
Tag: penetration testing

This website was archived on July 20, 2019. It is frozen in time on that date.
Exolymph creator Sonya Mann's active website is Sonya, Supposedly.

Hacking as a Business

Update 1/19/2018: The interviewee asked me to redact his identity from this blog post, and I obliged.

[Redacted] describes himself as a “web application penetration tester.” I asked him a bunch of questions about what that entails. [Redacted] answered in great depth, so I redacted my boring questions, lightly edited his answers, and made it into an essay. Take a tour through the 2000s-era internet as well as a crash course in how an independent hacker makes money. Without any further ado, here’s the story…


Origin Story

I got into my line of work when I was thirteen, playing the game StarCraft. I saw people cheating to get to the top and I wanted to know how they did it. At first I wasn’t that interested in programming, purely because I didn’t understand it. I moved my gaming to Xbox (the original!) shortly thereafter and was a massive fan of Halo 2. Again, I saw people cheating (modding, standbying, level boosting) and instantly thought, “I want to do this!” I learned how people were making mods and took my Xbox apart to start mucking with things.

I moved away from Xbox and back to the computer (I can never multitask). Bebo was just popping up. With an intro to coding already, I saw that you could send people “luv”. Based on my mentality from the last two games I played… I wanted the most luv and to be rank #1. I joined a forum called “AciidForums” and went by the names [redacted] and [redacted]. Suddenly I was surrounded by people who shared my interests. I started to code bots for Bebo to send myself luv. My coding got a lot better and so did my thinking path. I’d come home from school and instantly go on my computer — it was a whole new world to me. I still have old screenshots of myself with seventy-six million luv.

As my coding came along I met a lot of different types of people. Some couldn’t code but had ideas for bots; some couldn’t code but knew how to break code. We all shared information and formed a team. Suddenly I became the main coder and my friends would tell me about exploits they found. We got noticed. I’m not sure how, or why, but I seem to always get in with the right people. Perhaps it’s the way I talk or act — who knows. I made friends with a couple of Bebo employees. They were interested in how I was doing what I was doing.

This was my introduction to hacking and exploiting. I moved on from Bebo after coming to an agreement with the company that I’d leave them alone. Sadly my friends and I all lost contact, and it was time to move on.

Next came Facebook. At this point I already knew how to code and exploit. I instantly found exploits on Facebook and started again, getting up to mischief. Along the way I met [redacted] and we became best friends because we share the same ideas and interests. Two years passed and again, my mischief went a bit far, so I got in trouble with Facebook. We resolved the issue and I vowed to never touch Facebook again.

I guess three times lucky, hey? I moved my exploiting to porn sites. After a year I was finally forced to make peace with the porn site I was targeting. I was getting fed up with always having to stop… but I was also getting annoyed at how easy it was to exploit. I needed a challenge.

I took a year off from exploiting to focus on improving my coding skills. I worked for a few people and also on some of my own personal projects, but it got repetitive and I needed a change. At this point, I was actually arrested by the eCrime Unit for apparently being [redacted] from [a hacking group; name redacted]. The charges were dropped since I was innocent. My former friend [redacted] was in prison for hacking so I was feeling quite lonely and not sure what to do. I’ll be honest, he had become like a brother to me.

I kept on coding for a bit, feeling too scared to even look for exploits after what happened to [friend’s name redacted]. (A few years have passed since then — [redacted] is out and he’s learned his lesson.) I knew that hacking was illegal and bad. I’d just like to note that I’ve never once maliciously hacked a site or stolen data, in case you think I was a super blackhat hacker, but the incident also scared me. Especially since I got arrested too.

Because of this and through other life changes, I knew I wanted to help people. I took my exploiting skills and started looking. I found some exploits instantly and started reporting them to companies to let them know, and to also help fix them. 99% of the companies replied and were extremely thankful. Some even sent me T-shirts, etc.

I started targeting a few sites (I can’t name which because we have NDAs now; I’m still actively helping many). By using my words right, I managed to get in with a few people. I started reporting vulnerabilities and helping many companies. Months passed and one company showed a lot of interest in what I was doing. I got invited to fly over to meet them. I knew something was going right at this point, so I knuckled down and put all of my focus on finding vulnerabilities and reporting them to this company. Things were going great and I soon overloaded their team with more than they could handle. I started looking further afield at more sites, and suddenly I was introduced to HackerOne. I saw that LOADS of sites had bounties and paid for vulnerabilities. I instantly knew that this was where I wanted to stay. To this day I am still active on HackerOne, but normally I run in private programs now (better payouts).

Fast forward through a year of exploiting and helping companies and now we’re here. I’ve been a nerd for ten years. Eight years coding, and around seven years exploiting.

