Slashdot Mirror
AT&T Concerned About H2K2
****************************************************************
AT&T Network Fraud Advisory
July 11, 2002
****************************************************************
Possible Hacker Social Engineering Attempts
Friday July 12 - Sunday July
14, 2002
===================================================
Caution:
------------
Be careful about giving information to anyone you don't know and those
making unusual information requests by claiming to be an AT&T employee or
customer.
The H2K2 (Hackers on Planet Earth 2002) Hacker Conference will take place
this weekend, Friday, July 12 to Sunday to July 14, 2001, [ed. note: 2001?] in New York
City. This conference will be a gathering of over five thousand computer
hackers, guest speakers, and computer enthusiasts. http://www.h2k2.net
In 1994, 1997 and 2000 at the previous Hope (Hackers on Planet Earth)
Conferences, live demonstrations of "social engineering" techniques were
performed in front of thousands of hackers and other attendees. The hacker
panel dialed live into AT&T offices and centers and demonstrated how to
get proprietary information by pretending to be an AT&T employee and
customer. These calls were recorded and videotaped by the hackers and are
sold as instructional material at future hacker conferences. There is a
very high likelihood that AT&T will be a target again this weekend.
The social engineering contest is scheduled for Sunday July 14th, at 4
P.M. ET, (1 PM PT). During this period hackers may be dialing into AT&T
to get information.
AT&T Network Security would like to warn our employees to be on guard this
entire weekend for any unknown person calling and claiming to be an AT&T
employee to request proprietary information or claiming to be an AT&T
customer with unusual requests.
Remember, if anyone, who is unknown to you calls for proprietary
information or make unusual requests, please follow your procedure by
requesting additional information to ensure the person is who they say
they are before giving out any information.
If the person is claiming to be an AT&T employee, please request name,
callback and HRID #. Then verify through POST or the email global address
list if the information is correct and even request to call the employee
back at their contact number.
If the person is claiming to be an AT&T customer verify this by requesting
additional info on their account like address and SS# and even request to
call the person back at their contact number listed on the account.
Please be on guard for any unusual requests. Verify the person is an AT&T
employee or a legitimate customer and if they have a need to know the
information they are asking. If you can't verify employment or number,
don't give out the information. If you are still in doubt regarding the
legitimacy of the caller, then speak to a supervisor regarding the
situation before proceeding further and inform the caller you will call
them back. If you still have questions you can call the Security Hotline
1-800-822-9009.
Remember you do not want to be the lucky guest of honor on a telephone
call from the hacker conference this weekend with thousands of hackers
listening to you and attempting to scam AT&T out of proprietary
information. Please be on guard.
- - - - - - - - - - - - - - - - - - - - - - - - -
Source: AT&T Network Security
*******************************************************************
Free Mac Mini
If you still have questions you can call the Security Hotline 1-800-822-9009.
Can't the hackers who read slashdot (probably most of them) just call this number instead now?
Furthermore, why doesn't Microsoft have a security hotline?
They have to take special precautions since there's some conference? What about the rest of the year?
It might be useful to indicate that the Anonymous Coward is an AT&T employee of some sort, not an AT&T customer that some might think of at first.
This kind of behaviour should be common practice, really.
I just hope that whatever information they're looking at, it won't be mine.
On another note, if this hacker convention is so well publicized, why aren't there hordes of policemen preparing to descend upon the unsuspecting hackers? Especially with all the cracking down that the FBI/police force have been doing lately on people who uncap their cable modems, or share wifi connections....
I regularly get emails saying "A person has been seen acting suspiciously on campus, and ran away when challenged. There has been a spate of robberies by extra vigilant," and nothing is made about it. It doesn't mean we're not to be vigilant the rest of the time, just a timely and worthwhile heads up.
What makes this different except the criminals involved are 'l33t and say stuff like "Mad propz".
Athletic Scholarships to universities make as much sense as academic scholarships to sports teams.
Only be secure when the world might be watching, and at all other times be lax. Sounds like a fantastic policy to me.
Need a Python, C++, Unix, Linux develop
almost as funny as the story run by FOXNEWS.com saying "al Qaeda operatives have infiltrated WorldCom" (last two paragraphs on the page)... seems they didnt read the whole story at foxnews.com... it was a joke commentary by Arnaud de Borchgrave
the story outlining foxnews erronious reporting is here (Item #4).
