Slashdot Mirror
Hacker Penetrates T-Mobile Systems
An anonymous reader writes "SecurityFocus.com reports 'a sophisticated computer hacker had access to servers at wireless giant T-Mobile for at least a year, which he used to monitor U.S. Secret Service e-mail, obtain customers' passwords and Social Security numbers, and download candid photos taken by Sidekick users, including Hollywood celebrities.' Demi Moore and Paris Hilton are involved."
Genovese provided SecurityFocus with an address on his website featuring what appears to be grainy candid shots of Demi Moore, Ashton Kutcher, Nicole Richie, and Paris Hilton.
:)
Okay, all my Karma points for a link.
The same source also offers an explanation for the secrecy surrounding the case: the Secret Service, the source says, has offered to put the hacker to work, pleading him out to a single felony, then enlisting him to catch other computer criminals in the same manner in which he himself was caught. The source says that Jacobson, facing the prospect of prison time, is favorably considering the offer.
As much as we make fun of the computer knowledge of our governments, they finally seem to be on the right track. You must have some of these guys in your pocket to really have a chance. Can you trust them? Probably not completely... but if they bring you some knowledge, skills, and some of the most damaging players, then it's worth it.
Q: If I were a customer and I found out that my identity has been stolen, could I sue T-Mobile for any damages since they knew of the problem, or perhaps for just having breakable security?
BTW, the Black Hat's email address (and online identity) is ethics@netzero.net and at one point was looking for work as a security administrator. Not a big surprise that he was interested in the field, but 'Ethics'!
The force that blew the Big Bang continues to accelerate.
Didn't know Demi Moore and Paris Hilton were that good with computers.
http://lists.jammed.com/securityjobs/2001/09/att-0 059/01-RESUME_OF_NICHOLAS_JACOBSEN.txt
Surely the Secret Service would encrypt anything important? I would have though that they would not have used a commercial network service like that. But then again mum always told me not to think too much.
Smokey, this is not 'Nam, this is bowling. There are rules.
I bet the American public will be more flabergasted over the fact that he has pictures of Demi Moore and Paris Hilton that haven't been released then the fact he was spying on the Secret Service.
Some days I'm proud to be american, but then the drugs wear off.
*DrugCheese rants*
you mean cracker?
How do you know he's white?
Just because he is reading Secret Service mail doesn't mean it is important. For all we know the mail could read like this: On todays lunch menu we are not going to be having the chicken fajita due to a lack of chicken, we will be having PB & J's. Surely they have secure transmission lines (& methods of encryption) , so why would they send anything of importance over T-Mobiles network?
feh, lots of things are pointless, this one too
FA says that he was offering ssn, dob, passwords, etc. for sale.
So... let's say that I want to patronize his obviously grossly illegal service. How do you consummate a transaction like this? Cash in a Fedex envelope? Sent to whom? A P.O. box?
Who performs first? Are there criminal escrow services?
And how stupid do you have to be to take out an ad online, in a known criminal hangout, announcing your secret power, and providing contact info?
Is there something I'm missing here?
No, really.
Never attribute to malice that which can be explained by mere idiocy.
Comment removed based on user account deletion
Why on earth is the Secret Service of the United States using T-Mobile as an ISP/Email provider?
What's next? The FBI, CIA, etc is compromised while using hotmail, Yahoo, or Google mail?
Are Gov IT cutbacks so severe they have to turn to places like this to send messages?
"Beer is proof that God loves us and wants us to be happy - Benjamin Franklin"
I hope it came with an 18-dollar bill.
Even though I am not a T-Mobile subcriber, it's distrubing to me that my personal information is protected by the whim of a corporation and not by any standards. I think everyone is in agreement that corporations are driven by cost of security and not the security of it's subscribers. The government should fine T-Mobile for inadequet IT security and a security standards board should be created to set baseline security measures for corporations and other institutions. I'm not sure such a committee exists but it's clear to me that there are no defined rules to protect information. We have rules from the FDA in regards to food, rules to handle securities etc. Why not rules and laws to protect customer and employee information?
http://herbopen24hours.blogspot.com or http://tolietman.blogspot.com
So the guy hacks in to the network, steals personal information, downloads private pictures, sells all this stuff... and then he's able to get away with just one felony, no jail time, and even a work offer for the Secret Service?
