[ISN] Hacker breaches T-Mobile systems, reads US Secret Service email

InfoSec News isn at c4i.org
Wed Jan 12 10:40:23 EST 2005


By Kelly Martin
12th January 2005 

A sophisticated computer hacker had access to servers at wireless
giant T-Mobile for at least a year, which he used to monitor US Secret
Service email, obtain customers' passwords and Social Security
numbers, and download candid photos taken by Sidekick users, including
Hollywood celebrities, SecurityFocus has learned.

Twenty-one year-old Nicolas Jacobsen was quietly charged with the
intrusions last October, after a Secret Service informant helped
investigators link him to sensitive agency documents that were
circulating in underground IRC chat rooms. The informant also produced
evidence that Jacobsen was behind an offer to provide T-Mobile
customers' personal information to identity thieves through an
Internet bulletin board, according to court records.

Jacobsen could access information on any of the Bellevue,
Washington-based company's 16.3 million customers, including many
customers' Social Security numbers and dates of birth, according to
government filings in the case. He could also obtain voicemail PINs,
and the passwords providing customers with web access to their
T-Mobile email accounts. He did not have access to credit card

The case arose as part of the Secret Service's "Operation Firewall"  
crackdown on internet fraud rings last October, in which 19 men were
indicted for trafficking in stolen identity information and documents,
and stolen credit and debit card numbers. But Jacobsen was not charged
with the others. Instead he faces two felony counts of computer
intrusion and unauthorized impairment of a protected computer in a
separate, unheralded federal case in Los Angeles, currently set for a
14 February status conference.

The government is handling the case well away from the spotlight. The
US Secret Service, which played the dual role of investigator and
victim in the drama, said Tuesday it couldn't comment on Jacobsen
because the agency doesn't discuss ongoing cases - a claim that's
perhaps undermined by the 19 other Operation Firewall defendants
discussed in a Secret Service press release last fall. Jacobson's
prosecutor, assistant US attorney Wesley Hsu, also declined to
comment. "I can't talk about it," Hsu said simply. Jacobsen's lawyer
didn't return a phone call.

T-Mobile, which apparently knew of the intrusions by July of last
year, has not issued any public warning. Under California's
anti-identity theft law "SB1386," the company is obliged to notify any
California customers of a security breach in which their personally
identifiable information is "reasonably believed to have been"  
compromised. That notification must be made in "the most expedient
time possible and without unreasonable delay," but may be postponed if
a law enforcement agency determines that the disclosure would
compromise an investigation.

Company spokesman Peter Dobrow said Tuesday that nobody at T-Mobile
was available to comment on the matter.

Cat and Mouse Game

According to court records the massive T-Mobile breach first came to
the government's attention in March 2004, when a hacker using the
online moniker "Ethics" posted a provocative offer on muzzfuzz.com,
one of the crime-facilitating online marketplaces being monitored by
the Secret Service as part of Operation Firewall.

"[A]m offering reverse lookup of information for a t-mobile cell
phone, by phone number at the very least, you get name, ssn, and DOB
at the upper end of the information returned, you get web
username/password, voicemail password, secret question/answer, sim#,
IMEA#, and more," Ethics wrote.

The Secret Service contacted T-Mobile, according to an affidavit filed
by cyber crime agent Matthew Ferrante, and by late July the company
had confirmed that the offer was genuine: a hacker had indeed breached
their customer database,

At the same time, agents received disturbing news from a prized snitch
embedded in the identity theft and credit card fraud underground.  
Unnamed in court documents, the informant was an administrator and
moderator on the Shadowcrew site who'd been secretly cooperating with
the government since August 2003 in exchange for leniency. By all
accounts he was a key government asset in Operation Firewall.

On 28 July the informant gave his handlers proof that their own
sensitive documents were circulating in the underground marketplace
they were striving to destroy. He had obtained a log of an IRC chat
session in which a hacker named "Myth" copy-and-pasted excerpts of an
internal Secret Service memorandum report, and a Mutual Legal
Assistance Treaty from the Russian Federation. Both documents are
described in the Secret Service affidavit as "highly sensitive
information pertaining to ongoing USSS criminal cases".

