Hacker Penetrates T-Mobile Systems

An anonymous reader writes "SecurityFocus.com reports 'a sophisticated computer hacker had access to servers at wireless giant T-Mobile for at least a year, which he used to monitor U.S. Secret Service e-mail, obtain customers' passwords and Social Security numbers, and download candid photos taken by Sidekick users, including Hollywood celebrities.' Demi Moore and Paris Hilton are involved."

The Register has an article too ...

[un1xl0ser]

The Register's Article [theregister.co.uk]

His Resume is posted online !

[Anonymous Coward]

http://lists.jammed.com/securityjobs/2001/09/att-0 059/01-RESUME_OF_NICHOLAS_JACOBSEN.txt

Re:Get Moore !?!

[ack154]

This might be why (though there's no stating if it's the actual reason or not):

but may be postponed if a law enforcement agency determines that the disclosure would compromise an investigation

That would be my guess anyways.

Re:Get Moore !?!

[lucabrasi999]

Q: If I were a customer and I found out that my identity has been stolen, could I sue T-Mobile for any damages since they knew of the problem, or perhaps for just having breakable security?

RTFA:

T-Mobile, which apparently knew of the intrusions by July of last year, has not issued any public warning. Under California's anti-identity theft law "SB1386," the company is obliged to notify any California customers of a security breach in which their personally identifiable information is "reasonably believed to have been" compromised. That notification must be made in "the most expedient time possible and without unreasonable delay," but may be postponed if a law enforcement agency determines that the disclosure would compromise an investigation.

It appears that if you sue, you won't win.

Re:His Resume is posted online !

[Anonymous Coward]

http://lists.jammed.com/securityjobs/2001/09/att-0 059/01-RESUME_OF_NICHOLAS_JACOBSEN.txt [jammed.com]

Clicky... AC, so no karma whoring for me. :-)

Re:Argh...

[Anonymous Coward]

No, hacker. The hacker/cracker distinction is only for the inner geek circles. Hacker in the mainstream means both.

Words can have multiple meanings.

Picture messages,

[ambrosen]

are uploaded to a phone company server and a link is sent to the recipient's phone, which then downloads the picture. So the content is by default stored on the company's server.

T-Mobile Security

[GJSchaller]

My guess is that the Secret Service was using Blackberries, which uses encrypted transmissions between the Blackberry server and the device, and even multiple encryptions, if I remember correctly (one for the message, one for the Wireless). I doubt that they were stupid enough to use unencrpyted service, when regular non-Govt. customers can have encryption (We have it here at our job on our BBs). Note that they say "emails" and not "SMS" or "Text Messages."

Re:linkie? and recruitment

[Gruneun]

A six figure salary and a supercomputer? Re-watch the end of "Catch Me if You Can"; he'll get a low-grade government salary, half of what the guy whose paid to watch everything he does gets, he won't be allowed computers at home, not even a game console or Internet enabled refrigerator.

I hate to break it to you, but that's a movie. It is, however, based on a true story. You might want to see how the real Frank Abagnale has been doing lately, though:

http://www.abagnale.com/index2.asp [abagnale.com]

Meet the script kiddie.

[twitter]

This really makes you wonder about the guys you never hear about, the ones that don't get caught. :-/

I agree, the most disturbing thing about all of this is the low level of knowledge of the hacker. He was nothing but a script kiddie on his resume and he was caught with obvious mistakes. We can be sure that TMobile and others are still owned by more sophisticated crackers who will not be caught.

The article links to a 2001 resume [securityfocus.com] which never mentions GNU and only once mentions Unix but lots of Windozed based cracker toys and garbage. His efforts, while many, were too narrowly focused.

It does not look like he mastered Windoze cracking or much else by the time he was caught three years later. Besides being dumb enough to try to sell information, he accepted a proxy from a stranger. Someone who knew what they were doing would have a botnet proxy they set up themselves that could never be traced through. What else is windoze cracking good for?

The whole mindset was script kiddie. Own a phone service and collect stuff. What a waste of time.

He got his resume wish in a perverse way. He wanted a job is computer security. Now he's a felon and gets to spend some quality time as a government slave, snitching on his friends till he's all used up. Or he can go to jail and take the usual felon jobs: dishwasher, garbage man and other highly undesirable manual labor in tiny shops that know they can abuse you. Those jobs will be waiting for him when the government is through with him.

Re:SSH on T-Mobile - Not Secure

[Wonko42]

The source code for Danger's SSH client is included in the hiptop SDK. If you suspect it's doing something shady, why not sign up for a developer account at http://developer.danger.com and download the source?

That said, I've used the SSH client myself and even glanced through the source briefly, and nothing struck me as suspicious. As for the hiptop lacking the power to do the encryption, that's why it takes the client a good thirty seconds or so just to perform the initial handshake.

Re:Not-so Secret Service

[flosofl]

Actually it started as ARPAnet. And it wasn't started to send information "all over the world" for the government offices. It was started as way to:

1 - eliminate the need for 4 different terminal types on one desk.(that was how the idea germinated)

2 - Facilitate the sharing of information beteween gov't contractors and researchers who had ARPA grants.

3 - A way to timeshare systems for researchers who would not oridinarily have access to such systems.

It was US centric at the beginning and ARPA and ARPA's subcontractors/researchers only.

And to head this off at the pass, ARPA net was NOT designed for fault tolerence of command/control during a nuclear war. That was the impetus behind Paul Baran's development of the idea of packet-switching networks (that wasn't his name - the term "packet" came from Davies who sorta developed the same idea concurrently). He could never drum up support for the idea with ATT (really the only entity that could impliment it at the time). They said it was stupid idea. ARPA later grabbed the idea and used it because it lent a robustness to otherwise unlreliable lines of communications and the IMPs that terminated each line. The fact of the fault tolerence in terms of catastrophic destruction due to war is simply a coincidental side effect when you take into account the reasons the ARPA project was using packet switched networks.

Sorry. Got on my high-horse there. I just can't stand when people say that ARPAnet was designed in a distributed manner to survive a nuclear war (and even though no one's said it yet - well, this is Slashdot, so some future comments are predictable). Not true. It was the basis of Paul Baran's conceptual model of a packet switching distributed network.