More Holes Found in T-Mobile Website
mogwhat writes "Even though T-Mobile's website was decisively hacked into over a year ago by now (in)famous cracker Nick Jacobsen, a blog posting by computer security expert Jack Koziol details many serious security holes in various T-Mobile websites. You would think that T-Mobile would have paid attention the first time? Time to get a new cell phone provider!"
Can you pw*404*
Aaw crap. I guess he could.
Why is it that every time a Slashdot news story gets posted, a ridiculously inane comment or question has to be appended to the actual news item?
Could this be the lamest thing ever?
TMobile Customers should let TMobile know that we care about security issues on their website, and that we consider this to be very important for our continued relationship with them!
The issue is that when Nick Jacobsen owned T-Mobile's website, he used that to gain access to their entire network -- every picture sent or received, every text message, possibly even phone calls. He owned a good portion of the company.
I mod down pyramid schemes in sigs.
Traditional Landline companies take customer privacy very seriously (at least the ones I worked for) but the new technologies - Mobility, cell, internet divisions/companies always seemed to be playing fast and loose with phone company policy. Very frustrating from the landline side of the house. Not that the landline divisions are much more secure but at least they generally have the right attitude to security.
The rock, the vulture, and the chain
From the latest CryptoGram by Bruce Schneier:
"T-Mobile suffered some bad press for its lousy security, nothing more. It'll spend some money improving its security, but it'll be security designed to protect its reputation from bad PR, not security designed to protect the privacy of its customers."
And I seriously doubt if the treatment of security would be or is any better from any of the other cellular carriers.
- SR
"God is a comedian playing to an audience too afraid to laugh." -- Voltaire
No, but the guy who hired him (or the guy who hired that guy, or so on up the chain), and didn't do something about it when he failed the first time, is the same guy who hired the guy who runs your telephone network, and is responsible for ensuring he does a good job. Still feel happy using them?
I am trolling
T-Mobile is a German company. Originally it was called "Telekom" which is short for "Telecommunication", then they split up their departments into T-Com (responsible for telephone services), T-Online (ISP services), T-Systems (business solutions) and T-Mobile (mobile communication). They just kept the name when buying themselves into the US market.
Let's see, your network is so insecure that someone hacks into it using government accounts and steals private information from your company.
Do you...
a) tighten your security on your network so it doesn't happen again
b) apologize and place it on your "things to do" list or
c) don't change a damn thing but pay Snoop Dogg and company mega bucks to advertise your new Sidekick II?
If you're T-Mobile then c is the correct answer!
Good Karma, Bad Karma, doesn't matter to me... I'm still going to say what's on my mind!
T-Mobile use GSM.
Soooooo........how does your digital scanner break the encryption?
Encryption in the GSM network utilizes a Challenge/Response mechanism.
The Mobile Station (MS) signs into the network.
The Mobile Services Switching Center (MSC) requests 5 triples from the Home Location Register (HLR).
The Home Location Register creates five triples utilizing the A8 algorithm. These five triples each contain:
A 128-bit random challenge (RAND)
A 32-bit matching Signed Response (SRES)
A 64-bit ciphering key used as a Session Key (Kc).
The Home Location Register sends the Mobile Services Switching Center the five triples.
The Mobile Services Switching Center sends the random challenge from the first triple to the Base Transceiver Station (BTS).
The Base Transceiver Station sends the random challenge from the first triple to the Mobile Station.
The Mobile Station receives the random challenge from the Base Transceiver Station and encrypts it with the Individual Subscriber Authentication Key (Ki) assigned to the Mobile Station utilizing the A3 algorithm.
The Mobile Station sends the Signed Response to the Base Transceiver Station.
The Base Transceiver Station sends the Signed Response to the Mobile Services Switching Center.
The Mobile Services Switching Center verifies the Signed Response.
The Mobile Station generates a Session Key (Kc) utilizing the A8 algorithm, the Individual Subscriber Authentication Key (Ki) assigned to the Mobile Station, and the random challenge received from the Base Transceiver Station.
The Mobile Station sends the Session Key (Kc) to the Base Transceiver Station.
The Mobile Services Switching Center sends the Session Key (Kc) to the Base Transceiver Station.
The Base Transceiver Station receives the Session Key (Kc) from the Mobile Services Switching Center.
The Base Transceiver Station receives the Session Key (Kc) from the Mobile Station.
The Base Transceiver Station verifies the Session Keys from the Mobile Station and the Mobile Services Switching Center.
The A5 algorithm is initialized with the Session Key (Kc) and the number of the frame to be encrypted.
Over-the-air communication channel between the Mobile Station and Base Transceiver Station can now be encrypted utilizing the A5 algorithm.
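
The challenge/response exchange from the comment above, as an added example that is not part of the original thread: an HLR issues five (RAND, SRES, Kc) triples, the MSC spends one per attempt, and a handset holding the wrong Ki fails the SRES check. Assumptions: HMAC-SHA-256 stands in for A3/A8 (it is not a real GSM algorithm), the class and function names, the IMSI and the 128-bit Ki are constructed for the sketch, and the handset derives Kc locally rather than transmitting it.

```python
import hashlib
import hmac
import secrets

def a3_a8(ki, rand):
    """Stand-in for A3 (SRES) and A8 (Kc): HMAC-SHA-256, not a real GSM algorithm."""
    digest = hmac.new(ki, rand, hashlib.sha256).digest()
    return digest[:4], digest[4:12]          # 32-bit SRES, 64-bit Kc

class HLR:
    """Holds each subscriber's Ki and precomputes triples for the MSC."""
    def __init__(self):
        self.ki_by_imsi = {}

    def triples(self, imsi, count=5):
        ki = self.ki_by_imsi[imsi]
        out = []
        for _ in range(count):
            rand = secrets.token_bytes(16)   # 128-bit RAND
            out.append((rand, *a3_a8(ki, rand)))
        return out

class MobileStation:
    def __init__(self, imsi, ki):
        self.imsi, self.ki, self.kc = imsi, ki, None

    def respond(self, rand):
        sres, self.kc = a3_a8(self.ki, rand)  # Kc stays on the handset
        return sres

class MSC:
    def __init__(self, hlr):
        self.hlr, self.unused = hlr, {}

    def authenticate(self, ms):
        """Return the Kc to hand to the BTS, or None if SRES does not match."""
        if not self.unused.get(ms.imsi):
            self.unused[ms.imsi] = self.hlr.triples(ms.imsi)
        rand, sres, kc = self.unused[ms.imsi].pop(0)   # one triple per attempt
        answer = ms.respond(rand)            # RAND: MSC -> BTS -> MS; SRES back
        return kc if hmac.compare_digest(answer, sres) else None

if __name__ == "__main__":
    hlr = HLR()
    hlr.ki_by_imsi["001010000000001"] = secrets.token_bytes(16)  # constructed
    sim = MobileStation("001010000000001", hlr.ki_by_imsi["001010000000001"])
    print("session key agreed:", MSC(hlr).authenticate(sim) == sim.kc)
```

Only RAND and SRES cross the link in this sketch; both sides reach the same Kc because both hold Ki.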