Slashdot Mirror
AT&T Concerned About H2K2
****************************************************************
AT&T Network Fraud Advisory
July 11, 2002
****************************************************************
Possible Hacker Social Engineering Attempts
Friday July 12 - Sunday July
14, 2002
===================================================
Caution:
------------
Be careful about giving information to anyone you don't know and those
making unusual information requests by claiming to be an AT&T employee or
customer.
The H2K2 (Hackers on Planet Earth 2002) Hacker Conference will take place
this weekend, Friday, July 12 to Sunday to July 14, 2001, [ed. note: 2001?] in New York
City. This conference will be a gathering of over five thousand computer
hackers, guest speakers, and computer enthusiasts. http://www.h2k2.net
In 1994, 1997 and 2000 at the previous Hope (Hackers on Planet Earth)
Conferences, live demonstrations of "social engineering" techniques were
performed in front of thousands of hackers and other attendees. The hacker
panel dialed live into AT&T offices and centers and demonstrated how to
get proprietary information by pretending to be an AT&T employee and
customer. These calls were recorded and videotaped by the hackers and are
sold as instructional material at future hacker conferences. There is a
very high likelihood that AT&T will be a target again this weekend.
The social engineering contest is scheduled for Sunday July 14th, at 4
P.M. ET, (1 PM PT). During this period hackers may be dialing into AT&T
to get information.
AT&T Network Security would like to warn our employees to be on guard this
entire weekend for any unknown person calling and claiming to be an AT&T
employee to request proprietary information or claiming to be an AT&T
customer with unusual requests.
Remember, if anyone, who is unknown to you calls for proprietary
information or make unusual requests, please follow your procedure by
requesting additional information to ensure the person is who they say
they are before giving out any information.
If the person is claiming to be an AT&T employee, please request name,
callback and HRID #. Then verify through POST or the email global address
list if the information is correct and even request to call the employee
back at their contact number.
If the person is claiming to be an AT&T customer verify this by requesting
additional info on their account like address and SS# and even request to
call the person back at their contact number listed on the account.
Please be on guard for any unusual requests. Verify the person is an AT&T
employee or a legitimate customer and if they have a need to know the
information they are asking. If you can't verify employment or number,
don't give out the information. If you are still in doubt regarding the
legitimacy of the caller, then speak to a supervisor regarding the
situation before proceeding further and inform the caller you will call
them back. If you still have questions you can call the Security Hotline
1-800-822-9009.
Remember you do not want to be the lucky guest of honor on a telephone
call from the hacker conference this weekend with thousands of hackers
listening to you and attempting to scam AT&T out of proprietary
information. Please be on guard.
- - - - - - - - - - - - - - - - - - - - - - - - -
Source: AT&T Network Security
*******************************************************************
and
...
. Beleive me, it'll be a LOT easier to read through than one large check of pure text.Free Mac Mini
If you still have questions you can call the Security Hotline 1-800-822-9009.
Can't the hackers who read slashdot (probably most of them) just call this number instead now?
Furthermore, why doesn't Microsoft have a security hotline?
They have to take special precautions since there's some conference? What about the rest of the year?
Does anyone else think that email sounded like an advertisment rather than a warning???? Wonder if AT&T's marketing department has a card carrying hacker on staff that wrote that.
***I GOT NUTHIN***
It might be useful to indicate that the Anonymous Coward is an AT&T employee of some sort, not an AT&T customer that some might think of at first.
the first rule:
DO NO PANIC!
This kind of behaviour should be common practice, really.
I just hope that whatever information they're looking at, it won't be mine.
On another note, if this hacker convention is so well publicized, why aren't there hordes of policemen preparing to descend upon the unsuspecting hackers? Especially with all the cracking down that the FBI/police force have been doing lately on people who uncap their cable modems, or share wifi connections....
I regularly get emails saying "A person has been seen acting suspiciously on campus, and ran away when challenged. There has been a spate of robberies by extra vigilant," and nothing is made about it. It doesn't mean we're not to be vigilant the rest of the time, just a timely and worthwhile heads up.
What makes this different except the criminals involved are 'l33t and say stuff like "Mad propz".
Athletic Scholarships to universities make as much sense as academic scholarships to sports teams.
Only be secure when the world might be watching, and at all other times be lax. Sounds like a fantastic policy to me.
Need a Python, C++, Unix, Linux develop
almost as funny as the story run by FOXNEWS.com saying "al Qaeda operatives have infiltrated WorldCom" (last two paragraphs on the page)... seems they didnt read the whole story at foxnews.com... it was a joke commentary by Arnaud de Borchgrave
the story outlining foxnews erronious reporting is here (Item #4).
