GoFuckYourself.com - Adult Webmaster Forum

#1 | Confirmed User | Join Date: Feb 2005 | Location: Surrounded By RealMamis! | Posts: 276

Secret Service hacker, how did he do it?

Nick Jacobsen pleaded guilty today to hacking into T-Mobile, specifically for violating 18 U.S.C. § 1030(a)(2)(C), accessing a computer without authorization. It looks like Nick was part of the carding community that has been recently attracting a lot of attention from the US Secret Service (little known, but the Secret Service have jurisdiction over counterfeiting crimes). Carders have gotten bold in the last couple of years, opening online exchanges (muzzfuzz.com, shadowcrew.org) for trading stolen credit cards, selling data used for identity theft, etc.

When I first heard of this incident a few months ago, I was very interested in how he actually did it. There was very little information on how the attack was performed, and I decided to do a little bit of research to see what I could find.

A summarization of the affidavit is that Nick was already under investigation by the Secret Service and hacked into T-Mobile, where he was able to access accounts including those of agents in the Secret Service that were investigating him for other activities. He found that they had been monitoring his conversations over ICQ (Nick's ICQ # was 23292256). Nick also discovered a number of Secret Service documents that an agent, Peter Cavicchia, had left in his inbox unencrypted. Nick posted on muzzfuzz that he was selling T-Mobile account information, offering:

    reverse lookup of information for a tmobile cell phone, by phone number
    at the very least, you get name, ssn, and DOB
    at the upper end of the information returned, you get web username/password, voicemail password, secret question/answer, sim#, IMEI#, and more.

Also of interest, he went on to access Paris Hilton's account and capture some of the pictures she had been taking with her camera.

Now, here is where it gets interesting. How did Nick get into T-Mobile? Did he use an IIS exploit? Did he hack the web interface for T-Mobile accounts?

The affidavit from Nick's case states that he was observed logging into a specific server, http://login.sidekick.dngr.com, with Agent Peter Cavicchia's account information. While this site itself is hosted by Danger, Inc., the makers of the Sidekick device used by Agent Cavicchia, it appears that the same usernames/passwords that are used on the primary T-Mobile login page, https://my.t-mobile.com/Login, can also be used to log into this page. We also get some very valuable information from the affidavit that will help us narrow down how Nick hacked these accounts (the CI is a Confidential Informant who was working with the Secret Service to bring Nick in; Ethics is the semi-ironic pseudonym Nick chose for himself):

    On or about October 19, 2004, Ethics sent a private message to the CI which contained a link that provides unauthorized access to the T-Mobile database. This link allows a user to input a phone number ultimately allowing access to the user's personal information.

This information leads me to believe it was likely a web application attack, not a "traditional" buffer overflow attack against a server storing account information. Although it is possible to perform a buffer overflow against a program by passing input through a web app, we can also read Nick's resume on SecurityFocus, and see that he doesn't seem to have enough experience in that area. Unless he picked up a copy of The Shellcoder's Handbook last year. ;)

To further corroborate that Nick used a web application hack, most likely SQL Injection (a little research shows that the T-Mobile site uses IIS/ASP/SQL Server, which happens to be the easiest and most well documented platform for SQL Injection attacks), we can check out the website and try to put some invalid input into the T-Mobile login page. I was very surprised with the results: we can still put all sorts of crazy input into the login page! It is still vulnerable, even after one of the largest, most well known, and high profile hacks in the last couple of years! Let's try some (notice the error text on the resulting T-Mobile webpage):
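
Added example, not part of the original post and not T-Mobile's code: a Python/SQLite illustration of the class of flaw the post suspects, a phone-number lookup built by string concatenation that echoes database error text to the page, beside a version that validates the input, binds it as a parameter and returns a generic error. The table, sample rows and function names are constructed for illustration.

```python
import re
import sqlite3

# Constructed sample data: a stand-in for a subscriber table (hypothetical schema).
def make_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE subscribers (phone TEXT PRIMARY KEY, name TEXT)")
    db.executemany("INSERT INTO subscribers VALUES (?, ?)",
                   [("2065550101", "Alice Example"), ("2065550102", "Bob Example")])
    return db

def lookup_vulnerable(db, phone):
    """Builds SQL by string concatenation and echoes the raw database error."""
    sql = "SELECT name FROM subscribers WHERE phone = '" + phone + "'"
    try:
        return [row[0] for row in db.execute(sql)]
    except sqlite3.Error as exc:
        return "Database error: %s" % exc   # parser detail leaks to the client

PHONE_RE = re.compile(r"[0-9]{10}")

def lookup_hardened(db, phone):
    """Validates the input, binds it as a parameter, returns a generic error."""
    if not PHONE_RE.fullmatch(phone):
        return "Invalid phone number."
    try:
        return [row[0] for row in db.execute(
            "SELECT name FROM subscribers WHERE phone = ?", (phone,))]
    except sqlite3.Error:
        return "Request could not be processed."   # detail belongs in server logs

def compare(phone):
    """Runs both lookups on a fresh database and returns (vulnerable, hardened)."""
    db = make_db()
    return lookup_vulnerable(db, phone), lookup_hardened(db, phone)

if __name__ == "__main__":
    # Constructed inputs: a valid number, a stray quote, and a quoted tautology.
    for value in ("2065550101", "2065550101'", "x' OR '1'='1"):
        print(repr(value), "->", compare(value))
```

The stray quote is enough to make the concatenating version return database error text, which is the kind of signal the post describes seeing on the login page; the hardened version gives the same generic answer for every malformed input.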

#3 | Omaha Hi/Lo | Join Date: Nov 2003 | Posts: 17,380

that's old news

__________________
Trump haters gonna hate. that's all they can do

#4 | Confirmed User | Join Date: Jun 2002 | Location: austin, tx | Posts: 1,911

NOT exclusive, known about for weeks.

__________________
http://www.flickr.com/photos/zoddler/

#5 | Too lazy to set a custom title | Join Date: Feb 2003 | Posts: 12,240

Exclusive?

__________________
I post on GFY so that when people ask me what I do, I can tell them that I work with the mentally retarded.

#6 | been very busy | Join Date: Nov 2002 | Location: the queen city | Posts: 26,983

stc is the greatest

#7 | Confirmed User | Join Date: Sep 2003 | Location: Los Begas | Posts: 9,162

Quote:

#9 | First African GFY Member | Join Date: Mar 2004 | Location: New Jersey | Posts: 12,114

Guy got some skills though.

#10 | The Profiler | Join Date: Oct 2002 | Location: ICQ 76281726 and I'm female | Posts: 14,618

Quote:
    Originally Posted by brand0n
    STD is the greatest

Quote:

#11 | Registered User | Join Date: Feb 2005 | Posts: 7

loves it

#12 | Too lazy to set a custom title | Join Date: May 2003 | Location: icq: 71462500 Skype: Jupzchris | Posts: 27,880

that is the OLD one from a long time ago
not what just happened

__________________
[email protected]

#13 | Team Player | Join Date: May 2004 | Location: Inside the most accurately counting and reporting affiliate system in the world at XPays.com | Posts: 13,002

tmobile et al need to get better security
Signup To Promote HotelHeiress.com Right Now Exclusively at http://XPays.com UNLIMITED EARNING POTENTIAL

__________________
InterNext Expo Domain Auction Live Now thru Feb 5 HuntingMoon GFY Domains Marketplace is LIVE XPays always pays! Top Site: * RealJasmine.com * + HotelHeiress® with The Paris Hilton Sex Video Insert the HotelHeiress® HD FEED into your members areas XPin.com Opening for Pin Partners Soonish Mainstream Offers For Emailers and Domainers NONADULT.COM Like Us!

#14 | Confirmed User | Join Date: Nov 2004 | Location: ontario | Posts: 2,006

Quote:

#16 | Too lazy to set a custom title | Join Date: Oct 2002 | Location: Global Traveler | Posts: 51,271

That's one cool hacker.

#17 | Confirmed User | Join Date: Feb 2002 | Location: ICQ: 251425 Fr/Au/Ca | Posts: 6,863

old news, it was on slashdot 4 days ago now ;)

#18 | stc is the greatest | Join Date: Dec 2002 | Location: rip sean murray | Posts: 12,403

shut the fuck up

#19 | Too lazy to set a custom title | Join Date: Mar 2004 | Posts: 10,579

welcome to 2 weeks ago

#20 | I am a meat popsicle. | Join Date: Jul 2002 | Posts: 25,100

He'll have a job w/ the CIA/FBI I'm sure.

__________________
HIGHEST PAYOUTS FOR NO-CONSOLE TOURS IN THE ENTIRE INDUSTRY! THIS SIG CAN BE YOURS FOR $200 - ICQ: 78881543

#21 | Confirmed User | Join Date: Jan 2004 | Location: Vienna, Austria | Posts: 648

pretty old

#22 | Confirmed User | Join Date: Jun 2002 | Location: Gold Coast, Australia | Posts: 573

rofl @ exclusive

#23 | Confirmed User | Join Date: Jul 2003 | Location: Los Angeles | Posts: 1,141

that's fucking awesome!!

__________________
Yellow Menace icq# 322981173

#24 | Confirmed User | Join Date: Jan 2005 | Posts: 422

Tmobile are gonna go to town on this guy after the Feds are done with him

__________________
SIG TOO BIG! Maximum 120x60 button and no more than 3 text lines of DEFAULT SIZE and COLOR. Unless your sig is for a GFY top banner sponsor, you may use a 624x80 instead of a 120x60. Let me repeat... A 120 x 60 button and no more that 3 lines of DEFAULT SIZE AND COLOR text.

#25 | Registered User | Join Date: Feb 2005 | Posts: 17,227

I heard it about 2 weeks ago, old :/

__________________
FreeOnes