[ISN] How Paris Got Hacked?
InfoSec News
isn at c4i.org
Wed Feb 23 02:06:59 EST 2005
http://www.macdevcenter.com/pub/a/mac/2005/01/01/paris.html
By Brian McWilliams
02/22/2005
Paris Hilton's Chihuahua couldn't protect her Hollywood home from a
burglary last summer. So why was Hilton counting on her dog to protect
her T-Mobile account from intruders?
Despite repeated attacks on her T-Mobile email and telephone records
in recent months, the actress and heiress has persisted in using the
little dog's name as the "secret answer" that guards her password at
the T-Mobile site.
Like many online service providers, T-Mobile.com requires users to
answer a "secret question" if they forget their passwords. For
Hilton's account, the secret question was "What is your favorite pet's
name?" By correctly providing the answer, any internet user could
change Hilton's password and freely access her account.
Hilton makes no secret of her affection for her Chihuahua. Last
August, Hilton offered a reward of $5,000 when her beloved pet
disappeared after the house she shared with sister Nicole was
burglarized.
An anonymous source provided O'Reilly Network with a screen grab,
proving he was able to access the contents of Hilton's T-Mobile inbox
as of Tuesday morning. Another image confirmed that Hilton's "secret
answer" was her dog's name.
Upon being notified Tuesday, T-Mobile corrected the potential security
vulnerability in Hilton's account.
Last weekend, Hilton's T-Mobile online account was accessed by
intruders calling themselves "The Niggas at DFNCTSC." The trespassers
posted the contents of her address book, notes, and photo folder on
the internet.
In January, Hilton reportedly suspected that a "hacker" had access to
her email account and was reading messages there.
It's unclear how those intruders gained access to Hilton's account. A
T-Mobile spokesperson said the company is "actively investigating" the
situation.
Weak passwords are cited as one of the top twenty internet security
vulnerabilities by the SANS Institute.
Account information belonging to Hilton and other T-Mobile users has
been circulating in the computer underground since at least late March
of 2004. A California man named Nicholas Jacobsen has admitted to
hacking into T-Mobile's servers and accessing records on at least 400
customers. (Last week, security professionals openly speculated about
how Jacobsen gained access to the wireless provider's internal
systems.)
According to court papers, Jacobsen, who used the online alias Ethics,
offered to sell the stolen information on an online message board on
March 15, 2004. Jacobsen also apparently provided excerpts of the data
to friends and colleagues.
A log file of a March 2004 instant-message conversation apparently
between Ethics and an associate includes a section containing Hilton's
T-Mobile phone number, password, social security number, and other
confidential information.
Password hint systems like the one used by T-Mobile are common on the
internet. Online service providers including the MSN Hotmail service
have encountered security breaches involving attackers correctly
answering "secret questions" and then locking victims out of their
accounts.
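The reset flow described above (answer the secret question, change the
password) and the breaches this paragraph mentions share one design
flaw: the answer alone is the whole proof of identity. The model below
is an added illustration, not T-Mobile's or Hotmail's code, and uses a
constructed pet name as the answer; it contrasts that weak flow with a
hardened one where a correct answer only unlocks an out-of-band
confirmation token, and repeated wrong answers lock the flow.

```python
import hashlib
import hmac
import secrets
import unicodedata


def normalize(answer: str) -> str:
    """Fold case and whitespace so 'Tinkerbell ' and 'tinkerbell' match."""
    return unicodedata.normalize("NFKC", answer).strip().casefold()


def hash_answer(answer: str, salt: bytes) -> bytes:
    """Store the secret answer the way a password is stored, never in clear."""
    return hashlib.pbkdf2_hmac("sha256", normalize(answer).encode(), salt, 50_000)


class RecoveryFlow:
    """Password reset gated by a 'secret question' (hypothetical model)."""

    MAX_ATTEMPTS = 3  # lock out after this many wrong answers

    def __init__(self, answer: str, require_out_of_band: bool):
        self.salt = secrets.token_bytes(16)
        self.answer_hash = hash_answer(answer, self.salt)
        self.require_out_of_band = require_out_of_band
        self.failed = 0
        self.locked = False
        self.pending_token = None

    def submit_answer(self, guess: str) -> str:
        """Return 'reset', 'token_sent', 'wrong' or 'locked'."""
        if self.locked:
            return "locked"
        if not hmac.compare_digest(hash_answer(guess, self.salt), self.answer_hash):
            self.failed += 1
            if self.failed >= self.MAX_ATTEMPTS:
                self.locked = True
            return "wrong"
        if self.require_out_of_band:
            # Hardened: a right answer only triggers a token to the registered
            # device; the reset happens in confirm_token, not here.
            self.pending_token = secrets.token_urlsafe(16)
            return "token_sent"
        return "reset"  # weak flow: a guessable fact is enough to take over

    def confirm_token(self, token: str) -> str:
        """Complete the hardened reset with the token the user received."""
        if self.pending_token and hmac.compare_digest(token, self.pending_token):
            self.pending_token = None
            return "reset"
        return "denied"
```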
T-Mobile representatives said Hilton uses a Sidekick II, a
communication device that offers wireless telephone and internet
access as well as a built-in flash camera.
-=-
Brian McWilliams is the author of Spam Kings and is an investigative
journalist who has covered business and technology for web magazines
including Wired News and Salon, as well as the Washington Post and PC
World, Computerworld, and Inc. magazines.