The threat known as AntiSec is largely considered an external one, but organizations are vulnerable from within too. The recently leaked AT&T documents, published over the weekend when LulzSec said good-bye, came from an internal source, The Tech Herald has learned.
The AT&T documents published this weekend were part of a torrent file released by LulzSec. It was their final release under the name, and the second major release for the AntiSec movement, which LulzSec established. AntiSec has only one goal, find and release information.
For those participating, AntiSec’s top priority is to steal and leak any classified government information, including email spools and documentation. The prime targets are banks and other high-ranking establishments, such as AT&T. However, any organization, no matter how big or small, is fair game.
The main lesson that executives would do well to learn is that insiders can leverage the spirit of AntiSec just as quickly as someone on the outside can. This is how AT&T’s data made it to the Web. According to the recently arrested Ryan Cleary, who told us about the AT&T leak back in May, “…an employee of AT&T gave us loads of shit. Including a bootable USB…,” Cleary said.
Ryan’s comments were confirmed by two additional sources. One of them, a person linked to LulzSec itself, and the other an associate of Anonymous familiar with the data.
The leaked documents include more than 60,000 phone numbers, each one linked to an iPhone 3G, 3GS, or iPhone 4. Based on the spreadsheet’s title, each one of them was assigned at one point to IBM employee. There are spreadsheets with server names and IP addresses, each with a corresponding username and password, for both development and production usage on AT&T’s internal network.
Some of the documents reference the need to use an RSA token, in addition to established usernames and passwords. Given the SecurID breach, one would assume AT&T has already replaced their tokens, but if any of the stolen RSA data aligns with the AT&T data, criminals could walk all over the telecom’s infrastructure.
Moreover, the other leaked documents, such as the various meeting notes, AT&T’s 4G / LTE testing data, internal presentations, and a random assortment of technical documentation, could lead directly to a targeted Phishing attack.
Some of the documents seen by The Tech Herald include the network ID used by various executives, development staff, and technical managers within the company. The documents provide a complete reference to the jargon and terms used for several internal projects.
Knowing those user IDs, as well as what projects they are working on - by internal title and reference no less - could lead to disaster once the @att.com suffix is added to a malicious email. Making things worse, there are also contact details and information for Cisco employees working with AT&T on LTE-related projects.
In all, an AT&T insider walked off with nearly 200MB of information contained in more than 300 files. The leaked material dates from late 2010 to April of this year. This corresponds with Ryan’s claims to us in May that the internal information was, at the time, only recently handed over.
The AT&T leak is a clear example of how, even if solid external protections are in place, information can still find a way to leave an organization. Insiders have always been a risk, so much so that an entire sub-industry within the security industry was created to deal with it. Most CIOs and CSOs know the sub-industry's offerings by name - DLP.
At the same time, even if DLP is in place, and AT&T is sure to have something to that effect running on their network, insiders with access can still walk off with information. So at that point, the plan shifts from proactive to reactive, as security teams turn to their recovery and response plans.
Disaster recovery and incident response is likely going to be the primary focus, after hardening existing defenses, in organizations the world over for the foreseeable future. There’s no other way around it, as it is nearly impossible to stop a determined attacker, even one from within.
We’ve reached out to AT&T for comment. We’ll update this story if we hear from them.
Update: AT&T has told us that they have no comment on the issue.