T-Mobile Hack

From Hack Story

Revision as of 10:28, 17 May 2011 by WikiSysop (Talk | contribs)

http://www.theregister.co.uk/2005/01/12/hacker_penetrates_t-mobile/

By Kelly Martin SecurityFocus 12th January 2005

A sophisticated computer hacker had access to servers at wireless giant T-Mobile for at least a year, which he used to monitor US Secret Service email, obtain customers' passwords and Social Security numbers, and download candid photos taken by Sidekick users, including Hollywood celebrities, SecurityFocus has learned.

Twenty-one year-old Nicolas Jacobsen was quietly charged with the intrusions last October, after a Secret Service informant helped investigators link him to sensitive agency documents that were circulating in underground IRC chat rooms. The informant also produced evidence that Jacobsen was behind an offer to provide T-Mobile customers' personal information to identity thieves through an Internet bulletin board, according to court records.

Jacobsen could access information on any of the Bellevue, Washington-based company's 16.3 million customers, including many customers' Social Security numbers and dates of birth, according to government filings in the case. He could also obtain voicemail PINs, and the passwords providing customers with web access to their T-Mobile email accounts. He did not have access to credit card numbers.

The case arose as part of the Secret Service's "Operation Firewall" crackdown on internet fraud rings last October, in which 19 men were indicted for trafficking in stolen identity information and documents, and stolen credit and debit card numbers. But Jacobsen was not charged with the others. Instead he faces two felony counts of computer intrusion and unauthorized impairment of a protected computer in a separate, unheralded federal case in Los Angeles, currently set for a 14 February status conference.

The government is handling the case well away from the spotlight. The US Secret Service, which played the dual role of investigator and victim in the drama, said Tuesday it couldn't comment on Jacobsen because the agency doesn't discuss ongoing cases - a claim that's perhaps undermined by the 19 other Operation Firewall defendants discussed in a Secret Service press release last fall. Jacobsen's prosecutor, assistant US attorney Wesley Hsu, also declined to comment. "I can't talk about it," Hsu said simply. Jacobsen's lawyer didn't return a phone call.

T-Mobile, which apparently knew of the intrusions by July of last year, has not issued any public warning. Under California's anti-identity theft law "SB1386," the company is obliged to notify any California customers of a security breach in which their personally identifiable information is "reasonably believed to have been" compromised. That notification must be made in "the most expedient time possible and without unreasonable delay," but may be postponed if a law enforcement agency determines that the disclosure would compromise an investigation.

Company spokesman Peter Dobrow said Tuesday that nobody at T-Mobile was available to comment on the matter.


Cat and Mouse Game

According to court records the massive T-Mobile breach first came to the government's attention in March 2004, when a hacker using the online moniker "Ethics" posted a provocative offer on muzzfuzz.com, one of the crime-facilitating online marketplaces being monitored by the Secret Service as part of Operation Firewall.

"[A]m offering reverse lookup of information for a t-mobile cell phone, by phone number at the very least, you get name, ssn, and DOB at the upper end of the information returned, you get web username/password, voicemail password, secret question/answer, sim#, IMEA#, and more," Ethics wrote.

The Secret Service contacted T-Mobile, according to an affidavit filed by cyber crime agent Matthew Ferrante, and by late July the company had confirmed that the offer was genuine: a hacker had indeed breached their customer database.

At the same time, agents received disturbing news from a prized snitch embedded in the identity theft and credit card fraud underground. Unnamed in court documents, the informant was an administrator and moderator on the Shadowcrew site who'd been secretly cooperating with the government since August 2003 in exchange for leniency. By all accounts he was a key government asset in Operation Firewall.

On 28 July the informant gave his handlers proof that their own sensitive documents were circulating in the underground marketplace they were striving to destroy. He had obtained a log of an IRC chat session in which a hacker named "Myth" copy-and-pasted excerpts of an internal Secret Service memorandum report, and a Mutual Legal Assistance Treaty from the Russian Federation. Both documents are described in the Secret Service affidavit as "highly sensitive information pertaining to ongoing USSS criminal cases".

At the agency's urging, the informant made contact with Myth, and learned that the documents represented just a few droplets in a full-blown Secret Service data spill. The hacker knew about Secret Service subpoenas relating to government computer crime investigations, and even knew the agency was monitoring his own Microsoft ICQ chat account.

Myth refused to identify the source of his informational largesse, but agreed to arrange an introduction. The next day Myth, the snitch, and a third person using the nickname "Anonyman" met on an IRC channel. Over the following days, the snitch gained the hacker's trust, and the hacker confirmed that he and Ethics were one and the same. Ethics began sharing Secret Service documents and emails with the informant, who passed them back to the agency.


Honeypot Proxy

By 5 August the agents already had a good idea what was going on, when Ethics made a fateful mistake. The hacker asked the Secret Service informant for a proxy server - a host that would pass through web connections, making them harder to trace. The informant was happy to oblige. The proxy he provided, of course, was a Secret Service machine specially configured for monitoring, and agents watched as the hacker surfed to "My T-Mobile," and entered a username and password belonging to Peter Cavicchia, a Secret Service cyber crime agent in New York.

Cavicchia was the agent who last year spearheaded the investigation of Jason Smathers, a former AOL employee accused of stealing 92 million customer email addresses from the company to sell to a spammer. The agent was also an adopter of mobile technology, and he did a lot of work through his T-Mobile Sidekick - an all-in-one cellphone, camera, digital organizer and email terminal. The Sidekick uses T-Mobile servers for email and file storage, and the stolen documents had all been lifted from Cavicchia's T-Mobile account, according to the affidavit. (Cavicchia didn't respond to an email query from SecurityFocus Tuesday.)

By that time the Secret Service already had a line on Ethics' true identity. Agents had the hacker's ICQ number, which he'd used to chat with the informant. A web search on the number turned up a 2001 resume for the then-teenaged Jacobsen, who'd been looking for a job in computer security. The e-mail address was listed as ethics@netzero.net.

The trick with the proxy honeypot provided more proof of the hacker's identity: the server's logs showed that Ethics had connected from an IP address belonging to the Residence Inn Hotel in Buffalo, New York. When the Secret Service checked the Shadowcrew logs through a backdoor set up for their use - presumably by the informant - they found that Ethics had logged in from the same address. A phone call to the hotel confirmed that Nicolas Jacobsen was a guest.


Snapshots Compromised

Eight days later, on 27 October, law enforcement agencies dropped the hammer on Operation Firewall, and descended on fraud and computer crime suspects across eight states and six foreign countries, arresting 28 of them. Jacobsen, then living in an apartment in Santa Ana in Southern California, was taken into custody by the Secret Service. He was later released on bail with computer use restrictions.

Jacobsen lost his job at Pfastship Logistics, an Irving, California company where he worked as a network administrator, and he now lives in Oregon.

The hacker's access to T-Mobile gave him more than just Secret Service documents. A friend of Jacobsen's says that prior to his arrest, Jacobsen provided him with digital photos that he claimed celebrities had snapped with their cell phone cameras. "He basically just said there was a flaw in the way the cell phone servers were set up," says William Genovese, a 27-year-old hacker facing unrelated charges for allegedly selling a copy of Microsoft's leaked source code for $20.00. Genovese provided SecurityFocus with an address on his website featuring what appears to be grainy candid shots of Demi Moore, Ashton Kutcher, Nicole Richie, and Paris Hilton.

The swiped images are not mentioned in court records, but a source close to the defense confirmed Genovese's account, and says Jacobsen amused himself and others by obtaining the passwords of Sidekick-toting celebrities from the hacked database, then entering their T-Mobile accounts and downloading photos they'd taken with the wireless communicator's built-in camera.

The same source also offers an explanation for the secrecy surrounding the case: the Secret Service, the source says, has offered to put the hacker to work, pleading him out to a single felony, then enlisting him to catch other computer criminals in the same manner in which he himself was caught. The source says that Jacobsen, facing the prospect of prison time, is favorably considering the offer.

----

http://www.cnn.com/2005/TECH/02/16/cell.phone.hacker.ap/

February 16, 2005

LOS ANGELES, California (AP) -- A hacker who broke into the network of T-Mobile USA Inc. and accessed personal information on hundreds of customers including a Secret Service agent has pleaded guilty to a felony hacking charge.

Nicholas Lee Jacobsen, a 21-year-old computer engineer who now lives in Oregon, entered his plea Tuesday in U.S. District Court in Los Angeles. He faces up to five years in federal prison and a $250,000 fine when he is sentenced May 16.

The break-in targeted the network of Bellevue, Washington-based T-Mobile USA, which has 16.3 million customers nationwide. It was discovered during a broader Secret Service investigation.

T-Mobile acknowledged the hacker was able to view the names and Social Security numbers of 400 customers, all of whom it said were notified in writing about the break-in, which lasted at least seven months.

The company said customer credit card numbers and other financial information were not revealed.

Prosecutors alleged Jacobsen posted a notice on an online bulletin board that said he could look up the name, Social Security number, birth date and passwords for voice mails and e-mails for T-Mobile customers.

Jacobsen was accused of targeting the desktop computer of a Secret Service agent on his trail. The agent, Peter Cavicchia, was also a T-Mobile customer and sometimes used the wireless network to communicate about the case, unaware it wasn't safe.

Jacobsen was arrested in October in Orange County, where he used to live, and was later released on $25,000 bail.

--

http://www.computerworld.com/securitytopics/security/story/0,10801,99934,00.html

[My understanding of the Danger Hiptop/T-Mobile Sidekick is that unlike BlackBerrys or Palm PDAs, the Sidekick does a real-time sync with the T-Mobile servers automatically. Update a note, take a photo or a phone number and the information is transmitted on the fly back to T-Mobile network servers. Compromise the internal servers, and more than likely you wouldn't need physical access to the PDA to steal the data. - WK]


By Paul Roberts FEBRUARY 21, 2005 IDG NEWS SERVICE

Hackers penetrated the crystalline ranks of Hollywood celebrity Saturday, posting the cellular phone address book of hotel heiress and celebrity Paris Hilton on a Web page and passing the phone numbers and e-mail addresses of some of Tinsel Town's hottest stars into the public realm.

A copy of Hilton's T-Mobile USA Inc. cell phone address book appeared on the Web site of a group calling itself "illmob." The address book contains information on over 500 of Hilton's acquaintances, including super celebrities such as Eminem and Christina Aguilera. It is not known how the information was obtained, but the release of the contact book may be further fallout from a hack of T-Mobile's servers that came to light in January.

The Hilton address book was posted on the illmob Web site early Sunday and is a simple HTML table listing the phone numbers and e-mail addresses for acquaintances, along with other useful information, such as the number of the San Francisco Hilton Hotel and celebrity attorney Robert Shapiro.

The leak is bound to prompt a furious round of unplanned number changes among Hilton's coterie, after fans and curious Web surfers learned of the hack and began dialling their favorite celebrities.

Eminem's phone number was changed. Limp Bizkit front man Fred Durst's voice mailbox was full. Tennis star Anna Kournikova's number was busy, despite repeated attempts to get through. Robert Shapiro's answering machine picked up when called and provided a number to page the star attorney in an emergency.

There was no answer at Hilton's home, nor did sister Nicky Hilton answer calls to her phone.

Reached by phone, actor Kevin Connelly, of the cable television show "Entourage," said he had received between 200 and 300 phone calls since early Sunday, as word of the hacked address book spread across the Internet. Connelly plays opposite Adrian Grenier in the HBO show about a young celebrity and his colorful entourage of old school chums. He declined to comment on whether he knew Hilton or why his name appeared in her T-mobile phone list.

Connelly, who received at least one other call while on the line with this reporter, said he would likely change his phone number today to stop the harassment.

It was unclear yesterday how the cell phone contact list was obtained. However, Hilton's was one of a number of celebrity cell phones that was reportedly compromised in an attack on T-Mobile's network that netted information on 400 of the company's customers, including sensitive information from the account of a U.S. Secret Service agent.

In January, the Bellevue, Wash., mobile carrier acknowledged that Nicholas Jacobsen, a California-based hacker, compromised its internal computer systems in 2003 and viewed the Social Security numbers of 400 customers. T-Mobile, which is part of Deutsche Telekom AG, did not immediately respond to requests for comment late Sunday.

Jacobsen pleaded guilty last week to one felony charge of accessing a protected computer and causing reckless damage. He is scheduled to be sentenced in May and faces a maximum possible sentence of five years imprisonment and a $250,000 fine.

--

http://www.macdevcenter.com/pub/a/mac/2005/01/01/paris.html

By Brian McWilliams 02/22/2005

Paris Hilton's Chihuahua couldn't protect her Hollywood home from a burglary last summer. So why was Hilton counting on her dog to protect her T-Mobile account from intruders?

Despite repeated attacks on her T-Mobile email and telephone records in recent months, the actress and heiress has persisted in using the little dog's name to secure her password at the T-Mobile site.

Like many online service providers, T-Mobile.com requires users to answer a "secret question" if they forget their passwords. For Hilton's account, the secret question was "What is your favorite pet's name?" By correctly providing the answer, any internet user could change Hilton's password and freely access her account.

Hilton makes no secret of her affection for her Chihuahua. Last August, Hilton offered a reward of $5,000 when her beloved pet disappeared after the house she shared with sister Nicole was burglarized.

An anonymous source provided O'Reilly Network with a screen grab, proving he was able to access the contents of Hilton's T-Mobile inbox as of Tuesday morning. Another image confirmed that Hilton's "secret answer" was her dog's name.

Upon being notified Tuesday, T-Mobile corrected the potential security vulnerability in Hilton's account.

Last weekend, Hilton's T-Mobile online account was accessed by intruders calling themselves "The Niggas at DFNCTSC." The trespassers posted the contents of her address book, notes, and photo folder on the internet.

In January, Hilton reportedly suspected that a "hacker" had access to her email account and was reading messages there.

It's unclear how those intruders gained access to Hilton's account. A T-Mobile spokesperson said the company is "actively investigating" the situation.

Weak passwords are cited as one of the top twenty internet security vulnerabilities by the SANS Institute.

Account information belonging to Hilton and other T-Mobile users has been circulating in the computer underground since at least late March of 2004. A California man named Nicholas Jacobsen has admitted to hacking into T-Mobile's servers and accessing records on at least 400 customers. (Last week, security professionals openly speculated about how Jacobsen gained access to the wireless provider's internal systems.)

According to court papers, Jacobsen, who used the online alias Ethics, offered to sell the stolen information on an online message board on March 15, 2004. Jacobsen also apparently provided excerpts of the data to friends and colleagues.

A log file of a March 2004 instant-message conversation apparently between Ethics and an associate includes a section containing Hilton's T-Mobile phone number, password, social security number, and other confidential information.

Password hint systems like the one used by T-Mobile are common on the internet. Online service providers including the MSN Hotmail service have encountered security breaches involving attackers correctly answering "secret questions" and then locking victims out of their accounts.

T-Mobile representatives said Hilton uses a Sidekick II, a communication device that offers wireless telephone and internet access as well as a built-in flash camera.

--
-------------------------------------------------------------------
 Hispasec - una-al-día                                  27/02/2005
 A security news item every day                   www.hispasec.com
-------------------------------------------------------------------

The secret question in the "Paris Hilton" case
----------------------------------------------

Just a few days ago the news broke that the contents of Paris Hilton's mobile phone had been published on the Internet. At first, the possibilities considered were that the SIM card had been accessed, or that it was an intrusion into T-Mobile's servers exploiting SQL injection. In the end it seems the method used was much simpler: it was enough to answer the question "What is your favorite pet's name?".

Paris Hilton's phone, a T-Mobile Sidekick II, can keep a copy of its contents on an Internet server, accessible over the web. As with many online services, T-Mobile uses the secret-question method to give access to users who have forgotten their passwords. So if you can answer the secret question, you get the option to enter a new password.

Paris Hilton chose the question "What is your favorite pet's name?" in case she ever forgot her password. Although it is obviously easier for an attacker to guess the name of a pet or a person's favorite color than a password that is, a priori, random, the Paris Hilton case borders on the grotesque. The name of her Chihuahua was well known after the famous heiress offered a reward of several thousand dollars when she lost it.

The result of all this nonsense is that today anyone can download the entire contents of Paris Hilton's mobile phone. Among other things, we can find the phone numbers of Christina Aguilera, Avril Lavigne, Eminem, or Anna Kournikova, among the more than 400 contacts with e-mail addresses or phone numbers that she kept stored. There is also access to 35 photos she had taken with her phone, ranging from her dog to some more risqué ones taken with a friend.

Finally, it is possible to browse her diary, where of course we find notes on all the venues she frequents, and we can even listen to several calls she kept stored. For that it is no longer necessary to know the Chihuahua's name, "Tinkerbell"; now a simple search on eMule is enough to download the file of the moment.

Leaving aside the anecdotes of this particular case, what is evident is the great risk that the secret-question method entails. It makes no sense to "protect" a password with something weaker, such as answering questions like what our favorite color is. Bruce Schneier criticized precisely this practice a few days ago, although he went further and ended up burying passwords themselves.

The truth is that any of us who has ever had to administer services with a large number of users has suffered from the password problem. On the one hand we ask users to meet minimum requirements when choosing them so they are not easy to guess, and on the other we want them not to call us every five minutes because they have forgotten the password or locked the account after more than five failed attempts.

And another thing: when the moment comes to call the service administrator to reset the password, the administrator now has to find a way to be sure that whoever is on the phone, whose voice they are hearing for the first time, is who they claim to be. In the end they ask for personal details, which can also be more or less easy to obtain. In short, a breeding ground for social engineering attacks.

And you, leaving aside alternative authentication systems, how do you solve the password problem in your services?

Comment on this story: http://www.hispasec.com/unaaldia/2318/comentar

More information:

The Curse of the Secret Question http://www.schneier.com/blog/archives/2005/02/the_curse_of_th.html

The human side of passwords http://www.hispasec.com/unaaldia/2245
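
The secret-question reset that the O'Reilly Network and Hispasec pieces describe, set beside a token-based alternative, as an added example that is not code from T-Mobile or from either article. The `Account` class, the policy constants and all function names are hypothetical, and the sample answer is constructed.

```python
import hashlib
import hmac
import secrets
import time

TOKEN_TTL_SECONDS = 15 * 60   # assumed policy: token valid for 15 minutes
MAX_ATTEMPTS = 5              # assumed policy: wrong tokens allowed per reset


def _kdf(password, salt):
    # Demo iteration count; tune for production hardware.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class Account:
    """Constructed in-memory account record (hypothetical schema)."""

    def __init__(self, username, password, secret_answer):
        self.username = username
        self.secret_answer = secret_answer   # consulted by the weak flow only
        self.reset_token_hash = None
        self.reset_expires = 0.0
        self.failed_attempts = 0
        self.set_password(password)

    def set_password(self, password):
        self.salt = secrets.token_bytes(16)
        self.password_hash = _kdf(password, self.salt)

    def check_password(self, password):
        return hmac.compare_digest(_kdf(password, self.salt), self.password_hash)


def weak_reset(account, answer, new_password):
    """Pattern from the articles: the answer alone authorises the change,
    so the account is only as strong as a fact that may be public."""
    if answer.strip().lower() == account.secret_answer.lower():
        account.set_password(new_password)
        return True
    return False


def start_reset(account, now=None):
    """Hardened step 1: mint a random single-use token. The caller sends it to
    a contact channel registered before the reset; only its hash is stored."""
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)        # 256 bits from the OS CSPRNG
    account.reset_token_hash = hashlib.sha256(token.encode()).digest()
    account.reset_expires = now + TOKEN_TTL_SECONDS
    account.failed_attempts = 0
    return token


def finish_reset(account, token, new_password, now=None):
    """Hardened step 2: enforce expiry, attempt budget and single use."""
    now = time.time() if now is None else now
    if account.reset_token_hash is None or now > account.reset_expires:
        return False
    if account.failed_attempts >= MAX_ATTEMPTS:
        return False
    candidate = hashlib.sha256(token.encode()).digest()
    if not hmac.compare_digest(candidate, account.reset_token_hash):
        account.failed_attempts += 1
        return False
    account.set_password(new_password)
    account.reset_token_hash = None          # token cannot be replayed
    return True
```

In the hardened flow a guessed pet name is just another wrong token: it consumes one of the five attempts and never reaches `set_password`.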
