Please create an account to participate in the Slashdot moderation system


Forgot your password?

AT&T Concerned About H2K2 378

An anonymous submitter forwards this possibly-authentic note about today's H2K2 conference. If you're in the New York area and you love computers and nice hotels, come on down. Anonymous writes "So I get into work, and what do I find in my mailbox? Why, nothing less than a warning cautioning me to be very careful talking to people from July 12 to July 14. (Not me specifically, you understand, it went out all over). Full text follows."

AT&T Network Fraud Advisory
July 11, 2002
Possible Hacker Social Engineering Attempts
Friday July 12 - Sunday July
14, 2002
Be careful about giving information to anyone you don't know and those making unusual information requests by claiming to be an AT&T employee or customer. The H2K2 (Hackers on Planet Earth 2002) Hacker Conference will take place this weekend, Friday, July 12 to Sunday to July 14, 2001, [ed. note: 2001?] in New York City. This conference will be a gathering of over five thousand computer hackers, guest speakers, and computer enthusiasts. In 1994, 1997 and 2000 at the previous Hope (Hackers on Planet Earth) Conferences, live demonstrations of "social engineering" techniques were performed in front of thousands of hackers and other attendees. The hacker panel dialed live into AT&T offices and centers and demonstrated how to get proprietary information by pretending to be an AT&T employee and customer. These calls were recorded and videotaped by the hackers and are sold as instructional material at future hacker conferences. There is a very high likelihood that AT&T will be a target again this weekend. The social engineering contest is scheduled for Sunday July 14th, at 4 P.M. ET, (1 PM PT). During this period hackers may be dialing into AT&T to get information. AT&T Network Security would like to warn our employees to be on guard this entire weekend for any unknown person calling and claiming to be an AT&T employee to request proprietary information or claiming to be an AT&T customer with unusual requests. Remember, if anyone, who is unknown to you calls for proprietary information or make unusual requests, please follow your procedure by requesting additional information to ensure the person is who they say they are before giving out any information. If the person is claiming to be an AT&T employee, please request name, callback and HRID #. Then verify through POST or the email global address list if the information is correct and even request to call the employee back at their contact number. If the person is claiming to be an AT&T customer verify this by requesting additional info on their account like address and SS# and even request to call the person back at their contact number listed on the account. Please be on guard for any unusual requests. Verify the person is an AT&T employee or a legitimate customer and if they have a need to know the information they are asking. If you can't verify employment or number, don't give out the information. If you are still in doubt regarding the legitimacy of the caller, then speak to a supervisor regarding the situation before proceeding further and inform the caller you will call them back. If you still have questions you can call the Security Hotline 1-800-822-9009. Remember you do not want to be the lucky guest of honor on a telephone call from the hacker conference this weekend with thousands of hackers listening to you and attempting to scam AT&T out of proprietary information. Please be on guard.
- - - - - - - - - - - - - - - - - - - - - - - - -
Source: AT&T Network Security

This discussion has been archived. No new comments can be posted.

AT&T Concerned About H2K2

Comments Filter:
  • So? (Score:4, Insightful)

    by Sc00ter ( 99550 ) on Friday July 12, 2002 @09:47AM (#3870387) Homepage
    Given the type of people that go to H2K2 this seems like a good idea. Just trying to get people that might not have a clue a heads up as to what's going on. Sure, not EVERYBODY at H2K2 does these type of activities, but there will be a large number of Skr1p7 K1dd13z out there that will, and people should be prepaired.

    • Re:So? (Score:4, Insightful)

      by An IPv6 obsessed guy ( 545330 ) <> on Friday July 12, 2002 @11:13AM (#3870968) Homepage
      I agree that this is a prudent move. Really, though, don't you think folks should be on guard for this type of thing, say, always?
    • Re:So? (Score:3, Funny)

      by darkfrog ( 98352 )
      not EVERYBODY at H2K2 does these type of activities, but there will be a large number of Skr1p7 K1dd13z out there that will, and people should be prepaired.
      Am I the only one that gets tired of the skript kiddie buzz word? I guess it's no longer used for skript kiddies, but for anything someone else doesn't appreciate.

