Comments

wiredog August 27, 2021 8:50 AM

After this one, realizing that nothing could have been revealed about me that wasn’t already out there, I bought a couple of YubiKeys and had my credit frozen. Going to set up all my accounts that can work with the YubiKeys to do so this weekend.

Ex T-Moron August 27, 2021 9:22 AM

I worked for T-Mo for a bit. When I went for my interview, they asked me to do some work on one of the live, production Oracle databases. It had all customer data (including SSNs, unencrypted credit card details, plus other stuff too) in it.

When I got the job, it was still the same. And access controls for the database were lax, at best…

echo August 27, 2021 10:27 AM

America needs to get over its thing about unilateralism and bring UN human rights obligations into law at a constitutional level like Europe. The European Convention is the mechanism which all EU member states must sign up to and it puts a stop to a lot of the problems I keep hearing Americans have. Even the Russians are signed up to the Convention!

Before anyone begins blowing snot bubbles it was pretty much the allied forces post-WWII (mostly the British) who wrote the thing! The UK’s Data Protection Act and later EU GDPR (which also applies in post-Brexit UK) is pretty much derived from the Convention. Any software developer or engineer or lawyer or other professional knows that standards matter. Yes more than a few people are going to have to pull their socks up and no this isn’t cost free but that’s life. The cost of not doing things right means all the wrong thoughts and behaviours and people and organisations are rewarded and we cannot have that can we?

I’d also put your senior judges’ and legal scholars’ feet to the fire because they’re the ones being intransigent about it.

Attention follows focus. The result then tends to build itself.

mexaly August 27, 2021 12:09 PM

@wiredog, indeed, everyone should just assume our pii is for sale.
Heck, China has had my SF86 for, what, almost 10 years now? Not just my pii, but my family’s, too.

Clive Robinson August 27, 2021 12:19 PM

@ Bruce, ALL,

I’ve lost count of how many times T-Mobile has been hacked.

I would say that it has happened so often that it can only be due to “policy” from the most senior levels down throughout the management of the organization.

So much so that it is “endemic” attitude / cultural belief within those people on the “birds of a feather…” notion.

Which should raise a question in more normal people’s heads of,

If you are an employee of an organisation with such endemic policy, what does it say about not just you, but any organisation that then knowingly employs you?

With the likes of Linked-in it now becomes possible to find where employees of these really bad organisations go to, which would give other people due warning about these other organisations’ hiring policies etc.

In fact it would enable researchers to produce several “tree diagrams” that when put together would in effect build a web of “reputational trust”.

Thus with a “reputational trust” web people could choose who to place their business with. Much like used to happen a century or more ago when “small town talk” kept people in line.

Neill August 27, 2021 1:30 PM

walk into a TMO store or call in and see how quick they get access to your account data.

multiply those precious few seconds by a few million customer interactions per month, and you see they save millions of $ each month by speeding up data access …

Frank Wilhoit August 27, 2021 2:56 PM

Clive,

These reflections are bitter and overgeneralized, even by your expansive standards.

People don’t choose where to work. They count themselves lucky to find any job at all. Organizational culture may rub off on them to some small degree, but the fact is that the experience of any employee of a large firm is dominated by friction, sabotage, and play-acting. No signal can cut through that amount of noise.

The notion of “being kept in line” is a shocking piece of infantile sadism. The de facto organizational culture of this forum has been spiralling down into paranoia. For a long time you stood above that. Is it now beginning to rub off on you? Do you want that to become part of your “reputation”, and to follow you to other places?

echo August 27, 2021 4:00 PM

@Frank Wilhoit

There are academic papers on conformity and own group bias and discrimination. In fact there are entire books devoted to corporate culture. Many consultants get paid serious fees for advising on these matters. I don’t know about the US but there are people in the UK who are compliance auditors.

I have a few items stacked up for the Squid topic. One of them touches on topical governance issues and is not unrelated to this area and is written by an academic studying at Harvard.

I prefer to think people are adjusting to new topics or ways of looking at problems. As for “the culture of this forum spiralling down into paranoia” I’ve provided enough citations from impeachable sources on my own. I’ve also made more than one statement which was ahead of media reports on policy action (i.e. tackling Russia on matters of law and the Metropolitan police pulling their socks up over sex discrimination issues related to trafficking).

