Edit: pardon the tone, I understand that these types of problems are very very hard to solve because they aren't purely technical and involve humans.
- nginx version disclosed in headers
- "Feature-Policy" header missing
- DNSSEC not set up on zone
- Domain not in HSTS preload list
Responding to this sort of thing with "not a vulnerability" is intensely difficult because of the potential for a PR backlash about "poor security" from people who just don't know better, particularly when the company is definitely not a tech company.
PS: remember those days when we were looking for codecs for our Windows players back in the Win95-98-2000-XP days???
- Dump of CVEs for "Web App X" or "Server X", even though literally zero of them apply to the version that I'm currently running.
- Dumps of port scans with warnings like "Running SSH on port 22 is not recommended" and "Server accepts HTTP. Always use HTTPS".
I assume there are tools that generate these reports because the reports use decent English but the accompanying emails are written in very broken English.
Then again my favorite bug back in the day was veritas backup acting as a reverse shell. I only learned of that by running nessus.
I'm having a hard time imagining a scenario where I manage a web server that is accessible to anonymous people running pen scanners on it that has a justifiable reason for broadcasting port 80.
“But there I stood anyway, hoping my requests to load simple web pages would bear fruit, and I could continue teaching basic web principles to a group of vocational students. Because Wikipedia wouldn’t cache. Google wouldn’t cache. Meyerweb wouldn’t cache. Almost nothing would cache.
Imho (and sorry to intervene) it is uninteresting because each of us can and DO run these tools and get the same reports, and since we do care enough, these are low hanging fruits that we have all assessed on day 1, and either addressed, or ignored for a valid reason (e.g. on a client site, someone was making noise for a vuln on a system that was a standalone server, disconnected from any network). I understand that security requires that all layers are secure, but we need to use sense and logic before we start yelling 'fire!! fire!!'.
There are some patterns where I've seen people not get paid just on general principle; for instance, people find systemic issues and, rather than disclosing the root cause, try to claim bounties for every instance of the flaw (you'll get paid, but not for every instance). It's possible that naive development teams sometimes get this confused, and, for example, consider "all XSS" to be a single systemic bug.
> for real companies
I wouldn't consider those entirely equivalent sets. I imagine plenty of startups probably don't fall under the criteria you would consider "real companies", or at least not in the beginning before people have a chance to mature into their roles or flunk out of them.
> the economics of ruthlessly withdrawing bounties don't make sense
The economics of something and how people try to justify it or let their own egos get in the way often don't match. I mean, I still have to kick myself sometimes because while I work at a small company, agonizing over a couple hundred dollars a month in service fee differences is not a good way to spend my time given my hourly rate and the time a more expensive option might save if it does what it says. Ingrained thinking can be hard to overcome.
These days I generally just sit on issues. The work involved in putting together a bulletproof report that can be understood by whoever reads the security alias (could be a security engineer, could be a PHB, could be /dev/null...) is just too high to do for free.
I literally had to twist their arm to get it patched... since it was something to 'reduce friction' which allowed you to steal someone's Bitcoins.
At the time, the POC would have netted me $40 for every person I scammed; today, it's a $400 profit and that tool would generate a QR telling people there's free bitcoin at Coinbase, so I bet you someone would have used it.
Edit: I told my boss if they didn't do shit about it, I would put that QR code with 'Social Engineering' into Facebook ads since it had just started and see how much money I made out of it.
Amazon still doesn't offer a bug bounty program to my knowledge. Also, it's the only cloud provider my active security researcher friends tell me that attempts to regulate them by some weird pen test authorization requirements which are very foreign to industry standards of other cloud providers.
I'm just on the sidelines watching, but there is a difference in how transparent AWS vs. GCP vs. Azure are when it comes to security. GCP > Azure > AWS
Yes, we don't want people to publicize when we fuck up so we'd rather just NDA them to death when they tell us about bugs.
Edit: If you don't accept, we just use the hacking laws in the US to silence you.
Edit: I assume you are speaking as employee of Amazon of course, which is not necessarily true.
just tell the submitter that it is a duplicate
10k was for a bug that had actually been found by the internal test-team on a Friday after a new release on Wednesday. Over the weekend however, a bounty hunter/pen-tester discovered the same thing...
There was some internal discussion (certainly because an internal ticket existed with an extensive discussion) about paying out this bounty - but eventually it was decided to not bother with it and not get a rep of screwing over bounty hunters/pen-testers, certainly because this was a guy they already worked with before, and they had actually informed him and a few others specifically about the new release that Wednesday.
They did inform the guy that the internal testing had already found this, but since it was still open on the public-facing service at the time he reported it, they would pay him.
They closed it with severity 8.8 on hackerone but the bounty wasn’t very high given how serious it was. There’s not really any sorta process for selling your bugs elsewhere though, you know?
Vuln escrow is a trivial problem to solve, just publish timestamped hashes of reports. Anything else is simply inexcusable.
No, but it does suggest that you're likely capable of learning security work. Just like your data structure and algorithm knowledge didn't come for free, nobody is born knowing how to find security problems. You need to work for it.
They have 30+ levels where you ssh into a server and attempt to find some type of vulnerability. They start out very easy and get tough quick. It’s very eye opening to see the types of exploits that exist.
They also have a set of challenges aimed at serverside web security. http://overthewire.org/wargames/natas/ I went through the web challenges last year and they helped a ton in my web dev roles.
Never knew about these. I'm visually impaired, so a text-based system like this appeals. Thanks!