      Soon we'll have people saying... "Damn Skr1p7 K1dd13z with assault riffles and bullet proof vests came into my house today andd seized all my computer equipment, allong with any other electric device (phone, paper shredder, refrigerator, disposal) for evidence."


      A script kiddie has NOTHING to do with social engineering! Learn a new buzzword.
      • Re:So? (Score:4, Insightful)

        by Mtgman ( 195502 ) on Friday July 12, 2002 @02:44PM (#3872412)
        A script kiddie has NOTHING to do with social engineering! Learn a new buzzword.
        I disagree. If you read the memo you'd have seen that the point of these seminars is to produce material that, for lack of a better word, can be used to train people to execute social engineering attacks. A HOWTO of sorts. I can easily make the comparison between such a group of published materials and a rootkit. In both cases the "1337" hacker is just following a script.

        Luckily, with humans on both sides there is much more chance for a screwup or someone being caught.

        So I think the script kiddies analogy is accurate, in both cases it's someone who would not have been able to design these attacks themselves using how-to kits to comprimise systems. In this case they're carbon-based, not silicon-based, but the analogy is sound.

  • Hah (Score:5, Insightful)

    by iONiUM ( 530420 ) on Friday July 12, 2002 @09:47AM (#3870391) Journal
    If you still have questions you can call the Security Hotline 1-800-822-9009.
    Can't the hackers who read slashdot (probably most of them) just call this number instead now?

    Furthermore, why doesn't Microsoft have a security hotline?
  • Some security! (Score:3, Insightful)

    by PaperTie ( 411784 ) on Friday July 12, 2002 @09:48AM (#3870393)
    They have to take special precautions since there's some conference? What about the rest of the year?
    • Its just a reminder. Its already standard practice at companies like that to verify information of the callers. Just like the police normally patrol the streets, reminders go out when they think people need to be extra cautious.
      • Its already standard practice at companies like that to verify information of the callers.

        Apparently while it may be "standard practice", it isn't followed very much of the time. It's very easy to convince people you are someone else even with very little of their personal information. How often have you called somewhere and to make sure you are you, they read your address to you and ask if it is correct? Imagine if when you booted up your OS instead of login: and password: it asked for whatever personal information you had, then made a judgement call as to whether or not you are actually you, without demanding a specific username and password combination?
        • Re:Some security! (Score:3, Interesting)

          by elandal ( 9242 )
          How often have you called somewhere and to make sure you are you, they read your address to you and ask if it is correct?
          Not often. Usually they ask for my name, date of birth, and address. Not AT&T (I'm not their customer), but other companies. Except that phone companies love obscure numbers ("It's Your phone line installation service code, in the right-upper corner of Your phone service contract" or whatever - anyway not the customer ID or alike) I can't remember and to get it, I first need to dive into a pile of papers.

          Just a couple of days ago I received a call regarding a fax I had sent, and I was asked the usual basic information and whether I had sent the fax, and if I could verify the request I made by stating it (shortly) now on phone. After I stated my request on phone, it was OK'd, and later that day I had confirmation fax on my table.

          I think that was pretty good. Of course, my request was somewhat unusual, so it might have triggered a "use the strong procedure" attitude.
        • Re:Some security! (Score:2, Informative)

          by ph0rk ( 118461 )
          and how often are you calling internal AT&T numbers posing as an employee? (perhaps rightly so).

          All the megacorps do this, if nothing else, simply because the company is so damn big the person has never heard of you, your manager, or your manager's manager.

    • Who the hell cares about AT&T nowadays anyway? Maybe back in the day, but in 2002? This "advisory" is just some guy they hired who used to go to cons, and he's trying to justify his job by issuing spurious bulletins. I'd like to see some of the other crap the AT&T security mandarins put out...probably just as worthless as this one.

      Also, interesting how AT&T apparently requires a SSN to be a customer...the only people who need an SSN are the federal government and your employer.

      • Re:Some security! (Score:3, Informative)

        by Ageless ( 10680 )
        Uh, do you not have any utilities coming in to your home? Almost every single utility I have uses SSN and requires it for transactions.

        As for your statement. Your employer is not allowed to require your SSN but you are required to provide a way for them to tax you. That can be a tax id or something but doesn't have to be SSN.

