Skip to comments.Hacker Breaches T-Mobile Systems, Reads US Secret Service Email
Posted on 01/13/2005 11:16:20 AM PST by Yonkers Finest
Hacker Breaches T-Mobile Systems, Reads US Secret Service Email
By Kevin Poulsen, SecurityFocus Published Wednesday 12th January 2005 09:47 GMT
A sophisticated computer hacker had access to servers at wireless giant T-Mobile for at least a year, which he used to monitor US Secret Service email, obtain customers' passwords and Social Security numbers, and download candid photos taken by Sidekick users, including Hollywood celebrities, SecurityFocus has learned.
Twenty-one year-old Nicolas Jacobsen was quietly charged with the intrusions last October, after a Secret Service informant helped investigators link him to sensitive agency documents that were circulating in underground IRC chat rooms. The informant also produced evidence that Jacobsen was behind an offer to provide T-Mobile customers' personal information to identity thieves through an Internet bulletin board, according to court records.
Jacobsen could access information on any of the Bellevue, Washington-based company's 16.3 million customers, including many customers' Social Security numbers and dates of birth, according to government filings in the case. He could also obtain voicemail PINs, and the passwords providing customers with web access to their T-Mobile email accounts. He did not have access to credit card numbers.
The case arose as part of the Secret Service's "Operation Firewall" crackdown on internet fraud rings last October, in which 19 men were indicted for trafficking in stolen identity information and documents, and stolen credit and debit card numbers. But Jacobsen was not charged with the others. Instead he faces two felony counts of computer intrusion and unauthorized impairment of a protected computer in a separate, unheralded federal case in Los Angeles, currently set for a 14 February status conference.
The government is handling the case well away from the spotlight. The US Secret Service, which played the dual role of investigator and victim in the drama, said Tuesday it couldn't comment on Jacobsen because the agency doesn't discuss ongoing cases - a claim that's perhaps undermined by the 19 other Operation Firewall defendants discussed in a Secret Service press release last fall. Jacobsen's prosecutor, assistant US attorney Wesley Hsu, also declined to comment. "I can't talk about it," Hsu said simply. Jacobsen's lawyer didn't return a phone call.
T-Mobile, which apparently knew of the intrusions by July of last year, has not issued any public warning. Under California's anti-identity theft law "SB1386," the company is obliged to notify any California customers of a security breach in which their personally identifiable information is "reasonably believed to have been" compromised. That notification must be made in "the most expedient time possible and without unreasonable delay," but may be postponed if a law enforcement agency determines that the disclosure would compromise an investigation.
Company spokesman Peter Dobrow said Tuesday that nobody at T-Mobile was available to comment on the matter. Cat and mouse game
According to court records the massive T-Mobile breach first came to the government's attention in March 2004, when a hacker using the online moniker "Ethics" posted a provocative offer on muzzfuzz.com, one of the crime-facilitating online marketplaces being monitored by the Secret Service as part of Operation Firewall.
"[A]m offering reverse lookup of information for a t-mobile cell phone, by phone number at the very least, you get name, ssn, and DOB at the upper end of the information returned, you get web username/password, voicemail password, secret question/answer, sim#, IMEA#, and more," Ethics wrote.
The Secret Service contacted T-Mobile, according to an affidavit filed by cyber crime agent Matthew Ferrante, and by late July the company had confirmed that the offer was genuine: a hacker had indeed breached their customer database,
At the same time, agents received disturbing news from a prized snitch embedded in the identity theft and credit card fraud underground. Unnamed in court documents, the informant was an administrator and moderator on the Shadowcrew site who'd been secretly cooperating with the government since August 2003 in exchange for leniency. By all accounts he was a key government asset in Operation Firewall.
On 28 July the informant gave his handlers proof that their own sensitive documents were circulating in the underground marketplace they were striving to destroy. He had obtained a log of an IRC chat session in which a hacker named "Myth" copy-and-pasted excerpts of an internal Secret Service memorandum report, and a Mutual Legal Assistance Treaty from the Russian Federation. Both documents are described in the Secret Service affidavit as "highly sensitive information pertaining to ongoing USSS criminal cases".