Thanks to file sharing, I purchase more CDs
Thanks to the RIAA, I buy them used...
"I can't give you a brain, so I'll give you a diploma" - The Great Oz (blatently stolen sig)
just dont call them mid-july. Any other time they will obviously be happy to answer you're questions without checking that you are authorised to recieve that information :)
Dear Employees:
The previous memo failed to mention another warning sign of hacker social engineering attempts. If you hear the song "Halcyon-On and On" by the music group Orbital, hang up the telephone immediately. We will be holding information sessions at all regional offices for telephone support personnel, where you will be trained to recognize this music within several seconds. DO NOT confuse this warning sign with the last five minutes of Mortal Kombat! It is better to be safe than sorry. Thank you for your cooperation, and stay Hacker-Free(tm) during this period of "l337n355".
...
So did CmdrTaco social engineer this Anonymous Coward into posting this proprietary company bulletin on Slashdot? The mind boggles!
Beeboy(!)
"This is my sig file. There are many like it, but this one is mine."
DefCon has this as a contest running through the conference.
Social Engineering is obviously one of the best ways to garner information. It is obviously a good thing that AT&T is on their toes this weekend, since I am sure some of these people will try.
I think it is unfortunate that they have to give warnings for this weekend. Instead they should give monthly meetings on who to give what information to.
Security is not an end product, it is a process. And it needs to be drilled into everyones head, constantly.
Maybe some of AT&T employees should attend the conference, learn Social Engineering techniques, and then try to social engineer their own company. Then you could punish peole (right them up, whatever) for security breaches.
it's not relevant at all. there are people here at slashdot that do nothing but post complete crap. they're known as crapflooders, and often have a default score of -1 on their posts. other folks to look out for are trolls, people who toss out a comment with the intent of generating typical responses or flames.
Now I would try to dial into the Security Hotline ;)
...
("Security Hotline 1-800-822-9009") and
to pretend to be an alarmed AT&T employee
Or dial someone from AT&T pretending to be
from the Security Hotline.
Social Engineering attacks are so easy
LEARN ENGLISH!
- the resolution procedures in case of doubt about a callers identity
- the "security hotline" phone number.
Nice going, AT&T.
CEE5210S The signal SIGHUP was received.
ring ring
at&t internal helpdesk hello bob speaking
hey bob, its jack here from whatever department. you know that mail you guys just sent out about the hacking conference thing
yeah
something's wrong with my email client, can you forward it to this hotmail account...
Maybe in the states it works differently, but in Canada you don't *have* to give out your SIN (our version) unless its to the government... not that companies don't ask anyway. Isn't it usually considered a VERY dangerous little bit of information to give out on the phone to some guy at a phone co? I don't think I'd like the idea that I'd be refused service because I refuse to give out my SIN/SS# just because of a hacker conference.
What about after the conference is over? At least at the conference the actions aren't malicious, they're just demonstrated to prove a point. Implementing proper procedures to the employees and making sure they're followed EXACTLY would go a long way toward preventing social engineering. This is NOT a new problem, and it also underscores the simple fact that the least secure part of any network is the user.
-Restil
Play with my webcams and lights here
The notice should have asked the employee's to have the caller put AT&T on their "Do not call list"!
call for FBI agents to guard their garbage bins?!
Those hackers can also use "garbage engineering" techniques to get proprietary information.
The reason it's in there is:
1. Dave Barry's funny
2. The conference is AT the Hotel Pennsylvania, so it's relevant
that AT&T has themselves a beowulf cluster of morons :]
----- I took the blue pill. Ignorance is bliss. ----- eof
It is interesting to see that AT&T want their employees to be on "guard this entire weekend" when it involves embarrassment to the company. After the weekend, though, they can resume their usual lax security.
i hope they normally work to educate their employees on security. if that's the case, it's a good idea to send reminders from time to time, especially if you know you're a likely target at a specific time.
but if they don't regularly discuss things like social engineering, it's far too late now as most people will likely disregard the notice.
i think it is an example of an earthling technique known as 'humour'
Did anyone else think the hotel description was a
better read than the actual link about the hacker conference?
Scott.
If no one has, for all we know it's a psychic hotline or something. Can anyone think of a way to verify this?
At my employer's firm, we have perfected the art of repelling those out to gain information by a 2-pronged approach. We run the callers through a maze of automated phone forwarding recordings to (eventually) a person who has no clue about anything.
