Paris Hilton Hack Started With Old-Fashioned Con
By early Feb. 20, the pictures, private notes and contact listings from Hilton's phone account -- including phone numbers of celebrities such as Christina Aguilera, Eminem, Anna Kournikova and Vin Diesel -- had appeared on GenMay.com (short for General Mayhem), an eclectic, no-holds-barred online discussion forum.
Within hours of the GenMay posting, Hilton's information was published on Illmob.org, a Web site run by 27-year-old William Genovese of Meriden, Conn., known online as "illwill." (The FBI charged Genovese in November with selling bits of stolen source code for Microsoft Windows 2000 and Windows NT operating systems.) By Monday morning, dozens of news sites and personal Web logs had picked up the story, with many linking to the illmob.org post or mirroring the purloined data on their own.
Hallissey, who describes herself as a kind of "den mom" to a cadre of budding hackers, confirmed that the teenage source has been engaged in various hacking activities for several years. Hallissey met a slew of the hacker group's members after a three-year stint during the 1990s as one of thousands of people who helped AOL maintain its online content in exchange for free Internet access and various other perks. Hallissey has since joined a still-active wage lawsuit against AOL and maintains www.observers.net, a Web site critical of the Dulles-based company.
Hallissey said her sense of privacy has been erased gradually over the past two years as a result of her association with a number of AOLers who playfully bragged to her about their success with social engineering. They showed her online screen shots of her water, gas and electric bills, her Social Security number, credit card balances and credit ratings, pictures of her e-mail inbox, as well as all of her previous addresses, including those of her children.
"This was all done not by skilled 'hackers' but by kids who managed to 'social' their way into a company's system and gain access to it within one or two phone calls," said Hallissey, who asked that her current place of residence not be disclosed. "Major corporations have made social engineering way too easy for these kids. In their call centers they hire low-pay employees to man the phones, give them a minimum of training, most of which usually dwells on call times, canned scripts and sales. This isn't unique to T-Mobile or AOL. This has become common practice for almost every company."
AOL officials declined to comment about the young hacker or other "AOLers" for this story.
The Weakest Link
Security experts say the raiding of Hilton's wireless account highlights one of the most serious security challenges facing corporations -- teaching employees to be watchful for "social engineering," the use of deception to trick people into giving away sensitive data, usually over the phone.
In his book "The Art of Deception," notorious ex-hacker Kevin Mitnick says major corporations spend millions of dollars each year on new technologies to keep out hackers and viruses, yet few dedicate significant resources to educating employees about the dangers of old-fashioned con artistry.
"The average $10-an-hour sales clerk or call-center employee will tell you anything you want, including passwords," Mitnick said in a telephone interview. "These people are usually not well-trained, but they also interact with people to sell products and services, so they tend to be more customer-friendly and cooperative."
During his highly publicized hacking career in the 1990s, Mitnick -- who spent four years in prison and now works as a computer security consultant -- broke into the computer networks of some of the top companies in the technology and telecommunications industries, but rarely targeted computer systems directly.
Rather, he phoned employees and simply asked them for user names, passwords or other "insider" data that he could use to sound more authentic in future phone inquiries. "This kind of thing works with just about every mobile carrier," Mitnick said.
He said all of the major wireless carriers -- not just T-Mobile -- are popular targets for social engineering attacks. Mitnick said he knows private investigators who routinely obtain phone records of people they are investigating by calling a sales office at the target's wireless carrier and pretending to be an employee from another sales office.
Mitnick described how an investigator will claim to have the customer they're investigating in the store, but can't access their data because of computer trouble. Then the investigator asks the sales representative at the other store to look up that person's password, account number and Social Security number. In many cases the employee provides the information without verifying the caller's identity. Armed with that data, he said, investigators usually can create an account at the wireless provider's Web site and pull all of the target's phone records.
Large organizations that maintain numerous branches around the country are especially susceptible to social engineering attacks, said Peter Stewart, president of Baton Rouge, La.-based Trace Security, a company that is hired to test the physical and network security for some of the most paranoid companies in the world: banks.
More often than not, Stewart says, his people can talk their way into employee-only areas of banks by pretending to be a repairman or just another employee. In most cases, the break-in attempts are aided by information gleaned over the phone.
"Usually your corporate headquarters are more stringent and things get more lax the further away from there you get," Stewart said. "The larger you are as a company the more likely it is that you're not going to know everyone by name, and lots of companies have no policy in place of verifying who's calling you and how to respond to that person."
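The pretext Mitnick describes above (a "colleague" from another store, with a customer supposedly at the counter and a broken terminal, asking a rep to read back a password, account number and Social Security number) succeeds because, as Stewart notes, many companies have no rule for verifying who is calling. The following Python sketch is an added illustration written for this page; it is not T-Mobile's process nor any carrier's real tooling. It models the minimal policy a call center could enforce: fields classed as secrets are never read out over the phone, and anything else is released only after the rep hangs up and calls the requester back on the extension held in the company's own directory, never on a number the caller supplies. The directory entries, employee ids and field names are constructed sample data.

```python
"""Caller-verification policy for an internal account-lookup request.

Added example, not from the article. Encodes two rules:
  1. Secret fields (password, SSN, security answer) are never disclosed
     by phone, whatever identity the caller claims.
  2. Any other internal field is released only after a callback to the
     extension listed in the company directory for the claimed employee;
     the number the caller offers is ignored for verification purposes.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from enum import Enum


class Decision(Enum):
    DENY = "deny"
    CALLBACK_REQUIRED = "callback_required"
    ALLOW = "allow"


# Fields that are never read out over the phone, regardless of who asks.
NEVER_DISCLOSE = frozenset({"password", "ssn", "security_answer"})

# Constructed sample directory: employee id -> extension on record.
# Real deployments would back this with the HR/identity system.
DIRECTORY = {"E1001": "4121", "E1002": "4130"}


@dataclass
class Request:
    claimed_employee_id: str      # who the caller says they are
    caller_supplied_number: str   # where the caller asks to be reached
    fields: set[str]              # customer fields being requested
    pretext_noted: bool = False   # e.g. "customer is here, my system is down"


@dataclass
class Outcome:
    decision: Decision
    releasable: set[str] = field(default_factory=set)  # may be released after callback
    disclosed: set[str] = field(default_factory=set)   # actually released
    callback_to: str | None = None                     # directory extension to dial
    reasons: list[str] = field(default_factory=list)


def evaluate(req: Request) -> Outcome:
    """First-stage decision taken while the caller is still on the line."""
    reasons: list[str] = []
    secret = req.fields & NEVER_DISCLOSE
    if secret:
        reasons.append(f"refused {sorted(secret)}: never disclosed by phone")
    releasable = set(req.fields) - NEVER_DISCLOSE
    if req.pretext_noted:
        reasons.append("urgency/outage pretext recorded for supervisor review")
    if not releasable:
        return Outcome(Decision.DENY, reasons=reasons)

    extension = DIRECTORY.get(req.claimed_employee_id)
    if extension is None:
        reasons.append(f"claimed employee {req.claimed_employee_id} not in directory")
        return Outcome(Decision.DENY, reasons=reasons)

    if req.caller_supplied_number != extension:
        reasons.append(
            f"caller offered {req.caller_supplied_number}; callback goes to directory extension {extension}"
        )
    # Nothing is released yet: the rep must hang up and dial `extension`.
    return Outcome(Decision.CALLBACK_REQUIRED, releasable=releasable,
                   callback_to=extension, reasons=reasons)


def confirm_callback(pending: Outcome, reached_extension: str) -> Outcome:
    """Second stage: the rep dialled the directory number and reached someone.

    Only a callback that lands on the directory extension releases the fields.
    """
    if pending.decision is not Decision.CALLBACK_REQUIRED:
        return pending
    if reached_extension != pending.callback_to:
        return Outcome(Decision.DENY, reasons=pending.reasons + [
            f"callback reached {reached_extension}, expected {pending.callback_to}"])
    return Outcome(Decision.ALLOW, releasable=pending.releasable,
                   disclosed=set(pending.releasable), callback_to=pending.callback_to,
                   reasons=pending.reasons + ["identity confirmed via directory callback"])


if __name__ == "__main__":
    # The scenario from the article: a "colleague" with a system outage
    # asks for password, account number and SSN, and gives their own number.
    req = Request("E1001", "555-0100", {"password", "account_number", "ssn"}, pretext_noted=True)
    first = evaluate(req)
    print(first.decision.value, sorted(first.releasable), first.reasons)
    final = confirm_callback(first, "4121")
    print(final.decision.value, sorted(final.disclosed))
```

The point of splitting the decision into two functions is that nothing leaves the building while the original caller is on the line: the only path to `ALLOW` runs through a callback whose target the caller cannot influence. Logging the pretext alongside the refusal gives the security team a signal for spotting repeated attempts across branches.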
'Web Security 101'
Social engineering can be difficult to counter, but the now-infamous Paris Hilton attack follows other recent serious T-Mobile security breaches engineered by hackers.
On Feb. 15, Nicolas Jacobsen, 22, of Santa Ana, Calif., pleaded guilty to compromising a T-Mobile Web server that granted access to hundreds of wireless accounts. He faces a maximum of five years in jail and a $250,000 fine at a sentencing hearing originally scheduled for mid-May.
Jacobsen was arrested last fall by the U.S. Secret Service as part of a large-scale investigation into an international online credit card fraud ring. According to court records, Jacobsen had hijacked hundreds of T-Mobile accounts, including a mobile phone belonging to a then-active Secret Service agent. Jacobsen had posted to an online bulletin board that he could be hired to look up the name, Social Security number, birth date, and voice-mail and e-mail passwords of any T-Mobile subscriber.
T-Mobile later alerted 400 customers that their e-mails, phone records and other data had been compromised as a result of that break-in.
The court files don't give details about how it happened, but Jack Koziol, a senior instructor for the Oak Park, Ill.-based InfoSec Institute, said the intruder likely took advantage of security flaws in the company's Web servers. Koziol conducted an informal audit of T-Mobile's site in March and uncovered hundreds of pages run by Web servers vulnerable to well-known security flaws, he said.
"It's pretty amazing how poorly secured their Web properties are," said Koziol, whose company offers training to corporate, law enforcement and government clients on the latest techniques and tactics used by hackers. "Most of these flaws are simple Web Security 101, stuff you'd learn about in the first few chapters of a basic book on how to secure Web applications."
T-Mobile officials declined to say what steps they took to close the security holes identified by the Hilton hackers or how many other accounts may have been hijacked.
"T-Mobile has invested millions of dollars to protect our customers' information, and we continue to reinforce our systems to address the security needs of our subscribers," company spokesman Peter Dobrow wrote in an e-mail. "For our customers' protection, we do not publicly disclose the specific actions taken to reinforce our systems."