Cyber attack on US shipping exploited known security hole: teenager accused

Aaron Caffrey, the 19-year-old who faced trail at Southwark crown court last week, was accused of hacking into the computer...

Aaron Caffrey, the 19-year-old who faced trail at Southwark crown court last week, was accused of hacking into the computer system of the second biggest port in the US.

The denial of service attack, which came shortly after 11 September, exploited a security loophole that had been well publicised for almost a year.

Oil tankers and other ships entering the port of Houston were placed at serious risk after a denial of service attack launched from Caffrey's home computer halted a website which was carrying vital navigational data used by shipping pilots.

The website carried data on weather, tides, and water depths. Without access to the site, there could have been "catastrophic consequences to life and limb" the court heard.

Detectives from Scotland Yard's computer crime unit found software on Caffrey's PC designed to exploit a security vulnerability in Microsoft's Internet Information Server software during a raid on Caffrey's parents' house in January 2002.

The custom-written software exploited a vulnerability in servers using Microsoft software that had been publicised for a year before Caffrey allegedly launched his denial of service attack, it has emerged.

The port of Houston could have protected itself by ensuring its servers had been patched with the latest Microsoft updates.

Paul Addison, for the prosecution, told the court that Caffrey had used Unicode software to launch a distributed denial of service attack against a girl called Bokkie he had met on an online chat service.

The software allegedly took control of an undisclosed number of servers with the Unicode vulnerability, including the port of Houston server, and used them to flood the girl's computer with thousands of electronic messages or "pings".

Systems logs for 20 September identified Caffrey's IP address and the IP address of his target.

Caffrey denied breaching the Computer Misuse Act. He told police that hackers had broken into his PC and used a Trojan programme to launch the attack and plant incriminating evidence.

Read more on IT risk management