[ISN] Known Hole Aided T-Mobile Breach
InfoSec News
isn at c4i.org
Tue Mar 1 04:47:49 EST 2005
http://www.wired.com/news/privacy/0,1848,66735,00.html
By Kevin Poulsen
Feb. 28, 2005
An intrusion into T-Mobile's servers that compromised customer
records, sensitive government documents, private e-mail and candid
celebrity photos last year occurred because the wireless giant failed
to patch a known security hole in a commercial software package, Wired
News has learned.
In a sealed plea agreement with prosecutors, Nicolas Jacobsen, 22,
pleaded guilty on February 15 in federal court in Los Angeles to a
single felony charge of intentionally gaining access to a protected
computer and recklessly causing damage. His cybercrime spree in
T-Mobile's network began in late 2003, and didn't end until his arrest
last fall.
Jacobsen's victims last year included Paris Hilton, a conspicuous
T-Mobile Sidekick user. But the hacker is not known to be connected to
a new intrusion last week that scattered Hilton's private files across
the Internet.
The Justice Department and the U.S. Secret Service have handled the
Jacobsen prosecution with unusual secrecy, and T-Mobile has been
tight-lipped on how the hacker penetrated its systems. But two
sources close to the case and a hacker friend of Jacobsen's who hosted
some of his purloined files all point to the same security hole: a
vulnerability discovered in early 2003 in the WebLogic application
server produced by San Jose, California, company BEA Systems.
Found by researchers at security vendor SPI Dynamics, the WebLogic
hole took the form of an undocumented function that allows an attacker
to remotely read or replace any file on a system by feeding it a
specially-crafted web request. BEA produced a patch for the bug in
March 2003 and issued a public advisory rating it a high-severity
vulnerability.
In July of that year, the hole was spotlighted in a presentation at
the Black Hat Briefings convention in Las Vegas. Approximately 1,700
computer security professionals and corporate executives attended that
conference, where an SPI Dynamics researcher detailed precisely how to
exploit the vulnerability.
The attack method is "kiddy simple," says Caleb Sima, founder and CTO
of SPI Dynamics. "All you have to do is add a special header with the
request, with special commands at the end of it, and that's it."
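As an added illustration of the bug class described above (this is not BEA's or WebLogic's code, and not the real WebLogic exploit: the article does not give the actual header name or command syntax, so both are invented here), the following Python toy models an application server that honours an undocumented file-command header on any request, next to a hardened handler that ignores the header and serves only files under its document root:

```python
"""Toy model of the bug class in the article: an application server that
honours an undocumented file-command header in any HTTP request, next to the
hardened handler that does not. Added example; not BEA/WebLogic code, and the
header name and command syntax are invented for illustration."""
import os
import tempfile

# Hypothetical header name. The article only says "a special header with the
# request, with special commands at the end of it"; the real name is not given.
CMD_HEADER = "x-file-command"


def _serve_static(url_path: str, docroot: str) -> bytes:
    """Documented behaviour: serve a file under docroot, refusing anything that
    canonicalises outside it (covers ../ and symlink tricks)."""
    root = os.path.realpath(docroot)
    target = os.path.realpath(os.path.join(root, url_path.lstrip("/")))
    if target != root and not target.startswith(root + os.sep):
        return b"403 Forbidden"
    if not os.path.isfile(target):
        return b"404 Not Found"
    with open(target, "rb") as f:
        return f.read()


def handle_request_vulnerable(url_path: str, headers: dict, docroot: str) -> bytes:
    """Same as the hardened handler, plus an undocumented function: if the
    command header is present, read or replace *any* file the server process
    can reach, with no authentication and no path restriction."""
    cmd = headers.get(CMD_HEADER)
    if cmd is not None:
        op, _, rest = cmd.partition(" ")
        if op == "read":
            with open(rest, "rb") as f:
                return f.read()
        if op == "replace":
            path, _, data = rest.partition(" ")
            with open(path, "wb") as f:
                f.write(data.encode())
            return b"200 replaced"
        return b"400 Bad Request"
    return _serve_static(url_path, docroot)


def handle_request_hardened(url_path: str, headers: dict, docroot: str) -> bytes:
    """Patched handler: unknown headers are ignored, only the docroot is served."""
    return _serve_static(url_path, docroot)


def demo() -> dict:
    """Drive both handlers against a throwaway docroot and a 'secret' outside it.
    All files here are constructed for the demo."""
    base = tempfile.mkdtemp()
    docroot = os.path.join(base, "docroot")
    os.mkdir(docroot)
    secret = os.path.join(base, "secret.txt")  # stands in for a config/db file
    with open(secret, "w") as f:
        f.write("db-password")
    with open(os.path.join(docroot, "index.html"), "w") as f:
        f.write("<h1>welcome</h1>")

    out = {}
    out["normal"] = handle_request_vulnerable("/index.html", {}, docroot)
    # The attack: an ordinary-looking request plus one header.
    out["vuln_read"] = handle_request_vulnerable(
        "/index.html", {CMD_HEADER: f"read {secret}"}, docroot)
    handle_request_vulnerable(
        "/index.html", {CMD_HEADER: f"replace {secret} pwned"}, docroot)
    with open(secret) as f:
        out["secret_after_replace"] = f.read()
    # Hardened: the header does nothing, and traversal to the same file is refused.
    out["hard_header"] = handle_request_hardened(
        "/index.html", {CMD_HEADER: f"read {secret}"}, docroot)
    out["hard_traversal"] = handle_request_hardened("/../secret.txt", {}, docroot)
    return out


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

Run it and the vulnerable handler hands back the file outside the docroot and then overwrites it, while the hardened handler returns the index page regardless of the header and refuses the traversal path. The reviewer's point is that the dangerous code path sits on the same listener as ordinary customer traffic and needs no credentials; the fix removes the function rather than trying to gate it.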
Jacobsen learned of the WebLogic hole from the advisory, crafted his
own 20-line exploit in Visual Basic, then began digging around the
internet for potential targets who had failed to install the patch,
the sources say. By October 2003, he'd hit pay dirt at T-Mobile, where
he used the exploit to gain a foothold in the company's systems. He
then wrote his own front-end to the customer database to which he
could return at his convenience.
"He eventually made his own interface," says William Genovese, a
friend of Jacobsen's in the hacking community, who is currently facing
unrelated charges for allegedly selling a copy of leaked source code
for portions of Microsoft's Windows 2000 and Windows NT operating
systems for $20.
According to court records, Jacobsen continued to enjoy illicit access
to T-Mobile systems until his arrest in October 2004 -- more than 18
months after the WebLogic vulnerability was first made public. The
hacker had access to T-Mobile customer passwords, Social Security
numbers, dates-of-birth and other information, which he offered to
make available to fraudsters and identity thieves over an online web
forum.
Additionally, Jacobsen used passwords stolen from the database to read
T-Mobile customers' e-mail, including that of a U.S. Secret Service
agent. Sources close to the case say the hacker also downloaded candid
photos taken by Sidekick users, including images of celebrities Demi
Moore, Ashton Kutcher, Nicole Richie and Paris Hilton, which until
recently could be found on a webpage hosted by Genovese.
A phone call to Jacobsen's lawyer went unreturned last week.
T-Mobile says it has notified 400 customers that their data was
leaked, and continues to investigate the case. But the company said
last week it couldn't comment on its vulnerabilities or patching
policies without placing customers at further risk.
"We will not publicly discuss specifics of our systems, or attempts to
gain access to our systems, for the protection of our customers and
their data," spokesman Peter Dobrow wrote in an e-mail. Dobrow claims
the company has closed the holes that Jacobsen exploited. "As part of
our security efforts, safeguards are in place to prevent illegal
access similar to Jacobsen's activity," he wrote.
BEA failed to return repeated phone calls on the WebLogic
vulnerability and its role in the T-Mobile hacks.
Jacobsen's hacks were neither the first nor the last consumer privacy
problem at T-Mobile. Last year, the company faced criticism for giving
cell phone users a default voice mail configuration that leaves them
open to Caller I.D.-spoofing snoops -- an issue that lingers today.
And last week a copycat hacker penetrated Paris Hilton's T-Mobile
Sidekick account a second time, posting the hotel chain heiress'
electronic memo pad, address book and a new batch of private photos on
the web. The company's security thus became the unlikely topic of
tabloid media interest.
In a press release Saturday, T-Mobile chief operating officer Sue
Swenson said the company takes its customers' privacy seriously.
"We are aggressively investigating the illegal dissemination of
information over the internet of T-Mobile customers' personal data,"
said Swenson. The press release made no mention of T-Mobile's failure
to secure its systems, but encouraged customers to be more careful
with their passwords.