Security Communications Privacy

Hacker Penetrates T-Mobile Systems 396

An anonymous reader writes "SecurityFocus.com reports 'a sophisticated computer hacker had access to servers at wireless giant T-Mobile for at least a year, which he used to monitor U.S. Secret Service e-mail, obtain customers' passwords and Social Security numbers, and download candid photos taken by Sidekick users, including Hollywood celebrities.' Demi Moore and Paris Hilton are involved."

  • by BoldAC ( 735721 ) on Wednesday January 12, 2005 @09:41AM (#11333982)
    Genovese provided SecurityFocus with an address on his website featuring what appears to be grainy candid shots of Demi Moore, Ashton Kutcher, Nicole Richie, and Paris Hilton.

    Okay, all my Karma points for a link. :)

    The same source also offers an explanation for the secrecy surrounding the case: the Secret Service, the source says, has offered to put the hacker to work, pleading him out to a single felony, then enlisting him to catch other computer criminals in the same manner in which he himself was caught. The source says that Jacobson, facing the prospect of prison time, is favorably considering the offer.


    As much as we make fun of the computer knowledge of our governments, they finally seem to be on the right track. You must have some of these guys in your pocket to really have a chance. Can you trust them? Probably not completely... but if they bring you some knowledge, skills, and some of the most damaging players, then it's worth it.

  • The News (Score:5, Insightful)

    by DrugCheese ( 266151 ) on Wednesday January 12, 2005 @09:50AM (#11334086)
    I bet the American public will be more flabbergasted over the fact that he has pictures of Demi Moore and Paris Hilton that haven't been released than the fact he was spying on the Secret Service.

    Some days I'm proud to be American, but then the drugs wear off.

  • by HawkinsD ( 267367 ) on Wednesday January 12, 2005 @09:54AM (#11334124)
    FA says that he was offering ssn, dob, passwords, etc. for sale.

    So... let's say that I want to patronize his obviously grossly illegal service. How do you consummate a transaction like this? Cash in a Fedex envelope? Sent to whom? A P.O. box?

    Who performs first? Are there criminal escrow services?

    And how stupid do you have to be to take out an ad online, in a known criminal hangout, announcing your secret power, and providing contact info?

    Is there something I'm missing here?

    No, really.

  • by motherjoe ( 716821 ) on Wednesday January 12, 2005 @09:55AM (#11334140)
    Why on earth is the Secret Service of the United States using T-Mobile as an ISP/Email provider?

    What's next? The FBI, CIA, etc. are compromised while using Hotmail, Yahoo, or Google mail?

    Are Gov IT cutbacks so severe they have to turn to places like this to send messages?

  • Re:Hmm... (Score:3, Insightful)

    by phats garage ( 760661 ) on Wednesday January 12, 2005 @10:03AM (#11334208) Homepage Journal
    What, you're somehow expecting corporations and governments to be non-evil?
  • by JaffaKREE ( 766802 ) on Wednesday January 12, 2005 @10:07AM (#11334243)
    I don't understand why he asked for a proxy from this dude he had just met. Really, really stupid, especially when it turned out to be a government monitoring server.
  • by fizban ( 58094 ) <fizban@umich.edu> on Wednesday January 12, 2005 @10:14AM (#11334324) Homepage
    Hello? Welcome to the United States. The internet infrastructure is built and controlled by companies. It's not like our government agencies have their own internet. If a Secret Service Agent needs to send an email to the home office, he'll pick up his sidekick, his Blackberry, his Palm, his laptop, etc., connect to a service provider like T-Mobile, Verizon, Comcast, etc. and send his message or store his files. Probably encrypted, but maybe not always if it's not considered a very sensitive communication.

    A lot of people have crazy delusions that secret agencies live in some far off technical wonderhome, where all communications are encrypted with some super 733t MD67 algorithm never before seen by any other person in the world, all access is controlled by handprint and retinal scan identification and everyone walks around with James Bond gadgets in their pockets. It's just not so. These people live and work in normal offices and normal homes and deal with the same crappy, bug-ridden and insecure hardware and software that the rest of us do. It's probably a bit better than your normal corporate office, but not by much.
  • standards board (Score:4, Insightful)

    by shameus_burp ( 848522 ) on Wednesday January 12, 2005 @10:16AM (#11334345)
    Even though I am not a T-Mobile subscriber, it's disturbing to me that my personal information is protected by the whim of a corporation and not by any standards. I think everyone is in agreement that corporations are driven by cost of security and not the security of its subscribers. The government should fine T-Mobile for inadequate IT security and a security standards board should be created to set baseline security measures for corporations and other institutions. I'm not sure such a committee exists but it's clear to me that there are no defined rules to protect information. We have rules from the FDA in regards to food, rules to handle securities etc. Why not rules and laws to protect customer and employee information?
  • Re:standards board (Score:2, Insightful)

