From the "hackers" We already contacted with their competitors and they didn't show interest in buying their data -probably because the mails got to the wrong people- so now we are offering them for the highest bidder. Seriously, how do they think T-Mobile's competitors are going to legally pay and use such information?
by Anonymous Coward
on Sunday June 07 2009, @03:58PM (#28243965)
All of their production servers are running UNIX- or UNIX-like operating systems. Had they been running a Windows-only setup, this would not have happened.
Ever heard of a high-profile Windows shop being compromised during the last five years? No? Didn't think so.
Interesting. I only saw HP-UX, SunOS, AIX and Linux. No Windows used in T-Mobile, or they could not be cracked? Or T-Mobile just don't put anything important on Windows servers?
by Anonymous Coward
on Sunday June 07 2009, @04:12PM (#28244073)
And the best thing they can think of doing with it all is to offer it to T-Mobiles competitors? Seriously? I can think of tons of ways to profit off of all that information.
However not one of those ways involves attempting to sell the information to companies that are legally required to report it. Or when that fails, announcing it to the public and getting every police agency in the world on my trail.
If you are, you better start thinking about where to go next. Their service is now wide open. Anything transferred through their network is now questionable.
Can you afford to send an email from a smartphone and have a couple of bytes changed, say from "no" to "yes"? Or from $100 to $10,000?
Can you afford to have your phone records available to everyone on the Internet? How far back could T-Mobile's records go? Two years? Five years?
I'd say if this was played right to the media it could shut T-Mobile down in about two weeks. After all, wouldn't that be a great goal? Their inability to keep hackers out equals no reason to be in business.
Of course this was almost certainly an inside-assisted job. But then you better watch who your employees are. If you're employing people that have access to potentially sensitive data, how do you know they aren't in a financial bind and will do anything to make next month's mortgage payment? Or have some gambling debts that they have to pay or their wife will work off?
I won't be happy to see T-Mobile (really Vodaphone from Germany) go under, but if these hackers have half a brain they will take the company down. If they are just your average script kiddies this will not make to the nightly news and will have no effect on the company.
No, really T-Mobile (whose parent company is Deutsche Telekom) from Germany. Vodafone (not 'Vodaphone') are a UK-based company and T-Mobile's biggest rival.
I think we are entering an age where everyone knows the employee's loyality goes just as far as the permanence of their job, and no job is permanent anymore. So everyone is out for themselves, and if they see a chance to grab some kind of a big payoff they are going to take it. Or toss a wrench into the works just to see what happens.
Well, over the last 20 years or so, companies in general have made it abundantly clear that they feel little or no obligation to their workers. Their stockholders and CEOs, yes, but not their workers. I'm not saying they really ever did, but for perhaps 50 years there was a facade (pensions, long-term employment, etc.).
So it's entirely reasonable that workers return the favour.
Even if it's a real list, it could be something as simple as a pilfered company document off a laptop, a script-kiddie wannabe hacker employee showing off to his friends on IRC, or any of a hundred scenarios.
Do I doubt it's difficult to own a bunch of HP-UX boxes? Nah.
Have I learned to not spastically freak out every time some random people claim they hacked something? Yah.
Trouble is, T-Mobile wouldn't exactly be forthcoming with any confirmations.
At the end of the day, you just have to plan around being hacked. You have to ensure your payment method associated with external services can handle being owned. You have to be ready for people getting your SSN and private info, since it's moronically being used for frivolous purposes everywhere.
Which is not to say you shouldn't do your best to keep your data protected and secure - I just try to plan around any data I give out to various companies being owned.
by Anonymous Coward
on Sunday June 07 2009, @08:02PM (#28245865)
This doesn't surprise me at all. I used to work there a few years ago. Security was not something they were concerned with in the least. RSH was used everywhere and they refused even use telnet let alone ssh. The root passwords on all the Unix servers that controlled the switch was the name of the switch manufacturer. So Nokia was nokia and Nortel was nortel. Frankly this wasn't the worst thing there, don't try to do anything that might improve service or change the way things are done because that would upset the norm.
Anyone who does not have the wherewithal and sense to not make public their extortion demand, very likely does not have the sense and wherewithal to actually harvest information. I see a text depiction of a list of alleged connections to T-Mo servers.
I do not see actual data - show me a 500 data item sample if you have anything at all.
My best guess: Some 15 year old in an Eastern European country will shortly have some 'splainin to do.
I am working for a Relatively Large Teleco in Europe and can say from the list of server names that this is a plausible hack.
Whether or not however they have real information or just DNS entries however is yet to be seen.
What is the basis for this conclusion?
protib02 Prod IHAP TIBCO 582 Tibco 10.1.81.21 HP-UX 11.11 BOTHELL_7 582 #N/A 1 - Tibco. An application layer messaging bus used heavily in FAB (Fulfilment Assurance Billing) area of large telecos proetl02 Prod IHAP Teradata 576 teradata 10.133.17.51 HP-UX 11.11 NEXUS #N/A #N/A 1 - Teradata.... another product I know we are using (unknown however exactly what it does) prowac06 Prod IHAP EAI 151 EAI - Middleware 10.1.80.91 HP-UX 11.11 BOTHELL_7 151 #N/A 1 - EAI - Middleware application used also in telecos.
Similarly the SAP Naming convention used roughly translates to some deployments I have seen in the past.
What does this whole thing give away....
Looking at the naming conventions they have three "defined" network zones: TAMPA - Management (HP OVO, DNS, Backup Servers) BOTHELL - Application Server zone with all sorts of stuff. Big flat topology....(ugly with lots of different services using the same subnets and DB Servers not seperated from AS) NEXUS - Another Application Server Zone with a mix of stuff within it. This appears smaller and newer than the other from the server names.
What does this show from a security perspective?
- No clear Security Architecture... No 3 tier architecture DMZ/Application Server/DB Server split. - No clean separation of Backup network (backup mixed with Management functions... this should be in a seperate network). - No clean separation of Management Network (SAN/Backup/OVO located together)
In any Teleco situation with thousands of servers it is impossible to prevent a security breach. There is always going to be servers somewhere which are unpatched, legacy, forgotten etc. What is important is a "defence in depth" principle to limit any disclosure. In this instance that appears not to have been followed. The topology is "Flat" with an emphasis on easier communications between systems rather than minimizing communications to minimum required. This essentially stopped any chance of them being able to limit a breach.