        The difference is that if a company has a policy then they can choose to not do business with you. If you don't want to provide SSN, well, Long Distance isn't a right.
        • Yeah, I don't even know why we still call them Social Security Numbers. It's a farce. It is your unique National Identification Number, whether you like it or not.
      • Re:Some security! (Score:4, Informative)

        by sysadmn ( 29788 ) <.sysadmn. .at.> on Friday July 12, 2002 @11:21AM (#3871021) Homepage
        If you had bothered to read the article, you'd note that it says that AT&T was burned by this in the past, and they'd like to avoid being burned again. I'd hardly call this "spurious" or "worthless".
    • Precautions? Ha!

      How long has the industry known that the easiest way to hack most networks is through social engineering?

      Despite warnings from everyone--from government to researchers--social engineering continues to work.

      Posting a warning to employees will at most protect the company from the unpracticed social engineering tricks. Social engineering is nothing more than the practiced con-job that has been around since one caveman had something another caveman wanted.

    • It's Bayesian (Score:3, Interesting)

      by GlobalEcho ( 26240 )
      Actually, it makes good statistical/economic sense to concentrate caution on periods of higher risk.

      Let's say that AT&T has two modes: careful (C) and reckless (R). Now clearly it costs more in terms of employee time to be careful than reckless. (Say it costs C=$10 and R=$1 respectively. ) Assume Careful catches a proportion q_c of social engineering attempts while Reckless lets a proportion q_r succeed.

      Now assume that at a given time there is probability p that someone on the line is trying to social engineer them. Assume also the costs of being hacked (in embarassment or whatever) are uncorrelated, and average $H. Assume the benefits of a legit phone call are $B.

      We can now compute the payoff from being careful versus reckless.

      V_C = B (1-p) - H p q_c - C

      V_R = B (1-p) - H p q_r - R

      It's clearly quite possible for either V_C or V_R to be larger depending on the coefficients.

      If you could make a function giving q as a function of cost, you could solve for V=0. This would tell you exactly how careful to be, given a particular present level of riskiness p.
    • They have to take special precautions since there's some conference? What about the rest of the year?

      My thoughts exactly. This gives me the bad feeling they are enforcing their security policies only because having yet another "breach" would be really bad PR. But why aren't they enforced all the time as rigorously? Costs. It costs both time and money to go through the entire protocol, not to mention the additional cost of properly training the employees to follow these rules.

      I'm actually willing to bet some beancounter added 2 and 2 and came to the conclusion that having that much bad PR would cost the company more than enforcing the security policy strictly for a few days. Anyone care to guess how many days it takes for the situation return to "normal?"

  • Editors, again.... (Score:2, Informative)

    by Anonymous Coward
    It might be useful to indicate that the Anonymous Coward is an AT&T employee of some sort, not an AT&T customer that some might think of at first.
  • by Bartmoss ( 16109 ) on Friday July 12, 2002 @09:51AM (#3870411) Homepage Journal
    This kind of behaviour should be common practice, really.
  • Paranoia (Score:2, Interesting)

    by LeiraHoward ( 529716 )
    Just watch: after a note like that, I'll bet someone at the hacker conference takes that as a challenge, and some dumb worker forgets/disregards this warning, and gets made "guest of honor" at their conference, anyway.

    I just hope that whatever information they're looking at, it won't be mine.

    On another note, if this hacker convention is so well publicized, why aren't there hordes of policemen preparing to descend upon the unsuspecting hackers? Especially with all the cracking down that the FBI/police force have been doing lately on people who uncap their cable modems, or share wifi connections....

    • On another note, if this hacker convention is so well publicized, why aren't there hordes of policemen preparing to descend upon the unsuspecting hackers?

      Because being interested in computer security is not (yet) a crime? The attitude may be different, but the content is really no different that what you'd get at a computer security conference.

      Wish I could make it, but I've got a full weekend here.

    • Your comment is silly.

      The people who attend these conferences are usually not interested in as much "black hat" hacking as you may think. It would be hard to find a reason to arrest much less convict many of the attendants.

