Stories
Slash Boxes
Comments
Search

News for nerds, stuff that matters

Slashdot Log In

Log In

Create Account  |  Retrieve Password

Hacker Penetrates T-Mobile Systems

Posted by timothy on Wed Jan 12, 2005 08:40 AM
from the sounds-like-a-movie-plot dept.
Security Communications Privacy
An anonymous reader writes "SecurityFocus.com reports 'a sophisticated computer hacker had access to servers at wireless giant T-Mobile for at least a year, which he used to monitor U.S. Secret Service e-mail, obtain customers' passwords and Social Security numbers, and download candid photos taken by Sidekick users, including Hollywood celebrities.' Demi Moore and Paris Hilton are involved."
+ -
story
This discussion has been archived. No new comments can be posted.
The Fine Print: The following comments are owned by whoever posted them. We are not responsible for them in any way.

Hacker Penetrates T-Mobile Systems 50 Comments More /

 Full
 Abbreviated
 Hidden
More
Loading... please wait.
  • At first, I got "Nothing to see here" ... but Paris Hilton? Sounds like that guy had plenty to see ;-)

  • linkie? and recruitment (Score:5, Insightful)

    by BoldAC (735721) on Wednesday January 12 2005, @08:41AM (#11333982)
    Genovese provided SecurityFocus with an address on his website featuring what appears to be grainy candid shots of Demi Moore, Ashton Kutcher, Nicole Richie, and Paris Hilton.

    Okay, all my Karma points for a link. :)

    The same source also offers an explanation for the secrecy surrounding the case: the Secret Service, the source says, has offered to put the hacker to work, pleading him out to a single felony, then enlisting him to catch other computer criminals in the same manner in which he himself was caught. The source says that Jacobson, facing the prospect of prison time, is favorably considering the offer.

    As much as we make fun of the computer knowledge of our governments, they finally seem to be on the right track. You must have some of these guys in your pocket to really have a chance. Can you trust them? Probably not completely... but if they bring you some knowledge, skills, and some of the most damaging players, then it's worth it.

    • I don't understand why he asked for a proxy from this dude he had just met. Really, really stupid, especially when it turned out to be a government monitoring server.

      • Re:linkie? and recruitment (Score:4, Funny)

        by DingerX (847589) on Wednesday January 12 2005, @09:27AM (#11334489) Journal
        Well, just because he got into T-Mobile's system doesn't mean he has a lot of friends. Sure, most young males engaged in such activities are giants of men, with beautiful girls on each arm, and the social ease of a High Commissioner after a second martini, but they're not all so smooth. Heck, he was probably overwhelmed by the fact that the Secret Service took an interest in him, and, seeing photographic evidence that the rumors of those wild "protect the currency" parties were true, figured this was a better shot at a real job than a scattershot "to whom it may concern" resume mentioning everything but the name of the nun who kicked him out for one too many links to the xmas islands on the high school web page.

      • Yep, the guy was stupid (Score:5, Interesting)

        by Tassach (137772) on Wednesday January 12 2005, @10:07AM (#11334960)
        From the article:
        [He] even knew the agency was monitoring his own Microsoft ICQ chat account
        Come on, how frelling stupid can you be? You've got hard intel that the opposition is on to you and you don't shut down your operation? At the very least you crank up your operational security a notch or ten in that situation.

        The guy crossed the line when he went to sell personal information to identity theives. Looking at famous people's candid photos is pretty harmless (as long as he's not selling them to some tabloid or spreading them around). Reading the SS's email is the ultimate in poetic justice; they should be more aware of just how insecure email is than just about anyone. It's inexcuable for the frelling SS to have been sending sensitive documents around in unencrypted emails.

        In the end, it sounds like the guy got caught because of his own hubris. Which, when you think about it, is typical... criminals get busted not because the cops are spectacuarly competant, but because they run their mouths off.

