Teen Sentenced in Hilton Phone-Hacking Case

The teenager is believed to be behind both the hack of cell phone company T-Mobile's Web site that yielded Paris Hilton's account and the hack of LexisNexis' Seisint database.

A Massachusetts teenager pleaded guilty in federal court in Boston to a string of hacking crimes reported to include the February compromise of online information broker LexisNexis and socialite Paris Hilton's T-Mobile cellular phone account.

In a Sept. 8 statement, U.S. Attorney Michael Sullivan said that the juvenile told U.S. District Court Judge Rya Zobel that he was responsible for a 15-month hacking spree that included breaches of computer networks belonging to Internet service providers, a telecommunications company, and a "company which stores identity information concerning millions of individuals."

The individual was charged with nine counts of juvenile delinquency and sentenced to 11 months of detention in a juvenile facility and two years of supervised release.

The teen was not named because of a Massachusetts law that prohibits revealing the identities of juvenile defendants.

A spokesperson for the U.S. Attorney's Office declined to name companies or individuals involved in the attacks, but the teenager is believed to be behind both the hack of cell phone company T-Mobile's Web site that yielded Hilton's account and the hack of LexisNexis' Seisint database.

A T-Mobile spokesperson confirmed that the teenager mentioned in the press release was the one responsible for hacking Paris Hilton's T-Mobile account using a vulnerability in the company's Web site and posting the information on the Internet.

Authorities first became aware of the teenager in March 2004 after he sent an e-mail bomb threat that forced the evacuation of a school in Florida.

Working with accomplices online, the teenager sent two more bomb threats to a Massachusetts school in the following months, used a Trojan horse program to gain access to a "major" ISP, and accessed a phone company to create accounts for himself and his friends.


The teenager is also believed to have used a network of compromised machines to launch a denial of service attack against another phone company, which had shut off a friend's fraudulent phone account, the statement said.

Authorities, including the FBI and U.S. Secret Service, are still investigating the teenager's associates, the statement said.

T-Mobile is satisfied that the individual responsible for the Hilton account hacking has been brought to justice.

However, the incident prompted the company to take steps to shore up its security, which security experts warned was lax.

Calling the hacking spree a "wakeup call" for the telecommunications industry, the spokesman said that T-Mobile has increased training for its employees to avoid so-called "social engineering" attacks, in which hackers communicate with employees directly through e-mail, phone calls or face-to-face meetings to garner information necessary to compromise a network.

Still, one security expert said that enterprises shouldn't take too much comfort from the fact that authorities "got their man" in the Hilton and Seisint cases.

"It just goes to show you how much damage an unskilled, but highly motivated, teenager can do," wrote Jack Koziol, program manager at InfoSec Institute, in an e-mail message.

The teenager made the mistake of targeting a high-profile celebrity like Hilton, which drew worldwide attention to his actions, he said.

"The lowest 1 percent of hackers are caught, if that, and the other 99 percent [who] are just a hair less obvious are able to move in and out of organizations at their leisure," Koziol said.