1994, 1997, 2000, ____
what comes next? not 2002
unless of course they send this warning out every year.
Got Freedom?
Thinking?
(Get it? Security through obscurity? Oh, I give up...)
It almost sounds like they are more worried about being embarrased than being hacked. At least with regular hack attempts, there's no one filming and distributing it - there's no audience.
Sure it's fun to see this memo, and maybe it's a bit humourous, but I can't help but feel that the submitter really shouldn't have sent this information to /.
Maybe most of us hate "The Phone Company" and think they overcharge and use shady tactics, and, sure, not everyone at H2K2 will try for and/or do anything with the information they may or may not receive. And, yes, hackers aren't inherently evil folks wanting to harm.
But AT&T is a company with a lot of proprietary information that could be easily broken if someone starts playing around with it, especially if they really don't understand what they're doing.
Yes, yes, information wants to be free and all that, but I see the memo as AT&T trying to keep a handle on what's going on inside their property.
Is it really okay to expose this? At best it's a look into, perhaps humorous, internal PR. At worst it's letting the world know that, on this particular weekend, the back door to the Best Buy on Such-and-such St. has a broken lock.
And if this did result in a real-world break-in -- if someone did use this information to steal from the Best Buy -- the person who posted this information would be arested and charged.
If Nalgene water bottles are outlawed, only outlaws will have Nalgene water bottles.
http://www.lysator.liu.se/etexts/hacker/
An interesting read, and they don't seem to have learned anything...
Everyone who had high karma now just has 'excellent'. Since according to the editors, nothing over 25 karma really matters, I figure I've got 23 karma to burn with goatse.cx posts.
I've always loved your posts Subject Line Troll. To anyone that finds slashdot getting boring, start reading at -1.
I called the 800# it is legit.
J
If we're forced to follow basic security procedures, it means the hackers have already won.
Best Windows Freeware
Now the target is absolutely irresistable. They're going to read the notice out loud at the conference and then call AT&T just to make a point. I bet they were even planning to call a different company this year.
Of course, AT&T may be doing this to trap them --it's curious that they say h2k2 several times and clarify it instead of just saying "group of hacker terrorists". Or maybe they really are just that stupid.
Either way, it should be fun. I've got my ticket.
Well I tried several reverse phone directories, but the number seems to be unlisted. This includes anywho.com which is part of at&t.
Thoughts on tech, Software Engineering, and stuff
I bet AT&T would just love to get their hands on the person that posted this. AT&T did a very responsible thing: they saw a potential threat to the security of their customers, i.e., a lot of people who are reading this (and even if you don't pay AT&T directly, you might use their lines if you have a cable modem), and sent out a warning to remind their people. They included reminders of proper secure behavior. And what is the first thing an employee do? Leak the number and protocols to an outlet read by the people who are most likely to try and breach security. If you were my employee you'd get in some serious trouble.
Many people who do the social engineering hack make fun of companies for having clueless employees or employees that don't follow basic guidelines. So for those few who make fun of AT&T for doing this, I'd say you can't have it both ways.
We should be applauding AT&T for reminding their people of basic security precautions.
Problem lies perhaps in the fact that AT&T is a big corporation. People are numbers and numbers can be forged/stolen easily without too much trouble. What if an AT&T employee that just got sacked took a list with him with the information and just threw it on the internet.
I know that these kind of security precautions exist in every big corporation (i work for a top financial corp). I also know that they NEVER work. No-one knows you by the face, only a name or a number is known, and these are easy too come by.
Besides, most system breaches are done from the inside anyway. I know that our company had more internal issues then external.
Now that gives an interesting movie, seeing a hacker calling an AT&T employee... You'll have more fun listening to Brain Damage: Public Radio rules!
bash$
Funny thing is, this probably won't help.
I know when we tell everyone about a new virus, and yet another reminder not to run things even if they are from someone you know, some otherwise intelligent people still go out and run it, and when you ask, they say "Well I know you warned me, but MY friends would never do something like that"
So I can see it now "Well I know there was a warning out.. but he SAID it was an emergency"
The fact that the conference is mentioned several times leads me to believe that it is a clever advertising campaign for the conference designed by one of the organizers. I don't feel like this note had its origins within AT&T.
No, that means you're already there.
This Notice is Very likely proprietary information to AT&T. The submitter obviously has a very small or nonexistant understanding of security issues and confidentiality if he is forwarding this information outside the company.
The Notice does list good procedures with regards to verifying identities, and avoiding social engineeering attacks, and does outline a legitimate security concern to AT&T, and thier security department acted.
