[ISN] Paris Hilton Hack Started With Old-Fashioned Con

[InfoSec News]

http://www.washingtonpost.com/wp-dyn/content/article/2005/05/19/AR2005051900711.html

By Brian Krebs
washingtonpost.com Staff Writer
May 19, 2005

The caper had all the necessary ingredients to spark a media firestorm
-- a beautiful socialite-turned-reality TV star, embarrassing
photographs and messages, and the personal contact information of
several young music and Hollywood celebrities.

When hotel heiress Paris Hilton found out in February that her
high-tech wireless phone had been taken over by hackers, many assumed
that only a technical mastermind could have pulled off such a feat.  
But as it turns out, a hacker involved in the privacy breach said, the
Hilton saga began on a decidedly low-tech note -- with a simple phone
call.

Computer security flaws played a role in the attack, which exploited a
programming glitch in the Web site of Hilton's cell phone provider,
Bellevue, Wash.-based T-Mobile International. But one young hacker who
claimed to have been involved in the data theft said the crime only
succeeded after one member of a small group of hackers tricked a
T-Mobile employee into divulging information that only employees are
supposed to know.

The young hacker described the exploit during online text
conversations with a washingtonpost.com reporter and provided other
evidence supporting his account, including screen shots of what he
said were internal T-Mobile computer network pages. Washingtonpost.com
is not revealing the hacker's identity because he is a juvenile crime
suspect and because he communicated with the reporter on the condition
that he not be identified either directly or through his online alias.

A senior law enforcement official involved in the case said
investigators believe the young hacker's group carried out the Paris
Hilton data theft and was also involved in illegally downloading
thousands of personal records from database giant LexisNexis Inc. The
source asked not to be identified because of his role in this and
other ongoing investigations.

A third source, a woman who has communicated with the hacker group's
members for several years, also confirmed key portions of the young
hacker's story and said she saw images and other information
downloaded from Hilton's T-Mobile account hours before they were
released on several Web sites.

T-Mobile declined to comment on the details of the hacker's account of
the Paris Hilton incident, saying through a spokesman that the company
cannot discuss an ongoing investigation. The spokesman said the
company "will work with federal law enforcement agencies to
investigate and prosecute anyone that attempts to gain unauthorized
access to T-Mobile systems."


Getting Access

In the months leading up to the Hilton incident, the hacker group
freely exploited a security glitch in the Web site of wireless phone
giant T-Mobile, according to the hacker, who described himself as the
youngest member of the group. The group had found that a tool on the
T-Mobile site that allowed users to reset their account passwords
contained a key programming flaw.

By exploiting the flaw, the group's members were able to gain access
to the account of any T-Mobile subscriber who used a "Sidekick," a
pricey phone-organizer-camera combination device that stores videos,
photos and other data on T-Mobile's central computer servers.

The hackers could only exploit the Web site vulnerability if they
actually knew a Sidekick user's phone number. The loose-knit group had
grown bored of using the flaw to toy with friends and acquaintances
who owned Sidekicks and decided to find a high-profile target, one
that would ensure their exploits were reported in the press, the young
hacker said. They ultimately settled on Hilton, in part because they
knew she owned a Sidekick; Hilton had previously starred in a
commercial advertising the device.

The group's members --- who range in age from their mid-teens to early
20s -- include a handful of "AOLers," a term used in hacker circles to
describe youths who honed their skills over the years by tampering
with various portions of the network run by Dulles, Va.-based America
Online Inc. Four members of the group have all met face-to-face, but
as with most hacking groups, the majority of their day-to-day
interactions took place online.

Before gaining access to Hilton's wireless phone account, the group
had spent a year studying weaknesses in T-Mobile's Web sites. The
group member interviewed for this story had already written a simple
computer program that could reset the password for any T-Mobile user
whose phone number the hackers knew.

According to the young hacker's account, the Hilton caper started the
afternoon of Feb. 19, when a group member rang a T-Mobile sales store
in a Southern California coastal town posing as a supervisor from
T-Mobile inquiring about reports of slowness on the company's internal
networks.

The conversation -- which represents the recollection of the hacker
interviewed by washingtonpost.com -- began with the 16-year-old caller
saying, "This is [an invented name] from T-Mobile headquarters in
Washington. We heard you've been having problems with your customer
account tools?"

The sales representative answered, "No, we haven't had any problems
really, just a couple slowdowns. That's about it."

