Slashdot Mirror


Hackers Claim To Hit T-Mobile Hard

dasButcher writes "Hackers are claiming to own T-Mobile USA's servers and to have access to the cellular phone carrier's operations, finance and subscriber data." (Here's the seclists.org post of the claimed breach.)

5 of 302 comments

  1. Re:Be warned! by Ethanol-fueled · · Score: 5, Informative

    NoScript on Firefox throws a "potential XSS attempt" warning.

  2. Re:T-Mobile Customer? by 117 · · Score: 5, Informative

    T-Mobile (really Vodaphone from Germany)

    No, really T-Mobile (whose parent company is Deutsche Telekom) from Germany. Vodafone (not 'Vodaphone') are a UK-based company and T-Mobile's biggest rival.

  3. Re:Using the data for good purposes by otter42 · · Score: 4, Informative

    Please do so now, in detail, with references containing verifiable data on the costs.

    I'm guessing you don't understand how SMSes work. You do realize that they are effectively free for the cell phone company, right? Your cell phone is already sending this kind of message every time it reports back to a tower. It's just that most of the message is empty, but the bandwidth is still used. So, by piggy-backing a human-to-human message onto the cell-to-tower report, you get an SMS that has an effectively $0.00 incidental cost.

    That's point #1. Point #2 is that an SMS is an amazingly small amount of bandwidth compared to voice, and yet it costs far more than voice.

    Point #3 is linking back to /. http://tech.slashdot.org/article.pl?sid=08/01/29/0244208

    Of course, I could go on and on, but that would be saving you all the fun of independent research. I'm certain that if there are still things bothering you after you've read this (and don't miss the EU's current action against the European cell pseudo-monopolies!), people here will be happy to help.

    --
    www.eissq.com/BandP.html Ball and Plate System. Amuse your friends. Crush your enemies.

  4. Re:Using the data for good purposes by Art+Popp · · Score: 4, Informative

    Collusion would be the best explanation in a void of facts. Here I think I can be of assistance.

    I am a telecommunications engineer. I am reading this article because it relates to my industry, not because of any belief that these data thieves have done anything remotely interesting. Given that it may be "on topic" to assume this could affect SMS pricing, it seems then "on topic" to relate why it cannot.

    Here are the Big Secrets:

    Except for one hour a day, SMSs don't cost anything.

    Except for one hour a day, Voice calls don't cost anything.

    There. It's out. The servers that process these things on average draw 4.0 amps per 2U at idle and 4.5 amps per 2U at busy. That's the total power savings ratio going from peak-hour to 4 a.m.

    Since the equipment is already sitting there, the bandwidth is already leased and a large carrier rarely has to use another carrier's network for Long Distance transport, the fixed costs burn whether you are yammering away on your phone or not.

    Where adding customers to the network costs money is when those customers make a call during the busy hour. A "blocked call rate" is the % of people who get a network-busy signal or some sort of error when they try to make a call while the system is already at full capacity. Large carriers try to keep this number below 1%.

    So where you cost them money in added infrastructure is when you make calls that contribute to busy hour traffic. The rest of the time the cost of your calls rounds comfortably down to zero.

    Since the cost of support in a given month is 90% sunk whether you have zero calls or spend the whole month busy, your marketing department is given a large dollar figure they have to get from the subscribers so you can stay in the black.

    The question then is "How to bill for it?" Enter game theory.

    If you announced to the world what your busy hour is (say 9 a.m.), and that you were only charging for calls during that time, naturally no one would call during that time. You could then announce the new busy hour (now 10 a.m.), and then people would avoid that.... I'm sure you see where this is going. As a carrier with a growing subscriber base you'd still have to be adding cell-sites for the constantly roving busy hour and people on your network would constantly have to update their calling habits to dodge it.

    So they pick a large chunk of the day where the business users can't really avoid making calls and they divide the cost of busy hour infrastructure across those hours. It's not all that tricky. The rest of the day is given away free or near free as the marketing gimmick enthusiasts see fit.

    Slightly trickier is the math to relate people's usage to the probability that they will cost you money in infrastructure upgrades. It's convoluted, but there isn't even any calculus involved. I've seen the spreadsheets where this is done. They generally just tweak a number here and a number there and hit F9 until they see the numbers they like.

    The same issues apply to SMS. If you announced that "on your network all SMSs are free" you'd get people switching over just because of that (more money == good), but then they'd be SMS enthusiasts who would shortly saturate your SS7 infrastructure with messages. That equipment is very expensive. You can argue that it shouldn't be and what a great value it would be to create a nationwide wireless topology consisting entirely of WRT54Gs, but in the real world, the only people buying SS7 gear are large carriers, and the people selling it know that and charge much like they would charge the government.

    So you want
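The busy-hour argument above, worked through as an added example (not part of the comment or of any carrier's spreadsheet): the blocked-call rate is modelled with the standard Erlang B recurrence, which the comment does not name and which is assumed here, and the traffic figures are constructed.

```python
def erlang_b(channels, erlangs):
    """Erlang B blocking probability: the share of call attempts that find
    every channel busy, computed with the standard recurrence (no calculus)."""
    b = 1.0
    for m in range(1, channels + 1):
        b = erlangs * b / (m + erlangs * b)
    return b

def channels_for(erlangs, max_blocking=0.01):
    """Smallest channel count keeping the blocked-call rate at or below target
    (the comment's "below 1%" figure is the default)."""
    if erlangs <= 0:
        return 0
    m = 0
    while erlang_b(m, erlangs) > max_blocking:
        m += 1
    return m

def incremental_channels(busy_hour_erlangs, new_subscribers, max_blocking=0.01):
    """Extra channels forced by new subscribers. Each subscriber is a
    (busy_hour_erlangs, off_peak_erlangs) pair; only the busy-hour load
    enters the sizing, which is the comment's point that off-peak traffic
    rounds down to zero cost."""
    before = channels_for(busy_hour_erlangs, max_blocking)
    added = sum(bh for bh, _ in new_subscribers)
    after = channels_for(busy_hour_erlangs + added, max_blocking)
    return after - before

if __name__ == "__main__":
    # Constructed numbers: a cell carrying 10 Erlangs in the busy hour.
    business = [(0.02, 0.01)] * 100   # 100 users who call during the busy hour
    night_owls = [(0.0, 0.10)] * 100  # 100 users who only call off-peak
    print(channels_for(10.0))                      # 18
    print(incremental_channels(10.0, business))    # 2
    print(incremental_channels(10.0, night_owls))  # 0
```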

  5. Plausible based upon server names. by luftmatraze · · Score: 4, Informative

    I am working for a Relatively Large Telco in Europe and can say from the list of server names that this is a plausible hack.

    Whether they have real information or just DNS entries, however, is yet to be seen.

    What is the basis for this conclusion?

    protib02 Prod IHAP TIBCO 582 Tibco 10.1.81.21 HP-UX 11.11 BOTHELL_7 582 #N/A 1 - Tibco. An application layer messaging bus used heavily in the FAB (Fulfilment Assurance Billing) area of large telcos
    proetl02 Prod IHAP Teradata 576 teradata 10.133.17.51 HP-UX 11.11 NEXUS #N/A #N/A 1 - Teradata.... another product I know we are using (unknown however exactly what it does)
    prowac06 Prod IHAP EAI 151 EAI - Middleware 10.1.80.91 HP-UX 11.11 BOTHELL_7 151 #N/A 1 - EAI - Middleware application also used in telcos.

    Similarly the SAP Naming convention used roughly translates to some deployments I have seen in the past.

    What does this whole thing give away....

    Looking at the naming conventions they have three "defined" network zones:
    TAMPA - Management (HP OVO, DNS, Backup Servers)
    BOTHELL - Application Server zone with all sorts of stuff. Big flat topology....(ugly with lots of different services using the same subnets and DB Servers not separated from AS)
    NEXUS - Another Application Server Zone with a mix of stuff within it. This appears smaller and newer than the other from the server names.

    What does this show from a security perspective?

    - No clear Security Architecture ... No 3 tier architecture DMZ/Application Server/DB Server split.
    - No clean separation of Backup network (backup mixed with Management functions... this should be in a separate network).
    - No clean separation of Management Network (SAN/Backup/OVO located together)

    In any Telco situation with thousands of servers it is impossible to prevent a security breach. There are always going to be servers somewhere which are unpatched, legacy, forgotten etc.
    What is important is a "defence in depth" principle to limit any disclosure. In this instance that appears not to have been followed. The topology is "Flat" with an emphasis on easier communications between systems rather than minimizing communications to minimum required. This essentially stopped any chance of them being able to limit a breach.

    Hopefully someone will get some lessons learned out of this. I know I will be presenting some points to our management where we should be focusing based upon this. Our security is definitely better but nothing is perfect.

    I'm interested in any points that anyone else could offer here, I have not discussed all points however I am interested in the perspective of others from what they can mine there.

    Please more comments!

    http://streetstyles.ch/ - Schweiz Band & Fashion Tshirts
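The zone-mixing review the comment does by eye, as an added example (not the commenter's or any carrier's tooling): the inventory below is constructed in a simplified "host zone ip description" layout that mirrors the leaked list's columns, and the keyword-to-tier mapping is an assumption of this script, so adapt it to whatever naming convention your own inventory uses.

```python
import re
from collections import defaultdict

# Constructed inventory in a simplified "host zone ip description" layout that
# mirrors the leaked list's columns; hostnames, IPs and roles are made up.
SAMPLE_INVENTORY = """\
protib01 BOTHELL 10.0.1.21 Tibco messaging bus
prodb01  BOTHELL 10.0.1.40 Oracle DB
proetl01 BOTHELL 10.0.1.51 Teradata warehouse
prosap01 NEXUS   10.0.2.60 SAP application
proeai01 NEXUS   10.0.2.61 EAI - Middleware
proovo01 TAMPA   10.0.3.10 HP OVO management
probkp01 TAMPA   10.0.3.20 Backup server
"""
# Keyword-to-tier mapping, assumed for this audit (not from the original post).
TIERS = {"db": {"oracle", "teradata", "db"}, "app": {"tibco", "eai", "sap", "middleware"},
         "mgmt": {"ovo", "dns", "san"}, "backup": {"backup"}}

def classify(description):
    """Map a free-text role description to a tier by whole-word keyword match."""
    words = set(re.findall(r"[a-z]+", description.lower()))
    for tier, keywords in TIERS.items():
        if words & keywords:
            return tier
    return "unknown"

def parse_inventory(text):
    hosts = []
    for line in text.splitlines():
        if line.strip():
            host, zone, ip, desc = line.split(maxsplit=3)
            hosts.append({"host": host, "zone": zone, "ip": ip, "tier": classify(desc)})
    return hosts

def zone_tiers(hosts):
    """Tiers present in each zone; a defence-in-depth design wants one tier per zone."""
    tiers = defaultdict(set)
    for h in hosts:
        tiers[h["zone"]].add(h["tier"])
    return dict(tiers)

def segmentation_findings(hosts):
    """Flag the mixing patterns the post calls out: DB beside app, backup beside management."""
    findings = []
    for zone, tiers in sorted(zone_tiers(hosts).items()):
        if {"db", "app"} <= tiers:
            findings.append(f"{zone}: database and application servers share a zone")
        if {"backup", "mgmt"} <= tiers:
            findings.append(f"{zone}: backup servers sit in the management zone")
    return findings
```

Running `segmentation_findings(parse_inventory(SAMPLE_INVENTORY))` on the constructed data reports BOTHELL and TAMPA and leaves NEXUS clean, which is the single-tier-per-zone shape the comment is arguing for.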