Hackers Claim To Hit T-Mobile Hard
dasButcher writes "Hackers are claiming to own T-Mobile USA's servers and to have access to the cellular phone carrier's operations, finance and subscriber data." (Here's the seclists.org post of the claimed breach.)
Re:Like competitors would ever pay for this (Score:1, Informative)
I think if T-Mobile isn't going to pay ransom, the hackers should just make this public and make it clear what they can do with the data they have and the access they have. To all the media. So the TV News and newspapers run with stories about how your billing records are now public information and how to look up anyone's phone records. Then add on how data can be changed by these folks with their access. Maybe you get a $10,000 bill next month if you have T-Mobile service just because. Or you get a credit. Make it random, just to confuse people.
Maybe the general public would understand that these folks pose a real risk.
Of course, what is likely to happen is ... nothing. Nothing at all.
Re:T-Mobile Customer? (Score:5, Informative)
> T-Mobile (really Vodaphone from Germany)
No, really T-Mobile (whose parent company is Deutsche Telekom) from Germany. Vodafone (not 'Vodaphone') are a UK-based company and T-Mobile's biggest rival.
Re:Using the data for good purposes (Score:5, Informative)
> Please do so now, in detail, with references containing verifiable data on the costs.
I'm guessing you don't understand how SMSes work. You do realize that they are effectively free for the cell phone company, right? Your cell phone is already sending this kind of message every time it reports back to a tower. It's just that most of the message is empty, but the bandwidth is still used. So, by piggy-backing a human-to-human message onto the cell-to-tower report, you get an SMS that has an effectively $0.00 incidental cost.
That's point #1. Point #2 is that an SMS is an amazingly small amount of bandwidth compared to voice, and yet it costs far more than voice.
Point #3 is linking back to /. http://tech.slashdot.org/article.pl?sid=08/01/29/0244208 [slashdot.org]
Of course, I could go on and on, but that would be saving you all the fun of independent research. I'm certain that if there are still things bothering you after you've read this (and don't miss the EU's current action against the European cell pseudo-monopolies!), people here will be happy to help.
Re:Using the data for good purposes (Score:3, Informative)
> Well, I think DVD's cost too much. Shouldn't the government step in there as well?
One, two, maybe three cellphone providers here, with the number of competitors artificially limited by government regulation to prevent interference and/or accept bribes. That is no free market and has no competition because of government force. So it needs price regulation.
Seven pages of DVD manufacturers here to scroll thru:
http://en.wikipedia.org/wiki/List_of_DVD_manufacturers [wikipedia.org]
Now that is a free market... No need for price regulation due to intense competition.
> How about cars? They cost too much, don't you think?
One, two, maybe three cellphone providers here, with the number of competitors artificially limited by government regulation to prevent interference and/or accept bribes. That is no free market and has no competition, because of the government licenses. So it needs regulation.
This page lists "44 top automobile manufacturers" Presumably there are far more than 44, if this is only the top 44. That is a free market, no need for price regulation due to extreme competition.
http://en.wikipedia.org/wiki/Automotive_industry [wikipedia.org]
> While the government is at it, shouldn't all prices have to be approved, regulated and reviewed periodically by the government? I mean if one grocery store in LA is charging $0.15 for an apple and one in Seattle is charging $0.30 isn't there some gouging going on here?
Three, maybe four cellphone providers provide service here, with the number of competitors artificially limited by government regulation to prevent interference and/or accept bribes. That is no free market and no competition because of the government license structure. So it needs government price regulation to fix the problem the government caused.
http://local.yahoo.com/CA/Los+Angeles/Food+Dining/Grocery+Stores [yahoo.com]
Lists 5106 grocery stores in LA. Plenty of competition and free market. No need for price regulation due to intense competition.
http://local.yahoo.com/WA/Seattle/Food+Dining/Grocery+Stores [yahoo.com]
Only lists 897 grocery stores in Seattle. Plenty of competition and free market. No need for price regulation due to intense competition.
> Shouldn't we just have the government set all prices for all goods and services? Wouldn't that be more fair?
For cellphone service, it sets all the operational rules and FCC regulations and basically controls the company with no difference between the small number of providers except capital structure, so the govt has the responsibility to complete its work and set the price so as not to screw the customer, because it is an inherently non-capitalistic non-free market non-competitive system due to government interference (more so than usual, anyway).
> Short answer: no.
Short answer: yes.
Re:Millions of credit cards, unprecedented access (Score:3, Informative)
> I don't think there can be much in the way of law enforcement action. No damages, yet.
Clear violation of the Computer Fraud and Abuse Act.
> No idea where they might be operating from, so jurisdiction is an open question.
Doesn't matter where they were operating from. T-Mobile is a US company and the computers that were cracked were in US territory so the US has jurisdiction. The question is custody: can the Feds find them and if so can they get them extradited (or otherwise gain custody).
Re:Using the data for good purposes (Score:2, Informative)
When a company gets a license to exclusively use a certain radio frequency, yes, We the People should have the ability to set certain restrictions.
Re:Pay some smart $$$ get smart security (Score:2, Informative)
Umm, once you're on the corporate WAN (as they clearly are from the listing) the OS' being used are kind of irrelevant. They probably sniffed login credentials from client machines rather than attacking the backend servers directly, indeed such systems should be in no way directly connected to the internet.
Proud hacker, (Score:2, Informative)
Is anyone else getting tired of the media's and even Slashdot's own misuse of the word 'hacker'?
Crackers Claim To Hit T-Mobile Hard
Fixed it for you.
Re:Using the data for good purposes (Score:5, Informative)
Collusion would be the best explanation in a void of facts. Here I think I can be of assistance.
I am a telecommunications engineer. I am reading this article because it relates to my industry, not because of any belief that these data thieves have done anything remotely interesting. Given that it may be "on topic" to assume this could affect SMS pricing, it seems then "on topic" to relate why it cannot.
Here are the Big Secrets:
Except for one hour a day, SMSs don't cost anything.
Except for one hour a day, Voice calls don't cost anything.
There. It's out. The servers that process these things on average draw 4.0 amps per 2U at idle and 4.5 amps per 2U at busy. That's the total power savings ratio going from peak-hour to 4 a.m.
Since the equipment is already sitting there, the bandwidth is already leased, and a large carrier rarely has to use another carrier's network for Long Distance transport, the fixed costs burn whether you are yammering away on your phone or not.
Where adding customers to the network costs money is when those customers make a call during the busy hour. A "blocked call rate" is the % of people who get a network-busy signal or some sort of error when they try to make a call while the system is already at full capacity. Large carriers try to keep this number below 1%.
So where you cost them money in added infrastructure is when you make calls that contribute to busy hour traffic. The rest of the time the cost of your calls rounds comfortably down to zero.
Since the cost of support in a given month is 90% sunk whether you have zero calls or spend the whole month busy, your marketing department is given a large dollar figure they have to get from the subscribers so you can stay in the black.
The question then is "How to bill for it?" Enter game theory.
If you announced to the world what your busy hour is (say 9 a.m.), and that you were only charging for calls during that time, naturally no one would call during that time. You could then announce the new busy hour (now 10 a.m.), and then people would avoid that.... I'm sure you see where this is going. As a carrier with a growing subscriber base you'd still have to be adding cell-sites for the constantly roving busy hour and people on your network would constantly have to update their calling habits to dodge it.
So they pick a large chunk of the day where the business users can't really avoid making calls and they divide the cost of busy hour infrastructure across those hours. It's not all that tricky. The rest of the day is given away free or near free as the marketing gimmick enthusiasts see fit.
Slightly trickier is the math to relate people's usage to the probability that they will cost you money in infrastructure upgrades. It's convoluted, but there isn't even any calculus involved. I've seen the spreadsheets where this is done. They generally just tweak a number here and a number there and hit F9 until they see the numbers they like.
The same issues apply to SMS. If you announced that "on your network all SMSs are free" you'd get people switching over just because of that (more money == good), but then they'd be SMS enthusiasts who would shortly saturate your SS7 infrastructure with messages. That equipment is very expensive. You can argue that it shouldn't be and what a great value it would be to create a nationwide wireless topology consisting entirely of WRT54Gs, but in the real world, the only people buying SS7 gear are large carriers, and the people selling it know that and charge much like they would charge the government.
So you want
Re:Using the data for good purposes (Score:1, Informative)
The SMS function is really a matter of the upstream provider, and how many SMSC (Short Message Service Control) Servers you have in your network. The boxes do cost money, and it is pretty pricey to buy the licensing from Ericsson or whomever you choose.
The national clearing houses for SMS routing charge a lot of cash to route messages, but the size of the message is nil.
Plausible based upon server names. (Score:4, Informative)
I am working for a Relatively Large Telco in Europe and can say from the list of server names that this is a plausible hack.
Whether or not they have real information or just DNS entries, however, is yet to be seen.
What is the basis for this conclusion?
protib02 Prod IHAP TIBCO 582 Tibco 10.1.81.21 HP-UX 11.11 BOTHELL_7 582 #N/A 1 - Tibco. An application layer messaging bus used heavily in the FAB (Fulfilment Assurance Billing) area of large telcos
proetl02 Prod IHAP Teradata 576 teradata 10.133.17.51 HP-UX 11.11 NEXUS #N/A #N/A 1 - Teradata.... another product I know we are using (unknown however exactly what it does)
prowac06 Prod IHAP EAI 151 EAI - Middleware 10.1.80.91 HP-UX 11.11 BOTHELL_7 151 #N/A 1 - EAI - Middleware application used also in telcos.
Similarly the SAP Naming convention used roughly translates to some deployments I have seen in the past.
What does this whole thing give away....
Looking at the naming conventions they have three "defined" network zones:
TAMPA - Management (HP OVO, DNS, Backup Servers)
BOTHELL - Application Server zone with all sorts of stuff. Big flat topology....(ugly with lots of different services using the same subnets and DB Servers not separated from AS)
NEXUS - Another Application Server Zone with a mix of stuff within it. This appears smaller and newer than the other from the server names.
What does this show from a security perspective?
- No clear Security Architecture ... No 3 tier architecture DMZ/Application Server/DB Server split.
- No clean separation of Backup network (backup mixed with Management functions... this should be in a separate network).
- No clean separation of Management Network (SAN/Backup/OVO located together)
In any Telco situation with thousands of servers it is impossible to prevent a security breach. There are always going to be servers somewhere which are unpatched, legacy, forgotten etc.
What is important is a "defence in depth" principle to limit any disclosure. In this instance that appears not to have been followed. The topology is "Flat" with an emphasis on easier communications between systems rather than minimizing communications to the minimum required. This essentially stopped any chance of them being able to limit a breach.
Hopefully someone will get some lessons learned out of this. I know I will be presenting some points to our management where we should be focusing based upon this. Our security is definitely better but nothing is perfect.
I'm interested in any points that anyone else could offer here. I have not discussed all points; however, I am interested in the perspective of others from what they can mine there.
Please more comments!
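As an added example (not code from the comment, the seclists post, or T-Mobile), a small Python audit that parses inventory rows in the layout quoted above, derives each host's zone and /24, and flags subnets where a database host shares a segment with application or middleware hosts, which is the "no tier split" finding the comment makes. The column layout, the role mapping and the fourth (placeholder) row are assumptions.

```python
import ipaddress
import re
from collections import defaultdict

# Assumed column layout, read off the quoted rows:
# host env group app id description ip os zone ...
ROW_RE = re.compile(
    r"^(?P<host>\S+)\s+(?P<env>\S+)\s+(?P<group>\S+)\s+(?P<app>\S+)\s+(?P<id>\d+)\s+"
    r"(?P<desc>.+?)\s+(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\s+(?P<os>.+?)\s+"
    r"(?P<zone>[A-Z]+(?:_\d+)?)\b"
)

# Rough role classification by application name (an assumption for this example).
ROLES = {"tibco": "messaging", "eai": "middleware", "teradata": "database"}

# First three rows: the ones quoted in the comment, commentary tail removed.
# Fourth row: constructed placeholder host, to show a DB box landing in the
# application zone and on the same /24 as a messaging host.
SAMPLE = """\
protib02 Prod IHAP TIBCO 582 Tibco 10.1.81.21 HP-UX 11.11 BOTHELL_7 582 #N/A 1
proetl02 Prod IHAP Teradata 576 teradata 10.133.17.51 HP-UX 11.11 NEXUS #N/A #N/A 1
prowac06 Prod IHAP EAI 151 EAI - Middleware 10.1.80.91 HP-UX 11.11 BOTHELL_7 151 #N/A 1
prodbx99 Prod IHAP Teradata 900 teradata 10.1.81.77 HP-UX 11.11 BOTHELL_7 900 #N/A 1
"""

def parse(text):
    """Turn inventory rows into dicts with normalised zone, /24 subnet and role."""
    servers = []
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if not m:
            continue                     # skip rows that do not fit the layout
        d = m.groupdict()
        d["zone"] = re.sub(r"_\d+$", "", d["zone"])     # BOTHELL_7 -> BOTHELL
        d["subnet"] = str(ipaddress.ip_network(d["ip"] + "/24", strict=False))
        d["role"] = ROLES.get(d["app"].lower(), "other")
        servers.append(d)
    return servers

def audit(servers):
    """Return ({zone: sorted roles}, subnets mixing database with other tiers)."""
    by_zone, by_subnet = defaultdict(set), defaultdict(set)
    for s in servers:
        by_zone[s["zone"]].add(s["role"])
        by_subnet[s["subnet"]].add(s["role"])
    mixed = sorted(n for n, roles in by_subnet.items()
                   if "database" in roles and roles - {"database"})
    return {z: sorted(r) for z, r in by_zone.items()}, mixed

if __name__ == "__main__":
    zones, mixed = audit(parse(SAMPLE))
    print(zones)   # roles seen per zone
    print(mixed)   # /24s where a DB host sits beside app/middleware hosts
```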