Hopefully someone will get some lessons learned out of this. I know I will be presenting some points to our management where we should be focusing based upon this. Our security is definitely better but nothing is perfect.
I'm interested in any points that anyone else could offer here, I have not discussed all points however I am interested in the perspective of others from what they can mine there.
And the US export encryption laws, described at http://www.bis.doc.gov/encryption/default.htm [doc.gov]. It would also interfere with the Patriot Act warrant and supervision free phone tapping, and whatever the NSA has put in lately to tap the major fiber optic backbones without warrant or any appeal to inappropriate monitoring available, as they've previously done to AT&T.
As a purveyor of security software (to a different industry), I've seen countless times that almost always the conversation really does go along an only slightly-less direct route:
A. We need to secure X B. How much does it cost? A. (insert any dollars) B. Do we have to spend that? A. We do if we want to be reasonably secure. B (thinks... We're smart people; we can install a few firewalls; that'll keep the Bad Guys out) B. (Having insight) But this is like insurance, right? If we keep people out of the network, we don't get anything for those dollars. A. Well, sort of, I suppose so. B. Right, we'll save those dollars.
---
You have to assume that Bad Guys CAN get into your network if they really want to. Because the truth is, whatever your in-house people have told you, they can. Of you doubt me, talk to people whose job is to break into networks. All the ones I've known will tell you that 100% of targeted commercial networks fall to a concerted attack.
When they do fall, security's job is to make sure, at a minimum:
1) the Bad Guys can't learn anything useful
2) the Bad Guys can't interfere with the service you're selling
3) there's a high probability that you'll detect the event and be able to track the Bad Guys
B's insight isn't a bad one at all... security *is* a kind of insurance. Which means that most of the time, if you have a well-designed system you really are "wasting" the dollars. But one day you or your successor will regret those "saved" dollars.
B's job really is to make a proper cost/benefit analysis. My experience is that that almost never happens. They either just "save" the dollars without thinking or, more often, either a) look to what their competition is doing or b) assume that the risk is so small ("we haven't been hacked so far") that it's not worth spending any money.
Security is a process - not a state. Computer security is like a horizon - an imaginary line that seems to move farther away as you move toward it. The only way any network and systems on that network can be reasonably protected is if there is a recurring yearly budget. In most companies computer security is an afterthought in the IT budget. Sort of, like, if there's money left, we'll spend it on security. Or save it. The bottom line is that most companies simply can't afford meaningful security measures and most of those that can, choose not to spend the money. This entire IT security business is usually just good enough to keep the amateurs out.
What stuff? You mean the raw database? Theoretically, there are various layers of security here: firewalls to the outside, authentication to particular views on the inside where only data you Need To Know is available to you, and proper firewalls on each database server to limit access to the database port(s) and probably ssh.
If the hackers could get through all of this, they must be *very* good. More likely, however, is that they have someone on the inside which bypasses all of this. And it would bypass the encryption on the data anyway since s/he obviously already had Need To Know to get at the data anyway, and thus would have the decryption key. There isn't much a corporation can do against an insider that needs that info just to perform the job they were hired to perform.
What stuff? You mean the raw database? Theoretically, there are various layers of security here: firewalls to the outside, authentication to particular views on the inside where only data you Need To Know is available to you, and proper firewalls on each database server to limit access to the database port(s) and probably ssh.
It seems your theory is kind of flawed, because if their protection was indeed that good the thieves probably wouldn't have gotten the data they did.
I think the reality is they have a firewall, and probably overly simplistic authentication on the databases, and virtually nothing else. Consider an inept DBA running SQL Server 2005 who ties the SQL Server's SA account to the machine's administrator account. And add another inept system administrator who has a shared admin account across all the database servers, as well as some IIS servers and maybe some FTP servers as well. So the hacker worms his way to an admin account on ftp_serve_01.tmobile.com and ta-da! He's suddenly got admin rights to their data!
Never ascribe to ingenuity that which can be adequately explained by stupidity.
It seems your theory is kind of flawed, because if their protection was indeed that good the thieves probably wouldn't have gotten the data they did.
I think your assumption that "the theives did get data" is premature. I am not seeing corroborative data anywhere.
Speaking of which, based upon analyzing the deleted video files on your primary partition, you should get the old lady a membership at the local gym or something.:P
Yes, they used CSS encryption but those damn hackers broke the law and circumvented it using something called DeCSS... When is the government going to put a stop to this sort of thing and protect us!
There is no way to know and it's a moot point. Presumably they attacked the systems while they were live, so the information would have been decrypted anyway in order for the database system to access it. There is also the inside job scenario that someone outlined above.
Encryption doesn't really matter in this type of break in, it's more for "oh shit I left my hard drive and laptop in an airport" type of scenarios.
Funny - I get an fraud warning from the link disclosing the breach . . . Opera being over-sensitive I think. "This site is known to distribute malicious software" - NMap has got such a bad name!!
They might have technical chops or they might just be taking advantage of a disgruntled employee or other low-tech hole; it's impossible to say so far. What's clear is that they obviously had no idea what to do with the data once they got their hands on it.
I mean, did they really think they could just grab a dump of T-Mobile's customer database and sell it to AT&T? C'mon. Let's think about that for a minute -- what the hell is AT&T going to do with it? I'm sure their marketing department knows all about T-Mobile's demographics versus their own, and if not (and if they care) they could find out with a few calls and some relatively small payments to a research firm. Same with just about anything else I can possibly imagine them extracting from T-Mobile's servers. If AT&T or Verizon is really dying to know something about T-Mobile's operations, they have lots of easier ways to figure it out that involve a lot less risk than buying red-hot DB dumps from criminals.
Also, anyone with half a brain ought to realize that all the telco companies live in fear of being broken into, and that a major breakin is going to hurt the public's perception of the entire industry. The U.S. cellular telcos are, basically, a cartel: and if there's one thing cartel members hate more than each other, it's disruptive outsiders. T-Mobile's competitors probably didn't respond because they thought it was a joke, or some sort of Nigeria scam; if they'd known it was serious, they almost certainly would have done what Pepsi did [post-gazette.com] and called the cops. Not for altruistic reasons, but for sound business ones: having basically mercenary criminals screwing around, stealing data, scaring customers, and generally upsetting the normal business environment is not to any legitimate player's advantage.
