[Banner: ASCII-art employee record card]

    NO IMAGE AVAILABLE

    Name:               Wxxxx Sxxxxx
    Employment Status:  Active
    DOB:                Xx.Xx.Xx80
    Email:              WXXXX@XXBELL.NET
    HRID:               ATT149XXXX
    Employer:           AT&T
    Phone (Home):       314.35X.XXXX
    Phone (Work):       314.62X.XXXX
    Home Address:       15XX RXXXX AVENUE, SAINT LOUIS, MO
    Zip Code:           63XXX

AT&T HRIDs and Privacy Protection

This article is about AT&T HRIDs and some flaws in the way AT&T verifies
your identity and protects its employees' privacy. It is theoretical and
practical, all rolled into one.

+++ AT&T HRIDs and PINs

HRID stands for Human Resources ID. Many companies have them, in one form
or another, under one name or another: a unique identifier for each
employee. AT&T's implementation of HRIDs is a seven digit unique number.
Many AT&T web-based and telephone-based access control systems use HRIDs
as part of the authentication scheme. Sometimes, the HRID is paired with a
PIN code.

AT&T PIN codes usually have the following format: birthday followed by
Social Security number, laid out as

    WW/XX/YY/ZZ

    WW = 2 digit month
    XX = 2 digit day
    YY = 2 digit year
    ZZ = last 2 digits of Social Security number

PIN codes are used for verification on many AT&T telephone services, such
as when phoning AT&T regarding payroll or benefit information, or when
phoning in trouble reports. Many live operators will ask for an HRID and
PIN code when an AT&T employee calls them and identifies themselves as an
AT&T employee.
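
A PIN built from the layout above can be reconstructed by anyone who holds
the employee's record, so a PIN-enrollment check should refuse it. The
Python below is an added example, not code from this article or from AT&T;
the Employee record layout, the eight-digit minimum and all function names
are assumptions.

```python
import re
from dataclasses import dataclass
from datetime import date
from itertools import permutations


@dataclass(frozen=True)
class Employee:
    """Constructed record layout for the example, not AT&T's schema."""
    hrid: str        # seven-digit identifier
    dob: date
    ssn_last2: str   # the ZZ part of the PIN layout


def record_fragments(e: Employee) -> set[str]:
    """Digit strings anyone holding the employee record can reconstruct."""
    mm, dd = f"{e.dob.month:02d}", f"{e.dob.day:02d}"
    yy, yyyy = f"{e.dob.year % 100:02d}", str(e.dob.year)
    frags = {e.hrid}
    for year in (yy, yyyy):
        # Every ordering of month/day/year, not only the MMDDYY one.
        frags |= {"".join(p) for p in permutations((mm, dd, year))}
    return frags


def pin_keyspace(dob_known: bool) -> int:
    """Values an MMDDYY+ZZ PIN can take (a random 8-digit PIN has 10**8)."""
    # 366 month/day pairs x 100 two-digit years x 100 values of ZZ.
    return 100 if dob_known else 366 * 100 * 100


def check_pin(pin: str, e: Employee, min_len: int = 8) -> list[str]:
    """Return rejection reasons for a proposed PIN; empty list means accept."""
    digits = re.sub(r"\D", "", pin)   # 01/02/80/34 -> 01028034
    reasons = []
    if len(digits) < min_len:
        reasons.append("too short")
    if any(frag in digits for frag in record_fragments(e)):
        reasons.append("contains birthday or HRID")
    if len(set(digits)) < 4:
        reasons.append("too few distinct digits")
    return reasons
```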

If you want to reset your (or someone else's) AT&T PIN code, you can call
877.HR.ANSWERS, or 877.472.6793. Pressing 9, and then 2 from the main menu
will allow you to speak with someone who can reset your PIN code for you.

+++ Finding AT&T HRIDs

Scouring the web for AT&T HRIDs is a fairly straightforward task. A Google
search for "inurl:hrid inurl:att" yielded a number of promising-looking
seven-digit numbers from www.post.att.com (which is no longer a valid
site). Even though the site post.att.com is down, Google still cached a
bunch of links. Also, searching Google for "site:post.att.com" yields a
whole bunch more possible HRIDs hidden in URLs. Thank you, Google.

There are other methods of getting AT&T HRIDs. If you live near AT&T
territory, you could physically go down to an AT&T building, look at
dog-tags, and glean numbers that way. You could probably social engineer
them, as well. Also, there are plenty of websites other than post.att.com
where HRIDs are kept. A little time spent looking around on the 'net will
yield more results.

+++ Finding AT&T HRID Information

An AT&T HRID on its own, though, is nothing special. If you want to link
AT&T HRIDs to information, there are a number of ways to go about it.
Probably the easiest is using a site called att.shi.com. This site was
never meant to be a site for linking personal information to AT&T HRIDs,
but it's very useful for doing it, anyways.

ATT.SHI.com is a site where AT&T employees can log in and order stuff. The
main page of ATT.SHI.com itself explains the very bad system the site uses
for authentication. I quote from the site:

***QUOTE***
You need to activate your User Account in order to access the information
at this site. You will be prompted for your AT&T HRID, which identifies
the account we have reserved for you. Once you submit the User ID form,
you will be brought to a second form which will allow you to change your
Password.
If you do not elect to change your password at this time, your password
will default to the letters "ATT" followed by the seven digits of your
AT&T HRID.

Once you have updated your account, your UserName and Password will be as
follows:

* UserName: ATT followed by your AT&T HRID (Example: ATT1234567).
* Password: By default, your password is ATT followed by your AT&T HRID,
  unless you've changed it after activating your account. (Example:
  ATT1234567).
***********

Nice, huh? If you've got an HRID, and the person connected to the HRID has
used att.shi.com and not changed their password, you're set.

But, there's more. And more is even better. If the person connected to
your AT&T HRID _hasn't_ used the att.shi.com site, you can create a
profile for them at http://att.shi.com/activateuser.asp. Simply browse to
that page, enter the HRID number in the box, and voila. Instant HRID
verification, and personal information related to the HRID. Wonderful.

Also, if you're just wanting a simple Yes/No HRID verification, you could
use https://www.mrsnj.com/empsale/CheckHRID.asp. If you were trying to
brute force HRIDs, and wanted to script it, or something, then
https://www.mrsnj.com/empsale/CheckHRID.asp would probably be your best
bet.

+++ VoicePost

AT&T runs (ran?) a service called VoicePost (post.att.com ...see a
similarity?), which was an automated system by which AT&T employees could
get the phone numbers of other AT&T employees. Sounds fun. The best part
is, you don't even need to be an AT&T employee to use the service. Simply
call up 866.288.7678. It's a voice recognition system, with a whole host
of features.

The system isn't very active, anymore. Well, it's not active as far as
AT&T is concerned. But, it's still useful, and interesting. The VoicePost
service used to be tied into the 800.FIND.ATT service, which was like a
directory for AT&T employees.
You could find information on AT&T employees, AT&T employment offices and
other information. The 800.FIND.ATT service mostly out-links now, to
numbers like 866.288.7678. The system is mostly grandfathered now, but
it's still useful to get AT&T employee phone numbers.

When you first call up the AT&T VoicePost service (866.288.7678), you are
greeted with an automated voice that tells you: "Welcome to AT&T's
Voicepost. Please choose one of the following. Contact, or help."

There are four options I've found from the main menu of the VoicePost
service: Contact, Help, Rerecord, and Operator. Operator is, well,
operator. But it's really just an Audix voicemail box. Rerecord lets you
re-record the pronunciation of your name in the VoicePost directory. Help
is help, and Contact is what we really want.

The VoicePost system will allow you to find out personal phone numbers of
AT&T employees, if you know their name. Their name. Wooo. So basically,
you just call it up, and when it asks you for a name, you say, "John
Smith", or whatever you want, and then, if their phone number is listed,
it will tell you the number.

+++ AT&T Alliance Password Resets

If you can get an HRID number, and an associated name, then getting even
_more_ personal information (like home and work address, and home phone
number) has never been easier, unfortunately.

The Alliance training system for AT&T, Lucent (formerly Western Electric)
and Avaya employees can be found at http://207.242.156.34/stc/default.htm,
or www.employeegrowth.com. http://207.242.156.34/stc/default.htm is the
one we are going to deal with.

So. You browse to the site, but you don't know what the password is. So
how can you log in? You can't. But what you can do...password reset!

You can reset an Alliance password using
http://207.242.156.34/stc/passreq.htm. It's simple. Just enter the first
and last name of the AT&T employee, and the AT&T HRID.
You could already have both of these, if you used the previous methods for
obtaining first and last names and HRIDs. Then, you have the option to
enter _ANY_ email address. Let's say that again. _ANY_ email address.
Freakin' insane, AT&T. Retarded.

Anyways. Within one business day, an email will be sent to the address you
specified, and it will look something like this:

On 8/8/05, Xxxxx, Xxxx wrote:
>
>
>
> Your Alliance password is your HRID. Thanks for using Alliance services.

And wow. Now, you can log into the Alliance training area, and look at the
"personal information" page to get even more personal information about
AT&T employees, including but not limited to home and work phone number,
home and work address, private and work email, and HRID number.

The AT&T Alliance Website is also closely linked to
www.employeegrowth.com, which is a long-distance learning site for AT&T,
Lucent and Avaya employees. The AT&T Alliance Website also discloses FAR
too much personal employee information. AT&T administrators need to be
aware that WEB SECURITY IS IMPORTANT. Weak passwords are unacceptable for
a company that is such a target for theft-of-service and fraud.

Also, please note that the Alliance password is not the same as the AT&T
Global Single Sign-on
(https://www.e-access.att.com/ecampus/Saba/attCustomLogin.jsp?site=ATTLearning,
as well as many others) password. The AT&T Single Sign-on is one tough nut
to crack, and this Alliance password reset thing will not work with the
Global Single Sign-on.

+++ Ends

As you can see, AT&T's ideas about security need to change. Stricter
security needs to be put in place, and AT&T employees, employees,
EMPLOYEES need to be educated about what they should and _should_not_ give
out over the phone. Web-based things need to be tightened up, and
phone-based things should ask for authentication before giving out
personal information. The VoicePost service is mostly grandfathered, but
it's still not cleaned up.
AT&T should clean up their mess. Also, the fact that Google is indexing
the log-in strings (which contain the passwords) for AT&T's VoicePost
service is a problem. Sure, they've mostly corrected this with their
Global Single Sign-on, but they still need to clean up after themselves.

But employees here are really the weakest link. Employees shouldn't assume
you are who you say you are; they should be doubtful from the start. And
the AT&T/Lucent/Avaya Alliance training site needs to not reset passwords
just because you can provide an HRID and name. That's just not enough
information to prove you are who you say you are. Anyone can walk into an
AT&T building, and take pictures of name tags with HRIDs on 'em. It's just
too sketchy.

I'll definitely be digging to see what else I can find. Anyways, that's
it.

war 2005
(08/10/05)
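
The fixes argued for above (no reset on HRID and name alone, no
caller-chosen mailbox, no yes/no HRID oracle, no password derived from the
HRID) fit in one small reset flow. The Python below is an added example,
not code from this article or from any AT&T system; the ResetService
class, its field names, the 15-minute lifetime and the in-memory outbox
that stands in for mail delivery are all assumptions.

```python
import hashlib
import hmac
import secrets
import time


class ResetService:
    """Illustrative reset flow; names and storage are assumptions."""

    GENERIC = ("If the details match an account, a reset link was sent "
               "to the address on file.")

    def __init__(self, directory, ttl=900):
        self.directory = directory  # hrid -> {"name": ..., "email": ...}
        self.ttl = ttl              # token lifetime in seconds
        self.pending = {}           # sha256(token) -> (hrid, expiry)
        self.outbox = []            # (address, token): stand-in for mail

    @staticmethod
    def _digest(token):
        # Only a hash is stored, so a leaked table yields no usable tokens.
        return hashlib.sha256(token.encode()).hexdigest()

    def request_reset(self, hrid, name, requested_email=None, now=None):
        now = time.time() if now is None else now
        acct = self.directory.get(hrid)
        # HRID and name are identifiers, not secrets: a match only sends
        # mail to the address already on file. requested_email is ignored.
        if acct and hmac.compare_digest(acct["name"].lower().encode(),
                                        name.lower().encode()):
            token = secrets.token_urlsafe(32)  # random, not HRID-derived
            self.pending[self._digest(token)] = (hrid, now + self.ttl)
            self.outbox.append((acct["email"], token))
        return self.GENERIC  # same reply for hit and miss: no oracle

    def redeem(self, token, now=None):
        """Return the HRID for a valid token, once; otherwise None."""
        now = time.time() if now is None else now
        entry = self.pending.pop(self._digest(token), None)
        if entry is None or now > entry[1]:
            return None
        return entry[0]
```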