Slashdot Mirror
Hacker Penetrates T-Mobile Systems
An anonymous reader writes "SecurityFocus.com reports 'a sophisticated computer hacker had access to servers at wireless giant T-Mobile for at least a year, which he used to monitor U.S. Secret Service e-mail, obtain customers' passwords and Social Security numbers, and download candid photos taken by Sidekick users, including Hollywood celebrities.' Demi Moore and Paris Hilton are involved."
Genovese provided SecurityFocus with an address on his website featuring what appears to be grainy candid shots of Demi Moore, Ashton Kutcher, Nicole Richie, and Paris Hilton.
:)
Okay, all my Karma points for a link.
The same source also offers an explanation for the secrecy surrounding the case: the Secret Service, the source says, has offered to put the hacker to work, pleading him out to a single felony, then enlisting him to catch other computer criminals in the same manner in which he himself was caught. The source says that Jacobson, facing the prospect of prison time, is favorably considering the offer.
As much as we make fun of the computer knowledge of our governments, they finally seem to be on the right track. You must have some of these guys in your pocket to really have a chance. Can you trust them? Probably not completely... but if they bring you some knowledge, skills, and some of the most damaging players, then it's worth it.
Q: If I were a customer and I found out that my identity has been stolen, could I sue T-Mobile for any damages since they knew of the problem, or perhaps for just having breakable security?
BTW, the Black Hat's email address (and online identity) is ethics@netzero.net and at one point was looking for work as a security administrator. Not a big surprise that he was interested in the field, but 'Ethics'!
The force that blew the Big Bang continues to accelerate.
Didn't know Demi Moore and Paris Hilton were that good with computers.
The Register's Article
v4sw6PU$hw6ln6pr4F$ck 4/6$ma3+6u7LNS$w2m4l7U$i2e4+7en6a2X h
http://lists.jammed.com/securityjobs/2001/09/att-0 059/01-RESUME_OF_NICHOLAS_JACOBSEN.txt
Surely the Secret Service would encrypt anything important? I would have though that they would not have used a commercial network service like that. But then again mum always told me not to think too much.
Smokey, this is not 'Nam, this is bowling. There are rules.
I bet the American public will be more flabergasted over the fact that he has pictures of Demi Moore and Paris Hilton that haven't been released then the fact he was spying on the Secret Service.
Some days I'm proud to be american, but then the drugs wear off.
*DrugCheese rants*
you mean cracker?
How do you know he's white?
Can somebody please post the Paris Hilton photos?
Where is the -1 Disgusting mod when you need it?
I dunno who it is
but it prolly is fhqwhgads.
Just because he is reading Secret Service mail doesn't mean it is important. For all we know the mail could read like this: On todays lunch menu we are not going to be having the chicken fajita due to a lack of chicken, we will be having PB & J's. Surely they have secure transmission lines (& methods of encryption) , so why would they send anything of importance over T-Mobiles network?
feh, lots of things are pointless, this one too
FA says that he was offering ssn, dob, passwords, etc. for sale.
So... let's say that I want to patronize his obviously grossly illegal service. How do you consummate a transaction like this? Cash in a Fedex envelope? Sent to whom? A P.O. box?
Who performs first? Are there criminal escrow services?
And how stupid do you have to be to take out an ad online, in a known criminal hangout, announcing your secret power, and providing contact info?
Is there something I'm missing here?
No, really.
Never attribute to malice that which can be explained by mere idiocy.
Comment removed based on user account deletion
Why on earth is the Secret Service of the United States using T-Mobile as an ISP/Email provider?
What's next? The FBI, CIA, etc is compromised while using hotmail, Yahoo, or Google mail?
Are Gov IT cutbacks so severe they have to turn to places like this to send messages?
"Beer is proof that God loves us and wants us to be happy - Benjamin Franklin"
I hope it came with an 18-dollar bill.
are uploaded to a phone company server and a link is sent to the recipient's phone, which then downloads the picture. So the content is by default stored on the company's server.
What, you're somehow expecting corporations and governments to be non-evil?
My guess is that the Secret Service was using Blackberries, which uses encrypted transmissions between the Blackberry server and the device, and even multiple encryptions, if I remember correctly (one for the message, one for the Wireless). I doubt that they were stupid enough to use unencrpyted service, when regular non-Govt. customers can have encryption (We have it here at our job on our BBs). Note that they say "emails" and not "SMS" or "Text Messages."
You know it seems like the reason this guy got caught was because he was sloppy with his own identity online... If he would have been more careful with the names / icq numbers / people he trusted online, it's very unlikely that he would have gotten caught.
:-/
I think he let his greed / ego get in the way when trying to offload this information that he obtained.
This really makes you wonder about the guys you never hear about, the ones that don't get caught.