    • As much as we make fun of the computer knowledge of our governments, they finally seem to be on the right track. You must have some of these guys in your pocket to really have a chance. Can you trust them? Probably not completely... but if they bring you some knowledge, skills, and some of the most damaging players, then it's worth it.

      Um...you do realize they're blackmailing him, right?

      Honestly, I can't decide if being blackmailed is better or worse than him rotting in jail. We don't let people off th

      • Because murder isn't really an analog of hacking. Murder is usually a 1-time, spontaneous act of violence with little if any planning involved. It's more like breaking into an office and stealing the computer to get at the contents instead of hacking your way in via a network connection. I think a better comparison would be between hacking and *serial* killers, who traditionally put a lot more method into their madness because - like hackers - they want to keep coming back for more. And serial killers are q

        • A six figure salary and a supercomputer? Re-watch the end of "Catch Me if You Can"; he'll get a low-grade government salary, half of what the guy whose paid to watch everything he does gets, he won't be allowed computers at home, not even a game console or Internet enabled refrigerator.

          I hate to break it to you, but that's a movie. It is, however, based on a true story. You might want to see how the real Frank Abagnale has been doing lately, though:

          http://www.abagnale.com/index2.asp [abagnale.com]

          • Spy agencies use a lot of different levers.

            See the case of the chinese woman who had a 20 year affair with a FBI agent. She was spying on the Chinese, for the FBI, and they paid her 1.7 million. Then the FBI got an interesting notion that she might be spying for the chinese, so they dragged her in court. Of course, the prosecution screwed up and the judge dismissed the case for infringement of her constitutional right. (that was in the paper a couple days ago).

            All this to show that the US government is no

  • Get Moore !?! (Score:5, Interesting)

    by rednip (186217) <rednip@gma i l . com> on Wednesday January 12 2005, @08:43AM (#11333998) Journal
    Most troubling...
    T-Mobile, which apparently knew of the intrusions by July of last year, has not issued any public warning.

    Q: If I were a customer and I found out that my identity has been stolen, could I sue T-Mobile for any damages since they knew of the problem, or perhaps for just having breakable security?

    BTW, the Black Hat's email address (and online identity) is ethics@netzero.net [mailto] and at one point was looking for work as a security administrator. Not a big surprise that he was interested in the field, but 'Ethics'!

    • Re:Get Moore !?! (Score:4, Informative)

      by ack154 (591432) * on Wednesday January 12 2005, @08:49AM (#11334077)
      This might be why (though there's no stating if it's the actual reason or not):
      but may be postponed if a law enforcement agency determines that the disclosure would compromise an investigation
      That would be my guess anyways.

    • Re:Get Moore !?! (Score:5, Informative)

      by lucabrasi999 (585141) on Wednesday January 12 2005, @08:53AM (#11334119) Journal
      Q: If I were a customer and I found out that my identity has been stolen, could I sue T-Mobile for any damages since they knew of the problem, or perhaps for just having breakable security?

      RTFA:

      T-Mobile, which apparently knew of the intrusions by July of last year, has not issued any public warning. Under California's anti-identity theft law "SB1386," the company is obliged to notify any California customers of a security breach in which their personally identifiable information is "reasonably believed to have been" compromised. That notification must be made in "the most expedient time possible and without unreasonable delay," but may be postponed if a law enforcement agency determines that the disclosure would compromise an investigation.

      It appears that if you sue, you won't win.

      • Re:Get Moore !?! (Score:5, Interesting)

        by lucabrasi999 (585141) on Wednesday January 12 2005, @08:56AM (#11334146) Journal

        As I read even more of the FA:

        According to court records the massive T-Mobile breach first came to the government's attention in March 2004, when a hacker using the online moniker "Ethics" posted a provocative offer on muzzfuzz.com, one of the crime-facilitating online marketplaces being monitored by the Secret Service as part of Operation Firewall.
        "[A]m offering reverse lookup of information for a t-mobile cell phone, by phone number at the very least, you get name, ssn, and DOB at the upper end of the information returned, you get web username/password, voicemail password, secret question/answer, sim#, IMEA#, and more," Ethics wrote.

