Cybersecurity and Denial
- Dr. Jane LeClair
- May 1
- 3 min read
This is not something they want to be known for
by Charles Parker, II
The funny thing is, the more you deny or deflect instead of simply addressing an issue, the more headache and heartburn you create for yourself. The deflection seems to draw more and more attention the harder you say, “It wasn’t me.” We’ve seen this through the years. AT&T, by appearances, hasn’t learned this yet. They had a little issue with approximately 73M of their past and present customers’ data being published on ye olde internet. AT&T denied for weeks that this mountain of data came from them. On a tangent, how would someone or some group happen to secure approximately 73M customers’ data if not somehow from AT&T? You wouldn’t try to do a survey on your own to collect it, and people wouldn’t volunteer this anyway. This could be a vendor/supply chain vector issue; however, the individual vendor would have had to have unfettered access to approximately 73M (yes, M) accounts and be able to download them without being noticed by the security systems or the people actively monitoring them.
Issue
All of us are somewhat familiar with AT&T. This may be from hearing of that acquisition, the corporate logo, or their phone service of years ago. The issue at hand, though, is probably not what they want to be known for. This revolves around the customer accounts. Yes, the customer account numbers were encrypted. But the encryption was weak. With this you don’t need to crack the encryption/cipher to unscramble the passcode. For this, there were only approximately 10k unique encrypted values. This encapsulates the passcode values from 0000 to 9999. For the data, there were a limited number of users with longer passwords. In essence, the encrypted data lacked randomness: the same passcode always produced the same encrypted value. For example, the customer’s other data influenced the passcode. This could be the last four of the person’s SSN, part of the person’s phone number, year of birth, or house number.
The take-away from this is two-fold, initially; there’s a lot to learn from this. First, don’t use weak encryption. Yes, this was bypassed, but there’s no need for this lapse. Just upgrade it. Second, train the staff (again) and users on what not to use as a password. This is part of the training all the users receive with their annual training.
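To make the two lessons concrete, here is an added illustration that is not from the article and is not AT&T’s actual scheme. It models the flaw the article describes (a deterministic, unsalted transform over 4-digit passcodes, so there can never be more than 10,000 distinct stored values and every customer who shares a passcode shares a stored value) beside the fix a defender would ship (a per-record random salt and a memory-hard hash, here scrypt from the standard library). The customer table, the static key, and the passcodes are all constructed sample data.

```python
"""Added example: deterministic encryption of low-entropy passcodes vs. salted,
memory-hard hashing. Not the article's code; all data below is constructed."""
import hashlib
import os
import secrets
from collections import Counter
from typing import Callable, Dict, Iterable, Optional, Tuple

# Constructed sample table of 4-digit passcodes; repeats are deliberate,
# because at scale many customers pick the same code.
SAMPLE_PASSCODES = ["1234", "1987", "4821", "1234", "0000", "1987", "1234", "7531"]

# Stand-in for a fixed server-side key (constructed, not a real key).
SERVER_KEY = b"constructed-static-key"


def weak_encrypt(passcode: str) -> str:
    """Deterministic, unsalted transform: the same passcode always yields the
    same output. A keyed hash is used here in place of a block cipher, but the
    property the article criticises (no randomness) is identical."""
    return hashlib.sha256(SERVER_KEY + passcode.encode()).hexdigest()


def strong_hash(passcode: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Per-record random salt plus scrypt (memory-hard, deliberately slow).
    Two customers with the same passcode get different stored values."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.scrypt(passcode.encode(), salt=salt, n=2**14, r=8, p=1)
    return salt, digest


def verify_strong(passcode: str, salt: bytes, digest: bytes) -> bool:
    """Constant-time comparison against the stored (salt, digest) pair."""
    _, candidate = strong_hash(passcode, salt)
    return secrets.compare_digest(candidate, digest)


def distinct_outputs(passcodes: Iterable[str], transform: Callable[[str], object]) -> int:
    """How many distinct stored values a transform produces for these inputs."""
    return len({transform(p) for p in passcodes})


def weak_keyspace_size() -> int:
    """Every value weak_encrypt can ever emit for a 4-digit passcode: exactly
    one per passcode, i.e. 10,000, regardless of how many customers exist."""
    return distinct_outputs((f"{i:04d}" for i in range(10_000)), weak_encrypt)


def shared_value_groups(passcodes: Iterable[str]) -> Dict[str, int]:
    """What a leaked deterministic table exposes even with the key unknown:
    groups of records that share a passcode, and the size of each group."""
    counts = Counter(weak_encrypt(p) for p in passcodes)
    return {value: n for value, n in counts.items() if n > 1}


if __name__ == "__main__":
    print("weak: possible distinct values =", weak_keyspace_size())
    print("weak: distinct values in sample =", distinct_outputs(SAMPLE_PASSCODES, weak_encrypt))
    print("weak: shared groups =", list(shared_value_groups(SAMPLE_PASSCODES).values()))
    print("strong: distinct values in sample =",
          distinct_outputs(SAMPLE_PASSCODES, lambda p: strong_hash(p)[1]))
```

The point of the comparison is that the weak side is bounded by the passcode space (10,000 values) and leaks which records share a passcode, while the salted side yields one unique stored value per record and forces any guessing to be done one record at a time at scrypt cost. Salting does not fix a user choosing a guessable passcode; that is what the article’s second lesson, user training (or a policy that rejects such codes), is for.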
Data
The data involved in this little issue included the customer’s name, home address, phone number, date of birth, and SSN, or everything you need to take over an identity. Also included in this was the encrypted password. This does appear to be the same set of data from a compromise in 2021. You may think, “What’s the big deal? After all, the data has already been available.” The issue is that while the data is not entirely fresh, it does contain customer data which does not change. Included in the data were home addresses. Since people tend not to move, this provides a vital data point along with the SSN and date of birth. These are very useful, and you know what the adversary can do with that. This was posted in a public forum for anyone to use.
Affected
AT&T had millions of customer records published online. With the weak encryption, the users’ accounts could be accessed. There has been no evidence yet of unauthorized access. The encrypted passwords could be used as a weekend project to crack by high school or college math students.
About the Author
Charles Parker II has been working in the info sec field for over a decade, in the banking, medical, automotive, and staffing industries. Charles has matriculated and attained the MBA, MSA, JD, LLM, and is in the final stage of the PhD in Information Assurance and Security (ABD) from Capella University. Mr. Parker’s areas of interest include cryptography, AV, and SCADA.