Want to read Slashdot from your mobile device? Point it at m.slashdot.org and keep reading!

 



Forgot your password?
typodupeerror
×
Security Cellphones Communications

Hackers Claim To Hit T-Mobile Hard 302

dasButcher writes "Hackers are claiming to own T-Mobile USA's servers and to have access to the cellular phone carrier's operations, finance and subscriber data." (Here's the seclists.org post of the claimed breach.)
This discussion has been archived. No new comments can be posted.

Hackers Claim To Hit T-Mobile Hard

Comments Filter:
  • Why.... (Score:2, Interesting)

    Why isn't this stuff encrypted? For the few places that would need the data why not have a special viewer that would decrypt the stuff thats sensitive?
    • Re:Why.... (Score:5, Insightful)

      by tftp ( 111690 ) on Sunday June 07, 2009 @03:46PM (#28243895) Homepage

      Why isn't this stuff encrypted?

      My guesses: legacy, convenience, lack of care, lack of duty.

      • Re:Why.... (Score:5, Insightful)

        by Antique Geekmeister ( 740220 ) on Sunday June 07, 2009 @06:54PM (#28245403)
        And the US export encryption laws, described at http://www.bis.doc.gov/encryption/default.htm [doc.gov]. It would also interfere with the Patriot Act warrant and supervision free phone tapping, and whatever the NSA has put in lately to tap the major fiber optic backbones without warrant or any appeal to inappropriate monitoring available, as they've previously done to AT&T.
        • Re: (Score:3, Insightful)

          by tinkertim ( 918832 )

          And the US export encryption laws, described at http://www.bis.doc.gov/encryption/default.htm [doc.gov] [doc.gov]. It would also interfere with the Patriot Act warrant and supervision free phone tapping, and whatever the NSA has put in lately to tap the major fiber optic backbones without warrant or any appeal to inappropriate monitoring available, as they've previously done to AT&T.

          What part of that did you mistake to read "I can't encrypt server side even if I must make clients use clear text" ?

      • Re: (Score:3, Insightful)

        by DigitAl56K ( 805623 ) *

        Maybe some of it is encrypted. But perhaps with some pilfered credentials a database or other internal system will happily respond to your queries and pass back the results as plaintext. After all, somebody somewhere has to be able to decrypt the customer/billing information or it's useless.

        Encryption isn't the be-all and end-all of security. For example, using TrueCrypt on your laptop is a great idea to reduce your risk in case of theft, but when you've mounted an encrypted partition and someone is rooting

    • Re:Why.... (Score:5, Insightful)

      by bi_boy ( 630968 ) on Sunday June 07, 2009 @03:50PM (#28243915)
      My guess is the conversations go like this:

      Front-line Manager: We need to encrypt our dataz.
      Middle Manager: How much will this cost?
      Front-line Manager: (insert any number)
      Middle Manager: No.
      • Re:Why.... (Score:5, Insightful)

        by N7DR ( 536428 ) on Sunday June 07, 2009 @04:51PM (#28244425) Homepage

        As a purveyor of security software (to a different industry), I've seen countless times that almost always the conversation really does go along an only slightly-less direct route:

        A. We need to secure X
        B. How much does it cost?
        A. (insert any dollars)
        B. Do we have to spend that?
        A. We do if we want to be reasonably secure.
        B (thinks... We're smart people; we can install a few firewalls; that'll keep the Bad Guys out)
        B. (Having insight) But this is like insurance, right? If we keep people out of the network, we don't get anything for those dollars.
        A. Well, sort of, I suppose so.
        B. Right, we'll save those dollars.

        ---

        You have to assume that Bad Guys CAN get into your network if they really want to. Because the truth is, whatever your in-house people have told you, they can. Of you doubt me, talk to people whose job is to break into networks. All the ones I've known will tell you that 100% of targeted commercial networks fall to a concerted attack.

        When they do fall, security's job is to make sure, at a minimum:
            1) the Bad Guys can't learn anything useful
            2) the Bad Guys can't interfere with the service you're selling
            3) there's a high probability that you'll detect the event and be able to track the Bad Guys

        B's insight isn't a bad one at all... security *is* a kind of insurance. Which means that most of the time, if you have a well-designed system you really are "wasting" the dollars. But one day you or your successor will regret those "saved" dollars.

        B's job really is to make a proper cost/benefit analysis. My experience is that that almost never happens. They either just "save" the dollars without thinking or, more often, either a) look to what their competition is doing or b) assume that the risk is so small ("we haven't been hacked so far") that it's not worth spending any money.

