15-Year-Old Arrested For Hacking 259 Companies

An anonymous reader writes "Austrian police have arrested a 15-year-old student suspected of hacking into 259 companies across the span of three months. Authorities allege the suspect scanned the Internet for vulnerabilities and bugs in websites and databases that he could then exploit. As soon as he was questioned, the young boy confessed to the attacks, according to Austria's Federal Criminal Police Office (BMI)."

Not hacking

nerd voice

Excuuuuse me. The term is 'cracking'.

/ nerd voice

Re:Not hacking

[SJHillman]

2600 would disagree

Re:Not hacking

[Tarlus]

The teenager used various hacking tools widely available on the Internet, including software that helped him remain anonymous.

Nothing more than a script kiddie.

Re:Not hacking

[jellomizer]

A real hacker would break into 256 companies, not 259... What was he thinking?
Unless he actually broke into 512 or 1024 companies.

Re:Not hacking

[mcgrew]

Citation? because the AC is correct. I understand how muggles confuse nerd terms, but they've taken OUR word for modifying hardware or writing quick-and-dirty single-use code and we let the muggles mangle the meaning of OUR word! As someone already pointed out, he's not a "hacker", he's a script kiddie. The hackers wrote the code he used for his cyberburglary and cybervandalism.

I never thought I'd see the day when we would be acceptable, let alone the day normal people pretend to be us.

Re:Not hacking

[Nrrqshrr]

He was probably aiming for 1337 companies...

Re:Not hacking

[betterunixthanunix]

He is saying that some people say that "hacker" only refers to people who like to illegally break computer security systems, by referring to 2600, a hacker group known for that sort of thing. I say that anyone who is curious can read 2600 magazine and see that while there are a lot of articles about breaking security systems, there are other articles that are within the scope of the old school meaning of the word "hacker."

Re:Not hacking

[amRadioHed]

First, you use a made-up word...

Care to give an example of a word that is not made-up?

Re:Not hacking

[SJHillman]

Go read 2600 - or go buy their Best Of book, a good read. The editors have repeatedly stated that they're against using the term "cracker" to denote a malicious hacker. I never said whether or not cracker is the correct term, just that 2600 disagrees.

Re:Not hacking

[treeves]

Well, there are only a few of those. That's why they're 1337. Duh.

Re:Not hacking

[naturaverl]

Not anonymous enough.

Re:Not hacking

Care to give an example of a word that is not made-up?

Grunt

It's not made up, because its use predates written languages.

Re:Not hacking

[DurendalMac]

I'd say it's more the level of understanding that differentiates. If you get the tools, have no idea how they work, don't care how they work, etc, then you're a skiddie. If you do know, understand, try to, maybe tinker with them on the lower levels, then maybe you're something more.

Re:Not hacking

[SendBot]

Look, I haven't read any Harry Potter books or seen any of the movies, but even *I* know what a muggle is! God forbid you try to look it up yourself:
http://en.wikipedia.org/wiki/Muggle

Re:Not hacking

[DarwinSurvivor]

all words are made up. Muggle is a valid word. It is in the dictionary because people use it.

http://oxforddictionaries.com/definition/muggle?q=muggle

Re:Not hacking

[Medievalist]

Bruce Perens was addressing a bunch of geeks once and somebody asked him to use the word cracker instead of hacker when referring to computer criminals. Bruce replied "I refuse to use the word cracker because it's insulting to georgian-americans, and will continue to use the phrase computer criminals". I laughed my ass off, but he was right.

Re:Not hacking

[Tarlus]

"Script kiddie" doesn't mean the use of scripts, it's about the attitude embodied in the attack. If the tools are nothing but a means to an end (draining a bank account, blackmailing an executive, etc.) then you're looking at a script kiddie. The fact that tools were used, on its own is not enough to make that call.

I certainly have no qualm with this. That said, I hold that "script kiddie" perfectly fits the description of a 15-year-old who defaces websites and leaks their back-end to the Internet, with probably limited skills. I could be wrong, maybe he's a technical genius who just needs better guidance. Either way, that is a purely pernicious attitude, and while I agree that most web developers/admins deserve this kind of wake-up call, the kid had no greater motive than the enjoyment of stirring the pot under the shroud of anonymity. And that attitude deserves a derogatory name like "script kiddie."

Re:Not hacking

[MightyYar]

I'm asking this as someone who wouldn't even qualify as a script kiddie...

