Teenage hacker Aaron Caffrey has walked free from court after
being cleared of trying to bring down one of North America's
biggest ports by hacking into its computer systems.
Aaron Caffrey, 19, was accused of bringing computers to a
standstill at the port of Houston in Texas - but was found not
guilty by a jury today. This was despite both the prosecution and
defence agreeing that Caffrey's machine was responsible for
launching the attack, that a list of 11,608 IP addresses of
vulnerable servers was found on his hard drive, and the discovery
of a malicious script on his system signed by someone called
"Aaron".
Speaking outside Southwark Crown Court in the UK, Caffrey said
he was "very angry" at the way he had been treated by the police.
His barrister, Iain Ross, said "He wishes to say that this ordeal
has been a dark cloud hanging over him for the last two years. He
had always insisted he was not guilty and that he was a victim of a
criminal act rather than being a criminal himself."
The prosecution had alleged that Caffrey had hacked into the
port's computer servers in an attempt to attack a female chatroom
user called Bokkie, who had made anti-USA comments online. Caffrey
was said to have fallen in love with an American girl called
Jessica. He had never met Jessica, but conducted a year-long
internet relationship with her. Transcripts of steamy transatlantic
exchanges between the couple were read out in court. Caffrey's
computer was even named after Jessica, and the malicious attack
script which was launched against the port included a dedication to
her.
Computers at the port suffered a severe denial-of-service attack
on 20 September, 2001. The attack crashed systems at the port which
contained vital data for shipping and mooring companies responsible
for helping ships navigate into and out of the harbour. An
investigation by US authorities traced the attack back to a
computer at Caffrey's home in Shaftesbury, Dorset. Investigators
found a copy of the attack script on the computer.
Caffrey, who has admitted being a member of a group called
Allied Haxor Elite and hacking into computers for friends to test
their security, but only with their permission, claimed that
unidentified hackers broke into his computer and launched the
attack script against the port of Houston. The jury accepted
Caffrey's story, even though prosecution expert witnesses could
find no evidence that his computer had ever been broken into.
Aaron Caffrey told the court "I have hacked into computers
legally for friends to test their server security because they
asked me to but never illegally."
"Caffrey has said that he would like to seek out a future career
in computer security," said Graham Cluley, senior technology
consultant for Sophos. "However, according to his own story he left
his own computer wide open for attack, infiltration and
exploitation by unknown hackers who attempted to frame him.
Although he may have served his career prospects well by not
receiving a criminal record today, he has harmed them by claiming
that he was not following some of the most basic steps of computer
security."
Sophos notes that the "Trojan" defence has been successfully
used in the UK courts before. In July, a man was cleared of possessing
child porn when a number of Trojan horses were discovered on his
computer.
"Clearly the authorities are facing a fundamental problem when
attempting to prosecute suspected computer criminals," continued
Cluley. "The Caffrey case suggests that even if no evidence of a
computer break-in is unearthed they might still be able to
successfully claim that they were not responsible for what their
computer does, or what is found on its hard drive."
More than 100 million users in 150 countries rely on Sophos as the best protection against complex threats and data loss. Sophos is committed to providing security and data protection solutions that are simple to manage, deploy and use and that deliver the industry's lowest total cost of ownership. Sophos offers award-winning encryption, endpoint security, web, email, and network access control solutions backed by SophosLabs - a global network of threat intelligence centers. With more than two decades of experience, Sophos is regarded as a leader in security and data protection by top analyst firms and has received many industry awards.
Sophos is headquartered in Boston, US and Oxford, UK. More information is available at www.sophos.com.