Clive Robinson August 27, 2021 4:41 PM

@ Frank Wilhoit, ALL,

These reflections are bitter and overgeneralized, even by your expansive standards.

Wrong “E” word, try “experienced” instead.

And whilst my words may sound “bitter and overgeneralized” they are unfortunately “realistic” based on what we currently know.

Call it the “flip side of the coin”, we know what “others” are doing with our PII right now, people’s future careers are already being decided on what they and others posted on “social media” more than a decade ago at least.

We know there are “agencies” that specialise in online “reputational management”.

We also know it is an expanding market to take people for as much money as they will part with.

We also know the market has the “fun side” that as a data agent you can play both sides quite profitably at the same time.

Knowing this, what do you really think is going to happen?

That is, what is “Society’s Self Defence Reaction” going to be?

Think the alternatives through, decide which is the least harmful that also has a realistic chance of happening bearing in mind what we know is currently going on?

What you will probably come up with is a “reputation system” based on “social media”… Because it’s already happening, not just by the likes of the Chinese and other Governments, national security services, immigration officers, law enforcement, employment personnel/employers, credit agencies, and just about anyone else with money to buy the data. To think it’s not going to carry on would be “head in the sand, bum in the air” posturing of the sort we attribute to “bird brains”. Be they with feathers of the Struthioniform genus or those who want to pretend the world is full of ponies with horns on their snouts and rainbow hair sticking out the back ends, ridden by fair maids and such like.

So the question then becomes, knowing this is going on, on one side of the societal divide and it’s going to get worse, how long before the other side of the societal divide does it in “self defence” or “retaliation”?

The genie is out the bottle already, something tells me that it’s not going to go back in. Thus you have to “think it through, and act appropriately”.

Linked in is a “data resource” and,

1, They have done some very scummy things in the past.
2, So people’s data is out there available already.
3, People will monetize it one way or another.

There is no way to win at this game, so you can only play “not to lose” and hope you get a draw. However one way to do that is by not playing at all… I do not do social media and I will never be doing the likes of linked-in, I’m lucky I’ve a choice of not playing.

But is your assertion of,

People don’t choose where to work. They count themselves lucky to find any job at all.

Actually true?

As for,

The de facto organizational culture of this forum has been spiralling down into paranoia. For a long time you stood above that.

No I “stood clear” or “to one side” not “above”, I gave general information and asked people to “think it through”. I’ve even given people warnings that these sorts of systems were on their way over the past few decades. Well they are here now on one side of the fence. Human nature tells you what is going to happen on the other side of the fence.

We’ve seen the “it can not be true” response behaviour before, the classic being prior to Ed Snowden. There were people on this blog telling others that it was not just technically possible but that it was happening. I remember the “it can not be true” arguments including those denialists accusing people of “paranoia”… Well we now know they were not paranoid.

So I ask you to think… Test your assumptions that makes you say “paranoia”… Do your assumptions have a factual basis? Can they be verified?

My thinking tells me such reputational systems will be the least harmful response society can make. Heck we have politicians tub thumping for a lot worse in Australia, UK, and US currently. Frequently pushed by the likes of Law Enforcement Agencies and lobbyists for Corporations who see lots of potential in all that data.

When you have UK politicians making claims of 11 billion in such data, you know where it is going to go, or at least you should do.

But for everyone else, my prediction is, if you put your PII in public by putting it on any social media or recruitment or any other site, even through many Email systems it will be scraped, aggregated and stored for future profit one way or another, and you will not see the benefit of it.

SpaceLifeForm August 28, 2021 2:11 AM

T-Mobile confirms Mandiant was brought in.

As to the other angle, it may not really help at this point in time.

hxtps://www.t-mobile.com/news/network/cyberattack-against-tmobile-and-our-customers

Clive Robinson August 28, 2021 4:09 AM

@ SpaceLifeForm,

T-Mobile confirms Mandiant was brought in.

After the hoofbeats had faded long into the distance…

On trying to load the page you link to, it comes up with “javascript” Off, however with javascript On the page text briefly flashes up then gets replaced by a “page not found” message.

Which is curious behaviour…

@ ALL,

Anyway if you do get the page up, it does make interesting reading.

Such as,

“On August 17th we confirmed that T-Mobile’s systems were subject to a criminal cyberattack that compromised data of millions of our customers, former customers, and prospective customers. Fortunately, the breach did not expose any customer financial information, credit card information, debit or other payment information but, like so many breaches before, some SSN, name, address, date of birth and driver’s license/ID information was compromised.”