If you were hacking into sites (blackhat, whitehat, whatever), would you do so from home? I would think that at the very least, you'd get in your car and look for open WiFi. I imagine that with the high-speed cell networks and prepaid phones you could even afford to hack from anywhere with a cell signal.

But certainly not from your home network?

Re:Not hacking

[hellkyng]

Actually I believe he was going for 640 companies broken into, and that really ought to be enough for anyone.

Re:Not hacking

[History's+Coming+To]

One of the connotations "script kiddie" carries is of a certain naiveté. In many cases people will download a ready-made script (hence the term) to, for example, scan for a security hole in an out-dated Wordpress installation, I see them the whole time in my server logs.

You're correct though, doing it from behind your home router is generally a dumb thing to do because it's so traceable. The easy alternative is to go through anonymous proxy servers which don't log the traffic (and they do have legitimate uses, both morally and legally). Or, as you point out, find a different physical network, although this is still traceable in many ways if you're suspected of nefarious japes.

Re:Not hacking

because you always use the word muggles incorrectly.

Re:Not hacking

[cffrost]

all words are made up. Muggle is a valid word. It is in the dictionary because people use it.

http://oxforddictionaries.com/definition/muggle?q=muggle

Haha I love Oxford's example: "she’s a muggle: no IT background, understanding, or aptitude at all"

Re:Not hacking

[Securityemo]

For defacement, "asshole" is a much better term regardless of skill level. Moral judgment should be separate from judgment of skill.

Re:Not hacking

[WillHirsch]

When are nerds going to accept that "hacking" has a perfectly legitimate second meaning? It is really really simple. If the object of the hacking is a technology, you can carry on using the maker-hobbyist-anorak definition. But when the object is an individual or a group using some sort of electronic security, hacking means compromising that security in whatever way you want. If the hacking is being done "into" something, there is no ambiguity at all. This has been the understood meaning ever since people who don't know how to hack in any form have had cause to talk about hacking.

Re:Not hacking

[DurendalMac]

Well, you can be an asshole if you just throw crap for defacement or you can be an asshole if you build your own custom software and find a new exploit to steal a bunch of SSNs for identity theft. Skiddie is almost universally negative, but someone could use such tools for a good cause. Shame that it's so rare.

Re:Not hacking

[DarwinSurvivor]

Hmm, sounds like an IT-Crowd reference... Must investigate!

Re:Not hacking

[tehcyder]

First, you use a made-up word...

Care to give an example of a word that is not made-up?

God.

Oh, wait...

Re:Not hacking

[Ash-Fox]

When are nerds going to accept that "hacking" has a perfectly legitimate second meaning?

Never. You have your answer.

Re:Not hacking

[mcgrew]

Yes, it's a made-up word, but is in common useage. It's simply someone who is normal, not a wizard.

Re:Not hacking

[sfhock]

http://bit.ly/IAXJB0 he disagrees

Re:Not hacking

[Myopic]

I disagree. My understanding is that "hacker" predates "cracker", and that some nerds decided they didn't like the pejorative sense of "hacker", so they adopted it as their own (cf. "nigger") and proffered "cracker" as a pejorative replacement. Most nerds, and all non-nerds, rejected this attempt at redefining the word "hacker", and continued to use it with its original meaning. To this day, that minority of nerds, especially the ones who like rhetorical pugilism, continue to make their specious case on Internet forums.

I offer the Oxford dictionary as a cite: hacker. Note that your preferred definition is given as a secondary, informal definition. Their definition of "cracker" is similar.

Hacking is not a crime.

It's a survival trait.

Re:Hacking is not a crime.

[kelemvor4]

It's a survival trait.

Right. Just like when I was a kid we used to say "skateboarding is not a crime".... until we got in trouble for it.

Re:Hacking is not a crime.

[Dainsanefh]

He will probably get probation instead. This is Europe, not Amerika, remember...

Not surprised

Austria is a former penal colony. All their citizens are descended from criminals.

Re:Not surprised

[DarwinSurvivor]

Right, because nobody immigrates there...

Re:Not surprised

As this is Austria I would say the correct /idiotic/ reply should have been something like "Thow another strudel in the oven"

script kiddie

[rst123]

Any one else read this as nmap and known vulnerabilities?

