Dark Reading is part of the Informa Tech Division of Informa PLC

Attacks/Breaches

11/25/2015
10:30 AM
Peter Gyongyosi
Commentary

The Youthful Side Of Hacking

If the iconic 1955 movie Rebel Without a Cause was remade today, would James Dean be a computer hacker?

Teenage rebellion against authority is nothing new, but now it’s targeting faceless entities such as telecommunication firms, as in the recent TalkTalk breach.

Recent history shows that young cyber attackers are not a new phenomenon. The most high-profile cases that involved teenagers were probably the actions of the LulzSec hacker group. They claimed responsibility for several attacks, mostly denial-of-service, against high-profile targets such as the US Senate, Sony Pictures, News Corporation, and the CIA. The group triggered an international investigation and was brought down during the second half of 2011. At least two members of the group, Ryan Cleary and Jake Davis, were identified as being under the age of 20 at that time.

A more current story is the hack of the AOL account of CIA director John Brennan. The attacker then contacted The New York Post to describe his or her actions, which involved posing as a Verizon worker to trick other employees into revealing personal information about Brennan and then using that information to ask for a password reset. The attacker got access to documents that Brennan forwarded to a personal account, some containing sensitive information. The attacker claims to be an American high school student, but the FBI has just started its investigation, so the attacker’s true identity, including his or her age, hasn't been verified yet.

Our own company organized a global hacking competition at this year’s Black Hat USA conference, the eCSI Hacker Playground. It wasn’t too surprising that a high number of the best players were in their early 20s.

Can teens today channel rebellious urges into positive activities?  
Image Source IMDb

In the post-Snowden era, we are all attuned to how legislation such as the controversial Stop Online Piracy Act (SOPA) or various "eavesdropping" laws such as the Electronic Communications Privacy Act (ECPA) heavily affect our increasingly digital lives. This applies especially to the millennial generation, who conduct the majority of their social lives online. For them, these laws are not about abstract ideas such as the right to privacy or freedom of speech: they are about taking away their ability to communicate with their friends in private, or at all.

Very often the success of these rulings depends on how data carriers and service providers relate to such governmental requests; a company that's compliant with the authorities and does not even try to protect the privacy of its users can expect vocal, and maybe active, opposition from them. 

Tools do get easier all the time, but easy-to-use software packages that can get through sloppy defenses by exploiting well-known vulnerabilities in unpatched systems have been around for a long time. The term "script kiddie," describing someone, presumed to be quite young, who can merely use such ready-to-use attack tools or "scripts" but lacks the advanced skills required to find vulnerabilities themselves, started to gain widespread adoption in the early 2000s.

There are toolkits, such as the Metasploit Framework or various security-oriented Linux distributions, that are designed to make the job of penetration testers easier but also present an opportunity for attackers with a relatively limited set of skills; these have a track record running back at least 10 years.

In 2010, multiple distributed denial-of-service (DDoS) attacks against the Church of Scientology and organizations opposing WikiLeaks were organized by members of the 4chan message board using a simple tool called Low Orbit Ion Cannon. Participating in that attack was as simple as downloading and starting an application.

On the other hand, just the fact that the alleged TalkTalk attacker is 15 does not necessarily mean that one needs trivial-to-use tools to achieve their goals. The history of computer science is full of young contributors. One example is the technologist, entrepreneur, and hacktivist Aaron Swartz, whose life and tragic death were documented in the critically acclaimed 2014 documentary "The Internet's Own Boy." Swartz became a member of a tech group working on some of the most important new Internet communication standards at the age of 14 and, along with the legal academic (and presidential candidate) Lawrence Lessig, is counted as one of the original architects of the Creative Commons organization.

Some 15-year-olds are using their talent to hack into corporate networks for fun, profit or to make a point, and as an industry we can make an impact to discourage the pursuit of criminal activity. By sponsoring events such as our hackathon we hope to inspire today’s young security experts to use these talents to create something great for the future. 

Péter Gyöngyösi is product manager of Blindspotter with Balabit. A graduate of Budapest University of Technology and Economics, he has been creating security products for over 10 years and is a frequent speaker at industry events.
Comments
Alainduflon,
User Rank: Apprentice
6/17/2016 | 4:00:04 AM
Re: Interesting
One of the best inspirations is maybe to watch the new series Mr Robot.

Now it could be cool to be a hacker, so maybe James Dean should love to be cool in these days ;)
RyanSepe,
User Rank: Ninja
11/28/2015 | 9:23:54 PM
Re: Interesting
IoT has made so many devices accessible as well as exploitable. It's amazing to see how it is influencing lives from smart phones to home automation. But security needs to be at the forefront of the SDLC...This does not seem to be the case in a lot of instances.
Dr.T,
User Rank: Ninja
11/27/2015 | 10:48:39 AM
Re: Interesting
Agree, fixing is less of an issue anymore, it is just a recycle-oriented world.
Dr.T,
User Rank: Ninja
11/27/2015 | 10:45:59 AM
Re: Interesting
I would think hacking would be more institutionalized simply because we know that countries have each other, so there will be lots of money spent in the hacking sector in the future.
Dr.T,
User Rank: Ninja
11/27/2015 | 10:39:12 AM
Re: Interesting
I would agree, hacking is becoming a way of living, a life style.
Dr.T,
User Rank: Ninja
11/27/2015 | 10:37:58 AM
Re: Interesting
Agree. IoT is like a heaven for hackers, their playground will be extended dramatically so more fun.
Dr.T,
User Rank: Ninja
11/27/2015 | 10:35:41 AM
Hacking; fun and exciting
 

Lots of young people who are in IT want to know how to hack simply because it is fun and exciting. So no wonder why we see too many young people who are into it. The other reason is that there is a vast amount of tools to try different hacking strategies and tactics; that gives additional incentives for hackers.
Whoopty,
User Rank: Ninja
11/26/2015 | 7:53:36 AM
Re: Interesting
That's an interesting idea, though I have read others with the opposite opinions. The ease of use that new generations of children will have with their technology, apps rather than programs, touch-screens versus controller and mouse/keyboard input, will lead to less tinkering and less inquisitive behaviour - as they will rarely have to fix anything.

In comparison, 80s and 90s computer users were forced to spend plenty of time fixing and fiddling to make things work.

It won't be black and white, but there's a fair argument to suggest that we may have fewer numbers of homegrown hackers in the future.
Joe Stanganelli,
User Rank: Ninja
11/25/2015 | 11:15:17 PM
POI
Just a simple point of information: Lessig is out of the race as of around the start of this month.

One can always throw their support behind John McAfee...
gyp,
User Rank: Author
11/25/2015 | 12:26:22 PM
Re: Interesting
That can be a factor, too. Security and hacking (in the "making" or "tinkering" sense of the word) have always been sexy. It is now that more and more of our lives go digital that actually becoming an expert in it and making a living out of it is becoming accessible for more and more people.