Slashdot Mirror

← Back to Stories (view on slashdot.org)

Users' Data Target Of 'Targeted Attack' on AT&T

Posted by timothy on from the oh-the-files-are-inside-the-death-star dept.

New submitter fran6gagne writes "AT&T [Monday] notified customers of an effort by hackers to collect online account information. It is not believed that the perpetrators of this attack obtained access to sensitive information." eWeek's account has a bit more detail.

9 of 28 comments (clear)

  1. Double Negatives for Double Fun by elysiuan · · Score: 2

    I don't don't believe that exposing user data is not not a big deal!

  2. Re:Target of targeted attack? by Lunix+Nutcase · · Score: 3, Informative

    That's the brilliant "editing" work of timothy. The original articles used "organized and systematic" attack but timothy must have thought that was too clear and not redundant enough for the slashdot title.

  3. (One of) My problems with AT&T... by jesseck · · Score: 4, Interesting

    When I signed up for a UVerse account, they provided the login details. They had my username (previously tied to DSL), no biggie. But then the technician at the house was able to pull up my password. MY password. It's stored in a reversible manner (if encrypted at all)- why the fuck? This does not surprise me that AT&T was targeted, and I'm sure they have millions of customers that believe they password is safe. Since then, I don't trust AT&T or that account for anything important.

    1. Re:(One of) My problems with AT&T... by Anonymous Coward · · Score: 2, Informative

      Believe it or not, AT&T is actually pretty serious when it comes to sensitive personal information.
      ( I have to re-take the training at least yearly about it )

      Full drive encryption on all desktop and laptop systems are pretty much the standard. Software firewalls and
      anti-virus updated constantly. Forced password changes on a scheduled basis with complexity rules in full
      effect. Access to servers which hold SPI are limited and those accounts are either passphrase level logins
      or RSA SecurID tokens.

      ( All tokens were re-issued post RSA Data breach )

      Network sniffers are in place everywhere. Firewalls are in place to isolate the many internal networks
      within the company. Identifying the systems with your data is only part of the puzzle. Getting access to
      them ( and the network they reside upon ) is a lot more work for an outsider.

      Not just anyone in the company has access to your data. Only those groups that need access to it to do
      their job. Will it stop the official evil employee from looking at your data if they have legitimate access ?
      Of course not. You have to trust SOMEONE to access your data when necessary.

      From an outside hack perspective though, the systems in general are definitely not wide open for the
      world to see. They may not be up to NSA / Area-51standards, but they're pretty locked down.

    2. Re:(One of) My problems with AT&T... by certain+death · · Score: 3, Interesting

      You mean they are serious about protecting _THEIR OWN_ data, not customers data.

      --
      "My immediate reaction is "WTF? What kind of moron doesn't make things 64-bit safe to begin with?" Linus
    3. Re:(One of) My problems with AT&T... by gl4ss · · Score: 2

      I guess it would be smarter to target at&t dsl installers then.

      then you'd get all passes.

      --
      world was created 5 seconds before this post as it is.
  4. phone numbers may be enumerated by Anonymous Coward · · Score: 4, Interesting

    It appears that they are just enumerating which phone numbers are set up with online account access. This can be done via the account setup page. The login page itself will not tell you if an account exists or doesn't exist, but the setup page will. Likely, this is a first step to later brute force passwords. Given that the username is the phone number, they can then just try and find one that has an account set up with AT&T's web site. The daily internet storm center podcast had some details about this. http://isc.sans.edu/podcastdetail.html

  5. Next up by mr1911 · · Score: 3, Funny

    It is not believed that the perpetrators of this attack obtained access to sensitive information.

    AT&T does not consider any of its customer's personal data as "sensitive information".

    --
    This post comes with a double-your-money-back guarantee!
    Any offense taken to this post is at your sole discretion.
  6. Re:Of coarse not by DriedClexler · · Score: 2

    You need to learn how to translate this stuff:

    "The attackers were not successful" -> They got the password hashes.

    "The attackers were not able to gain access to sensitive data" --> They got the password hashes plus a bunch of private stuff we stored in cleartext because we're idiots.

    "We have no reason to believe the attackers compromised sensitive data." --> They got everything.

    --
    Information theory is life. The rest is just the KL divergence.