![Page 1: Whitehat Vigilante BayThreat Dec. 10, 2011. Executive Summary This talk has no – Demos – Exploits – 1337ness It's just a sermon about social skills –](https://reader036.vdocuments.net/reader036/viewer/2022062409/5697bff91a28abf838cc0062/html5/thumbnails/1.jpg)
Whitehat Vigilante
BayThreat, Dec. 10, 2011
Executive Summary
• This talk has no
– Demos
– Exploits
– 1337ness
• It's just a sermon about social skills
– Ethics
– Legality
– Attitude
Bio
PBS Hacked
Attitudes
Blend In: Hide
Image from presenceinbusiness.com
Make Your Own Rules
Images from listentoleon.net & anpop.com
Cyber-Terrorists / Masked Mobs
• Create fear
• Cause paranoia
• Intimidate critics into silence
Lone Vigilantes
Nobody's Right if Everybody's Wrong
Buffalo Springfield image from freewebs.com
The Middle Way
Laws
From cybercrime.gov
CISSP Code of Ethics
Cold Calls
Find Vulnerable Sites Dumped on Pastebin
Verify the Vulnerability
• Do NOT explore any further
• Actually injecting commands is a crime
Find a Contact Address
My Letter
Letter Design
• Simple management-level summary of the problem
• No technical details
• Give your real name & contact information
• Don't demand anything
• Don't make any threats
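The mechanical part of the cold-call procedure above (take a vulnerability someone else has already dumped, verify it from that one published request without probing further, and work out who at the site to write to), as an added example that is not code from the talk. The paste text, response bodies, hostnames and security.txt are all constructed; the RFC 2142 role mailboxes are standard, and consulting security.txt (RFC 9116) is an assumption about current practice that the slides do not mention.

```python
"""Cold-call triage helper: added example, not code from the talk.

Inputs are URLs somebody else already published, the body each returned
when loaded once, and (optionally) the site's security.txt. Everything
below is constructed; nothing is fetched.
"""
import re
from dataclasses import dataclass, field
from typing import Optional
from urllib.parse import urlsplit

# Error text back ends leak when the stray quote in a published URL breaks a
# query. Seeing it in the response to the URL *as published* is the whole
# verification; changing the payload is the "exploring further" to avoid.
DBMS_ERROR_SIGNATURES = {
    "MySQL": re.compile(
        r"You have an error in your SQL syntax|mysql_fetch_(array|assoc)\(\)", re.I),
    "Microsoft SQL Server": re.compile(
        r"Unclosed quotation mark after the character string|"
        r"\[Microsoft\]\[ODBC SQL Server Driver\]", re.I),
    "Oracle": re.compile(r"\bORA-\d{5}\b"),
}

# RFC 2142 role mailboxes, tried when the site publishes nothing better.
ROLE_MAILBOXES = ("security", "abuse", "webmaster", "postmaster")


@dataclass
class ColdCall:
    url: str        # exactly as it appeared in the public dump
    dbms: str       # engine named by the error signature
    contacts: list = field(default_factory=list)

    @property
    def host(self) -> str:
        return urlsplit(self.url).hostname or ""


def parse_dump(text: str) -> list:
    """Extract http(s) URLs from pasted text, keeping order, dropping duplicates."""
    seen, urls = set(), []
    for match in re.finditer(r"https?://[^\s<>\"]+", text):
        url = match.group(0).rstrip(".,;)")
        if url not in seen:
            seen.add(url)
            urls.append(url)
    return urls


def identify_dbms(response_body: str) -> Optional[str]:
    """Name the database whose error text appears in the body, or None."""
    for dbms, pattern in DBMS_ERROR_SIGNATURES.items():
        if pattern.search(response_body):
            return dbms
    return None


def contacts_for(host: str, security_txt: Optional[str] = None) -> list:
    """Addresses to try, best first: security.txt Contact lines, then RFC 2142
    role mailboxes. The domain split (last two labels) is naive; hosts such
    as example.co.uk would need a public-suffix list."""
    contacts = []
    for line in (security_txt or "").splitlines():
        if line.lower().startswith("contact:"):
            value = line.split(":", 1)[1].strip()
            contacts.append(value[7:] if value.lower().startswith("mailto:") else value)
    labels = host.split(".")
    domain = ".".join(labels[-2:]) if len(labels) >= 2 else host
    contacts.extend(f"{role}@{domain}" for role in ROLE_MAILBOXES)
    return contacts


def triage(dump: str, responses: dict, security_txts: Optional[dict] = None) -> list:
    """One ColdCall per published URL whose single captured response shows a
    database error. `responses` maps URL -> body from loading it once; a URL
    with no captured body is skipped, never fetched here."""
    security_txts = security_txts or {}
    calls = []
    for url in parse_dump(dump):
        body = responses.get(url)
        dbms = identify_dbms(body) if body is not None else None
        if dbms is None:
            continue  # not clear-cut: neither report it nor poke at it
        host = urlsplit(url).hostname or ""
        calls.append(ColdCall(url, dbms, contacts_for(host, security_txts.get(host))))
    return calls


# Constructed sample inputs; example.* domains are reserved for documentation.
PASTE = """# constructed dump, not a real paste
http://www.example.com/news.php?id=12'
http://www.example.com/news.php?id=12'
https://shop.example.org/item.aspx?sku=77'
http://www.example.net/about.html
"""
RESPONSES = {
    "http://www.example.com/news.php?id=12'":
        "Warning: mysql_fetch_array() expects parameter 1 to be resource ... "
        "You have an error in your SQL syntax; check the manual ...",
    "https://shop.example.org/item.aspx?sku=77'":
        "Server Error in '/' Application. Unclosed quotation mark after the "
        "character string '77'.",
    "http://www.example.net/about.html": "<html><body><h1>About us</h1></body></html>",
}
SECURITY_TXTS = {
    "shop.example.org": "Contact: mailto:security-team@example.org\nExpires: 2030-01-01T00:00:00Z\n",
}

if __name__ == "__main__":
    for call in triage(PASTE, RESPONSES, SECURITY_TXTS):
        print(f"{call.host}: {call.dbms} error on published URL; write to {call.contacts[0]}")
```

The about.html entry is deliberately a clean page: with no error signature in its one captured response the site is dropped from the list, not probed with a second request. The contact list and the ColdCall record are all the letter needs, since the letter itself carries no technical detail.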
Pilot Study
• 3 days after notification
• 7/23 fixed (30%)
– http://samsclass.info/lulz/cold-calls.htm
Student Projects
• Done by CISSP-prep students at CCSF
• Contacted over 200 sites with SQL injections
• More than 15% of them were fixed
Major Breaches or Vulnerabilities
Breaches or Vulnerabilities I Reported
• FBI (many times)
• UK Supreme Court
• Chinese Government
• Police departments (many of them)
• Other Courts
• CNN, PBS
• Apple
• Schools (many of them)
I Sought Personal Contacts
CERT
Positive Results
• Several good security contacts inside corporations, law enforcement, and government agencies
• Many problems fixed, several before they were exploited
Negative Results
• A few of my Twitter followers were offended and suspicious when I found so many high-profile vulnerabilities so fast
• Accusations
– Performing unauthorized vulnerability scans
– Peddling bogus security services
– Betraying the USA
• All 100% false & baseless
Ethics Complaint
Fortuitous Timing
Recommendations for Cold Calls
Be Respectful
• No abuse or criticism
• Sincere desire to help
• Accept being ignored without protest
• Demand nothing
• Respect their right to leave their servers unpatched
Be Right
• Report clear-cut vulnerabilities, widely understood and important, like SQL Injection
• Do nothing illegal or suspicious
– No vulnerability scans
– No intrusion or exploits
– Report only vulnerabilities that are already published by others
Clarity of Purpose
• Genuine desire to help the people you are contacting
• No hidden agenda
– Desire to sell a product
– Desire to belittle or mock
– Dominate and control others
– Plans to attack sites yourself
– Revenge
Expect Abuse
• If you become visible in the hacking community, you are a target
• It doesn't matter what you say or do
• Many hackers are arrogant, insecure, and emotionally immature
Be Fearless
• Understand the importance of the sites you are helping
• Are they worth more than your
– Inconvenience
– Time expended
– Exposure to criticism and humiliation
Acknowledgements
• I am very grateful for the support of CNIT, MPICT, and CCSF
• Especially
– Carmen Lamha
– Maura Devlin-Clancy
– Pierre Thiry
– James Jones
– Tim Ryan
• It would be much simpler to just fire me than to support my mad actions