Prepared for this response, the hacker pressed on: "Yes, that's what
is described here in the report. We're going to have to look into this
for a quick second."

The sales rep acquiesced: "All right, what do you need?"

When prompted, the employee then offered the Internet address of the
Web site used to manage T-Mobile's customer accounts -- a
password-protected site not normally accessible to the general public
-- as well as a user name and password that employees at the store
used to log on to the system.

To support his story, the hacker provided washingtonpost.com with an
image of a page he said was from the protected site. T-Mobile declined
to comment on the screenshot, and washingtonpost.com has no way to
verify its authenticity.


Inside the Walls

The hackers accessed the internal T-Mobile site shortly thereafter and
began looking up famous names and their phone numbers. At one point,
the youth said, the group harassed Laurence Fishburne, the actor
perhaps best known for his role in the "Matrix" movies as Morpheus,
captain of the futuristic ship Nebuchadnezzar.

"We called him up a few times and said, 'GIVE US THE SHIP!'" the youth
typed in one of his online chats with a reporter. "He picked up a
couple times and kept saying stuff like YOUR ILLEGALLY CALLING ME."

Later, using their own Sidekick phone, the hackers pulled up the
secure T-Mobile customer records site, looked up Hilton's phone number
and reset the password for her account, locking her out of it. Typical
wireless devices can only be hacked into by someone physically nearby,
but a Sidekick's data storage can be accessed from anywhere in
T-Mobile's service area by someone with control of the account. That
means the hackers were at that point able to download all of her
stored video, text and data files to their phone.

"As soon as I went into her camera and saw nudes my head went
JACKPOT," the young hacker recalled of his reaction to first seeing
the now-public photos of a topless Hilton locked in an intimate
embrace with a female friend. "I was like, HOLY [expletive] DUDE ...  
SHES GOT NUDES. THIS [expletive]'s GONNA HIT THE PRESS SO [expletive]
QUICK."

The hackers set up a conference call and agreed to spread the news to
several friends, all the while plotting ways to get the photos up on
various Web sites. Kelly Hallissey, a 41-year-old New York native who
has been in contact with the group of hackers for several years, said
the group's members showed her evidence that they had gained access to
Hilton's phone during these early hours -- before the images made
their way online.

By early Feb. 20, the pictures, private notes and contact listings
from Hilton's phone account -- including phone numbers of celebrities
such as Cristina Aguilera, Eminem, Anna Kournikova and Vin Diesel --
had appeared on GenMay.com (short for General Mayhem), an eclectic,
no-holds-barred online discussion forum.

Within hours of the GenMay posting, Hilton's information was published
on Illmob.org, a Web site run by 27-year-old William Genovese of
Meriden, Conn., known online as "illwill." (The FBI charged Genovese
in November with selling bits of stolen source code for Microsoft
Windows 2000 and Windows NT operating systems.) By Monday morning,
dozens of news sites and personal Web logs had picked up the story,
with many linking to the illmob.org post or mirroring the purloined
data on their own.

Hallissey, who describes herself as a kind of "den mom" to a cadre of
budding hackers, confirmed that the teenage source has been engaged in
various hacking activities for several years. Hallissey met a slew of
the hacker group's members after a three-year stint during the 1990s
as one of thousands of people who helped AOL maintain its online
content in exchange for free Internet access and various other perks.  
Hallissey has since joined a still-active wage lawsuit against AOL and
maintains www.observers.net, a Web site critical of the Dulles-based
company.

Hallissey said her sense of privacy has been erased gradually over the
past two years as a result of her association with a number of AOLers
who playfully bragged to her about their success with social
engineering. They showed her online screen shots of her water, gas and
electric bills, her Social Security number, credit card balances and
credit ratings, pictures of her e-mail inbox, as well as all of her
previous addresses, including those of her children.

"This was all done not by skilled 'hackers' but by kids who managed to
'social' their way into a company's system and gain access to it
within one or two phone calls," said Hallissey, who asked that her
current place of residence not be disclosed. "Major corporations have
made social engineering way too easy for these kids. In their call
centers they hire low-pay employees to man the phones, give them a
minimum of training, most of which usually dwells on call times,
canned scripts and sales. This isn't unique to T-Mobile or AOL. This
has become common practice for almost every company."

AOL officials declined to comment about the young hacker or other
"AOLers" for this story.


The Weakest Link

Security experts say the raiding of Hilton's wireless account
highlights one of the most serious security challenges facing
corporations -- teaching employees to be watchful for "social
engineering," the use of deception to trick people into giving away
sensitive data, usually over the phone.

