Jacobsen and T-Mobile Break-in

February 28, 2005

So, how did Nicolas Jacobsen break into T-Mobile's servers from 2003 all the way to 2004? Through a known security hole that T-Mobile neglected to patch. According to this morning's article from Wired:

The Justice Department and the U.S. Secret Service have handled the Jacobsen prosecution with unusual secrecy, and T-Mobile has been tight-lipped on how the hacker penetrated their systems. But two sources close to the case and a hacker friend of Jacobsen's who hosted some of his purloined files all point to the same security hole: a vulnerability discovered in early 2003 in the WebLogic application server produced by San Jose, California, company BEA Systems. Found by researchers at security vendor SPI Dynamics, the WebLogic hole took the form of an undocumented function that allows an attacker to remotely read or replace any file on a system by feeding it a specially-crafted web request. BEA produced a patch for the bug in March 2003 and issued a public advisory rating it a high-severity vulnerability. In July of that year, the hole was spotlighted in a presentation at the Black Hat Briefings convention in Las Vegas. Approximately 1,700 computer security professionals and corporate executives attended that conference, where an SPI Dynamics researcher detailed precisely how to exploit the vulnerability.

Ouch, now that's got to get someone at T-Mobile fired for not keeping up with simple (and high-risk) security updates! T-Mobile had better have changed their IT policies to start keeping up with security patches, because "The attack method is 'kiddy simple,' says Caleb Sima, founder and CTO of SPI Dynamics."