Free Republic
Browse · Search
News/Activism
Topics · Post Article

Skip to comments.

Hacker Breaches T-Mobile Systems, Reads US Secret Service Email
The Register ^ | January 12, 2005 | By Kevin Poulsen

Posted on 01/13/2005 11:16:20 AM PST by Yonkers Finest

Hacker Breaches T-Mobile Systems, Reads US Secret Service Email

By Kevin Poulsen, SecurityFocus Published Wednesday 12th January 2005 09:47 GMT

A sophisticated computer hacker had access to servers at wireless giant T-Mobile for at least a year, which he used to monitor US Secret Service email, obtain customers' passwords and Social Security numbers, and download candid photos taken by Sidekick users, including Hollywood celebrities, SecurityFocus has learned.

Twenty-one year-old Nicolas Jacobsen was quietly charged with the intrusions last October, after a Secret Service informant helped investigators link him to sensitive agency documents that were circulating in underground IRC chat rooms. The informant also produced evidence that Jacobsen was behind an offer to provide T-Mobile customers' personal information to identity thieves through an Internet bulletin board, according to court records.

Jacobsen could access information on any of the Bellevue, Washington-based company's 16.3 million customers, including many customers' Social Security numbers and dates of birth, according to government filings in the case. He could also obtain voicemail PINs, and the passwords providing customers with web access to their T-Mobile email accounts. He did not have access to credit card numbers.

The case arose as part of the Secret Service's "Operation Firewall" crackdown on internet fraud rings last October, in which 19 men were indicted for trafficking in stolen identity information and documents, and stolen credit and debit card numbers. But Jacobsen was not charged with the others. Instead he faces two felony counts of computer intrusion and unauthorized impairment of a protected computer in a separate, unheralded federal case in Los Angeles, currently set for a 14 February status conference.

The government is handling the case well away from the spotlight. The US Secret Service, which played the dual role of investigator and victim in the drama, said Tuesday it couldn't comment on Jacobsen because the agency doesn't discuss ongoing cases - a claim that's perhaps undermined by the 19 other Operation Firewall defendants discussed in a Secret Service press release last fall. Jacobsen's prosecutor, assistant US attorney Wesley Hsu, also declined to comment. "I can't talk about it," Hsu said simply. Jacobsen's lawyer didn't return a phone call.

T-Mobile, which apparently knew of the intrusions by July of last year, has not issued any public warning. Under California's anti-identity theft law "SB1386," the company is obliged to notify any California customers of a security breach in which their personally identifiable information is "reasonably believed to have been" compromised. That notification must be made in "the most expedient time possible and without unreasonable delay," but may be postponed if a law enforcement agency determines that the disclosure would compromise an investigation.

Company spokesman Peter Dobrow said Tuesday that nobody at T-Mobile was available to comment on the matter. Cat and mouse game

According to court records the massive T-Mobile breach first came to the government's attention in March 2004, when a hacker using the online moniker "Ethics" posted a provocative offer on muzzfuzz.com, one of the crime-facilitating online marketplaces being monitored by the Secret Service as part of Operation Firewall.

"[A]m offering reverse lookup of information for a t-mobile cell phone, by phone number at the very least, you get name, ssn, and DOB at the upper end of the information returned, you get web username/password, voicemail password, secret question/answer, sim#, IMEA#, and more," Ethics wrote.

The Secret Service contacted T-Mobile, according to an affidavit filed by cyber crime agent Matthew Ferrante, and by late July the company had confirmed that the offer was genuine: a hacker had indeed breached their customer database,

At the same time, agents received disturbing news from a prized snitch embedded in the identity theft and credit card fraud underground. Unnamed in court documents, the informant was an administrator and moderator on the Shadowcrew site who'd been secretly cooperating with the government since August 2003 in exchange for leniency. By all accounts he was a key government asset in Operation Firewall.

On 28 July the informant gave his handlers proof that their own sensitive documents were circulating in the underground marketplace they were striving to destroy. He had obtained a log of an IRC chat session in which a hacker named "Myth" copy-and-pasted excerpts of an internal Secret Service memorandum report, and a Mutual Legal Assistance Treaty from the Russian Federation. Both documents are described in the Secret Service affidavit as "highly sensitive information pertaining to ongoing USSS criminal cases".

