AT&T Hack Highlights Web Site Vulnerabilities - InformationWeek


Hackers are experimenting with a number of methods for getting access to online personal information that could make them money.

The attack against an AT&T Web site that sells DSL equipment provides a stern reminder that stolen laptops aren't the only way to compromise sensitive customer information. Although AT&T hasn't provided details about how the site was hacked, it has disclosed that attackers last weekend made off with personal data, including credit card information, for nearly 19,000 DSL equipment customers.

The Web site is run for AT&T by an independent vendor; AT&T would not reveal the vendor's name. It's working with its own internal forensic experts and law enforcement to analyze the attack, a company spokesman says. The company says the attack was discovered within hours of its launch and the affected site was shut down. AT&T, in a statement, attributed the motive of the attack to a criminal market for illegally obtained personal information.

One Web security expert notes that any site that houses sensitive information about customers, including credit card or Social Security numbers, is fair game for attackers looking to cash in on stolen information. To pull off such attacks, hackers are experimenting with JavaScript malware that can be embedded in a Web page and activated when a page is viewed, cross-site scripting attacks that give attackers access to Web site user information, Web site worms, and other ways of coaxing information out of databases connected to Web applications, says Jeremiah Grossman, a former Yahoo information security officer who's now founder and chief technology officer with Web application security provider WhiteHat Security Inc.

To avoid being the next victim, companies must take stock of all their Web sites and assess the security of these sites. If there are dozens of sites, they should be prioritized based upon the nature of the information they access—is customer data at risk?—and the vulnerability of the applications they run. "If issues are found, and every site has issues, they must be addressed right away," Grossman says. "That's really all people are asking for, for companies to be diligent."

If a company isn't proactive about finding its security faults, it's guaranteed someone else will find them, "and they won't be nice about it," Grossman adds.

Attackers have a process for locating and attacking targets. They monitor sites such as SecurityFocus's Bugtraq that report application vulnerabilities, searching for problems with apps that are used to run Web sites or run an aspect of a Web site, such as an online shopping cart. Once an attacker finds a commercially available Web application with a known flaw, he or she will use a Web search tool such as Google or Yahoo to find Web sites using those applications. These search engines will return a list of sites that the attacker can then probe to see if the applications they use have been properly patched. Any site that hasn't been patched is an easy target.

A large company like AT&T is already a ripe target for such attacks, particularly because companies that run dozens of Web sites don't always have a good inventory of them, the applications they're running, and the data they access. "If you don't know what you own, how can you possibly secure it?" Grossman says.

AT&T says it has already contacted via e-mail, phone, and regular mail the nearly 19,000 customers who may have been affected by the data breach. This proactive move isn't part of some corporate policy, but "it's something we're doing in this case," a company spokesman says. Either way, AT&T would have been bound by state breach notification laws to contact any customers residing in the more than 30 states that have such laws. AT&T says it has also put fraud alerts on all the credit card numbers stolen and is offering credit monitoring to affected customers, two moves that have become common in the wake of a data theft or loss.

Web site attacks such as the one AT&T endured aren't uncommon. Eric McCarty, a 25-year-old San Diego resident, was charged in April with hacking into the University of Southern California's computer system and accessing confidential information submitted by students applying to the school.
