Slashdot Mirror


Hackers Claim To Hit T-Mobile Hard

dasButcher writes "Hackers are claiming to own T-Mobile USA's servers and to have access to the cellular phone carrier's operations, finance and subscriber data." (Here's the seclists.org post of the claimed breach.)

20 of 302 comments

  1. Re:Why.... by tftp · · Score: 5, Insightful

    Why isn't this stuff encrypted?

    My guesses: legacy, convenience, lack of care, lack of duty.

  2. Look on the bright side.. by nanospook · · Score: 5, Insightful

    Maybe the hackers can offer better service?

    --
    Have you fscked your local propeller head today?

  3. Be warned! by siloko · · Score: 5, Interesting

    Funny - I get a fraud warning from the link disclosing the breach . . . Opera being over-sensitive I think. "This site is known to distribute malicious software" - NMap has got such a bad name!!

    1. Re:Be warned! by Ethanol-fueled · · Score: 5, Informative

      Noscript on Firefox throws a "potential XSS attempt" warning.

  4. Re:Why.... by bi_boy · · Score: 5, Insightful

    My guess is the conversations go like this:

    Front-line Manager: We need to encrypt our dataz.
    Middle Manager: How much will this cost?
    Front-line Manager: (insert any number)
    Middle Manager: No.

    --
    Chicken fried butter sticks? Do ... do you use a fork? - Black Mage, 8-Bit Theater

  5. They're in luck! by Anonymous Coward · · Score: 5, Funny

    I happen to know a Nigerian Prince who would be *very* interested in their offer.

  6. Re:Why.... by Tanktalus · · Score: 5, Insightful

    What stuff? You mean the raw database? Theoretically, there are various layers of security here: firewalls to the outside, authentication to particular views on the inside where only data you Need To Know is available to you, and proper firewalls on each database server to limit access to the database port(s) and probably ssh.

    If the hackers could get through all of this, they must be *very* good. More likely, however, is that they have someone on the inside which bypasses all of this. And it would bypass the encryption on the data anyway since s/he obviously already had Need To Know to get at the data anyway, and thus would have the decryption key. There isn't much a corporation can do against an insider that needs that info just to perform the job they were hired to perform.

  7. Re:Using the data for good purposes by 93+Escort+Wagon · · Score: 5, Insightful

    However, I'd like to see a silver lining to this by seeing the data employed to put paid to the idea that SMSes have to cost so much.

    Yeah, the hackers have sure demonstrated their high ideals by offering the data for sale to the highest bidder. I'm sure they're all just wonderful people who are only thinking of the greater good.

    And yes, that was sarcasm. In truth, my opinion of these guys couldn't be much lower than it currently is.

    --
    #DeleteChrome

  8. All UNIX/UNIX-likes by Anonymous Coward · · Score: 5, Funny

    All of their production servers are running UNIX- or UNIX-like operating systems. Had they been running a Windows-only setup, this would not have happened.

    Ever heard of a high-profile Windows shop being compromised during the last five years? No? Didn't think so.

    1. Re:All UNIX/UNIX-likes by 2phar · · Score: 5, Funny

      You do realize you can register for free Steve, right?

    2. Re:All UNIX/UNIX-likes by BronsCon · · Score: 5, Funny

      Ever heard of a high-profile Windows shop being compromised during the last five years? No? Didn't think so.

      Of course we don't hear about it anymore. It's not news!

      --
      APK quotes people (including myself) without context and should not be trusted. Just thought you should know.

  9. Millions of credit cards, unprecedented access by Anonymous Coward · · Score: 5, Insightful

    And the best thing they can think of doing with it all is to offer it to T-Mobile's competitors? Seriously? I can think of tons of ways to profit off of all that information.

    However not one of those ways involves attempting to sell the information to companies that are legally required to report it. Or when that fails, announcing it to the public and getting every police agency in the world on my trail.

  10. Re:T-Mobile Customer? by 117 · · Score: 5, Informative

    T-Mobile (really Vodaphone from Germany)

    No, really T-Mobile (whose parent company is Deutsche Telekom) from Germany. Vodafone (not 'Vodaphone') are a UK-based company and T-Mobile's biggest rival.

  11. Before I hit the panic button by forgottenusername · · Score: 5, Insightful

    I'll wait for some validation. Cuz, you know;

    prodsrv1|192.168.1.200|root@cia.gov sekret files|for realz|RHEL4

    isn't especially convincing.

    Even if it's a real list, it could be something as simple as a pilfered company document off a laptop, a script-kiddie wannabe hacker employee showing off to his friends on IRC, or any of a hundred scenarios.

    Do I doubt it's difficult to own a bunch of HP-UX boxes? Nah.

    Have I learned to not spastically freak out every time some random people claim they hacked something? Yah.

    Trouble is, T-Mobile wouldn't exactly be forthcoming with any confirmations.

    At the end of the day, you just have to plan around being hacked. You have to ensure your payment method associated with external services can handle being owned. You have to be ready for people getting your SSN and private info, since it's moronically being used for frivolous purposes everywhere.

    Which is not to say you shouldn't do your best to keep your data protected and secure - I just try to plan around any data I give out to various companies being owned.

  12. Re:Why.... by N7DR · · Score: 5, Insightful

    As a purveyor of security software (to a different industry), I've seen countless times that almost always the conversation really does go along an only slightly-less direct route:

    A. We need to secure X
    B. How much does it cost?
    A. (insert any dollars)
    B. Do we have to spend that?
    A. We do if we want to be reasonably secure.
    B (thinks... We're smart people; we can install a few firewalls; that'll keep the Bad Guys out)
    B. (Having insight) But this is like insurance, right? If we keep people out of the network, we don't get anything for those dollars.
    A. Well, sort of, I suppose so.
    B. Right, we'll save those dollars.