Even though I am not a T-Mobile subcriber, it's distrubing to me that my personal information is protected by the whim of a corporation and not by any standards. I think everyone is in agreement that corporations are driven by cost of security and not the security of it's subscribers. The government should fine T-Mobile for inadequet IT security and a security standards board should be created to set baseline security measures for corporations and other institutions. I'm not sure such a committee exists but it's clear to me that there are no defined rules to protect information. We have rules from the FDA in regards to food, rules to handle securities etc. Why not rules and laws to protect customer and employee information?
http://herbopen24hours.blogspot.com or http://tolietman.blogspot.com
So the guy hacks in to the network, steals personal information, downloads private pictures, sells all this stuff... and then he's able to get away with just one felony, no jail time, and even a work offer for the Secret Service?
If you think the Secret Service won't use his skills in exactly the same way he was offering to the public before he got busted, you are mistaken. That is to say (explicitly), the Feds will use this guy to break into private computer networks and steal information of interest to them. They will keep him at arms length in case he gets caught. This is the way law enforcement (unfortunately) works...
Situational ethics are pervasive in our society. Steal 100,000,000 through insurance fraud, you get 5 years. Rob 10,000 at a bank, and get 20.
This is also the same country where we gave a dictator the technology and biological weapons to kill his own people by the tens of thousands, and used that as a reason 15 years later to depose him.
Get used to it.
A few replies to this posting have expressed surprise that SS agents use commercial wireless accounts, but how else could they send information to and from the field wirelessly? A few more have suggested that the compromised SS data may just be intra-agency chit-chat, but a couple things suggest that may not be so.
First of all, the nature of the documents that were leaked in the IRC chat - one is described as an "internal memo", and the other is probably a treaty with the Russians to share criminal information. No details are given re the content of the memo, but it could have been extremely damaging to a case in progress. And the treaty is probably not sensitive in and of itself, but its presence could tip off Russian computer criminals to watch their backs.
Now, the guy whose account was raided for this info is a recent celebrity for taking out a previous hacker. It would probably be extremely embarassing to the agency for his goof to be exposed like this.
And then there's the fact that this MASSIVE series of criminal acts is being written down to just a single felony... and they're giving the guy a job!
Now I don't want to sound like a conspiracy theorist, but it seems likely to me that this dude got off (and got a job!) so light not for his m4d-l33t h4x0r skills, but because of the potential embarrasment to the service, and the damage the publicity might do to other cases. It seems the lesson here is that it doesn't matter what crime you commit online, or on what scale, as long as you:
The precedent that these two points set is worrying. Crackers are annoying when they deface websites, bring down servers or spread virus-like software - but it's only a few hours annoyance (a week at the most), then the problem passes (for most people). Once crackers get the message that the clowns get stiff fines and the real dangerous people get off light (plus get a lot more out of it if they don't get caught), it would seem to make sense to stop "tagging" or writing viruses and go for the big game. Furthermore, the cops become a very attractive target, which could compromise many more, unrelated cases.
So the message as I read it is: "Don't be a script kiddie, crack the FBI! If you get away with it you get rich, and if you get caught you get a job."
Both the Secret Service and T-Mobile should be publicly shamed for the debacle, and the response, if only it wouldn't risk compromising other cases.
It's hard to soar like an eagle when you're surrounded by turkeys.
Um...you do realize they're blackmailing him, right?
Honestly, I can't decide if being blackmailed is better or worse than him rotting in jail. We don't let people off the hook for robbing convenience stores "for fun" or "for the challenge", unless they're insane enough that they don't understand it's wrong (in which case, they go to a mental institution, not jail) and people intelligent enough to do the hacking are intelligent enough to understand breaking into something that doesn't belong to you is wrong; anything else is just creative ass-covering by hackers and their lawyers.
In case you hadn't figured it out by now, I'm not a Mitnick fanboy, which I know isn't very popular even today...
Please help metamoderate.
--> Johanne (urarrested@ARN-34.i_am_from_the_united_states_sec ret_service.gov)
Hello fellow criminals. Let's do crime.
cyn, free software and *nix operating systems enthusiast.
So... let's say that I want to patronize his obviously grossly illegal service. How do you consummate a transaction like this? Cash in a Fedex envelope? Sent to whom? A P.O. box?
Who performs first? Are there criminal escrow services?
This page, linked in the posted article, has some explanation about how they traded:
"The 4,000 Shadowcrew members were participants in an underground economy capable of providing a dizzying array of illicit products and services. The most active commodities were "dumps" of credit card account data, fake physical cards to go with the dumps ($50 blank, $70 embossed, in bulk), and expertly forged identification to help pass the plastic at the local consumer electronics store. Credit reports, hacked online bank accounts, and names, birthdates and social security numbers of potential identity theft targets were also for sale in bulk.
Each product had its own specialists, and every vendor had to be reviewed by a trusted site member before they were allowed to sell. Disputes were handled judiciously, "rippers" selling bunk products quickly exposed and banned from the site. In one case a vendor who owed another member money was allowed to continue selling only on the condition that his future illicit earnings would be garnished until his debt was repaid..
