Court Complaint Aims at LulzSec Insider

The story should begin with the concluding paragraph of a criminal complaint filed against Lance Moore in the United States District Court, New Jersey:

…on or about June 25, 2011, the computer hacking group LulzSec publicized that they had obtained the AT&T Confidential Information and re-circulated it on the Internet.

The start of the complaint takes the reader through the leak step-by-step.

  1. Convergys, a “relationship management services” company with more than 70,000 employees, hired Moore in August 2010 to be a contractor at an AT&T Mobility customer care call center.
  2. Moore’s responsibility was “answering calls from AT&T Mobility customers, and troubleshooting their problems”.
  3. Moore was granted access to Convergys and AT&T, including VPN.
  4. AT&T was alerted on April 16, 2011 to information anonymously posted to Fileape.com that “had been stored on AT&T’s secured servers, which are protected computers as defined in Title 18, United States Code, Section 1030(e)(2).” The value of the leaked information to AT&T “exceeded $5,000”.
  5. AT&T reviewed their network egress data and found a system IP that accessed Fileape.com on April 10. The system was associated with 19 Convergys contractors.
  6. AT&T compared the list of 19 Convergys contractor names to the authentication records on the AT&T Mobility server that stored the confidential data. Moore used his account to access the data “shortly before that same information was uploaded to Fileape.com.”
  7. AT&T reviewed their network egress data again for Moore’s username. Just before the data was uploaded to Fileape.com, his user account searched Google for “uploading files, file hosting, and uploading zip files”. His username also accessed Fileape.com and pastebin.com on “multiple occasions following the April 10, 2011” upload.
  8. AT&T then reviewed the contractor time records from Convergys and found Moore was “present and working” at the times highlighted in the investigation.
  9. AT&T questioned Moore. He denied leaking the information, confirmed he was aware of the security policy, and said he had not shared his access.
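Steps 5 through 8 are one correlation that a defender can replay over ordinary logs. The following is an added example, not the complaint's or AT&T's own tooling: constructed egress records, data-server authentication records and contractor timesheets are joined the same way, upload event to source IP to accounts behind that IP to recent authentications on the server holding the data to time records. All usernames, IPs and paths are made up.

```python
from datetime import datetime, timedelta

def ts(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M")

# Constructed sample records (not real AT&T data) standing in for the three sources the
# complaint describes: network egress logs, the data server's authentication log, and
# the staffing vendor's contractor time records.
EGRESS = [  # (time, source ip, username, destination)
    ("2011-04-10 13:02", "10.1.1.20", "contractor07", "google.com/search?q=uploading+zip+files"),
    ("2011-04-10 13:05", "10.1.1.20", "contractor07", "fileape.com/upload"),
    ("2011-04-10 09:40", "10.1.1.20", "contractor03", "support.example.com"),
    ("2011-04-11 10:10", "10.1.1.20", "contractor07", "pastebin.com"),
]
SERVER_AUTH = [  # (time, username, resource) on the server holding the confidential files
    ("2011-04-10 12:50", "contractor07", "/confidential/lte_plan.zip"),
    ("2011-04-10 08:15", "contractor03", "/confidential/lte_plan.zip"),
    ("2011-04-09 16:00", "contractor12", "/confidential/lte_plan.zip"),
]
TIMESHEETS = {  # username -> list of (shift start, shift end)
    "contractor07": [("2011-04-10 08:00", "2011-04-10 17:00")],
    "contractor03": [("2011-04-10 08:00", "2011-04-10 17:00")],
}

def on_shift(user, when, sheets):
    return any(ts(a) <= when <= ts(b) for a, b in sheets.get(user, []))

def find_suspects(egress, auth, sheets, upload_host="fileape.com", window=timedelta(minutes=30)):
    """Steps 5-8 of the complaint: upload event -> source IP -> accounts seen from that IP ->
    who authenticated to the data server within `window` before the upload -> supporting
    egress activity and time records for each remaining account."""
    uploads = [(ts(t), ip) for t, ip, _, dst in egress if upload_host in dst]
    hits = {}
    for up_time, ip in uploads:
        pool = {u for _, i, u, _ in egress if i == ip}        # the "19 contractors" on that IP
        for a_time, user, res in auth:
            if user in pool and up_time - window <= ts(a_time) <= up_time:
                hits[user] = {"resource": res, "upload_at": up_time}
    for user, ev in hits.items():
        mine = [(ts(t), dst) for t, _, u, dst in egress if u == user]
        ev["searched_upload_hosting"] = any("google" in d and "upload" in d for _, d in mine)
        ev["pastebin_after"] = any("pastebin" in d and t > ev["upload_at"] for t, d in mine)
        ev["on_shift"] = on_shift(user, ev["upload_at"], sheets)
    return hits

if __name__ == "__main__":
    for user, ev in find_suspects(EGRESS, SERVER_AUTH, TIMESHEETS).items():
        print(user, ev)
```

The narrowing is what keeps the result defensible: the accounts on the shared IP alone are 19 leads, and only the authentication window and the timesheet turn one of them into a candidate worth interviewing.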

It seems fairly straightforward, but paragraph 17 of the complaint is really the key to the case.

Based on interviews of witnesses in this case, MOORE was authorized to access various portions of AT&T’s network during the course of his employment, but his access of the AT&T Confidential Information, and subsequent release of the same, exceeded his authorization.

To put it simply, he was not authorized by policy to access the information, but the systems granted him access to it anyway.

It’s like he walked through an unlocked door, which of course does not excuse or exonerate Moore, but it brings to light the vulnerability of AT&T data to a call-center contractor.

“This information…included thousands of spreadsheets, Microsoft Word documents, Microsoft PowerPoint presentations, image files, PDF files, applications, and other files…related to its 4G network and LTE (“Long Term Evolution”) mobile broadband network, among other topics.”

It’s a story that boils down to role-based access control failures, but it’s also a simple log review story about an ISP tracking the activity of an internal non-technical user.

With all the log review data in mind it’s unclear why the complaint ends with a vague nod to LulzSec. Although AT&T might take the position that damages are higher when a famous personality circulates stolen information, they could also be trying to deflate the fame of LulzSec by calling out their association with Moore’s simplistic breach, a combination of “criminals are dumb” and “don’t blame the victim” arguments.

It makes sense for them to openly take this position for such a simplistic breach vector because it does not involve regulated information (e.g. PII or EHR). What does AT&T have to lose from challenging the authority of LulzSec to question their or anyone else’s security practices? In other words, had the data been regulated, AT&T might face fines or other sanctions from standards set by a regulator. Instead, they appear to take aim at the philosophy of unauthorized and anonymous access now associated with LulzSec.

CVE-2011-2696 libsndfile overflow

The changelog and notes on the libsndfile overflow reveal that the fix was rushed and details of the severity are not yet decided.

> > could provide a specially-crafted PAF audio file, which once opened by
> > a local, unsuspecting user in an application, linked against libsndfile,
> > could lead to that particular application crash (denial of service),
I agree with everything up to here.

> > or, potentially arbitrary code execution with the privileges of the
> > user running the application.
but this is rubbish. The heap gets overwritten with zeros which would
certainly lead to the application segfaulting. However, there is
no way for arbitrary code to be executed on any sane OS with proper
memory protection.

Furthermore, Secunia when they contacted me about this said they would
release information about this vulnerability on the 18th and then ended
up releasing it on the 12th instead which means I had to rush out the
release I was working on (and would have easily had ready for the
18th). That is not the way to win friends and influence people.

Why Agile Sucks

Insightful and humorous thoughts on development. His argument is to not blame the tool, blame the tool users…

Yesterday I tried to cut my steak with a spoon and that goddam spoon sucked-ass. Why the hell would anybody ever use a spoon for anything? They are completely useless!

[…]

People tend to inaccurately think that ‘potentially shippable software’ means just build some shit and see what happens. Not the case.

Heat

by H.D.

O WIND, rend open the heat,
Cut apart the heat,
Rend it to tatters.

Fruit cannot drop
Through this thick air–
Fruit cannot fall into heat
That presses up and blunts
The points of pears
And rounds the grapes.

Cut the heat–
Plough through it,
Turning it on either side
Of your path.