BT Publishes Private Remote Access Numbers On Internet

March 25, 2002

By Graeme Wearden, ZDNet

http://news.zdnet.co.uk/story/0,,t269-s2107318,00.html



BT is to remove the list from the Web, but security experts warn that the companies affected are at risk of attack in the future.

BT has admitted that it published the private remote access numbers of a number of British companies on its Web site -- a move that could expose the firms affected to hacking attacks.

The numbers were published on the public BT Together Web site in a list that BT thought only included local and national ISP dial-up numbers. However, the company admitted to ZDNet UK News on Monday that an unspecified number of remote dial-up numbers were present in the list. This list consisted of a total of 4,960 numbers, and it's unclear quite how many of these were company dial-up numbers.

The director of one company whose remote access number was exposed has described BT's actions as "just ridiculous".

BT has told ZDNet UK that this list will be taken down from the Web, but security experts have warned that the numbers could already have fallen into the hands of malicious computer users. Companies that give their employees dial-in access to their networks have been advised to check their security.

BT Together is a range of phone tariffs that give users unlimited calls in return for a monthly fee. These tariffs do not apply to national and local ISP dial-up numbers, and BT has said that the purpose of its list was to make its BT Together customers aware of numbers that they would have to pay extra to call.

However, the company has admitted that it inadvertently included private dial-up numbers in this list.

"Our call-logging software would detect when BT Together customers were making long data calls to certain numbers. We would then call those numbers, and if there was a modem on the other end we concluded it was an ISP, and that number would be added to the ISP exclusion list," a BT spokesman said.

The BT spokesman would not say how many of the 4,960 numbers were corporate dial-up numbers, but insisted it was "a very small number".

BT now plans to take the list offline, leaving only a tool where users can enter a specific number to find whether it will be included in their BT Together package or not.

ZDNet UK tracked down a company affected by BT's mistake. Martin Ryan, director of IT consultancy group DB Consulting, was not pleased to be told that his company's remote dial-up number has been made public. "These numbers would be extremely useful to hackers," Ryan told ZDNet UK. "Even if a system isn't insecure, there's the potential to deny employees access to the network, as we've only got a limited number of phone lines for remote access."

According to experts, many companies have taken a very lax approach to the security of their remote access systems. "I know of companies which didn't have any security checks at all, because their sales people wouldn't have to remember yet another user name and password," said Roy Hills, technical director of security firm NTA Monitor.

Hills described the publication of the numbers by BT as "a cock-up", and warned that any company whose remote-access number had been made public would have to check their security.

"Some companies operate a policy of 'security by obscurity'," said Hills. "Because a number is ex-directory, they believe they are safe from hackers."

Other security experts agreed that the numbers would be valuable to hackers. "Any hacker would enjoy having those numbers on his list," said Jack Clark, European product marketing manager at security software firm Network Associates. "Given access to those numbers I'm sure that people would at least play around. If I were BT I'd get those numbers down as quickly as I could."

Hills said that firms should not rely on a low profile to keep hackers away. "This won't be much of a problem for companies who have already set strong remote access security, such as user name and password protection, or secure IDs," he said. "It could be easier to get the budget to make changes now."

Hills was pleased to hear that BT planned to take the list down, but warned that it was likely that the information has already fallen into the wrong hands. "Hats off to BT for deciding to take it down, and deciding quickly. However, once you release these kind of numbers you can't go round to every hacker's PC and ask for them back."


main page ATTRITION feedback