Users' Data Target Of 'Targeted Attack' on AT&T

← Back to Stories (view on slashdot.org)

Users' Data Target Of 'Targeted Attack' on AT&T

Posted by timothy on Tuesday November 22, 2011 @04:43AM from the oh-the-files-are-inside-the-death-star dept.

New submitter fran6gagne writes "AT&T [Monday] notified customers of an effort by hackers to collect online account information. It is not believed that the perpetrators of this attack obtained access to sensitive information." eWeek's account has a bit more detail.

20 of 28 comments (clear)

Min score:

Reason:

Sort:

Double Negatives for Double Fun by elysiuan · 2011-11-22 04:46 · Score: 2

I don't don't believe that exposing user data is not not a big deal!
Of coarse not by fish_in_the_c · 2011-11-22 04:51 · Score: 1

"It is not not believed that the perpetrators of this attack obtained access to sensitive information"
if they had ATT certainly would not tell anybody ... and if they were REALLY good ATT wouldn't know.

--
âoeTolerance applies only to persons, but never to truth. Intolerance applies only to truth, but never to persons.
1. Re:Of coarse not by Jawnn · 2011-11-22 06:26 · Score: 1
  
  "It is not not believed that the perpetrators of this attack obtained access to sensitive information" if they had ATT certainly would not tell anybody ... and if they were REALLY good ATT wouldn't know.
  Close, but I see that you are not fluent in corporate double-speak. Allow me to translate, my friend.
  "We are not ready to grudgingly admit that the perpetrators of this attack obtained access to sensitive information. On advice from counsel, not to mention our friends at Sony, we going to go with that story, for now."
2. Re:Of coarse not by DriedClexler · 2011-11-22 07:17 · Score: 2
  
  You need to learn how to translate this stuff:
  "The attackers were not successful" -> They got the password hashes.
  "The attackers were not able to gain access to sensitive data" --> They got the password hashes plus a bunch of private stuff we stored in cleartext because we're idiots.
  "We have no reason to believe the attackers compromised sensitive data." --> They got everything.
  
  --
  Information theory is life. The rest is just the KL divergence.
Re:Target of targeted attack? by Lunix+Nutcase · 2011-11-22 04:54 · Score: 3, Informative

That's the brilliant "editing" work of timothy. The original articles used "organized and systematic" attack but timothy must have thought that was too clear and not redundant enough for the slashdot title.
(One of) My problems with AT&T... by jesseck · 2011-11-22 04:58 · Score: 4, Interesting

When I signed up for a UVerse account, they provided the login details. They had my username (previously tied to DSL), no biggie. But then the technician at the house was able to pull up my password. MY password. It's stored in a reversible manner (if encrypted at all)- why the fuck? This does not surprise me that AT&T was targeted, and I'm sure they have millions of customers that believe they password is safe. Since then, I don't trust AT&T or that account for anything important.
1. Re:(One of) My problems with AT&T... by Anonymous Coward · 2011-11-22 06:21 · Score: 2, Informative
  
  Believe it or not, AT&T is actually pretty serious when it comes to sensitive personal information.
  ( I have to re-take the training at least yearly about it )
  Full drive encryption on all desktop and laptop systems are pretty much the standard. Software firewalls and
  anti-virus updated constantly. Forced password changes on a scheduled basis with complexity rules in full
  effect. Access to servers which hold SPI are limited and those accounts are either passphrase level logins
  or RSA SecurID tokens.
  ( All tokens were re-issued post RSA Data breach )
  Network sniffers are in place everywhere. Firewalls are in place to isolate the many internal networks
  within the company. Identifying the systems with your data is only part of the puzzle. Getting access to
  them ( and the network they reside upon ) is a lot more work for an outsider.
  Not just anyone in the company has access to your data. Only those groups that need access to it to do
  their job. Will it stop the official evil employee from looking at your data if they have legitimate access ?
  Of course not. You have to trust SOMEONE to access your data when necessary.
  From an outside hack perspective though, the systems in general are definitely not wide open for the
  world to see. They may not be up to NSA / Area-51standards, but they're pretty locked down.
2. Re:(One of) My problems with AT&T... by certain+death · 2011-11-22 06:33 · Score: 3, Interesting
  
  You mean they are serious about protecting _THEIR OWN_ data, not customers data.
  
  --
  "My immediate reaction is "WTF? What kind of moron doesn't make things 64-bit safe to begin with?" Linus
3. Re:(One of) My problems with AT&T... by gl4ss · 2011-11-22 07:25 · Score: 2
  
  I guess it would be smarter to target at&t dsl installers then.
  then you'd get all passes.
  