        • Re: (Score:2, Insightful)

          by Anonymous Coward

          Almost any risk can be covered one of two ways:

          1. Absorbing a large cost infrequently.
          2. Spread the cost over your average cases.

          This is simply an application of Murphy's law. Any outcome which is not systematically excluded will occur eventually. You can either incur the overhead of building a system that excludes the negative outcomes or you can accept the risk that they will occur.

          Of course, in practice you can't absolutely exclude negative outcomes, but as you say, you may be able to analyze them and break t

        • Re:Why.... (Score:5, Interesting)

          by Venik ( 915777 ) on Sunday June 07, 2009 @07:05PM (#28245479)
          Security is a process - not a state. Computer security is like a horizon - an imaginary line that seems to move farther away as you move toward it. The only way any network and systems on that network can be reasonably protected is if there is a recurring yearly budget. In most companies computer security is an afterthought in the IT budget. Sort of, like, if there's money left, we'll spend it on security. Or save it. The bottom line is that most companies simply can't afford meaningful security measures and most of those that can, choose not to spend the money. This entire IT security business is usually just good enough to keep the amateurs out.
        • I've worked in I.T. long enough to know that the vast majority of security products and services out there are little more than selling companies a "bill of goods". Sometimes, it's a great investment, simply as a CYA move. (As a systems administrator, you're a lot less likely to get fired because of a hack if you can show you tried your best to secure everything, using products X, Y and Z, right?)

          But ultimately, you can go with the most highly regarded firewall product, the top-rated anti-spyware and anti

    • Re:Why.... (Score:5, Insightful)

      by Tanktalus ( 794810 ) on Sunday June 07, 2009 @03:52PM (#28243931) Journal

      What stuff? You mean the raw database? Theoretically, there are various layers of security here: firewalls to the outside, authentication to particular views on the inside where only data you Need To Know is available to you, and proper firewalls on each database server to limit access to the database port(s) and probably ssh.

      If the hackers could get through all of this, they must be *very* good. More likely, however, is that they have someone on the inside which bypasses all of this. And it would bypass the encryption on the data anyway since s/he obviously already had Need To Know to get at the data anyway, and thus would have the decryption key. There isn't much a corporation can do against an insider that needs that info just to perform the job they were hired to perform.

      • Once you have access to the filesystem of the machine that runs the database, all the Need To Know restrictions are null and void, you just grab the database file. And that tends to be one firewall + one host away from The Wild.

      • Re:Why.... (Score:4, Insightful)

        by plover ( 150551 ) * on Sunday June 07, 2009 @05:13PM (#28244629) Homepage Journal

        What stuff? You mean the raw database? Theoretically, there are various layers of security here: firewalls to the outside, authentication to particular views on the inside where only data you Need To Know is available to you, and proper firewalls on each database server to limit access to the database port(s) and probably ssh.

        It seems your theory is kind of flawed, because if their protection was indeed that good the thieves probably wouldn't have gotten the data they did.

        I think the reality is they have a firewall, and probably overly simplistic authentication on the databases, and virtually nothing else. Consider an inept DBA running SQL Server 2005 who ties the SQL Server's SA account to the machine's administrator account. And add another inept system administrator who has a shared admin account across all the database servers, as well as some IIS servers and maybe some FTP servers as well. So the hacker worms his way to an admin account on ftp_serve_01.tmobile.com and ta-da! He's suddenly got admin rights to their data!

        Never ascribe to ingenuity that which can be adequately explained by stupidity.

        • Re:Why.... (Score:5, Funny)

          by jesset77 ( 759149 ) on Sunday June 07, 2009 @06:28PM (#28245209)

          It seems your theory is kind of flawed, because if their protection was indeed that good the thieves probably wouldn't have gotten the data they did.

          I think your assumption that "the theives did get data" is premature. I am not seeing corroborative data anywhere.

          Speaking of which, based upon analyzing the deleted video files on your primary partition, you should get the old lady a membership at the local gym or something. :P

    • Well for one thing they have to actually use a lot of this data on a day-to-day basis. And if hundreds of call operators have to know to what address to dispatch repair crews et al, there's really no securing it.