At the agency's urging, the informant made contact with Myth, and learned that the documents represented just a few droplets in a full-blown Secret Service data spill. The hacker knew about Secret Service subpoenas relating to government computer crime investigations, and even knew the agency was monitoring his own ICQ chat account.

Myth refused to identify the source of his informational largesse, but agreed to arrange an introduction. The next day Myth, the snitch, and a third person using the nickname "Anonyman" met on an IRC channel. Over the following days, the snitch gained the hacker's trust, and the hacker confirmed that he and Ethics were one and the same. Ethics began sharing Secret Service documents and emails with the informant, who passed them back to the agency.

Honeypot proxy

By 5 August the agents already had a good idea what was going on, when Ethics made a fateful mistake. The hacker asked the Secret Service informant for a proxy server - a host that would pass through web connections, making them harder to trace. The informant was happy to oblige. The proxy he provided, of course, was a Secret Service machine specially configured for monitoring, and agents watched as the hacker surfed to "My T-Mobile," and entered a username and password belonging to Peter Cavicchia, a Secret Service cyber crime agent in New York.

Cavicchia was the agent who last year spearheaded the investigation of Jason Smathers, a former AOL employee accused of stealing 92 million customer email addresses from the company to sell to a spammer. The agent was also an adopter of mobile technology, and he did a lot of work through his T-Mobile Sidekick - an all-in-one cellphone, camera, digital organizer and email terminal. The Sidekick uses T-Mobile servers for email and file storage, and the stolen documents had all been lifted from Cavicchia's T-Mobile account, according to the affidavit. (Cavicchia didn't respond to an email query from SecurityFocus Tuesday.)

By that time the Secret Service already had a line on Ethic's true identity. Agents had the hacker's ICQ number, which he'd used to chat with the informant. A web search on the number turned up a 2001 resume for the then-teenaged Jacobsen, who'd been looking for a job in computer security. The email address was listed as ethics@netzero.net.

The trick with the proxy honeypot provided more proof of the hacker's identity: the server's logs showed that Ethics had connected from an IP address belonging to the Residence Inn Hotel in Buffalo, New York. When the Secret Service checked the Shadowcrew logs through a backdoor set up for their use - presumably by the informant - they found that Ethics had logged in from the same address. A phone call to the hotel confirmed that Nicolas Jacobsen was a guest. Snapshots compromised

Eight days later, on 27 October, law enforcement agencies dropped the hammer on Operation Firewall, and descended on fraud and computer crime suspects across eight states and six foreign countries, arresting 28 of them. Jacobsen, then living in an apartment in Santa Ana in Southern California, was taken into custody by the Secret Service. He was later released on bail with computer use restrictions.

Jacobsen lost his job at Pfastship Logistics, an Irvine, California company where he worked as a network administrator, and he now lives in Oregon.

The hacker's access to the T-Mobile gave him more than just Secret Service documents. A friend of Jacobsen's says that prior to his arrest, Jacobsen provided him with digital photos that he claimed celebrities had snapped with their cell phone cameras. "He basically just said there was flaw in the way the cell phone servers were set up," says William Genovese, a 27-year-old hacker facing unrelated charges for allegedly selling a copy of Microsoft's leaked source code for $20.00. Genovese provided SecurityFocus with an address on his website featuring what appears to be grainy candid shots of Demi Moore, Ashton Kutcher, Nicole Richie, and Paris Hilton.

The swiped images are not mention in court records, but a source close to the defense confirmed Genovese's account, and says Jacobsen amused himself and others by obtaining the passwords of Sidekick-toting celebrities from the hacked database, then entering their T-Mobile accounts and downloading photos they'd taken with the wireless communicator's built-in camera.

The same source also offers an explanation for the secrecy surrounding the case: the Secret Service, the source says, has offered to put the hacker to work, pleading him out to a single felony, then enlisting him to catch other computer criminals in the same manner in which he himself was caught. The source says that Jacobsen, facing the prospect of prison time, is favorably considering the offer.


