TELECOM Digest OnLine - Sorted: SecurityFocus HOME News: Hacker Penetrates T-Mobile Systems


SecurityFocus HOME News: Hacker Penetrates T-Mobile Systems


Marcus Didius Falco (falco_marcus_didius@yahoo.co.uk)
Fri, 14 Jan 2005 17:50:53 -0500

http://www.securityfocus.com/news/10271

By Kevin Poulsen, SecurityFocus Jan 11 2005 7:43PM A sophisticated
computer hacker had access to servers at wireless giant T-Mobile for
at least a year, which he used to monitor U.S. Secret Service e-mail,
obtain customers' passwords and Social Security numbers, and download
candid photos taken by Sidekick users, including Hollywood
celebrities, SecurityFocus has learned.

Twenty-one year-old Nicolas Jacobsen was quietly charged with the
intrusions last October, after a Secret Service informant helped
investigators link him to sensitive agency documents that were
circulating in underground IRC chat rooms. The informant also produced
evidence that Jacobsen was behind an offer to provide T-Mobile
customers' personal information to identity thieves through an
Internet bulletin board, according to court records.

Jacobsen could access information on any of the Bellevue,
Washington-based company's 16.3 million customers, including many
customers' Social Security numbers and dates of birth, according to
government filings in the case. He could also obtain voicemail PINs,
and the passwords providing customers with Web access to their
T-Mobile e-mail accounts. He did not have access to credit card
numbers.

The case arose as part of the Secret Service's "Operation Firewall"
crackdown on Internet fraud rings last October, in which 19 men were
indicted for trafficking in stolen identity information and documents,
and stolen credit and debit card numbers. But Jacobsen was not charged
with the others. Instead he faces two felony counts of computer
intrusion and unauthorized impairment of a protected computer in a
separate, unheralded federal case in Los Angeles, currently set for a
February 14th status conference.

On July 28th the informant gave his handlers proof that their own
sensitive documents were circulating in the underground marketplace
they'd been striving to destroy. The government is handling the case
well away from the spotlight. The U.S. Secret Service, which played
the dual role of investigator and victim in the drama, said Tuesday it
couldn't comment on Jacobsen because the agency doesn't discuss
ongoing cases -- a claim that's perhaps undermined by the 19 other
Operation Firewall defendants discussed in a Secret Service press
release last fall. Jacobsen's prosecutor, assistant U.S. attorney
WesleyHsu, also declined to comment. "I can't talk about it," Hsu said
simply. Jacobsen's lawyer didn't return a phone call.

T-Mobile, which apparently knew of the intrusions by July of last year, has

not issued any public warning. Under California's anti-identity theft
law "SB1386," the company is obliged to notify any California
customers of a security breach in which their personally identifiable
information is "reasonably believed to have been" compromised. That
notification must be made in "the most expedient time possible and
without unreasonable delay," but may be postponed if a law enforcement
agency determines that the disclosure would compromise an
investigation.

Company spokesman Peter Dobrow said Tuesday that nobody at T-Mobile
was available to comment on the matter.

Cat and Mouse Game

According to court records the massive T-Mobile breach first came to
the government's attention in March 2004, when a hacker using the
online moniker "Ethics" posted a provocative offer on muzzfuzz.com,
one of the crime-facilitating online marketplaces being monitored by
the Secret Service as part of Operation Firewall.

"[A]m offering reverse lookup of information for a t-mobile cell
phone, by phone number at the very least, you get name, ssn, and DOB
at the upper end of the information returned, you get web
username/password, voicemail password, secret question/answer, sim#,
IMEA#, and more," Ethics wrote.

The Secret Service contacted T-Mobile, according to an affidavit filed
by cyber crime agent Matthew Ferrante, and by late July the company
had confirmed that the offer was genuine: a hacker had indeed breached
their customer database.

At the same time, agents received disturbing news from a prized snitch
embedded in the identity theft and credit card fraud
underground. Unnamed in court documents, the informant was an
administrator and moderator on the Shadowcrew site who'd been secretly
cooperating with the government since August 2003 in exchange for
leniency. By all accounts he was a key government asset in Operation
Firewall.

On July 28th the informant gave his handlers proof that their own
sensitive documents were circulating in the underground marketplace
they'd been striving to destroy. He'd obtained a log of an IRC chat
session in which a hacker named "Myth" copy-and-pasted excerpts of an
internal Secret Service memorandum report, and a Mutual Legal
Assistance Treaty from the Russian Federation. Both documents are
described in the Secret Service affidavit as "highly sensitive
information pertaining to ongoing USSS criminal cases."

At the agency's urging, the informant made contact with Myth, and
learned that the documents represented just a few droplets in a
full-blown Secret Service data spill. The hacker knew about Secret
Service subpoenas relating to government computer crime
investigations, and even knew the agency was monitoring his own ICQ
chat account.