      These places are sometimes the places where new technologies are invented or destroyed (that is, if flaws are found... your new cell phone for example may provide to be a great scanner etc...).

      Think of it as a conference for computer security but above all electronics engineering...

  • by gowen ( 141411 ) <> on Friday July 12, 2002 @09:51AM (#3870413) Homepage Journal
    I regularly get emails saying "A person has been seen acting suspiciously on campus, and ran away when challenged. There has been a spate of robberies by extra vigilant," and nothing is made about it. It doesn't mean we're not to be vigilant the rest of the time, just a timely and worthwhile heads up.

    What makes this different except the criminals involved are 'l33t and say stuff like "Mad propz".
  • Ahh, PR security (Score:2, Insightful)

    by Omnifarious ( 11933 )

    Only be secure when the world might be watching, and at all other times be lax. Sounds like a fantastic policy to me.

    • by Peyna ( 14792 )
      Yup, it's okay the rest of the time to give out personal information to random people on the phone. I experienced this the other day with the local electric company.

      My sister and I had rented an apartment together a year ago, and there was a problem with how the electric bill was handled when it was shut off. I called up and spoke to the person and then outright asked them to check my sister's records for any correlating information. I gave him her name, and he gave me her address, phone number, and a whole crapload of other information, with no indication that we were actually related other than that we shared the same last name. Granted, she really is my sister, and I already knew the information he told me, I was quite surprised they actually gave that information out to someone other than the account holder.
    • by jayhawk88 ( 160512 ) <> on Friday July 12, 2002 @10:15AM (#3870586)
      Maybe it's my age, but I'm not seeing the paragraph that says "After this is all over please return to our policy of giving out whatever information a caller should ask for". It's just heads-up to their service reps.
    • by CaseyB ( 1105 ) on Friday July 12, 2002 @10:27AM (#3870668)
      It's a more like telling your guards to be more alert when there's a horde of barbarians camped just outside the city walls. That doesn't imply you expect them to be lax normally.
  • by night_flyer ( 453866 ) on Friday July 12, 2002 @09:51AM (#3870417) Homepage
    almost as funny as the story run by [] saying "al Qaeda operatives have infiltrated WorldCom" (last two paragraphs on the page)... seems they didnt read the whole story at it was a joke commentary by Arnaud de Borchgrave

    the story outlining foxnews erronious reporting is here [] (Item #4).
  • by Havokmon ( 89874 ) <> on Friday July 12, 2002 @09:51AM (#3870420) Homepage Journal
    Kudos to the guy who got AT&T to give us their proprietary info on what security precautions they take before giving out confidential information. ;)

  • by Ristretto ( 79399 ) <emery.cs@umass@edu> on Friday July 12, 2002 @09:52AM (#3870424) Homepage
    It would be an especially clever case of "meta" social engineering if the AT&T number was false. Haven't checked, but it's an entertaining notion. People calling the 1-800 number would certainly feel that they were speaking to actual AT&T representatives (having called the official number themselves) and would then be arguably more likely to release personal information.
  • I can see it now (Score:5, Interesting)

    by chabotc ( 22496 ) <chabotc @ g m a> on Friday July 12, 2002 @09:52AM (#3870425) Homepage
    First they get a valid name and number from some poor smugs home page or usenet posting, then they will call AT&T..

    att> Hello how may i help you
    hacker> Hello this is from . Hey i'm sorry to have to call you now, specialy with all this H2 stuff going on, but i need some information on
    att> Umm, well sir i need to ..
    hacker> yea i know, i also saw the memo, my HRID is and my number is . Shall i hold while you check?
    att> Nah, i gues thats ok, what did you need again?

    this would be the uba hack ;-)
  • Addendum: (Score:5, Funny)

    by cybermace5 ( 446439 ) <> on Friday July 12, 2002 @09:55AM (#3870444) Homepage Journal
    Dear Employees:

    The previous memo failed to mention another warning sign of hacker social engineering attempts. If you hear the song "Halcyon-On and On" by the music group Orbital, hang up the telephone immediately. We will be holding information sessions at all regional offices for telephone support personnel, where you will be trained to recognize this music within several seconds. DO NOT confuse this warning sign with the last five minutes of Mortal Kombat! It is better to be safe than sorry. Thank you for your cooperation, and stay Hacker-Free(tm) during this period of "l337n355".