Thanks to file sharing, I purchase more CDs
Thanks to the RIAA, I buy them used...
"I can't give you a brain, so I'll give you a diploma" - The Great Oz (blatently stolen sig)
Dear Employees:
The previous memo failed to mention another warning sign of hacker social engineering attempts. If you hear the song "Halcyon-On and On" by the music group Orbital, hang up the telephone immediately. We will be holding information sessions at all regional offices for telephone support personnel, where you will be trained to recognize this music within several seconds. DO NOT confuse this warning sign with the last five minutes of Mortal Kombat! It is better to be safe than sorry. Thank you for your cooperation, and stay Hacker-Free(tm) during this period of "l337n355".
...
Now I would try to dial into the Security Hotline ;)
...
("Security Hotline 1-800-822-9009") and
to pretend to be an alarmed AT&T employee
Or dial someone from AT&T pretending to be
from the Security Hotline.
Social Engineering attacks are so easy
- the resolution procedures in case of doubt about a callers identity
- the "security hotline" phone number.
Nice going, AT&T.
CEE5210S The signal SIGHUP was received.
What about after the conference is over? At least at the conference the actions aren't malicious, they're just demonstrated to prove a point. Implementing proper procedures to the employees and making sure they're followed EXACTLY would go a long way toward preventing social engineering. This is NOT a new problem, and it also underscores the simple fact that the least secure part of any network is the user.
-Restil
Play with my webcams and lights here
The notice should have asked the employee's to have the caller put AT&T on their "Do not call list"!
call for FBI agents to guard their garbage bins?!
Those hackers can also use "garbage engineering" techniques to get proprietary information.
i think it is an example of an earthling technique known as 'humour'
No No No No!
Hackers and crackers are not the same persons.... If you are a cracker and come to H2K2 then you will be blamed so hard as you can't just say you own name....
BTW: If some of them do i'm sure that they will report it.. If you not report security ugs on systems you are just a simpel Blackhat and no body respect them.....
Truti
At my employer's firm, we have perfected the art of repelling those out to gain information by a 2-pronged approach. We run the callers through a maze of automated phone forwarding recordings to (eventually) a person who has no clue about anything.
This is the problem -- effectively, virtually every US entity and their mothers use SSN's as a unique identifier. For many students (myself included) it is our college id#. SSN's are used as our account number at various stores/puchase accounts, and more importantly, by most employers as a means of employee identification and by companies as a customer record.
SSN#'s are meant to be for social security....its pathetic that we have this de-facto government id number that is _so_ insecure.
(name addy and ssn ==> credi cards...loans...many a story exists of people with bad credit/delays/problems due to identity theft/minor credit hacking due to a stolen ssn)
When in doubt, parenthesize. At the very least it will let some poor schmuck bounce on the % key in vi. (Larry Wall)
umm... call it maybe? it's a toll free number.
I called the 800# it is legit.
J
If we're forced to follow basic security procedures, it means the hackers have already won.
Best Windows Freeware
Now the target is absolutely irresistable. They're going to read the notice out loud at the conference and then call AT&T just to make a point. I bet they were even planning to call a different company this year.
Of course, AT&T may be doing this to trap them --it's curious that they say h2k2 several times and clarify it instead of just saying "group of hacker terrorists". Or maybe they really are just that stupid.
Either way, it should be fun. I've got my ticket.
I bet AT&T would just love to get their hands on the person that posted this. AT&T did a very responsible thing: they saw a potential threat to the security of their customers, i.e., a lot of people who are reading this (and even if you don't pay AT&T directly, you might use their lines if you have a cable modem), and sent out a warning to remind their people. They included reminders of proper secure behavior. And what is the first thing an employee do? Leak the number and protocols to an outlet read by the people who are most likely to try and breach security. If you were my employee you'd get in some serious trouble.
Many people who do the social engineering hack make fun of companies for having clueless employees or employees that don't follow basic guidelines. So for those few who make fun of AT&T for doing this, I'd say you can't have it both ways.
We should be applauding AT&T for reminding their people of basic security precautions.
