Hacker breaches T-Mobile systems, reads US Secret Service email
By Kevin Poulsen, SecurityFocus
Published Wednesday 12th January 2005 09:47 GMT
A sophisticated computer hacker had access to servers at wireless
giant T-Mobile for at least a year, which he used to monitor US
Secret Service email, obtain customers' passwords and Social Security
numbers, and download candid photos taken by Sidekick users,
including Hollywood celebrities, SecurityFocus has learned.
Twenty-one year-old Nicolas Jacobsen was quietly charged with the
intrusions last October, after a Secret Service informant helped
investigators link him to sensitive agency documents that were
circulating in underground IRC chat rooms. The informant also
produced evidence that Jacobsen was behind an offer to provide T-
Mobile customers' personal information to identity thieves through an
Internet bulletin board, according to court records.
Jacobsen could access information on any of the Bellevue, Washington-
based company's 16.3 million customers, including many customers'
Social Security numbers and dates of birth, according to government
filings in the case. He could also obtain voicemail PINs, and the
passwords providing customers with web access to their T-Mobile email
accounts. He did not have access to credit card numbers.
The case arose as part of the Secret Service's "Operation Firewall"
crackdown on internet fraud rings last October, in which 19 men were
indicted for trafficking in stolen identity information and
documents, and stolen credit and debit card numbers. But Jacobsen was
not charged with the others. Instead he faces two felony counts of
computer intrusion and unauthorized impairment of a protected
computer in a separate, unheralded federal case in Los Angeles,
currently set for a 14 February status conference.
The government is handling the case well away from the spotlight. The
US Secret Service, which played the dual role of investigator and
victim in the drama, said Tuesday it couldn't comment on Jacobsen
because the agency doesn't discuss ongoing cases - a claim that's
perhaps undermined by the 19 other Operation Firewall defendants
discussed in a Secret Service press release last fall. Jacobsen's
prosecutor, assistant US attorney Wesley Hsu, also declined to
comment. "I can't talk about it," Hsu said simply. Jacobsen's lawyer
didn't return a phone call.
T-Mobile, which apparently knew of the intrusions by July of last
year, has not issued any public warning. Under California's anti-
identity theft law "SB1386," the company is obliged to notify any
California customers of a security breach in which their personally
identifiable information is "reasonably believed to have been"
compromised. That notification must be made in "the most expedient
time possible and without unreasonable delay," but may be postponed
if a law enforcement agency determines that the disclosure would
compromise an investigation.
Company spokesman Peter Dobrow said Tuesday that nobody at T-Mobile
was available to comment on the matter.
Cat and mouse game
According to court records the massive T-Mobile breach first came to
the government's attention in March 2004, when a hacker using the
online moniker "Ethics" posted a provocative offer on muzzfuzz.com,
one of the crime-facilitating online marketplaces being monitored by
the Secret Service as part of Operation Firewall.
"[A]m offering reverse lookup of information for a t-mobile cell
phone, by phone number at the very least, you get name, ssn, and DOB
at the upper end of the information returned, you get web
username/password, voicemail password, secret question/answer, sim#,
IMEA#, and more," Ethics wrote.
The Secret Service contacted T-Mobile, according to an affidavit
filed by cyber crime agent Matthew Ferrante, and by late July the
company had confirmed that the offer was genuine: a hacker had indeed
breached their customer database,
At the same time, agents received disturbing news from a prized
snitch embedded in the identity theft and credit card fraud
underground. Unnamed in court documents, the informant was an
administrator and moderator on the Shadowcrew site who'd been
secretly cooperating with the government since August 2003 in
exchange for leniency. By all accounts he was a key government asset
in Operation Firewall.
On 28 July the informant gave his handlers proof that their own
sensitive documents were circulating in the underground marketplace
they were striving to destroy. He had obtained a log of an IRC chat
session in which a hacker named "Myth" copy-and-pasted excerpts of an
internal Secret Service memorandum report, and a Mutual Legal
Assistance Treaty from the Russian Federation. Both documents are
described in the Secret Service affidavit as "highly sensitive
information pertaining to ongoing USSS criminal cases".
