Hacker Penetrates T-Mobile Systems

An anonymous reader writes "SecurityFocus.com reports 'a sophisticated computer hacker had access to servers at wireless giant T-Mobile for at least a year, which he used to monitor U.S. Secret Service e-mail, obtain customers' passwords and Social Security numbers, and download candid photos taken by Sidekick users, including Hollywood celebrities.' Demi Moore and Paris Hilton are involved."

Get Moore !?!

[rednip]

Most troubling...

T-Mobile, which apparently knew of the intrusions by July of last year, has not issued any public warning.

Q: If I were a customer and I found out that my identity has been stolen, could I sue T-Mobile for any damages since they knew of the problem, or perhaps for just having breakable security?

BTW, the Black Hat's email address (and online identity) is ethics@netzero.net [mailto] and at one point was looking for work as a security administrator. Not a big surprise that he was interested in the field, but 'Ethics'!

Not-so Secret Service

[Vollernurd]

Surely the Secret Service would encrypt anything important? I would have though that they would not have used a commercial network service like that. But then again mum always told me not to think too much.

Secret Service Mail Encryption

[dnno]

Just because he is reading Secret Service mail doesn't mean it is important. For all we know the mail could read like this: On todays lunch menu we are not going to be having the chicken fajita due to a lack of chicken, we will be having PB & J's. Surely they have secure transmission lines (& methods of encryption) , so why would they send anything of importance over T-Mobiles network?

Re:Get Moore !?!

[lucabrasi999]

As I read even more of the FA:

According to court records the massive T-Mobile breach first came to the government's attention in March 2004, when a hacker using the online moniker "Ethics" posted a provocative offer on muzzfuzz.com, one of the crime-facilitating online marketplaces being monitored by the Secret Service as part of Operation Firewall.

"[A]m offering reverse lookup of information for a t-mobile cell phone, by phone number at the very least, you get name, ssn, and DOB at the upper end of the information returned, you get web username/password, voicemail password, secret question/answer, sim#, IMEA#, and more," Ethics wrote.

It appears the feds knew about this months ago.

Gets ya thinking...

[jchawk]

You know it seems like the reason this guy got caught was because he was sloppy with his own identity online... If he would have been more careful with the names / icq numbers / people he trusted online, it's very unlikely that he would have gotten caught.

I think he let his greed / ego get in the way when trying to offload this information that he obtained.

This really makes you wonder about the guys you never hear about, the ones that don't get caught. :-/

Re:Hmm...

[pegr]

So the guy hacks in to the network, steals personal information, downloads private pictures, sells all this stuff... and then he's able to get away with just one felony, no jail time, and even a work offer for the Secret Service?

If you think the Secret Service won't use his skills in exactly the same way he was offering to the public before he got busted, you are mistaken. That is to say (explicitly), the Feds will use this guy to break into private computer networks and steal information of interest to them. They will keep him at arms length in case he gets caught. This is the way law enforcement (unfortunately) works...

uh, blackmail?

[SuperBanana]

As much as we make fun of the computer knowledge of our governments, they finally seem to be on the right track. You must have some of these guys in your pocket to really have a chance. Can you trust them? Probably not completely... but if they bring you some knowledge, skills, and some of the most damaging players, then it's worth it.

Um...you do realize they're blackmailing him, right?

Honestly, I can't decide if being blackmailed is better or worse than him rotting in jail. We don't let people off the hook for robbing convenience stores "for fun" or "for the challenge", unless they're insane enough that they don't understand it's wrong (in which case, they go to a mental institution, not jail) and people intelligent enough to do the hacking are intelligent enough to understand breaking into something that doesn't belong to you is wrong; anything else is just creative ass-covering by hackers and their lawyers.

In case you hadn't figured it out by now, I'm not a Mitnick fanboy, which I know isn't very popular even today...

Re:Secret Service Mail Encryption

[Maestro4k]

• Just because he is reading Secret Service mail doesn't mean it is important. For all we know the mail could read like this: On todays lunch menu we are not going to be having the chicken fajita due to a lack of chicken, we will be having PB & J's. Surely they have secure transmission lines (& methods of encryption) , so why would they send anything of importance over T-Mobiles network?

If you'd RTFA, you'd know that many of things he had access to were important, sensitive and, in an ideal world, should have been encrypted. One good question the article didn't ask is why'd the secret service agent send these things unencrypted over a monitorable network? Personally I'd like to know that he had been disciplined for allowing this security breach to occur.

Yep, the guy was stupid

[Tassach]

From the article:

[He] even knew the agency was monitoring his own Microsoft ICQ chat account

Come on, how frelling stupid can you be? You've got hard intel that the opposition is on to you and you don't shut down your operation? At the very least you crank up your operational security a notch or ten in that situation.

The guy crossed the line when he went to sell personal information to identity theives. Looking at famous people's candid photos is pretty harmless (as long as he's not selling them to some tabloid or spreading them around). Reading the SS's email is the ultimate in poetic justice; they should be more aware of just how insecure email is than just about anyone. It's inexcuable for the frelling SS to have been sending sensitive documents around in unencrypted emails.

In the end, it sounds like the guy got caught because of his own hubris. Which, when you think about it, is typical... criminals get busted not because the cops are spectacuarly competant, but because they run their mouths off.

Re:Get Moore !?!

[maotx]

Google search [google.com] of his e-mail brings up 161 posts.

Re:Are you new here?

[captwheeler]

Calling it " Situational ethics" is a red herring: the situation does matter in ethics. Fraud is less serious then the possibility of violence.

The problem is the governments willingness to use criminals.