Problem lies perhaps in the fact that AT&T is a big corporation. People are numbers and numbers can be forged/stolen easily without too much trouble. What if an AT&T employee that just got sacked took a list with him with the information and just threw it on the internet.
I know that these kind of security precautions exist in every big corporation (i work for a top financial corp). I also know that they NEVER work. No-one knows you by the face, only a name or a number is known, and these are easy too come by.
Besides, most system breaches are done from the inside anyway. I know that our company had more internal issues then external.
Now that gives an interesting movie, seeing a hacker calling an AT&T employee... You'll have more fun listening to Brain Damage: Public Radio rules!
bash$
Funny thing is, this probably won't help.
I know when we tell everyone about a new virus, and yet another reminder not to run things even if they are from someone you know, some otherwise intelligent people still go out and run it, and when you ask, they say "Well I know you warned me, but MY friends would never do something like that"
So I can see it now "Well I know there was a warning out.. but he SAID it was an emergency"
That e-mail proves the meeting has acomplished one of its goals. Thanks to H2K2 AT&T is being more careful with the private info.
Isn't that what we all want? At least that's the reason why I support those kind of things.
Life isn't like a box of chocolates. It's more like a jar of jalapenos. What you do today, might burn your ass tomorrow.
Why should it take a hacker conference to get AT&T to put out such a warning? I would like to think that such policies are already in place, and that employees are trained to minimize the risk of social engineering from the start.
I guess that's just wishful thinking though...
I also work for AT&T, but I have not seen this memo (I'm in NJ. Maybe it only went to NY people? Maybe only to sales people? Maybe I'm not good enough?).
But I did some hunting and found this in a recent newsletter. Seems outide people are _supposed_ to call that number (which looks like it is out of my building based on the exchange of the phone #)....
SECURING CRITICAL INFORMATION: AT&T is classified as a critical infrastructure company, servicing the communications needs of the government, including its armed forces around the world. Because of this relationship, and current world events, employees may receive inquiries concerning AT&T's network infrastructure security. While most requests are legitimate, some may not be. It's critical to the security of our country, as well as to our business, that these questions be answered factually, and information provided only to legitimate requestors. For these reasons, employees who receive inquiries from a local, state or federal government agency, anyone claiming to represent the media, or any concerned citizen, should refer those agencies or individuals to the AT&T Corporate Security 24x7 hotline at 1-800-822-9009 (within U.S.) or 908-658-0380 (outside U.S.). Corporate Security will ensure inquiries are verified and appropriate responses provided.
Actually, I thought this was hilarious. Because it IMPLIES AT&T thinks it is acceptable to not follow the procedures the rest of the year.
I wonder if there has ever been an instance of an 800 number being slashdotted?
Basil
Read the jargon file !
Dammit - gotta wake up before posting.
That what was all this school was for... to teach us how to solve our own problems. -- janeowit
How can we be sure this is really what it appears and that it is not slashdot that his been socially engineered ?
Read this very similar AT&T warning about a 1998 DEF CON conference:
http://www.defcon.org/TEXT/6/att-dc-6-alert.txt
Unless AT&T has not changed its warnings in three years (unlikely) and such warnings have been leaked multiple times (more unlikely) this would seem to be a fake.
That song is great :) Orbital has a lot of good music other than Halcyon and On and On. I highly recommend them
Resume your normal, insecure procedures on Monday morning. There's no point in going overboard with this security hoopla.
I have discovered a truly marvelous sig, unfortunately the sig limit is too small to contain i
But I think this falls under the category of "heightened awareness".
Cheers,
Jim in Tokyo
-- My Weblog.
Nah, the 50 FBI agents that were tapping this number were all busy grabbing the pirate out of his parents' house.
It's safe to call the number now. (:
Whoever stated that signature sizes should be limited to one hundred and twenty characters can just go ahead and kiss my
Actually, it makes good statistical/economic sense to concentrate caution on periods of higher risk.
Let's say that AT&T has two modes: careful (C) and reckless (R). Now clearly it costs more in terms of employee time to be careful than reckless. (Say it costs C=$10 and R=$1 respectively. ) Assume Careful catches a proportion q_c of social engineering attempts while Reckless lets a proportion q_r succeed.
