RE: Phone Switches + telephone banking etc

From: Kit (kit@smallfoxx.com)
Date: 06/06/02


From: "Kit" <kit@smallfoxx.com>
To: <quentyn@fotango.com>, "vuln" <vuln-dev@securityfocus.com>
Date: Thu, 6 Jun 2002 12:58:43 -0500

More importantly, there are VoIP servers which do the key logging of
internal phone systems and many of these are turn-key based servers that are
running on Win2k. Many of the net phone admins I've worked with aren't
very savvy on system administration and don't know how to properly secure
the system. I've had to go in and remove the appropriate access afterwards,
but from what I've talked to in the past, many implementers don't have
someone knowledgeable in Windows to properly secure the systems and rely on
how they come from the factory, which isn't always much more secure than
how the OS comes from Windows. It is very scary.

-K

-----Original Message-----
From: quentyn@mx1.fotango.com [mailto:quentyn@mx1.fotango.com]On Behalf
Of quentyn@fotango.com
Sent: Thursday, June 06, 2002 10:54 AM
To: vuln
Subject: Phone Switches + telephone banking etc

I was thinking today about phone switches; many of them are connected to
the internal LAN. Many of them record all the keystrokes made by the
individual phones (this is the important bit). If one could compromise a
phone switch (or wherever it stores its logs) then making free calls
would be a minor issue. The prize in this situation could be who phoned
what bank, and if you can get the key presses then if that person has
used the automated telephone banking service, you will have (at a
minimum):

 the account number
 sort code
 any verification number

Has anyone done any work in this area?

I know many banks (at least in the UK) will say not to use their
service through cordless phones, maybe they should increase to include
corporate phone switches.

Q

--
#####################
Quentyn Taylor
Sysadmin - Fotango
#####################
RFC 882 put the dot in .com.