What an abuse of terms! Calling pretending to be an AT&T employee is simplky called a lie or deception. Social Engineering (former meaning of the word Cybernetics) is not an individual lie, but a steeering society using mass desinformation of public in order to change demograpnics, or orientation of society.
For instance disinformation about earth overpopulation, single child policy, "sexual education", distribution of condoms, abortion counseling etc. are examples of Social Egineering, usually things that are never tolerated in civilized society.
That e-mail proves the meeting has acomplished one of its goals. Thanks to H2K2 AT&T is being more careful with the private info.
Isn't that what we all want? At least that's the reason why I support those kind of things.
Life isn't like a box of chocolates. It's more like a jar of jalapenos. What you do today, might burn your ass tomorrow.
Why should it take a hacker conference to get AT&T to put out such a warning? I would like to think that such policies are already in place, and that employees are trained to minimize the risk of social engineering from the start.
I guess that's just wishful thinking though...
I also work for AT&T, but I have not seen this memo (I'm in NJ. Maybe it only went to NY people? Maybe only to sales people? Maybe I'm not good enough?).
But I did some hunting and found this in a recent newsletter. Seems outide people are _supposed_ to call that number (which looks like it is out of my building based on the exchange of the phone #)....
SECURING CRITICAL INFORMATION: AT&T is classified as a critical infrastructure company, servicing the communications needs of the government, including its armed forces around the world. Because of this relationship, and current world events, employees may receive inquiries concerning AT&T's network infrastructure security. While most requests are legitimate, some may not be. It's critical to the security of our country, as well as to our business, that these questions be answered factually, and information provided only to legitimate requestors. For these reasons, employees who receive inquiries from a local, state or federal government agency, anyone claiming to represent the media, or any concerned citizen, should refer those agencies or individuals to the AT&T Corporate Security 24x7 hotline at 1-800-822-9009 (within U.S.) or 908-658-0380 (outside U.S.). Corporate Security will ensure inquiries are verified and appropriate responses provided.
I wonder if there has ever been an instance of an 800 number being slashdotted?
Basil
Read the jargon file !
We MUST remain vigilent!!
http://www.disassociate.com
The hotel is just as bad as Barry describes it. I was forced to stay there as a presenter at a conference, and while I travel a lot and have stayed in all sorts of horrible places, this was the worst by a long mile. Nice and expensive (though cheap for NY) too.
How can we be sure this is really what it appears and that it is not slashdot that his been socially engineered ?
Read this very similar AT&T warning about a 1998 DEF CON conference:
http://www.defcon.org/TEXT/6/att-dc-6-alert.txt
Unless AT&T has not changed its warnings in three years (unlikely) and such warnings have been leaked multiple times (more unlikely) this would seem to be a fake.
This one reads reverse social engineering...
If one of those evil haxors calls you, just dial 800-hackers, and a "AT&T" person will help you.
This is a good one...
That song is great :) Orbital has a lot of good music other than Halcyon and On and On. I highly recommend them
Excerpt from the site:
:)
>> Preregistration for H2K2 is closed -- you can
>> still pay $50 at the door to get in, but you
>> must bring cash; we cannot take credit cards
>> for admission.
>>
Oho... imagine that, forcing themselves to stay semi-legit by not using credit cards
That's like going to a Catholic priest convention and not being able to bring your favorite altar boy.
------ He'd been to some great parties in tombs.
H2K2, that is.
------ He'd been to some great parties in tombs.
Resume your normal, insecure procedures on Monday morning. There's no point in going overboard with this security hoopla.
I have discovered a truly marvelous sig, unfortunately the sig limit is too small to contain i
But I think this falls under the category of "heightened awareness".
Cheers,
Jim in Tokyo
-- My Weblog.
I think social engineering is key in many situations, and "script kiddies" usually dont have it. It gets you from place to place on the net and in the real world. So i would be concerned if i was at&t, but now.. they are a laughing stock and are going to be hit good. =p
Actually, it makes good statistical/economic sense to concentrate caution on periods of higher risk.
Let's say that AT&T has two modes: careful (C) and reckless (R). Now clearly it costs more in terms of employee time to be careful than reckless. (Say it costs C=$10 and R=$1 respectively. ) Assume Careful catches a proportion q_c of social engineering attempts while Reckless lets a proportion q_r succeed.
Now assume that at a given time there is probability p that someone on the line is trying to social engineer them. Assume also the costs of being hacked (in embarassment or whatever) are uncorrelated, and average $H. Assume the benefits of a legit phone call are $B.
