Hacker Penetrates T-Mobile Systems
An anonymous reader writes "SecurityFocus.com reports 'a sophisticated computer hacker had access to servers at wireless giant T-Mobile for at least a year, which he used to monitor U.S. Secret Service e-mail, obtain customers' passwords and Social Security numbers, and download candid photos taken by Sidekick users, including Hollywood celebrities.' Demi Moore and Paris Hilton are involved."
At first ... (Score:2, Funny)
Re:At first ... (Score:2)
linkie? and recruitment (Score:5, Insightful)
Okay, all my Karma points for a link.
The same source also offers an explanation for the secrecy surrounding the case: the Secret Service, the source says, has offered to put the hacker to work, pleading him out to a single felony, then enlisting him to catch other computer criminals in the same manner in which he himself was caught. The source says that Jacobson, facing the prospect of prison time, is favorably considering the offer.
As much as we make fun of the computer knowledge of our governments, they finally seem to be on the right track. You must have some of these guys in your pocket to really have a chance. Can you trust them? Probably not completely... but if they bring you some knowledge, skills, and some of the most damaging players, then it's worth it.
Re:linkie? and recruitment (Score:3, Insightful)
Re:linkie? and recruitment (Score:4, Funny)
Yep, the guy was stupid (Score:5, Interesting)
The guy crossed the line when he went to sell personal information to identity thieves. Looking at famous people's candid photos is pretty harmless (as long as he's not selling them to some tabloid or spreading them around). Reading the SS's email is the ultimate in poetic justice; they should be more aware of just how insecure email is than just about anyone. It's inexcusable for the frelling SS to have been sending sensitive documents around in unencrypted emails.
In the end, it sounds like the guy got caught because of his own hubris. Which, when you think about it, is typical... criminals get busted not because the cops are spectacularly competent, but because they run their mouths off.
Re:Yep, the guy was stupid (Score:3, Funny)
The SS? Don't these guys use Enigma? [codesandciphers.org.uk]
Re:linkie? and recruitment (Score:2)
If his aren't enough I'll add my own to the lot.
uh, blackmail? (Score:3, Interesting)
Um...you do realize they're blackmailing him, right?
Honestly, I can't decide if being blackmailed is better or worse than him rotting in jail. We don't let people off th
Re:linkie? and recruitment (Score:2)
Try telling the old lady whose credit card was swiped that you just gave the thief a six-figure salary and a supercomputer. We neutered our intelligence community a while back because it wasn't politically correct to work with bad people. Of course, you have to associate with unsavo
Re:linkie? and recruitment (Score:3, Informative)
I hate to break it to you, but that's a movie. It is, however, based on a true story. You might want to see how the real Frank Abagnale has been doing lately, though:
http://www.abagnale.com/index2.asp [abagnale.com]
Re:linkie? and recruitment (Score:3, Insightful)
See the case of the Chinese woman who had a 20 year affair with an FBI agent. She was spying on the Chinese, for the FBI, and they paid her 1.7 million. Then the FBI got an interesting notion that she might be spying for the Chinese, so they dragged her in court. Of course, the prosecution screwed up and the judge dismissed the case for infringement of her constitutional right. (that was in the paper a couple days ago).
All this to show that the US government is no
Re:linkie? and recruitment (Score:2)
Apparently, most Vegas casinos hire ex-cheats to watch over the tables in the security monitor rooms.
Re:linkie? and recruitment (Score:2)
I would hope that the Secret Service would watch these guys like a hawk while they are employed there...
Re:linkie? and recruitment (Score:3, Insightful)
Get Moore !?! (Score:5, Interesting)
Q: If I were a customer and I found out that my identity has been stolen, could I sue T-Mobile for any damages since they knew of the problem, or perhaps for just having breakable security?
BTW, the Black Hat's email address (and online identity) is ethics@netzero.net [mailto] and at one point was looking for work as a security administrator. Not a big surprise that he was interested in the field, but 'Ethics'!
Re:Get Moore !?! (Score:4, Informative)
Re:Get Moore !?! (Score:5, Informative)
RTFA:
It appears that if you sue, you won't win.
Re:Get Moore !?! (Score:5, Interesting)
As I read even more of the FA:
It appears the feds knew about this months ago.
How many others? (Score:2)
"Ethics" posted a provocative offer on muzzfuzz.com, one of the crime-facilitating online marketplaces being monitored by the Secret Service as part of Operation Firewall.
Makes you wonder how many other crackers have gotten access to similar information, but weren't stupid enough to post that fact online, but went to a competitor (or the local Godfather, or the Chinese embassy) instead.
