AT&T hackers warned of vulnerability, now proven right

Hackers of the old-school type used to claim that they hacked to learn, and when they did break into computers owned by others, they left behind no traces. Rather, they said, the hack was a warning, like a canary in a coal mine, that the system was insecure.

Corporate America has rarely liked this approach. For one thing, it endangers jobs. If the head assistant manager for security finds out his system got hacked by a bunch of 16-year-olds, he looks kind of incompetent. For this reason, individuals at corporations tend to hide rather than publicize hacks.

But every now and then, an example floats along that’s so blatant it might make even corporate America stand up and start taking notice. From an article in eWeek about the latest death star AT&T hack:

Attackers appear to have used an automated script to see if AT&T telephone numbers were linked to online AT&T accounts, AT&T spokesperson Mark Siegel said in an email Nov. 21. The script tried to link mobile numbers with log-in credentials and then tried to use the credential to log in to the AT&T Website.

Less than 1 percent of the customers were affected, AT&T claimed. Considering the company reported 100.7 million wireless subscribers at the end of the third quarter, that could mean as many as 1 million subscribers were affected.

For all of us, the memory hole is right around the bend, and sometimes it’s hard to recall what happened even only a few years ago. However, this whole incident is reminiscent of another.

In this incident, a smart young hacker saw a blatant hole in the security of a major corporation (whose name, or should we say acronym, may start with ‘A’) and so whipped up a quick script to mine the website for information.

However, this guy was a grey hat or white hat hacker, meaning that he did not have criminal intent of the for-profit variety. Instead, he was just curious to see if it could be done. He sent the data to the corporation and, when they ignored him, published the hack.

Cue the hue and cry. He was denounced as a witch, called public enemy #1, and they would have sent him to Gitmo if possible. His life turned upside down, he embarked on an epic quest for a lawyer to defend him.

Today’s hack should make his case easier. It’s not nice to say “I told you so,” but sometimes it’s accurate. From the memory hole I bring you “Two Charged in AT&T Hack of iPad Customer Data”:

Last summer the two allegedly contacted Gawker to report that a hole in AT&T’s website allowed anyone to access data on iPad owners, including government and military officials, corporate CEOs and media executives who purchased iPads.

The personal data included e-mail addresses and ICC-IDs – a unique identifier that’s used to authenticate the SIM card in a customer’s iPad to AT&T’s network.

Those horrible hackers, revealing those big security holes that later come back and make us look really stupid. What happens when the bad guys get there before the hackers? Presumably, the data gets stolen and whoever’s on duty at AT&T does her best to cover it up.

Like high school, this situation is a cat and mouse game between law-makers and law-breakers, and hackers are the mischievous imps who are caught in the middle. It reminds me of how at my high school, the challenge was to sneak into the library and smoke a cigarette.

Dozens of us did it. First we learned to pick the locks, then to come in through the windows, and finally to short out the electric alarm. The point was not destruction, but to say you’d gotten away with it. The librarians would come in in the morning and smell the stale smoke, and then herd the usual suspects into the principal’s office. The rumor was that if you told them your method, and they could fix it, you only got two hours of detention.

Hackers serve the same function in our modern economy. We don’t like to admit it, but people who have the time and motivation to muck around with our computer systems often find the bugs, gaps and errors. We should be listening to them, not throwing them in jail to cover our wounded egos.

I bet AT&T is wishing they’d listened about now.
