Hacker Penetrates T-Mobile Systems

An anonymous reader writes "SecurityFocus.com reports 'a sophisticated computer hacker had access to servers at wireless giant T-Mobile for at least a year, which he used to monitor U.S. Secret Service e-mail, obtain customers' passwords and Social Security numbers, and download candid photos taken by Sidekick users, including Hollywood celebrities.' Demi Moore and Paris Hilton are involved."

Get Moore !?!

[rednip]

Most troubling...

T-Mobile, which apparently knew of the intrusions by July of last year, has not issued any public warning.

Q: If I were a customer and I found out that my identity has been stolen, could I sue T-Mobile for any damages since they knew of the problem, or perhaps for just having breakable security?

BTW, the Black Hat's email address (and online identity) is ethics@netzero.net and at one point was looking for work as a security administrator. Not a big surprise that he was interested in the field, but 'Ethics'!

Re:Get Moore !?!

[lucabrasi999]

As I read even more of the FA:

According to court records the massive T-Mobile breach first came to the government's attention in March 2004, when a hacker using the online moniker "Ethics" posted a provocative offer on muzzfuzz.com, one of the crime-facilitating online marketplaces being monitored by the Secret Service as part of Operation Firewall.

"[A]m offering reverse lookup of information for a t-mobile cell phone, by phone number at the very least, you get name, ssn, and DOB at the upper end of the information returned, you get web username/password, voicemail password, secret question/answer, sim#, IMEA#, and more," Ethics wrote.

It appears the feds knew about this months ago.

Re:Secret Service Mail Encryption

[Maestro4k]

• Just because he is reading Secret Service mail doesn't mean it is important. For all we know the mail could read like this: On todays lunch menu we are not going to be having the chicken fajita due to a lack of chicken, we will be having PB & J's. Surely they have secure transmission lines (& methods of encryption) , so why would they send anything of importance over T-Mobiles network?

If you'd RTFA, you'd know that many of things he had access to were important, sensitive and, in an ideal world, should have been encrypted. One good question the article didn't ask is why'd the secret service agent send these things unencrypted over a monitorable network? Personally I'd like to know that he had been disciplined for allowing this security breach to occur.

Yep, the guy was stupid

[Tassach]

From the article:

[He] even knew the agency was monitoring his own Microsoft ICQ chat account

Come on, how frelling stupid can you be? You've got hard intel that the opposition is on to you and you don't shut down your operation? At the very least you crank up your operational security a notch or ten in that situation.

The guy crossed the line when he went to sell personal information to identity theives. Looking at famous people's candid photos is pretty harmless (as long as he's not selling them to some tabloid or spreading them around). Reading the SS's email is the ultimate in poetic justice; they should be more aware of just how insecure email is than just about anyone. It's inexcuable for the frelling SS to have been sending sensitive documents around in unencrypted emails.

In the end, it sounds like the guy got caught because of his own hubris. Which, when you think about it, is typical... criminals get busted not because the cops are spectacuarly competant, but because they run their mouths off.