By Brian Krebs
washingtonpost.com Staff Writer
Thursday, May 19, 2005 3:24 PM
The caper had all the necessary ingredients to spark a media firestorm -- a beautiful socialite-turned-reality TV star, embarrassing photographs and messages, and the personal contact information of several young music and Hollywood celebrities.
When hotel heiress Paris Hilton found out in February that her high-tech wireless phone had been taken over by hackers, many assumed that only a technical mastermind could have pulled off such a feat. But as it turns out, a hacker involved in the privacy breach said, the Hilton saga began on a decidedly low-tech note -- with a simple phone call.
Computer security flaws played a role in the attack, which exploited a programming glitch in the Web site of Hilton's cell phone provider, Bellevue, Wash.-based T-Mobile International. But one young hacker who claimed to have been involved in the data theft said the crime only succeeded after one member of a small group of hackers tricked a T-Mobile employee into divulging information that only employees are supposed to know.
The young hacker described the exploit during online text conversations with a washingtonpost.com reporter and provided other evidence supporting his account, including screen shots of what he said were internal T-Mobile computer network pages. Washingtonpost.com is not revealing the hacker's identity because he is a juvenile crime suspect and because he communicated with the reporter on the condition that he not be identified either directly or through his online alias.
A senior law enforcement official involved in the case said investigators believe the young hacker's group carried out the Paris Hilton data theft and was also involved in illegally downloading thousands of personal records from database giant LexisNexis Inc. The source asked not to be identified because of his role in this and other ongoing investigations.
A third source, a woman who has communicated with the hacker group's members for several years, also confirmed key portions of the young hacker's story and said she saw images and other information downloaded from Hilton's T-Mobile account hours before they were released on several Web sites.
T-Mobile declined to comment on the details of the hacker's account of the Paris Hilton incident, saying through a spokesman that the company cannot discuss an ongoing investigation. The spokesman said the company "will work with federal law enforcement agencies to investigate and prosecute anyone that attempts to gain unauthorized access to T-Mobile systems."

Getting Access
In the months leading up to the Hilton incident, the hacker group freely exploited a security glitch in the Web site of wireless phone giant T-Mobile, according to the hacker, who described himself as the youngest member of the group. The group had found that a tool on the T-Mobile site that allowed users to reset their account passwords contained a key programming flaw.
By exploiting the flaw, the group's members were able to gain access to the account of any T-Mobile subscriber who used a "Sidekick," a pricey phone-organizer-camera combination device that stores videos, photos and other data on T-Mobile's central computer servers.
The hackers could only exploit the Web site vulnerability if they actually knew a Sidekick user's phone number. The loose-knit group had grown bored of using the flaw to toy with friends and acquaintances who owned Sidekicks and decided to find a high-profile target, one that would ensure their exploits were reported in the press, the young hacker said. They ultimately settled on Hilton, in part because they knew she owned a Sidekick; Hilton had previously starred in a commercial advertising the device.
The group's members -- who range in age from their mid-teens to early 20s -- include a handful of "AOLers," a term used in hacker circles to describe youths who honed their skills over the years by tampering with various portions of the network run by Dulles, Va.-based America Online Inc. Four of the group's members have met face-to-face, but as with most hacking groups, the majority of their day-to-day interactions took place online.
Before gaining access to Hilton's wireless phone account, the group had spent a year studying weaknesses in T-Mobile's Web sites. The group member interviewed for this story had already written a simple computer program that could reset the password for any T-Mobile user whose phone number the hackers knew.
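The article never says what the programming flaw in T-Mobile's reset tool was, only its effect: anyone who knew a Sidekick subscriber's phone number could reset that subscriber's password. The model below is an added illustration written for this page, not T-Mobile's code and not the hacker's program. It shows a reset handler with exactly that property next to a hardened version that binds the reset to a short-lived, single-use code delivered to the handset, limits guessing, and answers requests for unknown numbers the same way as for known ones so the endpoint cannot be used to enumerate subscribers. The account table, phone numbers and passwords are constructed sample data.

```python
"""Illustrative password-reset flow (constructed example; not T-Mobile's code).

The only property taken from the article is that the flawed reset tool let an
attacker who knew a subscriber's phone number set a new password on that
account. `vulnerable_reset` reproduces that property; `HardenedResetFlow`
shows the checks a reset endpoint needs instead.
"""

import hmac
import secrets
import time
from dataclasses import dataclass


def sample_accounts():
    """Fresh copy of a constructed subscriber table (hypothetical numbers)."""
    return {
        "+15550100001": {"password": "correct-horse", "email": "alice@example.invalid"},
        "+15550100002": {"password": "battery-staple", "email": "bob@example.invalid"},
    }


# --- Vulnerable: possession of the phone number is treated as proof of ownership
def vulnerable_reset(accounts, phone, new_password):
    """Resets the password of any account whose phone number the caller supplies.

    A phone number is effectively public, so this is a full account takeover
    that also locks the real owner out (the article describes exactly that
    outcome for Hilton's account).
    """
    if phone not in accounts:
        return False
    accounts[phone]["password"] = new_password
    return True


# --- Hardened: reset requires a one-time code sent to the device, not the requester
CODE_TTL_SECONDS = 600   # code is only valid for ten minutes
MAX_ATTEMPTS = 5         # after this many wrong guesses a new request is required


@dataclass
class PendingReset:
    code: str
    expires_at: float
    attempts: int = 0


class HardenedResetFlow:
    def __init__(self, accounts, send_sms, now=time.time):
        self.accounts = accounts
        self.send_sms = send_sms      # delivers the code to the handset (hypothetical transport)
        self.now = now                # injectable clock so expiry can be tested
        self.pending = {}             # phone -> PendingReset

    def request_reset(self, phone):
        """Start a reset. The response is identical whether or not the number exists."""
        if phone in self.accounts:
            code = f"{secrets.randbelow(10**8):08d}"   # 8-digit code from a CSPRNG
            self.pending[phone] = PendingReset(code, self.now() + CODE_TTL_SECONDS)
            self.send_sms(phone, f"Your reset code is {code}")
        return "If that number is registered, a code has been sent to the handset."

    def complete_reset(self, phone, code, new_password):
        """Finish a reset only with the unexpired, unused code delivered to the handset."""
        entry = self.pending.get(phone)
        if entry is None:
            return False
        if self.now() > entry.expires_at or entry.attempts >= MAX_ATTEMPTS:
            del self.pending[phone]   # expired or exhausted: force a fresh request
            return False
        entry.attempts += 1
        if not hmac.compare_digest(entry.code, code):   # constant-time comparison
            return False
        del self.pending[phone]       # single use
        self.accounts[phone]["password"] = new_password
        return True


if __name__ == "__main__":
    accts = sample_accounts()
    print("vulnerable reset by number alone:", vulnerable_reset(accts, "+15550100001", "pwned"))
    outbox = []
    flow = HardenedResetFlow(sample_accounts(), lambda phone, msg: outbox.append((phone, msg)))
    flow.request_reset("+15550100001")
    print("hardened reset without the code:", flow.complete_reset("+15550100001", "not-a-code", "pwned"))
```

The hardened version still depends on the code reaching the real handset; it does nothing against the second half of the attack described below, where an employee hands over an internal login over the phone. The article's "locked her out" detail is what `vulnerable_reset` reproduces: the reset succeeds for whoever asks first.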
According to the young hacker's account, the Hilton caper started the afternoon of Feb. 19, when a group member rang a T-Mobile sales store in a Southern California coastal town posing as a supervisor from T-Mobile inquiring about reports of slowness on the company's internal networks.
The conversation -- which represents the recollection of the hacker interviewed by washingtonpost.com -- began with the 16-year-old caller saying, "This is [an invented name] from T-Mobile headquarters in Washington. We heard you've been having problems with your customer account tools?"
The sales representative answered, "No, we haven't had any problems really, just a couple slowdowns. That's about it."
Prepared for this response, the hacker pressed on: "Yes, that's what is described here in the report. We're going to have to look into this for a quick second."
The sales rep acquiesced: "All right, what do you need?"
When prompted, the employee then offered the Internet address of the Web site used to manage T-Mobile's customer accounts -- a password-protected site not normally accessible to the general public -- as well as a user name and password that employees at the store used to log on to the system.
To support his story, the hacker provided washingtonpost.com with an image of a page he said was from the protected site. T-Mobile declined to comment on the screenshot, and washingtonpost.com has no way to verify its authenticity.

Inside the Walls
The hackers accessed the internal T-Mobile site shortly thereafter and began looking up famous names and their phone numbers. At one point, the youth said, the group harassed Laurence Fishburne, the actor perhaps best known for his role in the "Matrix" movies as Morpheus, captain of the futuristic ship Nebuchadnezzar.
"We called him up a few times and said, 'GIVE US THE SHIP!'" the youth typed in one of his online chats with a reporter. "He picked up a couple times and kept saying stuff like YOUR ILLEGALLY CALLING ME."
Later, using their own Sidekick phone, the hackers pulled up the secure T-Mobile customer records site, looked up Hilton's phone number and reset the password for her account, locking her out of it. Typical wireless devices can only be hacked into by someone physically nearby, but a Sidekick's data storage can be accessed from anywhere in T-Mobile's service area by someone with control of the account. That means the hackers were at that point able to download all of her stored video, text and data files to their phone.
"As soon as I went into her camera and saw nudes my head went JACKPOT," the young hacker recalled of his reaction to first seeing the now-public photos of a topless Hilton locked in an intimate embrace with a female friend. "I was like, HOLY [expletive] DUDE ... SHES GOT NUDES. THIS [expletive]'s GONNA HIT THE PRESS SO [expletive] QUICK."
The hackers set up a conference call and agreed to spread the news to several friends, all the while plotting ways to get the photos up on various Web sites. Kelly Hallissey, a 41-year-old New York native who has been in contact with the group of hackers for several years, said the group's members showed her evidence that they had gained access to Hilton's phone during these early hours -- before the images made their way online.
By early Feb. 20, the pictures, private notes and contact listings from Hilton's phone account -- including phone numbers of celebrities such as Christina Aguilera, Eminem, Anna Kournikova and Vin Diesel -- had appeared on GenMay.com (short for General Mayhem), an eclectic, no-holds-barred online discussion forum.
Within hours of the GenMay posting, Hilton's information was published on Illmob.org, a Web site run by 27-year-old William Genovese of Meriden, Conn., known online as "illwill." (The FBI charged Genovese in November with selling bits of stolen source code for Microsoft Windows 2000 and Windows NT operating systems.) By Monday morning, dozens of news sites and personal Web logs had picked up the story, with many linking to the illmob.org post or mirroring the purloined data on their own.
Hallissey, who describes herself as a kind of "den mom" to a cadre of budding hackers, confirmed that the teenage source has been engaged in various hacking activities for several years. Hallissey met a slew of the hacker group's members after a three-year stint during the 1990s as one of thousands of people who helped AOL maintain its online content in exchange for free Internet access and various other perks. Hallissey has since joined a still-active wage lawsuit against AOL and maintains www.observers.net, a Web site critical of the Dulles-based company.
Hallissey said her sense of privacy has been erased gradually over the past two years as a result of her association with a number of AOLers who playfully bragged to her about their success with social engineering. They showed her online screen shots of her water, gas and electric bills, her Social Security number, credit card balances and credit ratings, pictures of her e-mail inbox, as well as all of her previous addresses, including those of her children.
"This was all done not by skilled 'hackers' but by kids who managed to 'social' their way into a company's system and gain access to it within one or two phone calls," said Hallissey, who asked that her current place of residence not be disclosed. "Major corporations have made social engineering way too easy for these kids. In their call centers they hire low-pay employees to man the phones, give them a minimum of training, most of which usually dwells on call times, canned scripts and sales. This isn't unique to T-Mobile or AOL. This has become common practice for almost every company."
AOL officials declined to comment about the young hacker or other "AOLers" for this story.

The Weakest Link
Security experts say the raiding of Hilton's wireless account highlights one of the most serious security challenges facing corporations -- teaching employees to be watchful for "social engineering," the use of deception to trick people into giving away sensitive data, usually over the phone.
In his book "The Art of Deception," notorious ex-hacker Kevin Mitnick says major corporations spend millions of dollars each year on new technologies to keep out hackers and viruses, yet few dedicate significant resources to educating employees about the dangers of old-fashioned con artistry.
"The average $10-an-hour sales clerk or call-center employee will tell you anything you want, including passwords," Mitnick said in a telephone interview. "These people are usually not well-trained, but they also interact with people to sell products and services, so they tend to be more customer-friendly and cooperative."
During his highly publicized hacking career in the 1990s, Mitnick -- who spent four years in prison and now works as a computer security consultant -- broke into the computer networks of some of the top companies in the technology and telecommunications industries, but rarely targeted computer systems directly.
Rather, he phoned employees and simply asked them for user names, passwords or other "insider" data that he could use to sound more authentic in future phone inquiries. "This kind of thing works with just about every mobile carrier," Mitnick said.
He said all of the major wireless carriers -- not just T-Mobile -- are popular targets for social engineering attacks. Mitnick said he knows private investigators who routinely obtain phone records of people they are investigating by calling a sales office at the target's wireless carrier and pretending to be an employee from another sales office.
Mitnick described how an investigator will claim to have the customer they're investigating in the store, but can't access their data because of computer trouble. Then the investigator asks the sales representative at the other store to look up that person's password, account number and Social Security number. In many cases the employee provides the information without verifying the caller's identity. Armed with that data, he said, investigators usually can create an account at the wireless provider's Web site and pull all of the target's phone records.
Large organizations that maintain numerous branches around the country are especially susceptible to social engineering attacks, said Peter Stewart, president of Baton Rouge, La.-based Trace Security, a company that is hired to test the physical and network security for some of the most paranoid companies in the world: banks.
More often than not, Stewart says, his people can talk their way into employee-only areas of banks by pretending to be a repairman or just another employee. In most cases, the break-in attempts are aided by information gleaned over the phone.
"Usually your corporate headquarters are more stringent and things get more lax the further away from there you get," Stewart said. "The larger you are as a company the more likely it is that you're not going to know everyone by name, and lots of companies have no policy in place of verifying who's calling you and how to respond to that person."

'Web Security 101'
Social engineering can be difficult to counter, but the now-infamous Paris Hilton attack follows other recent serious T-Mobile security breaches engineered by hackers.
On Feb. 15, Nicolas Jacobsen, 22, of Santa Ana, Calif., pleaded guilty to compromising a T-Mobile Web server that granted access to hundreds of wireless accounts. He faces a maximum of five years in jail and a $250,000 fine at a sentencing hearing originally scheduled for mid-May.
Jacobsen was arrested last fall by the U.S. Secret Service as part of a large-scale investigation into an international online credit card fraud ring. According to court records, Jacobsen had hijacked hundreds of T-Mobile accounts, including a mobile phone belonging to a then-active Secret Service agent. Jacobsen had posted to an online bulletin board that he could be hired to look up the name, Social Security number, birth date, and voice-mail and e-mail passwords of any T-Mobile subscriber.
T-Mobile later alerted 400 customers that their e-mails, phone records and other data had been compromised as a result of that break-in.
The court files don't give details about how it happened, but Jack Koziol, a senior instructor for the Oak Park, Ill.-based InfoSec Institute, said the intruder likely took advantage of security flaws in the company's Web servers. Koziol conducted an informal audit of T-Mobile's site in March and uncovered hundreds of pages run by Web servers vulnerable to well-known security flaws, he said.
"It's pretty amazing how poorly secured their Web properties are," said Koziol, whose company offers training to corporate, law enforcement and government clients on the latest techniques and tactics used by hackers. "Most of these flaws are simple Web Security 101, stuff you'd learn about in the first few chapters of a basic book on how to secure Web applications."
T-Mobile officials declined to say what steps they took to close the security holes identified by the Hilton hackers or how many other accounts may have been hijacked.
"T-Mobile has invested millions of dollars to protect our customers' information, and we continue to reinforce our systems to address the security needs of our subscribers," company spokesman Peter Dobrow wrote in an e-mail. "For our customers' protection, we do not publicly disclose the specific actions taken to reinforce our systems."