1 / 77

Stupid Whitehat Tricks

Stupid Whitehat Tricks. HOPE X July 20, 2014. How it Started 2011. PBS Hacked. PBS Hacked. Whitehatting. Contacting companies about security problems With no contract No authorization. What Limits Whitehatting?. Laws. CISSP Code of Ethics. DEMO SQLi on Pastebin.

soleil
Download Presentation

Stupid Whitehat Tricks

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Stupid Whitehat Tricks HOPE X July 20, 2014

  2. How it Started 2011

  3. PBS Hacked

  4. PBS Hacked

  5. Whitehatting • Contacting companies about security problems • With no contract • No authorization

  6. What Limits Whitehatting?

  7. Laws

  8. CISSP Code of Ethics

  9. DEMOSQLi on Pastebin

  10. Verify the Vulnerability • Do NOT explore any further • Actually injecting commands is a crime

  11. Find a Contact Address • Should be security@domain.com or abuse@domain.com • Those are rarely monitored

  12. Letter Design • Simple management-level summary of the problem • No technical details • Give your real name & contact information • No demands, no threats

  13. Pilot Study • 7/23 Fixed (30%) after 3 days • http://samsclass.info/lulz/cold-calls.htm

  14. Student Projects • Done by CISSP-prep students at CCSF • Contacted over 200 sites with SQL injections > 15% of them were fixed

  15. Major Breaches or Vulnerabilities

  16. Breaches or VulnerabilitiesI Reported in 2011 • FBI, Police Depts., UK Supreme Court • Chinese Gov't • Police departments (many of them) • CNN, PBS, Apple, Schools

  17. I Sought Personal Contacts

  18. I Sought Personal Contacts

  19. Positive Results • Several good security contacts inside corporations, law enforcement, and government agencies • Many problems fixed, several before they were exploited

  20. Negative Results • Some Twitter followers were offended and suspicious when I found so many high-profile vulnerabilities so fast • Accusations • Performing unauthorized vulnerability scans • Peddling bogus security services • Betraying the USA

  21. (ISC)^2 Ethics Complaint

  22. DEMOPharma Infections at Colleges

  23. User-Agent = GoogleBot

  24. Normal User-Agent

  25. 19 Colleges Infected with Pharma • 5 Fixed within a few weeks • 7 Fixed within 8 months • 7 Still Infected on 7-19-14 • http://samsclass.info/125/proj11/subtle-infect.htm#19more

  26. Many More Pharma Infections • Dozens of other schools, businesses, foreign sites, etc. • http://samsclass.info/125/proj11/subtle-infect.htm#19more

  27. DEMOSQLi at Colleges

  28. Exposed Student Data

  29. Exposed Password Hash

  30. Brigham Young U

  31. Repair Rate • 15/59 (25%) fixed it within 10 days • Rate of repair was then zero

  32. >2000 WordPress Bots • Thanks to Steven Veldkamp

  33. WordPress Has Known for 7 Years

  34. Open DNS Resolvers at Colleges

  35. Results • Seven months after notification • 38% decrease in open resolvers, from a total of 682 to 421

  36. DEMOInsecure Login Pages at Colleges

  37. Insecure Login Pages at Colleges 90 colleges notified in Dec, 2013

More Related