Now assume that at a given time there is probability p that someone on the line is trying to social engineer them. Assume also the costs of being hacked (in embarassment or whatever) are uncorrelated, and average $H. Assume the benefits of a legit phone call are $B.
We can now compute the payoff from being careful versus reckless.
V_C = B (1-p) - H p q_c - C
V_R = B (1-p) - H p q_r - R
It's clearly quite possible for either V_C or V_R to be larger depending on the coefficients.
If you could make a function giving q as a function of cost, you could solve for V=0. This would tell you exactly how careful to be, given a particular present level of riskiness p.
I love it... follow these security procedures _on the specific date and time when a hacker's conference has an announced a scheduled social engineering demonstration_.
Don't worry about REAL security. Just worry about embarrassing PR. As long as the hacker breakins don't occur at a time and place when the press is likely to find out about them, everything is OK...
If they had NOT sent out the email, they would have had a good opportunity to find out whether the improved procedures they instituted following embarrassments at previous HOPE conventions were effective. (They DID institute improved procedures following those previous conventions, didn't they?)
"How to Do Nothing," kids activities, back in print!
This information shouldn't be considered secret; after all it's not terribly hard to find out what AT&T will ask if you call up pretending to be an employee or customer: just call up, pretending to be an employee or customer and see what they ask you. If they've designed their procedures sensibly, you still shouldn't be able to spoof them.
Of course, the really great hack would be to call up Kevin Mitnick pretending to be an officer of the court, and get the information from him.
If that's the case - and I would hope it isn't! - I'd rather a pimply teen from Queens did the breaking first, giving the target company a heads-up as to their poor security, rather than a terrorist bent on crippling the US phone network or Internet. Think of H2K2 and its attendees as a free security test for AT&T and other companies.
Is it really okay to expose this?
Yes, absolutely. Much more sensitive information gets published in mainstream media all the time. In fact, it's in posting things like this that Slashdot is at its best, since it provides insight into things that are normally hidden, and which perhaps could stand a bit of scrutiny (or if they can't, should be able to!)
At worst it's letting the world know that, on this particular weekend, the back door to the Best Buy on Such-and-such St. has a broken lock.
That's silly. If AT&T's procedures can be compromised so easily based on the information in that email, they better get new procedures, and they'd better hire security people who know what they're doing.
And if this did result in a real-world break-in -- if someone did use this information to steal from the Best Buy -- the person who posted this information would be arested and charged.
That may well be true, and is an example of the kind of thinking that many officials indulge in. Crack down on the hackers who expose problems, and maybe no-one will notice some of the more serious holes in our infrastructure security. In fact, one of the talks at H2K2 covers this topic:
The fact that the poster of the AT&T email might be arrested and charged is all the more reason to post it. If you allow valid and responsible actions to be circumscribed by petty intimidation, you've already lost your freedom. Of course, you might question the "valid" and "responsible" in my previous sentence, but the point is that it's possible to disagree on these things, and it's not the job of law enforcement to take a position unless an actual identifiable crime has occurred."AtAT concerned about H2G2". I was trying to figure out why Douglas Adams' website would be moving in on "As the Apple Turns' turf." I mean, he WAS a mac advocate (ok, evangelist) but damn.
Triv
Yeah, I don't even know why we still call them Social Security Numbers. It's a farce. It is your unique National Identification Number, whether you like it or not.
Cool! Amazing Toys.
Maybe in the states it works differently, but in Canada you don't *have* to give out your SIN (our version) unless its to the government... not that companies don't ask anyway.
Actually, the US does have such a law. It's just completely ignored.
Every so often someone suggests enforcing the rule, but that would require so many changes that it won't happen.
Actually, you CAN keep it to yourself in most cases. And I have for a couple decades. (I've been concerned about identity theft since long before the term was coined.)
The battle has been lost with respect to withholding it from the state governments when you go for a driver's license - congress authorized them to collect it. (They actually MANDATED it - allegedly to help track dads who skipped out on child support. So why are they collecting womens' numbers, hmm?)
Some entities are entitled to your SS number - generally those that may pay you taxable money: employers and banks. (NOT insurance companies, at least until there's a taxable payout, and most payouts are not taxable.) The rest can ask and you can refuse. They're usually stuck serving you anyhow - especially if they're already contracted to do so, as with certain employee benefits.