      I'm not surprised by breaches like this at all. So many people have access to this data it's unreasonable to assume it's secure. I just huddle in the herd of helpless millions and hope that sheer numbers protect me. Oh, and it helps to live the student lifestyle with only a few transactions a mont
    • Re:Why.... (Score:5, Interesting)

      by jythie ( 914043 ) on Sunday June 07, 2009 @03:59PM (#28243977)

      Who said it was not encrypted?

      • Re:Why.... (Score:4, Funny)

        by ae1294 ( 1547521 ) on Sunday June 07, 2009 @04:48PM (#28244393) Journal

        Who said it was not encrypted?

        Yes, they used CSS encryption but those damn hackers broke the law and circumvented it using something called DeCSS...
        When is the government going to put a stop to this sort of thing and protect us!

      • Re: (Score:3, Insightful)

        by blitzkrieg3 ( 995849 )
        There is no way to know and it's a moot point. Presumably they attacked the systems while they were live, so the information would have been decrypted anyway in order for the database system to access it. There is also the inside job scenario that someone outlined above.

        Encryption doesn't really matter in this type of break in, it's more for "oh shit I left my hard drive and laptop in an airport" type of scenarios.
  • by nanospook ( 521118 ) on Sunday June 07, 2009 @03:47PM (#28243899)
    Maybe the hackers can offer better service?
    • by sjames ( 1099 )

      Given the practices of the telecomms these days, even privacy wouldn't be affected. It MAY improve under the hackers since there's not much money in plain old call records and they won't be all that interested in cooperating with the feds.

  • by VampireByte ( 447578 ) on Sunday June 07, 2009 @03:49PM (#28243909) Homepage

    From the "hackers" We already contacted with their competitors and they didn't show interest in buying their data -probably because the mails got to the wrong people- so now we are offering them for the highest bidder. Seriously, how do they think T-Mobile's competitors are going to legally pay and use such information?

    • Re: (Score:2, Insightful)

      by jack2000 ( 1178961 )
      You think they offered it legally to the competitors?
    • Certainly not legally...

      Seems a little far-fetched to me too, but I suppose they would know better than me.
    • I suppose there are ways to hide the transaction, but if somebody wanted to catch these thieves, couldn't they just follow the money? I do hope they are caught. I have a Tmo account.
  • by Anonymous Coward on Sunday June 07, 2009 @03:50PM (#28243917)

    I happen to know a Nigerian Prince who would be *very* interested in their offer.

  • by Anonymous Coward on Sunday June 07, 2009 @03:58PM (#28243965)

    All of their production servers are running UNIX- or UNIX-like operating systems. Had they been running a Windows-only setup, this would not have happened.

    Ever heard of a high-profile Windows shop being compromised during the last five years? No? Didn't think so.

  • by jsveiga ( 465473 ) on Sunday June 07, 2009 @04:08PM (#28244041)

    Interesting. I only saw HP-UX, SunOS, AIX and Linux. No Windows used in T-Mobile, or they could not be cracked? Or T-Mobile just don't put anything important on Windows servers?

    • Interesting, how do you think they got through the firewall in the first place?

    • How hard is it to keep a Linux, AIX and SunOS servers patched with security updates, seriously. These boxes must of never been properly secured in the first place for that many operating systems to be compromised. I know it is a bit of security through obscurity but having multiple server OS usually offers you some protection but to have this many fail seems like they need to pay more $$$$ and get a competent sysadmin group. I would not be surprised if a majority of their day to day sysadmin work was out
  • by Anonymous Coward on Sunday June 07, 2009 @04:12PM (#28244073)

    And the best thing they can think of doing with it all is to offer it to T-Mobiles competitors? Seriously? I can think of tons of ways to profit off of all that information.

    However not one of those ways involves attempting to sell the information to companies that are legally required to report it. Or when that fails, announcing it to the public and getting every police agency in the world on my trail.

    • by cdrguru ( 88047 )

      I don't think there can be much in the way of law enforcement action. No damages, yet. No idea where they might be operating from, so jurisdiction is an open question.

      • Re: (Score:2, Informative)

        by eimsand ( 903055 )
        It's my understanding that unauthorized access to a computer system is a crime in and of itself. The misuse of data and/or facilities after the hack just add separate charges and penalties. (It should be clear that I'm not a lawyer...)
        • by cdrguru ( 88047 )

          Yes, but take it from someone that has many, many "unuthorized access attempts" made every day and a few that have been successful. Law enforcement begins when you can prove $25,000 (or more) in damages. No proof = no action.

