customers aware of
numbers that they would have to pay extra to call.

However, the company has admitted that it inadvertently included
private dial-up numbers in this list.

"Our call-logging software would detect when BT Together customers
were making long data calls to certain numbers. We would then call
those numbers, and if there was a modem on the other end we concluded
it was an ISP, and that number would be added to the ISP exclusion
list," a BT spokesman said.

The BT spokesman would not say how many of the 4,960 numbers were
corporate dial-up numbers, but insisted it was "a very small number".

BT now plans to take the list offline, leaving only a tool where users
can enter a specific number to find whether it will be included in
their BT Together package or not.

ZDNet UK tracked down a company affected by BT's mistake. Martin Ryan,
director of IT consultancy group DB Consulting, was not pleased to be
told that his company's remote dial-up number has been made public.  
"These numbers would be extremely useful to hackers," Ryan told ZDNet
UK. "Even if a system isn't insecure, there's the potential to deny
employees access to the network, as we've only got a limited number of
phone lines for remote access."

According to experts, many companies have taken a very lax approach to
the security of their remote access systems. "I know of companies
which didn't have any security checks at all, because their sales
people wouldn't have to remember yet another user name and password,"  
said Roy Hills, technical director of security firm NTA Monitor.

Hills described the publication of the numbers by BT as "a cock-up",
and warned that any company whose remote-access number had been made
public would have to check their security.

"Some companies operate a policy of 'security by obscurity'," said
Hills. "Because a number is ex-directory, they believe they are safe
from hackers."

Other security experts agreed that the numbers would be valuable to
hackers. "Any hacker would enjoy having those numbers on his list,"  
said Jack Clark, European product marketing manager at security
software firm Network Associates. "Given access to those numbers I'm
sure that people would at least play around. If I were BT I'd get
those numbers down as quickly as I could."

Hills said that firms should not rely on a low profile to keep hackers
away. "This won't be much of a problem for companies who have already
set strong remote access security, such as user name and password
protection, or secure IDs," he said. "It could be easier to get the
budget to make changes now."

Hills was pleased to hear that BT planned to take the list down, but
warned that it was likely that the information has already fallen into
the wrong hands. "Hats off to BT for deciding to take it down, and
deciding quickly. However, once you release these kind of numbers you
can't go round to every hacker's PC and ask for them back."

Need To Know, a weekly humorous technology newsletter, first revealed
the existence of BT's list late last week.




-
ISN is currently hosted by Attrition.org

To unsubscribe email majordomo () attrition org with 'unsubscribe isn' in the BODY
of the mail.