Re:script kiddie

[rsmith84]

I was thinking the exact thing. That plus good old hacker-target.com

Re:script kiddie

[sl4shd0rk]

Any one else read this as nmap

No, Nessus.

Re:script kiddie

[motd2k]

Almost all the kiddie sweeps we're seeing these days are from acunetix.

Hey

[obliv!on]

That's 1507 systems to you and he's 11! ;)

Re:Hey

[nschubach]

Hell, if it were me... I think I'd stop at popular numbers. Pick a pattern of common computer values like 16 sites, then stop for a while, then 64, then 256, then 1024.

System Operator arrested

[Ranx]

System Operator arrested for leaving the computer system of the company he worked for vulnerable for attacks by kids. Oh wait...

Re:System Operator arrested

[nschubach]

...or their lawn gnomes stolen for not chaining them down!

Re:System Operator arrested

[TehZorroness]

But do we arrest bankers who keep confidential client information in their house while they are on vacation and leave the back door unlocked so their neighbor can feed their cat? That seems like a closer analogy.

Re:System Operator arrested

[noahwh]

Perhaps you mean fired? Or possibly promoted, if it's a government job.

Re:System Operator arrested

[Lunix+Nutcase]

No. We don't arrest bankers, silly. We give them golden parachutes.

Re:System Operator arrested

[Skapare]

Yes, that is not an arrestable offense. Just as we don't arrest people who leave their house unlocked.

There, fixed it for ya.

Re:System Operator arrested

[izomiac]

OTOH, we would probably fire a safe designer if a 15 year old could easily open it without the combination. Similar to how someone in charge of physical security would be terminated if 15 year olds could non-destructively enter the building as they pleased.

Re:System Operator arrested

[Opportunist]

But at least the insurance refuses to pay if you leave the key under the doormat, or don't even close the door altogether.

Not so with computer crimes. No matter what a complete idiot you are, you're never to blame.

Re:System Operator arrested

[Opportunist]

We arrest bankers? Huh? Where? Hell, they're completely exempt from any liability as well, they can ruin whole economies and nobody will bother.

Re:System Operator arrested

[ArsenneLupin]

But what if the lawn gnomes then commit mischief elsewhere? Shouldn't the owner be held responsible? Just look at what happened to France, after some sloppy gardener didn't pay attention to his gnome...

Re:System Operator arrested

[ZeroSumHappiness]

Wow. That's absurd. That's beyond absurd. That's Monty Python level absurdity. I can see it now, a thief informing a cop that he just stole everything from a cop and the cop going off to fine the car's owner.

I can't wait until a thief unlocks a car, steals everything in it, then leaves it unlocked for the owner to later be fined. I guess that means it's effectively illegal to have broken locks on your car or to lose your door key for older cars that have separate door and ignition keys.

What is going on here. I don't get it. This is pretty much just victim blaming.

Re:System Operator arrested

[Nikker]

You have to wonder, at what point do these companies start to feel stupid and have to *share* the blame?

Re:System Operator arrested

[MightyYar]

If only... gold would make a terrible parachute.

Re:System Operator arrested

[JonySuede]

then maybe not.
If the resistance of a nano-wiremade out of gold is acceptable, you could make a parachute constructed out of a few layer of bi-dimensionally woven gold nanowires. But it would be incredibly expensive to do so; so much that at that point that banker's parachute could be made out of unobtainium.

Re:System Operator arrested

[skine]

Not necessarily.

For example, the Mythbusters made a lead balloon that flew.

Re:System Operator arrested

[aaaaaaargh!]

Actually, if you store others confidential personal information, money, credit card info, and so in in your house as a free "cloud service" and then leave the backdoor wide open, you will get arrested if someone gets to know about it.

Re:System Operator arrested

[MightyYar]

I don't understand... gold doesn't hold a sharp point at all. Terrible material for that.

You people are crazy - first this talk of using golden parachutes, which would likely kill the poor bankers.

Then you talk of making gold into points... not only would it cost way too much and add undue weight to the front of your projectile, but if the banker has any kind of body armor on it certainly couldn't pierce it.

Re:Fucking Australians

[Mitchell314]

The the number of Austrians living among Australians isn't that high though, so you can't really blame the latter . . .

Hey, it's Zer0C00L!

His youthful adventure is about to begin.

Re:Fucking Americans

Always fucking things up, hey dude, go on a geography class? Idiots can't tell the difference between Austria and Australia.