        It appears the feds knew about this months ago.

  • Sophisticated Hackers (Score:5, Funny)

    by randalx (659791) on Wednesday January 12 2005, @08:43AM (#11334001)
    Didn't know Demi Moore and Paris Hilton were that good with computers.

  • Demi Moore and Paris Hilton are involved. (Score:4, Funny)

    by Dragoon412 (648209) on Wednesday January 12 2005, @08:44AM (#11334013)
    Demi Moore and Paris Hilton are involved.

    Can't it just be assumed, at this point, that if there's some major event involving porn, that Paris Hilton is involved?

      • Re:Demi Moore and Paris Hilton are involved. (Score:4, Insightful)

        by doublem (118724) on Wednesday January 12 2005, @10:21AM (#11335131) Homepage Journal
        She's what the media says should be the "perfect" woman. According to Hollywood and fashion designers, she's ideal.

        Wealthy
        Thin to the point of being unhealthy
        High Libido
        Slutty
        Blond
        Dumb as a post.

        As a result, the media HAS to go nuts about her, because toothpicks like her are the kind of trash they've been throwing at us for ages.
          • Actually, it all has to do with economics. The western economy is a culture of shame. "You're not good enough, so buy this product to BECOME good enough." The idea is to create expectations that are impossible to reach, so people are always striving and buying to get something they can never have.

            Mind you, I don't for a moment think this is the result of any kind of organized conspiracy. This is the logical consequence of about a century and a half of advertising campaigns telling us ways we're "not go

  • His Resume is posted online ! (Score:5, Informative)

    by Anonymous Coward on Wednesday January 12 2005, @08:47AM (#11334058)
    http://lists.jammed.com/securityjobs/2001/09/att-0 059/01-RESUME_OF_NICHOLAS_JACOBSEN.txt

  • Not-so Secret Service (Score:4, Interesting)

    by Vollernurd (232458) on Wednesday January 12 2005, @08:48AM (#11334060) Homepage
    Surely the Secret Service would encrypt anything important? I would have though that they would not have used a commercial network service like that. But then again mum always told me not to think too much.

    • Re:Not-so Secret Service (Score:5, Funny)

      by lucabrasi999 (585141) on Wednesday January 12 2005, @09:07AM (#11334256) Journal
      I would have though that they would not have used a commercial network service like that.

      In other news, The President had to be reminded (again) that the White House Lobby Pay Phone should not be used to call Ariel Sharon.

    • Re:Not-so Secret Service (Score:5, Insightful)

      by fizban (58094) <fizban@umich.edu> on Wednesday January 12 2005, @09:14AM (#11334324) Homepage
      Hello? Welcome to the United States. The internet infrastructure is built and controlled by companies. It's not like our government agencies have their own internet. If a Secret Service Agent needs to send an email to the home office, he'll pick up his sidekick, his Blackberry, his Palm, his laptop, etc., connect to a service provider like T-mobile, Verizon, Comcast, etc. and send his message or store his files. Probably encrypted, but maybe not always if it's not a considered a very sensitive communication.

      A lot of people have crazy delusions that secret agencies live in some far off technical wonderhome, where all communications are encrypted with some super 733t MD67 algorithm never before seen by any other person in the world, all access is controlled by handprint and retinal scan identification and everyone walks around with James Bond gadgets in their pockets. It's just not so. These people live and work in normal offices and normal homes and deal with the same crappy, bug-ridden and insecure hardware and software that the rest of us do. It's probably a bit better than your normal corporate office, but not by much.
        • A lot of people have crazy delusions that secret agencies live in some far off technical wonderhome, where all communications are encrypted with some super 733t MD67 algorithm never before seen by any other person in the world, all access is controlled by handprint and retinal scan identification and everyone walks around with James Bond gadgets in their pockets. It's just not so. These people live and work in normal offices and normal homes and deal with the same crappy, bug-ridden and insecure hardware
    • I don't know what they're complaining about. I thought we weren't supposed to have an "expectation of privacy" with email. So it's legal to read anyones email without violating their privacy right?