The other red-flag that screams amateur hour about the whole thing is what they did after being turned down by the "competitors" -- they posted what amounts to a "for sale" ad to the Full Disclosure list. They thought that was the best venue for selling a shitload of customer financial records? Really? There are bulletin boards, whole online communities, where criminals trade identity information. It's a mature underground economy; the information they had -- names, addresses, CC numbers, SSNs -- would have been a fungible, commodity product, well-understood and easy to resell for cash.
However they got the information in the first place, it's pretty clear they didn't think their cunning plan all the way through.)
If I were an AT&T official and they contacted me? I'd absolutely be interested. I'd also be on the phone to internal corporate security and the FBI before I finished reading the email.
If this story is true, those are some mighty bold thieves. AT&T probably has more resources than anyone else on the planet for tracking down the originator of that communication. For that matter, AT&T are probably the ones the FBI contacts when they want to hunt down a bad guy, so you know there's a long relationship there, too.
Times may be tough, but various competing corporations often have informal and even friendly relationships with each other when it comes to Loss Prevention departments. They share info on thieves and threats, and despite outward animosity between two competing companies, their L.P. departments do tend to help each other out with situations like these. I know that's the case in retail, where organized crime investigations actually can have cooperation between companies like Walmart and Best Buy. There's definitely an "old boy's network" behind the scenes as these employees shift between companies and don't forget their old friends. It's a lot like the cop brotherhood (in part because many of the L.P. staffs are actually retired cops.) AT&T likely wants these guys caught almost as much as T-Mobile does.
However, I'd like to see a silver lining to this by seeing the data employed to put paid to the idea that SMSes have to cost so much.
Yeah, the hackers have sure demonstrated their high ideals by offering the data for sale to the highest bidder. I'm sure they're all just wonderful people who are only thinking of the greater good.
And yes, that was sarcasm. In truth, my opinion of these guys couldn't be much lower than it currently is.
by Anonymous Coward
on Sunday June 07 2009, @04:09PM (#28244051)
However, I'd like to see a silver lining to this by seeing the data employed to put paid to the idea that SMSes have to cost so much.
They don't have to cost so much. In fact, the cost of providing SMS service is next to nothing - it's an afterthought that runs in the cell phone control channel.
HOWEVER, in the real world, the price of a product/service doesn't depend on the cost to provide the service, it depends on what people are willing to pay. The fact that so many people are willing to pay high prices for SMS reflects supply & demand.
Personally, I never send SMS. If I want to talk to you, I'll call you. Otherwise I'll send email. But I seem to be in the minority.
A better question is why is there so little competition in SMS prices - is there collusion to avoid competition?
A better question is why is there so little competition in SMS prices - is there collusion to avoid competition?
Yes. The marginal cost is very close to zero, so when all the telecoms raise prices nearly simultaneously as they did a few years ago, collusion is by far the most likely explanation.
Collusion would be the best explanation in a void of facts. Here I think I can be of assistance.
I am a telecommunications engineer. I am reading this article because it relates to my industry, not because of any belief that these data thieves have done anything remotely interesting. Given that it may be "on topic" to assume this could affect SMS pricing, it seems then "on topic" to relate why it cannot.
Here are the Big Secrets:
Except for one hour a day, SMSs don't cost anything.
Except for one hour a day, Voice calls don't cost anything.
There. It's out. The servers that process these things on average draw 4.0 amps per 2U at idle and 4.5 amps per 2U at busy. That's the total power savings ratio going from peak-hour to 4 a.m.
Since the equipment is already sitting there and the bandwidth is already leased and a large carrier rarely has to use another carrier's network for Long Distance transport. The fix costs burn whether you are yammering away on your phone or not.
Where adding customers to the network costs money is when those customers make a call during the busy hour. A "blocked call rate" is the % of people who get a network-busy signal or some sort of error when they try to make a call while the system is already at full capacity. Large carriers try to keep this number below 1%.
So where you cost them money in added infrastructure is when you make calls that contribute to busy hour traffic. The rest of the time the cost of your calls rounds comfortably down to zero.
Since the cost of support in a given month is 90% sunk whether you have zero calls or spend the whole month busy, your marketing department is given a large dollar figure they have to get from the subscribers so you can stay in the black.
The question then is "How to bill for it?" Enter game theory.
If you announced to the world what your busy hour is (say 9 a.m.), and that you were only charging for calls during that time, naturally no one would call during that time. You could then announce the new busy hour (now 10 a.m.), and then people would avoid that.... I'm sure you see where this is going. As a carrier with a growing subscriber base you'd still have to be adding cell-sites for the constantly roving busy hour and people on your network would constantly have to update their calling habits to dodge it.
So they pick large chunk of the day where the business users can't really avoid making calls and they divide cost of busy hour infrastructure across those hours. It's not all that tricky. The rest of the day is given away free or near free as the marketing gimmick enthusiasts see fit.
Slightly trickier, is the math to relate people's usage to the probability that they will cost you money in infrastructure upgrades. It's convoluted, but there isn't even any calculus involved. I've seen the spreadsheets where this is done. They generally just tweak a number here and a number there and hit F9 until they see the numbers they like.
The same issues apply to SMS. If you announced that "on your network all SMSs are free" you'd get people switching over just because of that (more money == good), but then they'd be SMS enthusiasts who would shortly saturate your SS7 infrastructure with messages. That equipment is very expensive. You can argue that it shouldn't be and what a great value it would be to create a nationwide wireless topology consisting entirely of WRT54Gs, but in the real world, the only people buying SS7 gear are large carriers, and the people selling it know that and charge much like they would charge the government.
Except that's not what's happening. Instead of competing, everyone's saying "we'll charge the same rate per message" while that same rate is still insanely high.
Why should Congress bother with SMS pricing? Isn't that what competition is for?
