A 15-year-old who claimed he was bored when he turned to hacking was arrested for breaking into almost 260 companies during the first three months of this year, according to a ZDNet article published earlier today.
Austria’s Federal Criminal Police Office said the teenager, who used the hacker handle ACK!3STX, used tools available on the Internet to scan for vulnerable Web sites and publish stolen data. He then bragged about his exploits on Twitter. Victims included sports companies and adult entertainment sites, among many others.
Police began to monitor the teen’s activity after receiving several complaints early in the year and got a big break last month when the hacker’s anonymizing software failed and his IP address was revealed. He allegedly confessed as soon as he was caught.
“The young man reportedly admitted to being responsible, saying that he was bored and wanted to prove himself. He was described as anti-social, and so looked to the online world for praise and affirmation, possibly being inspired by reports about the hacktivist group Anonymous,” according to the ZDNet report.
“After finding a hacker forum that gave members points for successful attacks, the boy went to work. Three months later, the 15-year-old was in the top 50 hackers of the approximately 2,000 users registered on the forum.”
The article did not say what online tools the Austrian teen used, nor what vulnerabilities he exploited to gain access to Web sites and databases. But the case underscores a security company’s recent findings that show serious vulnerabilities from faulty web site development are dropping, but there’s still a long delay in fixing those flaws once they are discovered.
In an interview with TechWorld, Jeremiah Grossman, the chief technology officer for WhiteHat Security, said last year 148 serious Web site vulnerabilities were introduced by developers, down from 230 in 2010 and 480 in 2009. But, he added, it took organizations an average of 100 days to seal just half of the flaws contained within custom coding.
Part of the delay is because developers must be pulled off other projects to figure out a fix; other times, companies will roll the dice and hope the hole is never discovered externally. But the odds are improving for attackers, who are using more sophisticated tools and techniques to find and take advantage of those coding vulnerabilities.
“Do you take the developer off that [project] and put them on correcting a vulnerability that they know they have but may or may not get exploited and may or may not cost them any money whatsoever?” Grossman said in the TechWorld article. He advocates for developers to write more secure software at the onset. “We’re not going to get perfect at software, but we can get economically good enough software.”