Court Complaint Aims at LulzSec Insider

The story should begin with the concluding paragraph of a criminal complaint filed against Lance Moore in the United States District Court, New Jersey:

…on or about June 25, 2011, the computer hacking group LulzSec publicized that they had obtained the AT&T Confidential Information and re-circulated it on the Internet

The start of the complaint takes the reader through the leak step-by-step.

  1. Convergys, a “relationship management services” company with more than 70,000 employees, hired Moore in August 2010 to be a contractor at an AT&T Mobility customer care call center.
  2. Moore’s responsibility was “answering calls from AT&T Mobility customers, and troubleshooting their problems”.
  3. Moore was granted access to Convergys and AT&T systems, including VPN access.
  4. AT&T was alerted on April 16, 2011 to information anonymously posted to Fileape.com that “had been stored on AT&T’s secured servers, which are protected computers as defined in Title 18, United States Code, Section 1030(e)(2).” The value of the leaked information to AT&T “exceeded $5,000”.
  5. AT&T reviewed their network egress data and found a system IP that accessed Fileape.com on April 10. The system was associated with 19 Convergys contractors.
  6. AT&T compared the list of 19 Convergys contractor names to the authentication records on the AT&T Mobility server that stored the confidential data. Moore had used his account to access the data “shortly before that same information was uploaded to Fileape.com.”
  7. AT&T reviewed their network egress data again, this time for Moore’s username. Just before the data was uploaded to Fileape.com, his user account searched Google for “uploading files, file hosting, and uploading zip files”. His username also accessed Fileape.com and pastebin.com on “multiple occasions following the April 10, 2011” upload.
  8. AT&T then reviewed the contractor time records from Convergys and found Moore was “present and working” at the times highlighted in the investigation.
  9. AT&T questioned Moore. He denied leaking the information, confirmed he was aware of the security policy, and said he had not shared his access.
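The nine steps above are a log-correlation chain that any internal investigation can reproduce: egress logs give a source IP, the IP maps to a set of accounts, the file server's authentication records narrow that set to whoever touched the data shortly before the upload, per-user egress shows what that account did next, and timesheets confirm the person was at the desk. The following script is an added example written for this post, not AT&T's or Convergys's tooling; every log line, hostname, share name and account in it is constructed, and the one-hour lookback window is an assumed investigative parameter.

```python
"""
Log-correlation walkthrough modelled on the complaint's investigative steps
(egress log -> shared IP -> contractor list -> file-server auth records ->
per-user egress -> timesheets). All records below are constructed sample
data; nothing here comes from AT&T's or Convergys's systems.
"""
from datetime import datetime, timedelta

# Constructed egress (web proxy) records: timestamp, source IP, destination host.
EGRESS_LOG = [
    "2011-04-10T13:58:02 10.20.30.7 www.google.com",
    "2011-04-10T14:05:41 10.20.30.7 fileape.com",
    "2011-04-10T14:06:10 10.20.30.9 news.example",
    "2011-04-11T09:12:33 10.20.30.7 pastebin.com",
]

# Constructed mapping from a call-centre NAT/VPN address to the contractors behind it
# (the complaint's "19 contractors" step, scaled down to three).
IP_TO_USERS = {
    "10.20.30.7": {"c_moore", "c_smith", "c_jones"},
    "10.20.30.9": {"c_patel"},
}

# Constructed authentication records from the server holding the confidential share:
# timestamp, account, action, resource.
SERVER_AUTH_LOG = [
    "2011-04-10T13:41:15 c_moore LOGIN smb://mobility-srv/lte_docs",
    "2011-04-09T10:02:00 c_smith LOGIN smb://mobility-srv/billing_faq",
    "2011-04-10T13:55:30 c_moore READ smb://mobility-srv/lte_docs",
]

# Constructed authenticated-proxy records: timestamp, account, host, detail.
USER_EGRESS_LOG = [
    "2011-04-10T13:58:02 c_moore www.google.com q=uploading+zip+files",
    "2011-04-10T14:05:41 c_moore fileape.com -",
    "2011-04-11T09:12:33 c_moore pastebin.com -",
    "2011-04-10T14:06:10 c_patel news.example -",
]

# Constructed timesheets: account -> list of (shift start, shift end).
TIMESHEETS = {
    "c_moore": [("2011-04-10T08:00:00", "2011-04-10T16:30:00")],
    "c_smith": [("2011-04-10T16:00:00", "2011-04-11T00:00:00")],
    "c_jones": [("2011-04-11T08:00:00", "2011-04-11T16:30:00")],
}


def ts(s):
    """Parse the ISO-8601 timestamps used in the constructed logs."""
    return datetime.fromisoformat(s)


def ips_reaching(host, egress_log=EGRESS_LOG):
    """Step 5: which source IPs contacted the file-hosting site, and when."""
    hits = []
    for line in egress_log:
        when, ip, dest = line.split()
        if dest == host:
            hits.append((ts(when), ip))
    return hits


def accessed_share_before(upload_time, share, users, auth_log=SERVER_AUTH_LOG,
                          window=timedelta(hours=1)):
    """Step 6: keep only candidates who touched the share within `window` before the upload."""
    found = set()
    for line in auth_log:
        when, user, _action, resource = line.split(maxsplit=3)
        if user in users and resource == share and upload_time - window <= ts(when) <= upload_time:
            found.add(user)
    return found


def user_hosts(user, egress=USER_EGRESS_LOG):
    """Step 7: every destination the named account reached, sorted for stable output."""
    return sorted({line.split()[2] for line in egress if line.split()[1] == user})


def on_shift(user, when, timesheets=TIMESHEETS):
    """Step 8: was the contractor clocked in at that moment?"""
    return any(ts(start) <= when <= ts(end) for start, end in timesheets.get(user, []))


def investigate(host="fileape.com", share="smb://mobility-srv/lte_docs"):
    """Run the chain end to end; return {account: evidence} for accounts that survive every step."""
    findings = {}
    for upload_time, ip in ips_reaching(host):
        candidates = IP_TO_USERS.get(ip, set())
        for user in accessed_share_before(upload_time, share, candidates):
            findings.setdefault(user, {
                "upload_ip": ip,
                "upload_time": upload_time.isoformat(),
                "hosts": user_hosts(user),
                "on_shift": on_shift(user, upload_time),
            })
    return findings


if __name__ == "__main__":
    for account, evidence in investigate().items():
        print(account, evidence)
```

Two of the three accounts behind the shared IP drop out at step 6 because they never authenticated to the share in the window before the upload; the survivor is then checked against its own egress history and the timesheet. Each step only narrows the set, which is why the complaint can cite all four sources without any one of them being conclusive on its own.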

It seems fairly straightforward, but paragraph 17 of the complaint is really the key to the case.

Based on interviews of witnesses in this case, MOORE was authorized to access various portions of the AT&T’s network during the course of his employment, but his access of the AT&T Confidential Information, and subsequent release of the same, exceeded his authorization.

To put it simply, he was not authorized to access the information, but the systems authorized him to access the information.

It’s like he walked through an unlocked door, which of course does not excuse or exonerate Moore, but it brings to light the vulnerability of AT&T data to a call-center contractor.

“This information…included thousands of spreadsheets, Microsoft Word documents, Microsoft PowerPoint presentations, image files, PDF files, applications, and other files…related to its 4G network and LTE (“Long Term Evolution”) mobile broadband network, among other topics.”

It’s a story that boils down to role-based access control failures, but it’s also a simple log review story about an ISP tracking the use of an internal non-technical user.
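The role-based access control failure is the gap between what a role is supposed to reach and what the share permissions actually grant. The script below is an added example for this post, not anything from AT&T's or Convergys's environment: the roles, groups, shares and accounts are constructed, and it compares a written role policy against effective ACLs to list the entitlements an account holds that its role never justified, which is the access review that would have flagged a call-center contractor able to read engineering documents.

```python
"""
Entitlement review: compare the intended role policy with the effective ACLs
and report where the system grants more than the role allows. All roles,
groups, shares and accounts are constructed sample data.
"""

# Constructed role policy: the shares each role is supposed to reach (least privilege).
ROLE_POLICY = {
    "care_agent": {"billing_kb", "account_lookup"},
    "network_engineer": {"billing_kb", "account_lookup", "lte_docs"},
}

# Constructed effective ACLs as actually configured on the file server: share -> groups granted read.
SHARE_ACLS = {
    "billing_kb": {"care_agents", "net_eng"},
    "account_lookup": {"care_agents", "net_eng"},
    "lte_docs": {"domain_users"},  # misconfigured: every authenticated account is a member
}

# Constructed directory: account -> (assigned role, group memberships).
ACCOUNTS = {
    "c_moore": ("care_agent", {"domain_users", "care_agents"}),
    "e_rivera": ("network_engineer", {"domain_users", "net_eng"}),
}


def policy_allows(account, share):
    """What the role policy says: is this share part of the account's job role?"""
    role, _groups = ACCOUNTS[account]
    return share in ROLE_POLICY[role]


def system_allows(account, share):
    """What the file server actually enforces: does any of the account's groups appear in the ACL?"""
    _role, groups = ACCOUNTS[account]
    return bool(groups & SHARE_ACLS[share])


def excess_entitlements():
    """Per account, the shares the system grants but the role policy does not (the review finding)."""
    return {
        account: sorted(s for s in SHARE_ACLS if system_allows(account, s) and not policy_allows(account, s))
        for account in ACCOUNTS
    }


def overly_broad_shares(broad_groups=frozenset({"domain_users", "everyone", "authenticated_users"})):
    """Shares whose ACL names a catch-all group; the usual root cause of the gap above."""
    return sorted(s for s, groups in SHARE_ACLS.items() if groups & broad_groups)


if __name__ == "__main__":
    print("excess entitlements:", excess_entitlements())
    print("overly broad shares:", overly_broad_shares())
```

Run against this data, the review reports that the care-agent account can read `lte_docs` while its role does not permit it, and traces the cause to the share being granted to a catch-all group. The same two checks, run periodically against exported ACLs and the HR role assignment, are the routine control that turns "the systems authorized him" back into "the policy authorized him".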

With all the log review data in mind it’s unclear why the complaint ends with a vague nod to LulzSec. Although AT&T might take the position that damages are higher when a famous personality circulates stolen information, they could also be trying to deflate the fame of LulzSec by calling out their association with Moore’s simplistic breach — a combination of “criminals are dumb” and “don’t blame the victim” arguments.

It makes sense for them to openly take this position for such a simplistic breach vector because it does not involve regulated information (e.g. PII or EHR). What does AT&T have to lose from challenging the authority of LulzSec to question their or anyone else’s security practices? In other words, had the data been regulated, AT&T might face fines or other sanctions from standards set by a regulator. Instead, they appear to take aim at the philosophy of unauthorized and anonymous access now associated with LulzSec.