Re:Get Moore !?! (Score:2)
Trouble with that is, I don't live in California, if it was a federal law, then that would apply. However, I do think that most courts would say that to protect an ongoing investigation, it might be permissible for a short time. Of course it looks like the Feds held this for more than 6 months! Also, the initial breach was due to T-Mobile's lack of security.
Personally I don't think that companies will start taking their security seriously until big
Sophisticated Hackers (Score:5, Funny)
Demi Moore and Paris Hilton are involved. (Score:4, Funny)
Re:Demi Moore and Paris Hilton are involved. (Score:2, Offtopic)
Re:Demi Moore and Paris Hilton are involved. (Score:4, Insightful)
Wealthy
Thin to the point of being unhealthy
High Libido
Slutty
Blond
Dumb as a post.
As a result, the media HAS to go nuts about her, because toothpicks like her are the kind of trash they've been throwing at us for ages.
Re:Demi Moore and Paris Hilton are involved. (Score:3, Insightful)
Mind you, I don't for a moment think this is the result of any kind of organized conspiracy. This is the logical consequence of about a century and a half of advertising campaigns telling us ways we're "not go
Re:T&A (Score:2)
The Register has an article too ... (Score:2, Informative)
If a thread doesn't include pictures? (Score:2, Funny)
Demi Moore and Paris Hilton are involved? (Score:2)
His Resume is posted online ! (Score:5, Informative)
Re:His Resume is posted online ! (Score:5, Informative)
Clicky... AC, so no karma whoring for me. :-)
Re:His Resume is posted online ! (Score:2)
* Applications: Microsoft Visual Studio, Microsoft Office Suite,
* Techniques: Firewall Configuration,
Re:His Resume is posted online ! (Score:3, Funny)
Wow, Ubbercracker!
No, Seriously... is my mom a hacker too? She just
Re:from his resume: (Score:2)
netzero?
Not-so Secret Service (Score:4, Interesting)
Re:Not-so Secret Service (Score:5, Funny)
In other news, The President had to be reminded (again) that the White House Lobby Pay Phone should not be used to call Ariel Sharon.
Re:Not-so Secret Service (Score:5, Insightful)
A lot of people have crazy delusions that secret agencies live in some far off technical wonderhome, where all communications are encrypted with some super 733t MD67 algorithm never before seen by any other person in the world, all access is controlled by handprint and retinal scan identification and everyone walks around with James Bond gadgets in their pockets. It's just not so. These people live and work in normal offices and normal homes and deal with the same crappy, bug-ridden and insecure hardware and software that the rest of us do. It's probably a bit better than your normal corporate office, but not by much.
Re:Not-so Secret Service (Score:2)
So, MILNET doesn't exist any more?
Re:Not-so Secret Service (Score:3, Insightful)
Re:Not-so Secret Service (Score:2)
Re:Not-so Secret Service (Score:2)
Probably encrypted, but maybe not always if it's not considered a very sensitive communication.
FTFA:
I think the grandparent has a point. Maybe not use their own dedicated network, but there is certainly emai
Re:Not-so Secret Service (Score:3, Insightful)
Mod Parent Up! (Score:2)
The News (Score:5, Insightful)
Some days I'm proud to be American, but then the drugs wear off.
Secret Service?! (Score:2)
Re:Secret Service?! (Score:2)
Secret Service Mail Encryption (Score:3, Interesting)
Re:Secret Service Mail Encryption (Score:5, Interesting)
But how could he NOT get caught? (Score:5, Insightful)
So... let's say that I want to patronize his obviously grossly illegal service. How do you consummate a transaction like this? Cash in a Fedex envelope? Sent to whom? A P.O. box?
Who performs first? Are there criminal escrow services?
And how stupid do you have to be to take out an ad online, in a known criminal hangout, announcing your secret power, and providing contact info?
Is there something I'm missing here?
No, really.
Re:But how could he NOT get caught? (Score:2)
Well, it might have been stupid on his part, but he was smarter than the SS agent that used a public mobile network to transmit files.
Re:But how could he NOT get caught? (Score:2)
Re:But how could he NOT get caught? (Score:2)
Re:But how could he NOT get caught? (Score:2)
After all, they only caught him after he tried to sell the stuff, not through any security monitoring.
The smart money would have been on selling the Demi Moore etc pics; what secret service agent is going to investigate where some paparazzi pics came from?
Even Hung Out On UnderNet? (Score:5, Insightful)
Who performs first? Are there criminal escrow services?
This page [securityfocus.com], linked in the posted article, has some explanation about how they traded:
"The 4,000 Shadowcrew members were participants in an underground economy capable of providing a dizzying array of illicit products and services. The most active commodities were "dumps" of credit card account data, fake physical cards to go with the dumps ($50 blank, $70 embossed, in bulk), and expertly forged identification to help pass the plastic at the local consumer electronics store. Credit reports, hacked online bank accounts, and names, birthdates and social security numbers of potential identity theft targets were also for sale in bulk.
