| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <3a9907780510280353w4ae78b03h33ee4d8708ee4513@mail.gmail.com> Date: Fri Oct 28 11:53:35 2005 From: 0x2fbb3d97 at googlemail.com (Betty Duz) Subject: British Telecom remote landline hijack - NCR (No Crocodile-clips Required) Overview -------- British Telecom (BT) operates an automated fault detection and reporting system that allows anyone to test any line. If the line is found to be faulty the caller is given an option to divert all incoming calls for that line to another number, including mobile phones. No authentication is required and the owner of the line will be oblivious to the fact that her calls are being hijacked. Impact ------ An attacker who is either aware of a faulty line or in a position to cause a fault on a line (e.g. by cutting/shorting it) is able to hijack all incoming calls to that line without the owners knowledge or consent. Whilst BT will have a log of the number to which the calls have been diverted, in these days of mobile-phone vending machines, this information is useless. Workaround ---------- Switch to a telephone company that has a clue. BT may work around this problem by employing more staff rather than trying to save money by implementing buggy, tortuous, irritating, automated systems. Status ------ BT Engineers were notified.
Powered by blists - more mailing lists