  • Now I would try to dial into the Security Hotline
    ("Security Hotline 1-800-822-9009") and
    to pretend to be an alarmed AT&T employee ;)

    Or dial someone from AT&T pretending to be
    from the Security Hotline.

    Social Engineering attacks are so easy ...
  • Hah (Score:5, Insightful)

    by acceleriter ( 231439 ) on Friday July 12, 2002 @09:58AM (#3870477)
    And they thought no one would post that warning which now contains

    - the resolution procedures in case of doubt about a callers identity

    - the "security hotline" phone number.

    Nice going, AT&T.

    • Re:Hah (Score:2, Interesting)

      I'm not really comfortable with Slashdot publishing phone numbers at all. Whose one is next? Yours? Mine?

      Disrupting web sites by posting links is one thing, but posting internal phone numbers which are used to deal with critical problems is really, really bad.

  • What about after the conference is over? At least at the conference the actions aren't malicious, they're just demonstrated to prove a point. Implementing proper procedures to the employees and making sure they're followed EXACTLY would go a long way toward preventing social engineering. This is NOT a new problem, and it also underscores the simple fact that the least secure part of any network is the user.

    • I can almost here the intro to the session now; "OK, we are now going to perform some live demonstations of Social Engineering. If you want some easy meat to try out your new l33t 5k1llz when you get home; try the local AT&T offices, as they should be letting their guard down nicely by Monday thanks to some prep work we did on Friday...". ;)
  • Telemarketing AT&T.

    The notice should have asked the employee's to have the caller put AT&T on their "Do not call list"!

  • Should they also (Score:2, Interesting)

    by af_robot ( 553885 )
    call for FBI agents to guard their garbage bins?!
    Those hackers can also use "garbage engineering" techniques to get proprietary information.
  • by constantnormal ( 512494 ) on Friday July 12, 2002 @10:08AM (#3870548)
    At my employer's firm, we have perfected the art of repelling those out to gain information by a 2-pronged approach. We run the callers through a maze of automated phone forwarding recordings to (eventually) a person who has no clue about anything.
    • by zerOnIne ( 128186 ) on Friday July 12, 2002 @10:32AM (#3870697) Homepage
      you work for verizon, don't you?
    • At my employer's firm, we have perfected the art of repelling those out to gain information by a 2-pronged approach. We run the callers through a maze of automated phone forwarding recordings to (eventually) a person who has no clue about anything.

      Isn't that the way every company's support is?

      For example, you call the police and you get:

      Please enter the abbreviation for the state you are in


      Please enter the letters for the city you are in


      Please enter your zip code


      Please enter your telephone number


      Please enter your last name


      Please enter your first name


      Please enter your sex


      Please tell us do you jerk off with your left or right hand


      Please tell us what you are calling about: Enter 1 for reporting a crime in progress, 2 for reporting a past crime, 3 for reporting a crime you have reason to believe will be committed, 4 for inquiring about a suspect, 5 for filing complaints, 6 for all other issues


      Please identify the type of crime being committed: 1 for murder, 2 for rape, 3 for child molestation, 4 for torture, 5 for assault, 6 for robbery, 7 for drinking while driving, 8 for public indecency, 9 for all other types of crimes.


      Please identify the gender of the offender raping the victim


      Please hold. Your call will be answered in the order that it was received. Average wait times range from 30 minutes to 1 hour

      10 min: Thank you for your patience. All of our police officers are currently busy. Please hold. Your patience is appreciated.

      20min: Thank you for your patience. All of our police officers are currently busy. Please hold. Your patience is appreciated.

      59 minutes: We're sorry, due to circumstances beyond our control, your call has been disconnected. Please call the police number again and re-enter your complaint.
  • Number is legit (Score:2, Informative)

    by jloukinas ( 304314 )
    I called the 800# it is legit.

  • by L. VeGas ( 580015 ) on Friday July 12, 2002 @10:21AM (#3870627) Homepage Journal
    If we're forced to follow basic security procedures, it means the hackers have already won.
  • Now the target is absolutely irresistable. They're going to read the notice out loud at the conference and then call AT&T just to make a point. I bet they were even planning to call a different company this year.