    by nberardi ( 199555 ) * on Wednesday January 12, 2005 @10:21AM (#11334409) Homepage
    I agree that T-Mobile should be fined for the lack of security and anybody that has a T-Mobile should be able to drop the account without the early fees. But setting up another level of bureaucracy to do something is never the answer, and the data was probably protected by some kind of standards. But as we have seen in the last week even an Open Standard such as Linux has holes in it. I don't know what T-Mobile uses, but this problem was due to a hole in security not a lack of security.

    There is always going to be some enterprising person that can get by any measure of security that you put in place, so setting up more bureaucracy to look at standards just makes it easier, because now the world knows how you store/protect data and thus makes it easier to find exploits.
  • by visualight ( 468005 ) on Wednesday January 12, 2005 @10:25AM (#11334459) Homepage
    I don't know what they're complaining about. I thought we weren't supposed to have an "expectation of privacy" with email. So it's legal to read anyone's email without violating their privacy, right?
  • Are you new here? (Score:5, Insightful)

    by copponex ( 13876 ) on Wednesday January 12, 2005 @10:29AM (#11334512) Homepage
    Situational ethics are pervasive in our society. Steal 100,000,000 through insurance fraud, you get 5 years. Rob 10,000 at a bank, and get 20.

    This is also the same country where we gave a dictator the technology and biological weapons to kill his own people by the tens of thousands, and used that as a reason 15 years later to depose him.

    Get used to it.
  • by Maestro4k ( 707634 ) on Wednesday January 12, 2005 @10:32AM (#11334542) Journal
    • A lot of people have crazy delusions that secret agencies live in some far off technical wonderhome, where all communications are encrypted with some super 733t MD67 algorithm never before seen by any other person in the world, all access is controlled by handprint and retinal scan identification and everyone walks around with James Bond gadgets in their pockets. It's just not so. These people live and work in normal offices and normal homes and deal with the same crappy, bug-ridden and insecure hardware and software that the rest of us do. It's probably a bit better than your normal corporate office, but not by much.
    Well I don't think they have any super leet encryption, but I do expect them to be smart enough to encrypt anything sensitive. According to the article many of the documents this guy obtained were things that most definitely should have been encrypted. I think a good question is why this agent was sending this stuff unsecured, and if he was disciplined for allowing a security breach to occur. (Face it, since he didn't encrypt the documents and passed them over a monitorable network he's partially responsible.)
  • by IndiJ ( 842721 ) on Wednesday January 12, 2005 @10:34AM (#11334566) Homepage

    A few replies to this posting have expressed surprise that SS agents use commercial wireless accounts, but how else could they send information to and from the field wirelessly? A few more have suggested that the compromised SS data may just be intra-agency chit-chat, but a couple things suggest that may not be so.

    First of all, the nature of the documents that were leaked in the IRC chat - one is described as an "internal memo", and the other is probably a treaty with the Russians to share criminal information. No details are given re the content of the memo, but it could have been extremely damaging to a case in progress. And the treaty is probably not sensitive in and of itself, but its presence could tip off Russian computer criminals to watch their backs.

    Now, the guy whose account was raided for this info is a recent celebrity for taking out a previous hacker. It would probably be extremely embarrassing to the agency for his goof to be exposed like this.

    And then there's the fact that this MASSIVE series of criminal acts is being written down to just a single felony... and they're giving the guy a job!

    Now I don't want to sound like a conspiracy theorist, but it seems likely to me that this dude got off (and got a job!) so light not for his m4d-l33t h4x0r skills, but because of the potential embarrassment to the service, and the damage the publicity might do to other cases. It seems the lesson here is that it doesn't matter what crime you commit online, or on what scale, as long as you:

    1. Do not make a spectacle of yourself (ex. by altering google's start page to display your hacker handle, or making a massively infectious trojan/worm/virus).
    2. Embarrass or otherwise compromise the investigators.

    The precedent that these two points set is worrying. Crackers are annoying when they deface websites, bring down servers or spread virus-like software - but it's only a few hours annoyance (a week at the most), then the problem passes (for most people). Once crackers get the message that the clowns get stiff fines and the real dangerous people get off light (plus get a lot more out of it if they don't get caught), it would seem to make sense to stop "tagging" or writing viruses and go for the big game. Furthermore, the cops become a very attractive target, which could compromise many more, unrelated cases.

