T-Mobile Responds to Hack Claims - Nothing to See, Please Move On
Following on from our recent article on a claimed successful attack against the telecommunications giant, T-Mobile, it appears that the situation still remains a little murky, with reports claiming that the company has both confirmed and denied that a breach took place.
Ignoring for a moment the most recent statements by T-Mobile, the original claim of a hack seemed to offer tabulated internal network data as proof of successful compromise of the company. This is the sort of information that would be easy to extract in a single file, and is something that would be expected to exist in any non-trivial network to aid administrators with keeping the network and associated systems operating smoothly. While having possession of the file reduces the need for an attacker to manually map out the network, it isn't something that many would consider overly damaging, especially if network and system security was robust.
Perhaps if a company had thrown all their intrusion and detection system eggs into the basket of Network Intrusion over Host Intrusion Detection Systems (NIDS vs HIDS), then possession of this list would allow an attacker to immediately commence extremely targeted attacks against single systems, hoping to avoid triggering the NIDS (which should be triggering on the external access in the first place), but it should be triggering a properly managed HIDS. The flip side is that having an attacker in possession of a well-enumerated network map makes it simpler for them to target systems which might have an unpatched vulnerability, or which have a degraded HIDS, when their network mapping activity should have triggered on a properly managed NIDS.
A blended approach, with both systems in place and properly managed isn't going to be overly threatened by an attacker having possession of a network map. All it means is that the timeline between initial contact with the network / company systems and compromise / extraction of sensitive data is compressed, reducing the available opportunity to detect, trap and stop the hack and data extraction.
T-Mobile's statements seem to support this point of view, acknowledging that the information published did exist in a file (again there are conflicting reports about the validity of this statement), which has now been identified, and that an investigation is now ongoing to determine the extent and severity of any breach that took place.
The downside for external observers is that T-Mobile are not obliged to make public the results of their internal investigation, and if it is confirmed that personal data was affected for customers, then it could take some time for that information to come out. If affected customers are notified individually, it may never be known just how significant any breach might have been.
Truth, as it is in many cases like this, will lie somewhere between the extremes being put forward (no or minimal hack and full network access and compromise), but it is more likely to lie towards a minor network penetration and data extraction - after all, the information that was published had to come from somewhere.
It is entirely possible that the information was the result of improperly disposed of hardware or a lost storage device.
At the least, it put some excitement back into the old Full-Disclosure mailing list.
A big welcome, by the way, to those reading this article from within T-Mobile's network. Yes, we know you're there. If you, or any of our readers would like to get in touch with us, we're always happy to discuss analysis and material beyond what is published.
11 June 2009
Social bookmark this page at eKstreme.
Alternatively, Bookmark or Share via AddThis
Do you like how we cover Information Security news? How about checking out our company services, delivered the same way our news is.
Let our Free OS X Screen Saver deliver the latest security alerts and commentary to your desktop when you're not at your system.
Comments will soon be available for registered users.
Subscribe to our feed.