          Similarly, unless you know where it is coming from they aren't much interested. Even the FBI is pretty much powerless to stop a Romainian hacker until there are really major damages in the millions of dollars. And most foreign law enforcement just laughs at US companies. Sucks to b

      • Re: (Score:3, Informative)

        by John Hasler ( 414242 )

        > I don't think there can be much in the way of law enforcement action. No damages, yet.

        Clear violation of the Computer Fraud and Abuse Act.

        > No idea where they might be operating from, so jurisdiction is an open question.

        Doesn't matter where they were operating from. T-Mobile is a US company and the computers that were cracked were in US territory so the US has jurisdiction. The question is custody: can the Feds find them and if so can they get them extradited (or otherwise gain custody).

  • T-Mobile Customer? (Score:3, Interesting)

    by cdrguru ( 88047 ) on Sunday June 07, 2009 @04:13PM (#28244083) Homepage

    If you are, you better start thinking about where to go next. Their service is now wide open. Anything transferred through their network is now questionable.

    Can you afford to send an email from a smartphone and have a couple of bytes changed, say from "no" to "yes"? Or from $100 to $10,000?

    Can you afford to have your phone records available to everyone on the Internet? How far back could T-Mobile's records go? Two years? Five years?

    I'd say if this was played right to the media it could shut T-Mobile down in about two weeks. After all, wouldn't that be a great goal? Their inability to keep hackers out equals no reason to be in business.

    Of course this was almost certainly an inside-assisted job. But then you better watch who your employees are. If you're employing people that have access to potentially sensitive data, how do you know they aren't in a financial bind and will do anything to make next month's mortgage payment? Or have some gambling debts that they have to pay or their wife will work off?

    I won't be happy to see T-Mobile (really Vodaphone from Germany) go under, but if these hackers have half a brain they will take the company down. If they are just your average script kiddies this will not make to the nightly news and will have no effect on the company.

    • by 117 ( 1013655 ) on Sunday June 07, 2009 @04:28PM (#28244231)

      T-Mobile (really Vodaphone from Germany)

      No, really T-Mobile (whose parent company is Deutsche Telekom) from Germany. Vodafone (not 'Vodaphone') are a UK-based company and T-Mobile's biggest rival.

      • by cdrguru ( 88047 )

        My mistake. I knew they were offshore and from Germany.

        Yup, I am on T-Mobile, until the hackers shut them down, if they do. I'd really like to see a demonstration of "hacker power" It might get people to wake up. But we are far more likely to see nothing come from this at all. Which means that everyone gets to bear the brunt of folks like this. And law enforcement yawns and ignores everything until something really, really bad happens.

    • The claim itself is damaging. If these hackers are lying, with the sole intent to damage T-Mobile's reputation, then they've already wildly succeeded, and the evidence they'd have to provide wouldn't require a very deep penetration at all.

    • Of course this was almost certainly an inside-assisted job. But then you better watch who your employees are. If you're employing people that have access to potentially sensitive data, how do you know they aren't in a financial bind and will do anything to make next month's mortgage payment? Or have some gambling debts that they have to pay or their wife will work off?

      You can never know for certain. Even if you could know, how do you know that one of the people whose job is to watch other people isn't compromised?

      Rather than require that employees have absolutely zero privacy, a far better approach is to implement business processes that are inherently self-checking. Kind of like the two-man switch for nuclear missile launches as seen in the movies. That way you limit the damage that a single compromised employee can do. While it may be possible to compromise one arb

    • by antdude ( 79039 )

      Where to though? All companies have problems. :(

    • by eison ( 56778 )

      What makes you think it's different anywhere else?

  • by forgottenusername ( 1495209 ) on Sunday June 07, 2009 @04:50PM (#28244405)

    I'll wait for some validation. Cuz, you know;

    prodsrv1|192.168.1.200|root@cia.gov sekret files|for realz|RHEL4

    isn't especially convincing.

    Even if it's a real list, it could be something as simple as a pilfered company document off a laptop, a script-kiddie wannabe hacker employee showing off to his friends on IRC, or any of a hundred scenarios.

    Do I doubt it's difficult to own a bunch of HP-UX boxes? Nah.

    Have I learned to not spastically freak out every time some random people claim they hacked something? Yah.

    Trouble is, T-Mobile wouldn't exactly be forthcoming with any confirmations.

    At the end of the day, you just have to plan around being hacked. You have to ensure your payment method associated with external services can handle being owned. You have to be ready for people getting your SSN and private info, since it's moronically being used for frivolous purposes everywhere.