TOPICS: Crime/Corruption; Government
KEYWORDS: computerfraud; computersecurity; cracking; datasecurity; hacking; nationalid; security
Navigation: use the links below to view more comments.
first previous 1-2021-29 last
To: Yonkers Finest

Hands up if you want the carriers to continue with plans for a mobile phone 411 directory!


21 posted on 01/15/2005 7:46:28 AM PST by relictele (so there)
[ Post Reply | Private Reply | To 1 | View Replies]

To: kaktuskid
What you said . . .

Why are we using a foreign gov't controlled company?

This is an EXTREMELY good question and one which, I fear, we will NEVER see answered!

The Deutsche Telekom (the parent of T-Mobile) is a STATE Controlled Company - considering this - WHY would the US Government allow ANY of it's e-mail / phone / or other service to be provided by them? What guarantees are there that these "sensitive" e-mails where not forwarded - as a matter of course - to German Intelligence Angencies?

It is INSANE to allow this, and, IMHO, the person(s) responsible for allowing it should be thrown out of government service ASAP!!!

22 posted on 01/15/2005 7:53:34 AM PST by An.American.Expatriate (A joke is a very serious thing.)
[ Post Reply | Private Reply | To 5 | View Replies]

To: expatguy

What exactly is at that link that you wanted us to see? I didn't see anything related to this at the link (but I may be "blind").


23 posted on 01/15/2005 7:55:55 AM PST by An.American.Expatriate (A joke is a very serious thing.)
[ Post Reply | Private Reply | To 6 | View Replies]

To: bikepacker67

It seems to me he left the country and the State Department because he is about to be Rice'd.

I don't think it is a coincidence he is languishing in a country that does not have an extradition treaty with us.

Now, if only the Indonesian Federalis would find the drugs Burks is obviously using and selling to the Indonesian people, then we'd never have to hear from him ever again.


24 posted on 01/15/2005 7:57:03 AM PST by mabelkitty (Blackwell for Governor in 2006!!!)
[ Post Reply | Private Reply | To 8 | View Replies]

To: An.American.Expatriate

Follow the money.....there's a reason some people in DC chose this company. The "who" is the real question - not the "why".


25 posted on 01/15/2005 7:58:57 AM PST by mabelkitty (Blackwell for Governor in 2006!!!)
[ Post Reply | Private Reply | To 22 | View Replies]

To: mabelkitty

Why so cryptic Mabel?? Do you have any info on who allowed this?


26 posted on 01/15/2005 8:03:26 AM PST by An.American.Expatriate ((This space for let))
[ Post Reply | Private Reply | To 25 | View Replies]

To: Happy2BMe

email is just as safe as cordless phones.


27 posted on 01/15/2005 9:02:42 AM PST by B4Ranch (Don't remain seated until this ride comes to a full and complete stop! We're going the wrong way!)
[ Post Reply | Private Reply | To 19 | View Replies]

To: Happy2BMe
You know, these ar$eholes that spend their time hacking and causing all this mess could probably make a decent living if they chose to be a productive person in life. What creeps these folks are.

We signed my wife up with T-Mobile in early December.


28 posted on 01/15/2005 9:03:32 AM PST by MeekOneGOP (There is only one GOOD 'RAT: one that has been voted OUT of POWER !! Straight ticket GOP!)
[ Post Reply | Private Reply | To 19 | View Replies]

To: An.American.Expatriate

No particular personal knowledge on this event, but I guarantee you there is something there.


29 posted on 01/17/2005 5:51:37 PM PST by mabelkitty (Blackwell for Governor in 2006!!!)
[ Post Reply | Private Reply | To 26 | View Replies]


Navigation: use the links below to view more comments.
first previous 1-2021-29 last

Disclaimer: Opinions posted on Free Republic are those of the individual posters and do not necessarily represent the opinion of Free Republic or its management. All materials posted herein are protected by copyright law and the exemption for fair use of copyrighted works.

Free Republic
Browse · Search
News/Activism
Topics · Post Article

FreeRepublic, LLC, PO BOX 9771, FRESNO, CA 93794
FreeRepublic.com is powered by software copyright 2000-2008 John Robinson