Teenage rebellion against authority is nothing new, but now it’s targeting faceless entities such as telecommunication firms in the recent TalkTalk breach.
Recent history shows that young cyber attackers are not a new phenomenon. The most high-profile cases that involved teenagers were probably the actions of the LulzSec hacker group. They claimed responsibility for several, mostly denial-of-service attacks against high-profile targets such as the US Senate, Sony Pictures, News Corporation, and the CIA. The group triggered an international investigation and was brought down during the second half of 2011. At least two members of the group, Ryan Cleary and Jake Davis, were identified as being under the age of 20 at that time.
A more current story is the hack of the AOL account of the CIA director John Brennan. The attacker then contacted The New York Post to describe his or her actions that involved acting as a Verizon worker to trick other employees into revealing personal information about Brennan and then using that information to ask for a password reset. The attacker got access to documents that Brennan forwarded to a personal account, some containing sensitive information. While claiming to be an American high school student, the FBI has just started their investigation, so the attacker’s true identity, including his or her age, hasn't been verified yet.
Our own company organized a global hacking competition at this year’s Black Hat USA conference, the eCSI Hacker Playground. It wasn’t too surprising that a high number of the best players were in their early 20s.
In the post-Snowden era, we are all attuned to how legislation such as the controversial Stop Online Piracy Act (SOPA) or various "eavesdropping" laws such as the Electronic Communications Privacy Act (ECPA) heavily affect our increasingly digital lives. This applies especially to the millennial generation who conduct the majority of their social lives online. For them, these laws are not about abstract ideas such as the right to privacy or freedom of speech: it's about taking away their possibilities to communicate with their friends in private or at all.
Very often the success of these rulings depends on how data carriers and service providers relate to such governmental requests; a company that's compliant with the authorities and does not even try to protect the privacy of its users can expect vocal, and maybe active, opposition from them.
Tools do get easier all the time, but easy-to-use software packages that can get through sloppy defenses through well-known vulnerabilities of unpatched systems have been around for a long time. The term "script kiddie," describing someone, presumed to be quite young, who can merely use such ready-to-use attack tools or "scripts" but lacking the advanced skills required to find vulnerabilities themselves, started to gain widespread adoption in the early 2000s.
There are toolkits that are designed to make the job of penetration testers easier but also present opportunity for attackers with a relatively limited set of skills, such as the Metasploit Framework or various security-oriented Linux distributions, and these have a track record running back at least 10 years or more.
In the year 2010, multiple distributed denial-of-service (DDoS) attacks were organized by the members of the 4chan message board using a simple tool called Low Orbit Ion Cannon against the Church of Scientology and organizations opposing WikiLeaks, and participating in that attack was as simple as downloading and starting an application.
On the other hand, just the fact that the alleged TalkTalk attacker is 15 does not necessarily mean that one needs trivial-to-use tools to achieve their goals. The history of computer science is full with young contributors. One example of that is the technologist, entrepreneur, and hacktivist Aaron Swartz, whose life and tragic death was documented in the critically acclaimed 2014 documentary "The Internet's Own Boy.” Swartz became the member of a tech group working on some of the most important new Internet communication standards at the age of 14 and along with the legal academic (and presidential candidate) Lawrence Lessig, is counted as one of the original architects of the Creative Commons organization.
Some 15-year-olds are using their talent to hack into corporate networks for fun, profit or to make a point, and as an industry we can make an impact to discourage the pursuit of criminal activity. By sponsoring events such as our hackathon we hope to inspire today’s young security experts to use these talents to create something great for the future.