Why? Because the cell providers are monopolies, created in part through the (very necessary) restriction of broadcast frequencies. Contrary to popular opinion, government *is* supposed to do good things for its citizens. I really admire that the EU has chosen to take the cell providers over there head-on, forcing them to lower rates. I disagree with how they did it, but that's only because they chose to regulate maximum prices instead of just breaking the monopolies up.
So when there were sufficient cell companies to have competition, American cell prices were the lowest in the world by far. Now that all the small players have been gobbled up, and we're only left with effectively three companies, there is no more competition.
Ah, but these are not governmental-backed monopolies that are essential to life, now are they? Don't like GM, but something else (everyone else sure did). DVD too expensive? Rent it, watch another movie, or just pass it up.
Telephone, internet, electricity, or water too expensive? Too bad, suck it up and pay, because by all normal metrics, these are the basic tenets of modern life.
So when the few remaining cell phone operators pretty much simultaneously raised rates on SMSes, at a time when the whole gov't w
Well, I think DVD's cost too much. Shouldn't the government step in there as well?
One, two, maybe three cellphone providers here, with the number of competitors artificially limited by government regulation to prevent interference and/or accept bribes. That is no free market and has no competition because of government force. So it needs price regulation.
Please do so now, in detail, with references containing verifiable data on the costs.
I'm guessing you don't understand how SMSes work. You do realize that they are effectively free for the cell phone company, right? Your cell phone is already sending this kind of message every time it reports back to a tower. It's just that most of the message is empty, but the bandwidth is still used. So, by piggy-backing a human-to-human message onto the cell-to-tower report, you get an SMS that has an effectively $0.00 incidental cost.
That's point #1. Point #2 is that an SMS is an amazingly small amount of bandwidth compared to voice, and yet it costs far more than voice.
Of course, I could go on and on, but that would be saving you all the fun of independent research. I'm certain that if there are still things bothering you after you've read this (and don't miss the EU's current action against the European cell pseudo-monopolies!), people here will be happy to help.
What? Are you 12? Seriously, with a response like that how do you not expect people to just ignore you since you don't even offer anything to the conversation. Just shouting "WRONG" doesn't change anything and only serves to strengthen the other side. Rather than childish name-calling perhaps you could add something of value rather than wasting everyone's time? Maybe not...
There are those of us that intercept and redirect cell transmissions because of the absurdly high costs of everything. Why use cell minu
Why am I complaining? Because I believe very firmly that in the past few years the telecommunications market has fallen victim to collusion.
It seems that many/.ers confuse the price people will pay with the correct price. See, the price you will pay is NOT the right price. The maximum price you will pay, correlated to the minimum price the supplier will charge, is the right price. That's where monopolies, duopolies, and collusion break things up. They make it so that the minimum price the supplier will cha
FWIW - I don't know if it could be related or quite how, exactly, but I am a T-mobile client in the SE US, and noticed yesterday and the evening before that calls were dropping like crazy. Very, very inconsistent from their usual service, IME. T-mobile has shown good network 'uptime' since they bought out a smaller cellular company I was with about 18 months ago. (They *have* tried to dick me for a little extra cash here and there on my bill, but were good after a call to billing.) The unusual poor performance I was witness to yesterday in conjunction with this story makes me go "Hmmm...", while hoping it bears out as untrue.
We all joke, and to some extent say, "good job" to the hackers. We forget these guys are no different than the robbers and thugs you see on "cops" or the evening news, they are just more covert. No one cheers on the armed gunman, robbing a convenience store. It bothers me these guys aren't viewed in the same light.
No doubt that they are bad guys, but to say that they are 'no different' is taking it a little far. How many convenience store robberies have you heard of that have ended badly for the staff? There is a good chance that a convenience store robber is willing to deprive someone of their life to get what they want. A hacker is merely willing to deprive someone of property. They are more like the guy who breaks into the convenience store after hours, with the intent to run away if confronted.
The curious thing is that the typical slashdotter would have some appreciation for the skills required to pull off such a hack (assuming they didn't just find a backup tape full of passwords in the trash:) - we can more readily identify with the nerd in his basement with the world at his fingertips 'sticking it to the man' than we could with the armed robber desperate to get cash for his next drug hit. And we all hate cell phone companies. I don't know what's on the agenda for these guys though... presumably blackmail or extortion.
But when you are king and are rounding up all the hackers, remember to include the guys who are unlawfully downloading copyright material too:)
Well, unless you bought your phone at a store with cash, and buy refills the same way..
I guess I am the "not smart" T-Mobile user, as I bought my prepaid phone through their web site.. You seem to be imply that T-Mobile is somehow a flyby night company... They are in fact 8th largest in the world.. Verizon is 14th., AT&T is 15th., Sprint doesn't make the top 20 and they have slightly more than half as many subscribers as AT&T... Of all these companies, why should I not have trust in T-Mobile ?
Look on the bright side.. (Score:5, Insightful)
Like competitors would ever pay for this (Score:5, Insightful)
From the "hackers" We already contacted with their competitors and they didn't show interest in buying their data -probably because the mails got to the wrong people- so now we are offering them for the highest bidder. Seriously, how do they think T-Mobile's competitors are going to legally pay and use such information?
They're in luck! (Score:5, Funny)
I happen to know a Nigerian Prince who would be *very* interested in their offer.
All UNIX/UNIX-likes (Score:5, Funny)
All of their production servers are running UNIX- or UNIX-like operating systems. Had they been running a Windows-only setup, this would not have happened.
Ever heard of a high-profile Windows shop being compromised during the last five years? No? Didn't think so.
Re:All UNIX/UNIX-likes (Score:5, Funny)
You do realize you can register for free Steve, right?
Parent
Re:All UNIX/UNIX-likes (Score:5, Funny)
Ever heard of a high-profile Windows shop being compromised during the last five years? No? Didn't think so.
Of course we don't hear about it anymore. It's not news!
Parent
Is that the list of compromised servers? (Score:3, Insightful)
Interesting. I only saw HP-UX, SunOS, AIX and Linux. No Windows used in T-Mobile, or they could not be cracked? Or T-Mobile just don't put anything important on Windows servers?
Millions of credit cards, unprecedented access (Score:5, Insightful)
And the best thing they can think of doing with it all is to offer it to T-Mobiles competitors? Seriously? I can think of tons of ways to profit off of all that information.