I'm not sure if lenders are entitled or if it's just "Well, I have to serve you anyhow. But I get to do so on my personal estimate of your credit risk, based on rules I use that are common to all applicants. I think someone who withholds their SS# from a lender has a skeleton in his financial closet and is a high risk." Either way if you want a loan you'll need to give 'em the number.
The big problem has always been hospitals and medical insurance companies. Hospitals normally assign a hospital number separately and will let you leave your SS# field blank or fill it with "withheld". They have a separate field for the insurance ID, because lots of people are on their spouses' or parents' insurance. Insurance companies generally let you use a replacement I.D. Some will assign it themselves. Some will ask you to generate one - and be responsible if it collides with someone else' number.
If you must generate one: there are several rules for numbers the US will never assign. One I remember is "any of the three fields is all zero". I think any field all-9 is also unused. Two insurance companies that assign numbers are apparently using counters, one starting at 000-00-0001, the other at 100-00-0001 (probably to avoid collisions with each other). If that's where they started they've each assigned more than a thousand before they got to me. Regardless: I have yet to encounter any billing or hospital registration software that rejects "illegal" SS# patterns.
Lately it has gotten a LOT easier to withhold the numbers. Apparently enough people have been doing so that it's no longer a "lone nut" thing. (This is possibly because identity theft has been in the news for a couple years, possibly because people like me have dealt with enough companies to bring their I.T. departments kicking and screaming into the world of privacy.) Companies have gotten the message - clear down to the clerk level - and are no longer fighting the withholding of SS#s and other personal info.
Computer Professionals for Social Responsibility has a project on keeping SS#s private and can give you some tips if you run into a company that's being obstinate.
Meanwhile, get your passport and use THAT for I.D. B-)
Bantam Dominique roosters crow a four-note song. Once you've heard it as "Happy BIRTHday" you can't NOT hear it that way
It's more like you INFERRED AT&T thinks it is acceptable to not follow the procedures the rest of the year.
To me it had the same purpose as all the Terror alerts the US gov't has given out: "Just a reminder, be especially alert during this period." It is not to say ignore all suspicious activity after this period.
A call to this number rang about twenty times, then was picked up by a voicebot: "Your party is not picking up. Your call will now be disconnected."
Big Daddy, Johnny, Burp, Aunt Zelda, Scott, Slurp, Big Momma
Preregistration for H2K2 is closed -- you can still pay $50 at the door to get in, but you must bring cash; we cannot take credit cards for admission.
A hacker's conference that doesn't take credit card numbers? Whatever happened to social engineering?
The society for a thought-free internet welcomes you.
> I wonder if there has ever been an instance of an
> 800 number being slashdotted?
Oh yeah.
I used babysit the computers at a call center, and it's very easy to get overloaded.
There are a finite number of trunks (voice lines) coming into a call center. If they are all occupied, you get a fast busy signal when you call that 800 number.
The voice telling you to press 1 for this and 2 for that is being generated by a computer running IVR (interactive voice response) software. The IVR box can only handle a finite # of conversations, depending on the h/w and how it's set up.
And of course there are a finite # of bums in seats, i.e. the people who take the calls. If they're short of agents, you can wait in queue a long time, as I'm sure you've experienced.
In about 1980, when I was in high school, I discovered an unused phone extension line in my bedroom closet and started experimenting with it. I quickly figured out the basics and built a little homemade phone. Later, I got the idea of using a thirty-foot spool of wire and a couple of alligator clips to quickly tap into someone's line outside of their house to steal long distance phone calls from the safety of my car. This is really trivial stuff, I know, but I thought I was clever.
But not clever enough. I called my cousin long-distance by connecting to what turned out to be the phone line of a little old lady who'd never made a long-distance phone call in her life. Her church was helping her pay her bills and noticed the phone call immediately. They called AT&T, and AT&T merely checked to see who else in my small New Mexico town had ever called that California number. Then they called my mom.
Once AT&T security found out that I hadn't actually done anything sophisticated or interesting, they just made my parents pay for the call and dropped the matter.
None of this, of course, shows that AT&T security was especially astute. But a few years later I was working as a radio disc-jockey, and I told this story to the station's chief broadcast engineer. He told me that he had worked for AT&T and that AT&T Security were among the best private security experts in the world. In his words: "Don't fuck with AT&T Security". That made an impression on me.
