A Massachusetts juvenile has pleaded guilty to a January 2005 attack that ultimately exposed the cell phone address book of U.S. socialite Paris Hilton to the Internet, according to T-Mobile USA, the mobile phone provider whose servers were compromised in the attack.
The juvenile, who was not identified because of his age, has been sentenced to 11 months' detention, to be followed by two years of supervised release, for a series of hacking incidents and threats made over a 15-month period beginning in March 2004. He is also prohibited from using computers, cell phones or any device capable of accessing the Internet during the period of this sentence.
A copy of Hilton's cell phone address book was posted to the Web in February of this year, giving millions of Internet users access to private phone numbers and e-mail addresses for celebrities such as Eminem and Anna Kournikova.
The juvenile in question was able to obtain this information by tricking T-Mobile employees into revealing sensitive information, a hacking technique called "social engineering," and by exploiting a flaw in T-Mobile's Web site, according to Peter Dobrow, a T-Mobile spokesman. "The main issue here was social engineering," he said. "There also was a password reset function that we addressed on our end."
T-Mobile has also taken steps to prevent such social engineering attacks from succeeding in the future, Dobrow said.
The juvenile was sentenced by U.S. District Court Judge Rya Zobel in Boston last Thursday, according to a statement from the U.S. Attorney's Office.
The juvenile had been charged with a variety of crimes, including hacking into unnamed Internet and telephone service providers and making bomb threats to schools in Massachusetts and Florida. Damages from these crimes amounted to about US$1 million, the statement said.
In January 2005, the hacker gained access to the computer system of a "major telephone service provider" and posted information stored on the mobile phone of one of its subscriber, the statement said, without naming Hilton or T-Mobile.
The subscriber identified in that statement was, in fact, T-Mobile customer Paris Hilton, Dobrow said. "We're satisfied that this one individual has been brought to justice as it relates to the Paris Hilton matter," he added.
The juvenile in question was part of a loosely organized group of about 8 to 12 hackers, called the Defonic Team Screen Name Club, which hacked into a number of computer networks, according to a security expert who was contacted by the group. "These kind of kids, they come and go," said Jack Koziol, program manager with Infosec Institute. "They put one of them in juvenile hall, there are 500 to replace them the next day."
More charges are expected, according to William Sims, special agent in charge of the U.S. Secret Service in Miami. "There were some hacks down here, and there are some co-defendants down here who were still involved," he said. "It's still an active, ongoing investigation."
T-Mobile may still have more work to do, according to Koziol. When he examined the company's Web site recently, the security researcher found that there were still some flaws. "I was amazed that a year after this kid did that, there were all sorts of Web security problems prevalent throughout their Web site," he said.
For example, T-Mobile still uses outdated server software with known Java vulnerabilities, he said. "The exact same Web hack that those kids used has been fixed, but the global issues are still there."