However not one of those ways involves attempting to sell the information to companies that are legally required to report it. Or when that fails, announcing it to the public and getting every police agency in the world on my trail.
T-Mobile Customer? (Score:3, Interesting)
If you are, you better start thinking about where to go next. Their service is now wide open. Anything transferred through their network is now questionable.
Can you afford to send an email from a smartphone and have a couple of bytes changed, say from "no" to "yes"? Or from $100 to $10,000?
Can you afford to have your phone records available to everyone on the Internet? How far back could T-Mobile's records go? Two years? Five years?
I'd say if this was played right to the media it could shut T-Mobile down in about two weeks. After all, wouldn't that be a great goal? Their inability to keep hackers out equals no reason to be in business.
Of course this was almost certainly an inside-assisted job. But then you better watch who your employees are. If you're employing people that have access to potentially sensitive data, how do you know they aren't in a financial bind and will do anything to make next month's mortgage payment? Or have some gambling debts that they have to pay or their wife will work off?
I won't be happy to see T-Mobile (really Vodaphone from Germany) go under, but if these hackers have half a brain they will take the company down. If they are just your average script kiddies this will not make to the nightly news and will have no effect on the company.
Re:T-Mobile Customer? (Score:5, Informative)
T-Mobile (really Vodaphone from Germany)
No, really T-Mobile (whose parent company is Deutsche Telekom) from Germany. Vodafone (not 'Vodaphone') are a UK-based company and T-Mobile's biggest rival.
Parent
Re:T-Mobile Customer? (Score:5, Insightful)
I think we are entering an age where everyone knows the employee's loyality goes just as far as the permanence of their job, and no job is permanent anymore. So everyone is out for themselves, and if they see a chance to grab some kind of a big payoff they are going to take it. Or toss a wrench into the works just to see what happens.
Well, over the last 20 years or so, companies in general have made it abundantly clear that they feel little or no obligation to their workers. Their stockholders and CEOs, yes, but not their workers. I'm not saying they really ever did, but for perhaps 50 years there was a facade (pensions, long-term employment, etc.).
So it's entirely reasonable that workers return the favour.
Parent
Before I hit the panic button (Score:5, Insightful)
I'll wait for some validation. Cuz, you know;
prodsrv1|192.168.1.200|root@cia.gov sekret files|for realz|RHEL4
isn't especially convincing.
Even if it's a real list, it could be something as simple as a pilfered company document off a laptop, a script-kiddie wannabe hacker employee showing off to his friends on IRC, or any of a hundred scenarios.
Do I doubt it's difficult to own a bunch of HP-UX boxes? Nah.
Have I learned to not spastically freak out every time some random people claim they hacked something? Yah.
Trouble is, T-Mobile wouldn't exactly be forthcoming with any confirmations.
At the end of the day, you just have to plan around being hacked. You have to ensure your payment method associated with external services can handle being owned. You have to be ready for people getting your SSN and private info, since it's moronically being used for frivolous purposes everywhere.
Which is not to say you shouldn't do your best to keep your data protected and secure - I just try to plan around any data I give out to various companies being owned.
Worked there a few years ago... (Score:4, Interesting)
This doesn't surprise me at all. I used to work there a few years ago. Security was not something they were concerned with in the least. RSH was used everywhere and they refused even use telnet let alone ssh. The root passwords on all the Unix servers that controlled the switch was the name of the switch manufacturer. So Nokia was nokia and Nortel was nortel. Frankly this wasn't the worst thing there, don't try to do anything that might improve service or change the way things are done because that would upset the norm.
Hmmmmm.... (Score:5, Funny)
Now's my chance to call all those phone-sex lines I've always been curious about!
Sir, you owe $15,239 and 33 cents.
"But I never made those calls!?! You people got hacked last month, didn't you? They must have stolen my info!"
Oh, that's right. Alright sir, we'll take care of it. Uhmmm...by the way, sir? I can barely hear you. Why do you sound so far away?
"Oh, I can't hold my phone. I uhhh...I sprained my wrists."
Yeah...right (Score:5, Funny)
Anyone who does not have the wherewithal and sense to not make public their extortion demand, very likely does not have the sense and wherewithal to actually harvest information. I see a text depiction of a list of alleged connections to T-Mo servers.
I do not see actual data - show me a 500 data item sample if you have anything at all.
My best guess: Some 15 year old in an Eastern European country will shortly have some 'splainin to do.
Plausible based upon server names. (Score:4, Informative)
I am working for a Relatively Large Teleco in Europe and can say from the list of server names that this is a plausible hack.
Whether or not however they have real information or just DNS entries however is yet to be seen.
What is the basis for this conclusion?
protib02 Prod IHAP TIBCO 582 Tibco 10.1.81.21 HP-UX 11.11 BOTHELL_7 582 #N/A 1 - Tibco. An application layer messaging bus used heavily in FAB (Fulfilment Assurance Billing) area of large telecos
proetl02 Prod IHAP Teradata 576 teradata 10.133.17.51 HP-UX 11.11 NEXUS #N/A #N/A 1 - Teradata.... another product I know we are using (unknown however exactly what it does)
prowac06 Prod IHAP EAI 151 EAI - Middleware 10.1.80.91 HP-UX 11.11 BOTHELL_7 151 #N/A 1 - EAI - Middleware application used also in telecos.
Similarly the SAP Naming convention used roughly translates to some deployments I have seen in the past.
What does this whole thing give away....
Looking at the naming conventions they have three "defined" network zones:
TAMPA - Management (HP OVO, DNS, Backup Servers)
BOTHELL - Application Server zone with all sorts of stuff. Big flat topology....(ugly with lots of different services using the same subnets and DB Servers not seperated from AS)
NEXUS - Another Application Server Zone with a mix of stuff within it. This appears smaller and newer than the other from the server names.
What does this show from a security perspective?
- No clear Security Architecture ... No 3 tier architecture DMZ/Application Server/DB Server split.
- No clean separation of Backup network (backup mixed with Management functions... this should be in a seperate network).
- No clean separation of Management Network (SAN/Backup/OVO located together)
In any Teleco situation with thousands of servers it is impossible to prevent a security breach. There is always going to be servers somewhere which are unpatched, legacy, forgotten etc.
