Aug 30, 2006 (11:08 AM EDT)
AT&T Hack Highlights Web Site Vulnerabilities

The attack against an AT&T Web site that sells DSL equipment provides a stern reminder that stolen laptops aren't the only way to compromise sensitive customer information. Although AT&T hasn't provided details about how the site was hacked, it's disclosed that attackers last weekend made off with personal data, including credit card information, for nearly 19,000 DSL equipment customers.

The Web site is run for AT&T by an independent vendor; AT&T would not reveal the vendor's name. It's working with its own internal forensic experts and law enforcement to analyze the attack, a company spokesman says. The company says the attack was discovered within hours of its launch and the affected site was shut down. AT&T, in a statement, attributed the motive of the attack to a criminal market for illegally obtained personal information.

One Web security expert notes that any site that houses sensitive information about customers, including credit card or Social Security numbers, is fair game for attackers looking to cash in on stolen information. To pull off such attacks, hackers are experimenting with JavaScript malware that can be embedded in a Web page and activated when a page is viewed, cross-site scripting attacks that give attackers access to Web site user information, Web site worms, and other ways of coaxing information out of databases connected to Web applications, says Jeremiah Grossman, a former Yahoo information security officer who's now founder and chief technology officer with Web application security provider WhiteHat Security Inc.

To avoid being the next victim, companies must take stock of all their Web sites and assess the security of these sites. If there are dozens of sites, they should be prioritized based upon the nature of the information they access—is customer data at risk?—and the vulnerability of the applications they run. "If issues are found, and every site has issues, they must be addressed right away," Grossman says. "That's really all people are asking for, for companies to be diligent."

If a company isn't proactive about finding its security faults, it's guaranteed someone else will find them, "and they won't be nice about it," Grossman adds.

Attackers have a process for locating and attacking targets. They monitor sites such as SecurityFocus's Bugtraq that report application vulnerabilities, searching for problems with apps that are used to run Web sites or run an aspect of a Web site, such as an online shopping cart. Once an attacker finds a commercially available Web application with a known flaw, he or she will use a Web search tool such as Google or Yahoo to find Web sites using those applications. These search engines will return a list of sites that the attacker can then probe to see if the applications they use have been properly patched. Any site that hasn't been patched is an easy target.

A large company like AT&T is already a ripe target for such attacks, particularly because companies that run dozens of Web sites don't always have a good inventory of them, the applications they're running, and the data they access. "If you don't know what you own, how can you possibly secure it?" Grossman says.

AT&T says it has already contacted via e-mail, phone, and regular mail the nearly 19,000 customers who may have been affected by the data breach. This proactive move isn't part of some corporate policy, but "it's something we're doing in this case," a company spokesman says. Either way, AT&T would have been bound by state breach notification laws to contact any customers residing in the more than 30 states that have such laws. AT&T says it has also put fraud alerts on all the credit card numbers stolen and is offering credit monitoring to affected customers, two moves that have become common in the wake of a data theft or loss.

Web site attacks such as the one AT&T endured aren't uncommon. Eric McCarty, a 25-year-old San Diego resident, was in April charged with hacking into the University of Southern California's computer system and accessing confidential information submitted by students applying to the school.