1. Stupid Whitehat Tricks
2. Disclaimer
  These lists of people are examples, not complete lists
  I don't intend any slight by omitting people from this presentation
  If anything here is inaccurate, feel free to contact me
  sbowne@ccsf.edu
  @sambowne
3. Blackhat Hackers
  Break the law & love it
4. Dread Pirate Roberts
  Ross William Ulbricht
  Ran Silk Road: an eBay for drugs, guns, and crime
  Arrested Oct 1, 2013 at the Glen Park library in San Francisco
  Accused of soliciting six murders for hire
  arstechnica.com/tech-policy/2013/10/how-the-feds-took-down-the-dread-pirate-roberts/
5. Albert Gonzalez
  Stole 90 million credit cards from TJX and other retailers
  Broke into WEP wireless networks
  Sentenced to 20 years in 2010
  www.wired.com/threatlevel/2010/03/tjx-sentencing/
6. Max Butler
  Dominated the world's market in stolen credit card numbers
  Operated from a 4th-floor apartment in San Francisco
  Used neighbors' unsecured Wi-Fi networks
  Sentenced to 13 years in 2010
  www.wired.com/techbiz/people/magazine/17-01/ff_max_butler
  www.wired.com/threatlevel/2010/02/max-vision-sentencing/
7. Sabu
  Hector Xavier Monsegur
  Member of LulzSec
  FBI informant
  Sentencing postponed
  www.theguardian.com/technology/2013/feb/22/lulzsec-sabu-sentencing-monsegur-postponed
8. Andrey Hodirevski
  Ukrainian
  Presumed to be the seller of the credit cards stolen from Target in 2013
  Still at large
  krebsonsecurity.com/2013/12/whos-selling-credit-cards-from-target
9. Gray Hat Hackers
  Break the law, but claim to serve some higher cause
10. Jeremy Hammond
  Member of AntiSec, the Anonymous/LulzSec offshoot
  Stole 60,000 credit card numbers from Stratfor
  Founded HackThisSite
  Sentenced to 10 years in 2013
  www.huffingtonpost.com/vivien-lesnik-weisman/post_4885_b_3352308.html
11. The UFO Hacker
  Gary McKinnon
  Hacked the Pentagon and NASA in 2001
  Won a battle to avoid extradition from the UK to the USA in 2012, on mental health grounds
  www.examiner.com/article/ufo-hacker-wins-battle-against-us-government
12. St0rm
  Neil J. McDonald
  18-year-old university student in New Zealand
  Hacked the University of Melbourne and many companies
  Told them about the vulnerabilities so they could patch them
  Never prosecuted, but convinced to knock it off
  news.softpedia.com/news/University-of-Melbourne-Possibly-Hacked-After-Failing-to-Listen-to-Gray-Hat-235452.shtml
  www.binrand.com/post/985173-st0rm-some-love-trolls-3.html
13. Joshua Rogers
  Exploited a SQL injection flaw at Metlink in Australia
  Notified the company afterwards
  Reported to police by the company
  No charges filed yet
  www.wired.com/threatlevel/2014/01/teen-reported-security-hole
14. Aaron Swartz
  Downloaded millions of academic articles from JSTOR over MIT's network in 2010-2011, intending to publish them freely, in violation of JSTOR's terms of use
  Prosecuted; faced a possible prison term
  Depressed; committed suicide in 2013
  www.wired.com/threatlevel/2013/01/aaron-swartz
15. Whitehat Hackers
  Obey the law
16. Whitehat Hackers
  Obey the law
  Hold positions of trust and responsibility
  Frequently abused as cowardly and incompetent by criminals
  (Image from Wikipedia)
17. Dan Kaminsky
  Found a DNS cache-poisoning flaw in 2008
  Got it patched before it was exposed & exploited
  Testified before Congress
  ICANN Trusted Community Representative for the DNSSEC root
  wikipedia.org/wiki/Dan_Kaminsky
18. H D Moore
  Chief Architect of Metasploit
  Recent work involves scanning the entire Internet for security problems, in partnership with DHS
  resources.infosecinstitute.com/hd-moore-reveals-his-process-for-security-research
19. Jeremiah Grossman
  Yahoo's first hacker
  Founded WhiteHat Security
  Scans customers for vulnerabilities and helps them patch
  Reports vulnerability statistics
  https://www.whitehatsec.com/resource/grossman.html
20. Katie Moussouris
  Senior Security Strategist Lead at Microsoft
  Mother of Microsoft's bounty programs
  Ex-pen-tester
  linkedin.com/in/kmoussouris
21. Joanna Rutkowska
  Polish computer security researcher
  Develops low-level rootkits, including "Blue Pill", a hypervisor-based rootkit that slides a thin hypervisor underneath a running OS, so the OS keeps running as a guest without noticing
  Developed Qubes OS, which provides security through isolation
  wikipedia.org/wiki/Joanna_Rutkowska
22. Cold Calls
23. Warning Companies
  Without being hired to test their security
  Requires care to stay legal
  Don't execute unauthorized code on anyone else's server
  Considered dangerous and taboo in the security community
24. Risks of Cold Calls & Whitehat Reputation
  CCSF servers attacked twice to stop me
  (ISC)^2 ethics complaint to revoke my certification
  Accused of racism to get me fired from CCSF
  Threatened with a lawsuit from Canada
  Hatchet job in the CCSF newspaper
  Many outrageous accusations in print from CCSF's disgraced ex-CTO
  Lots of online trolling
25. DEMO: SQL Injection
26. SQL Injections at Colleges
  I found over 100
  Most are still open
  Johns Hopkins
  Brigham Young
27. Viagra Sales from College Servers
28. http://www.networkworld.com/news/2013/122413-web-server-malware-for-nginx-277201.html
29. DDoS Attack
30. 2,000 Bots
  All WordPress sites
  Being used to attack other sites
31. WordPress Bug 7 Years Old
32. Open DNS Resolvers
  A resolver that answers recursive queries from anyone on the Internet lets an attacker send small queries with the victim's spoofed source address and have the college's server deliver the much larger responses to the victim
  This allows colleges to be used as weapons to harm other sites
  Used in the largest DDoS seen up to that time (300 Gbps, March 2013)
  http://blog.cloudflare.com/the-ddos-that-almost-broke-the-internet
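The slide says open resolvers are used as weapons but not why the numbers work. The following is an added example, not code from the deck: it builds the small recursive ANY query an attacker would spoof, then parses a constructed (made-up) response of the kind an open resolver returns, decides from the header whether the server actually recursed for us (RA set, NOERROR, answers present), and computes the amplification factor. Only send the query to a resolver you are authorized to test; the response here is fabricated so the script runs offline.

```python
import struct

def encode_name(name):
    """Encode a dotted hostname as DNS labels (no compression)."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"

def build_query(name, qtype=255, txid=0x1234):
    """Recursive (RD=1) query; qtype 255 is ANY, the classic amplifier type."""
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack(">HH", qtype, 1)

def skip_name(pkt, off):
    """Return the offset just past a (possibly compressed) name."""
    while True:
        length = pkt[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:          # compression pointer: 2 bytes, ends the name
            return off + 2
        off += 1 + length

def parse_response(pkt):
    """Parse the header and walk the answer section, counting records."""
    txid, flags, qd, an, ns, ar = struct.unpack(">HHHHHH", pkt[:12])
    off = 12
    for _ in range(qd):
        off = skip_name(pkt, off) + 4        # QTYPE + QCLASS
    answers = 0
    for _ in range(an):
        off = skip_name(pkt, off)
        rtype, rclass, ttl, rdlen = struct.unpack(">HHIH", pkt[off:off + 10])
        off += 10 + rdlen
        answers += 1
    return {
        "txid": txid,
        "is_response": bool(flags & 0x8000),
        "recursion_available": bool(flags & 0x0080),
        "rcode": flags & 0x000F,
        "answers": answers,
        "size": len(pkt),
    }

def is_open_resolver(query, response):
    """True if the server recursed for an arbitrary client: ID matches, RA set, NOERROR, answers."""
    q_txid = struct.unpack(">H", query[:2])[0]
    r = parse_response(response)
    return (r["txid"] == q_txid and r["is_response"] and r["recursion_available"]
            and r["rcode"] == 0 and r["answers"] > 0)

def amplification_factor(query, response):
    """Bytes delivered to the victim per byte the attacker had to send."""
    return len(response) / len(query)

def build_fake_response(query, n_txt=15, txt_len=254, rcode=0, ra=True):
    """Constructed response for the demo (not a real capture): echoes the question,
    then n_txt TXT records referencing the name by compression pointer 0xC00C."""
    txid = struct.unpack(">H", query[:2])[0]
    flags = 0x8100 | (0x0080 if ra else 0) | rcode      # QR=1, RD=1, optional RA, RCODE
    n_answers = n_txt if rcode == 0 else 0
    header = struct.pack(">HHHHHH", txid, flags, 1, n_answers, 0, 0)
    rdata = bytes([txt_len]) + b"x" * txt_len            # one TXT <character-string>
    rr = b"\xC0\x0C" + struct.pack(">HHIH", 16, 1, 300, len(rdata)) + rdata
    return header + query[12:] + rr * n_answers

if __name__ == "__main__":
    q = build_query("example.com")
    r = build_fake_response(q)
    print("query %d bytes, response %d bytes, amplification %.1fx, open=%s"
          % (len(q), len(r), amplification_factor(q, r), is_open_resolver(q, r)))
```

A 29-byte query turns into a ~4 KB answer here, which is the whole point: the attacker spends one packet and the college's resolver spends 139 of them on the victim. The fix on the resolver side is to refuse recursion for clients outside the campus (for example BIND's `allow-recursion` restricted to the campus networks) and to apply response rate limiting; a correctly configured server answers the spoofed query with REFUSED, which this code classifies as not open.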
33. I notified 45 USA universities last month
34. Insecure Login Pages at 90 Colleges
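The deck does not say what made those 90 login pages insecure. The example below is added here and is not the presenter's code; it assumes the usual finding of this kind, a login form that is served over, or submits to, plaintext HTTP, so a passive eavesdropper on the campus Wi-Fi reads the password or an on-path attacker rewrites the form's action. It parses a page with the standard library, finds every form containing a password field, resolves the form's action against the page URL, and reports both failure modes. The sample pages and hostnames are constructed for the demo.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

class LoginFormFinder(HTMLParser):
    """Collect each <form> on the page and whether it holds a password input."""
    def __init__(self):
        super().__init__()
        self.forms = []
        self._form = None

    def handle_starttag(self, tag, attrs):
        a = {k.lower(): (v or "") for k, v in attrs}   # boolean attrs arrive as None
        if tag == "form":
            self._form = {"action": a.get("action", ""), "has_password": False}
            self.forms.append(self._form)
        elif tag == "input" and self._form is not None:
            if a.get("type", "").lower() == "password":
                self._form["has_password"] = True

    def handle_endtag(self, tag):
        if tag == "form":
            self._form = None

def find_insecure_logins(page_url, html):
    """Return (submit_url, reason) for every login form an on-path attacker can exploit."""
    parser = LoginFormFinder()
    parser.feed(html)
    findings = []
    for form in parser.forms:
        if not form["has_password"]:
            continue                                   # search boxes etc. are not logins
        # An empty action submits to the page itself; otherwise resolve relative to the page.
        submit_url = urljoin(page_url, form["action"]) if form["action"] else page_url
        if urlsplit(submit_url).scheme.lower() != "https":
            findings.append((submit_url, "credentials are POSTed over plaintext HTTP"))
        elif urlsplit(page_url).scheme.lower() != "https":
            # The POST is encrypted, but the form itself came over HTTP, so an on-path
            # attacker can rewrite its action before the user ever types a password.
            findings.append((submit_url, "login form is delivered over HTTP"))
    return findings

# Constructed sample pages for the demo (not real college sites).
LOGIN_OVER_HTTP = """<html><body>
<form method="post" action="/portal/auth">
  <input name="user"><input type="password" name="pass"><input type="submit">
</form></body></html>"""

SEARCH_ONLY = """<form action="/search"><input name="q" type="text"></form>"""

MIXED = """<form method="post" action="https://sso.example.edu/login">
  <input name="u"><input type="PASSWORD" name="p"></form>"""

if __name__ == "__main__":
    for url, page in [("http://portal.example.edu/login", LOGIN_OVER_HTTP),
                      ("http://portal.example.edu/search", SEARCH_ONLY),
                      ("http://portal.example.edu/login", MIXED),
                      ("https://portal.example.edu/login", LOGIN_OVER_HTTP)]:
        print(url, "->", find_insecure_logins(url, page) or "OK")
```

In practice you feed this the HTML you fetched from a URL you are authorized to look at (or from your own institution's pages); it never submits anything. Note the second branch: an HTTPS action on an HTTP page still gets flagged, because the unprotected page is the attacker's foothold.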
35. Demo: UC Riverside
36. Confidential Demo
  Insecure server versions at colleges
37. Conclusion
38. Be a Whitehat
  Never hack past any security barrier
  Don't run code on anyone else's server without permission
  Get to know FBI agents, police, etc.
  Join legitimate security organizations: ISSA, HTCIA, OWASP, etc.
  Establish a solid, respectable reputation
  Square and Boring are GOOD THINGS
39. Don't Hack the College
  Or anyone else
  We are the good guys
  These are dangerous, powerful skills
  CCSF is trusting you to be responsible with them
  If anything strange is happening, talk to me about it