lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Date: Fri Oct 28 11:53:35 2005
From: 0x2fbb3d97 at googlemail.com (Betty Duz)
Subject: British Telecom remote landline hijack - NCR (No
	Crocodile-clips Required)

Overview
--------
British Telecom (BT) operates an automated fault detection and
reporting system that allows anyone to test any line. If the line is
found to be faulty the caller is given an option to divert all
incoming calls for that line to another number, including mobile
phones. No authentication is required and the owner of the line will
be oblivious to the fact that her calls are being hijacked.

Impact
------
An attacker who is either aware of a faulty line or in a position to
cause a fault on a line (e.g. by cutting/shorting it) is able to hijack all
incoming calls to that line without the owners knowledge or consent.
Whilst BT will have a log of the number to which the calls have been
diverted, in these days of mobile-phone vending machines, this
information is useless.

Workaround
----------
Switch to a telephone company that has a clue.

BT may work around this problem by employing more staff rather than
trying to save money by implementing buggy, tortuous, irritating, automated
systems.

Status
------
BT Engineers were notified.

Powered by blists - more mailing lists