Later on, when I first read about the phone phreaking era, I felt lucky that a) I wasn't ingenious enough to get myself in any real trouble, and b) I didn't know anyone who was.
I had an idea like this when I was younger. Write a worm that spreads to and sits on all computers with a dial up connection. At a paticular time, the computers would activate, and if the worm detected that the user was away from the computer, it would dial up some number DDoSing some poor person or company....
It would create a mess because while many internet sites are aware of DDoS... the phone system is more vunerable. If there were enough hosts you could shutdown a whole exchange area, or cell area. The possibilties are scary.
Im not here now... Im out KILLING pepperoni
"Please be on guard for any unusual requests. Verify the person is an AT&T employee or a legitimate customer and if they have a need to know the information they are asking...and inform the caller you will call them back."
Someone was able to not only get through to AT&T service but also GOT A CALL BACK!? Now THAT is shocking news!
It is by the juice of the coffee bean that thoughts acquire speed, the teeth acquire stains. The stains become a warning
I was wondering why my grandma had all of these 900 sex chat calls on her phone bill years ago. And I thought my grandma was just kinky!
It is by the juice of the coffee bean that thoughts acquire speed, the teeth acquire stains. The stains become a warning
In Canada it is illegal to index anything by SIN/SSN. You must always have a unique key that isn't the SIN/SSN -- this is (very likely) why schoolchildren and college/university students are given student IDs.
I would have thought the US would have similar laws. I guess not...
If you could be told what you can see or read, then it follows that you could be told what to say or think - BoC
Fortunantly, H2K2 will be over soon, and AT&T staff can go back to not worrying about what information they give out. Whew! Come monday morning, they can relax again.
Those who would give up liberty in exchange for security and DRM should switch to Microsoft Palladium!
Brainfart. It was Stevie Smith. My bad.
Hot Damn! It's the Soggy Bottom Boys!
Every year in Las Vegas, AT&T issues the same warning, and generally, every year, someone still succeeds at socially engineering some information from them.
What AT&T saw was potential embarassment. IE, having it shown, publically, how bad their security is.... If I tried a social engineering tricks a week ago, how far would I have gotten? If I did it in 6 months, how far would I go?
AT&T just wanted to warn everyone to not cause embarassment to them THIS PARTICULAR weekend.
If you want security, what AT&T should do is hire these guys and have them try to social engineer themselves in at least once a month on a random day. Keep them on guard EVERY day, not just 2 days a year.
I don't remember if it was AT&T specifically, but it may have been. At H2K in 2000, a memo similar to this actually prompted the social engineering call - which was actually made to the security people... They did indeed to see to be inclined to believe that they were speaking to an actual employee of the company, as they were asked to explain this memo the "employee" just received.
The entire conversation was hillarious as it gave a glimpse into the security office's view of hackers, live, to a roomful of 400-500 or so of them.
It appears Ockham lost his razor and grew a beard.
Aha! You know, I only saw that movie for the first (and only) time this year.
What was the horrible prank that H2K2 decided to unleash upon the US telecommunications networks? Did you see the major news networks talking about how nationwide long distance was shutdown from the Hotel Pennsylvania?
No. H2K2ers did not "attack" phone companies anymore than Kevin Mitnick broke into Norad. But KM did rot in jail for four years for minor offenses. On the other hand, Oliver North, a known drug trafficker, hasn't served a day in jail. Why? Because the American public (including the American
People who try to do independent research of systems or try to find vulnerabilities in our national infrastructures are being branded as criminals, by the "powers-that-be", the centrally controlled US media. Well, it won't be too long before
BTW, you guys missed an awesome demonstration of the limitations of caller id. The feared "attack" was a live demonstration of them returning a false phone number identification. I could repeat the technical details here, but that would be aiding you
Think about it.
There is no America. There is no democracy. There is only IBM and AT&T and DuPont, Dow, General Electric, and Exxon
"The site, which went online in 1995, had never before been hacked, Anderson said.
"The newspaper is investigating but has no clues to who might have done it, he added."
Wow! What a mystery! I wonder who could possible have done it? Aren't all the hackers listening to lectures right now?
Taking stuff apart since 1969 (TM)