Feeds

Twitter worm author gets security job

Teen causes chaos, employed, hacked

Website security in corporate America

The self-confessed author of the recent Twitter worm has scored a potentially lucrative job doing security analysis and web development work.

Michael "Mikeyy" Mooney, a 17 year-old student from Brooklyn, New York, created a worm that exploited cross-site scripting vulnerabilities in a ham-fisted attempt to promote a site he ran, called StalkDaily. The worm created thousands of automated tweets and spawned a number of copy-cat attacks.

Two software development firms have offered Mikeyy-boy jobs since his worm created chaos on the social networking site last weekend. The miscreant has reportedly already accepted one of these jobs.

Travis Rowland, 24, founder and chief exec of Web applications development firm exqSoft Solutions, told ABC that Mooney has accepted the job he offered, which will involve security analysis and Web development. Rowland admits that hiring Mooney will help publicise his firm, adding that he's sympathetic to Mooney's situation because he once worked in military intelligence and "landed that position in a similar fashion".

There's no independent confirmation of this claim from the previously obscure Rowland.

Mooney describes creating computer worms as a hobby, telling ABC he's made five other worms over recent years. He's aware that he crossed the line with the Twitter attack but claims that he could have done much worse and suggests he was only attempting to publicise flaws. Nonetheless, his parents have still retained the services of a lawyer.

History repeating

The teenager is far from the first malicious hacker to be offered a job after a high-profile hack. For example, convicted Kiwi botherder Owen Thor Walker was offered a job as as a security consultant for TelstraClear, the NZ subsidiary of the Australian telco, last month.

In both cases the individuals involved were young and therefore capable of rehabilitation. Security watchers however criticised the indecent haste in which they were brought back into the world of work and questioned their security credentials.

"Mikeyy didn't just waste the time of thousands of Twitter users - he also put them at considerable risk," said Graham Cluley, senior technology consultant at Sophos. "Imagine if financially-motivated hackers had seen what Mikeyy was doing and used the XSS flaw to steal identities and install malware, as Twitter scrabbled to get the problem fixed."

"So, Mikeyy proved two things with his worms. One was that there was a problem with Twitter. The other was that Mikeyy Mooney had no problem with acting irresponsibly. He may very well be skilled in some aspects of computing, but there are plenty of other people out there with those skills who have not shown themselves to have such questionable judgment," he added.

Cluley dismissed exqSoft's job offer as a cheap publicity stunt.

"The company that has offered Mikeyy a job has got itself some cheap exposure in the press. It's a publicity stunt. But they are in effect encouraging other youngsters to behave like complete twits. Hackers who act like Mikeyy Mooney are not geniuses, and we don't need a stream of other kids who want a job hunting for flaws to exploit in software and websites, rather than reporting them responsibly."

Chris Boyd, director of research at FaceTime Security Labs, also argued Mooney would have done better to report the problem to Twitter, rather than offering lame excuses after creating malware.

"Anytime someone causes intentional disruption to a service with the rather lame excuse that 'they weren't listening to me' as justification, is a very clear and public signal that they probably can't be trusted. I've seen 'they weren't listening to me' used for everything from defacing an entire school's set of websites to wiping out hundreds of gaming forums with SQL exploits. If we all gave up at the first point of contact with a company having security issues, I tend to think the net would be a smoldering pile of dead wood before long."

Mikeyy is far from the elite hacker some reports have painted him as, Boyd adds.

"As far as "Mikeyy" goes, his rather overt display has gained attention from numerous groups in the hacking realm, one of which has already claimed his scalp in rather spectacular fashion (see here)."

"All he has to show for his exploit is a lot of bad rep and a pile of hacked accounts. I doubt he still thinks it was worth it," Boyd concludes. ®

Protecting users from Firesheep and other Sidejacking attacks with SSL

More from The Register

next story
Early result from Scots indyref vote? NAW, Jimmy - it's a SCAM
Anyone claiming to know before tomorrow is telling porkies
TOR users become FBI's No.1 hacking target after legal power grab
Be afeared, me hearties, these scoundrels be spying our signals
Home Depot: 56 million bank cards pwned by malware in our tills
That's about 50 per cent bigger than the Target tills mega-hack
Hackers pop Brazil newspaper to root home routers
Step One: try default passwords. Step Two: Repeat Step One until success
NORKS ban Wi-Fi and satellite internet at embassies
Crackdown on tardy diplomatic sysadmins providing accidental unfiltered internet access
UK.gov lobs another fistful of change at SME infosec nightmares
Senior Lib Dem in 'trying to be relevant' shocker. It's only taxpayers' money, after all
Critical Adobe Reader and Acrobat patches FINALLY make it out
Eight vulns healed, including XSS and DoS paths
Spies would need SUPER POWERS to tap undersea cables
Why mess with armoured 10kV cables when land-based, and legal, snoop tools are easier?
prev story

Whitepapers

Secure remote control for conventional and virtual desktops
Balancing user privacy and privileged access, in accordance with compliance frameworks and legislation. Evaluating any potential remote control choice.
WIN a very cool portable ZX Spectrum
Win a one-off portable Spectrum built by legendary hardware hacker Ben Heck
Storage capacity and performance optimization at Mizuno USA
Mizuno USA turn to Tegile storage technology to solve both their SAN and backup issues.
High Performance for All
While HPC is not new, it has traditionally been seen as a specialist area – is it now geared up to meet more mainstream requirements?
The next step in data security
With recent increased privacy concerns and computers becoming more powerful, the chance of hackers being able to crack smaller-sized RSA keys increases.