What is important is a "defence in depth" principle to limit any disclosure. In this instance that appears not to have been followed. The topology is "Flat" with an emphasis on easier communications between systems rather than minimizing communications to minimum required. This essentially stopped any chance of them being able to limit a breach.
Hopefully someone will get some lessons learned out of this. I know I will be presenting some points to our management where we should be focusing based upon this. Our security is definitely better but nothing is perfect.
I'm interested in any points that anyone else could offer here, I have not discussed all points however I am interested in the perspective of others from what they can mine there.
Please more comments!
http://streetstyles.ch/ [streetstyles.ch] - Schweiz Band & Fashion Tshirts
Re:Why.... (Score:5, Insightful)
Why isn't this stuff encrypted?
My guesses: legacy, convenience, lack of care, lack of duty.
Parent
Re:Why.... (Score:5, Insightful)
Parent
Re:Why.... (Score:5, Insightful)
Front-line Manager: We need to encrypt our dataz.
Middle Manager: How much will this cost?
Front-line Manager: (insert any number)
Middle Manager: No.
Parent
Re:Why.... (Score:5, Insightful)
As a purveyor of security software (to a different industry), I've seen countless times that almost always the conversation really does go along an only slightly-less direct route:
A. We need to secure X
B. How much does it cost?
A. (insert any dollars)
B. Do we have to spend that?
A. We do if we want to be reasonably secure.
B (thinks... We're smart people; we can install a few firewalls; that'll keep the Bad Guys out)
B. (Having insight) But this is like insurance, right? If we keep people out of the network, we don't get anything for those dollars.
A. Well, sort of, I suppose so.
B. Right, we'll save those dollars.
---
You have to assume that Bad Guys CAN get into your network if they really want to. Because the truth is, whatever your in-house people have told you, they can. Of you doubt me, talk to people whose job is to break into networks. All the ones I've known will tell you that 100% of targeted commercial networks fall to a concerted attack.
When they do fall, security's job is to make sure, at a minimum:
1) the Bad Guys can't learn anything useful
2) the Bad Guys can't interfere with the service you're selling
3) there's a high probability that you'll detect the event and be able to track the Bad Guys
B's insight isn't a bad one at all... security *is* a kind of insurance. Which means that most of the time, if you have a well-designed system you really are "wasting" the dollars. But one day you or your successor will regret those "saved" dollars.
B's job really is to make a proper cost/benefit analysis. My experience is that that almost never happens. They either just "save" the dollars without thinking or, more often, either a) look to what their competition is doing or b) assume that the risk is so small ("we haven't been hacked so far") that it's not worth spending any money.
Parent
Re:Why.... (Score:5, Interesting)
Parent
Re:Why.... (Score:5, Insightful)
What stuff? You mean the raw database? Theoretically, there are various layers of security here: firewalls to the outside, authentication to particular views on the inside where only data you Need To Know is available to you, and proper firewalls on each database server to limit access to the database port(s) and probably ssh.
If the hackers could get through all of this, they must be *very* good. More likely, however, is that they have someone on the inside which bypasses all of this. And it would bypass the encryption on the data anyway since s/he obviously already had Need To Know to get at the data anyway, and thus would have the decryption key. There isn't much a corporation can do against an insider that needs that info just to perform the job they were hired to perform.
Parent
Re:Why.... (Score:4, Insightful)
What stuff? You mean the raw database? Theoretically, there are various layers of security here: firewalls to the outside, authentication to particular views on the inside where only data you Need To Know is available to you, and proper firewalls on each database server to limit access to the database port(s) and probably ssh.
It seems your theory is kind of flawed, because if their protection was indeed that good the thieves probably wouldn't have gotten the data they did.
I think the reality is they have a firewall, and probably overly simplistic authentication on the databases, and virtually nothing else. Consider an inept DBA running SQL Server 2005 who ties the SQL Server's SA account to the machine's administrator account. And add another inept system administrator who has a shared admin account across all the database servers, as well as some IIS servers and maybe some FTP servers as well. So the hacker worms his way to an admin account on ftp_serve_01.tmobile.com and ta-da! He's suddenly got admin rights to their data!
Never ascribe to ingenuity that which can be adequately explained by stupidity.
Parent
Re:Why.... (Score:5, Funny)
It seems your theory is kind of flawed, because if their protection was indeed that good the thieves probably wouldn't have gotten the data they did.
I think your assumption that "the theives did get data" is premature. I am not seeing corroborative data anywhere.
Speaking of which, based upon analyzing the deleted video files on your primary partition, you should get the old lady a membership at the local gym or something. :P
Parent
Re:Why.... (Score:4, Funny)
I emailed them with my very serious offer. And from another account asking them to plz send me teh codez. No response yet :(
Parent
Re:Why.... (Score:5, Interesting)
Who said it was not encrypted?
Parent
Re:Why.... (Score:4, Funny)
Who said it was not encrypted?
Yes, they used CSS encryption but those damn hackers broke the law and circumvented it using something called DeCSS...
When is the government going to put a stop to this sort of thing and protect us!
Parent
Re: (Score:3, Insightful)
Encryption doesn't really matter in this type of break in, it's more for "oh shit I left my hard drive and laptop in an airport" type of scenarios.
Be warned! (Score:5, Interesting)
Parent
Re:Be warned! (Score:5, Informative)
Parent
Re:worthless data! (Score:5, Insightful)
What is there in this data that would cause an AT&T executive to risk losing his job and perhaps going to prison?
Parent
Hard to tell yet. (Score:5, Insightful)
They might have technical chops or they might just be taking advantage of a disgruntled employee or other low-tech hole; it's impossible to say so far. What's clear is that they obviously had no idea what to do with the data once they got their hands on it.
I mean, did they really think they could just grab a dump of T-Mobile's customer database and sell it to AT&T? C'mon. Let's think about that for a minute -- what the hell is AT&T going to do with it? I'm sure their marketing department knows all about T-Mobile's demographics versus their own, and if not (and if they care) they could find out with a few calls and some relatively small payments to a research firm. Same with just about anything else I can possibly imagine them extracting from T-Mobile's servers. If AT&T or Verizon is really dying to know something about T-Mobile's operations, they have lots of easier ways to figure it out that involve a lot less risk than buying red-hot DB dumps from criminals.
