http://www.wired.com/news/privacy/0,1848,66735,00.html

By Kevin Poulsen
Feb. 28, 2005

An intrusion into T-Mobile's servers that compromised customer records, sensitive government documents, private e-mail and candid celebrity photos last year occurred because the wireless giant failed to patch a known security hole in a commercial software package, Wired News has learned.

In a sealed plea agreement with prosecutors, Nicolas Jacobsen, 22, pleaded guilty on February 15 in federal court in Los Angeles to a single felony charge of intentionally gaining access to a protected computer and recklessly causing damage. His cybercrime spree in T-Mobile's network began in late 2003, and didn't end until his arrest last fall.

Jacobsen's victims last year included Paris Hilton, a conspicuous T-Mobile Sidekick user. But the hacker is not known to be connected to a new intrusion last week that scattered Hilton's private files across the Internet.

The Justice Department and the U.S. Secret Service have handled the Jacobsen prosecution with unusual secrecy, and T-Mobile has been tight-lipped on how the hacker penetrated their systems. But two sources close to the case and a hacker friend of Jacobsen's who hosted some of his purloined files all point to the same security hole: a vulnerability discovered in early 2003 in the WebLogic application server produced by San Jose, California, company BEA Systems.

Found by researchers at security vendor SPI Dynamics, the WebLogic hole took the form of an undocumented function that allows an attacker to remotely read or replace any file on a system by feeding it a specially crafted web request. BEA produced a patch for the bug in March 2003 and issued a public advisory rating it a high-severity vulnerability. In July of that year, the hole was spotlighted in a presentation at the Black Hat Briefings convention in Las Vegas.
Approximately 1,700 computer security professionals and corporate executives attended that conference, where an SPI Dynamics researcher detailed precisely how to exploit the vulnerability. The attack method is "kiddy simple," says Caleb Sima, founder and CTO of SPI Dynamics. "All you have to do is add a special header with the request, with special commands at the end of it, and that's it."

Jacobsen learned of the WebLogic hole from the advisory, crafted his own 20-line exploit in Visual Basic, then began digging around the internet for potential targets who had failed to install the patch, the sources say. By October 2003, he'd hit pay dirt at T-Mobile, where he used the exploit to gain a foothold in the company's systems. He then wrote his own front-end to the customer database to which he could return at his convenience.

"He eventually made his own interface," says William Genovese, a friend of Jacobsen's in the hacking community, who is currently facing unrelated charges for allegedly selling a copy of leaked source code for portions of Microsoft's Windows 2000 and Windows NT operating systems for $20.

According to court records, Jacobsen continued to enjoy illicit access to T-Mobile systems until his arrest in October 2004 -- more than 18 months after the WebLogic vulnerability was first made public.

The hacker had access to T-Mobile customer passwords, Social Security numbers, dates of birth and other information, which he offered to make available to fraudsters and identity thieves over an online web forum. Additionally, Jacobsen used passwords stolen from the database to read T-Mobile customers' e-mail, including that of a U.S. Secret Service agent. Sources close to the case say the hacker also downloaded candid photos taken by Sidekick users, including images of celebrities Demi Moore, Ashton Kutcher, Nicole Richie and Paris Hilton, which until recently could be found on a webpage hosted by Genovese.
A phone call to Jacobsen's lawyer went unreturned last week.

T-Mobile says it has notified 400 customers that their data was leaked, and continues to investigate the case. But the company said last week it couldn't comment on its vulnerabilities or patching policies without placing customers at further risk. "We will not publicly discuss specifics of our systems, or attempts to gain access to our systems, for the protection of our customers and their data," spokesman Peter Dobrow wrote in an e-mail.

Dobrow claims the company has closed the holes that Jacobsen exploited. "As part of our security efforts, safeguards are in place to prevent illegal access similar to Jacobsen's activity," he wrote.

BEA failed to return repeated phone calls on the WebLogic vulnerability and its role in the T-Mobile hacks.

Jacobsen's hacks were neither the first nor the last consumer privacy problem at T-Mobile. Last year, the company faced criticism for giving cell phone users a default voice mail configuration that leaves them open to Caller I.D.-spoofing snoops -- an issue that lingers today. And last week a copycat hacker penetrated Paris Hilton's T-Mobile Sidekick account a second time, posting the hotel chain heiress' electronic memo pad, address book and a new batch of private photos on the web. The company's security thus became the unlikely topic of tabloid media interest.

In a press release Saturday, T-Mobile chief operating officer Sue Swenson said the company takes its customers' privacy seriously. "We are aggressively investigating the illegal dissemination of information over the internet of T-Mobile customers' personal data," said Swenson. The press release made no mention of T-Mobile's failure to secure its systems, but encouraged customers to be more careful with their passwords.

_________________________________________
Bellua Cyber Security Asia 2005 - http://www.bellua.com/bcs2005
This archive was generated by hypermail 2.1.3 : Tue Mar 01 2005 - 03:23:38 PST