AT&T Hack Highlights Web Site Vulnerabilities - InformationWeek



AT&T Hack Highlights Web Site Vulnerabilities

Hackers are experimenting with a number of methods for getting access to online personal information that could make them money.

The attack against an AT&T Web site that sells DSL equipment provides a stern reminder that stolen laptops aren't the only way to compromise sensitive customer information. Although AT&T hasn't provided details about how the site was hacked, it's disclosed that attackers last weekend made off with personal data, including credit card information, for nearly 19,000 DSL equipment customers.

The Web site is run for AT&T by an independent vendor; AT&T would not reveal the vendor's name. It's working with its own internal forensic experts and law enforcement to analyze the attack, a company spokesman says. The company says the attack was discovered within hours of its launch and the affected site was shut down. AT&T, in a statement, attributed the motive of the attack to a criminal market for illegally obtained personal information.

One Web security expert notes that any site that houses sensitive information about customers, including credit card or Social Security numbers, is fair game for attackers looking to cash in on stolen information. To pull off such attacks, hackers are experimenting with JavaScript malware that can be embedded in a Web page and activated when a page is viewed, cross-site scripting attacks that give attackers access to Web site user information, Web site worms, and other ways of coaxing information out of databases connected to Web applications, says Jeremiah Grossman, a former Yahoo information security officer who's now founder and chief technology officer with Web application security provider WhiteHat Security Inc.
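Of the attack types Grossman lists, cross-site scripting is the one a site owner can close off directly in application code. The following is an added example, not code from the article or from AT&T's vendor: it takes a search term from a constructed URL, renders it once unsafely and once with HTML escaping, and shows that only the unescaped path lets user-supplied markup reach the page. The host name and parameter are hypothetical.

```python
"""Added example (not from the article): rendering untrusted input into HTML.

A reflected cross-site scripting flaw exists wherever a request parameter is
pasted into a page as markup. The defensive control is output encoding for
the context the value lands in; here the element-body context, handled by
html.escape.
"""
import html
from urllib.parse import parse_qs, urlsplit

# Constructed sample request for the demo (hypothetical host and parameter).
# The q value decodes to "<b>dsl</b>": harmless tags, enough to show leakage.
SAMPLE_URL = "https://shop.example/search?q=%3Cb%3Edsl%3C%2Fb%3E"


def query_param(url: str, name: str) -> str:
    """Return the first value of query parameter `name`, or '' if absent."""
    params = parse_qs(urlsplit(url).query)
    return params.get(name, [""])[0]


def render_unsafe(term: str) -> str:
    """Vulnerable form: the search term is interpolated as raw HTML."""
    return f"<p>Results for: {term}</p>"


def render_safe(term: str) -> str:
    """Hardened form: the term is escaped for the element-body context.

    quote=True also escapes ' and ", so the same helper is safe inside a
    quoted attribute value; other contexts (script, URL) need their own
    encoders, which this example does not cover.
    """
    return f"<p>Results for: {html.escape(term, quote=True)}</p>"


def markup_leaked(rendered: str, term: str) -> bool:
    """True if user-supplied text containing tags reached the page verbatim."""
    return "<" in term and term in rendered


if __name__ == "__main__":
    term = query_param(SAMPLE_URL, "q")
    for label, page in (("unsafe", render_unsafe(term)), ("safe", render_safe(term))):
        print(f"{label:6} leaked={markup_leaked(page, term)!s:5} {page}")
```

The check in `markup_leaked` is deliberately simple: it only asks whether the raw tag text survived into the output. A real review would also cover the attribute, script and URL contexts, each of which needs its own encoder.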

To avoid being the next victim, companies must take stock of all their Web sites and assess the security of these sites. If there are dozens of sites, they should be prioritized based upon the nature of the information they access—is customer data at risk?—and the vulnerability of the applications they run. "If issues are found, and every site has issues, they must be addressed right away," Grossman says. "That's really all people are asking for, for companies to be diligent."

If a company isn't proactive about finding its security faults, it's guaranteed someone else will find them, "and they won't be nice about it," Grossman adds.

Attackers have a process for locating and attacking targets. They monitor sites such as SecurityFocus's Bugtraq that report application vulnerabilities, searching for problems with apps that are used to run Web sites or run an aspect of a Web site, such as an online shopping cart. Once an attacker finds a commercially available Web application with a known flaw, he or she will use a Web search tool such as Google or Yahoo to find Web sites using those applications. These search engines will return a list of sites that the attacker can then probe to see if the applications they use have been properly patched. Any site that hasn't been patched is an easy target.

A large company like AT&T is already a ripe target for such attacks, particularly because companies that run dozens of Web sites don't always have a good inventory of them, the applications they're running, and the data they access. "If you don't know what you own, how can you possibly secure it?" Grossman says.
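Grossman's advice across the preceding paragraphs amounts to a procedure: inventory every site, record the application and version each one runs and the data it touches, then rank sites by data sensitivity and by known, unpatched application flaws. The following is an added example, not code from the article or from any vendor named in it: it runs that triage over a constructed inventory and a constructed advisory list. Every host name, application name and version number is hypothetical.

```python
"""Added example (not from the article): triaging a web-site inventory.

Inputs are a list of sites (host, application, version, data held) and a
list of advisories giving the first fixed version of an application. The
output is the sites ranked by risk, so the ones holding card or SSN data on
an unpatched application surface first. All data below is constructed.
"""
import re
from dataclasses import dataclass


@dataclass
class Site:
    host: str
    app: str
    version: str
    holds_card_data: bool = False
    holds_ssn: bool = False


@dataclass
class Advisory:
    app: str
    fixed_in: str  # first version that contains the fix


def parse_version(v: str) -> tuple:
    """Turn '2.1.3' (or '2.1.3-rc1') into a comparable tuple of ints."""
    return tuple(int(p) for p in re.findall(r"\d+", v))


def version_before(installed: str, fixed: str) -> bool:
    """True if `installed` is older than `fixed`, padding short versions
    with zeros so that '2.1' compares equal to '2.1.0' rather than below it."""
    a, b = parse_version(installed), parse_version(fixed)
    width = max(len(a), len(b))
    return a + (0,) * (width - len(a)) < b + (0,) * (width - len(b))


def is_unpatched(site: Site, advisory: Advisory) -> bool:
    """A site is exposed to an advisory if it runs the affected application
    at a version older than the fixed one."""
    return site.app == advisory.app and version_before(site.version, advisory.fixed_in)


def risk_score(site: Site, advisories: list) -> int:
    """Weights are illustrative: sensitive data dominates, each open
    advisory adds to it."""
    score = 0
    if site.holds_card_data:
        score += 10
    if site.holds_ssn:
        score += 10
    score += 5 * sum(is_unpatched(site, adv) for adv in advisories)
    return score


def prioritize(sites: list, advisories: list) -> list:
    """Hosts ordered from highest to lowest risk; ties broken by host name."""
    ranked = sorted(sites, key=lambda s: (-risk_score(s, advisories), s.host))
    return [s.host for s in ranked]


# Constructed inventory and advisories (hypothetical hosts, apps, versions).
SITES = [
    Site("dsl-store.example", "cartware", "2.1.3", holds_card_data=True),
    Site("press.example", "cartware", "2.1.3"),
    Site("support.example", "kbportal", "4.0", holds_ssn=True),
    Site("careers.example", "kbportal", "4.2.0"),
]
ADVISORIES = [Advisory("cartware", "2.2.0"), Advisory("kbportal", "4.1.0")]


if __name__ == "__main__":
    for host in prioritize(SITES, ADVISORIES):
        site = next(s for s in SITES if s.host == host)
        print(f"{risk_score(site, ADVISORIES):3}  {host}  {site.app} {site.version}")
```

The ranking puts the card-data store and the SSN-holding portal first because each runs a version older than its advisory's fix; the press site shares the unpatched application but holds nothing sensitive, and the careers site is already patched. In practice the inventory would be fed from a discovery scan of the company's own domains rather than typed in by hand.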

AT&T says it has already contacted via e-mail, phone, and regular mail the nearly 19,000 customers who may have been affected by the data breach. This proactive move isn't part of some corporate policy, but "it's something we're doing in this case," a company spokesman says. Either way, AT&T would have been bound by state breach notification laws to contact any customers residing in the more than 30 states that have such laws. AT&T says it has also put fraud alerts on all the credit card numbers stolen and is offering credit monitoring to affected customers, two moves that have become common in the wake of a data theft or loss.

Web site attacks such as the one AT&T endured aren't uncommon. Eric McCarty, a 25-year-old San Diego resident, was charged in April with hacking into the University of Southern California's computer system and accessing confidential information submitted by students applying to the school.
