Tuesday, June 26, 2007

Security and its ethics

'Cool I hacked some site! I must now tell the owner (whoever that may be) how he should fix his bogus security.. and of course, what a 1337 H@xor I am!'..

When I find SQL injections, most of the time I don't even bother telling the owner of the site, unless, of course, it's something big and important, and lives are (or my money is) at stake. Most of the time you get a lame reply or none at all.. and this made me think.

Finding security leaks is fun for me, it's a challenge. When I'm actually IN, I lose interest real fast. The rush you get, when you get closer and closer, is the best there is! The thing is.. telling the owner you were in his backend, proving it with pretty screenshots, is roughly equivalent to forcing your way into his living room and sending him a postcard afterwards (with you in it.. on his couch.. watching his p0rn). What more can we expect but a pale-faced: "Thank you for not telling anyone.."?

This is different for the bigger companies. They have the beauty of bureaucracy! This is just a fancy word for: "Hi Boss, I didn't do it, it was that guy over there.. oh wait.. he quit a few weeks ago.. you want me to fix it? I'd be happy to!"

This is even more different for the really big companies with a security team on top. They tend to sue you to death, or if they are really impressed, hire you! (probably worse)
Just picture yourself in a bank vault, explaining your 'bendy paperclip technique' that allowed you to open the door while disabling any surrounding cameras or alarms.. pure horror!

So.. it's better to not say anything.. is it? Well no.. the best thing I can think of is, just be real careful when you do tell. Don't try to be the all-knowing hacker that saved them from a pitiful doom. Just tell them what you do, why you do it, and... what you did :)

Or even better, contact them in advance, ask them if it's OK. I did it a few times, it works great. The only problem is that this approach kind of kills the ninja feeling of it all.. but that's just me, I guess.

3 comments:

Anonymous said...

Awesome plugin, but dude, you need to write a whole book on its use, as lame n00bs like me are lost with what to do with it beyond split URL and Execute.

Which I did try, I must confess, on one site called HackTheBackUpBox(dot)net, part of the Hackthissite(dot)org ring of sites, which I found hilariously funny when it actually succeeded in pwning his (epoch's) forum.

I must confess the XSS cross site scripting features designed into the plugin are pure mind candy and have me dribbling with 'want to learn'. I need to brush up on my PHP and SQL remote code execution but man, what an awesome attachment to have with Firef0x.

It's come in handy a few times, one time I can think of was on another site which I applied to for a job (heaven forbid) and they wrote back telling me I needed more experience for a helpdesk job, as apparently they only hire people with a Masters of Science so my certificates from Microsoft don't really count (for a helpdesk?).

It had me laughing no end to replace their advertisement with "BEEP... We're sorry but the webpage of the Village idiot that you are trying to access would appear to be offline at present, please try again later!"

I wonder if they still feel I need more experience?

Absolutely awesome plugin but it needs a tutorial for the neophytes.

That part about pulling up SQL tables has me drooling... But as you yourself said, a lot of the time they forget to change the defaults of Login SYSTEM, Pass MANAGER.

There is no patch for human stupidity!

*PhJeAr TeH LeEt HaXoRz 4 We CaMe fRoM OuTtEr SpAcE 2 InVaDe JoOr InNeR sPaCe*

There's a guy living in the same building as me who used to pentest his way into banks and financial companies, and is he gainfully employed? No, poor bugger keeps getting told he's overqualified, and I do like the way he remapped my user space onto the root space, that was a revelation in how to exploit a shell.

Can't get over that one, the guy who wrote the 't0rn' rootkit lives next door to me... We'll have to put our heads together and create a symphony.

Hey there DEVEL, if you haven't stuck your nose in a copy of hackthiszine I highly recommend it, simply because it's full of glorious PHP ideas that'll blow your mind... But this is nothing new, people who get good ideas are often overlooked and ignored, the establishment frowns at us, but we in turn frown at the establishment.

~Jimmy_Riddle of teh !HTS 'Hacking the Planet since 1998'

Anonymous said...

Hi,

I have tried your plug-in, but I was looking at the bug in Firefox.
I am not able to submit the full path of a file. FF3 is stripping out the rest of the link except the filename.
Could you please help me to fix this bug in Firefox 3?
Is there any script to do that?

Related sites: http://support.mozilla.com/tiki-view_forum_thread.php?comments_offset=0&comments_threadId=0&comments_parentId=91513&comments_threshold=0&thread_sort_mode=commentDate_asc&forumId=1&time_control=86400

Thanks
Abhinav

Unknown said...

hi...
good plugin for a naive ethical hacker like me....but could someone explain how exactly to use it to its full extent....as of now I only split and execute...I don't understand a damn about its full functionality....