    So the message as I read it is: "Don't be a script kiddie, crack the FBI! If you get away with it you get rich, and if you get caught you get a job."

    Both the Secret Service and T-Mobile should be publicly shamed for the debacle, and the response, if only it wouldn't risk compromising other cases.

  • by neoform ( 551705 ) <djneoform@gmail.com> on Wednesday January 12, 2005 @10:45AM (#11334702) Homepage
    Why not hire convicted murderers as police officers/detectives.. that way they can catch other killers better..
  • by oobob ( 715122 ) * on Wednesday January 12, 2005 @10:49AM (#11334747)
    So... let's say that I want to patronize his obviously grossly illegal service. How do you consummate a transaction like this? Cash in a Fedex envelope? Sent to whom? A P.O. box?

    Who performs first? Are there criminal escrow services?


    This page [securityfocus.com], linked in the posted article, has some explanation about how they traded:

    "The 4,000 Shadowcrew members were participants in an underground economy capable of providing a dizzying array of illicit products and services. The most active commodities were "dumps" of credit card account data, fake physical cards to go with the dumps ($50 blank, $70 embossed, in bulk), and expertly forged identification to help pass the plastic at the local consumer electronics store. Credit reports, hacked online bank accounts, and names, birthdates and social security numbers of potential identity theft targets were also for sale in bulk.

    Each product had its own specialists, and every vendor had to be reviewed by a trusted site member before they were allowed to sell. Disputes were handled judiciously, "rippers" selling bunk products quickly exposed and banned from the site. In one case a vendor who owed another member money was allowed to continue selling only on the condition that his future illicit earnings would be garnished until his debt was repaid.

    Members of the community even traded in tangible items like ATM skimmers, prescription drugs, and cocaine, and services like DDoS for hire and malware customization. One well-reviewed vendor offered a test-taking service that promised to get customers technical certifications within days. He was permitted to vend after earning the reviewer a Microsoft MCP certification under an alias."

    And how stupid do you have to be to take out an ad online, in a known criminal hangout, announcing your secret power, and providing contact info?

    Um, dude, have you ever hung out on undernet? All sorts of shady shit happens there. I've known friends who knew people from online chatrooms who hijacked business conference call lines and made them available to entire chatrooms as a group conference voicechat line. Warring chatrooms would even appear and try to make the line unusable. I thought it was moronic (they even called from their home and work phones for God's sake!), but I think people aren't used to the internet's topology. The lack of a physical police presence makes people pretty confident and reckless - you're not there, so they can't just arrest you on the spot, which eliminates most of the anxiety in any crime (smoke weed in a public park and your house and compare your reactions). Even worse, because of the nature of the internet, the police don't need a physical presence to monitor any of it, so criminals can't just look over and notice that shady van across the street. The lack of these real-world reminders makes for bad heuristic judgments. You'd think hackers would be the first to notice that their lack of fear is due to this sort of fallacy, but from the article, it's clear that some don't.

    Don't get me wrong - I'm not saying that it's easy to catch people committing crimes online. It's extremely difficult. GHB kits thrived online, and I'm sure if you still looked you could find products ostensibly marketed for other reasons that are just clandestine GHB kits on google (that's the only example you get, but you'd all be fucking shocked if you knew just how many drugs are sold online with Visa and paypal). If you take only the most obvious precautions, it's many times harder. Something as simple as using a proxy and encryption from a "borrowed" wireless connection can make criminals almost undetectable. Many of us use one of the three regularly. How hard is it to combine them?

    The police can't monitor everything. Even if they devoted the resources to looking for this sort of thing, how many people know the magic combinations of words and searching techniques that let them
  • Re:Hmm... (Score:3, Insightful)

    by dr_dank ( 472072 ) on Wednesday January 12, 2005 @10:57AM (#11334839) Homepage Journal
    So the guy hacks in to the network, steals personal information, downloads private pictures, sells all this stuff... and then he's able to get away with just one felony, no jail time, and even a work offer for the Secret Service?

    The government does this all the time in organized crime and drug cases. Look at a guy like Sammy "The Bull" Gravano. He killed god knows how many as a member of the Gambino family not to mention a list of other crimes a mile long but was given a slap on the wrist and a new identity for turning state's evidence.

