Lessons Learned from a Teenage Hacker

Opinion: Security pros need to learn from those who succeed in hacking, such as a Massachusetts teen who wreaked havoc for over a year.

When the fire alarms are not sounding and calling us to immediate reactive action, security pros need to be kicking back a bit and taking a look at how a serious security problem unfolds. That's why we should take a look at a Massachusetts teenager who pled guilty to, among other things, hacking—to see what, if anything, could have been done to prevent him and his buddies from succeeding in doing what they did.

The juvenile pled guilty in federal court last week and was sentenced in connection with a series of hacking incidents into Internet and telephone service providers; the theft of an individual's personal information and the posting of it on the Internet; and making bomb threats to high schools in Florida and Massachusetts—all of which took place over a 15-month period. Victims of the juvenile's conduct have suffered a total of approximately $1 million in damages, according to official estimates.


This budding sociopath snuck a program onto an ISP employee's computer in 2004 that gave him remote access to it. Juvie could use it as his own. So, the first point is to ask where and when the admin became aware of Juvie's activities, if he did at all.

In 2005, Juvie hacked the internal directory of a "major telephone provider" to get information on someone who had an account with them. He used this to hack the user's cell phone (Hello, Paris!) and post the contents of the phone/messenger to the Internet.

Juvie's subtlety emerged even further as he then set up numerous free accounts for all his buddies, never thinking that a bunch of uncollected accounts might trigger a financial review program or anything like that. No, he was too busy hacking into one of the Big 3 like Equifax to get personal information on people that he then posted to the Internet. (Do you see a pattern emerging?)

He then progressed this spring into wirelessly making bomb threats to a school and in June threatened a DDoS attack against a different "major telephone service" that refused to deal with him. Juvie shut down a significant portion of their Web services, just to show them who their daddy was.

They caught him. How could they not, as he bounced higher and higher until they could see him quite clearly? He had a run of a year from the first incident until he self-destructed in the shakedown of a corporation. Sad, really.

The judge imposed a sentence of 11 months' detention in a juvenile facility, to be followed by two years of supervised release. During his periods of detention and supervised release, the juvenile is also barred from possessing or using any computer, cell phone or other electronic equipment capable of accessing the Internet.

If Juvie had been an adult, he would have faced charges of three counts of making bomb threats against a person or property, three counts of causing damage to a protected computer system, two counts of wire fraud, one count of aggravated identity theft and one count of obtaining information from a protected computer in furtherance of a criminal act.

While young'uns trying to make their mark on the scene don't always find the best way to do it (think graffiti that's not art), this particular Juvie crashed and burned with a ferocity that may leave him a burned-out crisp. I keep hoping he can turn his talents away from the Dark Side, and I wonder who is in line to pull the same stupid kind of stunts in his place.