  • The News (Score:5, Insightful)

    by DrugCheese (266151) on Wednesday January 12 2005, @08:50AM (#11334086)
    I bet the American public will be more flabergasted over the fact that he has pictures of Demi Moore and Paris Hilton that haven't been released then the fact he was spying on the Secret Service.

    Some days I'm proud to be american, but then the drugs wear off.

  • Just because he is reading Secret Service mail doesn't mean it is important. For all we know the mail could read like this: On todays lunch menu we are not going to be having the chicken fajita due to a lack of chicken, we will be having PB & J's. Surely they have secure transmission lines (& methods of encryption) , so why would they send anything of importance over T-Mobiles network?

    • Re:Secret Service Mail Encryption (Score:5, Interesting)

      by Maestro4k (707634) on Wednesday January 12 2005, @09:35AM (#11334580) Journal
      • Just because he is reading Secret Service mail doesn't mean it is important. For all we know the mail could read like this: On todays lunch menu we are not going to be having the chicken fajita due to a lack of chicken, we will be having PB & J's. Surely they have secure transmission lines (& methods of encryption) , so why would they send anything of importance over T-Mobiles network?
      If you'd RTFA, you'd know that many of things he had access to were important, sensitive and, in an ideal world, should have been encrypted. One good question the article didn't ask is why'd the secret service agent send these things unencrypted over a monitorable network? Personally I'd like to know that he had been disciplined for allowing this security breach to occur.

  • But how could he NOT get caught? (Score:5, Insightful)

    by HawkinsD (267367) on Wednesday January 12 2005, @08:54AM (#11334124)
    FA says that he was offering ssn, dob, passwords, etc. for sale.

    So... let's say that I want to patronize his obviously grossly illegal service. How do you consummate a transaction like this? Cash in a Fedex envelope? Sent to whom? A P.O. box?

    Who performs first? Are there criminal escrow services?

    And how stupid do you have to be to take out an ad online, in a known criminal hangout, announcing your secret power, and providing contact info?

    Is there something I'm missing here?

    No, really.

    • Even Hung Out On UnderNet? (Score:5, Insightful)

      by oobob (715122) * on Wednesday January 12 2005, @09:49AM (#11334747)
      So... let's say that I want to patronize his obviously grossly illegal service. How do you consummate a transaction like this? Cash in a Fedex envelope? Sent to whom? A P.O. box?

      Who performs first? Are there criminal escrow services?

      This page [securityfocus.com], linked in the posted article, has some explanation about how they traded:

      "The 4,000 Shadowcrew members were participants in an underground economy capable of providing a dizzying array of illicit products and services. The most active commodities were "dumps" of credit card account data, fake physical cards to go with the dumps ($50 blank, $70 embossed, in bulk), and expertly forged identification to help pass the plastic at the local consumer electronics store. Credit reports, hacked online bank accounts, and names, birthdates and social security numbers of potential identity theft targets were also for sale in bulk.

      Each product had its own specialists, and every vendor had to be reviewed by a trusted site member before they were allowed to sell. Disputes were handled judiciously, "rippers" selling bunk products quickly exposed and banned from the site. In one case a vendor who owed another member money was allowed to continue selling only on the condition that his future illicit earnings would be garnished until his debt was repaid..

      Members of the community even traded in tangible items like ATM skimmers, prescription drugs, and cocaine, and services like DDoS for hire and malware customization. One well-reviewed vendor offered a test-taking service that promised to get customers technical certifications within days. He was permitted to vend after earning the reviewer a Microsoft MCP certification under an alias."

      And how stupid do you have to be to take out an ad online, in a known criminal hangout, announcing your secret power, and providing contact info?