Also, anyone with half a brain ought to realize that all the telco companies live in fear of being broken into, and that a major breakin is going to hurt the public's perception of the entire industry. The U.S. cellular telcos are, basically, a cartel: and if there's one thing cartel members hate more than each other, it's disruptive outsiders. T-Mobile's competitors probably didn't respond because they thought it was a joke, or some sort of Nigeria scam; if they'd known it was serious, they almost certainly would have done what Pepsi did [post-gazette.com] and called the cops. Not for altruistic reasons, but for sound business ones: having basically mercenary criminals screwing around, stealing data, scaring customers, and generally upsetting the normal business environment is not to any legitimate player's advantage.
The other red-flag that screams amateur hour about the whole thing is what they did after being turned down by the "competitors" -- they posted what amounts to a "for sale" ad to the Full Disclosure list. They thought that was the best venue for selling a shitload of customer financial records? Really? There are bulletin boards, whole online communities, where criminals trade identity information. It's a mature underground economy; the information they had -- names, addresses, CC numbers, SSNs -- would have been a fungible, commodity product, well-understood and easy to resell for cash.
However they got the information in the first place, it's pretty clear they didn't think their cunning plan all the way through.)
Parent
Re:worthless data! (Score:5, Insightful)
If I were an AT&T official and they contacted me? I'd absolutely be interested. I'd also be on the phone to internal corporate security and the FBI before I finished reading the email.
If this story is true, those are some mighty bold thieves. AT&T probably has more resources than anyone else on the planet for tracking down the originator of that communication. For that matter, AT&T are probably the ones the FBI contacts when they want to hunt down a bad guy, so you know there's a long relationship there, too.
Times may be tough, but various competing corporations often have informal and even friendly relationships with each other when it comes to Loss Prevention departments. They share info on thieves and threats, and despite outward animosity between two competing companies, their L.P. departments do tend to help each other out with situations like these. I know that's the case in retail, where organized crime investigations actually can have cooperation between companies like Walmart and Best Buy. There's definitely an "old boy's network" behind the scenes as these employees shift between companies and don't forget their old friends. It's a lot like the cop brotherhood (in part because many of the L.P. staffs are actually retired cops.) AT&T likely wants these guys caught almost as much as T-Mobile does.
Parent
Re:Using the data for good purposes (Score:5, Insightful)
However, I'd like to see a silver lining to this by seeing the data employed to put paid to the idea that SMSes have to cost so much.
Yeah, the hackers have sure demonstrated their high ideals by offering the data for sale to the highest bidder. I'm sure they're all just wonderful people who are only thinking of the greater good.
And yes, that was sarcasm. In truth, my opinion of these guys couldn't be much lower than it currently is.
Parent
Re:Using the data for good purposes (Score:4, Insightful)
However, I'd like to see a silver lining to this by seeing the data employed to put paid to the idea that SMSes have to cost so much.
They don't have to cost so much. In fact, the cost of providing SMS service is next to nothing - it's an afterthought that runs in the cell phone control channel.
HOWEVER, in the real world, the price of a product/service doesn't depend on the cost to provide the service, it depends on what people are willing to pay. The fact that so many people are willing to pay high prices for SMS reflects supply & demand.
Personally, I never send SMS. If I want to talk to you, I'll call you. Otherwise I'll send email. But I seem to be in the minority.
A better question is why is there so little competition in SMS prices - is there collusion to avoid competition?
Parent
Re:Using the data for good purposes (Score:5, Interesting)
A better question is why is there so little competition in SMS prices - is there collusion to avoid competition?
Yes. The marginal cost is very close to zero, so when all the telecoms raise prices nearly simultaneously as they did a few years ago, collusion is by far the most likely explanation.
Parent
Re:Using the data for good purposes (Score:5, Informative)
Collusion would be the best explanation in a void of facts. Here I think I can be of assistance.
I am a telecommunications engineer. I am reading this article because it relates to my industry, not because of any belief that these data thieves have done anything remotely interesting. Given that it may be "on topic" to assume this could affect SMS pricing, it seems then "on topic" to relate why it cannot.
Here are the Big Secrets:
Except for one hour a day, SMSs don't cost anything.
Except for one hour a day, Voice calls don't cost anything.
There. It's out. The servers that process these things on average draw 4.0 amps per 2U at idle and 4.5 amps per 2U at busy. That's the total power savings ratio going from peak-hour to 4 a.m.
Since the equipment is already sitting there and the bandwidth is already leased and a large carrier rarely has to use another carrier's network for Long Distance transport. The fix costs burn whether you are yammering away on your phone or not.
Where adding customers to the network costs money is when those customers make a call during the busy hour. A "blocked call rate" is the % of people who get a network-busy signal or some sort of error when they try to make a call while the system is already at full capacity. Large carriers try to keep this number below 1%.
So where you cost them money in added infrastructure is when you make calls that contribute to busy hour traffic. The rest of the time the cost of your calls rounds comfortably down to zero.
Since the cost of support in a given month is 90% sunk whether you have zero calls or spend the whole month busy, your marketing department is given a large dollar figure they have to get from the subscribers so you can stay in the black.
The question then is "How to bill for it?" Enter game theory.
If you announced to the world what your busy hour is (say 9 a.m.), and that you were only charging for calls during that time, naturally no one would call during that time. You could then announce the new busy hour (now 10 a.m.), and then people would avoid that.... I'm sure you see where this is going. As a carrier with a growing subscriber base you'd still have to be adding cell-sites for the constantly roving busy hour and people on your network would constantly have to update their calling habits to dodge it.
So they pick large chunk of the day where the business users can't really avoid making calls and they divide cost of busy hour infrastructure across those hours. It's not all that tricky. The rest of the day is given away free or near free as the marketing gimmick enthusiasts see fit.
Slightly trickier, is the math to relate people's usage to the probability that they will cost you money in infrastructure upgrades. It's convoluted, but there isn't even any calculus involved. I've seen the spreadsheets where this is done. They generally just tweak a number here and a number there and hit F9 until they see the numbers they like.
