Teen’s Arrest Underscores Need for More Secure Web Development

A 15-year-old who claimed he was bored when he turned to hacking was arrested for breaking into almost 260 companies during the first three months of this year, according to a ZDNet article published earlier today.Austria’s Federal Criminal Police Office said the teenager, who used the hacker handle ACK!3STX, used tools available on the Internet to scan for vulnerable Web sites and publish stolen data. He then bragged about his exploits on Twitter. Victims included sports companies and adult entertainment sites, among many others.

HandcuffsA 15-year-old who claimed he was bored when he turned to hacking was arrested for breaking into almost 260 companies during the first three months of this year, according to a ZDNet article published earlier today.

Austria’s Federal Criminal Police Office said the teenager, who used the hacker handle ACK!3STX, used tools available on the Internet to scan for vulnerable Web sites and publish stolen data. He then bragged about his exploits on Twitter. Victims included sports companies and adult entertainment sites, among many others.

Police began to monitor the teen’s activity after receiving several complaints early in the year and got a big break last month when the hacker’s anonymizing software failed and his IP address was revealed. He allegedly confessed as soon as he was caught.

“The young man reportedly admitted to being responsible, saying that he was bored and wanted to prove himself. He was described as anti-social, and so looked to the online world for praise and affirmation, possibly being inspired by reports about the hacktivist group Anonymous,” according to the ZDNet report.

“After finding a hacker forum that gave members points for successful attacks, the boy went to work. Three months later, the 15-year-old was in the top 50 hackers of the approximately 2,000 users registered on the forum.”

The article did not say what online tools the Austrian teen used, nor what vulnerabilities he exploited to gain access to Web sites and databases. But the case underscores a security company’s recent findings that show serious vulnerabilities from faulty web site development are dropping, but there’s still a long delay in fixing those flaws once they are discovered.

In an interview with TechWorld, Jeremiah Grossman, the chief technology officer for WhiteHat Security, said last year 148 serious Web site vulnerabilities were introduced by developers, down from 230 in 2010 and 480 in 2009. But, he added, it took organizations an average of 100 days to seal just half of the flaws contained within custom coding.

Part of the delay is because developers must be pulled off other projects to figure out a fix; other times, companies will roll the dice and hope the hole is never discovered externally. But the odds are improving for attackers, who are using more sophisticated tools and techniques to find and take advantage of those coding vulnerabilities.

“Do you take the developer off that [project] and put them on correcting a vulnerability that they know they have but may or may not get exploited and may or may not cost them any money whatsoever?” Grossman said in the TechWorld article. He advocates for developers to write more secure software at the onset. “We’re not going to get perfect at software, but we can get economically good enough software.”

 

 

 

Suggested articles

Jeremiah Grossman on Adapting to a Changing Market

Dennis Fisher talks with Jeremiah Grossman of WhiteHat Security about his RSA Conference talk on the coming change in the security industry regarding guarantees, security insurance and how it will all affect customers.

Discussion

  • Anonymous on

    Austria's Federal Criminal Police Office said the teenager, who used the hacker handle ACK!3STX, used tools available on the Internet to scan for vulnerable Web sites and publish stolen data. 'He then bragged about his exploits on Twitter. Smart move! Blogging about your criminal activities on Twitter, ensures you'll never get caught. (Shakes his head).
  • TOR FAILED MY FOOT on

    I don't buy for one second that his TOR session "failed" and that led them to a "lucky break" to track this guy down.

    1.  Twitter identified him based on his relationships.

    2.  His TOR client was going through nodes run by government/intelligence in the first place and was not actually secure.

  • Anonymous on

    I think he deliberately posted on twitter......why?  How many companies are now trying to hire him to help bolster their security?????

     

     

    smart move kid.....

  • Anonymous on

    What's that they say about idle hands?

  • antihacker123 on

    How the hell does a kid get his hands on top notch security penetrating software and hack into websites without help? that's the QUESTION.

  • Mandy on

    This is a very good article. As far as I’ve read several articles. Thank you

  • Mandy on

    This is a very good article. As far as I’ve read several articles. Thank you

Subscribe to our newsletter, Threatpost Today!

Get the latest breaking news delivered daily to your inbox.