The Tech Herald

Log management and network auditing led to AT&T insider's arrest

by Steve Ragan - Jul 26 2011, 13:13

Court documents in the case of an AT&T support contractor, alleged to have leaked sensitive corporate information to Anonymous, reveal that log management and network auditing led to his eventual arrest last week by the FBI.

Lance Moore, 21, of Las Cruces, N.M., is said to have leaked thousands of documents including more than 60,000 phone numbers, as well as server names and IP addresses, each with a corresponding username and password, for both development and production usage on AT&T’s internal network.

In addition, the leak contained other documents, such as various meeting notes, emails, AT&T’s 4G/LTE testing data, internal presentations, technical documentation, and a bootable USB image.

The FBI said that Moore obtained the documents while working as a support contractor for Convergys, a company that provides call center staffing for AT&T Mobility. While using a VPN connection provided by AT&T to its network, it is claimed that Moore accessed and uploaded the documents to FileApe.com, a hosting service that promises never to store identifying information on anyone who uses the site to upload or download files.

In April, AT&T’s Chief Security Office (CSO) Team suspected that sensitive information might have been improperly accessed. How they discovered the unauthorized access is not explained in the FBI affidavit viewed by The Tech Herald. However, after speaking to AT&T employees, we’ve learned that AT&T’s call center and network operations are heavily monitored.

AT&T’s internal investigation into the data breach discovered that an IP address on its network had visited FileApe.com at the same time the confidential information was accessed without authorization. Drilling down into the network logs, investigators found that the IP address belonged to a pool of addresses allocated to Convergys contractors. At the time of the breach there were 19 contractors connected to the server where the documents were stored.

“These sorts of data breach scenarios underscore the importance of applying intelligence to the logs that virtually all companies collect. It isn't enough to simply capture logs of system activity. You must be able to act on the data you collect,” commented Dwayne Melancon, the VP of Products at Tripwire.


Further network auditing revealed that of the 19 contractors, only “Moore’s AT&T username accessed both FileApe.com, and the servers containing the AT&T Confidential Information,” the FBI affidavit explained.

“Indeed, Moore’s username was used to download the AT&T Confidential Information shortly before that same information was uploaded to FileApe.com and made publicly available.”

Adding to the case, AT&T’s examination of Internet usage reports shows that before the leaked documents were uploaded to FileApe.com, Moore’s username was linked to Google searches for uploading files, file hosting, and uploading zip files. Convergys’ network logs also show Moore’s username accessing FileApe.com and Pastebin.com several times after the breach occurred, and on the day of the breach he was present in the office.
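The correlation the investigators describe, narrowing from the contractor IP pool to the one username that touched both the confidential servers and the file host shortly before the upload, as an added Python example that is not from the article or the affidavit. The log lines, usernames, addresses, hostnames and the 15-minute window are all constructed for illustration.

```python
from datetime import datetime, timedelta

# Constructed sample logs (not from the case); timestamps are ISO-8601.
# VPN session log: which username held which address in the contractor pool.
# Simplification: one address per user for the day; real logs carry lease times.
VPN_SESSIONS = [
    ("2011-04-12T09:00:00", "contractor_a", "10.20.0.11"),
    ("2011-04-12T09:05:00", "contractor_b", "10.20.0.12"),
    ("2011-04-12T09:10:00", "contractor_c", "10.20.0.13"),
]
# File-server audit log: actions against documents flagged confidential.
FILESERVER_LOG = [
    ("2011-04-12T10:01:00", "contractor_a", "download", "lte_test_plan.pdf"),
    ("2011-04-12T10:02:00", "contractor_c", "download", "meeting_notes.docx"),
    ("2011-04-12T10:30:00", "contractor_b", "download", "readme.txt"),
]
# Web proxy log: outbound connections by source address and destination host.
PROXY_LOG = [
    ("2011-04-12T09:30:00", "10.20.0.12", "fileape.com"),   # before any download
    ("2011-04-12T10:03:00", "10.20.0.13", "fileape.com"),   # 1 min after a download
    ("2011-04-12T10:04:00", "10.20.0.11", "intranet.example"),
]

# File-hosting destinations worth flagging (hypothetical watch list).
WATCHED_HOSTS = {"fileape.com"}


def _t(s):
    return datetime.fromisoformat(s)


def correlate(vpn, fileserver, proxy, window=timedelta(minutes=15)):
    """Return {user: [(document, upload_time), ...]} for users whose VPN
    address contacted a watched host within `window` AFTER the user downloaded
    a confidential document. Contacts before the download do not count."""
    ip_to_user = {ip: user for _, user, ip in vpn}
    uploads = [(_t(ts), ip_to_user.get(ip))
               for ts, ip, host in proxy if host in WATCHED_HOSTS]
    hits = {}
    for ts, user, action, doc in fileserver:
        if action != "download":
            continue
        dl = _t(ts)
        for up, up_user in uploads:
            if up_user == user and dl <= up <= dl + window:
                hits.setdefault(user, []).append((doc, up.isoformat()))
    return hits
```

With the constructed logs only contractor_c is flagged: contractor_a reached a non-watched host and contractor_b contacted the file host before, not after, downloading.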

When confronted by an AT&T investigator in May, Moore denied any involvement in the breach, or theft of the documents.

After his arrest last week, Moore now faces 10 years in prison and a $250,000 USD fine for his alleged role in leaking sensitive AT&T information to Anonymous. He was released on his own recognizance, and is subject to having his Internet access monitored as a condition of his release. He will be represented by a Federal Public Defender during his next appearance in a New Jersey court on August 1.

Daniel Kennedy, the Research Director for Information Security & Networking at TheInfoPro, noted that it was clear AT&T’s event management and log practices allowed them to launch a thorough investigation.

“AT&T investigators were able to identify that an IP address from their network accessed FileApe.com, which server that IP was associated with, and who was connected to it at the time of the file upload,” Kennedy said.

“While the incompetency of the insider bad actor in this case is fairly common, the ability to make so compelling a case against him via effective log management practices and a strong forensic capability is both rare and impressive.”

Kennedy added that while event log management solutions have penetrated some 70 percent of enterprises, with 17 percent stating that putting something in place is in their plans, the more detail-oriented Security Information and Event Management (SIEM) solutions have not fared as well. Only 50 percent of enterprises interviewed acknowledge having them in use today.

