[ISN] How Paris Got Hacked?

From: InfoSec News (isn@private)
Date: Tue Feb 22 2005 - 23:06:59 PST


http://www.macdevcenter.com/pub/a/mac/2005/01/01/paris.html

By Brian McWilliams
02/22/2005 

Paris Hilton's Chihuahua couldn't protect her Hollywood home from a 
burglary last summer. So why was Hilton counting on her dog to protect 
her T-Mobile account from intruders? 

Despite repeated attacks on her T-Mobile email and telephone records 
in recent months, the actress and heiress has persisted in using the 
little dog's name to secure her password at the T-Mobile site. 

Like many online service providers, T-Mobile.com requires users to 
answer a "secret question" if they forget their passwords. For 
Hilton's account, the secret question was "What is your favorite pet's 
name?" By correctly providing the answer, any internet user could 
change Hilton's password and freely access her account. 

Hilton makes no secret of her affection for her Chihuahua. Last 
August, Hilton offered a reward of $5,000 when her beloved pet 
disappeared after the house she shared with sister Nicole was 
burglarized. 

An anonymous source provided O'Reilly Network with a screen grab, 
proving he was able to access the contents of Hilton's T-Mobile inbox 
as of Tuesday morning. Another image confirmed that Hilton's "secret 
answer" was her dog's name. 

Upon being notified Tuesday, T-Mobile corrected the potential security 
vulnerability in Hilton's account. 

Last weekend, Hilton's T-Mobile online account was accessed by 
intruders calling themselves "The Niggas at DFNCTSC." The trespassers 
posted the contents of her address book, notes, and photo folder on 
the internet. 

In January, Hilton reportedly suspected that a "hacker" had access to 
her email account and was reading messages there. 

It's unclear how those intruders gained access to Hilton's account. A 
T-Mobile spokesperson said the company is "actively investigating" the 
situation. 

Weak passwords are cited as one of the top twenty internet security 
vulnerabilities by the SANS Institute. 

Account information belonging to Hilton and other T-Mobile users has 
been circulating in the computer underground since at least late March 
of 2004. A California man named Nicholas Jacobsen has admitted to 
hacking into T-Mobile's servers and accessing records on at least 400 
customers. (Last week, security professionals openly speculated about 
how Jacobsen gained access to the wireless provider's internal 
systems.) 

According to court papers, Jacobsen, who used the online alias Ethics, 
offered to sell the stolen information on an online message board on 
March 15, 2004. Jacobsen also apparently provided excerpts of the data 
to friends and colleagues. 

A log file of a March 2004 instant-message conversation apparently 
between Ethics and an associate includes a section containing Hilton's 
T-Mobile phone number, password, social security number, and other 
confidential information. 

Password hint systems like the one used by T-Mobile are common on the 
internet. Online service providers including the MSN Hotmail service 
have encountered security breaches involving attackers correctly 
answering "secret questions" and then locking victims out of their 
accounts. 
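The two reset designs described above, as an added illustration that is not part of the article or of any T-Mobile system: a flow in which the secret answer alone changes the password, beside a hardened flow that treats the answer only as the first step, requires a one-time code delivered over a registered out-of-band channel, and locks after repeated wrong answers. The pet name, the delivery callable and the function names are all constructed for the example.

```python
import hashlib
import hmac
import secrets

def _digest(answer):
    # Normalise case and whitespace so "Fluffy " and "fluffy" compare equal, then hash.
    return hashlib.sha256(answer.strip().lower().encode()).hexdigest()

def weak_reset(answer_digest, guess, new_password):
    """The flow the article describes: a correct secret answer alone yields a new password."""
    if hmac.compare_digest(answer_digest, _digest(guess)):
        return new_password  # the caller has just set the account password
    return None

class HardenedReset:
    """The answer only starts the flow: a code sent out of band is also required, and wrong answers lock it."""
    MAX_FAILURES = 3

    def __init__(self, answer, deliver):
        self._answer = _digest(answer)
        self._deliver = deliver  # e.g. SMS to the registered handset; any callable here
        self._code, self.failures = None, 0
        self.password = "original-password"

    def request(self, guess):
        if self.failures >= self.MAX_FAILURES:
            return False  # locked, so repeated guessing does not help either
        if not hmac.compare_digest(self._answer, _digest(guess)):
            self.failures += 1
            return False
        self._code = secrets.token_urlsafe(8)
        self._deliver(self._code)  # never returned to the web caller
        return True

    def complete(self, code, new_password):
        if self._code is None or not hmac.compare_digest(self._code, code):
            return False
        self._code, self.failures = None, 0
        self.password = new_password
        return True

def demo():
    pet = "fluffy"  # constructed stand-in for a publicly known pet name
    channel = []  # stands in for the registered out-of-band delivery channel
    hard = HardenedReset(pet, channel.append)
    return {
        "weak_takeover": weak_reset(_digest(pet), pet, "attacker-chosen") == "attacker-chosen",
        "answer_only": hard.request(pet) and hard.complete("guessed", "attacker-chosen"),
        "answer_plus_channel": hard.complete(channel[-1], "owner-chosen"),
    }
```

In the hardened flow a correct answer on its own changes nothing; only the holder of the registered channel can finish the reset, and three wrong answers refuse even the correct one.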

T-Mobile representatives said Hilton uses a Sidekick II, a 
communication device that offers wireless telephone and internet 
access as well as a built-in flash camera. 


-=-

Brian McWilliams is the author of Spam Kings and is an investigative 
journalist who has covered business and technology for web magazines 
including Wired News and Salon, as well as the Washington Post and PC 
World, Computerworld, and Inc. magazines. 


