'I Hacked Facebook -- and Found Someone Had Beaten Me To It' (theregister.co.uk)
An anonymous reader shares an article on The Register: A bug bounty hunter compromises a Facebook staff server through a sloppy file-sharing webapp -- and finds someone's already beaten him to it by backdooring the machine. The pseudo-anonymous penetration tester Orange Tsai, who works for Taiwan-based outfit Devcore, banked $10,000 from Facebook in February for successfully drilling into the vulnerable system. According to Tsai, he or she stumbled across malware installed by someone else that was stealing usernames and passwords of FB employees who logged into the machine. The login credentials were siphoned off to an outside computer. According to Facebook security engineer Reginaldo Silva, the password-slurping malware was installed by another security researcher who had earlier poked around within Facebook's system in an attempt to snag a bug bounty.
Makes sense (Score:1)
May as well exploit the machine for a while before revealing the bug.
Re: (Score:1)
You have to in order to claim the bounty.
Corporations have a long history of refusing to cough up the cash in bug bounties (or worse, siccing the authorities on the bug bounty hunter). So to protect themselves (and to prove the bug exists), the "official" way to report bug bounties is to steal a bunch of data, rig it to be released to the public in the event the bug bounty hunter fails to "check in" every so often and THEN report it, just in case the company decides to renege on the deal.
Re: Makes sense (Score:3)
Re: (Score:1)
Nah. Just five years ago I was threatened by the same person who personally authorized me to hack their organization for a 5 grand prize that they're gonna sue me if I keep digging. Still hurts. What hurts more is that the vulnerabilities are still there. On all the damn servers. The fucking tftp is still open to the world.
Re: Makes sense (Score:2, Funny)
IP address? Just so I can verify your story is true...
Re: (Score:2)
you got that authorization in writing, though, right? ...right???
Re: Makes sense (Score:2)
They don't call it a "dead man's switch" for nothing.
Yet another Accellion file appliance hack (Score:1)
http://www.nirgoldshlager.com/2013/01/how-i-hacked-facebook-employees-secure.html
It amazes me that despite all of their problems, so many companies still trust Accellion. I think our installation was $50k.
Re: (Score:1)
Yeah google for soggycat, this shit's been vulnerable since 2011. This isn't a FB vuln, it's 100% Accellion. What a piece of shit appliance. I'm in the wrong business, I should create a "cloud file upload service" with no security and sell it as an enterprise solution for $50K apiece.
Re:Yet another Accellion file appliance hack (Score:5, Informative)
Holy shit, you weren't kidding [seclists.org]. Quoting selected bugs:
This is amateur hour, though still better than what runs our power grid and water treatment plants.
Re: (Score:1)
cat tongues are like sandpaper (Score:5, Funny)
Re: (Score:1)
Electric sheep dream of me.
A $10,000 reward is peanuts in this context. (Score:2)
$10,000 is peanuts for the login credentials of a ton of facebook employees.
In today's Internet, Facebook hacks YOU!
Re: (Score:2)
SSH keys (Score:3)
Yet another reason why SSH password based authentication is so bad. Both SSH agent forwarding and SSH password based auth are best disabled. Then they can't intercept anything.
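An added example, not part of this thread or any of its posts: a small Python audit of the global section of an sshd_config for the two settings this comment says to disable. The config texts are constructed samples; the function names are my own.

```python
# Added example (not from the thread): audit the global section of an sshd_config
# for the two settings the comment above recommends disabling. sshd keeps the
# FIRST value given for a keyword, and both keywords default to "yes" if absent.

AUDITED = {"passwordauthentication": "no", "allowagentforwarding": "no"}

def parse_global_section(config: str) -> dict:
    """Return keyword -> effective value for the global (pre-Match) section."""
    effective = {}
    for raw in config.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        # Match blocks apply conditionally; this audit covers global settings only.
        if line.lower().startswith("match"):
            break
        parts = line.replace("=", " ", 1).split(None, 1)
        if len(parts) != 2:
            continue
        # Keywords are case-insensitive; the first occurrence wins, later ones are ignored.
        effective.setdefault(parts[0].lower(), parts[1].strip())
    return effective

def audit(config: str) -> dict:
    """Return {keyword: offending_value} for audited settings still enabled."""
    effective = parse_global_section(config)
    return {
        key: effective.get(key, "yes")  # sshd default for both keywords
        for key, wanted in AUDITED.items()
        if effective.get(key, "yes").lower() != wanted
    }

# Constructed sample: the commented-out line leaves the default (yes) in force, and
# the duplicate keyword's second value is ignored because the first one wins.
WEAK_CONFIG = """\
#PasswordAuthentication no
AllowAgentForwarding yes
AllowAgentForwarding no
"""

# Constructed sample: both disabled globally; the Match block re-enables password
# auth for one user only and is deliberately outside this global audit.
HARDENED_CONFIG = """\
PasswordAuthentication no
AllowAgentForwarding no
Match User backup
    PasswordAuthentication yes
"""
```

Run `audit()` over a real `/etc/ssh/sshd_config` (or the output of `sshd -T`, which already resolves defaults) to see which of the two settings is still enabled.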
"Security Researcher"? Really? (Score:5, Interesting)
According to Facebook security engineer Reginaldo Silva, the password-slurping malware was installed by another security researcher who had earlier poked around within Facebook's system in an attempt to snag a bug bounty.
And this is why I have a problem with this whole "terminology" of the so-called "security researcher". Facts are facts, and whoever it was that installed and left malware that "slurped" passwords and usernames clearly was not a "security researcher", but rather a run-of-the-mill hacker, or call him (almost certainly a him) whatever you want, but NOT a "security researcher".
Re:"Security Researcher"? Really? (Score:5, Insightful)
Don't call him hacker either after all "hacker" is a positive term...
You know as well as I do that is "politically correct" garbage. Good or bad, a hacker is a hacker, and "cracker" is a made-up term. Now, if you want to assign hat color (white, black), feel free. But please don't give me this crap that a "black hat" hacker is not a hacker but rather something else because you want to reserve the Hip And Trendy term hacker for yourself... Seriously. That's bullshit.
Re: (Score:2)
Same argumentation works for "Security Researcher" too. The evil Russians who built the nuclear bombs were "researchers" too. And only because the commercial criminal who hacked into the Facebook servers wasn't a white hat, we shouldn't be prevented from calling him a security researcher.
Re: (Score:3)
Re: (Score:2)
... A cracker, also known as a black hat, is someone that does this ...
Aren't crackers white?
Nope. In this, you and the majority loses. (Score:1)
Nope. Hat colour is a sign that the guys using the term have forgotten what it means entirely and are now just as confused as you always were. The problem with the security industry is that it's a bunch of script kiddies. Nothing more. There is no depth at all in the industry anywhere. Hence, no success except make-believe.
They are not hackers in any sense. Not a hacker in the older positive sense. Not a hacker in the "look ma Ima bein k-rad kewl wif ma komputor" poser sense, for it no longer means anything.
Re: (Score:2)
I know this is a bold claim from somebody that's merely 31 years old, but no, that etymology does not hold. The word hacker was always at best neutral, and that's a stretch -- it was realistically negative, albeit usually carrying the implication of shoddy workmanship rather than a malicious intruder. The notion of hacker as meaning a black-hat goes back at least 40 years.
Re: (Score:2)
I know this is a bold claim from somebody that's merely 31 years old, but no, that etymology does not hold. The word hacker was always at best neutral, and that's a stretch -- it was realistically negative,
It would be a more believable claim if you had cited evidence to back it up, but instead for some reason you gave us reasons not to believe you. It's like you're debating yourself!
The notion of hacker as meaning a black-hat goes back at least 40 years.
The notion of a hacker as a positive thing, someone who tries to deeply understand the system, goes back 50 or 60 years (look up the TMRC or even look for 'hacker' in the jargon dictionary for a citation).
Re: (Score:2)
I know some people use it more widely, but I always thought it referred specifically to the writing profession - novelists, journalists etc.
Euwww! (Score:2)
He got sloppy seconds!
2 things (Score:2)
Re: (Score:2)
Aren't poking around in a system, and slurping passwords two different things?
Poking and slurping both sound a bit kinky. But snorting passwords is definitely illicit.