    Of course, AT&T may be doing this to trap them --it's curious that they say h2k2 several times and clarify it instead of just saying "group of hacker terrorists". Or maybe they really are just that stupid.

    Either way, it should be fun. I've got my ticket.

  • by jd142 ( 129673 ) on Friday July 12, 2002 @10:25AM (#3870654) Homepage
    I bet AT&T would just love to get their hands on the person that posted this. AT&T did a very responsible thing: they saw a potential threat to the security of their customers, i.e., a lot of people who are reading this (and even if you don't pay AT&T directly, you might use their lines if you have a cable modem), and sent out a warning to remind their people. They included reminders of proper secure behavior. And what is the first thing an employee do? Leak the number and protocols to an outlet read by the people who are most likely to try and breach security. If you were my employee you'd get in some serious trouble.

    Many people who do the social engineering hack make fun of companies for having clueless employees or employees that don't follow basic guidelines. So for those few who make fun of AT&T for doing this, I'd say you can't have it both ways.

    We should be applauding AT&T for reminding their people of basic security precautions.
    • Speaking as an ex-ATT employee. It's really not a problem with sending the memo out to the world...

      These are the standard policies that ATT uses to verify the authenticity of calls. It's nothing out the ordinary, just a reminder to people that they should be verifiying identity before they give out information.

    • The posting of this message was not harmful or malicious to AT&T or its security issues. Its only informative; you could say it may even give customers higher confidence. The person who posted it did nothing that would get him/her fired. If he were fired, (s)he'd have valid grounds to sue.

      Furthermore, the reactions to this haven't been negative. There's nothing wrong with AT&T taking reasonable measures to insure that private customer information is kept private, and that the general security of their networks is maintained. Indeed, if they did anything else, that would be wrong and irresponsible.

      Speaking as a cyber-libertarian, I can say that cyber-libertarian ideals don't include giving crackers free reign to break into confidential or private information. Indeed, if you allow such, you're destroying liberty, because you lose privacy rights. Cyber-liberties -- as Lessig has said -- can be violated not only by the government, but also by corporations, organizations, and other individuals.
  • Problem lies perhaps in the fact that AT&T is a big corporation. People are numbers and numbers can be forged/stolen easily without too much trouble. What if an AT&T employee that just got sacked took a list with him with the information and just threw it on the internet.

    I know that these kind of security precautions exist in every big corporation (i work for a top financial corp). I also know that they NEVER work. No-one knows you by the face, only a name or a number is known, and these are easy too come by.

    Besides, most system breaches are done from the inside anyway. I know that our company had more internal issues then external.
  • Videotaped! (Score:3, Interesting)

    by MavEtJu ( 241979 ) <slashdot@ma[ ] ['vet' in gap]> on Friday July 12, 2002 @10:27AM (#3870662) Homepage
    These calls were recorded and videotaped by the hackers and are sold as instructional material at future hacker conferences.

    Now that gives an interesting movie, seeing a hacker calling an AT&T employee... You'll have more fun listening to Brain Damage []:
    "Brain Damage" was a two hour call-in show hosted by Emmanuel (using the name Eric Corley) which aired from 1988 to 1995. The show covered all kinds of serious topics as well as non-serious ones. Favorite regular features included
    Confuse The Operator, highlights from Radio Moscow, and a reading of the lunch menu by the university lunch lady. Callers contributed their over-the-phone songs, stories of their lives, and features such as the "Math Teacher Spy." There were fewer and fewer shows in the later years until it finally came to an end on January 29, 1995.
    Public Radio rules! :-)
  • Wow. (Score:4, Insightful)

    by mindstrm ( 20013 ) on Friday July 12, 2002 @10:27AM (#3870665)
    Funny thing is, this probably won't help.

    I know when we tell everyone about a new virus, and yet another reminder not to run things even if they are from someone you know, some otherwise intelligent people still go out and run it, and when you ask, they say "Well I know you warned me, but MY friends would never do something like that"

    So I can see it now "Well I know there was a warning out.. but he SAID it was an emergency"
  • by bigjocker ( 113512 ) on Friday July 12, 2002 @10:38AM (#3870733) Homepage
    That e-mail proves the meeting has acomplished one of its goals. Thanks to H2K2 AT&T is being more careful with the private info.

    Isn't that what we all want? At least that's the reason why I support those kind of things.
  • It's ironic (Score:3, Insightful)

    by BobRoss ( 63028 ) on Friday July 12, 2002 @10:41AM (#3870752)
    Why should it take a hacker conference to get AT&T to put out such a warning? I would like to think that such policies are already in place, and that employees are trained to minimize the risk of social engineering from the start.

    I guess that's just wishful thinking though...
    • Re:It's ironic (Score:3, Insightful)

      by suwain_2 ( 260792 )
      I was under the impression that is was more of a "You already have these procedures, but take extra care this week..." deal, rather than a "Let's teach you basic security fundamentals!" type of thing.

      Sort of like saying "The roads are icing up, drive carefully." -- it's just a heads-up to remember to follow the procedures. Or so I hope...

    • But I think this falls under the category of "heightened awareness".

      Jim in Tokyo
    • Re:It's ironic (Score:4, Interesting)

      by shren ( 134692 ) on Friday July 12, 2002 @11:57AM (#3871265) Homepage Journal

      Why should it take a hacker conference to get AT&T to put out such a warning?

      There have been warnings about more general con-men around for years - even some of thier tricks are well known. There's always the classic movie, "The Sting". Many social engineering tricks rely on pressure and tricking the target when they're not really paying attention (conning register boys out of a five by doing an 'i need change' shell game) or using pressure tactics into forcing a bad decision.

      Sometimes these warnings play right into the con men's hands! Pickpockets *love* signs that say "beware of the pickpocket", because everybody pats thier wallet to make sure it's still there. "Thanks for letting me know exactly where your wallet is, target.", thinks the pickpocket. A block away the target isn't thinking about pickpockets anymore - two blocks away and his wallet's gone.

      Like, without this memo, maybe even with it, if you hacked the switchboard to the phone center and made it so 10 hackers could all call the same desk clerk at the same time, it would be easy to pull something on him. (If you know when the phones are undermanned or can dial directly to an extension, you don't even need to hack the switch.)

      Have the other 9 callers put pressure on him with mundane but slightly time consuming requests. Almost everybody who works a phone these days has a lot of pressure on them to resolve each call quickly. When he's got half of the 9 on hold and is trying to get what they want, have the 10th call and play "I'm a manager and I need to know (trivial piece of information that's actually valuable to a hacker) now!" Time's ticking on the held calls. If he leaves them on hold it will show up on a report to his manager. If he doesn't help this guy he'll have another manager angry at him for different reasons.

      And the 10th calling 'manager' isn't going to refuse any requests for information. No, of course not. He's just going to say, "I've got that info in my wallet - no not there, maybe in my briefcase, I'm looking.", thus stalling untill target phone rep folds like cardboard box. He breaks policy in an attempt to make everybody happy. But, hey, at least the hackers are happy. *grin*

      Thinking about what's going on "Why are there 10 calls to my desk???" is near-proof against con men. They have a thousand tricks to keep you from having time to think.

  • Security Hotline (Score:3, Interesting)

    by Anonymous Coward on Friday July 12, 2002 @10:44AM (#3870763)
    I also work for AT&T, but I have not seen this memo (I'm in NJ. Maybe it only went to NY people? Maybe only to sales people? Maybe I'm not good enough?).

    But I did some hunting and found this in a recent newsletter. Seems outide people are _supposed_ to call that number (which looks like it is out of my building based on the exchange of the phone #)....

    SECURING CRITICAL INFORMATION: AT&T is classified as a critical infrastructure company, servicing the communications needs of the government, including its armed forces around the world. Because of this relationship, and current world events, employees may receive inquiries concerning AT&T's network infrastructure security. While most requests are legitimate, some may not be. It's critical to the security of our country, as well as to our business, that these questions be answered factually, and information provided only to legitimate requestors. For these reasons, employees who receive inquiries from a local, state or federal government agency, anyone claiming to represent the media, or any concerned citizen, should refer those agencies or individuals to the AT&T Corporate Security 24x7 hotline at 1-800-822-9009 (within U.S.) or 908-658-0380 (outside U.S.). Corporate Security will ensure inquiries are verified and appropriate responses provided.
    • There's a note on (in the morning's chatty post) from a person who seems to indicate this whole thing is a troll. (I don't want to link because I like squabble and they're bandwidth poor right now.)

