Amateur pentester exploits client vulnerability, gets his door kicked in by FBI

This is why they say that the number one rule of pentesting is to get senior management approval in writing.

In his words: How a whitehat hacked a university and became an FBI target | Ars Technica

Basically, a guy who worked as a developer (for a company that had the University of Maryland as a client) realized that the university had some major security vulnerabilities that exposed a database full of SSNs and other PII. After he realized that his company wasn't planning to do anything about the vulnerability, this guy exploited it and posted some of the information, including the university president's SSN, to Reddit. Then the FBI kicked in his door...

Find more posts tagged with

Save $250 on 2025 certification boot camps from Infosec!

Book now with code EOY2025

Button

Comments

GarudaMin

I didn't read the article. But based on what you wrote, this has nothing to do with getting approval in writing. This is about ethics of that developer. Even if one is frustrated in the fact that his/her company is not doing anything, it is not the right way to expose those the way that developer did.

ratbuddy

What an absolute moron. He broke the law, simple as that.

iBrokeIT

That guy was getting paid as a professional but acted like an amateur in many ways. He certainly had the technical skills and knowledge to be a professional but he lacked the maturity and communication skills to effectively get his point across. I really have a hard time feeling sympathy for him.

Starting to see this more and more where "IT pros" get too emotionally attached to the network they are paid to manage leading to their down fall and possibly ruining their careers. Anyone remember Terry Childs?

chopsticks

Agree. That's rule No. 1 before any pentesting can be carried out. It's a regrettable thing because his guy meant well and is talented.

NovaHax

He definitely didn't approach it correctly. It may have even been overlooked if he delivered the information to the right person in confidence. But disclosing to Reddit DOES NOT make you a white-hat.

stryder144

Pure and simple, he is an idiot. I think he wanted to be congratulated but the information fell on deaf ears. Not an uncommon issue. To take things into his own hands, and posting it publicly, is plain wrong.

tpatt100

Sounds like somebody had some issues with not being taken seriously.

Shdwmage

He wanted to be hailed a hero like the traitor Edward Snowden. He crossed a line one simply doesn't walk back over. There are many different moronic things he could have done that wouldn't have landed him in as hot of water.

Truth be told if I found a security breach so severe and it wasn't being addressed I would feel compelled to do something. I'd go the media as an anonymous source, but I wouldn't show them any of the social security numbers or anything like that. Especially in a case of a large amount of valuable data to be exposed.

Frankly I'm of the belief that all breaches to security leading to the possible leak of data should be reported publically. So many companies don't care about our privacy, and only worry about their bottom line. The only way its going to get better is if people start speaking up more. Until it affects their bottom line, most companies won't move on it.

jesseou812

Shdwmage wrote: »

He wanted to be hailed a hero like the traitor Edward Snowden. He crossed a line one simply doesn't walk back over. There are many different moronic things he could have done that wouldn't have landed him in as hot of water.

Truth be told if I found a security breach so severe and it wasn't being addressed I would feel compelled to do something. I'd go the media as an anonymous source, but I wouldn't show them any of the social security numbers or anything like that. Especially in a case of a large amount of valuable data to be exposed.

Frankly I'm of the belief that all breaches to security leading to the possible leak of data should be reported publically. So many companies don't care about our privacy, and only worry about their bottom line. The only way its going to get better is if people start speaking up more. Until it affects their bottom line, most companies won't move on it.

^^^ T h i s ^^^

Devilry

I don't hardly even know what to say, seems very immature; unprofessional doesn't even begin to describe it.

it_consultant

I read the whole article with interest and while I agree that the developer's actions were immature. He was able to hack UMD by googling known PHP scripts called "upload" and found those scripts - from the outside - installed by another hacker. This was after he informed his company of another malicious PHP script he found because he FTP'd the website to his computer and it set off alarm bells on his desktop AV software. In other words, he had to rattle a tree very loudly to get them to pay attention. I would have gone to a newspaper instead of reddit, but I would have gone public.

eansdad

it_consultant wrote: »

I read the whole article with interest and while I agree that the developer's actions were immature. He was able to hack UMD by googling known PHP scripts called "upload" and found those scripts - from the outside - installed by another hacker. This was after he informed his company of another malicious PHP script he found because he FTP'd the website to his computer and it set off alarm bells on his desktop AV software. In other words, he had to rattle a tree very loudly to get them to pay attention. I would have gone to a newspaper instead of reddit, but I would have gone public.

You have to remember that even though you know your neighbor has the fake rock where they hide their key next to the door doesn't mean you can go inside. I believe it was Adrian Lamo that hacked sites by going through their own links. What this guy did was stupid. He didn't like the speed at which they were fixing his found security holes so he decided to poke around some more. He should have chalked up the 1st victory on his resume and left it at that. Maybe applied for or tried to move to a security position to work on this issue. His action warrant the unemployment regardless of his intentions simply because if they allowed him to do it then others might try also. He shouldn't be prosecuted, as long as they can back up his story of it was already their and he found it. He might never get a coding job again but maybe he can parlay his recent publicity into a security position with a firm that is willing to take the time to go over proper procedures and boundaries.

aftereffector

Maybe - but I definitely wouldn't hire him for any security job. He strikes me as a vigilante and a liability, not an asset, regardless of his skills.

Bryzey

What about the company?

It's irresponsible to bury your head in the sand when someone brings a problem to you.. Especially considering how valuable information is these days.

colemic

He also publicly exposed PII. It might have been just one person (college president) but that is one too many, and it was reckless and irresponsible. Given the visibility of this, he will have the book thrown at him - hard.

it_consultant

Bryzey wrote: »

What about the company?

It's irresponsible to bury your head in the sand when someone brings a problem to you.. Especially considering how valuable information is these days.

I lean towards this a little bit too, the problem was he went to reddit - bad move. He should have gone to the State Attorney General or Inspector General or even the police. He had evidence of criminal activity (the uploaded scripts he utilized) so there were other avenues he could have pursued. I am less inclined to think he should have the book thrown at him, the real problem is/was the University.

YFZblu

Ah, ColdFusion - The gift that keeps on giving. Two thoughts:

1. I actually feel really bad for his wife, who's life as she knows it is crashing down on her.
2. Disclosure sucks - I used to get up in arms when I would see things like this during the course of my work. I'm not going to blame him for what he did, because I know how easy it is to get to your tipping point. A smarter move would have been to go to the FBI, IMO.

linuxlover

^^ Disclosure of confidential data for greater good is one thing, revealing some personal information of your boss is just stupid. How do you ever expect to be working again after something like this? Didn't he think about what's going to happen after he clicks the Send button? Jesus Christ, some people are seriously stupid.

bobloblaw

Dumb dumb dumb dumb dumb dumb.

MTciscoguy

I have to say, the exuberance of youth has clouded this persons mind, there are better ways to expose security problems without black listing yourself for the rest of your life. Technology information has a way with sticking with your forever, this was not a smart move on his part, all of that work down the tubes, even hacking for the greater good is really bad in this day and age.

DAVID Q

This is a and example of an individual being stupid-smart and smart-stupid. I myself can somewhat relate to this guy even though I'm not a hacker. I think he meant to use some form of common-sense a combination of ( logic & emotions ) to make the best decision , but being a busy-body and arrognant while seeking fame and attention at the same time dominanted this testers mental make-up when it came to making a life turning career decision at the end of the day.

Like I said before this is a bad case of when smart people make dumb decisions. It may even have something to do with emotional-intelligence I don't know someone tell me?