Feeds

Twitter worm author gets security job

Teen causes chaos, employed, hacked

Security for virtualized datacentres

The self-confessed author of the recent Twitter worm has scored a potentially lucrative job doing security analysis and web development work.

Michael "Mikeyy" Mooney, a 17 year-old student from Brooklyn, New York, created a worm that exploited cross-site scripting vulnerabilities in a ham-fisted attempt to promote a site he ran, called StalkDaily. The worm created thousands of automated tweets and spawned a number of copy-cat attacks.

Two software development firms have offered Mikeyy-boy jobs since his worm created chaos on the social networking site last weekend. The miscreant has reportedly already accepted one of these jobs.

Travis Rowland, 24, founder and chief exec of Web applications development firm exqSoft Solutions, told ABC that Mooney has accepted the job he offered, which will involve security analysis and Web development. Rowland admits that hiring Mooney will help publicise his firm, adding that he's sympathetic to Mooney's situation because he once worked in military intelligence and "landed that position in a similar fashion".

There's no independent confirmation of this claim from the previously obscure Rowland.

Mooney describes creating computer worms as a hobby, telling ABC he's made five other worms over recent years. He's aware that he crossed the line with the Twitter attack but claims that he could have done much worse and suggests he was only attempting to publicise flaws. Nonetheless, his parents have still retained the services of a lawyer.

History repeating

The teenager is far from the first malicious hacker to be offered a job after a high-profile hack. For example, convicted Kiwi botherder Owen Thor Walker was offered a job as as a security consultant for TelstraClear, the NZ subsidiary of the Australian telco, last month.

In both cases the individuals involved were young and therefore capable of rehabilitation. Security watchers however criticised the indecent haste in which they were brought back into the world of work and questioned their security credentials.

"Mikeyy didn't just waste the time of thousands of Twitter users - he also put them at considerable risk," said Graham Cluley, senior technology consultant at Sophos. "Imagine if financially-motivated hackers had seen what Mikeyy was doing and used the XSS flaw to steal identities and install malware, as Twitter scrabbled to get the problem fixed."

"So, Mikeyy proved two things with his worms. One was that there was a problem with Twitter. The other was that Mikeyy Mooney had no problem with acting irresponsibly. He may very well be skilled in some aspects of computing, but there are plenty of other people out there with those skills who have not shown themselves to have such questionable judgment," he added.

Cluley dismissed exqSoft's job offer as a cheap publicity stunt.

"The company that has offered Mikeyy a job has got itself some cheap exposure in the press. It's a publicity stunt. But they are in effect encouraging other youngsters to behave like complete twits. Hackers who act like Mikeyy Mooney are not geniuses, and we don't need a stream of other kids who want a job hunting for flaws to exploit in software and websites, rather than reporting them responsibly."

Chris Boyd, director of research at FaceTime Security Labs, also argued Mooney would have done better to report the problem to Twitter, rather than offering lame excuses after creating malware.

"Anytime someone causes intentional disruption to a service with the rather lame excuse that 'they weren't listening to me' as justification, is a very clear and public signal that they probably can't be trusted. I've seen 'they weren't listening to me' used for everything from defacing an entire school's set of websites to wiping out hundreds of gaming forums with SQL exploits. If we all gave up at the first point of contact with a company having security issues, I tend to think the net would be a smoldering pile of dead wood before long."

Mikeyy is far from the elite hacker some reports have painted him as, Boyd adds.

"As far as "Mikeyy" goes, his rather overt display has gained attention from numerous groups in the hacking realm, one of which has already claimed his scalp in rather spectacular fashion (see here)."

"All he has to show for his exploit is a lot of bad rep and a pile of hacked accounts. I doubt he still thinks it was worth it," Boyd concludes. ®

Beginner's guide to SSL certificates

More from The Register

next story
FYI: OS X Yosemite's Spotlight tells Apple EVERYTHING you're looking for
It's on by default – didn't you read the small print?
Microsoft pulls another dodgy patch
Redmond makes a hash of hashing add-on
NOT OK GOOGLE: Android images can conceal code
It's been fixed, but hordes won't have applied the upgrade
Edward who? GCHQ boss dodges Snowden topic during last speech
UK spies would rather 'walk' than do 'mass surveillance'
DEATH by PowerPoint: Microsoft warns of 0-day attack hidden in slides
Might put out patch in update, might chuck it out sooner
'LulzSec leader Aush0k' found to be naughty boy not worthy of jail
15 months home detention leaves egg on feds' faces as they grab for more power
prev story

Whitepapers

Cloud and hybrid-cloud data protection for VMware
Learn how quick and easy it is to configure backups and perform restores for VMware environments.
A strategic approach to identity relationship management
ForgeRock commissioned Forrester to evaluate companies’ IAM practices and requirements when it comes to customer-facing scenarios versus employee-facing ones.
High Performance for All
While HPC is not new, it has traditionally been seen as a specialist area – is it now geared up to meet more mainstream requirements?
Three 1TB solid state scorchers up for grabs
Big SSDs can be expensive but think big and think free because you could be the lucky winner of one of three 1TB Samsung SSD 840 EVO drives that we’re giving away worth over £300 apiece.
Security for virtualized datacentres
Legacy security solutions are inefficient due to the architectural differences between physical and virtual environments.