    ---

    You have to assume that Bad Guys CAN get into your network if they really want to. Because the truth is, whatever your in-house people have told you, they can. If you doubt me, talk to people whose job is to break into networks. All the ones I've known will tell you that 100% of targeted commercial networks fall to a concerted attack.

    When they do fall, security's job is to make sure, at a minimum:
        1) the Bad Guys can't learn anything useful
        2) the Bad Guys can't interfere with the service you're selling
        3) there's a high probability that you'll detect the event and be able to track the Bad Guys

    B's insight isn't a bad one at all... security *is* a kind of insurance. Which means that most of the time, if you have a well-designed system you really are "wasting" the dollars. But one day you or your successor will regret those "saved" dollars.

    B's job really is to make a proper cost/benefit analysis. My experience is that that almost never happens. They either just "save" the dollars without thinking or, more often, either a) look to what their competition is doing or b) assume that the risk is so small ("we haven't been hacked so far") that it's not worth spending any money.

  13. Re:nice! by hurfy · · Score: 5, Funny

    Does this mean service will improve?

  14. Re:worthless data! by plover · · Score: 5, Insightful

    If I were an AT&T official and they contacted me? I'd absolutely be interested. I'd also be on the phone to internal corporate security and the FBI before I finished reading the email.

    If this story is true, those are some mighty bold thieves. AT&T probably has more resources than anyone else on the planet for tracking down the originator of that communication. For that matter, AT&T are probably the ones the FBI contacts when they want to hunt down a bad guy, so you know there's a long relationship there, too.

    Times may be tough, but various competing corporations often have informal and even friendly relationships with each other when it comes to Loss Prevention departments. They share info on thieves and threats, and despite outward animosity between two competing companies, their L.P. departments do tend to help each other out with situations like these. I know that's the case in retail, where organized crime investigations actually can have cooperation between companies like Walmart and Best Buy. There's definitely an "old boy's network" behind the scenes as these employees shift between companies and don't forget their old friends. It's a lot like the cop brotherhood (in part because many of the L.P. staffs are actually retired cops.) AT&T likely wants these guys caught almost as much as T-Mobile does.

    --
    John

  15. Re:T-Mobile Customer? by number11 · · Score: 5, Insightful

    I think we are entering an age where everyone knows the employee's loyalty goes just as far as the permanence of their job, and no job is permanent anymore. So everyone is out for themselves, and if they see a chance to grab some kind of a big payoff they are going to take it. Or toss a wrench into the works just to see what happens.

    Well, over the last 20 years or so, companies in general have made it abundantly clear that they feel little or no obligation to their workers. Their stockholders and CEOs, yes, but not their workers. I'm not saying they really ever did, but for perhaps 50 years there was a facade (pensions, long-term employment, etc.).

    So it's entirely reasonable that workers return the favour.

  16. Re:Why.... by jesset77 · · Score: 5, Funny

    It seems your theory is kind of flawed, because if their protection was indeed that good the thieves probably wouldn't have gotten the data they did.

    I think your assumption that "the thieves did get data" is premature. I am not seeing corroborative data anywhere.

    Speaking of which, based upon analyzing the deleted video files on your primary partition, you should get the old lady a membership at the local gym or something. :P

    --
    People willing to trade their freedom of expression for temporary entertainment deserve neither and will lose both.

  17. Hard to tell yet. by Kadin2048 · · Score: 5, Insightful

    They might have technical chops or they might just be taking advantage of a disgruntled employee or other low-tech hole; it's impossible to say so far. What's clear is that they obviously had no idea what to do with the data once they got their hands on it.

    I mean, did they really think they could just grab a dump of T-Mobile's customer database and sell it to AT&T? C'mon. Let's think about that for a minute -- what the hell is AT&T going to do with it? I'm sure their marketing department knows all about T-Mobile's demographics versus their own, and if not (and if they care) they could find out with a few calls and some relatively small payments to a research firm. Same with just about anything else I can possibly imagine them extracting from T-Mobile's servers. If AT&T or Verizon is really dying to know something about T-Mobile's operations, they have lots of easier ways to figure it out that involve a lot less risk than buying red-hot DB dumps from criminals.

    Also, anyone with half a brain ought to realize that all the telco companies live in fear of being broken into, and that a major breakin is going to hurt the public's perception of the entire industry. The U.S. cellular telcos are, basically, a cartel: and if there's one thing cartel members hate more than each other, it's disruptive outsiders. T-Mobile's competitors probably didn't respond because they thought it was a joke, or some sort of Nigeria scam; if they'd known it was serious, they almost certainly would have done what Pepsi did and called the cops. Not for altruistic reasons, but for sound business ones: having basically mercenary criminals screwing around, stealing data, scaring customers, and generally upsetting the normal business environment is not to any legitimate player's advantage.

    The other red-flag that screams amateur hour about the whole thing is what they did after being turned down by the "competitors" -- they posted what amounts to a "for sale" ad to the Full Disclosure list. They thought that was the best venue for selling a shitload of customer financial records? Really? There are bulletin boards, whole online communities, where criminals trade identity information. It's a mature underground economy; the information they had -- names, addresses, CC numbers, SSNs -- would have been a fungible, commodity product, well-understood and easy to resell for cash.

    However they got the information in the first place, it's pretty clear they didn't think their cunning plan all the way through.

    --
    "Ladies and gentlemen, my killbot features Lotus Notes and a machine gun. It is the finest available."