We can now compute the payoff from being careful versus reckless.
V_C = B (1-p) - H p q_c - C
V_R = B (1-p) - H p q_r - R
It's clearly quite possible for either V_C or V_R to be larger depending on the coefficients.
If you could make a function giving q as a function of cost, you could solve for V=0. This would tell you exactly how careful to be, given a particular present level of riskiness p.
To be fair, this is also a Doodette Thing(tm).
I love it... follow these security procedures _on the specific date and time when a hacker's conference has an announced a scheduled social engineering demonstration_.
Don't worry about REAL security. Just worry about embarrassing PR. As long as the hacker breakins don't occur at a time and place when the press is likely to find out about them, everything is OK...
If they had NOT sent out the email, they would have had a good opportunity to find out whether the improved procedures they instituted following embarrassments at previous HOPE conventions were effective. (They DID institute improved procedures following those previous conventions, didn't they?)
"How to Do Nothing," kids activities, back in print!
This information shouldn't be considered secret; after all it's not terribly hard to find out what AT&T will ask if you call up pretending to be an employee or customer: just call up, pretending to be an employee or customer and see what they ask you. If they've designed their procedures sensibly, you still shouldn't be able to spoof them.
Of course, the really great hack would be to call up Kevin Mitnick pretending to be an officer of the court, and get the information from him.
AT&T is being smart here. Socially engineer me once, shame on you. Socially engineer me twice, shame on me. Granted, what with all the shenanigans that have happened in the past with AT&T and hackers (they dont seem to get along so well) it has been a great deal more than "Socially engineer me twice" for the folks at AT&T.
Although AT&T does have a valid point that due to the fact that the H2K2 convention is going on, wouldn't it be a good idea to generally be suspicious of people on the phone who claim to be AT&T employees who request proprietary information. Since AT&T deals with a large ammount of sensetive information at any given time I figured that it would be a good idea to be alert at any given time. I mean, thanks to the internet people no longer have to be in one physical place to converge. Just a thought.
"AtAT concerned about H2G2". I was trying to figure out why Douglas Adams' website would be moving in on "As the Apple Turns' turf." I mean, he WAS a mac advocate (ok, evangelist) but damn.
Triv
Yeah, I don't even know why we still call them Social Security Numbers. It's a farce. It is your unique National Identification Number, whether you like it or not.
Cool! Amazing Toys.
I think I'll just wait until next week. That document makes it sound like any other week of the year root passwords are given to the first 100 people through the door.
Finally, math books without any of that base 6 crap in them.
the problems served as an eye opener to many. AT&T however, has taken a very foolish approach to dealing with this. Instead of tightening the social arm of security all year around, they are only interested in this date range (not ONLY of course, but since this has not been made a big issue before, and employee training is the NUMBER ONE method of reducing social engineering security risk, then AT&T is not taking it seriously overall)
This is exactly what any thief, vandal, or anyone who wishes to subvert security, wishes for... the very predictable nature. I hope for their sake that these warnings are more often (year around) and are not the only method of education of employees.
I seek not only to follow in the footsteps of the men of old, I seek the things they sought.
Maybe in the states it works differently, but in Canada you don't *have* to give out your SIN (our version) unless its to the government... not that companies don't ask anyway.
Actually, the US does have such a law. It's just completely ignored.
Every so often someone suggests enforcing the rule, but that would require so many changes that it won't happen.
Actually, you CAN keep it to yourself in most cases. And I have for a couple decades. (I've been concerned about identity theft since long before the term was coined.)
The battle has been lost with respect to withholding it from the state governments when you go for a driver's license - congress authorized them to collect it. (They actually MANDATED it - allegedly to help track dads who skipped out on child support. So why are they collecting womens' numbers, hmm?)
Some entities are entitled to your SS number - generally those that may pay you taxable money: employers and banks. (NOT insurance companies, at least until there's a taxable payout, and most payouts are not taxable.) The rest can ask and you can refuse. They're usually stuck serving you anyhow - especially if they're already contracted to do so, as with certain employee benefits.
I'm not sure if lenders are entitled or if it's just "Well, I have to serve you anyhow. But I get to do so on my personal estimate of your credit risk, based on rules I use that are common to all applicants. I think someone who withholds their SS# from a lender has a skeleton in his financial closet and is a high risk." Either way if you want a loan you'll need to give 'em the number.
