Slashdot Mirror


AT&T Concerned About H2K2

An anonymous submitter forwards this possibly-authentic note about today's H2K2 conference. If you're in the New York area and you love computers and nice hotels, come on down. Anonymous writes "So I get into work, and what do I find in my mailbox? Why, nothing less than a warning cautioning me to be very careful talking to people from July 12 to July 14. (Not me specifically, you understand, it went out all over). Full text follows."

****************************************************************
AT&T Network Fraud Advisory
July 11, 2002
****************************************************************
Possible Hacker Social Engineering Attempts
Friday July 12 - Sunday July 14, 2002
===================================================
Caution:
------------
Be careful about giving information to anyone you don't know and to those making unusual information requests while claiming to be an AT&T employee or customer. The H2K2 (Hackers on Planet Earth 2002) Hacker Conference will take place this weekend, Friday, July 12 to Sunday, July 14, 2001, [ed. note: 2001?] in New York City. This conference will be a gathering of over five thousand computer hackers, guest speakers, and computer enthusiasts. http://www.h2k2.net

In 1994, 1997 and 2000, at the previous Hope (Hackers on Planet Earth) Conferences, live demonstrations of "social engineering" techniques were performed in front of thousands of hackers and other attendees. The hacker panel dialed live into AT&T offices and centers and demonstrated how to get proprietary information by pretending to be an AT&T employee and customer. These calls were recorded and videotaped by the hackers and are sold as instructional material at future hacker conferences. There is a very high likelihood that AT&T will be a target again this weekend. The social engineering contest is scheduled for Sunday, July 14th, at 4 P.M. ET (1 P.M. PT). During this period hackers may be dialing into AT&T to get information.

AT&T Network Security would like to warn our employees to be on guard this entire weekend for any unknown person calling and claiming to be an AT&T employee to request proprietary information, or claiming to be an AT&T customer with unusual requests. Remember, if anyone who is unknown to you calls for proprietary information or makes unusual requests, please follow your procedure by requesting additional information to ensure the person is who they say they are before giving out any information. If the person is claiming to be an AT&T employee, please request name, callback number and HRID #. Then verify through POST or the email global address list that the information is correct, and even request to call the employee back at their contact number.

If the person is claiming to be an AT&T customer, verify this by requesting additional info on their account, like address and SS#, and even request to call the person back at the contact number listed on their account. Please be on guard for any unusual requests. Verify that the person is an AT&T employee or a legitimate customer and that they have a need to know the information they are asking for. If you can't verify employment or number, don't give out the information. If you are still in doubt regarding the legitimacy of the caller, then speak to a supervisor regarding the situation before proceeding further, and inform the caller you will call them back. If you still have questions you can call the Security Hotline 1-800-822-9009. Remember, you do not want to be the lucky guest of honor on a telephone call from the hacker conference this weekend, with thousands of hackers listening to you and attempting to scam AT&T out of proprietary information. Please be on guard.
- - - - - - - - - - - - - - - - - - - - - - - - -
Source: AT&T Network Security
*******************************************************************
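The verification procedure the advisory asks reps to follow (name, HRID, callback number, directory lookup, need-to-know, call back, escalate when in doubt) is the part of the memo that actually defeats the contest callers, and the one detail it leaves vague is which number gets called back. The following is an added example, not code from AT&T or from the original post, that models the employee branch of that procedure as a decision function. The directory, HRIDs, phone numbers and information classes are constructed stand-ins for POST and the global address list, and the rule that the callback goes to the number of record rather than the number the caller offers is the example's own design choice, stated here because a caller-supplied callback number is exactly what a social engineer controls.

```python
"""Caller-verification decision logic for the scenario in the advisory above.

Added example. DIRECTORY, NEED_TO_KNOW and every name, HRID and phone number
are constructed sample data standing in for an employee directory (POST /
global address list); none of it is AT&T data or an AT&T procedure.
"""
from dataclasses import dataclass
from typing import Dict, Optional, Set


@dataclass(frozen=True)
class DirectoryEntry:
    name: str
    hrid: str
    phone: str              # number of record: the ONLY number we call back on
    roles: frozenset        # roles that define what this person may need to know


# Constructed directory of record (assumption: HRID is the primary key).
DIRECTORY: Dict[str, DirectoryEntry] = {
    "H1001": DirectoryEntry("Pat Lee", "H1001", "+1-555-0101", frozenset({"billing"})),
    "H1002": DirectoryEntry("Sam Ortiz", "H1002", "+1-555-0102", frozenset({"billing", "network_ops"})),
}

# Constructed mapping from information class to roles with a need to know it.
NEED_TO_KNOW: Dict[str, Set[str]] = {
    "customer_account": {"billing"},
    "switch_config": {"network_ops"},
}


@dataclass(frozen=True)
class Request:
    claimed_name: str
    claimed_hrid: str
    caller_supplied_phone: str   # whatever the caller says; never trusted as a destination
    info_requested: str


@dataclass(frozen=True)
class Decision:
    action: str                        # "callback" | "escalate" | "refuse"
    callback_number: Optional[str] = None
    reason: str = ""


def normalize_name(name: str) -> str:
    return " ".join(name.lower().split())


def normalize_phone(phone: str) -> str:
    # Compare digits only so "+1 (555) 0101" and "+1-555-0101" are the same number.
    return "".join(ch for ch in phone if ch.isdigit())


def evaluate(req: Request, directory: Dict[str, DirectoryEntry] = DIRECTORY) -> Decision:
    """Decide what the rep does. Information is never released on the inbound call."""
    entry = directory.get(req.claimed_hrid)
    if entry is None:
        return Decision("refuse", reason="HRID not found in directory")
    if normalize_name(entry.name) != normalize_name(req.claimed_name):
        return Decision("refuse", reason="name does not match the HRID of record")
    if req.info_requested not in NEED_TO_KNOW:
        return Decision("escalate", reason="unclassified request; ask a supervisor first")
    if not entry.roles & NEED_TO_KNOW[req.info_requested]:
        return Decision("refuse", reason="identity plausible but no need to know")
    # Identity and need to know check out. The release still happens only after a
    # callback, and only to the number of record. A caller who offers a different
    # callback number has told us something: escalate rather than just proceed.
    if normalize_phone(req.caller_supplied_phone) != normalize_phone(entry.phone):
        return Decision("escalate", callback_number=entry.phone,
                        reason="caller-supplied callback number differs from number of record")
    return Decision("callback", callback_number=entry.phone,
                    reason="verified against directory; release only after callback")


if __name__ == "__main__":
    # Constructed calls: a real employee, and the classic contest call that uses a
    # real name and HRID (easily harvested) but the caller's own phone line.
    for req in (
        Request("Pat Lee", "H1001", "+1 (555) 0101", "customer_account"),
        Request("Pat Lee", "H1001", "+1-555-0199", "customer_account"),
        Request("Pat Lee", "H1001", "+1-555-0101", "switch_config"),
        Request("Chris Doe", "H9999", "+1-555-0150", "customer_account"),
    ):
        d = evaluate(req)
        print(f"{req.claimed_name:10} {req.claimed_hrid}: {d.action:8} -> {d.callback_number} ({d.reason})")
```

The point the contest calls exploit is that a name and an employee ID are cheap to collect, while a phone number in the directory of record is not under the caller's control; so the function treats the caller-supplied number purely as a signal to compare against, and the callback destination always comes from the directory.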

25 of 362 comments

  1. So? by Sc00ter · · Score: 4, Insightful
    Given the type of people that go to H2K2 this seems like a good idea. Just trying to get people that might not have a clue a heads up as to what's going on. Sure, not EVERYBODY at H2K2 does these type of activities, but there will be a large number of Skr1p7 K1dd13z out there that will, and people should be prepared.

    1. Re:So? by An+IPv6+obsessed+guy · · Score: 4, Insightful

      I agree that this is a prudent move. Really, though, don't you think folks should be on guard for this type of thing, say, always?

    2. Re:So? by Anonymous+Brave+Guy · · Score: 3, Insightful
      Actually this type of activity is used daily all over the world to obtain information which is later used to break into systems, by true hackers.

      True hackers write good code for fun or profit. If you're going to be pedantic, the term you're looking for is "cracker".

      --
      If you disagree, post your argument. (-1, Overrated) isn't your personal censorship tool for views you don't like.
    3. Re:So? by Mtgman · · Score: 4, Insightful
      A script kiddie has NOTHING to do with social engineering! Learn a new buzzword.
      I disagree. If you read the memo you'd have seen that the point of these seminars is to produce material that, for lack of a better word, can be used to train people to execute social engineering attacks. A HOWTO of sorts. I can easily make the comparison between such a group of published materials and a rootkit. In both cases the "1337" hacker is just following a script.

      Luckily, with humans on both sides there is much more chance for a screwup or someone being caught.

      So I think the script kiddies analogy is accurate, in both cases it's someone who would not have been able to design these attacks themselves using how-to kits to compromise systems. In this case they're carbon-based, not silicon-based, but the analogy is sound.

      Steven
      --
      -- I have marked myself unwilling to moderate-- I don't have other accounts to artificially inflate the karma of
  2. Hah by iONiUM · · Score: 5, Insightful

    If you still have questions you can call the Security Hotline 1-800-822-9009.
    Can't the hackers who read slashdot (probably most of them) just call this number instead now?

    Furthermore, why doesn't Microsoft have a security hotline?

    1. Re:Hah by douglas+jeffries · · Score: 2, Insightful

      Can't the hackers who read slashdot (probably most of them) just call this number instead now?

      i'd hope their "Security Hotline" would know better than to hand out information to anyone who happens to call. but you never know...

    2. Re:Hah by espo812 · · Score: 2, Insightful
      Yeah, but uhhh why exactly would they want to?
      Because social engineering the security hotline is a much better hack than just social engineering the front desk?
      --

      espo
  3. Some security! by PaperTie · · Score: 3, Insightful

    They have to take special precautions since there's some conference? What about the rest of the year?

    1. Re:Some security! by DNS-and-BIND · · Score: 2, Insightful
      Who the hell cares about AT&T nowadays anyway? Maybe back in the day, but in 2002? This "advisory" is just some guy they hired who used to go to cons, and he's trying to justify his job by issuing spurious bulletins. I'd like to see some of the other crap the AT&T security mandarins put out...probably just as worthless as this one.

      Also, interesting how AT&T apparently requires a SSN to be a customer...the only people who need an SSN are the federal government and your employer.

      --
      Shutting down free speech with violence isn't fighting fascism. It IS fascism!
    2. Re:Some security! by theBraindonor · · Score: 2, Insightful

      Precautions? Ha!

      How long has the industry known that the easiest way to hack most networks is through social engineering?

      Despite warnings from everyone--from government to researchers--social engineering continues to work.

      Posting a warning to employees will at most protect the company from the unpracticed social engineering tricks. Social engineering is nothing more than the practiced con-job that has been around since one caveman had something another caveman wanted.

  4. What a great fuss about nothing by gowen · · Score: 5, Insightful

    I regularly get emails saying "A person has been seen acting suspiciously on campus, and ran away when challenged. There has been a spate of robberies, be extra vigilant," and nothing is made about it. It doesn't mean we're not to be vigilant the rest of the time, just a timely and worthwhile heads up.

    What makes this different except the criminals involved are 'l33t and say stuff like "Mad propz".

    --
    Athletic Scholarships to universities make as much sense as academic scholarships to sports teams.
    1. Re:What a great fuss about nothing by gowen · · Score: 2, Insightful
      What makes them criminals? Did I miss something?
      Obtaining confidential information by deception is usually a criminal act, yes.
      --
      Athletic Scholarships to universities make as much sense as academic scholarships to sports teams.
  5. Ahh, PR security by Omnifarious · · Score: 2, Insightful

    Only be secure when the world might be watching, and at all other times be lax. Sounds like a fantastic policy to me.

    1. Re:Ahh, PR security by Peyna · · Score: 3, Insightful

      Yup, it's okay the rest of the time to give out personal information to random people on the phone. I experienced this the other day with the local electric company.

      My sister and I had rented an apartment together a year ago, and there was a problem with how the electric bill was handled when it was shut off. I called up and spoke to the person and then outright asked them to check my sister's records for any correlating information. I gave him her name, and he gave me her address, phone number, and a whole crapload of other information, with no indication that we were actually related other than that we shared the same last name. Granted, she really is my sister, and I already knew the information he told me, I was quite surprised they actually gave that information out to someone other than the account holder.

      --
      What?
    2. Re:Ahh, PR security by jayhawk88 · · Score: 4, Insightful

      Maybe it's my age, but I'm not seeing the paragraph that says "After this is all over please return to our policy of giving out whatever information a caller should ask for". It's just heads-up to their service reps.

    3. Re:Ahh, PR security by CaseyB · · Score: 4, Insightful

      It's a more like telling your guards to be more alert when there's a horde of barbarians camped just outside the city walls. That doesn't imply you expect them to be lax normally.

  6. This is a great panel by Anonymous Coward · · Score: 1, Insightful

    DefCon has this as a contest running through the conference.

    Social Engineering is obviously one of the best ways to garner information. It is obviously a good thing that AT&T is on their toes this weekend, since I am sure some of these people will try.

    I think it is unfortunate that they have to give warnings for this weekend. Instead they should give monthly meetings on who to give what information to.

    Security is not an end product, it is a process. And it needs to be drilled into everyones head, constantly.

    Maybe some of AT&T's employees should attend the conference, learn Social Engineering techniques, and then try to social engineer their own company. Then you could punish people (write them up, whatever) for security breaches.

  7. Hah by acceleriter · · Score: 5, Insightful
    And they thought no one would post that warning which now contains

    - the resolution procedures in case of doubt about a callers identity

    - the "security hotline" phone number.

    Nice going, AT&T.

    --

    CEE5210S The signal SIGHUP was received.

  8. Wow. by mindstrm · · Score: 4, Insightful

    Funny thing is, this probably won't help.

    I know when we tell everyone about a new virus, and yet another reminder not to run things even if they are from someone you know, some otherwise intelligent people still go out and run it, and when you ask, they say "Well I know you warned me, but MY friends would never do something like that"

    So I can see it now "Well I know there was a warning out.. but he SAID it was an emergency"

  9. This is a Good Thing(tm) by bigjocker · · Score: 5, Insightful

    That e-mail proves the meeting has accomplished one of its goals. Thanks to H2K2 AT&T is being more careful with the private info.

    Isn't that what we all want? At least that's the reason why I support those kind of things.

    --
    Life isn't like a box of chocolates. It's more like a jar of jalapenos. What you do today, might burn your ass tomorrow.
  10. It's ironic by BobRoss · · Score: 3, Insightful

    Why should it take a hacker conference to get AT&T to put out such a warning? I would like to think that such policies are already in place, and that employees are trained to minimize the risk of social engineering from the start.

    I guess that's just wishful thinking though...

    1. Re:It's ironic by suwain_2 · · Score: 3, Insightful
      I was under the impression that it was more of a "You already have these procedures, but take extra care this week..." deal, rather than a "Let's teach you basic security fundamentals!" type of thing.

      Sort of like saying "The roads are icing up, drive carefully." -- it's just a heads-up to remember to follow the procedures. Or so I hope...

      --
      ________________________________________________
      suwain_2 :: quality slashdot p
  11. Re:good thing this was posted by anon by dh003i · · Score: 4, Insightful

    The posting of this message was not harmful or malicious to AT&T or its security issues. It's only informative; you could say it may even give customers higher confidence. The person who posted it did nothing that would get him/her fired. If (s)he were fired, (s)he'd have valid grounds to sue.

    Furthermore, the reactions to this haven't been negative. There's nothing wrong with AT&T taking reasonable measures to ensure that private customer information is kept private, and that the general security of their networks is maintained. Indeed, if they did anything else, that would be wrong and irresponsible.

    Speaking as a cyber-libertarian, I can say that cyber-libertarian ideals don't include giving crackers free rein to break into confidential or private information. Indeed, if you allow such, you're destroying liberty, because you lose privacy rights. Cyber-liberties -- as Lessig has said -- can be violated not only by the government, but also by corporations, organizations, and other individuals.

  12. Re:I have mixed feelings... by DeepZenPill · · Score: 2, Insightful

    It's more like you INFERRED AT&T thinks it is acceptable to not follow the procedures the rest of the year.

    To me it had the same purpose as all the Terror alerts the US gov't has given out: "Just a reminder, be especially alert during this period." It is not to say ignore all suspicious activity after this period.

  13. Standard by Anonymous Coward · · Score: 1, Insightful

    This letter is standard boilerplate, with good reason.
    There are workshops on social eng. at these events, and I've personally received calls from the events from participants trying to get into the network.