AT&T Concerned About H2K2

An anonymous submitter forwards this possibly-authentic note about today's H2K2 conference. If you're in the New York area and you love computers and nice hotels, come on down. Anonymous writes "So I get into work, and what do I find in my mailbox? Why, nothing less than a warning cautioning me to be very careful talking to people from July 12 to July 14. (Not me specifically, you understand, it went out all over). Full text follows."

****************************************************************
AT&T Network Fraud Advisory
July 11, 2002
****************************************************************
Possible Hacker Social Engineering Attempts
Friday July 12 - Sunday July
14, 2002
===================================================
Caution:
------------
Be careful about giving information to anyone you don't know and those making unusual information requests by claiming to be an AT&T employee or customer. The H2K2 (Hackers on Planet Earth 2002) Hacker Conference will take place this weekend, Friday, July 12 to Sunday to July 14, 2001, [ed. note: 2001?] in New York City. This conference will be a gathering of over five thousand computer hackers, guest speakers, and computer enthusiasts. http://www.h2k2.net In 1994, 1997 and 2000 at the previous Hope (Hackers on Planet Earth) Conferences, live demonstrations of "social engineering" techniques were performed in front of thousands of hackers and other attendees. The hacker panel dialed live into AT&T offices and centers and demonstrated how to get proprietary information by pretending to be an AT&T employee and customer. These calls were recorded and videotaped by the hackers and are sold as instructional material at future hacker conferences. There is a very high likelihood that AT&T will be a target again this weekend. The social engineering contest is scheduled for Sunday July 14th, at 4 P.M. ET, (1 PM PT). During this period hackers may be dialing into AT&T to get information. AT&T Network Security would like to warn our employees to be on guard this entire weekend for any unknown person calling and claiming to be an AT&T employee to request proprietary information or claiming to be an AT&T customer with unusual requests. Remember, if anyone, who is unknown to you calls for proprietary information or make unusual requests, please follow your procedure by requesting additional information to ensure the person is who they say they are before giving out any information. If the person is claiming to be an AT&T employee, please request name, callback and HRID #. Then verify through POST or the email global address list if the information is correct and even request to call the employee back at their contact number. If the person is claiming to be an AT&T customer verify this by requesting additional info on their account like address and SS# and even request to call the person back at their contact number listed on the account. Please be on guard for any unusual requests. Verify the person is an AT&T employee or a legitimate customer and if they have a need to know the information they are asking. If you can't verify employment or number, don't give out the information. If you are still in doubt regarding the legitimacy of the caller, then speak to a supervisor regarding the situation before proceeding further and inform the caller you will call them back. If you still have questions you can call the Security Hotline 1-800-822-9009. Remember you do not want to be the lucky guest of honor on a telephone call from the hacker conference this weekend with thousands of hackers listening to you and attempting to scam AT&T out of proprietary information. Please be on guard.
- - - - - - - - - - - - - - - - - - - - - - - - -
Source: AT&T Network Security
*******************************************************************

So?

[Sc00ter]

Given the type of people that go to H2K2 this seems like a good idea. Just trying to get people that might not have a clue a heads up as to what's going on. Sure, not EVERYBODY at H2K2 does these type of activities, but there will be a large number of Skr1p7 K1dd13z out there that will, and people should be prepaired.

Re:So?

[An+IPv6+obsessed+guy]

I agree that this is a prudent move. Really, though, don't you think folks should be on guard for this type of thing, say, always?

Re:So?

[Mtgman]

A script kiddie has NOTHING to do with social engineering! Learn a new buzzword.

I disagree. If you read the memo you'd have seen that the point of these seminars is to produce material that, for lack of a better word, can be used to train people to execute social engineering attacks. A HOWTO of sorts. I can easily make the comparison between such a group of published materials and a rootkit. In both cases the "1337" hacker is just following a script.

Luckily, with humans on both sides there is much more chance for a screwup or someone being caught.

So I think the script kiddies analogy is accurate, in both cases it's someone who would not have been able to design these attacks themselves using how-to kits to comprimise systems. In this case they're carbon-based, not silicon-based, but the analogy is sound.

Steven

Hah

[iONiUM]

If you still have questions you can call the Security Hotline 1-800-822-9009.
Can't the hackers who read slashdot (probably most of them) just call this number instead now?

Furthermore, why doesn't Microsoft have a security hotline?

Re:Hah

[JWSmythe]

I get the feeling the operators at (800) 822-9009 are about to be slashdotted themselves.. Can AT&T take 1/2 mil simultanious calls to their security hotline? hehe

Re:Hah

[Pig+Hogger]

Furthermore, why doesn't Microsoft have a security hotline?

They had one, but it melted down.

Re:Hah

[Patrick13]

ya know.... 800 numbers have global caller ID. I wouldn't recommend calling this number from, say, your workstation, at the place where work for a living.