Business Practices

For companies that don’t have a bug bounty, I tend to spend thirty minutes to an hour finding simple bugs such as XSS (cross-site scripting) or CSRF (cross-site request forgery). I’ll try to find a contact email and send them a nice detailed email about what I’ve found and what the impact is. I also supply them with information about how they can fix it. I never ask for money or anything over the first few emails — I tend to get their attention first, get them to acknowledge what I’ve found, and get them to agree that I can look for more. At that point I’ll ask if they offer any type of reward for helping them. The majority reply that they are up for rewarding me, due to the amount of help I’ve given them.

After I’ve helped the company for a while and they’ve rewarded me, etc, I usually suggest that they join HackerOne for a much cleaner process of reporting bugs and rewarding me (it also helps my rep on HackerOne). So far two have joined and one started their own private bounty system.

To sum it up, I’ll start off with basic bugs to get their attention, then once I’ve gotten the green light to dig deeper, I’ll go and find the bigger bugs. This helps me not waste my time on companies who don’t care about security. (Trust me, I’ve reported bugs and gotten no reply, or a very rude response!) I like to build a good relationship with companies before putting a lot of hours into looking for bugs. A good relationship with companies is a win-win situation for everyone — they get told about vulnerabilities on their site, and I get rewarded. Perfect.

In case you wanted to know, I’ve helped around ten companies who didn’t have a bug bounty. Nine of them have rewarded me (with either money, swag, or recognition on their website). Only one has told me they don’t offer any type of reward, but welcomed me to look for bugs to help them (pfft, who works for free?). Out of the nine who rewarded me, I’ve built a VERY close relationship with three of them. (Met with one company in January, and meeting with another in June.)

There are two types of companies. Those who simply can’t afford to reward researchers and those who think, “Well, no one has hacked us yet, so why bother paying someone to find bugs?” [Redacted] is probably the worst company I’ve dealt with after reporting a few critical bugs. They rarely reply to bugs, let alone fix them. It took an email letting them know that I was disclosing one bug to the public, to warn users that their information on [redacted] was at risk. After that they finally replied and fixed it.

100% of companies should change their perspectives. Again I’ll use [redacted] as an example. I only really look at their site when I’m bored (which is rarely) and I’ve uncovered a ton of vulns. I wonder what I could find if I spent a week looking for bugs (and if they rewarded me). Companies need to stop thinking, “No one has hacked us yet, so we’re good.”

If a company can’t afford to pay researchers to find bugs, then they should reconsider their business. Hacking is on the rise and it’s not going anywhere anytime soon (if ever). If you honestly can’t afford it, though, then my suggestion (if I was the CEO of a company that couldn’t afford security) would be to run a hackathon within the company. Let the devs go look for bugs and run a competition in-house. Your devs not only learn about writing secure code, but it’s fun too!


Many thanks to [redacted] for writing great answers to my questions.

Cybersecurity Tradeoffs & Risks

Kevin Roose hired a couple of high-end hackers to penetration-test his personal cybersecurity setup. It did not go well, unless you count “realizing that you’re incredibly vulnerable” as “well”. In his write-up of the exercise, Roose mused:

“The scariest thing about social engineering is that it can happen to literally anyone, no matter how cautious or secure they are. After all, I hadn’t messed up — my phone company had. But the interconnected nature of digital security means that all of us are vulnerable, if the companies that safeguard our data fall down on the job. It doesn’t matter how strong your passwords are if your cable provider or your utility company is willing to give your information out over the phone to a stranger.”

There is a genuine tradeoff between safety and convenience when it comes to customer service. Big companies typically err on the side of convenience. That’s why Amazon got in trouble back in January. Most support requests are legitimate, so companies practice lax security and let the malicious needles in the haystack slip through their fingers (to mix metaphors egregiously). If a business like Amazon enacts rigorous security protocols and makes employees stick to them, the average user with a real question is annoyed. Millions of average users’ mild discomfort outweighs a handful of catastrophes.

Artwork by Michael Mandiberg.

In semi-related commentary, Linux security developer Matthew Garrett said on Twitter (regarding the Apple-versus-FBI tussle):

“The assumption must always be that if it’s technically possible for a company to be compelled to betray you, it’ll happen. No matter how trustworthy the company [seems] at present. No matter how good their PR. If the law ever changes, they’ll leak your secrets. It’s important that we fight for laws that respect privacy, and it’s important that we design hardware on the assumption we won’t always win”

Although Garrett is commenting on a different issue within a different context, I think these two events are linked. The basic idea is that when you trust third parties to protect your privacy (including medical data and financial access), you should resign yourself to being pwned eventually. Perhaps with the sanction of your government.

© 2019 Exolymph. All rights reserved.