Things like this are why they elected presidents like W Bush...

Re:Brilliant

[Tarlus]

crumb* of intelligence

Win

[jdog90000]

That child is a beast. Too bad he got caught xD

Re:Win

[doston]

That child is a beast. Too bad he got caught xD

That's what I thought. Thought the same about the barefoot bandit. But fear not, they'll get the kid in college, hook him up with a job and turn him into a cubicle drone in no time.

Re:Fucking Australians

[Tarlus]

Austria. Not Australia.

Re:Brilliant

[Lunix+Nutcase]

Ha ha! Spelling Nazi fail.

Re:Brilliant

[delysid-x]

Let's make a scrumb of intelligence

Re:Fucking Australians

[Lunix+Nutcase]

Yeah, it's almost as if they were making a joke about people who confuse them...

Re:Fucking Australians

[Tarlus]

One can only wonder...

Re:hmm

[delysid-x]

Most 15 year olds are too lazy to even run a script if they can't do it with a console controller. The new crop of teens doesn't know anything about computers because they came up on Windows and Mac systems. When I was a teener hacking was pretty cool and got you respect on the BBS scene. These days kids just aren't into that sort of thing. I gotta give this kid props for even trying, even if he was a script kiddie. He knows a lot more than the rest of his school probably.

8bit hacking

[tom17]

See, the problem was that he is only an 8-bit hacker. He should have stopped at 256 companies or upgraded to 16-bit.

It's the overflows that got him :(

Hollywood would disagree

[betterunixthanunix]

If you actually read 2600 magazine, the scope of the articles fits in with the typical definition of a hacker: someone who likes to tinker with computers and other electronics. There is something of a bias toward computer security, but I have also seen articles about undocumented functions of electronics, technical information about various networking equipment, and so forth.

Hollywood, on the other hand, turned "hacker" into a code word for "computer criminal." No surprises there, given that Hollywood's view of computing is basically the antithesis of what the old school hackers had in mind. Hollywood thinks that computers should only be programmed by licensed professionals, who can be held accountable for the software they write (e.g. deCSS). In Hollywood's view of the world, if you buy a computer that has been programmed to stop you from running your own software (e.g. an iPhone, a PS3, etc.), then defeating those restrictions is criminal behavior -- and they got that codified in the law with the DMCA.

Re:Hollywood would disagree

[FingerDemon]

Hollywood thinks...

Citation needed...

Re:Hollywood would disagree

[SJHillman]

I was referring to the parent poster who (sarcastically) was saying it's cracking, not hacking. The editors of 2600 have repeatedly stated that they don't support segregating cracking and hacking, that malicious acts do fall under "hacking" just as much as non-malicious acts.

Re:Hollywood would disagree

[Cerium]

http://www.imdb.com/title/tt0113243/ :D

Re:Hollywood would disagree

[Ash-Fox]

The editors of 2600 have repeatedly stated that they don't support segregating cracking and hacking, that malicious acts do fall under "hacking" just as much as non-malicious acts.

It's more to do with the fact they (2600) fall under the 'grey hat' category .

Re:Hollywood would disagree

[The+Pirou]

I haven't read a fresh copy of 2600 in a very long time, but in picking up a random copy off the shelf (Fall 1998) there is an article on page 15 called 'Back Orifice Tutorial.' The article went on to describe basic social engineering skills and methodology for operating this software. There were are also several other articles of interest such as 'Screwing with Moviefone' and 'Screwing with Radio Shack & Compaq' in the particular issue, all of which seemed like they were aimed at script kiddies. As you mentioned, there are articles about undocumented functions of electronics and old school technical breakdowns, but by and large those articles probably aren't what were driving 2600 sales numbers. (After all, Emmanuel Goldstein did get name dropped by Cereal Killer in Hackers, and there was never a cooler movie than Hackers)

As far as the typical definition of hacker, things change, then CISCO makes it course material so that the next generation believes it.

some of the CIOs at the hacked places tell ceo

[Joe_Dragon]

some of the CIOs at the hacked places should tell the ceo. This is what your cost cutting did it got us hacked as you did not give the IT team the funds to upgrade to newer software and hardware.

Re:some of the CIOs at the hacked places tell ceo

[danbuter]

Except that would likely get the CIO fired, as CEOs are incapable of making bad decisions.

BEULLER!!!!!