The same issues apply to SMS. If you announced that "on your network all SMSs are free" you'd get people switching over just because of that (more money == good), but then they'd be SMS enthusiasts who would shortly saturate your SS7 infrastructure with messages. That equipment is very expensive. You can argue that it shouldn't be and what a great value it would be to create a nationwide wireless topology consisting entirely of WRT54Gs, but in the real world, the only people buying SS7 gear are large carriers, and the people selling it know that and charge much like they would charge the government.
So you want
Parent
Re: (Score:3, Insightful)
Re:Using the data for good purposes (Score:5, Insightful)
Why should Congress bother with SMS pricing? Isn't that what competition is for?
Why? Because the cell providers are monopolies, created in part through the (very necessary) restriction of broadcast frequencies. Contrary to popular opinion, government *is* supposed to do good things for its citizens. I really admire that the EU has chosen to take the cell providers over there head-on, forcing them to lower rates. I disagree with how they did it, but that's only because they chose to regulate maximum prices instead of just breaking the monopolies up.
So when there were sufficient cell companies to have competition, American cell prices were the lowest in the world by far. Now that all the small players have been gobbled up, and we're only left with effectively three companies, there is no more competition.
Parent
Re: (Score:3, Insightful)
Ah, but these are not governmental-backed monopolies that are essential to life, now are they? Don't like GM, but something else (everyone else sure did). DVD too expensive? Rent it, watch another movie, or just pass it up.
Telephone, internet, electricity, or water too expensive? Too bad, suck it up and pay, because by all normal metrics, these are the basic tenets of modern life.
So when the few remaining cell phone operators pretty much simultaneously raised rates on SMSes, at a time when the whole gov't w
Re:Using the data for good purposes (Score:5, Insightful)
Guys, busting up AT&T was the *best* thing that ever happened to American telecommunications.
So the baby bells could reform their monopoly as SBC? Oh and then change back to AT&T and rebuy the spun-off AT&T Wireless? Yeah that worked out well.
Parent
Re: (Score:3, Informative)
Well, I think DVD's cost too much. Shouldn't the government step in there as well?
One, two, maybe three cellphone providers here, with the number of competitors artificially limited by government regulation to prevent interference and/or accept bribes. That is no free market and has no competition because of government force. So it needs price regulation.
Seven pages of DVD manufacturers here to scroll thru:
http://en.wikipedia.org/wiki/List_of_DVD_manufacturers [wikipedia.org]
Now that is a free market... No need for price regulation due to intense competition.
How about cars? They cost too much, don't you think?
One, two, maybe three cellphone providers
Re:Using the data for good purposes (Score:5, Informative)
Please do so now, in detail, with references containing verifiable data on the costs.
I'm guessing you don't understand how SMSes work. You do realize that they are effectively free for the cell phone company, right? Your cell phone is already sending this kind of message every time it reports back to a tower. It's just that most of the message is empty, but the bandwidth is still used. So, by piggy-backing a human-to-human message onto the cell-to-tower report, you get an SMS that has an effectively $0.00 incidental cost.
That's point #1. Point #2 is that an SMS is an amazingly small amount of bandwidth compared to voice, and yet it costs far more than voice.
Point #3 is linking back to /. http://tech.slashdot.org/article.pl?sid=08/01/29/0244208 [slashdot.org]
Of course, I could go on and on, but that would be saving you all the fun of independent research. I'm certain that if there are still things bothering you after you've read this (and don't miss the EU's current action against the European cell pseudo-monopolies!), people here will be happy to help.
Parent
Re: (Score:3, Interesting)
What? Are you 12? Seriously, with a response like that how do you not expect people to just ignore you since you don't even offer anything to the conversation. Just shouting "WRONG" doesn't change anything and only serves to strengthen the other side. Rather than childish name-calling perhaps you could add something of value rather than wasting everyone's time? Maybe not...
There are those of us that intercept and redirect cell transmissions because of the absurdly high costs of everything. Why use cell minu
Re: (Score:3, Interesting)
Why am I complaining? Because I believe very firmly that in the past few years the telecommunications market has fallen victim to collusion.
It seems that many /.ers confuse the price people will pay with the correct price. See, the price you will pay is NOT the right price. The maximum price you will pay, correlated to the minimum price the supplier will charge, is the right price. That's where monopolies, duopolies, and collusion break things up. They make it so that the minimum price the supplier will cha
Re:nice! (Score:5, Funny)
Does this mean service will improve?
Parent
Re:nice! (Score:5, Interesting)
Parent
Re:nice! (Score:4, Insightful)
nice!
We all joke, and to some extent say, "good job" to the hackers. We forget these guys are no different than the robbers and thugs you see on "cops" or the evening news, they are just more covert. No one cheers on the armed gunman, robbing a convenience store. It bothers me these guys aren't viewed in the same light.
Parent
Re:nice! (Score:4, Insightful)
No doubt that they are bad guys, but to say that they are 'no different' is taking it a little far. How many convenience store robberies have you heard of that have ended badly for the staff? There is a good chance that a convenience store robber is willing to deprive someone of their life to get what they want. A hacker is merely willing to deprive someone of property. They are more like the guy who breaks into the convenience store after hours, with the intent to run away if confronted.
The curious thing is that the typical slashdotter would have some appreciation for the skills required to pull off such a hack (assuming they didn't just find a backup tape full of passwords in the trash :) - we can more readily identify with the nerd in his basement with the world at his fingertips 'sticking it to the man' than we could with the armed robber desperate to get cash for his next drug hit. And we all hate cell phone companies. I don't know what's on the agenda for these guys though... presumably blackmail or extortion.
But when you are king and are rounding up all the hackers, remember to include the guys who are unlawfully downloading copyright material too :)
Parent
Re:If you were smart, you used a prepaid phone (Score:5, Insightful)
Well, unless you bought your phone at a store with cash, and buy refills the same way..
I guess I am the "not smart" T-Mobile user, as I bought my prepaid phone through their web site.. You seem to be imply that T-Mobile is somehow a flyby night company ... They are in fact 8th largest in the world.. Verizon is 14th., AT&T is 15th., Sprint doesn't make the top 20 and they have slightly more than half as many subscribers as AT&T... Of all these companies, why should I not have trust in T-Mobile ?
Parent