Stupid Whitehat Tricks

Presented at HOPE X (2014), July 20, 2014, 5 p.m. (60 minutes)

How can you improve security at companies that haven't hired you or given you permission to test their systems? Non-intrusive methods such as Google searches and observing HTTP headers can detect some serious problems without trespassing on networks. Sam found problems at thousands of websites, including dozens of companies and big-name colleges that are currently under hostile control. These problems included SQL injection, website redirectors, WordPress pingback exploits, and more. Many of the systems were being used by criminals to perform attacks. He notified the companies. Most ignored the notifications; some fixed the problems, a few complained, and one made a serious effort to silence him. In this talk, Sam will show how he found the problems, how he notified the administrators, and how they reacted. Whitehatting can be useful and rewarding, as long as you have realistic expectations and a thick skin.
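As an added illustration of the "observing headers" approach the abstract describes (example code written for this page, not Sam Bowne's tooling, and not a reconstruction of how he found any specific site): a single ordinary GET response carries passive indicators such as an X-Pingback header, which advertises a WordPress XML-RPC pingback endpoint, and version strings in Server or X-Powered-By. The sample response below is constructed, and example.org is a placeholder host.

```python
import re

# Constructed sample HTTP response (not captured from any real site).
# The host example.org and the version strings are placeholders.
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Apache/2.2.15 (CentOS)\r\n"
    "X-Powered-By: PHP/5.3.3\r\n"
    "X-Pingback: http://example.org/xmlrpc.php\r\n"
    "Content-Type: text/html; charset=UTF-8\r\n"
    "\r\n"
    "<html><body>hello</body></html>"
)


def parse_headers(raw):
    """Split a raw HTTP response into (status line, {lower-cased name: value}).

    Only the header block before the first blank line is examined; the body
    is ignored, since a passive check needs nothing from it.
    """
    head, _, _ = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    status = lines[0]
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:  # skip malformed lines with no colon
            headers[name.strip().lower()] = value.strip()
    return status, headers


def passive_findings(headers):
    """Return (kind, detail) tuples for indicators visible in headers alone.

    - 'wordpress-pingback': an X-Pingback header names an XML-RPC endpoint.
      This only shows the endpoint is advertised; it is not proof the site
      can be abused, and confirming that would require an active request.
    - 'version-disclosure': Server or X-Powered-By reveals a version number,
      which lets an attacker match it against known issues without probing.
    """
    findings = []
    if "x-pingback" in headers:
        findings.append(("wordpress-pingback", headers["x-pingback"]))
    for name in ("server", "x-powered-by"):
        if name in headers and re.search(r"\d+\.\d+", headers[name]):
            findings.append(("version-disclosure", f"{name}: {headers[name]}"))
    return findings


if __name__ == "__main__":
    status, hdrs = parse_headers(SAMPLE_RESPONSE)
    print(status)
    for kind, detail in passive_findings(hdrs):
        print(f"{kind}: {detail}")
```

The check stops at the headers a normal visitor already receives; it never sends a crafted pingback or any payload, which is the line the talk draws between observing and trespassing. A finding here is a reason to notify the administrator, not a confirmed vulnerability.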


Presenters:

  • Sam Bowne
    Sam Bowne has been teaching computer networking and security classes at CCSF since 2000. He has given talks at Defcon, BayThreat, LayerOne, Toorcon, and lightning talks at HOPE. He has a CISSP and a PhD and a lot of computers and cables and firewalls and stuff.