At the agency's urging, the informant made contact with Myth, and learned that the documents represented just a few droplets in a full-blown Secret Service data spill. The hacker knew about Secret Service subpoenas relating to government computer crime investigations, and even knew the agency was monitoring his own ICQ chat account.
Myth refused to identify the source of his informational largesse, but agreed to arrange an introduction. The next day Myth, the snitch, and a third person using the nickname "Anonyman" met on an IRC channel. Over the following days, the snitch gained the hacker's trust, and the hacker confirmed that he and Ethics were one and the same. Ethics began sharing Secret Service documents and emails with the informant, who passed them back to the agency.
By 5 August the agents already had a good idea what was going on, when Ethics made a fateful mistake. The hacker asked the Secret Service informant for a proxy server - a host that would pass through web connections, making them harder to trace. The informant was happy to oblige. The proxy he provided, of course, was a Secret Service machine specially configured for monitoring, and agents watched as the hacker surfed to "My T-Mobile," and entered a username and password belonging to Peter Cavicchia, a Secret Service cyber crime agent in New York.
Cavicchia was the agent who last year spearheaded the investigation of Jason Smathers, a former AOL employee accused of stealing 92 million customer email addresses from the company to sell to a spammer. The agent was also an adopter of mobile technology, and he did a lot of work through his T-Mobile Sidekick - an all-in-one cellphone, camera, digital organizer and email terminal. The Sidekick uses T-Mobile servers for email and file storage, and the stolen documents had all been lifted from Cavicchia's T-Mobile account, according to the affidavit. (Cavicchia didn't respond to an email query from SecurityFocus Tuesday.)
By that time the Secret Service already had a line on Ethic's true identity. Agents had the hacker's ICQ number, which he'd used to chat with the informant. A web search on the number turned up a 2001 resume for the then-teenaged Jacobsen, who'd been looking for a job in computer security. The email address was listed as email@example.com.
The trick with the proxy honeypot provided more proof of the hacker's identity: the server's logs showed that Ethics had connected from an IP address belonging to the Residence Inn Hotel in Buffalo, New York. When the Secret Service checked the Shadowcrew logs through a backdoor set up for their use - presumably by the informant - they found that Ethics had logged in from the same address. A phone call to the hotel confirmed that Nicolas Jacobsen was a guest. Snapshots compromised
Eight days later, on 27 October, law enforcement agencies dropped the hammer on Operation Firewall, and descended on fraud and computer crime suspects across eight states and six foreign countries, arresting 28 of them. Jacobsen, then living in an apartment in Santa Ana in Southern California, was taken into custody by the Secret Service. He was later released on bail with computer use restrictions.
Jacobsen lost his job at Pfastship Logistics, an Irvine, California company where he worked as a network administrator, and he now lives in Oregon.
The hacker's access to the T-Mobile gave him more than just Secret Service documents. A friend of Jacobsen's says that prior to his arrest, Jacobsen provided him with digital photos that he claimed celebrities had snapped with their cell phone cameras. "He basically just said there was flaw in the way the cell phone servers were set up," says William Genovese, a 27-year-old hacker facing unrelated charges for allegedly selling a copy of Microsoft's leaked source code for $20.00. Genovese provided SecurityFocus with an address on his website featuring what appears to be grainy candid shots of Demi Moore, Ashton Kutcher, Nicole Richie, and Paris Hilton.
The swiped images are not mention in court records, but a source close to the defense confirmed Genovese's account, and says Jacobsen amused himself and others by obtaining the passwords of Sidekick-toting celebrities from the hacked database, then entering their T-Mobile accounts and downloading photos they'd taken with the wireless communicator's built-in camera.
The same source also offers an explanation for the secrecy surrounding the case: the Secret Service, the source says, has offered to put the hacker to work, pleading him out to a single felony, then enlisting him to catch other computer criminals in the same manner in which he himself was caught. The source says that Jacobsen, facing the prospect of prison time, is favorably considering the offer.
Not gonna see that on the T-mobile commercials. Wonder if Catherine-Zeta jones got her account jacked?
And she had that scary person stalking her too.
I read this earlier and laughed real good. Typical of a 21 year old. This kid is good but he got caught.
Why are we using a foreign gov't controlled company?
Ping-win-less interesting read.
