Posts tagged: Ethical Hackers

Dec 31 2011

Facebook Debit Card for White Hat Hackers

Facebook Debit CardA few companies pay money to bug hunters. But Facebook is giving out something more unique than just a check.

Some security researchers are getting a customized “White Hat Bug Bounty Program” Visa debit card.

The researchers, who can make thousands of dollars for reporting just one security hole on the social-networking site, can use the card to make purchases, just like a credit card, or create a PIN and take money out of an ATM. As the researchers find more bugs, Facebook can add more money to their accounts.

Facebook wanted to do something special for the people who are helping the company shore up its software and keep hackers and malware out.

“Researchers who find bugs and security improvements are rare, and we value them and have to find ways to reward them,” Ryan McGeehan, manager of Facebook’s security.

Besides holding cash value, the White Hat card may proffer other advantages. “We might make it a pass to get into a party,” for instance, McGeehan said. “We’re trying to be creative.”

The most Facebook has paid out for one bug report is $5,000, and it has done that several times, according to McGeehan. Payments have been made to 81 researchers, he said.

Szymon Gruszecki, a Polish security researcher and penetration tester; Neal Poole, a junior at Brown University who will be an intern at Facebook next summer; Charlie Miller, a researcher at Accuvant known for finding holes in iOS 5 and Safari, praised the card. “Facebook whitehat card not as prestigious as the SVC card, but very cool ;) Fun way to implement no more free bugs,” he tweeted.

Facebook has plans to leverage the knowledge and skills of the researchers beyond just providing the bug bounty incentive.

“Whenever possible we’re going to try to load-in White Hat researchers into products early–as soon as (they are) in production,” McGeehan said. Thus Facebook “will get an early warning on anything they find.”

Jul 07 2011

Anonymous Vows Revenge After 15 Arrested

AnonymousAfter 32 raids across Italy (and one in Switzerland), 15 alleged members of Anonymous have been arrested. The detainees, aged between 15 and 28 with five under 18, have been accused of performing denial of service attacks on Italian Web sites belonging to the government, and on both state and private broadcasters.

The Italian authorities are describing one of the suspects, a 26-year-old Swiss-Italian going by the monkier “Phre,” as a “leader” of the hacking group. A further 30 suspects are still being sought.

As was the case with the Anonymous arrests in Spain and Turkey, the AnonOps faction within Anonymous has been swift to both promise revenge and dismiss claims that there are “leaders” of the group.

The AnonOps response ends with a call to arms for other Italian Anons, imploring them to “Let [the government] have it, stronger than ever.” In Italy, as with Spain before it, further denial of service attacks are likely to be the chosen response.

In spite of the arrests, hacking under the Anonymous banner continues unabated. The “Anti-Security” movement, promoted by breakaway Anonymous faction Lulz Security, and subsequently picked up by Anonymous after LulzSec returned to the fold, has resulted in the compromise of numerous poorly secured Web servers around the world. Over the past few days, AntiSec hacks have included huge numbers of defacements of Turkish websites—a few dozen government sites here, a thousand here, and another few hundred here, database dumps from 20 Italian universities, and futher attacks on the Arizona Department of Public Safety.

Jun 20 2011

LulzSec – Anonymous Teamed Up For “Operation AntiSec”

LulzSec Anonymous Hackers
Over the weekend, LulzSec has seemingly finally moved away from being in it “for the lulz” and has acquired a cause: it has announced it has teamed up with Anonymous and other “affiliated battleships” and that it is launching “Operation Anti-Security”.

“Top priority is to steal and leak any classified government information, including email spools and documentation. Prime targets are banks and other high-ranking establishments,” it says in the call-to-arms published on Sunday on “We encourage any vessel, large or small, to open fire on any government or agency that crosses their path. We fully endorse the flaunting of the word “AntiSec” on any government website defacement or physical graffiti art. We encourage you to spread the word of AntiSec far and wide, for it will be remembered.”

It is widely speculated that the members of the LulzSec team have, at one time, been part of Anonymous, so this teaming up shouldn’t be wholly unexpected.

Another curious thing that happened over the weekend is that the group has released a press release following their 1000th tweet.

In it, they address the speculations that the real goal of their actions is to allow the passing of restrictive laws for Internet users, saying that users should be more worried about the hackers who don’t publish their exploits. “Do you feel safe with your Facebook accounts, your Google Mail accounts, your Skype accounts? What makes you think a hacker isn’t silently sitting inside all of these right now, sniping out individual people, or perhaps selling them off?”

“We’ve been entertaining you 1000 times with 140 characters or less, and we’ll continue creating things that are exciting and new until we’re brought to justice, which we might well be,” they pointed out. “But you know, we just don’t give a living f*ck at this point – you’ll forget about us in 3 months’ time when there’s a new scandal to gawk at, or a new shiny thing to click on via your 2D light-filled rectangle.”

Nov 28 2009

Symantec Online Store Hacked

Symantec Exposed Passwords, Serials – SQL Injection, Full Database Access

Symantec HackedA self-proclaimed grey-hat hacker has located a critical SQL injection vulnerability in a website belonging to security giant Symantec. The flaw can be leveraged to extract a wealth of information from the database including customer and admin login credentials, product serial numbers, and possibly credit card information.

The flaw was found by a Romanian hacker going by the online handle of Unu, according to whom an insecure parameter of a script from the website, allows for a Blind SQL Injection (SQLi) attack to be performed. In such an attack, the hacker obtains read and/or write permission to the underlying database of the vulnerable website.

The content of the website is written in Japanese, but from what we could determine, it serves a product called Norton PC Doctor. The Web server appears to be running Windows Server 2000 as operating system, Microsoft IIS 6.0 with ASP support and Microsoft SQL Server 2000 as database back-end.

From the screen shots released by Unu there are many potentially interesting databases, but the one he chose to look at is called “symantecstore.” One of the tables in this database is named “PaymentInformationInfo” and contains columns such as BillingAddress, CardExpirationMonth, CardExpirationYear, CardNumber, CardType, CcIssueCode, CustomerEmail, CustomerFirstName, CustomerLastName or SecurityIndicator.

Source: Unu’s Blog

Sep 05 2009

How I cross-site scripted Twitter in 15 minutes

How I cross-site scripted Twitter in 15 minutes, and why you shouldn’t store important data on 37signals’ applications
“Today the Ruby on Rails security team released a patch for a cross-site scripting issue which affected multiple high-profile applications, including Twitter and Basecamp. If you’re concerned about the issue and would like to see the patch, please read the advisory from the Rails security team. In this post, I discuss the overall process of finding the issue, and the reason why I’d suggest that no important information be stored on the 37signals applications (Basecamp, Highrise, Backpack, and Campfire).

After seeing a bug in Unicode handling in an unrelated program a few weeks ago, I suddenly had an idea: “I wonder if there are any web applications which have Unicode handling problems that might be security issues?”

My attention quickly turned to Twitter, the only web application I had open at that moment. A few minutes later, I had JavaScript from a URL query parameter falling through the escaping routines and running in the main body of Bingo! Cross-site scripting, the stuff that Twitter worms are made of. But was this a Twitter-specific issue, or did it affect other sites too?”
- Brian Mastenbrook

Source: Brian Mastenbrook