    Nothing new here.
  • by The Ultimate Fartkno ( 756456 ) on Wednesday January 12, 2005 @11:11AM (#11335004)
    Because murder isn't really an analog of hacking. Murder is usually a 1-time, spontaneous act of violence with little if any planning involved. It's more like breaking into an office and stealing the computer to get at the contents instead of hacking your way in via a network connection. I think a better comparison would be between hacking and *serial* killers, who traditionally put a lot more method into their madness because - like hackers - they want to keep coming back for more. And serial killers are quite frequently "hired" by the police afterwards when their methods and expertise are studied through profiling. A regular murderer doesn't get studied - just a jail sentence. A serial killer who's caught becomes a tool by which we catch the next one.

  • by doublem ( 118724 ) on Wednesday January 12, 2005 @11:21AM (#11335131) Homepage Journal
    She's what the media says should be the "perfect" woman. According to Hollywood and fashion designers, she's ideal.

    Wealthy
    Thin to the point of being unhealthy
    High Libido
    Slutty
    Blond
    Dumb as a post.

    As a result, the media HAS to go nuts about her, because toothpicks like her are the kind of trash they've been throwing at us for ages.
  • by infochuck ( 468115 ) on Wednesday January 12, 2005 @11:31AM (#11335274)
    HAHAHAA... has anybody actually read this? Basically, his experience amounts to attending security conferences and listening to presentations, as well as setting up booths for other computer conferences. Lots of experience on IRC.

    So basically, some script kiddy gets lucky and finds a router with the default password set and wreaks havoc. Nice to know the Telecom business is paying attention to security.
  • by Spy der Mann ( 805235 ) <spydermann.slash ... m ['mai' in gap]> on Wednesday January 12, 2005 @12:56PM (#11336492) Homepage Journal
    as its weakest link.

    (This event could be called "backdoor", couldn't it?)
  • by chris_mahan ( 256577 ) <chris.mahan@gmail.com> on Wednesday January 12, 2005 @01:00PM (#11336551) Homepage
    Spy agencies use a lot of different levers.

    See the case of the Chinese woman who had a 20 year affair with an FBI agent. She was spying on the Chinese, for the FBI, and they paid her 1.7 million. Then the FBI got an interesting notion that she might be spying for the Chinese, so they dragged her in court. Of course, the prosecution screwed up and the judge dismissed the case for infringement of her constitutional right. (that was in the paper a couple days ago).

    All this to show that the US government is not above giving lots of money (if for 20 years, 1.7 million is 85,000 a year, and I bet she did not pay taxes on that (what would she put under profession?)).

    What the Chinese used as a lever, if indeed they used her (she might have been a throwaway agent (read last chapter of The Art of War)), might also have been money (they have lots), since it obviously worked as a lever for her.

    As far as keeping them blackmailed, that's very very bad. It is very easy for foreign agents to turn such elements over. They say something like: We'll fake your death, you move to Japan, give you an interpreter/girlfriend (here's her picture: Yowza!) and a beautiful house on the hill, with internet and computers, and 140,000 a year for 10 years. After that, you're free to go as you please. Think about it, you can get back at the SS for making you miserable. And you'll be helping mankind by keeping the balance of power so that there is no war.

    You think the CIA was born yesterday? (well, actually, under Bush Jr, it's being strangled to death now) They know their stuff. Perhaps not as well as the Russians or the Chinese, but they do know their stuff. They would not be stupid enough to blackmail the guy. They want to make him think they saved his life from being the cig trade.
  • by doublem ( 118724 ) on Wednesday January 12, 2005 @05:15PM (#11340105) Homepage Journal
    Actually, it all has to do with economics. The western economy is a culture of shame. "You're not good enough, so buy this product to BECOME good enough." The idea is to create expectations that are impossible to reach, so people are always striving and buying to get something they can never have.

    Mind you, I don't for a moment think this is the result of any kind of organized conspiracy. This is the logical consequence of about a century and a half of advertising campaigns telling us ways we're "not good enough."

    Toys like Barbie don't help matters much. I won't speculate about the motives behind the people who created the doll and its proportions, but the end result has been a couple of generations of women growing up trying to look like that, and men growing up to expect women to look like that.

    One of the replies to your post was from someone who finds Paris attractive. I'm sure there's a percentage of people who are just naturally hard wired for those preferences, but given the fact that Paris' body isn't really capable of supporting a pregnancy without medical aid, I doubt she matches the image of what we EVOLVED to prefer.

    This advertising based image of the "ideal" is older than anyone alive today, and has become so ingrained that most people think it's "normal" to find such an absurd image attractive, and even grow hostile towards those who imply otherwise.

    Actually, given the photos I've seen of Paris, and the statistics I've read (Some VERY thin friends are having kids) her chances of having a child with birth defects are a few orders of magnitude greater than the average American's. Having so little weight probably makes it difficult to carry a fetus to term and provide it the nutrients it needs to develop properly.
