Tuesday, February 22, 2005

Paris Hilton T-Mobile Musings

Reuters reporter Andy Sullivan asked me to comment for his story Paris Hilton Exposed on Web After Phone Hacked. I believe this is a continuation of the T-Mobile database incident I blogged earlier. Chances are the original perpetrators obtained T-Mobile customer credentials (user names and passwords) and kept them to themselves, initially. Then, to impress their friends, the intruders shared some or all of the data. Eventually the credentials were passed to one or more parties who thought to make themselves "famous" by posting sensitive information fraudulently obtained with those user names and passwords.

This "disclosure cycle" is similar to the way exploits circulate through the underground. One or more people independently or jointly discover a vulnerability and code an exploit. They keep it closely guarded, perhaps using it to access sensitive targets. If they are professional black hats, they never reveal the fact they have the exploit. If they are not using the exploit to advance certain goals, or they feel the exploit's shelf life is expiring, they pass the exploit to others. That new group is more likely to circulate the exploit widely throughout the underground. Eventually one or more black hats down the distribution food chain decide to go public, perhaps to gain some notoriety for themselves or their group.

It's an example of intruders becoming more sophisticated in the way they publicize their ability to gain unauthorized access to important systems. Five to ten years ago they demonstrated their expertise by defacing Web sites. Now they show off their skills by posting sensitive information. I would expect to see more of this.

2 comments:

Anonymous said...

Hilton's voicemail (as well as Vin Diesel's) was compromised because they did not use a password at all, but used T-Mobile's auto-login feature for accessing voicemail. Apparently someone learned Hilton's ESN and cloned her cell phone, allowing them to "auto-login" without a PIN.

Richard Bejtlich said...

Thanks for the pointer. I see kevinrose.com can't remove posts faster than Google caches them!