Paris Hilton T-Mobile Musings

Reuters reporter Andy Sullivan asked me to comment for his story Paris Hilton Exposed on Web After Phone Hacked. I believe this is a continuation of the T-Mobile database incident I blogged earlier. Chances are the original perpetrators obtained T-Mobile customer credentials (user names and passwords) and kept them to themselves, initially. Then, to impress their friends, the intruders shared some or all of the data. Eventually the credentials were passed to one or more parties who thought to make themselves "famous" by posting sensitive information fraudulently obtained with those user names and passwords.

This "disclosure cycle" is similar to the way exploits circulate through the underground. One or more people independently or jointly discover a vulnerability and code an exploit. They keep it closely guarded, perhaps using it to access sensitive targets. If they are professional black hats, they never reveal the fact they have the exploit. If they are not using the exploit to advance certain goals, or they feel the exploit's shelf life is expiring, they pass the exploit to others. That new group is more likely to circulate the exploit widely throughout the underground. Eventually one or more black hats down the distribution food chain decide to go public, perhaps to gain some notoriety for themselves or their group.

It's an example of intruders becoming more sophisticated in the way they publicize their ability to gain unauthorized access to important systems. Five to ten years ago they demonstrated their expertise by defacing Web sites. Now they show off their skills by posting sensitive information. I would expect to see more of this.