Now the question is how should “like so many breaches before” be read,

1, Applying only to T-Mobile?
2, Applying to Mobile service providers?
3, Applying to the telecommunications service sector?
4, Applying to ICT sector in general?

But I would point out not only is the paragraph it is in specific to T-Mobile, the sentence it is in starts as specific to T-Mobile so logically option 1 is the one most would think applies….

Anyway votes on a post card 😉

But it gets better… In a paragraph about notifying people who have had their details stolen we find this curiosity,

“We are also now working diligently to notify former and prospective customers.”

Are they saying they have details of people that are not, nor ever have been T-Mobile customers that have been compromised as well?

Before dismissing the idea, remember that in the UK there was a case where the database of customers approaching end of contract with one mobile supplier ended up in the possession of another competing mobile phone supplier, and due to unlawful behaviour details became disclosed.

So it might not be “Industry best practice” but there is a “history” of major players having extensive details of people that they have no contractual relationship with being held as, shall we be nice and say, “leads” even though they might have been unlawfully, possibly illegally, obtained.

But on the technical side of the attack we only get the following,

“What we can share is that, in simplest terms, the bad actor leveraged their knowledge of technical systems, along with specialized tools and capabilities, to gain access to our testing environments and then used brute force attacks and other methods to make their way into other IT servers that included customer data.”

Getting in via “testing” is one of the oldest successful attack routes known, it’s decades old, and it keeps happening. Proving yet again that ICTsec does not learn from its history.

In the US perhaps the incident of “testing” being used to attack mobile phone users was that around CarrierIQ.

But if you want to go back even further, how about the one example most hear about in name but never get to know the actual details. The infamous “Prince Philip Hacked” incident in the UK that happened back in the early days of “home computing” before the Internet was available and BT as we now call it was pushing an on-line service called Prestel, and the UK’s “mad” Maggie Thatcher was trying to sell off what became the “Big Seven Incher” to put money in her “war fund” via the UK Treasury. Which led to a very strange series of events that few are still alive to talk about from first hand experience, as it started back in 1984 as I’ve mentioned before with the “testing” of “bulk update Software” for home computers as the IBM PC was not yet an item you would find in either a home or office, the top of the line in that respect being the Apple ][.

Basically those at Prestel were getting teenagers and school kids to write software to push Prestel, and gave near “open access” via a dial up system we called “Pandora” that although not officially a “live service” actually had been made by taking a backup tape of a “live service” system and loading it onto Pandora. Unfortunately the system was designed with a “plaintext” password file…

supersaurus August 29, 2021 5:15 PM

to change people’s behavior change their incentives. suppose the CEO went to jail, what would other CEOs do? keep on keepin’ on? I doubt it.

Andy August 30, 2021 12:36 AM

@supersaurus. What do we do for the federal OPM hack? Do we send the president, a cabinet level secretary, some under-secretary or fall back on some engineer? Maybe if you make them liable the shareholders can have a clawback on Executive Team’s golden parachute

Weather August 30, 2021 1:05 AM

@andy
Simple if you are a level one company you have to pay for a level one security section, if level two….
You don’t need much in the way of a certified security section, word of mouth sorts that out, if you’re a preferred contractor.
That scam txt I said before, they had my first name, maybe data breach can have effects at lower layers.

ishomi August 30, 2021 1:26 PM

Thanks for the info.

My annoying and clumsy (yet sometimes loveable) father, now deceased, was a devoted T-Mobile customer.

It just so happens that his customer activity with them peaked during the same period of time as what seemed, back then, to have been his biggest incident of identity theft. He was a victim.

Because of witnessing his clumsiness on the phone with T-Mobile, and with his other personal info management, I made it a point to avoid doing business with most of the same businesses and organizations that he was involved with, even after he died.

That includes some specific credit card com(p)a(ny).

SpaceLifeForm September 1, 2021 6:33 PM

I suspect they have had an insider problem starting ten years ago.

hxtps://www.twitter.com/VickerySec/status/1433176907386916866

[check the timestamps on pic]

[He has more info. In fact he deleted a tweet from yesterday that had very interesting info. I’m not going to mention names, but will just note that users working at large orgs were probably being spied upon if they used T-mobile. Never use work e-mail address for non work related purposes]