      Um, dude, have you ever hung out on undernet? All sorts of shady shit happens there. I've known friends who knew people from online chatrooms who hijacked business conference call lines and made them available to entire chatrooms as a group conference voicechat line. Warring chatrooms would even appear and try to make the line unusable. I thought it was moronic (they even called from their home and work phones for God's sake!), but I think people aren't used to the internet's topology. The lack of a physical police presence makes people pretty confident and reckless - you're not there, so they can't just arrest you on the spot, which eliminates most of the anxiety in any crime (smoke weed in a public park and your house and compare your reactions). Even worse, because of the nature of the internet, the police don't need a physical presence to monitor any of it, so criminals can't just look over and notice that shady van across the street. The lack of these real-world reminders makes for bad heuristic judgments. You'd think hackers would be the first to notice that their lack of fear is due to this sort of fallacy, but from the article, it's clear that some don't.

      Don't get me wrong - I'm not saying that it's easy to catch people committing crimes online. It's extremely difficult. GHB kits thrived online, and I'm sure if you still looked you could find products ostensibly marketed for other reasons that are just clandestine GHB kits on google (that's the only example you get, but you'd all be fucking shocked if you knew just how many drugs are sold online with Visa and paypal). If you take only the most obvious precautions, it's many times harder. Something as simple as using a proxy and encryption from a "borrowed" wireless connection can make criminals almost undetectable. Many of us use one of the three reguarly. How hard is it to combine them?

      The police can't monitor everything. Even if they devoted the resources to looking for this sort of thing, how many people know the magic combinations of words and searching techniques that let them

  • Hmm... (Score:5, Insightful)

    by 404 Clue Not Found (763556) on Wednesday January 12 2005, @08:55AM (#11334133) Homepage
    So the guy hacks in to the network, steals personal information, downloads private pictures, sells all this stuff... and then he's able to get away with just one felony, no jail time, and even a work offer for the Secret Service?

    I mean, it's not like he found a flaw and just experimented with it briefly. He deliberately exploited it over the course of a year and even attempted to profit from it. Doesn't that seem... wrong?

    I understand that he would be very useful to the investigators, but what about the victims? Were there actually any? Were they affected? If so, it sure seems like the punishment was rather light. Almost encourages people to try the same thing. Is the message here "crime pays, as long as you work for the government once you're caught"?

    On the other hand, how can he work as a mole when so much about his identity is already revealed? If the entire world now knows his name, has access to his resume, etc., isn't he at great risk of being identified?

    And it's not just him... with all the information revealed in the news article, how can the SS's original snitch stay hidden? Wouldn't whatever hackers he made contact with obviously know who he is, now?

    It's almost like watching a spy movie. Heh, well, what do I know. It all just seemed rather strange to an outsider like me, but I must admit I don't know how these things usually work. Someone wanna explain?

    Also, it was interesting that they called ICQ "Microsoft ICQ". Just a mistake or did MS secretly buy AOL?
    • What, you're somehow expecting corporations and governments to be non-evil?

    • Re:Hmm... (Score:4, Interesting)

      by pegr (46683) * on Wednesday January 12 2005, @09:18AM (#11334378) Homepage Journal
      So the guy hacks in to the network, steals personal information, downloads private pictures, sells all this stuff... and then he's able to get away with just one felony, no jail time, and even a work offer for the Secret Service?

      If you think the Secret Service won't use his skills in exactly the same way he was offering to the public before he got busted, you are mistaken. That is to say (explicitly), the Feds will use this guy to break into private computer networks and steal information of interest to them. They will keep him at arms length in case he gets caught. This is the way law enforcement (unfortunately) works...

    • Are you new here? (Score:5, Insightful)

      by copponex (13876) on Wednesday January 12 2005, @09:29AM (#11334512) Homepage
      Situational ethics are pervasive in our society. Steal 100,000,000 through insurance fraud, you get 5 years. Rob 10,000 at a bank, and get 20.