The big problem has always been hospitals and medical insurance companies. Hospitals normally assign a hospital number separately and will let you leave your SS# field blank or fill it with "withheld". They have a separate field for the insurance ID, because lots of people are on their spouses' or parents' insurance. Insurance companies generally let you use a replacement I.D. Some will assign it themselves. Some will ask you to generate one - and be responsible if it collides with someone else' number.
If you must generate one: there are several rules for numbers the US will never assign. One I remember is "any of the three fields is all zero". I think any field all-9 is also unused. Two insurance companies that assign numbers are apparently using counters, one starting at 000-00-0001, the other at 100-00-0001 (probably to avoid collisions with each other). If that's where they started they've each assigned more than a thousand before they got to me. Regardless: I have yet to encounter any billing or hospital registration software that rejects "illegal" SS# patterns.
Lately it has gotten a LOT easier to withhold the numbers. Apparently enough people have been doing so that it's no longer a "lone nut" thing. (This is possibly because identity theft has been in the news for a couple years, possibly because people like me have dealt with enough companies to bring their I.T. departments kicking and screaming into the world of privacy.) Companies have gotten the message - clear down to the clerk level - and are no longer fighting the withholding of SS#s and other personal info.
Computer Professionals for Social Responsibility has a project on keeping SS#s private and can give you some tips if you run into a company that's being obstinate.
Meanwhile, get your passport and use THAT for I.D. B-)
Bantam Dominique roosters crow a four-note song. Once you've heard it as "Happy BIRTHday" you can't NOT hear it that way
ATT is always calling my home trying to get me to switch back to their crap service. Well, just like they're inside my phonelines 2 times a day, I hope talented h4x0r is inside their machine fucking things up 2 times a day.
I hope Sprint sent warnings to the staff of TechTV when Kevin Mitnick was on the Screensavers recently.
A call to this number rang about twenty times, then was picked up by a voicebot: "Your party is not picking up. Your call will now be disconnected."
Big Daddy, Johnny, Burp, Aunt Zelda, Scott, Slurp, Big Momma
AT&T Has blocked access to the H2K2 Website for all employees through Smartfilter.
Preregistration for H2K2 is closed -- you can still pay $50 at the door to get in, but you must bring cash; we cannot take credit cards for admission.
A hacker's conference that doesn't take credit card numbers? Whatever happened to social engineering?
The society for a thought-free internet welcomes you.
...why not just let the operator know that you *did* in fact get the memo about increased security and the H2K2, but it's quite an emergency and can't get to all of your information?
waddle waddle
> I wonder if there has ever been an instance of an
> 800 number being slashdotted?
Oh yeah.
I used babysit the computers at a call center, and it's very easy to get overloaded.
There are a finite number of trunks (voice lines) coming into a call center. If they are all occupied, you get a fast busy signal when you call that 800 number.
The voice telling you to press 1 for this and 2 for that is being generated by a computer running IVR (interactive voice response) software. The IVR box can only handle a finite # of conversations, depending on the h/w and how it's set up.
And of course there are a finite # of bums in seats, i.e. the people who take the calls. If they're short of agents, you can wait in queue a long time, as I'm sure you've experienced.
YOu posted a HACKER manual on ./ again...
BAD YOu... Prepare to be punished!!!
In about 1980, when I was in high school, I discovered an unused phone extension line in my bedroom closet and started experimenting with it. I quickly figured out the basics and built a little homemade phone. Later, I got the idea of using a thirty-foot spool of wire and a couple of alligator clips to quickly tap into someone's line outside of their house to steal long distance phone calls from the safety of my car. This is really trivial stuff, I know, but I thought I was clever.
But not clever enough. I called my cousin long-distance by connecting to what turned out to be the phone line of a little old lady who'd never made a long-distance phone call in her life. Her church was helping her pay her bills and noticed the phone call immediately. They called AT&T, and AT&T merely checked to see who else in my small New Mexico town had ever called that California number. Then they called my mom.
Once AT&T security found out that I hadn't actually done anything sophisticated or interesting, they just made my parents pay for the call and dropped the matter.
None of this, of course, shows that AT&T security was especially astute. But a few years later I was working as a radio disc-jockey, and I told this story to the station's chief broadcast engineer. He told me that he had worked for AT&T and that AT&T Security were among the best private security experts in the world. In his words: "Don't fuck with AT&T Security". That made an impression on me.
Later on, when I first read about the phone phreaking era, I felt lucky that a) I wasn't ingenious enough to get myself in any real trouble, and b) I didn't know anyone who was.