If you think the Secret Service won't use his skills in exactly the same way he was offering to the public before he got busted, you are mistaken. That is to say (explicitly), the Feds will use this guy to break into private computer networks and steal information of interest to them. They will keep him at arms length in case he gets caught. This is the way law enforcement (unfortunately) works...
Situational ethics are pervasive in our society. Steal 100,000,000 through insurance fraud, you get 5 years. Rob 10,000 at a bank, and get 20.
This is also the same country where we gave a dictator the technology and biological weapons to kill his own people by the tens of thousands, and used that as a reason 15 years later to depose him.
Get used to it.
So... let's say that I want to patronize his obviously grossly illegal service. How do you consummate a transaction like this? Cash in a Fedex envelope? Sent to whom? A P.O. box?
Who performs first? Are there criminal escrow services?
This page, linked in the posted article, has some explanation about how they traded:
"The 4,000 Shadowcrew members were participants in an underground economy capable of providing a dizzying array of illicit products and services. The most active commodities were "dumps" of credit card account data, fake physical cards to go with the dumps ($50 blank, $70 embossed, in bulk), and expertly forged identification to help pass the plastic at the local consumer electronics store. Credit reports, hacked online bank accounts, and names, birthdates and social security numbers of potential identity theft targets were also for sale in bulk.
Each product had its own specialists, and every vendor had to be reviewed by a trusted site member before they were allowed to sell. Disputes were handled judiciously, "rippers" selling bunk products quickly exposed and banned from the site. In one case a vendor who owed another member money was allowed to continue selling only on the condition that his future illicit earnings would be garnished until his debt was repaid..
Members of the community even traded in tangible items like ATM skimmers, prescription drugs, and cocaine, and services like DDoS for hire and malware customization. One well-reviewed vendor offered a test-taking service that promised to get customers technical certifications within days. He was permitted to vend after earning the reviewer a Microsoft MCP certification under an alias."
And how stupid do you have to be to take out an ad online, in a known criminal hangout, announcing your secret power, and providing contact info?
Um, dude, have you ever hung out on undernet? All sorts of shady shit happens there. I've known friends who knew people from online chatrooms who hijacked business conference call lines and made them available to entire chatrooms as a group conference voicechat line. Warring chatrooms would even appear and try to make the line unusable. I thought it was moronic (they even called from their home and work phones for God's sake!), but I think people aren't used to the internet's topology. The lack of a physical police presence makes people pretty confident and reckless - you're not there, so they can't just arrest you on the spot, which eliminates most of the anxiety in any crime (smoke weed in a public park and your house and compare your reactions). Even worse, because of the nature of the internet, the police don't need a physical presence to monitor any of it, so criminals can't just look over and notice that shady van across the street. The lack of these real-world reminders makes for bad heuristic judgments. You'd think hackers would be the first to notice that their lack of fear is due to this sort of fallacy, but from the article, it's clear that some don't.
Don't get me wrong - I'm not saying that it's easy to catch people committing crimes online. It's extremely difficult. GHB kits thrived online, and I'm sure if you still looked you could find products ostensibly marketed for other reasons that are just clandestine GHB kits on google (that's the only example you get, but you'd all be fucking shocked if you knew just how many drugs are sold online with Visa and paypal). If you take only the most obvious precautions, it's many times harder. Something as simple as using a proxy and encryption from a "borrowed" wireless connection can make criminals almost undetectable. Many of us use one of the three reguarly. How hard is it to combine them?
The police can't monitor everything. Even if they devoted the resources to looking for this sort of thing, how many people know the magic combinations of words and searching techniques that let them
The guy crossed the line when he went to sell personal information to identity theives. Looking at famous people's candid photos is pretty harmless (as long as he's not selling them to some tabloid or spreading them around). Reading the SS's email is the ultimate in poetic justice; they should be more aware of just how insecure email is than just about anyone. It's inexcuable for the frelling SS to have been sending sensitive documents around in unencrypted emails.
In the end, it sounds like the guy got caught because of his own hubris. Which, when you think about it, is typical... criminals get busted not because the cops are spectacuarly competant, but because they run their mouths off.
Why is it that the proponents of "one nation under God" are so eager to get rid of "liberty and justice for all"?