Hacker TinKode has been arrested by the Romanian police after the 20-year-old bragged about hacking into Pentagon and NASA computer systems.
Razvan Manole Cernaianu, 20, is the second Romanian to be arrested for such attacks, following 26-year-old Robert Butyka, who received a three-year suspended sentence for hacking multiple NASA servers. TinKode has previously claimed credit for hacking the MySQL website with an SQL injection attack last year and the Royal Navy website in 2010.
TinKode is now accused of revealing security holes and publishing information about SQL injection vulnerabilities in NASA and the Pentagon.
The Romanian Directorate for Investigating Organised Crime and Terrorism said Cernaianu also offered a computer program on his blog that could be used to hack into websites and published a video showing internet attacks he had made against the US government.
The FBI and NASA assisted in the investigation. The US Embassy in Bucharest said that Cernaianu used "advanced hacking tools to gain unauthorised access to government and commercial systems".
Cernaianu allegedly hacked into a computer server at NASA's Goddard Space Flight Center last April, and posted a screen grab that showed files connected to confidential satellite data.
Anthony M. Freed, managing editor of Infosec Island, said that TinKode is known to have taken advantage of several well-known vulnerabilities that many of his targets should have resolved before he exploited them through SQL injections - a technique many security experts now derisively call 'Hacking 101'.
"His targets tend to be large entities that undoubtedly have complex network deployments and multiple interfaces for third parties like contractors or client bases," said Freed, "which provide a higher product probability of his finding unprotected points of entry."
Freed said that penetration by a determined hacker is almost guaranteed in networks of this size.
Advanced hacking tools
"They should focus on detection and data protection within the networks," he says, "while working under the assumption that they will not be able to prevent all breach attempts.
"Advanced monitoring systems, appropriate data classification, and secondary authentication protocols for access to the most sensitive information are critical both for detecting an intrusion and slowing hackers' progress. This can buy the needed time to lock down the compromised system and prevent data theft."
Gary McGraw, CTO of Cigital, says if TinKode didn't want to get caught, he should not have been bragging so publicly. "If you go looking for attention, you're probably going to get it," he said.
McGraw says the damage caused was probably minor. "But, to get past all of these silly problems, agencies like these should build systems with security in mind in the first place. Right now they are trying to fix broken systems."