I had an idea like this when I was younger. Write a worm that spreads to and sits on all computers with a dial up connection. At a paticular time, the computers would activate, and if the worm detected that the user was away from the computer, it would dial up some number DDoSing some poor person or company....
It would create a mess because while many internet sites are aware of DDoS... the phone system is more vunerable. If there were enough hosts you could shutdown a whole exchange area, or cell area. The possibilties are scary.
Im not here now... Im out KILLING pepperoni
I used to work for AT&T in a phone center and this was a pretty common occurrence. We would regularly receive these types of alerts whenever there was an event such as this.
I think this memo just makes it THAT much more tempting now. There sure to get attempts now.
"Please be on guard for any unusual requests. Verify the person is an AT&T employee or a legitimate customer and if they have a need to know the information they are asking...and inform the caller you will call them back."
Someone was able to not only get through to AT&T service but also GOT A CALL BACK!? Now THAT is shocking news!
It is by the juice of the coffee bean that thoughts acquire speed, the teeth acquire stains. The stains become a warning
I was wondering why my grandma had all of these 900 sex chat calls on her phone bill years ago. And I thought my grandma was just kinky!
It is by the juice of the coffee bean that thoughts acquire speed, the teeth acquire stains. The stains become a warning
Fortunantly, H2K2 will be over soon, and AT&T staff can go back to not worrying about what information they give out. Whew! Come monday morning, they can relax again.
Those who would give up liberty in exchange for security and DRM should switch to Microsoft Palladium!
nt
Brainfart. It was Stevie Smith. My bad.
Hot Damn! It's the Soggy Bottom Boys!
It's true.
This letter is standard boilerplate, with good reason.
There are workshops on social eng. at these events, and I've personally recieved calls from the events from participants trying to get into the network.
If you have any legitimate business with AT&T be sure to call them around the times mentioned in the memo. They'll be extra cautious then.
Every year in Las Vegas, AT&T issues the same warning, and generally, every year, someone still succeeds at socially engineering some information from them.
I have to seriously doubt the authenticity of this memo... I work for AT&T in a division that would most defnitely be one of the first to recieve any such warning memo - and I've recieved nothing.
If it's the real deal, take the memo as just one irresponsible & clueless manager having a panic attack because of some Fox News story that screamed about evil hackers detroying the world with AT&T phone lines. It's *definitely* NOT a company-wide warning.
Was it truly anonymous? Given that this sort of thing is bound to get leaked, would they have embedded traitor identification in the memo? c.f. Yuval's "How to swindle Rabin", all they have to do is pick ten to fifteen independent innocuous ways to edit the memo - thesaurus some words, add or remove commas, etc. - and then send a unique permutation to each employee.
If they embed the same code number with two or three different sets of ten to fifteen modifications they can detect, if not work around, collaboration.
Now they'd have to be pretty paranoid to do this as a matter of course, but after a few leaks they might get wise and try something.
English: I would like to go to bed.
Finnish: Heijo ältaspainen innihoppinen jo hervepoika ekkereppe nellokreier louminainen o sååå ne eijospeijo Baisikorpen! Ihodeijo blåvalen sei kareelien i huvet.
I'm sorry, you must be confused with The New HP!
What AT&T saw was potential embarassment. IE, having it shown, publically, how bad their security is.... If I tried a social engineering tricks a week ago, how far would I have gotten? If I did it in 6 months, how far would I go?
AT&T just wanted to warn everyone to not cause embarassment to them THIS PARTICULAR weekend.
If you want security, what AT&T should do is hire these guys and have them try to social engineer themselves in at least once a month on a random day. Keep them on guard EVERY day, not just 2 days a year.
... is that the memo was written by someone from H2K2, with a faked from address, sent to an already-hacked list of AT&T staff email addresses, and 1-800-822-9009 is switched through to a phone on centre stage at the conference. Why call them when you can make them call you?
- Chuq
I am Count Cuntula. I want to eat your cunt! Ahahahhaha!
Last year my company sent out a similar email when they provided the bandwidth for a hacker convention in Las Vegas.
Except the email had a slightly different tone, more like: We don't know which genius decided to sell bandwidth to these people, but now that it's done, be careful as they have a history of having cracking contests...
Don't think we had any trouble though.
Ender-
Nothing to see here
I don't remember if it was AT&T specifically, but it may have been. At H2K in 2000, a memo similar to this actually prompted the social engineering call - which was actually made to the security people... They did indeed to see to be inclined to believe that they were speaking to an actual employee of the company, as they were asked to explain this memo the "employee" just received.
