From the Techdirt Blog...

<< Jury Invalidates Patent On Bond Trading Tech   |    A Missed Connection Found Online >>

Stupidity

Stupidity

by Mike Masnick

Tue, Feb 22nd 2005 8:26pm

Share This


Print



How Paris Hilton Got Hacked? Bad Password Protection

from the tinkerbell dept

This morning, in Good Morning Silicon Valley, John Paczkowski joked (I think) that he'd bet "$5 and a Swarovski-encrusted dunce cap says her password was Tinkerbell." He might be right. While T-Mobile still says they're trying to figure out how Paris Hilton's T-Mobile account got hacked, Brian McWilliams has it all figured out. Her password might not have been Tinkerbell (the well known name of her dog), but the secret question to get her password reset was: "What is your favorite pet's name?" Yup. It wasn't necessarily social engineering or a security hole or even real hacking (though, in some sense, it was a combination of all three). It was good, old fashioned, stupidity -- leaving the keys under the front door matt with a big sign that says "keys under the matt" next to it.

9 Comments | Leave a Comment..

 

Reader Comments (rss)

(Flattened / Threaded)

  1. the joke may be on Hilton by nonuser on Feb 22nd, 2005 @ 8:51pm

    but the real culprit are service providers who rely on such an insecure backdoor that gets hacked when customers use it the way they suggest.

    (reply to this comment) (link to this comment)

  2. Bruce Schneier wrote just recently about this secu by Precision Blogger on Feb 23rd, 2005 @ 6:59am

    Bingo! Bruce Schneier wrote just recently about how the backup question weakens password protection. He says when forced to supply a Q&A, he hitsrandom keys that he won't remember for the answer. See:
    http://www.schneier.com/blog/archives/2005/02/the_curse_of_th.html


    - The Precision Blogger
    http://precision-blogging.blogspot.com

    (reply to this comment) (link to this comment)

  3. Use " other " ? & make one up by Anonymous Coward on Feb 23rd, 2005 @ 7:38am


    Use the " oter " question catagory.
    Ask yourself a question that NOONE would understand BUT you.
    Works for me & even if the system were hacked, my question wouldn't even make sense to the hacker.

    Problem solved.

    (reply to this comment) (link to this comment)

  4. Re: Bruce Schneier wrote just recently about this by Tim on Feb 23rd, 2005 @ 8:16am

    Do it jeopardy-style:

    secret reminder question: meow
    reminder answer: What do dogs say?

    That's one heck of a long passphrase for no extra work ;)

    (reply to this comment) (link to this comment)

  5. Re: Use by seth on Feb 23rd, 2005 @ 8:31am

    I always just enter a lot of gibberish whenever I am required to have a reminder question. Then I just don't forget my password or I have it emailed to me if I do forget. I always distrusted the back-up password.

    (reply to this comment) (link to this comment)

  6. Re: Use by Ranger on Feb 24th, 2005 @ 10:26am

    Am I the only one suspicious of her getting hacked in the first place? I mean, isn't she due for some scandalous web-activity about now?

    I mean, who keeps perfect naked pictures of themselves on their mobile camera? For what possible reason? "Hey, I want to see if I've gained any extra weight from eating that ice cream sundae?"


    (reply to this comment) (link to this comment)

  7. T-Mobile Password Hacking by Nick on Feb 25th, 2005 @ 8:19am

    ... another likely theory was given in this post over at Kevin Rose's site.

    The hack is a simple one that I duplicated easily. If you have Sprint or T-Mobile and have auto voicemail login enabled, you are vulnerable to this type of attack. I have auto voicemail login enabled because I hate entering my voicemail PIN number each time I want to check my messages. The voicemail authentication system is simple. It uses caller ID to validate the originating number – if the caller ID matches your cell phone number (ie. your cell phone calling in to check your voicemail messages), it will log you in automatically. This system has worked great for the last few years. Well, that is until the advent of commercial caller ID spoofing systems such as CovertCall and Telespoof. For those not in-the-know, caller ID spoofing allows you to change your caller ID number to anything you like. To hack myself, I simply logged into CovertCall and placed a spoofed call to my cell phone. The spoofed call was to my cell phone, from my cell phone, forwarded to a pay phone. Sprint (my provider) thought I was calling from my cell, and automatically logged me in (even though I was performing this from a pay phone down the street).

    (reply to this comment) (link to this comment)

  8. Paris Hilton by Katie on Oct 30th, 2006 @ 6:50am

    Finally her stupidity is realized!!!

    (reply to this comment) (link to this comment)

  9. paris hiltoon by chester.. on May 23rd, 2008 @ 9:23am

    There is NOTHING iconic about Paris Hilton..

    (reply to this comment) (link to this comment)

Add Your Comment

Get Techdirt’s Daily Email
Plain Text HTML Save me a cookie
  • Plain Text: A CRLF will be replaced by break <br> tag, all other allowable HTML is intact
  • HTML: No formatting of any kind is done without explicitly being written in
  • Allowed HTML Tags: <b> <i> <p> <a> <em> <br> <strong> <blockquote> <hr> <tt>
Close
Get Techdirt’s Daily Email
Plain Text HTML Save me a cookie

<< Jury Invalidates Patent On Bond Trading Tech   |    A Missed Connection Found Online >>

Search the Techdirt Blog
And now, a word from our Sponsors..
Subscribe to Techdirt's Daily Email Newsletter

Techdirt's Daily Email Newsletter

Related Stories

AP Goes After Bloggers For Posting Article Headlines And Snippets (62)

Marvel Should Keep A Tighter Leash On Its Lawyers (31)

Sometimes You Wonder If The Recording Industry Is Purposely Destroying Itself (35)

Thailand Sliding Down The Slippery Slope Of Net Censorship (12)

In Case You Didn't Know, Revealing Your Bank Info Isn't Very Smart (17)

Close
E-mail It