Myth refused to identify the source of his informational largesse, but
agreed to arrange an introduction. The next day Myth, the snitch, and
a third person using the nickname "Anonyman" met on an IRC
channel. Over the following days, the snitch gained the hacker's
trust, and the hacker confirmed that he and Ethics were one and the
same. Ethics began sharing Secret Service documents and e-mails with
the informant, who passed them back to the agency.

Honeypot Proxy

By August 5th the agents already had a good idea what was going on,
when Ethics made a fateful mistake. The hacker asked the Secret
Service informant for a proxy server -- a host that would pass through
Web connections, making them harder to trace. The informant was happy
to oblige. The proxy he provided, of course, was a Secret Service
machine specially configured for monitoring, and agents watched as the
hacker surfed to "My T-Mobile," and entered a username and password
belonging to Peter Cavicchia, a Secret Service cyber crime agent in
New York.

Cavicchia was the agent who last year spearheaded the investigation of
Jason Smathers, a former AOL employee accused of stealing 92 million
customer e-mail addresses from the company to sell to a spammer. The
agent was also an adopter of mobile technology, and he did a lot of
work through his T-Mobile Sidekick -- an all-in-one cellphone, camera,
digital organizer and e-mail terminal. The Sidekick uses T-Mobile
servers for e-mail and file storage, and the stolen documents had all
been lifted from Cavicchia's T-Mobile account, according to the
affidavit. (Cavicchia didn't respond to an e-mail query from
SecurityFocus Tuesday.)

By that time the Secret Service already had a line on Ethic's true
identity. Agents had the hacker's ICQ number, which he'd used to chat
with the informant. A Web search on the number turned up a 2001 resume
for the then-teenaged Jacobsen, who'd been looking for a job in
computer security. The e-mail address was listed as
ethics@netzero.net.

The trick with the proxy honeypot provided more proof of the hacker's
identity: the server's logs showed that Ethics had connected from an
IP address belonging to the Residence Inn Hotel in Buffalo, New
York. When the Secret Service checked the Shadowcrew logs through a
backdoor set up fo their use -- presumably by the informant -- they
found that Ethics had logged in from the same address. A phone call to
the hotel confirmed that Nicolas Jacobsen was a guest.

Snapshots Compromised

Eight days later, on October 27th, law enforcement agencies dropped
the hammer on Operation Firewall, and descended on fraud and computer
crime suspects across eight states and six foreign countries,
arresting 28 of them. Jacobsen, then living in an apartment in Santa
Ana in Southern California, was taken into custody by the Secret
Service. He was later released on bail with computer use restrictions.

Jacobsen lost his job at Pfastship Logistics, an Irvine, California
company where he worked as a network administrator, and he now lives
in Oregon.

The hacker's access to the T-Mobile gave him more than just Secret
Service documents. A friend of Jacobsen's says that prior to his
arrest, Jacobsen provided him with digital photos that he claimed
celebrities had snapped with their cell phone cameras. "He basically
just said there was flaw in the way the cell phone servers were set
up," says William Genovese, a 27-year-old hacker facing unrelated
charges for allegedly selling a copy of Microsoft's leaked source code
for $20.00. Genovese provided SecurityFocus with an address on his
website featuring what appears to be grainy candid shots of Demi
Moore, Ashton Kutcher, Nicole Richie, and Paris Hilton.

The swiped images are not mentioned in court records, but a source
close to the defense confirmed Genovese's account, and says Jacobsen
amused himself and others by obtaining the passwords of
Sidekick-toting celebrities from the hacked database, then entering
their T-Mobile accounts and downloading photos they'd taken with the
wireless communicator's built-in camera.

The same source also offers an explanation for the secrecy surrounding
the case: the Secret Service, the source says, has offered to put the
hacker to work, pleading him out to a single felony, then enlisting
him to catch other computer criminals in the same manner in which he
himself was caught.

The source says that Jacobsen, facing the prospect of prison time, is
favorably considering the offer.

<tips@securityfocus.com>

Discussion
<<links deleted--see original>>

NEWS

Netizens eye Web-enabled surveillance cams
Jan 07, 2005

Sims 2 hacks spread like viruses
Jan 06, 2005

Groups fight Internet wiretap push
Dec 22, 2004

Report: DHS cyber security lagging
Dec 16, 2004

<<links deleted--see original>>

FROM THE WIRES

US slaps on the wardriver-busting paint
Jan 13, 2005

US jails Brit credit card fraud mastermind for 14 years
Jan 12, 2005

Microsoft releases two critical security fixes for Windows
Jan 11, 2005

MS virus clean-up tool sparks controversy
Jan 11, 2005

<<links deleted--see original>>

Privacy Statement
Copyright 1999-2005 SecurityFocus

Post Followup Article Use your browser's quoting feature to quote article into reply
Go to Next message: Marcus Didius Falco: "Don't Allow Under-9s to Use a Mobile"
Go to Previous message: Danny Burstein: "Gov't Mandated Advertising, was: Another VoIP Company Adds Bogus"
TELECOM Digest: Home Page