At the agency's urging, the informant made contact with Myth, and
learned that the documents represented just a few droplets in a full-
blown Secret Service data spill. The hacker knew about Secret Service
subpoenas relating to government computer crime investigations, and
even knew the agency was monitoring his own ICQ chat account.
Myth refused to identify the source of his informational largesse,
but agreed to arrange an introduction. The next day Myth, the snitch,
and a third person using the nickname "Anonyman" met on an IRC
channel. Over the following days, the snitch gained the hacker's
trust, and the hacker confirmed that he and Ethics were one and the
same. Ethics began sharing Secret Service documents and emails with
the informant, who passed them back to the agency.
Honeypot proxy
By 5 August the agents already had a good idea what was going on,
when Ethics made a fateful mistake. The hacker asked the Secret
Service informant for a proxy server - a host that would pass through
web connections, making them harder to trace. The informant was happy
to oblige. The proxy he provided, of course, was a Secret Service
machine specially configured for monitoring, and agents watched as
the hacker surfed to "My T-Mobile," and entered a username and
password belonging to Peter Cavicchia, a Secret Service cyber crime
agent in New York.
Cavicchia was the agent who last year spearheaded the investigation
of Jason Smathers, a former AOL employee accused of stealing 92
million customer email addresses from the company to sell to a
spammer. The agent was also an adopter of mobile technology, and he
did a lot of work through his T-Mobile Sidekick - an all-in-one
cellphone, camera, digital organizer and email terminal. The Sidekick
uses T-Mobile servers for email and file storage, and the stolen
documents had all been lifted from Cavicchia's T-Mobile account,
according to the affidavit. (Cavicchia didn't respond to an email
query from SecurityFocus Tuesday.)
By that time the Secret Service already had a line on Ethic's true
identity. Agents had the hacker's ICQ number, which he'd used to chat
with the informant. A web search on the number turned up a 2001
resume for the then-teenaged Jacobsen, who'd been looking for a job
in computer security. The email address was listed as
[email protected]
The trick with the proxy honeypot provided more proof of the hacker's
identity: the server's logs showed that Ethics had connected from an
IP address belonging to the Residence Inn Hotel in Buffalo, New York.
When the Secret Service checked the Shadowcrew logs through a
backdoor set up for their use - presumably by the informant - they
found that Ethics had logged in from the same address. A phone call
to the hotel confirmed that Nicolas Jacobsen was a guest.
Snapshots compromised
Eight days later, on 27 October, law enforcement agencies dropped the
hammer on Operation Firewall, and descended on fraud and computer
crime suspects across eight states and six foreign countries,
arresting 28 of them. Jacobsen, then living in an apartment in Santa
Ana in Southern California, was taken into custody by the Secret
Service. He was later released on bail with computer use
restrictions.
Jacobsen lost his job at Pfastship Logistics, an Irvine, California
company where he worked as a network administrator, and he now lives
in Oregon.
The hacker's access to the T-Mobile gave him more than just Secret
Service documents. A friend of Jacobsen's says that prior to his
arrest, Jacobsen provided him with digital photos that he claimed
celebrities had snapped with their cell phone cameras. "He basically
just said there was flaw in the way the cell phone servers were set
up," says William Genovese, a 27-year-old hacker facing unrelated
charges for allegedly selling a copy of Microsoft's leaked source
code for $20.00. Genovese provided SecurityFocus with an address on
his website featuring what appears to be grainy candid shots of Demi
Moore, Ashton Kutcher, Nicole Richie, and Paris Hilton.
The swiped images are not mention in court records, but a source
close to the defense confirmed Genovese's account, and says Jacobsen
amused himself and others by obtaining the passwords of Sidekick-
toting celebrities from the hacked database, then entering their T-
Mobile accounts and downloading photos they'd taken with the wireless
communicator's built-in camera.
The same source also offers an explanation for the secrecy
surrounding the case: the Secret Service, the source says, has
offered to put the hacker to work, pleading him out to a single
felony, then enlisting him to catch other computer criminals in the
same manner in which he himself was caught. The source says that
Jacobsen, facing the prospect of prison time, is favorably
considering the offer.
---
* Origin: [adminz] tech, security, support (192:168/0.2)
generated by msg2page 0.06 on Jul 21, 2006 at 19:03:57
search: