Catch up on stories from the past week (and beyond) at the Slashdot story archive

 


Forgot your password?
Close
typodupeerror
×
Security AT&T Communications Privacy

Users' Data Target Of 'Targeted Attack' on AT&T 28

Posted by timothy from the oh-the-files-are-inside-the-death-star dept.
New submitter fran6gagne writes "AT&T [Monday] notified customers of an effort by hackers to collect online account information. It is not believed that the perpetrators of this attack obtained access to sensitive information." eWeek's account has a bit more detail.
This discussion has been archived. No new comments can be posted.

Users' Data Target Of 'Targeted Attack' on AT&T More

Users' Data Target Of 'Targeted Attack' on AT&T

Comments Filter:

  • Double Negatives for Double Fun (Score:3)

    by elysiuan ( 762931 ) on Tuesday November 22, 2011 @12:46PM (#38137122) Homepage

    I don't don't believe that exposing user data is not not a big deal!

  • Is the redundant headline redundant?

    • Re:Target of targeted attack? (Score:4, Informative)

      by Lunix Nutcase ( 1092239 ) on Tuesday November 22, 2011 @12:54PM (#38137238)

      That's the brilliant "editing" work of timothy. The original articles used "organized and systematic" attack but timothy must have thought that was too clear and not redundant enough for the slashdot title.

      • I think the title is saying there was an attack that tried to get data (Users' data was the target) from AT&T ('Targeted attack' on AT&T). Definitely a confusing headline but not actually redundant.

        • Re: (Score:2)

          by migla ( 1099771 )

          Yes, I was partly being compulsively silly. The quotes convey the extra info that AT&T describes it as a targeted attack. A title without repetitition of words might have been "Targeted attack" for AT&T user info" or something...

  • "It is not not believed that the perpetrators of this attack obtained access to sensitive information"
    if they had ATT certainly would not tell anybody ... and if they were REALLY good ATT wouldn't know.

    • Re: (Score:2)

      by Jawnn ( 445279 )

      "It is not not believed that the perpetrators of this attack obtained access to sensitive information" if they had ATT certainly would not tell anybody ... and if they were REALLY good ATT wouldn't know.

      Close, but I see that you are not fluent in corporate double-speak. Allow me to translate, my friend.
      "We are not ready to grudgingly admit that the perpetrators of this attack obtained access to sensitive information. On advice from counsel, not to mention our friends at Sony, we going to go with that story, for now."

    • You need to learn how to translate this stuff:

      "The attackers were not successful" -> They got the password hashes.

      "The attackers were not able to gain access to sensitive data" --> They got the password hashes plus a bunch of private stuff we stored in cleartext because we're idiots.

      "We have no reason to believe the attackers compromised sensitive data." --> They got everything.

  • (One of) My problems with AT&T... (Score:5, Interesting)

    by jesseck ( 942036 ) on Tuesday November 22, 2011 @12:58PM (#38137314)
    When I signed up for a UVerse account, they provided the login details. They had my username (previously tied to DSL), no biggie. But then the technician at the house was able to pull up my password. MY password. It's stored in a reversible manner (if encrypted at all)- why the fuck? This does not surprise me that AT&T was targeted, and I'm sure they have millions of customers that believe they password is safe. Since then, I don't trust AT&T or that account for anything important.

    • Re: (Score:2, Informative)

      by Anonymous Coward

      Believe it or not, AT&T is actually pretty serious when it comes to sensitive personal information.
      ( I have to re-take the training at least yearly about it )

      Full drive encryption on all desktop and laptop systems are pretty much the standard. Software firewalls and
      anti-virus updated constantly. Forced password changes on a scheduled basis with complexity rules in full
      effect. Access to servers which hold SPI are limited and those accounts are either passphrase level logins
      or RSA SecurID tokens.

      ( All to

      • Re:(One of) My problems with AT&T... (Score:4, Interesting)

        by certain death ( 947081 ) on Tuesday November 22, 2011 @02:33PM (#38139062)
        You mean they are serious about protecting _THEIR OWN_ data, not customers data.

      • Re: (Score:2)

        by rsborg ( 111459 )

        Believe it or not, AT&T is actually pretty serious when it comes to sensitive personal information.
        ( I have to re-take the training at least yearly about it )

        AT&T is a multi-headed beast of a company with dozens of divisions. It's highly likely that in your area, AT&T may be highly security conscious while in the UVerse area, they couldn't secure two pieces of paper using a stapler... having reversible encryption is an incredibly bad security exposure (GP post's anecdote).

        Forced password changes on a scheduled basis with complexity rules in full
        effect.

        This has actually proven to be bad, as folks will likely resort to writing down their passwords... or if they infrequently use the system, they just keep using the "forgot, email me"

        • I used to work for ATT. People working in the same building don't even know the job responsibilities of people across the hall... much less across the country. ATT would do things like: Give one of their departments a free data line. This line was still billed, but they'd put it on an account that was paid by ATT itself. There were thousands of lines on these accounts and they'd bill in the millions, but it didn't matter because ATT would pay it themselves right? Well, the problems arose when ATT would lay-

  • phone numbers may be enumerated (Score:4, Interesting)

    by Anonymous Coward on Tuesday November 22, 2011 @01:13PM (#38137608)

    It appears that they are just enumerating which phone numbers are set up with online account access. This can be done via the account setup page. The login page itself will not tell you if an account exists or doesn't exist, but the setup page will. Likely, this is a first step to later brute force passwords. Given that the username is the phone number, they can then just try and find one that has an account set up with AT&T's web site. The daily internet storm center podcast had some details about this. http://isc.sans.edu/podcastdetail.html

  • Next up (Score:4, Funny)

    by mr1911 ( 1942298 ) on Tuesday November 22, 2011 @02:19PM (#38138820)

    It is not believed that the perpetrators of this attack obtained access to sensitive information.

    AT&T does not consider any of its customer's personal data as "sensitive information".

    • Re: (Score:2)

      by Jeng ( 926980 )

      The article has a quote similar to that one, but with different wording that leaves them actually very little wiggle room.

      âoeWe recently detected an organized and systematic attempt to obtain information on a number of AT&T customer accounts, including yours,â AT&T said in an e-mail to customers. âoeWe do not believe that the perpetrators of this attack obtained access to your online account or any of the information contained in that account.â

      Considering the type of attack they describe this sounds more like a scouting mission rather than a full on attack.

    • Re: (Score:1)

      by Anonymous Coward

      And, anyway, we won't know for sure until the charges start showing up on your next phone bill....

  • If AT&T gets T-Mobile, then the more monopolistic combined company will be a bigger target for attacks, which harm more people at once when successful.

    Carrier diversity is yet another reason not to let AT&T continue to recover its total monopoly status.

Slashdot Top Deals

It is easier to write an incorrect program than understand a correct one.

Close