Users' Data Target Of 'Targeted Attack' on AT&T
New submitter fran6gagne writes "AT&T [Monday] notified customers of an effort by hackers to collect online account information. It is not believed that the perpetrators of this attack obtained access to sensitive information." eWeek's account has a bit more detail.
Double Negatives for Double Fun (Score:3)
I don't don't believe that exposing user data is not not a big deal!
Target of targeted attack? (Score:1)
Is the redundant headline redundant?
Re:Target of targeted attack? (Score:4, Informative)
That's the brilliant "editing" work of timothy. The original articles used "organized and systematic" attack but timothy must have thought that was too clear and not redundant enough for the slashdot title.
Re: (Score:1)
Re: (Score:2)
Yes, I was partly being compulsively silly. The quotes convey the extra info that AT&T describes it as a targeted attack. A title without repetition of words might have been "'Targeted attack' for AT&T user info" or something...
Of coarse not (Score:2)
"It is not not believed that the perpetrators of this attack obtained access to sensitive information" ... and if they were REALLY good ATT wouldn't know.
if they had ATT certainly would not tell anybody
Re: (Score:2)
"It is not not believed that the perpetrators of this attack obtained access to sensitive information" if they had ATT certainly would not tell anybody ... and if they were REALLY good ATT wouldn't know.
Close, but I see that you are not fluent in corporate double-speak. Allow me to translate, my friend.
"We are not ready to grudgingly admit that the perpetrators of this attack obtained access to sensitive information. On advice from counsel, not to mention our friends at Sony, we're going to go with that story, for now."
Re: (Score:3)
You need to learn how to translate this stuff:
"The attackers were not successful" -> They got the password hashes.
"The attackers were not able to gain access to sensitive data" --> They got the password hashes plus a bunch of private stuff we stored in cleartext because we're idiots.
"We have no reason to believe the attackers compromised sensitive data." --> They got everything.
(One of) My problems with AT&T... (Score:5, Interesting)
Re: (Score:2, Informative)
Believe it or not, AT&T is actually pretty serious when it comes to sensitive personal information.
( I have to re-take the training at least yearly about it )
Full drive encryption on all desktop and laptop systems is pretty much the standard. Software firewalls and anti-virus updated constantly. Forced password changes on a scheduled basis with complexity rules in full effect. Access to servers which hold SPI is limited and those accounts are either passphrase level logins or RSA SecurID tokens.
( All to
Re:(One of) My problems with AT&T... (Score:4, Interesting)
Re: (Score:3)
I guess it would be smarter to target at&t dsl installers then.
then you'd get all passes.
Re: (Score:2)
Re: (Score:2)
Believe it or not, AT&T is actually pretty serious when it comes to sensitive personal information.
( I have to re-take the training at least yearly about it )
AT&T is a multi-headed beast of a company with dozens of divisions. It's highly likely that in your area, AT&T may be highly security conscious while in the UVerse area, they couldn't secure two pieces of paper using a stapler... having reversible encryption is an incredibly bad security exposure (GP post's anecdote).
Forced password changes on a scheduled basis with complexity rules in full effect.
This has actually proven to be bad, as folks will likely resort to writing down their passwords... or if they infrequently use the system, they just keep using the "forgot, email me"
Re: (Score:2)
Re: (Score:2)
It's better than the two-day-old blogspam like the post about Linux kernel codenames that was nothing but a regurgitation of a wiki page.
phone numbers may be enumerated (Score:4, Interesting)
It appears that they are just enumerating which phone numbers are set up with online account access. This can be done via the account setup page. The login page itself will not tell you if an account exists or doesn't exist, but the setup page will. Likely, this is a first step to later brute force passwords. Given that the username is the phone number, they can then just try and find one that has an account set up with AT&T's web site. The daily internet storm center podcast had some details about this. http://isc.sans.edu/podcastdetail.html
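The post above describes a classic account-enumeration oracle: the login page answers the same way for every phone number, but the account-setup page reveals whether a number already has an online account. The following is an added example, not code from the thread, from AT&T, or from the ISC podcast; it shows the leaking endpoint beside a hardened one that answers identically in both cases, and a small detector that runs over constructed application log lines and flags a client probing many distinct phone numbers against the setup page. Phone numbers, IP addresses, the log format and the `/account/setup` path are all constructed for the example.

```python
"""Added example: account-enumeration oracle on a setup page, plus detection.

Everything here is constructed sample data; the log format, path names,
phone numbers and IP addresses are assumptions, not AT&T's real system.
"""
import re
from collections import defaultdict

# Constructed set of phone numbers that already have an online account.
REGISTERED = {"5550100001", "5550100002", "5550100003"}

# Out-of-band channel. A real system would queue an SMS; here we just record it
# so the example runs offline and the test can inspect what would have been sent.
OUTBOX = []


def setup_vulnerable(phone):
    """Leaky variant: status code and body differ by whether the account exists,
    so the page can be used as a yes/no oracle for any phone number."""
    if phone in REGISTERED:
        return {"status": 409, "body": "An online account already exists for this number."}
    return {"status": 200, "body": "Verification code sent."}


def setup_hardened(phone):
    """Hardened variant: the HTTP response is identical in both cases. The
    difference is moved to the out-of-band channel that only the number's
    owner can see (an SMS to the phone), so the web page leaks nothing."""
    if phone in REGISTERED:
        OUTBOX.append({"to": phone, "kind": "already-registered-notice"})
    else:
        OUTBOX.append({"to": phone, "kind": "enrolment-code"})
    return {"status": 200,
            "body": "If this number is eligible, a verification code has been sent."}


# Constructed application-log format (assumption): one line per request.
LOG_RE = re.compile(
    r"client=(?P<ip>\S+) path=(?P<path>\S+) phone=(?P<phone>\d+) status=(?P<status>\d+)"
)


def find_enumerators(log_lines, threshold=5):
    """Return {client_ip: distinct_numbers_probed} for clients that hit the
    setup page with at least `threshold` distinct phone numbers. A legitimate
    user retries the same number; a scanner walks through many numbers."""
    probes = defaultdict(set)
    for line in log_lines:
        m = LOG_RE.search(line)
        if not m or m.group("path") != "/account/setup":
            continue  # ignore unparsable lines and other endpoints
        probes[m.group("ip")].add(m.group("phone"))
    return {ip: len(nums) for ip, nums in probes.items() if len(nums) >= threshold}


# Constructed sample log: one legitimate client retrying a single number,
# one login request that must be ignored, and one client walking a number range.
SAMPLE_LOG = [
    "2011-06-20T10:00:00Z client=198.51.100.4 path=/account/setup phone=5550100002 status=409",
    "2011-06-20T10:00:03Z client=198.51.100.4 path=/account/setup phone=5550100002 status=409",
    "2011-06-20T10:00:05Z client=198.51.100.4 path=/login phone=5550100002 status=200",
] + [
    "2011-06-20T10:01:%02dZ client=203.0.113.7 path=/account/setup phone=55501000%02d status=%d"
    % (i, i, 409 if "55501000%02d" % i in REGISTERED else 200)
    for i in range(8)
]


if __name__ == "__main__":
    print("vulnerable:", setup_vulnerable("5550100001"), setup_vulnerable("5550199999"))
    print("hardened:  ", setup_hardened("5550100001"), setup_hardened("5550199999"))
    print("flagged clients:", find_enumerators(SAMPLE_LOG))
```

The hardened handler still does something useful for both kinds of caller, but it pushes the distinguishing action to a channel an unauthenticated web client cannot observe. The detector is deliberately simple; in practice the same per-client distinct-identifier count would be combined with rate limiting on the setup endpoint, since a scanner that stays under the threshold per source address can still enumerate slowly from many addresses.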
Next up (Score:4, Funny)
It is not believed that the perpetrators of this attack obtained access to sensitive information.
AT&T does not consider any of its customers' personal data as "sensitive information".
Re: (Score:2)
The article has a quote similar to that one, but with different wording that leaves them actually very little wiggle room.
"We recently detected an organized and systematic attempt to obtain information on a number of AT&T customer accounts, including yours," AT&T said in an e-mail to customers. "We do not believe that the perpetrators of this attack obtained access to your online account or any of the information contained in that account."
Considering the type of attack they describe this sounds more like a scouting mission rather than a full on attack.
Re: (Score:1)
And, anyway, we won't know for sure until the charges start showing up on your next phone bill....
+T-Mobile = Fatter Target (Score:2)
If AT&T gets T-Mobile, then the more monopolistic combined company will be a bigger target for attacks, which harm more people at once when successful.
Carrier diversity is yet another reason not to let AT&T continue to recover its total monopoly status.