AT&T Concerned About H2K2
****************************************************************
AT&T Network Fraud Advisory
July 11, 2002
****************************************************************
Possible Hacker Social Engineering Attempts
Friday, July 12 - Sunday, July 14, 2002
===================================================
Caution:
------------
Be careful about giving information to anyone you don't know and those
making unusual information requests by claiming to be an AT&T employee or
customer.
The H2K2 (Hackers on Planet Earth 2002) Hacker Conference will take place
this weekend, Friday, July 12 to Sunday, July 14, 2001, [ed. note: 2001?] in New York
City. This conference will be a gathering of over five thousand computer
hackers, guest speakers, and computer enthusiasts. http://www.h2k2.net
In 1994, 1997 and 2000 at the previous Hope (Hackers on Planet Earth)
Conferences, live demonstrations of "social engineering" techniques were
performed in front of thousands of hackers and other attendees. The hacker
panel dialed live into AT&T offices and centers and demonstrated how to
get proprietary information by pretending to be an AT&T employee and
customer. These calls were recorded and videotaped by the hackers and are
sold as instructional material at future hacker conferences. There is a
very high likelihood that AT&T will be a target again this weekend.
The social engineering contest is scheduled for Sunday July 14th, at 4
P.M. ET, (1 PM PT). During this period hackers may be dialing into AT&T
to get information.
AT&T Network Security would like to warn our employees to be on guard this
entire weekend for any unknown person calling and claiming to be an AT&T
employee to request proprietary information or claiming to be an AT&T
customer with unusual requests.
Remember, if anyone who is unknown to you calls for proprietary
information or makes unusual requests, please follow your procedure by
requesting additional information to ensure the person is who they say
they are before giving out any information.
If the person is claiming to be an AT&T employee, please request name,
callback and HRID #. Then verify through POST or the email global address
list if the information is correct and even request to call the employee
back at their contact number.
If the person is claiming to be an AT&T customer, verify this by requesting
additional info on their account like address and SS# and even request to
call the person back at their contact number listed on the account.
Please be on guard for any unusual requests. Verify the person is an AT&T
employee or a legitimate customer and that they have a need to know the
information they are asking for. If you can't verify employment or number,
don't give out the information. If you are still in doubt regarding the
legitimacy of the caller, then speak to a supervisor regarding the
situation before proceeding further and inform the caller you will call
them back. If you still have questions you can call the Security Hotline
1-800-822-9009.
Remember you do not want to be the lucky guest of honor on a telephone
call from the hacker conference this weekend with thousands of hackers
listening to you and attempting to scam AT&T out of proprietary
information. Please be on guard.
- - - - - - - - - - - - - - - - - - - - - - - - -
Source: AT&T Network Security
*******************************************************************
I get the feeling the operators at (800) 822-9009 are about to be slashdotted themselves... Can AT&T take 1/2 mil simultaneous calls to their security hotline? hehe
Serious? Seriousness is well above my pay grade.
almost as funny as the story run by FOXNEWS.com saying "al Qaeda operatives have infiltrated WorldCom" (last two paragraphs on the page)... seems they didn't read the whole story at foxnews.com... it was a joke commentary by Arnaud de Borchgrave
the story outlining foxnews' erroneous reporting is here (Item #4).
Thanks to file sharing, I purchase more CDs
Thanks to the RIAA, I buy them used...
"I can't give you a brain, so I'll give you a diploma" - The Great Oz (blatantly stolen sig)
just don't call them mid-July. Any other time they will obviously be happy to answer your questions without checking that you are authorised to receive that information :)
Dear Employees:
The previous memo failed to mention another warning sign of hacker social engineering attempts. If you hear the song "Halcyon-On and On" by the music group Orbital, hang up the telephone immediately. We will be holding information sessions at all regional offices for telephone support personnel, where you will be trained to recognize this music within several seconds. DO NOT confuse this warning sign with the last five minutes of Mortal Kombat! It is better to be safe than sorry. Thank you for your cooperation, and stay Hacker-Free(tm) during this period of "l337n355".
...
I think it is an example of an earthling technique known as 'humour'
At my employer's firm, we have perfected the art of repelling those out to gain information by a 2-pronged approach. We run the callers through a maze of automated phone forwarding recordings to (eventually) a person who has no clue about anything.
I suppose, but what I see in this case is more an attempt to point at a huge hole in these systems and say "Hey, fix it, you morons." Locking up people who do it isn't going to fix the problem. They are only trying to point out a problem with how information is given out. Obviously, someone could easily do this with more malicious intent.
What?
If we're forced to follow basic security procedures, it means the hackers have already won.
Best Windows Freeware
The Set Decoration Is Not Amused.
How can we be sure this is really what it appears and that it is not slashdot that has been socially engineered?
Soon we'll have people saying... "Damn Skr1p7 K1dd13z with assault rifles and bullet proof vests came into my house today and seized all my computer equipment, along with any other electric device (phone, paper shredder, refrigerator, disposal) for evidence."
hehe
A script kiddie has NOTHING to do with social engineering! Learn a new buzzword.
--DarkFrog
If the dead rise again, we're going to have some serious population control issues.
Resume your normal, insecure procedures on Monday morning. There's no point in going overboard with this security hoopla.
I have discovered a truly marvelous sig, unfortunately the sig limit is too small to contain i
This information shouldn't be considered secret; after all it's not terribly hard to find out what AT&T will ask if you call up pretending to be an employee or customer: just call up, pretending to be an employee or customer and see what they ask you. If they've designed their procedures sensibly, you still shouldn't be able to spoof them.
Of course, the really great hack would be to call up Kevin Mitnick pretending to be an officer of the court, and get the information from him.
> The Set Decoration Is Not Amused.
make g00gly eyes at prop
>The Set Decoration is becoming agitated
moon props>The Set Decoration attacks! It hits! it Hits!
Run away
>The Set Decoration attacks! It hits!
>You have died. Your score is 3 out of a possible 666. Play again? (y/n)
"We returned the General to El Salvador, or maybe Guatemala, it's difficult to tell from 10,000 feet"
Not quite true. Here's what it says on the paper that comes with a brand shiny new SS Card:
...
...
YOUR SOCIAL SECURITY CARD
The Social Security number shown on your card is yours alone. Record your number in a safe place in case your card is lost or stolen. Protect both your card and your number to prevent their misuse.
Some private organizations use Social Security numbers for record keeping purposes. Such use is neither required nor prohibited by Federal law. The use of your Social Security number by such an organization for its own records is a private matter between you and the organization. Private organizations cannot get information from your Social Security record just because they know your number.
Any Federal, State, or local government agency that asks for your number must tell you: whether giving it is mandatory or voluntary, its authority for requesting the number, and how the number will be used.
Emphasis mine.
"If he thinks he can hide and run from the United States and our allies, he's sorely mistaken." Bush on bin Laden
A much simpler method would be to run a fake "Free hot phone sex" post on a few USENET groups with the 800 number attached.
Several years ago I had a user do that for Citibank's multilingual customer service center. Their corporate security was not pleased to say the least.