Could a T-Mobile data breach be traced to creaky machines?
Last Saturday, a group of hackers cited by Insecure.org claimed to have pilfered "everything, their databases, confidential documents, scripts and programs from their servers, financial documents up to 2009," belonging to T-Mobile. If the claims of a data breach are proven true, investigators should look to some of the machines brought into the company as part of previous deals with third-party providers to modernize the network.
They should also ask what part of "upgrade" the company doesn't understand.
Analysis of the information currently available on the breach indicates that a great many of the machines claimed as breached by the people behind "[email protected]" are behind the times -- in a few cases, seriously behind.
SunOS 5.9, for instance, is the operating system present on a slew of allegedly breached machines handling various functions including (some) security; that version was released in 2002 and superseded in 2005. HP-UX 11.1 and 11.23, which appear to be the operating environments of choice on some of the servers handling billing, were released in 2000 and 2003 respectively; HP is currently shipping 11.31, or 11i v3 in the company's alternate parlance.
Could machines so out-of-date be lacking in patching? It's possible. Moreover, notes a correspondent familiar with the situation, agreements over the years with outside service providers could have provided an environment in which a little breach could grow big. T-Mobile's aggressive US buildout in the past few years, including its serious GSM/EDGE upgrade, was made possible in part by partnerships between the telco and third-party providers, which provide many of the underpinnings that make the system go.
Our correspondent suggested that one or more of those third parties is likely to have shipped any machines it may have introduced to the network with unnecessary services switched on. If those machines were not aggressively tended once on T-Mobile's network and were not in legitimate use, they could have been sitting there for years -- a tempting attack surface for the kind of people who think they could sell evidence of a felony-level hack to T-Mobile's competitors.
In a prepared release this morning, T-Mobile stated: "The protection of our customers' information, and the safety and security of our systems, is absolutely paramount at T-Mobile. Regarding the recent claim, we are fully investigating the matter. As is our standard practice, if there is any evidence that customer information has been compromised, we would inform those affected as soon as possible."
10:00 am EDT June 9, 2009 • The latest recitation of T-Mobile's statement to IDG's Robert McMillan last night contained a little addition that appears to confirm that at least some of what the unidentified malicious users demonstrated is genuine customer data.
"Regarding the recent claim on a Web site," the addition reads, "we've identified the document from which information was copied, and believe possession of this alone is not enough to cause harm to our customers. We continue to investigate the matter, and have taken additional precautionary measures to further ensure our customers' information and our systems are protected."