What a great fuss about nothing

[gowen]

I regularly get emails saying "A person has been seen acting suspiciously on campus, and ran away when challenged. There has been a spate of robberies by extra vigilant," and nothing is made about it. It doesn't mean we're not to be vigilant the rest of the time, just a timely and worthwhile heads up.

What makes this different except the criminals involved are 'l33t and say stuff like "Mad propz".

Re:What a great fuss about nothing

[edbarrett]

So what does "mad props" mean anyway?

The Set Decoration Is Not Amused.

HA! Social Engineering!

[Havokmon]

Kudos to the guy who got AT&T to give us their proprietary info on what security precautions they take before giving out confidential information. ;)

Addendum:

[cybermace5]

Dear Employees:

The previous memo failed to mention another warning sign of hacker social engineering attempts. If you hear the song "Halcyon-On and On" by the music group Orbital, hang up the telephone immediately. We will be holding information sessions at all regional offices for telephone support personnel, where you will be trained to recognize this music within several seconds. DO NOT confuse this warning sign with the last five minutes of Mortal Kombat! It is better to be safe than sorry. Thank you for your cooperation, and stay Hacker-Free(tm) during this period of "l337n355".

Hah

[acceleriter]

And they thought no one would post that warning which now contains

- the resolution procedures in case of doubt about a callers identity

- the "security hotline" phone number.

Nice going, AT&T.

perfect security

[constantnormal]

At my employer's firm, we have perfected the art of repelling those out to gain information by a 2-pronged approach. We run the callers through a maze of automated phone forwarding recordings to (eventually) a person who has no clue about anything.

Re:perfect security

[zerOnIne]

you work for verizon, don't you?

Re:perfect security

[ethereal]

"Why don't you just tell me the name of the movie you want to see?"

Re:Ahh, PR security

[jayhawk88]

Maybe it's my age, but I'm not seeing the paragraph that says "After this is all over please return to our policy of giving out whatever information a caller should ask for". It's just heads-up to their service reps.

Ignore the memo!

[L.+VeGas]

If we're forced to follow basic security procedures, it means the hackers have already won.

good thing this was posted by anon

[jd142]

I bet AT&T would just love to get their hands on the person that posted this. AT&T did a very responsible thing: they saw a potential threat to the security of their customers, i.e., a lot of people who are reading this (and even if you don't pay AT&T directly, you might use their lines if you have a cable modem), and sent out a warning to remind their people. They included reminders of proper secure behavior. And what is the first thing an employee do? Leak the number and protocols to an outlet read by the people who are most likely to try and breach security. If you were my employee you'd get in some serious trouble.

Many people who do the social engineering hack make fun of companies for having clueless employees or employees that don't follow basic guidelines. So for those few who make fun of AT&T for doing this, I'd say you can't have it both ways.

We should be applauding AT&T for reminding their people of basic security precautions.

Re:good thing this was posted by anon

[Lando]

Speaking as an ex-ATT employee. It's really not a problem with sending the memo out to the world...

These are the standard policies that ATT uses to verify the authenticity of calls. It's nothing out the ordinary, just a reminder to people that they should be verifiying identity before they give out information.

Re:good thing this was posted by anon

[dh003i]

The posting of this message was not harmful or malicious to AT&T or its security issues. Its only informative; you could say it may even give customers higher confidence. The person who posted it did nothing that would get him/her fired. If he were fired, (s)he'd have valid grounds to sue.

Furthermore, the reactions to this haven't been negative. There's nothing wrong with AT&T taking reasonable measures to insure that private customer information is kept private, and that the general security of their networks is maintained. Indeed, if they did anything else, that would be wrong and irresponsible.

Speaking as a cyber-libertarian, I can say that cyber-libertarian ideals don't include giving crackers free reign to break into confidential or private information. Indeed, if you allow such, you're destroying liberty, because you lose privacy rights. Cyber-liberties -- as Lessig has said -- can be violated not only by the government, but also by corporations, organizations, and other individuals.

Wow.

[mindstrm]

Funny thing is, this probably won't help.

I know when we tell everyone about a new virus, and yet another reminder not to run things even if they are from someone you know, some otherwise intelligent people still go out and run it, and when you ask, they say "Well I know you warned me, but MY friends would never do something like that"

So I can see it now "Well I know there was a warning out.. but he SAID it was an emergency"

Re:Ahh, PR security

[CaseyB]

It's a more like telling your guards to be more alert when there's a horde of barbarians camped just outside the city walls. That doesn't imply you expect them to be lax normally.

This is a Dood Thing(tm)

[bigjocker]

That e-mail proves the meeting has acomplished one of its goals. Thanks to H2K2 AT&T is being more careful with the private info.

Isn't that what we all want? At least that's the reason why I support those kind of things.

Re:Some security!