The USSS uses commercial e-mail to send unencrypted "highly sensitive information pertaining to ongoing USSS criminal cases"?
Doesn't say much for the USSS, does it?
It's been going on for years. A recently published excerpt sample of SS email from 1997:
"Thunder Thighs called me a no good bastard today when I opened the door for her. Then she kicked B-dog when he ran up to greet her.
If that wasn't enough to be a typical day around here along comes Bent-1 with another awestruck, glassy eyed intern in tow. He sends the secratary out of the office takes the intern into the Oval and asks me to watch the door. A while later he sticks his head out asking for a light for a soggy cigar he's gumming."
I would say he is a man who needs to shut up.
I love it. These technotards get burned all the time. If you want to keep a secret don't tell anyone, don't write it down, and for sure don't record it electronically.
I certainly feel comfortable that the National ID system that we're about to have will be secure, that no one will be able to more easily steal our identities than now, or simply find out private information about us. A-yup, I feel very comfortable, indeed...baaaaaah!
I'm prone to projectile vomit whenever I hear the words "National ID" mentioned.
Just how absurd that is in and of itself didn't even strike me at first.
I mean why even bother with emails. Secret Service should just create an online forum messageboard to post and discuss cureent secret intelligence. It will build a nice little community of sorts. Of course the website will have to be kept super duper extra top secret so the bad guys dont find it.
Hacker hit US wireless carrier, Secret ServiceSENSITIVE INFORMATION: Personal details of 400 T-Mobile USA's customers were obtained over a 10 month period, including those of a special agent
AP , WASHINGTON
Friday, Jan 14, 2005,Page 7
A hacker broke into a wireless carrier's network over at least seven months and read e-mails and personal computer files of hundreds of customers, including the Secret Service agent investigating the hacker, the government said on Wednesday.
The hacker obtained an internal Secret Service memorandum and part of a mutual assistance legal treaty from Russia. The documents contained "highly sensitive information pertaining to ongoing ... criminal cases," according to court records.
The break-in targeted the network for Bellevue, Washington-based T-Mobile USA, which has 16.3 million customers in the US. It was discovered during a Secret Service investigation, "Operation Firewall," which targeted underground hacker organizations known as Shadowcrew, Carderplanet and Darkprofits.
The hacker was able to view the names and Social Security numbers of 400 customers, all of whom were notified in writing about the break-in, T-Mobile said. It said customer credit card numbers and other financial information never were revealed.
"Safeguarding T-Mobile customer information is a top priority for the company," said a spokesman, Peter Dobrow. He said T-Mobile discovered the break-in late in 2003 and "immediately took steps that prevented any further access to this system."
Court records said the hacker had access to T-Mobile customer information from at least March through last October.
The Secret Service said its agent, Peter Cavicchia, should not have been using his personal handheld computer for government work. Cavicchia, a respected investigator who has specialized in tracking hackers, was a T-Mobile customer who coincidentally was investigating the T-Mobile break-in, according to court documents and a Secret Service spokesman, Jonathan Cherry.
Cavicchia, who won the Secret Service's medal of valor for his actions in the Sept. 11 terror attacks, resigned to work in the private sector. He said he was not asked to leave and said he was cleared during an internal investigation into whether he had improperly revealed sensitive information or violated agency rules.
Nicolas Lee Jacobsen, 21, of Santa Ana, California, a computer engineer, has been charged with the break-in in US District Court in Los Angeles. Court records said an online offer last March, traced to Jacobsen, claimed hackers could look up the name, Social Security number, birth date and passwords for voice mails and e-mails for T-Mobile customers.
Investigators said they traced the hacker's online activities to a hotel in Williamsport, New York, where Jacobsen was staying. Jacobsen, who was arrested in October in California, was released on a US$25,000 bond posted by his uncle, who was ordered to keep his own personal computer locked up so Jacobsen couldn't use it.
The case against Jacobsen was first reported by the Web site Security Focus. This story has been viewed 75342 times.
Sigh....I wonder when folks are going to realize that nothing is absolutely secure and hack-proof.
Disclaimer: Opinions posted on Free Republic are those of the individual posters and do not necessarily represent the opinion of Free Republic or its management. All materials posted herein are protected by copyright law and the exemption for fair use of copyrighted works.