  --
  world was created 5 seconds before this post as it is.
4. Re:(One of) My problems with AT&T... by rsborg · 2011-11-22 08:03 · Score: 1
  
  Believe it or not, AT&T is actually pretty serious when it comes to sensitive personal information.
  ( I have to re-take the training at least yearly about it )
  AT&T is a multi-headed beast of a company with dozens of divisions. It's highly likely that in your area, AT&T may be highly security conscious while in the UVerse area, they couldn't secure two pieces of paper using a stapler... having reversible encryption is an incredibly bad security exposure (GP post's anecdote).
  
  Forced password changes on a scheduled basis with complexity rules in full
  effect.
  This has actually proven to be bad, as folks will likely resort to writing down their passwords... or if they infrequently use the system, they just keep using the "forgot, email me" feature.
  
  --
  Make sure everyone's vote counts: Verified Voting
5. Re:(One of) My problems with AT&T... by Charliemopps · 2011-11-22 08:11 · Score: 1
  
  Their customers data IS their own data. Didn't you know that?
6. Re:(One of) My problems with AT&T... by Charliemopps · 2011-11-22 08:19 · Score: 1
  
  I used to work for ATT. People working in the same building don't even know the job responsibilities of people across the hall... much less across the country. ATT would do things like: Give one of their departments a free data line. This line was still billed, but they'd put it on an account that was paid by ATT itself. There were thousands of lines on these accounts and they'd bill in the millions, but it didn't matter because ATT would pay it themselves right? Well, the problems arose when ATT would lay-off the previously mentioned department. They'd fired everyone, and vacate the building. A few months later a new tenant would move in and find several WORKING T1s on the ATT network... some of them inside ATTs own internal cloud! They'd call ATT billing and request to have those lines removed... ATT would say they need a written statement ending service to disconnect. The tenants would explain that ATT was the customer, they need to write their own disconnect request... but ATT would refuse. Dishonest people would say "Fine" and write a fake disconnect request. (that actually would work) More dishonest people would just start using the T1s and say "Yay!" Honest customers, as usual, were screwed. ATT would let the line sit, usually for years, then figure it out and try to back-bill them for something they never asked to have installed, never used and had no way of removing.
Re:Ah /. by Lunix+Nutcase · 2011-11-22 05:13 · Score: 1

It's better than the two-day-old blogspam like the post about Linux kernel codenames that was nothing but a regurgitation of a wiki page.
phone numbers may be enumerated by Anonymous Coward · 2011-11-22 05:13 · Score: 4, Interesting

It appears that they are just enumerating which phone numbers are set up with online account access. This can be done via the account setup page. The login page itself will not tell you if an account exists or doesn't exist, but the setup page will. Likely, this is a first step to later brute force passwords. Given that the username is the phone number, they can then just try and find one that has an account set up with AT&T's web site. The daily internet storm center podcast had some details about this. http://isc.sans.edu/podcastdetail.html
Next up by mr1911 · 2011-11-22 06:19 · Score: 3, Funny

It is not believed that the perpetrators of this attack obtained access to sensitive information.
AT&T does not consider any of its customer's personal data as "sensitive information".

--
This post comes with a double-your-money-back guarantee!
Any offense taken to this post is at your sole discretion.
1. Re:Next up by Jeng · 2011-11-22 07:48 · Score: 1
  
  The article has a quote similar to that one, but with different wording that leaves them actually very little wiggle room.
  
  âoeWe recently detected an organized and systematic attempt to obtain information on a number of AT&T customer accounts, including yours,â AT&T said in an e-mail to customers. âoeWe do not believe that the perpetrators of this attack obtained access to your online account or any of the information contained in that account.â
  
  Considering the type of attack they describe this sounds more like a scouting mission rather than a full on attack.
  
  --
  Don't know something? Look it up. Still don't know? Then ask.
2. Re:Next up by Anonymous Coward · 2011-11-22 09:09 · Score: 1
  
  And, anyway, we won't know for sure until the charges start showing up on your next phone bill....
Re:Target of targeted attack? by wwfarch · 2011-11-22 07:32 · Score: 1

I think the title is saying there was an attack that tried to get data (Users' data was the target) from AT&T ('Targeted attack' on AT&T). Definitely a confusing headline but not actually redundant.
Re:Target of targeted attack? by migla · 2011-11-22 18:58 · Score: 1

Yes, I was partly being compulsively silly. The quotes convey the extra info that AT&T describes it as a targeted attack. A title without repetitition of words might have been "Targeted attack" for AT&T user info" or something...

--
Some of my favourite people are from th US; Vonnegut, Chomsky, Bill Hicks.
+T-Mobile = Fatter Target by Doc+Ruby · 2011-11-23 01:27 · Score: 1

If AT&T gets T-Mobile, then the more monopolistic combined company will be a bigger target for attacks, which harm more people at once when successful.
Carrier diversity is yet another reason not to let AT&T continue to recover its total monopoly status.

--
--
make install -not war