Updated November 18 at 11:19 a.m. PST to clarify that the data was sold by workers at T-Mobile UK, which is operated separately from T-Mobile USA.
British Information Commissioner Christopher Graham says penalties aren't strong enough to deter the sale of private consumer data. (Credit: BBC)
T-Mobile workers sold personal data on thousands of customers to third parties, who then called the individuals as their wireless contracts were due to expire, a T-Mobile UK spokesman has confirmed.
T-Mobile notified the U.K. Information Commissioner's Office, the watchdog responsible for safeguarding consumer privacy, and said the activity was done "without our knowledge," according to the BBC.
Information Commissioner Christopher Graham told the news agency his office will prosecute the individuals responsible.
It's the latest black eye for the T-Mobile brand in recent months. (T-Mobile UK and T-Mobile USA are operated separately.)
Last month an outage with T-Mobile USA network left Sidekick users unable to access the Web or their address books for several days.
And earlier this month T-Mobile's network in the U.S. suffered a major outage that left customers unable to send or receive text messages or access voice messages for part of a day. The outage was due to a software error in a back-end system that generated abnormal congestion on the network, the company said in a statement.
A T-Mobile spokesman said on Tuesday that data someone posted to a security e-mail list over the weekend was legitimate T-Mobile data but not customer information, and that the phone company's network was not hacked or breached as the poster claimed.
The statement raises more questions than it answers. If indeed there was no network hack, could there have been an inside leak? Or could it have been something as low-tech as dumpster diving, in which records are obtained from trash bins outside a company's offices?
All T-Mobile would say is that it is investigating how the information was obtained.
On Saturday, someone posted to the Full Disclosure e-mail list claiming to have hacked into T-Mobile's computer network.
"We have everything, their databases, confidential documents, scripts and programs from their servers, financial documents up to 2009," the poster wrote, adding that the data was being offered up to the highest bidder. As evidence of the hack, the post included a number of lines of code that appear to reference operating systems and possibly IP addresses.
T-Mobile said the data is not customer data, but declined to say what it is. On Monday, T-Mobile said it was investigating the situation.
Then late on Monday, the company issued a statement that said: "Regarding the recent claim on a Web site, we've identified the document from which information was copied, and believe possession of this alone is not enough to cause harm to our customers."
On Tuesday, T-Mobile issued an updated statement that removed that wording and added: "The company is conducting a thorough investigation and at this time has found no evidence that customer information, or other company information, has been compromised. Reports to the contrary are inaccurate and should be corrected."
T-Mobile says the data isn't customer data. So what is it?
Updated at 2:30 p.m. PST with security source comment.
T-Mobile USA is looking into claims that a hacker has broken into its databases and stolen customer and company information.
Someone anonymously posted the claims on the security mailing list Full Disclosure on Saturday. In that post, the hacker claims to have gotten access to "everything, their databases, confidential documents, scripts and programs from their servers, financial documents up to 2009."
The poster said he had offered the information to T-Mobile competitors, but they supposedly didn't show any interest. Now he says he is offering the information to the highest bidder.
T-Mobile issued a statement that the company is looking into the matter.
"The protection of our customers' information, and the safety and security of our systems, is absolutely paramount at T-Mobile," the company said. "Regarding the recent claim, we are fully investigating the matter. As is our standard practice, if there is any evidence that customer information has been compromised, we would inform those affected as soon as possible."
Some security experts were skeptical of the claims.
"The way this data has been offered is not the way the Underground Economy usually works," said Steve Santorelli, a former Scotland Yard detective who is director of global outreach at security research firm Team Cymru. "Such a highly public offer certainly tends to suggest that this is a hoax or a scam. Many things don't add up: for example, if you'd spent the time to get all this data, surely you'd have a buyer lined up or at least the connections to discreetly find a buyer. Now that 'the cat's out of the bag,' the data is worth significantly less on the open market as T-Mobile will be able to put countermeasures in place such as changing passwords."
Kelly Todd, chief communications officer at the Open Security Foundation, said there wasn't enough information publicly available to determine at this time whether the breach is legitimate or not.
"At initial glance I'd say a list like that could be legitimate," he said. However, "I would have to question their comment that they had contacted T-Mobile competitors...You'd think that in order to cover their tracks they would want to take a different route than to contact the competitors."
T-Mobile has had three prior data breaches recorded on the DataLossdb.org site, which the Open Security Foundation runs. In 2005, a teenager was able to get phone numbers of celebrities who use the service; in 2006 a laptop was reported lost that contained social security numbers and addresses of about 45,000 T-Mobile customers; and in October 2008 a disc was reported lost that contained data on about 17 million T-Mobile customers, according to Todd.
CNET News' Elinor Mills contributed to this report.
When it comes to telling customers about security weaknesses, there's a fine line between alerting customers and inviting attacks. With T-Mobile G1, the first phone to run Google's Android operating system, I think the companies are erring on the side of inadequate disclosure.
I've been testing a review model of the G1, and an update arrived first on November 1 and then a second a week later. Only by dint of much pestering and more than a week of waiting did I find out from Google what was in those two Android patches.
And T-Mobile has been pretty quiet, too. (I'm waiting for comment from the company about its choices.)
I'm not the type to blithely ignore patches. Sure, I'm not convinced the security patches I download for Adobe Reader, Microsoft Windows, and Firefox are flawless, but I think the odds are good enough they'll be an improvement that I install them.
But with the Android phone, I couldn't even tell if the patches were security related, much less how important they are, much less what they actually do. The closest I could come was figuring out what operating system build I had installed, then using that nugget of information to snoop around the T-Mobile forums, the Android bug-reporting system, and assorted Web sites to see if I could piece together what was going on.
In short, even if companies are generally looking out for their customers' best interests, I think it behooves them to keep the customers better informed. It prevents us from feeling like disempowered pawns. It helps us make intelligent choices with our products. And it can even make us happy, when pesky bugs are stamped out or useful features are added.
Even Microsoft, which hardly has a reputation for coddling its users, does a better job of keeping people in the loop. It gives a heads up a few days in advance about what's coming on its next monthly "patch Tuesday" upgrades.
In a pickle
Google writes the patches but relies on T-Mobile to disseminate them to its customers and to communicate with its customers, said Rich Cannings of Google's Android security team.
"We won't disclose the issue until all our users have been at least asked to update their phone," Cannings said.
T-Mobile's site says delivering over-the-air updates to G1 customers takes several days, with users selected in random order. Given the philosophy of not disclosing details until everybody has a chance to update, it would be impractical to include update details along with the update itself. Early recipients could simply publish details online.
Microsoft takes a different approach, though, publicly releasing details even before all computers have been patched.
Those who dig around T-Mobile's forums can find posts from a T-Mobile administrator named Will. "The first rule of updates is: you do not talk about updates," he joked in one post confirming that T-Mobile had begun sending out the RC30 patch, then only offered a hint about what was in the patch. He was more forthcoming in an earlier post, though.
The G1's request to update its Android software doesn't share any details about what's changing or how important it is. (Credit: Stephen Shankland/CNET News)
Cannings said Google will release all the gory details about Android vulnerabilities eventually; the security announcements are automatically sent to the Bugtraq and Full Disclosure security mailing lists, for example, he said.
But that process doesn't take place on the same schedule as the patches T-Mobile distributes. It's been 11 days since I received the RC29 patch, and there's still no word published on the Android Security Announcements group. The only note is an August 18 introductory note with this advice: "If you would like to receive security patch announcements for Android, please join the android-security-announce Google Group."
The security fixes also take place behind closed doors, despite Android's open-source nature. After the report of the root-console bug that would cause a G1 phone to reboot if a user simply typed "reboot", Google's Dan Morrill added a note, "Marking as security problem, which will hide this issue until the fix is public," though it wasn't actually hidden.
Google has taken the same approach of hiding security issues with its Chrome browser, and updates are installed automatically with no option for users to approve the process. Again, it takes the approach that Google knows best, and users are best to trust the company to do the right thing.
Should I lighten up?
But here's the question: am I wrong to bridle at this somewhat paternalistic attitude? Given that the future no doubt holds updates for car engine firmware, home wireless network routers, universal remote control, and Internet-enabled stuffed animals, we'll all have to get more used to them. After all, security is a grave matter, and vulnerabilities lead directly to spam-sending botnets and other serious issues. Should I just relax and go with the flow?
The G1's request to update its Android software. (Credit: Stephen Shankland/CNET News)
Google has begun releasing some details about the vulnerabilities it patched in two updates to Google's Android operating system software in the T-Mobile G1 smartphone.
The company had acknowledged some of the work earlier, but it hasn't posted an official account of the vulnerabilities. Rich Cannings of the Android security team did, however, share details about the RC29 and RC30 updates that T-Mobile began distributing to G1 customers at least as early as November 1 and November 9, respectively.
Google had acknowledged the RC29 patch for the G1 fixed a browser vulnerability that could have let an attacker use malicious code on a Web site to take over the browser. The severity of such issues is limited by Android's security design, which walls off applications into separate compartments to limit an attacker's power. But Cannings said the patch also fixed two other issues.
The Android browser is based on the open-source WebKit engine, which renders HTML into an actual Web page, and RC29 brought Android up to date with two upstream WebKit patches that had already been released but that Google had missed. One of them fixed a universal cross-site scripting problem that could give an attacker control of the browser, Cannings said.
RC29 also fixed a problem that could let someone bypass Android's locking mechanism by booting the phone into safe mode.
Google plans to publish fuller details on its Android Security Announcements group soon, Cannings said, but the company waits until the patches have been offered to all users before disclosing full details.
RC30 and the root console bug
RC30, which came about a week later, fixed an unusual "root-console" problem in Android in which text that people typed--while composing e-mail messages or searching contacts, for example--could be executed as Linux commands with the highest-level privileges. One user found it by typing the word "reboot" in a text message.
The problem was that Google left in a debugging feature that let developers run commands from a remote device attached over a serial port. When no such device was attached, the root shell did not stop; it simply took its input from the phone's keyboard instead.
Linux and Unix users are advised to use their systems with "root" privileges reserved only for administrators, but Android was actually giving anybody that privilege. The problem was lessened because many characters used in Linux commands, such as hyphens, tildes, and slashes, weren't available, but it was still a big problem, Cannings said.
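The failure mode above is a debug console that falls back to whatever input happens to be on the default console when the serial device it was written for is absent. The following is an added example, not Android's own init code: a POSIX shell sketch of the weak pattern beside a hardened one that only allows a root debug shell when the expected serial device actually exists and is a character device. The device name /dev/ttyMSM2 and the debug flag argument are hypothetical.

```shell
#!/bin/sh
# Added example (not from Android or T-Mobile): gate a root debug shell on the
# real presence of its serial device instead of letting it fall back to
# /dev/console, which on a phone with no cable attached is the keyboard.
# Hypothetical names: /dev/ttyMSM2 as the debug serial port; the "1"/"0"
# second argument stands in for a build-time debug flag.

# Weak pattern described in the article: always hand back a console, so the
# shell ends up reading the user's keystrokes when no serial cable is attached.
console_target_unsafe() {
    echo /dev/console
}

# Hardened pattern: refuse unless the debug flag is on and the expected serial
# device exists and is a character device (a tty, not a regular file or a
# missing path). Prints the device path on success; returns 1 otherwise.
console_target() {
    dev="$1"
    debug_enabled="$2"
    [ "$debug_enabled" = "1" ] || return 1
    [ -c "$dev" ] || return 1
    echo "$dev"
}

# Returns 0 only when console_target yields a device. A caller would then run
# something like: exec sh <"$dev" >"$dev" 2>&1  (on that device, never on
# /dev/console).
spawn_debug_shell_allowed() {
    console_target "$1" "$2" >/dev/null
}

# Stand-alone demo with a serial port that does not exist on this host.
if spawn_debug_shell_allowed /dev/ttyMSM2 1; then
    echo "would spawn root shell on /dev/ttyMSM2"
else
    echo "refused: no serial console present; not falling back to $(console_target_unsafe)"
fi
```

The point of the hardened check is that absence of the serial device is a reason to not start the privileged shell at all, rather than a reason to pick a different input source. The test below uses /dev/null as a stand-in character device because it exists on every Linux host.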