Feeds

Twitter worm author gets security job

Teen causes chaos, employed, hacked

High performance access to file storage

The self-confessed author of the recent Twitter worm has scored a potentially lucrative job doing security analysis and web development work.

Michael "Mikeyy" Mooney, a 17 year-old student from Brooklyn, New York, created a worm that exploited cross-site scripting vulnerabilities in a ham-fisted attempt to promote a site he ran, called StalkDaily. The worm created thousands of automated tweets and spawned a number of copy-cat attacks.

Two software development firms have offered Mikeyy-boy jobs since his worm created chaos on the social networking site last weekend. The miscreant has reportedly already accepted one of these jobs.

Travis Rowland, 24, founder and chief exec of Web applications development firm exqSoft Solutions, told ABC that Mooney has accepted the job he offered, which will involve security analysis and Web development. Rowland admits that hiring Mooney will help publicise his firm, adding that he's sympathetic to Mooney's situation because he once worked in military intelligence and "landed that position in a similar fashion".

There's no independent confirmation of this claim from the previously obscure Rowland.

Mooney describes creating computer worms as a hobby, telling ABC he's made five other worms over recent years. He's aware that he crossed the line with the Twitter attack but claims that he could have done much worse and suggests he was only attempting to publicise flaws. Nonetheless, his parents have still retained the services of a lawyer.

History repeating

The teenager is far from the first malicious hacker to be offered a job after a high-profile hack. For example, convicted Kiwi botherder Owen Thor Walker was offered a job as as a security consultant for TelstraClear, the NZ subsidiary of the Australian telco, last month.

In both cases the individuals involved were young and therefore capable of rehabilitation. Security watchers however criticised the indecent haste in which they were brought back into the world of work and questioned their security credentials.

"Mikeyy didn't just waste the time of thousands of Twitter users - he also put them at considerable risk," said Graham Cluley, senior technology consultant at Sophos. "Imagine if financially-motivated hackers had seen what Mikeyy was doing and used the XSS flaw to steal identities and install malware, as Twitter scrabbled to get the problem fixed."

"So, Mikeyy proved two things with his worms. One was that there was a problem with Twitter. The other was that Mikeyy Mooney had no problem with acting irresponsibly. He may very well be skilled in some aspects of computing, but there are plenty of other people out there with those skills who have not shown themselves to have such questionable judgment," he added.

Cluley dismissed exqSoft's job offer as a cheap publicity stunt.

"The company that has offered Mikeyy a job has got itself some cheap exposure in the press. It's a publicity stunt. But they are in effect encouraging other youngsters to behave like complete twits. Hackers who act like Mikeyy Mooney are not geniuses, and we don't need a stream of other kids who want a job hunting for flaws to exploit in software and websites, rather than reporting them responsibly."

Chris Boyd, director of research at FaceTime Security Labs, also argued Mooney would have done better to report the problem to Twitter, rather than offering lame excuses after creating malware.

"Anytime someone causes intentional disruption to a service with the rather lame excuse that 'they weren't listening to me' as justification, is a very clear and public signal that they probably can't be trusted. I've seen 'they weren't listening to me' used for everything from defacing an entire school's set of websites to wiping out hundreds of gaming forums with SQL exploits. If we all gave up at the first point of contact with a company having security issues, I tend to think the net would be a smoldering pile of dead wood before long."

Mikeyy is far from the elite hacker some reports have painted him as, Boyd adds.

"As far as "Mikeyy" goes, his rather overt display has gained attention from numerous groups in the hacking realm, one of which has already claimed his scalp in rather spectacular fashion (see here)."

"All he has to show for his exploit is a lot of bad rep and a pile of hacked accounts. I doubt he still thinks it was worth it," Boyd concludes. ®

High performance access to file storage

More from The Register

next story
OpenSSL Heartbleed: Bloody nose for open-source bleeding hearts
Bloke behind the cockup says not enough people are helping crucial crypto project
Web data BLEEDOUT: Users to feel the pain as Heartbleed bug revealed
Vendors and ISPs have work to do updating firmware - if it's possible to fix this
One year on: diplomatic fail as Chinese APT gangs get back to work
Mandiant says past 12 months shows Beijing won't call off its hackers
Obama allows NSA to exploit 0-days: report
If the spooks say they need it, they get it
Call of Duty 'fragged using OpenSSL's Heartbleed exploit'
So it begins ... or maybe not, says one analyst
Heartbleed exploit, inoculation, both released
File under 'this is going to hurt you more than it hurts me'
Experian subsidiary faces MEGA-PROBE for 'selling consumer data to fraudster'
US attorneys general roll up sleeves, snap on gloves
Bad PUPPY: Undead Windows XP deposits fresh scamware on lawn
Installing random interwebs shiz will bork your zombie box
prev story

Whitepapers

Mainstay ROI - Does application security pay?
In this whitepaper learn how you and your enterprise might benefit from better software security.
Five 3D headsets to be won!
We were so impressed by the Durovis Dive headset we’ve asked the company to give some away to Reg readers.
3 Big data security analytics techniques
Applying these Big Data security analytics techniques can help you make your business safer by detecting attacks early, before significant damage is done.
The benefits of software based PBX
Why you should break free from your proprietary PBX and how to leverage your existing server hardware.
Mobile application security study
Download this report to see the alarming realities regarding the sheer number of applications vulnerable to attack, as well as the most common and easily addressable vulnerability errors.