At the agency's urging, the informant made contact with Myth, and
learned that the documents represented just a few droplets in a
full-blown Secret Service data spill. The hacker knew about Secret
Service subpoenas relating to government computer crime
investigations, and even knew the agency was monitoring his own
Microsoft ICQ chat account.

Myth refused to identify the source of his informational largesse, but
agreed to arrange an introduction. The next day Myth, the snitch, and
a third person using the nickname "Anonyman" met on an IRC channel.  
Over the following days, the snitch gained the hacker's trust, and the
hacker confirmed that he and Ethics were one and the same. Ethics
began sharing Secret Service documents and emails with the informant,
who passed them back to the agency.

Honeypot Proxy

By 5 August the agents already had a good idea what was going on, when
Ethics made a fateful mistake. The hacker asked the Secret Service
informant for a proxy server - a host that would pass through web
connections, making them harder to trace. The informant was happy to
oblige. The proxy he provided, of course, was a Secret Service machine
specially configured for monitoring, and agents watched as the hacker
surfed to "My T-Mobile," and entered a username and password belonging
to Peter Cavicchia, a Secret Service cyber crime agent in New York.

Cavicchia was the agent who last year spearheaded the investigation of
Jason Smathers, a former AOL employee accused of stealing 92 million
customer email addresses from the company to sell to a spammer. The
agent was also an adopter of mobile technology, and he did a lot of
work through his T-Mobile Sidekick - an all-in-one cellphone, camera,
digital organizer and email terminal. The Sidekick uses T-Mobile
servers for email and file storage, and the stolen documents had all
been lifted from Cavicchia's T-Mobile account, according to the
affidavit. (Cavicchia didn't respond to an email query from
SecurityFocus Tuesday.)

By that time the Secret Service already had a line on Ethic's true
identity. Agents had the hacker's ICQ number, which he'd used to chat
with the informant. A web search on the number turned up a 2001 resume
for the then-teenaged Jacobsen, who'd been looking for a job in
computer security. The e-mail address was listed as
ethics at netzero.net.

The trick with the proxy honeypot provided more proof of the hacker's
identity: the server's logs showed that Ethics had connected from an
IP address belonging to the Residence Inn Hotel in Buffalo, New York.  
When the Secret Service checked the Shadowcrew logs through a backdoor
set up for their use - presumably by the informant - they found that
Ethics had logged in from the same address. A phone call to the hotel
confirmed that Nicolas Jacobsen was a guest.

Snapshots Compromised

Eight days later, on 27 October, law enforcement agencies dropped the
hammer on Operation Firewall, and descended on fraud and computer
crime suspects across eight states and six foreign countries,
arresting 28 of them. Jacobsen, then living in an apartment in Santa
Ana in Southern California, was taken into custody by the Secret
Service. He was later released on bail with computer use restrictions.

Jacobson lost his job at Pfastship Logistics, an Irving, California
company where he worked as a network administrator, and he now lives
in Oregon.

The hacker's access to the T-Mobile gave him more than just Secret
Service documents. A friend of Jacobson's says that prior to his
arrest, Jacobson provided him with digital photos that he claimed
celebrities had snapped with their cell phone cameras. "He basically
just said there was flaw in the way the cell phone servers were set
up," says William Genovese, a 27-year-old hacker facing unrelated
charges for allegedly selling a copy of Microsoft's leaked source code
for $20.00. Genovese provided SecurityFocus with an address on his
website featuring what appears to be grainy candid shots of Demi
Moore, Ashton Kutcher, Nicole Richie, and Paris Hilton.

The swiped images are not mention in court records, but a source close
to the defense confirmed Genovese's account, and says Jacobson amused
himself and others by obtaining the passwords of Sidekick-toting
celebrities from the hacked database, then entering their T-Mobile
accounts and downloading photos they'd taken with the wireless
communicator's built-in camera.

The same source also offers an explanation for the secrecy surrounding
the case: the Secret Service, the source says, has offered to put the
hacker to work, pleading him out to a single felony, then enlisting
him to catch other computer criminals in the same manner in which he
himself was caught. The source says that Jacobson, facing the prospect
of prison time, is favorably considering the offer.

More information about the ISN mailing list