      Is there any evidence other than the text in the message that this was received by a legit AT&T employee?
  • att # (Score:2, Interesting)

    I wonder if there has ever been an instance of an 800 number being slashdotted?
  • by Martin Spamer ( 244245 ) on Friday July 12, 2002 @11:16AM (#3870998) Homepage Journal

    How can we be sure this is really what it appears and that it is not slashdot that his been socially engineered ?
  • by saforrest ( 184929 ) on Friday July 12, 2002 @11:17AM (#3871003) Journal
    Read this very similar AT&T warning about a 1998 DEF CON conference: []

    Unless AT&T has not changed its warnings in three years (unlikely) and such warnings have been leaked multiple times (more unlikely) this would seem to be a fake.
  • by Royster ( 16042 ) on Friday July 12, 2002 @11:41AM (#3871149) Homepage
    Resume your normal, insecure procedures on Monday morning. There's no point in going overboard with this security hoopla.
  • I love it... follow these security procedures _on the specific date and time when a hacker's conference has an announced a scheduled social engineering demonstration_.

    Don't worry about REAL security. Just worry about embarrassing PR. As long as the hacker breakins don't occur at a time and place when the press is likely to find out about them, everything is OK...

    If they had NOT sent out the email, they would have had a good opportunity to find out whether the improved procedures they instituted following embarrassments at previous HOPE conventions were effective. (They DID institute improved procedures following those previous conventions, didn't they?)
  • by iabervon ( 1971 ) on Friday July 12, 2002 @12:05PM (#3871322) Homepage Journal
    This information shouldn't be considered secret; after all it's not terribly hard to find out what AT&T will ask if you call up pretending to be an employee or customer: just call up, pretending to be an employee or customer and see what they ask you. If they've designed their procedures sensibly, you still shouldn't be able to spoof them.

    Of course, the really great hack would be to call up Kevin Mitnick pretending to be an officer of the court, and get the information from him.
  • "AtAT concerned about H2G2". I was trying to figure out why Douglas Adams' website would be moving in on "As the Apple Turns' turf." I mean, he WAS a mac advocate (ok, evangelist) but damn.

  • AT&T Security (Score:5, Interesting)

    by kmellis ( 442405 ) <> on Friday July 12, 2002 @01:19PM (#3871822) Homepage
    This reminds me that back in the day, AT&T Security was supposedly a bunch of bmf's.

    In about 1980, when I was in high school, I discovered an unused phone extension line in my bedroom closet and started experimenting with it. I quickly figured out the basics and built a little homemade phone. Later, I got the idea of using a thirty-foot spool of wire and a couple of alligator clips to quickly tap into someone's line outside of their house to steal long distance phone calls from the safety of my car. This is really trivial stuff, I know, but I thought I was clever.

    But not clever enough. I called my cousin long-distance by connecting to what turned out to be the phone line of a little old lady who'd never made a long-distance phone call in her life. Her church was helping her pay her bills and noticed the phone call immediately. They called AT&T, and AT&T merely checked to see who else in my small New Mexico town had ever called that California number. Then they called my mom.

    Once AT&T security found out that I hadn't actually done anything sophisticated or interesting, they just made my parents pay for the call and dropped the matter.

    None of this, of course, shows that AT&T security was especially astute. But a few years later I was working as a radio disc-jockey, and I told this story to the station's chief broadcast engineer. He told me that he had worked for AT&T and that AT&T Security were among the best private security experts in the world. In his words: "Don't fuck with AT&T Security". That made an impression on me.

    Later on, when I first read about the phone phreaking era, I felt lucky that a) I wasn't ingenious enough to get myself in any real trouble, and b) I didn't know anyone who was.

If I had only known, I would have been a locksmith. -- Albert Einstein