[sysadmn]

If you had bothered to read the article, you'd note that it says that AT&T was burned by this in the past, and they'd like to avoid being burned again. I'd hardly call this "spurious" or "worthless".

P.S. to the Memo

[Royster]

Resume your normal, insecure procedures on Monday morning. There's no point in going overboard with this security hoopla.

Re:It's ironic

[shren]

Why should it take a hacker conference to get AT&T to put out such a warning?

There have been warnings about more general con-men around for years - even some of thier tricks are well known. There's always the classic movie, "The Sting". Many social engineering tricks rely on pressure and tricking the target when they're not really paying attention (conning register boys out of a five by doing an 'i need change' shell game) or using pressure tactics into forcing a bad decision.

Sometimes these warnings play right into the con men's hands! Pickpockets *love* signs that say "beware of the pickpocket", because everybody pats thier wallet to make sure it's still there. "Thanks for letting me know exactly where your wallet is, target.", thinks the pickpocket. A block away the target isn't thinking about pickpockets anymore - two blocks away and his wallet's gone.

Like, without this memo, maybe even with it, if you hacked the switchboard to the phone center and made it so 10 hackers could all call the same desk clerk at the same time, it would be easy to pull something on him. (If you know when the phones are undermanned or can dial directly to an extension, you don't even need to hack the switch.)

Have the other 9 callers put pressure on him with mundane but slightly time consuming requests. Almost everybody who works a phone these days has a lot of pressure on them to resolve each call quickly. When he's got half of the 9 on hold and is trying to get what they want, have the 10th call and play "I'm a manager and I need to know (trivial piece of information that's actually valuable to a hacker) now!" Time's ticking on the held calls. If he leaves them on hold it will show up on a report to his manager. If he doesn't help this guy he'll have another manager angry at him for different reasons.

And the 10th calling 'manager' isn't going to refuse any requests for information. No, of course not. He's just going to say, "I've got that info in my wallet - no not there, maybe in my briefcase, I'm looking.", thus stalling untill target phone rep folds like cardboard box. He breaks policy in an attempt to make everybody happy. But, hey, at least the hackers are happy. *grin*

Thinking about what's going on "Why are there 10 calls to my desk???" is near-proof against con men. They have a thousand tricks to keep you from having time to think.

AT&T shouldn't care about this memo getting ou

[iabervon]

This information shouldn't be considered secret; after all it's not terribly hard to find out what AT&T will ask if you call up pretending to be an employee or customer: just call up, pretending to be an employee or customer and see what they ask you. If they've designed their procedures sensibly, you still shouldn't be able to spoof them.

Of course, the really great hack would be to call up Kevin Mitnick pretending to be an officer of the court, and get the information from him.

AT&T Security

[kmellis]

This reminds me that back in the day, AT&T Security was supposedly a bunch of bmf's.

In about 1980, when I was in high school, I discovered an unused phone extension line in my bedroom closet and started experimenting with it. I quickly figured out the basics and built a little homemade phone. Later, I got the idea of using a thirty-foot spool of wire and a couple of alligator clips to quickly tap into someone's line outside of their house to steal long distance phone calls from the safety of my car. This is really trivial stuff, I know, but I thought I was clever.

But not clever enough. I called my cousin long-distance by connecting to what turned out to be the phone line of a little old lady who'd never made a long-distance phone call in her life. Her church was helping her pay her bills and noticed the phone call immediately. They called AT&T, and AT&T merely checked to see who else in my small New Mexico town had ever called that California number. Then they called my mom.

Once AT&T security found out that I hadn't actually done anything sophisticated or interesting, they just made my parents pay for the call and dropped the matter.

None of this, of course, shows that AT&T security was especially astute. But a few years later I was working as a radio disc-jockey, and I told this story to the station's chief broadcast engineer. He told me that he had worked for AT&T and that AT&T Security were among the best private security experts in the world. In his words: "Don't fuck with AT&T Security". That made an impression on me.

Later on, when I first read about the phone phreaking era, I felt lucky that a) I wasn't ingenious enough to get myself in any real trouble, and b) I didn't know anyone who was.

Re:Some security!

[Anonymous+DWord]

Not quite true. Here's what it says on the paper that comes with a brand shiny new SS Card:

YOUR SOCIAL SECURITY CARD

The Social Security number shown on your card is yours alone. Record your number in a safe place in case your card is lost or stolen. Protect both your card and your number to prevent their misuse.
...
Some private organizations use Social Security numbers for record keeping purposes. Such use is neither required nor prohibited by Federal law. The use of your Social Security number by such an organization for its own records is a private matter between you and the organization. Private organizations cannot get information from your Social Security record just because they know your number.

Any Federal, State, or local government agency that asks for your number must tell you: whether giving it is mandatory or voluntary, its authority for requesting the number, and how the number will be used.
...

Emphasis mine.