[retroworks]

In his defense, the lad said " Life moves pretty fast. If you don't stop and look around once in a while, you could miss it. "

Re:Fucking Australians

[Wraithlyn]

Or maybe in his rush for a f1st p0st, this AC actually just misread it as Australia and made a stupid attempt at humour.

Re:hmm

[uigrad_2000]

Who ever brought up sympathy? I think you're in the wrong discussion.

There's a company with a professionally managed network (let's call it Goliath) that has huge open vulnerabilities. All the adults stand around and point, and discuss it. "I'd take it down, to show how bad this vulnerability is, except that it's too easy. It's not that I'm afraid of being caught... No, no, I'm not chicken. It's just... below me."

Finally some 15 year old kiddie named David steps up, and says "Why are you so afraid of Goliath? Give me a bash-style sling, and 5 smooth scripts, and I'll take it down!"

As David is hauled off to prison, the adults observing the matter continue to discuss it: "Well, he deserves prison. I have no sympathy for sling and smooth scripts kiddies."

Hack the planet!!1!

[WaffleMonster]

The only thing worse than being hacked by a bored 15 year old is being hacked by someone with an agenda.

I think governments should sponsor public hacking competitions with basic code of ethics rules and immunity from any legal or civil actions. Better than wasting billions "cyber defense".

Re:Security blanket

[b4dc0d3r]

A 15 year old most likely is not mature enough to have that level of understanding.

Disregarding his age, anyone would fall into the same trap. Dip your feet in the water, and don't get caught. Go a little further, and still remain undetected. Maybe you get detected next time, but they can't find you. All from the psychologically safe bedroom/basement instead of getting in your car (which a 15 year old in Austria may not be allowed to do).

Once you truly understand how the network works, and you're writing your own tools, you understand that the safest place you can be is in public, away from anything personal including hotel reservations. But that also has to include CCTV or other surveillance. Until then, the comfort zone of "home" makes you feel you can not get caught. The illusion of safety when you are at your most vulnerable. Especially when repeated attacks come from the same place.

Disclaimer: I'm not a white hat, nor a black hat, nor an any hat. But I have read a lot about people and what makes them do stupid things.

Re:Security blanket

[PuZZleDucK]

Thanks b4dc0d3r,

Now I know why i did all those stupid things :p

About as dangerous as foot fungus

[alphatel]

If you look at the screenshots of what he defaced, it was default joomla templates on dead websites. If you read the forum he was in, it has about 50 active members of 2000 registered, and he was ranked the 50th best. This kid is about as dangerous as soap. If they even bother to sentence him it would be a joke. He knows nothing of real hacking and we should be thankful that Darwin has weeded him out early.

Pathetic

[Steven_M_Campbell]

259 companies aren't terribly embarrassed about implementing systems so badly that a 15 yr kid using cut and paste broke into their systems and viewed our personal information, credit card numbers, the dreaded social security number, etc, etc.

We really need to start taking these companies to task for their pitiful respect of the information we entrust to them. The kids in the wrong, no argument from me there, but couldn't they at least have invested enough effort to prevent point and drool attacks from working?

"Pathetic" -- Chiun

Re:better tools would solve stupid law enforcement

[Securityemo]

Why would any of those care about the fate of 15-year-old script kiddies?

Not Hacking

[alan11]

Ok no problem, everyone is trying their best to give their best ,in my view boy's career is very bright if follows the + path Granite Worktops

Re:hmm

[tibman]

Already commented so i couldn't mod you up. I like your perspective on this. It's also silly to assume that a skiddie would stay at that level. Most people start with preexisting tools and work their way up. But there is still disdain for it.

Re:better tools would solve stupid law enforcement

[tibman]

I disagree that it should be made safer for unknowing people to get into hacking. How about more lenience and forgiveness? There are guns laying around (cyber weapons) within reach of teenagers. Some kid is going to shoot a hole in the neighbor's house because he wanted to see what happened when he pulled the trigger. Have the kid do the labor to fix it and forgive him. He'll either take up shooting at a range where it's safe, quit entirely, or start his criminal career. Hopefully one of the first two. Skilled shooters will always be needed though.

Damnit.. should have used cars in there somewhere.

Re:Security blanket

[karnal]

And an additional "a" if we really want to be going to specifics.

Re:Brilliant

[Tarlus]

Actually, I was just amused by the irony of that statement.