      This is also the same country where we gave a dictator the technology and biological weapons to kill his own people by the tens of thousands, and used that as a reason 15 years later to depose him.

      Get used to it.
    • So the guy hacks in to the network, steals personal information, downloads private pictures, sells all this stuff... and then he's able to get away with just one felony, no jail time, and even a work offer for the Secret Service?

      The government does this all the time in organized crime and drug cases. Look at a guy like Sammy "The Bull" Gravano. He killed god knows how many as a member of the Gambino family not to mention a list of other crimes a mile long but was given a slap on the wrist and a new identi
      • --> Johanne (urarrested@ARN-34.i_am_from_the_united_states_sec ret_service.gov)
        Hello fellow criminals. Let's do crime.

  • Are budget cuts that severe? (Score:5, Insightful)

    by motherjoe (716821) on Wednesday January 12 2005, @08:55AM (#11334140)
    Why on earth is the Secret Service of the United States using T-Mobile as an ISP/Email provider?

    What's next? The FBI, CIA, etc is compromised while using hotmail, Yahoo, or Google mail?

    Are Gov IT cutbacks so severe they have to turn to places like this to send messages?

  • Funniest quote (Score:4, Funny)

    by davetrainer (587868) * <slashdotNO@SPAMdavetrainer.com> on Wednesday January 12 2005, @09:01AM (#11334192)
    "He basically just said there was flaw in the way the cell phone servers were set up," says William Genovese, a 27-year-old hacker facing unrelated charges for allegedly
    selling a copy of Microsoft's leaked source code for $20.00."

    I hope it came with an 18-dollar bill.

  • Gets ya thinking... (Score:3, Interesting)

    by jchawk (127686) on Wednesday January 12 2005, @09:13AM (#11334305) Homepage Journal
    You know it seems like the reason this guy got caught was because he was sloppy with his own identity online... If he would have been more careful with the names / icq numbers / people he trusted online, it's very unlikely that he would have gotten caught.

    I think he let his greed / ego get in the way when trying to offload this information that he obtained.

    This really makes you wonder about the guys you never hear about, the ones that don't get caught. :-/
    • This really makes you wonder about the guys you never hear about, the ones that don't get caught. :-/

      I agree, the most disturbing thing about all of this is the low level of knowledge of the hacker. He was nothing but a script kiddie on his resume and he was caught with obvious mistakes. We can be sure that TMobile and others are still owned by more sophisticated crackers who will not be caught.

      The article links to a 2001 resume [securityfocus.com] which never mentions GNU and only once mentions Unix but lots of Windozed

  • standards board (Score:4, Insightful)

    by shameus_burp (848522) on Wednesday January 12 2005, @09:16AM (#11334345)
    Even though I am not a T-Mobile subcriber, it's distrubing to me that my personal information is protected by the whim of a corporation and not by any standards. I think everyone is in agreement that corporations are driven by cost of security and not the security of it's subscribers. The government should fine T-Mobile for inadequet IT security and a security standards board should be created to set baseline security measures for corporations and other institutions. I'm not sure such a committee exists but it's clear to me that there are no defined rules to protect information. We have rules from the FDA in regards to food, rules to handle securities etc. Why not rules and laws to protect customer and employee information?
  • .. now *that* would be a story ;o)
  • as its weakest link.

    (This event could be called "backdoor", couldn't it?)
    • The source code for Danger's SSH client is included in the hiptop SDK. If you suspect it's doing something shady, why not sign up for a developer account at http://developer.danger.com and download the source?

      That said, I've used the SSH client myself and even glanced through the source briefly, and nothing struck me as suspicious. As for the hiptop lacking the power to do the encryption, that's why it takes the client a good thirty seconds or so just to perform the initial handshake.

All trademarks and copyrights on this page are owned by their respective owners. Comments are owned by the Poster. The Rest © 1997-2009 Geeknet, Inc.