Members of the community even traded in tangible items like ATM skimmers, prescription drugs, and cocaine, and services like DDoS for hire and malware customization. One well-reviewed vendor offered a test-taking service that promised to get customers technical certifications within days. He was permitted to vend after earning the reviewer a Microsoft MCP certification under an alias."
And how stupid do you have to be to take out an ad online, in a known criminal hangout, announcing your secret power, and providing contact info?
Um, dude, have you ever hung out on undernet? All sorts of shady shit happens there. I've known friends who knew people from online chatrooms who hijacked business conference call lines and made them available to entire chatrooms as a group conference voicechat line. Warring chatrooms would even appear and try to make the line unusable. I thought it was moronic (they even called from their home and work phones for God's sake!), but I think people aren't used to the internet's topology. The lack of a physical police presence makes people pretty confident and reckless - you're not there, so they can't just arrest you on the spot, which eliminates most of the anxiety in any crime (smoke weed in a public park and your house and compare your reactions). Even worse, because of the nature of the internet, the police don't need a physical presence to monitor any of it, so criminals can't just look over and notice that shady van across the street. The lack of these real-world reminders makes for bad heuristic judgments. You'd think hackers would be the first to notice that their lack of fear is due to this sort of fallacy, but from the article, it's clear that some don't.
Don't get me wrong - I'm not saying that it's easy to catch people committing crimes online. It's extremely difficult. GHB kits thrived online, and I'm sure if you still looked you could find products ostensibly marketed for other reasons that are just clandestine GHB kits on google (that's the only example you get, but you'd all be fucking shocked if you knew just how many drugs are sold online with Visa and paypal). If you take only the most obvious precautions, it's many times harder. Something as simple as using a proxy and encryption from a "borrowed" wireless connection can make criminals almost undetectable. Many of us use one of the three reguarly. How hard is it to combine them?
The police can't monitor everything. Even if they devoted the resources to looking for this sort of thing, how many people know the magic combinations of words and searching techniques that let them
I'm still waiting for my "+1: Skank" mod to be approved.
So the guy hacks in to the network, steals personal information, downloads private pictures, sells all this stuff... and then he's able to get away with just one felony, no jail time, and even a work offer for the Secret Service?
The government does this all the time in organized crime and drug cases. Look at a guy like Sammy "The Bull" Gravano. He killed god knows how many as a member of the Gambino family not to mention a list of other crimes a mile long but was given a slap on the wrist and a new identity for turning states evidence.
Nothing new here.
Where does the school board find them and why do they keep sending them to ME?
Here's a link
Did he inhale?
The guy crossed the line when he went to sell personal information to identity theives. Looking at famous people's candid photos is pretty harmless (as long as he's not selling them to some tabloid or spreading them around). Reading the SS's email is the ultimate in poetic justice; they should be more aware of just how insecure email is than just about anyone. It's inexcuable for the frelling SS to have been sending sensitive documents around in unencrypted emails.
In the end, it sounds like the guy got caught because of his own hubris. Which, when you think about it, is typical... criminals get busted not because the cops are spectacuarly competant, but because they run their mouths off.
Why is it that the proponents of "one nation under God" are so eager to get rid of "liberty and justice for all"?
"William Genovese...unrelated charges for allegedly selling a copy of Microsoft's leaked source code for $20.00.
...
Musta been one hell of a SE to get that much
A loop, by its nature, continues. If that didn't make sense, start reading this sentence again.
.. now *that* would be a story ;o)
$ strings FTP.EXE | grep Copyright
@(#) Copyright (c) 1983 The Regents of the University of California.
I agree, the most disturbing thing about all of this is the low level of knowledge of the hacker. He was nothing but a script kiddie on his resume and he was caught with obvious mistakes. We can be sure that TMobile and others are still owned by more sophisticated crackers who will not be caught.
The article links to a 2001 resume which never mentions GNU and only once mentions Unix but lots of Windozed based cracker toys and garbage. His efforts, while many, were too narrowly focused.
It does not look like he mastered Windoze cracking or much else by the time he was caught three years later. Besides being dumb enough to try to sell information, he accepted a proxy from a stranger. Someone who knew what they were doing would have a botnet proxy they set up themselves that could never be traced through. What else is windoze cracking good for?
The whole mindset was script kiddie. Own a phone service and collect stuff. What a waste of time.
He got his resume wish in a perverse way. He wanted a job is computer security. Now he's a felon and gets to spend some quality time as a government slave, snitching on his friends till he's all used up. Or he can go to jail and take the usual felon jobs: dishwasher, garbage man and other highly undesirable manual labor in tiny shops that know they can abuse you. Those jobs will be waiting for him when the government is through with him.
Friends don't help friends install M$ junk.
as its weakest link.
(This event could be called "backdoor", couldn't it?)
That said, I've used the SSH client myself and even glanced through the source briefly, and nothing struck me as suspicious. As for the hiptop lacking the power to do the encryption, that's why it takes the client a good thirty seconds or so just to perform the initial handshake.