Each product had its own specialists, and every vendor had to be reviewed by a trusted site member before they were allowed to sell. Disputes were handled judiciously, "rippers" selling bunk products quickly exposed and banned from the site. In one case a vendor who owed another member money was allowed to continue selling only on the condition that his future illicit earnings would be garnished until his debt was repaid.
Members of the community even traded in tangible items like ATM skimmers, prescription drugs, and cocaine, and services like DDoS for hire and malware customization. One well-reviewed vendor offered a test-taking service that promised to get customers technical certifications within days. He was permitted to vend after earning the reviewer a Microsoft MCP certification under an alias."
And how stupid do you have to be to take out an ad online, in a known criminal hangout, announcing your secret power, and providing contact info?
Um, dude, have you ever hung out on undernet? All sorts of shady shit happens there. I've known friends who knew people from online chatrooms who hijacked business conference call lines and made them available to entire chatrooms as a group conference voicechat line. Warring chatrooms would even appear and try to make the line unusable. I thought it was moronic (they even called from their home and work phones for God's sake!), but I think people aren't used to the internet's topology. The lack of a physical police presence makes people pretty confident and reckless - you're not there, so they can't just arrest you on the spot, which eliminates most of the anxiety in any crime (smoke weed in a public park and your house and compare your reactions). Even worse, because of the nature of the internet, the police don't need a physical presence to monitor any of it, so criminals can't just look over and notice that shady van across the street. The lack of these real-world reminders makes for bad heuristic judgments. You'd think hackers would be the first to notice that their lack of fear is due to this sort of fallacy, but from the article, it's clear that some don't.
Don't get me wrong - I'm not saying that it's easy to catch people committing crimes online. It's extremely difficult. GHB kits thrived online, and I'm sure if you still looked you could find products ostensibly marketed for other reasons that are just clandestine GHB kits on Google (that's the only example you get, but you'd all be fucking shocked if you knew just how many drugs are sold online with Visa and PayPal). If you take only the most obvious precautions, it's many times harder. Something as simple as using a proxy and encryption from a "borrowed" wireless connection can make criminals almost undetectable. Many of us use one of the three regularly. How hard is it to combine them?
The police can't monitor everything. Even if they devoted the resources to looking for this sort of thing, how many people know the magic combinations of words and searching techniques that let them
Re:Even Hung Out On UnderNet? (Score:3, Funny)
Re:But how could he NOT get caught? (Score:2)
Some people launder money through online poker games. Invite your buyer to a game and have them "lose" some money to you. Internet gambling companies are usually based in offshore banking havens, making it difficult for the authorities to scrutinize your transaction. (I'd never do this myself, of course.)
Comment removed (Score:5, Insightful)
Re:Hmm... (Score:3, Insightful)
Re:Hmm... (Score:2)
Re:Hmm... (Score:4, Interesting)
If you think the Secret Service won't use his skills in exactly the same way he was offering to the public before he got busted, you are mistaken. That is to say (explicitly), the Feds will use this guy to break into private computer networks and steal information of interest to them. They will keep him at arm's length in case he gets caught. This is the way law enforcement (unfortunately) works...
Are you new here? (Score:5, Insightful)
This is also the same country where we gave a dictator the technology and biological weapons to kill his own people by the tens of thousands, and used that as a reason 15 years later to depose him.
Get used to it.
Re:Hmm... (Score:2)
Not really, this stuff all takes place online in forums and IRC so all he has to do is create new identities and work his way back into the scene. If he does get exposed, just lather, rinse, repeat. I'm sure the secret service can make sure he has plenty of different IPs to come from to help him
Re:Hmm... (Score:3, Funny)
Hello fellow criminals. Let's do crime.
Re:Hmm... (Score:3, Insightful)
The government does this all the time in organized crime and drug cases. Look at a guy like Sammy "The Bull" Gravano. He killed god knows how many as a member of the Gambino family not to mention a list of other crimes a mile long but was given a slap on the wrist and a new identi
Are budget cuts that severe? (Score:5, Insightful)
What's next? The FBI, CIA, etc is compromised while using hotmail, Yahoo, or Google mail?
Are Gov IT cutbacks so severe they have to turn to places like this to send messages?
Re:Are budget cuts that severe? (Score:2)
They were monitoring sites that did illegal business and found out about this.
Re:Are budget cuts that severe? (Score:2)
The agent was also an adopter of mobile technology, and he did a lot of work through his T-Mobile Sidekick
The agent mentioned here, Cavicchia, was an "early adopter".
