A 15-year-old who claimed he was bored when he turned to hacking was arrested for breaking into almost 260 companies during the first three months of this year, according to a ZDNet article published earlier today.
Austria’s Federal Criminal Police Office said the teenager, who used the hacker handle ACK!3STX, used tools available on the Internet to scan for vulnerable Web sites and publish stolen data. He then bragged about his exploits on Twitter. Victims included sports companies and adult entertainment sites, among many others.
Police began to monitor the teen’s activity after receiving several complaints early in the year and got a big break last month when the hacker’s anonymizing software failed and his IP address was revealed. He allegedly confessed as soon as he was caught.
“The young man reportedly admitted to being responsible, saying that he was bored and wanted to prove himself. He was described as anti-social, and so looked to the online world for praise and affirmation, possibly being inspired by reports about the hacktivist group Anonymous,” according to the ZDNet report.
“After finding a hacker forum that gave members points for successful attacks, the boy went to work. Three months later, the 15-year-old was in the top 50 hackers of the approximately 2,000 users registered on the forum.”
The article did not say what online tools the Austrian teen used, nor what vulnerabilities he exploited to gain access to Web sites and databases. But the case underscores a security company’s recent findings: serious vulnerabilities from faulty Web site development are dropping, but there’s still a long delay in fixing those flaws once they are discovered.
In an interview with TechWorld, Jeremiah Grossman, the chief technology officer for WhiteHat Security, said last year 148 serious Web site vulnerabilities were introduced by developers, down from 230 in 2010 and 480 in 2009. But, he added, it took organizations an average of 100 days to seal just half of the flaws contained within custom coding.
Part of the delay is because developers must be pulled off other projects to figure out a fix; other times, companies will roll the dice and hope the hole is never discovered externally. But the odds are improving for attackers, who are using more sophisticated tools and techniques to find and take advantage of those coding vulnerabilities.
“Do you take the developer off that [project] and put them on correcting a vulnerability that they know they have but may or may not get exploited and may or may not cost them any money whatsoever?” Grossman said in the TechWorld article. He advocates for developers to write more secure software from the outset. “We’re not going to get perfect at software, but we can get economically good enough software.”




“Austria’s Federal Criminal Police Office said the teenager, who used the hacker handle ACK!3STX, used tools available on the Internet to scan for vulnerable Web sites and publish stolen data. He then bragged about his exploits on Twitter.”
Smart move! Blogging about your criminal activities on Twitter ensures you’ll never get caught. (Shakes his head).
I don’t buy for one second that his TOR session “failed” and that led them to a “lucky break” to track this guy down.
1. Twitter identified him based on his relationships.
2. His TOR client was going through nodes run by government/intelligence in the first place and was not actually secure.
I think he deliberately posted on Twitter……why? How many companies are now trying to hire him to help bolster their security?????
smart move kid…..
What’s that they say about idle hands?
How the hell does a kid get his hands on top notch security penetrating software and hack into websites without help? That’s the QUESTION.
This is a very good article. As far as I’ve read several articles. Thank you
His techniques were the same as a script kiddie aka a noob and a beginner, meaning he wouldn’t pass most technical interviews with companies doing real penetration testing. Anyone can be taught how to use these tools, and they are relatively easy to use, even for someone that has never used a computer before. It’s that easy to “hack a website / company”.
It’s unrealistic they will hire someone who has done this kind of work as well, as some companies do not want blackhats or script kiddies who admit previous illegal actions. (What you don’t tell, no one worries about.)
A better way to get hired is by writing tools, advisories, and doing research and perhaps talks / presentations based on that. That’s what makes companies interested in hiring you, as they can see for themselves some of what you know, based on your previous public work. A website defacement and a leaked database says nothing.
Best regards,
MaXe
Should have been using those idle hands for something that other 15 year olds do. Probably wouldn’t be in jail, just going blind! lol