Slashdot Mirror


'I Hacked Facebook -- and Found Someone Had Beaten Me To It' (theregister.co.uk)

An anonymous reader shares an article on The Register: A bug bounty hunter compromises a Facebook staff server through a sloppy file-sharing webapp -- and finds someone's already beaten him to it by backdooring the machine. The pseudo-anonymous penetration tester Orange Tsai, who works for Taiwan-based outfit Devcore, banked $10,000 from Facebook in February for successfully drilling into the vulnerable system. According to Tsai, he or she stumbled across malware installed by someone else that was stealing usernames and passwords of FB employees who logged into the machine. The login credentials were siphoned off to an outside computer. According to Facebook security engineer Reginaldo Silva, the password-slurping malware was installed by another security researcher who had earlier poked around within Facebook's system in an attempt to snag a bug bounty.

51 comments

  1. Makes sense by fustakrakich · · Score: 1

    May as well exploit the machine for a while before revealing the bug.

    --
    “He’s not deformed, he’s just drunk!”
    1. Re:Makes sense by Anonymous Coward · · Score: 1

      You have to in order to claim the bounty.

      Corporations have a long history of refusing to cough up the cash in bug bounties (or worse, siccing the authorities on the bug bounty hunter). So to protect themselves (and to prove the bug exists), the "official" way to report bug bounties is to steal a bunch of data, rig it to be released to the public in the event the bug bounty hunter fails to "check in" every so often and THEN report it, just in case the company decides to renege on the deal.

    2. Re: Makes sense by liqu1d · · Score: 2

      "Fails to check in"? Suddenly bug bounties sound a lot more sinister than they used to :/.

    3. Re: Makes sense by Anonymous Coward · · Score: 1

      Nah, just five years ago I was threatened by the same person who personally authorized me to hack their organization for a 5 grand prize that they're gonna sue me if I keep digging. Still hurts. What hurts more is that the vulnerabilities are still there. On all the damn servers. The fucking tftp is still open to the world.

    4. Re:Makes sense by Anonymous Coward · · Score: 0

      This sounds like a Shadowrun plot.

    5. Re: Makes sense by Anonymous Coward · · Score: 2, Funny

      Ip address? Just so I can verify your story is true...

    6. Re: Makes sense by Anonymous Coward · · Score: 0

      You weren't hired to find bugs, only to declare none existed. You failed.

    7. Re: Makes sense by radiumsoup · · Score: 1

      you got that authorization in writing, though, right? ...right???

    8. Re: Makes sense by silentcoder · · Score: 1

      They don't call it a "dead man's switch" for nothing.

      --
      Unicode killed the ASCII-art *
  2. Yet another Accellion file appliance hack by Anonymous Coward · · Score: 1

    http://www.nirgoldshlager.com/2013/01/how-i-hacked-facebook-employees-secure.html

    It amazes me that despite all of their problems, so many companies still trust Accellion. I think our installation was $50k.

    1. Re:Yet another Accellion file appliance hack by Anonymous Coward · · Score: 1

      Yeah google for soggycat, this shit's been vulnerable since 2011. This isn't a FB vuln, it's 100% Accellion. What a piece of shit appliance. I'm in the wrong business, I should create a "cloud file upload service" with no security and sell it as an enterprise solution for $50K apiece.

    2. Re:Yet another Accellion file appliance hack by Anonymous Coward · · Score: 0

      There's really no reason to use the hosted, "cloud" version. We rolled out Accellion on prem, local storage is cheap and with stale data being rolled off after X days you hardly need that much free space. And when nobody cares to use it, the per user licencing is actually not bad since it's only concurrent users. Every mailbox doesn't need a licence, unless everybody in the company decides to use it at the same time. But it still is a security nightmare, I can't believe how many .gov's use it.

    3. Re:Yet another Accellion file appliance hack by Z34107 · · Score: 5, Informative

      Holy shit, you weren't kidding. Quoting selected bugs:

      • The appliance ships with UDP port 8812 allowed through the firewall. The port correlates to an internal service that routes messages between backend processes. To authenticate access to this service, all messages must be encrypted with a secret key [...] These two default keys are 123456789ABCDEF0123456789ABCDEF0 and 0123456789ABCDEF0123456789ABCDEF.
      • One of the applications that is exposed through the port 8812 message routing service executes a system command without sanitizing the arguments provided by the requesting application. This allows arbitrary commands to be executed on the appliance. Combined with Issue #1, this allows remote, unauthenticated command execution on the appliance as the "soggycat" user, which is root equivalent.
      • The secure shell daemon is running by default and the system is configured with static passwords for a number of root-equivalent accounts. The "soggycat" user account [...] also has two SSH keys configured for passwordless login. These keys were generated over eight years ago.
      • All internal services communicate through UDP services bound to the 0.0.0.0 address. This exposes the internal workings of the appliance to an attacker with network access to the system. For example, a local user account without administrative rights would still be able to escalate privileges by communicating with these internal services.
      • The rsync daemon allows read/write access to the "soggycat" home directory. Since this user account is root-equivalent, any attacker that can talk to the rsync daemon can take full control of the appliance.

      This is amateur hour, though still better than what runs our power grid and water treatment plants.

      --
      DATABASE WOW WOW
    4. Re:Yet another Accellion file appliance hack by HappyHackerness · · Score: 1

      When ShellShock hit, Accellion was the *LAST* vendor of the many I deal with to patch their product. The LAST. That's pretty sad for a web-facing security product. Shame on them.

  3. cat tongues are like sandpaper by rmdingler · · Score: 4, Funny

    If the universe is indeed a clever simulation, are you now discovering a hack with a hack in a universe that's been hacked and hacked until it resembles an infinity mirror?

    --
    Happiness in intelligent people is the rarest thing I know.

    Ernest Hemingway

    1. Re:cat tongues are like sandpaper by Anonymous Coward · · Score: 1

      Electric sheep dream of me.

  4. It's just to sell toys to the boys by Anonymous Coward · · Score: 0

    Yeah, but if I am the one pointing a gun into his face, I am the winner therefore making the history. I prefer telling that, they are terrorists instead.

  5. A $10,000 reward is peanuts in this context. by BarbaraHudson · · Score: 1

    $10,000 is peanuts for the login credentials of a ton of facebook employees.

    In today's Internet, Facebook hacks YOU!

    --
    "Transparent" is a shit show that trades on every stereotype going. A man in drag is NOT a transsexual.
    1. Re:A $10,000 reward is peanuts in this context. by phantomfive · · Score: 1

      Yeah. That's why the previous hackers decided to steal credentials instead of reporting it.

      --
      "First they came for the slanderers and i said nothing."
  6. code is on comments by Anonymous Coward · · Score: 0

    Take comments generated by bots, what if supposed conversation could be translated to computer code?

  7. What, by Anonymous Coward · · Score: 0

    no lawn joke?

  8. SSH keys by NotInHere · · Score: 2

    Yet another reason why SSH password based authentication is so bad. Both SSH agent forwarding and SSH password based auth are best disabled. Then they can't intercept anything.
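
    An added example, not code from the thread or from any vendor: an offline audit that flags the misconfigurations called out above, both in the quoted Accellion bug list (vendor-default routing keys, internal UDP services bound to 0.0.0.0, years-old SSH keys) and in this post (sshd password authentication and agent forwarding left enabled). The snapshot it runs over is constructed; the two-year key-age limit and the key creation dates are assumptions.

```python
from dataclasses import dataclass
from datetime import date

# The two default message-routing keys quoted in the thread above.
DEFAULT_ROUTING_KEYS = {
    "123456789ABCDEF0123456789ABCDEF0",
    "0123456789ABCDEF0123456789ABCDEF",
}
MAX_KEY_AGE_YEARS = 2  # assumed rotation policy, not something the page states
# OpenSSH defaults for the two sshd keywords this thread argues should be off.
SSHD_DEFAULTS = {"passwordauthentication": "yes", "allowagentforwarding": "yes"}


@dataclass
class Listener:
    proto: str  # "udp" or "tcp"
    addr: str   # bind address
    port: int


def audit_routing_key(key: str) -> list[str]:
    if key.upper() in DEFAULT_ROUTING_KEYS:
        return ["message-routing key is a vendor default"]
    return []


def audit_listeners(listeners: list[Listener]) -> list[str]:
    # Internal-only services should bind to loopback, not every interface.
    return [f"{l.proto}/{l.port} bound to {l.addr} (reachable from the network)"
            for l in listeners if l.addr in ("0.0.0.0", "::")]


def audit_authorized_keys(entries: list[tuple[str, date]], today: date) -> list[str]:
    # entries are (key comment, creation date); authorized_keys carries no
    # timestamp, so the date is assumed to come from inventory records.
    out = []
    for comment, created in entries:
        years = (today - created).days / 365.25
        if years > MAX_KEY_AGE_YEARS:
            out.append(f"SSH key '{comment}' is {years:.0f} years old")
    return out


def audit_sshd_config(text: str) -> list[str]:
    # sshd uses the first value it sees for each keyword; unset means default.
    seen = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        key, _, value = line.partition(" ")
        seen.setdefault(key.lower(), value.strip().lower())
    return [f"sshd {key} is enabled" for key, default in SSHD_DEFAULTS.items()
            if seen.get(key, default) == "yes"]


def run_audit(routing_key, listeners, ssh_keys, sshd_config, today):
    return (audit_routing_key(routing_key) + audit_listeners(listeners)
            + audit_authorized_keys(ssh_keys, today) + audit_sshd_config(sshd_config))


# Constructed snapshot resembling the appliance described in the thread.
SAMPLE_FINDINGS = run_audit(
    routing_key="0123456789ABCDEF0123456789ABCDEF",
    listeners=[Listener("udp", "0.0.0.0", 8812), Listener("tcp", "127.0.0.1", 3306)],
    ssh_keys=[("soggycat@appliance", date(2003, 6, 1)), ("ops-2015", date(2015, 9, 1))],
    sshd_config="# PasswordAuthentication no\nPasswordAuthentication yes\nAllowAgentForwarding no\n",
    today=date(2016, 4, 17),
)

if __name__ == "__main__":
    for finding in SAMPLE_FINDINGS:
        print("FINDING:", finding)
```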

    1. Re:SSH keys by Anonymous Coward · · Score: 0

      fantastic reflexion , im thinking same

      http://imprentaonline-naturaprint.com/imprentaonline/imprenta/

    2. Re:SSH keys by Anonymous Coward · · Score: 0

      Yet another reason why SSH password based authentication is so bad. Both SSH agent forwarding and SSH password based auth are best disabled. Then they can't intercept anything.

      Yet another reason why SSH password based authentication is so bad. Both SSH agent forwarding and SSH password based auth are best disabled. Then they can't intercept anything.

      Yet another reason why SSH password based authentication is so bad. Both SSH agent forwarding and SSH password based auth are best disabled. Then they can't intercept anything.

      fantastic reflexion , im thinking same

      http://imprentaonline-naturaprint.com/imprentaonline/imprenta/

    3. Re:SSH keys by Anonymous Coward · · Score: 0

      What a bunch of incoherent trash.

      You need a neurologist or a psychologist real bad, buddy.

  9. "Security Researcher"? Really? by Frosty+Piss · · Score: 4, Interesting

    According to Facebook security engineer Reginaldo Silva, the password-slurping malware was installed by another security researcher who had earlier poked around within Facebook's system in an attempt to snag a bug bounty.

    And this is why I have a problem with this whole "terminology" of the so-called "security researcher". Facts are facts and whoever it was that installed and left malware that "slurped" passwords and usernames clearly was not a "security researcher", but rather a run-of-the-mill hacker, or call him (almost certainly a him) whatever you want, but NOT a "security researcher".

    --
    If you want news from today, you have to come back tomorrow.
    1. Re:"Security Researcher"? Really? by Frosty+Piss · · Score: 4, Insightful

      Don't call him hacker either after all "hacker" is a positive term...

      You know as well as I do that is "politically correct" garbage. Good or bad, a hacker is a hacker, and "cracker" is a made-up term. Now, if you want to assign hat color (white, black), feel free. But please do give me this crap that a "black hat" hacker is not a hacker but rather something else because you want to reserve the Hip And Trendy term hacker for yourself... Seriously. That's bullshit.

      --
      If you want news from today, you have to come back tomorrow.
    2. Re:"Security Researcher"? Really? by NotInHere · · Score: 1

      Same argumentation works for "Security Researcher" too. The evil Russians who built the nuclear bombs were "researchers" too. And only because the commercial criminal who hacked into the Facebook servers wasn't a white hat we shouldn't be prevented from calling him security researcher.

    3. Re: "Security Researcher"? Really? by Anonymous Coward · · Score: 0

      Trendy? The term hacker has been used for over 40 years! And it's been used to describe people who *don't* do malicious things for much of that time.

    4. Re:"Security Researcher"? Really? by phantomfive · · Score: 2

      Good points. A hacker can be good, or a hacker can be bad.

      --
      "First they came for the slanderers and i said nothing."
    5. Re: "Security Researcher"? Really? by Anonymous Coward · · Score: 0

      Politically they use the term white, black, grey hacker. But the true term to this is a hacker is someone that is exploring multiple possible routes and ideas to what they can achieve with a certain product or software to either understand or make for another purpose. A cracker, also known as a black hat, is someone that does this similar to a hacker but does this for either personal gain or another purpose which is usually for profit.

    6. Re:"Security Researcher"? Really? by Anonymous Coward · · Score: 0

      Strange indeed... Hmmmm.... Then tell me, why did all the C64 pirate groups in the mid to late 80's refer to themselves and others alike as cracker-groups?
      I bet the word "Hacker" changed from a tinkering-with-hardware-only term to breaking-the-security-on-software when the media and press began using the word in the present terminology. Let's say... The mid-90's perhaps. The word "cyberspace" is wrongly used as well.

    7. Re:"Security Researcher"? Really? by Anonymous Coward · · Score: 0

      What in gods name are you on about?
      He is totally a security researcher.
      Breaking into secure installations doesn't automatically make it Pure Good, it is a heavily grey area even when sanctioned.
      Just because the previous person also happened to install a backdoor doesn't change the fact that he was researching the security systems of Facebook in hopes of payment on top of stealing credentials.
      Loads of things like this happen in the industry from seemingly innocent people, even in face-to-face situations.
      Hell, you've surely heard of the malicious sysadmins holding companies hostage because they got fired, or the programmers that deliberately make their coding obscure so that the company will need to depend on them till the End Of Time itself.
      People are dicks. Deal with it. Doesn't nullify their job position.

      Just because you don't like it, doesn't make it untrue.
      Same goes for all the cry-babies trying to say Hacker isn't the correct term for someone hacking (not cracking) because my hurt fee-fees.

    8. Re: "Security Researcher"? Really? by Anonymous Coward · · Score: 0

      Cracker is the term used for someone who breaks copy protection such as used on games.

    9. Re:"Security Researcher"? Really? by Anonymous Coward · · Score: 0

      I hacked my phone, car, and TV so that I could control the software on it and disable privacy invading malware from the manufacturer. Am I evil?

    10. Re: "Security Researcher"? Really? by Bob_Who · · Score: 1

      .... A cracker also known as a black hat is someone that does this.....

      Aren't crackers white?

  10. Terminology by Anonymous Coward · · Score: 0

    I love the term "security researcher." It is very endearing yet humble. Though I wish the official name was little more powerful.

  11. Heh, penetration tester by Anonymous Coward · · Score: 0

    Maybe it's just because it's midnight Saturday and I'm home reading Slashdot, but when I read "penetration tester" I pictured something else and wondered if there is a scenario where that could become an actual job. Ah well, at least I still have enough sense to post this as anon.

  12. Nope. In this, you and the majority loses. by Anonymous Coward · · Score: 1

    Nope. Hat colour is a sign that the guys using the term have forgotten what it means entirely and are now just as confused as you always were. The problem with the security industry is that it's a bunch of script kiddies. Nothing more. There is no depth at all in the industry anywhere. Hence, no success except make-believe.

    They are not hackers in any sense. Not a hacker in the older positive sense. Not a hacker in the "look ma Ima bein k-rad kewl wif ma komputor" poser sense for it no longer means anything at all -- see "hat colour". Not "researcher", since they're just doodling along. Not "scientist" since computer science already isn't and computer security science much less so, amazing how that is possible. (Go on, ask Abelson and Sussman how that works.)

    So your use is in fact the "hip and trendy" bullshit, incited by hollywood and breathless but content-free reporting and marketeering, including the "ETHICAL" shouting match and the hat colour shtick. Hacker in the original sense was a meritocratic term, but has been smudged into unusability. Note that anybody calling themselves a hacker already were posers under the old term. We just have many more posers now, o child of '93. Hacker in the "dodgy stuff with a computer" sense always was the tool of the computer-illiterate wannabe, the script kiddie, the poser, the reporter, the nitwit. In that sense, hacker is very meta-useful, for it instantly tells us what you are. We know now, so thanks for that, I suppose.

    1. Re:Nope. In this, you and the majority loses. by Your.Master · · Score: 1

      I know this is a bold claim from somebody that's merely 31 years old, but no, that etymology does not hold. The word hacker was always at best neutral, and that's a stretch -- it was realistically negative, albeit usually carrying the implication of shoddy workmanship rather than a malicious intruder. The notion of hacker as meaning a black-hat goes back at least 40 years.

    2. Re:Nope. In this, you and the majority loses. by phantomfive · · Score: 1

      I know this is a bold claim from somebody that's merely 31 years old, but no, that etymology does not hold. The word hacker was always at best neutral, and that's a stretch -- it was realistically negative,

      It would be a more believable claim if you had cited evidence to back it up, but instead for some reason you gave us reasons not to believe you. It's like you're debating yourself!

      The notion of hacker as meaning a black-hat goes back at least 40 years.

      The notion of a hacker as a positive thing, someone who tries to deeply understand the system, goes back 50 or 60 years (look up the TMRC or even look for 'hacker' in the jargon dictionary for a citation).

      --
      "First they came for the slanderers and i said nothing."
    3. Re:Nope. In this, you and the majority loses. by Anonymous Coward · · Score: 0

      The English language evolves over time. A hacker is now someone who attempts to gain access to systems they're not permitted, or performs actions in that system of which they're not permitted.
      Whilst I would have liked to keep hacker as a positive term, the battle is lost, give it up already! (Targeted at NotInHere, if you're only posting facts and not advocating the use of hacker as a positive term)

    4. Re:Nope. In this, you and the majority loses. by Anonymous Coward · · Score: 0

      Isn't that referring to someone as a hack, which still holds its meaning today?

    5. Re:Nope. In this, you and the majority loses. by Anonymous Coward · · Score: 0

      It's worse than that. A "hacker" is someone who (possibly, maybe, who even knows who they are?) "hacks", and "hacking" is now... anything probably vaguely bad-ish, like, we don't know, like, but it's probably no good, so y'better not b'doin' that, y'hear. GIT OFF MA COMPUTOR.

      It's a term instantly identifying the speaker as one or both of: A smooth talker trying to pull a fast one, ie. someone from a "computer security" outfit, or someone who plain doesn't know what he's talking about. You know, someone who thinks "cpu" is the box underneath the monitor, and so "cpu holder" is a legitimate term for that thing holding the case off the floor. That may have been true in PDP days, it hasn't been true in a long while.

      You can see it in the news, too, where many many companies faced with very visible and embarrassing computer trouble will instantly go "it was hackers!" and quite often it turns out it was an inside job or general incompetence instead. It's a scapegoat that's conveniently unknown and often unknowable, so the blame just up and vanishes into thin air, right?

      Except it doesn't, quite. What it does do instead is tarnish a once useful term where most of the time "internet crook" would have been a better fit for conveying what we do know. Yes, despite its bland generality, for so often we really don't know more. Except that's boring, and "hacker" sounds more dangerous-like, so we can write breathless headlines around the bare fact that the writer doesn't know enough to fill an informative press article with. It's so bad that you can safely s/hacker/smurf/g, s/hacking/smurfily smurfing/g and you've lost nothing of substance in the uttering. In fact, you've added actual worthwhile content to it. Minimally worthwhile, but still AUs ahead of what was in there before.

      This is what is wrong with computer security today. They really are Purveyors of Imperial Textiles and other Shoddy Goods. And the computer-related press in particular, with general media taking their cue from there and from hollywood, are perpetuating this sad state of affairs. So no, they're not "hackers", as that could apply to anyone, and they're not "security researchers", because their research isn't.

      They are "script kiddies", because all their "hacks" are minute variations on a particular kind of security exploit, in fact often found mechanically or sometimes even right out in the manufacturer's manual. And yes, that includes such luminaries as Eugene "internet passport" Kaspersky and John "international drama queen" McAfee.

      Just saying "oh yeah but English evolves" is no excuse for this bare fact and glaring problem. In fact, computer security is going nowhere because all the posers, and "hacker" is being deliberately used to cover it up for the uninitiated. Which includes the s'kiddies who make up the bulk of the work force in the industry, but hey, like any good consultant making a dime off prolonging the problem, it's a living, right?

      So I'm saying, yes, I know what the status quo is. No, it's no good, because it's getting us nowhere. Stop using the terms "hack", "hacking", "hacker", and so on, stop using them entirely and say what you know instead. Yes, you will find it's very little. That's the fscking point of the exercise, as it forces us to get a handle on the problem of computer security.

      Unless you perhaps like your breathless uninformative non-reporting with a side of drive-by-downloads and malvertising?

    6. Re:Nope. In this, you and the majority loses. by Hognoxious · · Score: 1

      I know some people use it more widely, but I always thought it referred specifically to the writing profession - novelists, journalists etc.

      --
      Confucius say, "Find worm in apple - bad. Find half a worm - worse."
  13. Euwww! by Hognoxious · · Score: 1

    He got sloppy seconds!

    --
    Confucius say, "Find worm in apple - bad. Find half a worm - worse."
  14. 2 things by AndyKron · · Score: 1

    Aren't poking around in a system, and slurping passwords two different things?

    1. Re:2 things by Bob_Who · · Score: 1

      Aren't poking around in a system, and slurping passwords two different things?

      Poking and slurping both sound a bit kinky. But snorting passwords is definitely illicit.

  15. Fock this by Anonymous Coward · · Score: 0

    I remember a time when fscking was something only a sysadmin would do, to resolve corruption. Oh, how the terminology has fallen, for such a noble and functional term to become a weak cuss word.