    Which is not to say you shouldn't do your best to keep your data protected and secure - I just try to plan around any data I give out to various companies being owned.

  • by Anonymous Coward on Sunday June 07, 2009 @08:02PM (#28245865)

    This doesn't surprise me at all. I used to work there a few years ago. Security was not something they were concerned with in the least. RSH was used everywhere and they refused even use telnet let alone ssh. The root passwords on all the Unix servers that controlled the switch was the name of the switch manufacturer. So Nokia was nokia and Nortel was nortel. Frankly this wasn't the worst thing there, don't try to do anything that might improve service or change the way things are done because that would upset the norm.

  • Hmmmmm.... (Score:5, Funny)

    by IonOtter ( 629215 ) on Sunday June 07, 2009 @08:05PM (#28245875) Homepage

    Now's my chance to call all those phone-sex lines I've always been curious about!

    Sir, you owe $15,239 and 33 cents.

    "But I never made those calls!?! You people got hacked last month, didn't you? They must have stolen my info!"

    Oh, that's right. Alright sir, we'll take care of it. Uhmmm...by the way, sir? I can barely hear you. Why do you sound so far away?

    "Oh, I can't hold my phone. I uhhh...I sprained my wrists."

  • by TechnoGrl ( 322690 ) on Sunday June 07, 2009 @09:07PM (#28246241)

    Anyone who does not have the wherewithal and sense to not make public their extortion demand, very likely does not have the sense and wherewithal to actually harvest information. I see a text depiction of a list of alleged connections to T-Mo servers.

    I do not see actual data - show me a 500 data item sample if you have anything at all.

    My best guess: Some 15 year old in an Eastern European country will shortly have some 'splainin to do.
     

  • by luftmatraze ( 1567915 ) on Monday June 08, 2009 @04:05AM (#28248495)

    I am working for a Relatively Large Teleco in Europe and can say from the list of server names that this is a plausible hack.

    Whether or not however they have real information or just DNS entries however is yet to be seen.

    What is the basis for this conclusion?

    protib02 Prod IHAP TIBCO 582 Tibco 10.1.81.21 HP-UX 11.11 BOTHELL_7 582 #N/A 1 - Tibco. An application layer messaging bus used heavily in FAB (Fulfilment Assurance Billing) area of large telecos
    proetl02 Prod IHAP Teradata 576 teradata 10.133.17.51 HP-UX 11.11 NEXUS #N/A #N/A 1 - Teradata.... another product I know we are using (unknown however exactly what it does)
    prowac06 Prod IHAP EAI 151 EAI - Middleware 10.1.80.91 HP-UX 11.11 BOTHELL_7 151 #N/A 1 - EAI - Middleware application used also in telecos.

    Similarly the SAP Naming convention used roughly translates to some deployments I have seen in the past.

    What does this whole thing give away....

    Looking at the naming conventions they have three "defined" network zones:
    TAMPA - Management (HP OVO, DNS, Backup Servers)
    BOTHELL - Application Server zone with all sorts of stuff. Big flat topology....(ugly with lots of different services using the same subnets and DB Servers not seperated from AS)
    NEXUS - Another Application Server Zone with a mix of stuff within it. This appears smaller and newer than the other from the server names.

    What does this show from a security perspective?

    - No clear Security Architecture ... No 3 tier architecture DMZ/Application Server/DB Server split.
    - No clean separation of Backup network (backup mixed with Management functions... this should be in a seperate network).
    - No clean separation of Management Network (SAN/Backup/OVO located together)

    In any Teleco situation with thousands of servers it is impossible to prevent a security breach. There is always going to be servers somewhere which are unpatched, legacy, forgotten etc.
    What is important is a "defence in depth" principle to limit any disclosure. In this instance that appears not to have been followed. The topology is "Flat" with an emphasis on easier communications between systems rather than minimizing communications to minimum required. This essentially stopped any chance of them being able to limit a breach.

    Hopefully someone will get some lessons learned out of this. I know I will be presenting some points to our management where we should be focusing based upon this. Our security is definitely better but nothing is perfect.

    I'm interested in any points that anyone else could offer here, I have not discussed all points however I am interested in the perspective of others from what they can mine there.

    Please more comments!

    http://streetstyles.ch/ [streetstyles.ch] - Schweiz Band & Fashion Tshirts

This is now. Later is later.

Working...