With all the money that USSS has, I'd hope they'd develop some custom encryption solutions for their Sidekicks and Blackberries, if they indeed find them useful.
Re:Are budget cuts that severe? (Score:2)
Blackberries encrypt the data on the device, send it to the cellular network, to blackberry and back, IIRC (I believe blackberry acts as the routing between the different networks hosting its devices - i.e., nextel vs tmobile, etc)
ostiguy
Re:Are budget cuts that severe? (Score:2)
Do you really think the US Government should build up a cellular-like network for its own use? Now, I wouldn't mind if they would put up some towers in the middle of nowhere so my re
Demi Moore and Paris Hilton are involved. (Score:2, Funny)
How very nice of T-Mobile to not let us know (Score:2)
I already sent them a nastygram over this. What kind of irresponsible piece of s*** company does not let their customers know all their information is in the hands of a hacker???
Funniest quote (Score:4, Funny)
I hope it came with an 18-dollar bill.
T-Mobile Security (Score:2, Informative)
We know what follows now (Score:2, Funny)
Most impressive that it took them a year to find him, and unsurprisingly they caught him when he tried to make a mint out of his exploiting. Remember kiddies, bragging is not good for you.
Michael Powell loves you. (Score:2)
Bank on it.
Gets ya thinking... (Score:3, Interesting)
I think he let his greed / ego get in the way when trying to offload this information that he obtained.
This really makes you wonder about the guys you never hear about, the ones that don't get caught.
Re:Gets ya thinking... (Score:2)
I find it unlikely that T-Mobile didn't know who was doing the work in a very short matter of time. It's likely that they knew within a few months and were simply gathering enough information to present a compelling case against him. If they wanted to use the patriot act against him they have to turn it over to the FBI, who also takes a long time.
I find it
Meet the script kiddie. (Score:3, Informative)
I agree, the most disturbing thing about all of this is the low level of knowledge of the hacker. He was nothing but a script kiddie on his resume and he was caught with obvious mistakes. We can be sure that TMobile and others are still owned by more sophisticated crackers who will not be caught.
The article links to a 2001 resume [securityfocus.com] which never mentions GNU and only once mentions Unix but lots of Windozed
You, sir, are an idiot... (Score:2)
You appear to be glamorizing the life of a common thief. I hate to break this to you, but anyone who spends their time hacking computers for money is not only without decency, but also without brains.
These guys do eventually get caught, or worse, end up slaves to some
standards board (Score:4, Insightful)
Re:standards board (Score:2, Insightful)
There is always
Well, they used the right word. (Score:2)
Pretty much anyone who uses that service got "Penetrated" pretty well -- and if you weren't doing your work over a good vpn with encryption, well, let's just say that it probably hurt.
He did not have access to credit card numbers. (Score:2)
So when did securityfocus become People magazine? (Score:2)
Why (Score:2)
No wonder this is being kept quiet (Score:2, Insightful)
A few replies to this posting have expressed surprise that SS agents use commercial wireless accounts, but how else could they send information to and from the field wirelessly? A few more have suggested that the compromised SS data may just be intra-agency chit-chat, but a couple things suggest that may not be so.
First of all, the nature of the documents that were leaked in the IRC chat - one is described as an "internal memo", and the other is probably a treaty with the Russians to share criminal inform
Hacker penetrates Demi Moore and Paris Hilton (Score:3, Funny)
A chain is as strong... (Score:3, Insightful)
(This event could be called "backdoor", couldn't it?)
Re:Argh... (Score:5, Funny)
How do you know he's white?
Re:Argh... (Score:2)
Just a little NPOV pointer.
Re:Paris Pictures (Score:2, Funny)
Where is the -1 Disgusting mod when you need it?
Re:Paris Pictures (Score:3, Funny)
Picture messages, (Score:2, Informative)
Re:My question is (Score:2)
Re:Anyone know what to do? (Score:2)
If everything checks out on the report, no worries -- no one is treading on your credit. If there is some strangeness (like a credit card opened in Brazil), then immediately you can contact the companies to begin the trace process.
Re:You Mean (Score:2)
While in college, one month I used all of my whenever minutes (something like 600 or so) and ended up going over a good 100 minutes. Extra minutes were roughly $.40 PER minute. 100*.40 = $40. That may not seem like much, but on top of the already $45
Re:And this is why (Score:2)
Re:Candid and intimate photos of Paris? (Score:3, Funny)
Re:SSH on T-Mobile - Not Secure (Score:3, Informative)
That said, I've used the SSH client myself and even glanced through the source briefly, and nothing struck me as suspicious. As for the hiptop lacking the power to do the encryption, that's why it takes the client a good thirty seconds or so just to perform the initial handshake.