Update: Mass. teen pleads guilty in Paris Hilton hacking case

Computerworld - A Massachusetts juvenile has pleaded guilty to a January 2005 attack that ultimately exposed the cell phone address book of U.S. socialite Paris Hilton to the Internet, according to T-Mobile USA Inc., the mobile phone provider whose servers were compromised in the attack.

The 17-year-old boy charged in the case was sentenced to 11 months' detention in a juvenile facility, to be followed by two years of supervised release. During that time, he is barred from possessing or using any computer, cell phone or other electronic equipment capable of accessing the Internet.

A copy of Hilton's cell phone address book was posted to the Web in February, giving millions of Internet users access to private phone numbers and e-mail addresses for celebrities such as Eminem and Anna Kournikova (see "Hackers post Paris Hilton's address book online").

The teen was able to obtain the information by tricking T-Mobile employees into revealing sensitive information, a hacking technique called "social engineering," and by exploiting a flaw in T-Mobile's Web site, according to Peter Dobrow, a T-Mobile spokesman. "The main issue here was social engineering," he said. "There also was a password reset function that we addressed on our end."

T-Mobile has also taken steps to prevent such social engineering attacks from succeeding in the future, Dobrow said.

"We're satisfied that this one individual has been brought to justice as it relates to the Paris Hilton matter," Dobrow said.

The teen was charged with a variety of crimes, including hacking into unnamed Internet and telephone service providers and making bomb threats to schools in Massachusetts and Florida. Damages from these crimes amounted to about $1 million, the statement said.

The teen was part of a loosely organized group of about 8 to 12 hackers, called the Defonic Team Screen Name Club, which hacked into a number of computer networks, according to a security expert who was contacted by the group. "These kind of kids, they come and go," said Jack Koziol, program manager with Infosec Institute Inc., in Oak Park, Ill. "They put one of them in juvenile hall, there are 500 to replace them the next day."

Last spring, the teen used a portable wireless Internet access device to send a bomb threat to a school in Massachusetts and local emergency services, twice requiring emergency units to respond to the school, which had to be evacuated, prosecutors said.
In June, the teen threatened a telephone company after a phone that a friend of his had fraudulently activated was shut off, prosecutors said. Ina recorded phone call, the boy told the service provider that if it didn't give him access to its computer system, he would cause its Web service to collapse through a denial-of-service attack. The telephone service provider refused, and about 10 minutes later the teen and others initiated an attack that succeeded in shutting down a significant portion of the company's Web operations.
The investigation into the teen's associates is continuing, and more charges are expected, according to William Sims, special agent in charge of the U.S. Secret Service in Miami. "There were some hacks down here, and there are some co-defendants down here who were still involved," he said. "It's still an active, ongoing investigation."