Feeds

Twitter worm author gets security job

Teen causes chaos, employed, hacked

Choosing a cloud hosting partner with confidence

The self-confessed author of the recent Twitter worm has scored a potentially lucrative job doing security analysis and web development work.

Michael "Mikeyy" Mooney, a 17 year-old student from Brooklyn, New York, created a worm that exploited cross-site scripting vulnerabilities in a ham-fisted attempt to promote a site he ran, called StalkDaily. The worm created thousands of automated tweets and spawned a number of copy-cat attacks.

Two software development firms have offered Mikeyy-boy jobs since his worm created chaos on the social networking site last weekend. The miscreant has reportedly already accepted one of these jobs.

Travis Rowland, 24, founder and chief exec of Web applications development firm exqSoft Solutions, told ABC that Mooney has accepted the job he offered, which will involve security analysis and Web development. Rowland admits that hiring Mooney will help publicise his firm, adding that he's sympathetic to Mooney's situation because he once worked in military intelligence and "landed that position in a similar fashion".

There's no independent confirmation of this claim from the previously obscure Rowland.

Mooney describes creating computer worms as a hobby, telling ABC he's made five other worms over recent years. He's aware that he crossed the line with the Twitter attack but claims that he could have done much worse and suggests he was only attempting to publicise flaws. Nonetheless, his parents have still retained the services of a lawyer.

History repeating

The teenager is far from the first malicious hacker to be offered a job after a high-profile hack. For example, convicted Kiwi botherder Owen Thor Walker was offered a job as as a security consultant for TelstraClear, the NZ subsidiary of the Australian telco, last month.

In both cases the individuals involved were young and therefore capable of rehabilitation. Security watchers however criticised the indecent haste in which they were brought back into the world of work and questioned their security credentials.

"Mikeyy didn't just waste the time of thousands of Twitter users - he also put them at considerable risk," said Graham Cluley, senior technology consultant at Sophos. "Imagine if financially-motivated hackers had seen what Mikeyy was doing and used the XSS flaw to steal identities and install malware, as Twitter scrabbled to get the problem fixed."

"So, Mikeyy proved two things with his worms. One was that there was a problem with Twitter. The other was that Mikeyy Mooney had no problem with acting irresponsibly. He may very well be skilled in some aspects of computing, but there are plenty of other people out there with those skills who have not shown themselves to have such questionable judgment," he added.

Cluley dismissed exqSoft's job offer as a cheap publicity stunt.

"The company that has offered Mikeyy a job has got itself some cheap exposure in the press. It's a publicity stunt. But they are in effect encouraging other youngsters to behave like complete twits. Hackers who act like Mikeyy Mooney are not geniuses, and we don't need a stream of other kids who want a job hunting for flaws to exploit in software and websites, rather than reporting them responsibly."

Chris Boyd, director of research at FaceTime Security Labs, also argued Mooney would have done better to report the problem to Twitter, rather than offering lame excuses after creating malware.

"Anytime someone causes intentional disruption to a service with the rather lame excuse that 'they weren't listening to me' as justification, is a very clear and public signal that they probably can't be trusted. I've seen 'they weren't listening to me' used for everything from defacing an entire school's set of websites to wiping out hundreds of gaming forums with SQL exploits. If we all gave up at the first point of contact with a company having security issues, I tend to think the net would be a smoldering pile of dead wood before long."

Mikeyy is far from the elite hacker some reports have painted him as, Boyd adds.

"As far as "Mikeyy" goes, his rather overt display has gained attention from numerous groups in the hacking realm, one of which has already claimed his scalp in rather spectacular fashion (see here)."

"All he has to show for his exploit is a lot of bad rep and a pile of hacked accounts. I doubt he still thinks it was worth it," Boyd concludes. ®

Top 5 reasons to deploy VMware with Tegile

More from The Register

next story
Regin: The super-spyware the security industry has been silent about
NSA fingered as likely source of complex malware family
Why did it take antivirus giants YEARS to drill into super-scary Regin? Symantec responds...
FYI this isn't just going to target Windows, Linux and OS X fans
Privacy bods offer GOV SPY VICTIMS a FREE SPYWARE SNIFFER
Looks for gov malware that evades most antivirus
Patch NOW! Microsoft slings emergency bug fix at Windows admins
Vulnerability promotes lusers to domain overlords ... oops
HACKERS can DELETE SURVEILLANCE DVRS remotely – report
Hikvision devices wide open to hacking, claim securobods
'Regin': The 'New Stuxnet' spook-grade SOFTWARE WEAPON described
'A degree of technical competence rarely seen'
Astro-boffins start opening universe simulation data
Got a supercomputer? Want to simulate a universe? Here you go
prev story

Whitepapers

Driving business with continuous operational intelligence
Introducing an innovative approach offered by ExtraHop for producing continuous operational intelligence.
Why CIOs should rethink endpoint data protection in the age of mobility
Assessing trends in data protection, specifically with respect to mobile devices, BYOD, and remote employees.
A strategic approach to identity relationship management
ForgeRock commissioned Forrester to evaluate companies’ IAM practices and requirements when it comes to customer-facing scenarios versus employee-facing ones.
High Performance for All
While HPC is not new, it has traditionally been seen as a specialist area – is it now geared up to meet more mainstream requirements?
Protecting against web application threats using SSL
SSL encryption can protect server‐to‐server communications, client devices, cloud resources, and other endpoints in order to help prevent the risk of data loss and losing customer trust.