Slashdot Mirror


AT&T Concerned About H2K2

An anonymous submitter forwards this possibly-authentic note about today's H2K2 conference. If you're in the New York area and you love computers and nice hotels, come on down. Anonymous writes "So I get into work, and what do I find in my mailbox? Why, nothing less than a warning cautioning me to be very careful talking to people from July 12 to July 14. (Not me specifically, you understand, it went out all over). Full text follows."

****************************************************************
AT&T Network Fraud Advisory
July 11, 2002
****************************************************************
Possible Hacker Social Engineering Attempts
Friday July 12 - Sunday July 14, 2002
===================================================
Caution:
------------
Be careful about giving information to anyone you don't know and those making unusual information requests by claiming to be an AT&T employee or customer. The H2K2 (Hackers on Planet Earth 2002) Hacker Conference will take place this weekend, Friday, July 12 to Sunday, July 14, 2001, [ed. note: 2001?] in New York City. This conference will be a gathering of over five thousand computer hackers, guest speakers, and computer enthusiasts. http://www.h2k2.net

In 1994, 1997 and 2000 at the previous Hope (Hackers on Planet Earth) Conferences, live demonstrations of "social engineering" techniques were performed in front of thousands of hackers and other attendees. The hacker panel dialed live into AT&T offices and centers and demonstrated how to get proprietary information by pretending to be an AT&T employee and customer. These calls were recorded and videotaped by the hackers and are sold as instructional material at future hacker conferences. There is a very high likelihood that AT&T will be a target again this weekend. The social engineering contest is scheduled for Sunday July 14th, at 4 P.M. ET (1 PM PT). During this period hackers may be dialing into AT&T to get information.

AT&T Network Security would like to warn our employees to be on guard this entire weekend for any unknown person calling and claiming to be an AT&T employee to request proprietary information or claiming to be an AT&T customer with unusual requests. Remember, if anyone who is unknown to you calls for proprietary information or makes unusual requests, please follow your procedure by requesting additional information to ensure the person is who they say they are before giving out any information. If the person is claiming to be an AT&T employee, please request name, callback and HRID #. Then verify through POST or the email global address list that the information is correct and even request to call the employee back at their contact number.

If the person is claiming to be an AT&T customer, verify this by requesting additional info on their account like address and SS# and even request to call the person back at their contact number listed on the account. Please be on guard for any unusual requests. Verify the person is an AT&T employee or a legitimate customer and that they have a need to know the information they are asking for. If you can't verify employment or number, don't give out the information. If you are still in doubt regarding the legitimacy of the caller, then speak to a supervisor regarding the situation before proceeding further and inform the caller you will call them back. If you still have questions you can call the Security Hotline 1-800-822-9009. Remember, you do not want to be the lucky guest of honor on a telephone call from the hacker conference this weekend, with thousands of hackers listening to you and attempting to scam AT&T out of proprietary information. Please be on guard.
- - - - - - - - - - - - - - - - - - - - - - - - -
Source: AT&T Network Security
*******************************************************************

13 of 362 comments

  1. Paranoia by LeiraHoward · · Score: 2, Interesting
    Just watch: after a note like that, I'll bet someone at the hacker conference takes that as a challenge, and some dumb worker forgets/disregards this warning, and gets made "guest of honor" at their conference, anyway.

    I just hope that whatever information they're looking at, it won't be mine.

    On another note, if this hacker convention is so well publicized, why aren't there hordes of policemen preparing to descend upon the unsuspecting hackers? Especially with all the cracking down that the FBI/police force have been doing lately on people who uncap their cable modems, or share wifi connections....

  2. Should they also by af_robot · · Score: 2, Interesting

    call for FBI agents to guard their garbage bins?!
    Those hackers can also use "garbage engineering" techniques to get proprietary information.

  3. Videotaped! by MavEtJu · · Score: 3, Interesting
    These calls were recorded and videotaped by the hackers and are sold as instructional material at future hacker conferences.

    Now that gives an interesting movie, seeing a hacker calling an AT&T employee... You'll have more fun listening to Brain Damage:
    "Brain Damage" was a two hour call-in show hosted by Emmanuel (using the name Eric Corley) which aired from 1988 to 1995. The show covered all kinds of serious topics as well as non-serious ones. Favorite regular features included Confuse The Operator, highlights from Radio Moscow, and a reading of the lunch menu by the university lunch lady. Callers contributed their over-the-phone songs, stories of their lives, and features such as the "Math Teacher Spy." There were fewer and fewer shows in the later years until it finally came to an end on January 29, 1995.
    Public Radio rules! :-)
    --
    bash$ :(){ :|:&};:
  4. Security Hotline by Anonymous Coward · · Score: 3, Interesting

    I also work for AT&T, but I have not seen this memo (I'm in NJ. Maybe it only went to NY people? Maybe only to sales people? Maybe I'm not good enough?).

    But I did some hunting and found this in a recent newsletter. Seems outside people are _supposed_ to call that number (which looks like it is out of my building based on the exchange of the phone #)....

    SECURING CRITICAL INFORMATION: AT&T is classified as a critical infrastructure company, servicing the communications needs of the government, including its armed forces around the world. Because of this relationship, and current world events, employees may receive inquiries concerning AT&T's network infrastructure security. While most requests are legitimate, some may not be. It's critical to the security of our country, as well as to our business, that these questions be answered factually, and information provided only to legitimate requestors. For these reasons, employees who receive inquiries from a local, state or federal government agency, anyone claiming to represent the media, or any concerned citizen, should refer those agencies or individuals to the AT&T Corporate Security 24x7 hotline at 1-800-822-9009 (within U.S.) or 908-658-0380 (outside U.S.). Corporate Security will ensure inquiries are verified and appropriate responses provided.

  5. Re:Hah by Florian+Weimer · · Score: 2, Interesting

    I'm not really comfortable with Slashdot publishing phone numbers at all. Whose is next? Yours? Mine?

    Disrupting web sites by posting links is one thing, but posting internal phone numbers which are used to deal with critical problems is really, really bad.

  6. att # by Basil+Ganglia · · Score: 2, Interesting

    I wonder if there has ever been an instance of an 800 number being slashdotted?

    --
    Basil
  7. Re:Some security! by elandal · · Score: 3, Interesting
    How often have you called somewhere and to make sure you are you, they read your address to you and ask if it is correct?
    Not often. Usually they ask for my name, date of birth, and address. Not AT&T (I'm not their customer), but other companies. Except that phone companies love obscure numbers ("It's Your phone line installation service code, in the right-upper corner of Your phone service contract" or whatever - anyway not the customer ID or alike) that I can't remember, and to get it I first need to dive into a pile of papers.

    Just a couple of days ago I received a call regarding a fax I had sent, and I was asked the usual basic information and whether I had sent the fax, and if I could verify the request I made by stating it (shortly) now on the phone. After I stated my request on the phone, it was OK'd, and later that day I had a confirmation fax on my table.

    I think that was pretty good. Of course, my request was somewhat unusual, so it might have triggered a "use the strong procedure" attitude.
  8. Re:It's ironic by shren · · Score: 4, Interesting

    Why should it take a hacker conference to get AT&T to put out such a warning?

    There have been warnings about more general con-men around for years - even some of their tricks are well known. There's always the classic movie, "The Sting". Many social engineering tricks rely on pressure and tricking the target when they're not really paying attention (conning register boys out of a five by doing an 'I need change' shell game) or using pressure tactics to force a bad decision.

    Sometimes these warnings play right into the con men's hands! Pickpockets *love* signs that say "beware of the pickpocket", because everybody pats their wallet to make sure it's still there. "Thanks for letting me know exactly where your wallet is, target.", thinks the pickpocket. A block away the target isn't thinking about pickpockets anymore - two blocks away and his wallet's gone.

    Like, without this memo, maybe even with it, if you hacked the switchboard to the phone center and made it so 10 hackers could all call the same desk clerk at the same time, it would be easy to pull something on him. (If you know when the phones are undermanned or can dial directly to an extension, you don't even need to hack the switch.)

    Have the other 9 callers put pressure on him with mundane but slightly time consuming requests. Almost everybody who works a phone these days has a lot of pressure on them to resolve each call quickly. When he's got half of the 9 on hold and is trying to get what they want, have the 10th call and play "I'm a manager and I need to know (trivial piece of information that's actually valuable to a hacker) now!" Time's ticking on the held calls. If he leaves them on hold it will show up on a report to his manager. If he doesn't help this guy he'll have another manager angry at him for different reasons.

    And the 10th calling 'manager' isn't going to refuse any requests for information. No, of course not. He's just going to say, "I've got that info in my wallet - no not there, maybe in my briefcase, I'm looking.", thus stalling until the target phone rep folds like a cardboard box. He breaks policy in an attempt to make everybody happy. But, hey, at least the hackers are happy. *grin*

    Thinking about what's going on "Why are there 10 calls to my desk???" is near-proof against con men. They have a thousand tricks to keep you from having time to think.

    --
    Maybe the state's highest function is to grind out insoluble problems. (Zelazny, Hall of Mirrors)
  9. It's Bayesian by GlobalEcho · · Score: 3, Interesting

    Actually, it makes good statistical/economic sense to concentrate caution on periods of higher risk.

    Let's say that AT&T has two modes: careful (C) and reckless (R). Now clearly it costs more in terms of employee time to be careful than reckless. (Say it costs C=$10 and R=$1 respectively.) Assume Careful catches a proportion q_c of social engineering attempts while Reckless lets a proportion q_r succeed.

    Now assume that at a given time there is probability p that someone on the line is trying to social engineer them. Assume also the costs of being hacked (in embarrassment or whatever) are uncorrelated, and average $H. Assume the benefits of a legit phone call are $B.

    We can now compute the payoff from being careful versus reckless.

    V_C = B (1-p) - H p q_c - C

    V_R = B (1-p) - H p q_r - R

    It's clearly quite possible for either V_C or V_R to be larger depending on the coefficients.

    If you could make a function giving q as a function of cost, you could solve for V=0. This would tell you exactly how careful to be, given a particular present level of riskiness p.
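As an added worked example (not part of GlobalEcho's comment), the payoff model above with the break-even attack probability solved out, so you can see at what p the careful mode starts paying for itself. It reads q_c and q_r both as the fraction of attempts that get through in each mode, which is how the two payoff formulas actually use them; the H, B and q figures are assumed, only C=$10 and R=$1 come from the comment.

```python
# Added example, not from the original post: the V_C / V_R payoff model
# with the break-even attack probability p* solved out.
# Assumption: q_c and q_r are both the fraction of social engineering
# attempts that succeed under the Careful and Reckless modes.
from dataclasses import dataclass


@dataclass(frozen=True)
class Mode:
    name: str
    cost: float  # per-call handling cost (C or R in the post)
    q: float     # fraction of attacks that get through in this mode


def payoff(mode: Mode, p: float, B: float, H: float) -> float:
    """V = B(1-p) - H p q - cost, exactly as written in the post."""
    return B * (1 - p) - H * p * mode.q - mode.cost


def break_even_p(careful: Mode, reckless: Mode, H: float) -> float:
    """Attack probability p* at which V_C == V_R.

    V_C - V_R = H p (q_r - q_c) - (C - R); setting that to zero gives
    p* = (C - R) / (H (q_r - q_c)). B cancels, so the legit-call benefit
    never affects the choice. Above p*, being careful pays.
    """
    if reckless.q <= careful.q:
        raise ValueError("careful mode must let fewer attacks through")
    return (careful.cost - reckless.cost) / (H * (reckless.q - careful.q))


def best_mode(careful: Mode, reckless: Mode, p: float, B: float, H: float) -> Mode:
    """Pick the mode with the higher payoff at attack probability p."""
    return careful if payoff(careful, p, B, H) >= payoff(reckless, p, B, H) else reckless


# Constructed figures: C=$10 and R=$1 from the post; H, B and q are assumed.
CAREFUL = Mode("careful", cost=10.0, q=0.10)
RECKLESS = Mode("reckless", cost=1.0, q=0.90)
H_BREACH = 1000.0  # assumed average cost of one successful attempt
B_LEGIT = 5.0      # assumed benefit of one legitimate call

if __name__ == "__main__":
    p_star = break_even_p(CAREFUL, RECKLESS, H_BREACH)
    print(f"break-even p* = {p_star:.5f}")
    # quiet day, the threshold itself, and a conference weekend
    for p in (0.001, p_star, 0.05):
        print(f"p={p:.5f}: {best_mode(CAREFUL, RECKLESS, p, B_LEGIT, H_BREACH).name}")
```

With these figures p* is about 0.011, so a quiet day favours the cheap mode and a weekend where 5% of callers are attackers favours the careful one, which is the memo's "be on guard this weekend" in numbers.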

  10. Microsoft's Security Hotline by schmaltz · · Score: 3, Interesting
    The all-knowing Google found a number for "Microsoft Product Support Services Hotline-Virus-related product support"
    1-866-PC-SAFETY (866-727-2383)
    http://www.microsoft.com/usa/government/security.asp

    A call to this number rang about twenty times, then was picked up by a voicebot: "Your party is not picking up. Your call will now be disconnected."
    --
    Big Daddy, Johnny, Burp, Aunt Zelda, Scott, Slurp, Big Momma ... where's Siggy?
  11. Blocked at AT&T by Anonymous Coward · · Score: 1, Interesting

    AT&T has blocked access to the H2K2 website for all employees through Smartfilter.

  12. AT&T Security by kmellis · · Score: 5, Interesting
    This reminds me that back in the day, AT&T Security was supposedly a bunch of bmf's.

    In about 1980, when I was in high school, I discovered an unused phone extension line in my bedroom closet and started experimenting with it. I quickly figured out the basics and built a little homemade phone. Later, I got the idea of using a thirty-foot spool of wire and a couple of alligator clips to quickly tap into someone's line outside of their house to steal long distance phone calls from the safety of my car. This is really trivial stuff, I know, but I thought I was clever.

    But not clever enough. I called my cousin long-distance by connecting to what turned out to be the phone line of a little old lady who'd never made a long-distance phone call in her life. Her church was helping her pay her bills and noticed the phone call immediately. They called AT&T, and AT&T merely checked to see who else in my small New Mexico town had ever called that California number. Then they called my mom.

    Once AT&T security found out that I hadn't actually done anything sophisticated or interesting, they just made my parents pay for the call and dropped the matter.

    None of this, of course, shows that AT&T security was especially astute. But a few years later I was working as a radio disc-jockey, and I told this story to the station's chief broadcast engineer. He told me that he had worked for AT&T and that AT&T Security were among the best private security experts in the world. In his words: "Don't fuck with AT&T Security". That made an impression on me.

    Later on, when I first read about the phone phreaking era, I felt lucky that a) I wasn't ingenious enough to get myself in any real trouble, and b) I didn't know anyone who was.

  13. Phone DDoS by Catskul · · Score: 2, Interesting


    I had an idea like this when I was younger. Write a worm that spreads to and sits on all computers with a dial up connection. At a particular time, the computers would activate, and if the worm detected that the user was away from the computer, it would dial up some number DDoSing some poor person or company....

    It would create a mess because while many internet sites are aware of DDoS... the phone system is more vulnerable. If there were enough hosts you could shut down a whole exchange area, or cell area. The possibilities are scary.

    --

    I'm not here now... I'm out KILLING pepperoni