In his book "The Art of Deception," notorious ex-hacker Kevin Mitnick
says major corporations spend millions of dollars each year on new
technologies to keep out hackers and viruses, yet few dedicate
significant resources to educating employees about the dangers of
old-fashioned con artistry.

"The average $10-an-hour sales clerk or call-center employee will tell
you anything you want, including passwords," Mitnick said in a
telephone interview. "These people are usually not well-trained, but
they also interact with people to sell products and services, so they
tend to be more customer-friendly and cooperative."

During his highly publicized hacking career in the 1990s, Mitnick --
who spent four years in prison and now works as a computer security
consultant -- broke into the computer networks of some of the top
companies in the technology and telecommunications industries, but
rarely targeted computers systems directly.

Rather, he phoned employees and simply asked them for user names,
passwords or other "insider" data that he could use to sound more
authentic in future phone inquiries. "This kind of thing works with
just about every mobile carrier," Mitnick said.

He said all of the major wireless carriers -- not just T-Mobile -- are
popular targets for social engineering attacks. Mitnick said he knows
private investigators who routinely obtain phone records of people
they are investigating by calling a sales office at the target's
wireless carrier and pretending to be an employee from another sales
office.

Mitnick described how an investigator will claim to have the customer
they're investigating in the store, but can't access their data
because of computer trouble. Then the investigator asks the sales
representative at the other store to look up that person's password,
account number and Social Security number. In many cases the employee
provides the information without verifying the caller's identity.  
Armed with that data, he said, investigators usually can create an
account at the wireless provider's Web site and pull all of the
target's phone records.

Large organizations that maintain numerous branches around the country
are especially susceptible to social engineering attacks, said Peter
Stewart, president of Baton Rouge, La.-based Trace Security, a company
that is hired to test the physical and network security for some of
the most paranoid companies in the world: banks.

More often than not, Stewart says, his people can talk their way into
employee-only areas of banks by pretending to be a repairman or just
another employee. In most cases, the break-in attempts are aided by
information gleaned over the phone.

"Usually your corporate headquarters are more stringent and things get
more lax the further away from there you get," Stewart said. "The
larger you are as a company the more likely it is that you're not
going to know everyone by name, and lots of companies have no policy
in place of verifying who's calling you and how to respond to that
person."


'Web Security 101'

Social engineering can be difficult to counter, but the now-infamous
Paris Hilton attack follows other recent serious T-Mobile security
breaches engineered by hackers.

On Feb. 15, Nicolas Jacobsen, 22, of Santa Ana, Calif., pleaded guilty
to compromising a T-Mobile Web server that granted access to hundreds
of wireless accounts. He faces a maximum of five years in jail and a
$250,000 fine at a sentencing hearing originally scheduled for
mid-May.

Jacobsen was arrested last fall by the U.S. Secret Service as part of
a large-scale investigation into an international online credit card
fraud ring. According to court records, Jacobsen had hijacked hundreds
of T-Mobile accounts, including a mobile phone belonging to a
then-active Secret Service agent. Jacobsen had posted to an online
bulletin board that he could be hired to look up the name, Social
Security number, birth date, and voice-mail and e-mail passwords of
any T-Mobile subscriber.

T-Mobile later alerted 400 customers that their e-mails, phone records
and other data had been compromised as a result of that break-in.

The court files don't give details about how it happened, but Jack
Koziol, a senior instructor for the Oak Park, Ill.-based InfoSec
Institute, said the intruder likely took advantage of security flaws
in the company's Web servers. Koziol conducted an informal audit of
T-Mobile's site in March and uncovered hundreds of pages run by Web
servers vulnerable to well-known security flaws, he said.

"It's pretty amazing how poorly secured their Web properties are,"  
said Koziol, whose company offers training to corporate, law
enforcement and government clients on the latest techniques and
tactics used by hackers. "Most of these flaws are simple Web Security
101, stuff you'd learn about in the first few chapters of a basic book
on how to secure Web applications."

T-Mobile officials declined to say what steps they took to close the
security holes identified by the Hilton hackers or how many other
accounts may have been hijacked.

"T-Mobile has invested millions of dollars to protect our customers'
information, and we continue to reinforce our systems to address the
security needs of our subscribers," company spokesman Peter Dobrow
wrote in an e-mail. "For our customers' protection, we do not publicly
disclose the specific actions taken to reinforce our systems."