The entire conversation was hillarious as it gave a glimpse into the security office's view of hackers, live, to a roomful of 400-500 or so of them.
It appears Ockham lost his razor and grew a beard.
"Yes, God?"
"Stop playing with yourself."
"It is God!"
(It's been years-- but I'll bet that's more accurate than the quote on IMDb.)
Back in the dark ages, the US military had lots of readily hackable phone systems, though much of the security depended on operators (on bases with equipment too antique for direct in/out dial) and on unauthorized people having trouble getting the 16-button TouchTone AUTOVON phones (which could request different levels of call priority.) One of my buddies who'd worked Air Force telephony before working for AT&T had stories about some guy in the base hacking his way up to Looking Glass, the nuclear command post airplane.
Go to h2k.net and listen to the social engineering panel from the last convention. They read this exact same notice, although this version has obviously been modified a tiny bit by the troll that submitted it, and called that exact same number.
Maybe instead of calling it "being social engineered", they should call it "being trolled".
me
a 6' tall blonde walks up to them and offers them sex for an id and passwd...
What the memo SHOULD say is that all id's and passwords have been changed to:
ID: noskilz
PW: n05K!lZ
and just allow 'dummy' info out there...
and then put a little honeypot out for the little script bitches to use...
--Huck
"Just Smile and Nod." --Huck
Since T seems to be on the ball, and ready for this one, perhaps the fine folks at the confrence will switch to plan B and hassle tech support at the the much hated Verizon.
Just a thought.
Good thing one of the panels at today's conference was circumventing Caller ID; simply either use the callid perl script (address anyone? I've forgotten it) or orange box, another (albiet shareware) program to do the same. Or, as pointed out by the second caller, simply call a more gullible phone provider, claim to be a person testing the lines, and make yourself redirected to AT&T =) They'll never know where you hit 'em from.
The dream reveals the reality which conception lags behind. That is the horror of life- the terror of art. -Franz Kafka
Seems that Jerry Falwell was foaming at the mouth on his TV program about gays one day and a gentleman in San Francisco used his old C-64 and an automated dialer to start calling the number for contributions .... repeatedly
The gentleman also passed the word to his friends and IF the story is true.. caused so much chaos that Falwell dropped the 800 number after he got the bill..
This may be an urban rumor, but it's quite plausable unlike most...
Close, but actually in Finnish that would be:
"Haluaisin mennä sänkyyn" (literal translation)
"Haluaisin mennä nukkumaan" (I would like to go to sleep)
"Taidanpa mennä nukkumaan" (I think I'll go to sleep)
What was the horrible prank that H2K2 decided to unleash upon the US telecommunications networks? Did you see the major news networks talking about how nationwide long distance was shutdown from the Hotel Pennsylvania?
No. H2K2ers did not "attack" phone companies anymore than Kevin Mitnick broke into Norad. But KM did rot in jail for four years for minor offenses. On the other hand, Oliver North, a known drug trafficker, hasn't served a day in jail. Why? Because the American public (including the American
People who try to do independent research of systems or try to find vulnerabilities in our national infrastructures are being branded as criminals, by the "powers-that-be", the centrally controlled US media. Well, it won't be too long before
BTW, you guys missed an awesome demonstration of the limitations of caller id. The feared "attack" was a live demonstration of them returning a false phone number identification. I could repeat the technical details here, but that would be aiding you
Think about it.
There is no America. There is no democracy. There is only IBM and AT&T and DuPont, Dow, General Electric, and Exxon
"The site, which went online in 1995, had never before been hacked, Anderson said.
"The newspaper is investigating but has no clues to who might have done it, he added."
Wow! What a mystery! I wonder who could possible have done it? Aren't all the hackers listening to lectures right now?
Taking stuff apart since 1969 (TM)
Yes, Emmanuel had to call att, however their long distance service had been cut earlier that day and could not get through to the att security # without using a calling card. When he finally got through he was pretty well deflected, the operator figured it out (could have been the laughing in the background). He then proceded to call starbucks and social engineer a credit card # and expiration date in front a full room of hackers- amazing. Then called the Russian tearoom and changed someones dinner reservation, the restaurant even gave Emmanuel the customers phone #, so he called them claiming to be the restaurant and said they had to move their reservation by a half hour do to a health inspection. It's not so scary that he got away with it, it's scary that it's so easy.
How long before a phreak taps into the local phone trunk, reroutes the 800 number, and collects a pretty fistful of HRIDs and whatnot?
Safe to say, it's already happened...
*** *** You're just jealous 'cause the voices talk to me... ***