Out of curiosity I visited your first link and played the first dozen+ levels. It's just been bash-fu and occasional man reading/googling. Judging by the subsequent level instructions I went through, there didn't seem to be much more in there. I'm like, if you really want to learn more about shell commands, there are man pages. Admittedly, a game is arguably a good way to tutor a lazy reader. Still, did I miss anything else in there by not finishing the game?
Beside that lower level knowledge of how computer systems work is always worth studying up on.
There are 3 courses they give for it:
1) Computer & Network Security
2) Binary and Malware Analysis
3) Hardware Security
The lower level it gets, the better they are at it. Each course costs 1200 euros for non-EU students. I recommend it.
I learned about (in random order):
- Rowhammer (I hope memory vendors will fix this)
- Cache attacks (I hope Intel will fix this)
- Stack smashing
- String buffer trickery in C
- Spoofing IPs
- DNS cache poisoning
- Using machine learning to fingerprint things
- Dictionary attacks for password cracking
- Cold boot attacks
- Spotting vulnerabilities in C code
- Reverse engineering binaries with IDA Pro and knowing x86 and x64 assembly
- Taint analysis
- Instrumenting binaries with PIN
- Using SMT solvers to crack passwords in binaries
* Lecture notes, slides, and assignments from university courses
* Subreddits, Quora topics, etc
* Prominent community members you can follow on Twitter
Word of mouth, chat groups where things are shared, conferences, blog posts... yes, those are resources. But it's also just a whole lot of curiosity and poking at systems.
The only security-relevant subreddit I'm subscribed to is /r/netsec, and sometimes interesting things come by, but I don't use it a lot. HN is more useful for (context about / following) big security events than netsec. Perhaps /r/sysadmin is also fair to mention, but that's more to see what's hot in sysadmin world (and get their perspective on breaking security news) than to learn about security.
Instead of Quora, I use the IT Security StackExchange site: answering questions makes me dive into topics just a little deeper than what I already knew and I always come out knowing a few more useful details. The site has some really hardcore security people who typically find any mistakes in your answers as well. I'd recommend that site a lot for learning, whether that is through asking or answering questions (though with answering, perhaps it's more to deepen knowledge than to get into the field), or even if it's just for getting correct answers to security questions like "What are the optimal WPA3 settings for a home router" or something.
So then, how does one get into security? Most people I know just started breaking things and noticed that others usually found it useful if we told them about it. After a while you'll have seen most of the common issues. Add to that some more structured materials like the OWASP top 10 and similar resources, and now I feel fairly confident that my reports are not just a haphazard collection of what I came across in previous years, but that I can actually give a reasonably complete assessment of the security of a system.
I don't know why the security field doesn't have as many structured resources as other fields. Maybe the field is just too small compared to how fast it moves? Or maybe security people are, y'know, as breakers of other people's systems, as hackers, as those who outsmart the people who made the system... maybe we want to be different and not follow norms by studying the normal way? And most of us just started doing it for fun before it became a profession, so few people would use the resources even if they were there? I'm just speculating.
Though what you hear about more often are misconfigurations -- which are valid, but that's more on execution vs truly finding something wrong.
talented hackers, white, gray, black, whatever, excel at breaking and exploiting things. and people. and i have always struggled with that...
in college i took a computer security class. my class had the team ranked #1 in Maryland (US) among young coming up group of hackers. what i saw them do is always, and i mean always, thinking of ways to break things. i mean, well, it's broken a tad bit, adding this or that will fix it. no! i saw them exploit every little tiny thing!
i wanted to "fix" things. i wanted to be a "good" programmer. i was like: "oh they didn't do this, what should they have done to make more secure?". a good hacker was like "oh they didn't do this, what can i do to exploit it?"
i hope my little experience conveys to you how they think. or at least what i saw first hand while taking that class. for me it's hard, i wanted to fix things. they wanted to break things. i didn't fail my class. i wasn't good at it either...
but i admire them and i am still amazed by what these people can pull off.
> As productive as the top 1% are, their earnings are equally depressing. The top seven participants in the Facebook data set averaged 0.87 bugs per month, earning an average yearly salary of $34,255; slightly less than what a pest control worker makes in Mississippi.
From reading some of these hacks on peoples blogs it seems like quite often they just man in the middle a mobile app and find out the api provides way more info than should be shown to the user and the ui hides it.
Not sure why there are not more people doing it. I thought about it as well for years but still don't do it.
You can almost always make more as a contractor because you're shifting risk from the company onto your LLC. They pay for a la carte results instead of paying for an employee who could hypothetically deliver results.
There's basically no job like this. Any form of pre-vetting, even just a face-to-face, would have excluded him.
Could someone recommend a website or blog post that explains this? (Or is it a simple enough explanation to fit in an HN comment without going hugely off topic?)
Gas stations next to each other but divided by a state line in the US have different prices. Taco Bell sells the same burrito for different prices. The same factors apply internationally too, nothing to do with exchange rate.
Hope this was as ELI5 as necessary for HN-level discussion.
Hell, gas stations divided by a street have different prices. In one case I saw, the one you could see from the freeway was +$0.50 per gallon compared to the one you couldn't see from the freeway.
All the reasons you haven't are why everyone else doesn't either, so that's why it's the proper exchange rate.
For other goods, you should be surprised if the price discrepancy is one that you really could exploit for significant profit (after accounting for shipping, import/export restrictions and taxes, and so on) -- but otherwise, I don't think it's a very strange phenomenon. Prices will always be set somewhere in the overlapping region between the cost of production (and distribution, and taxes, minus any subsidies, etc.) and the amount that customers are willing and able to pay. Both of those amounts can vary pretty dramatically from place to place.
The demand curve maps the relationship between supply, demand and price.
It says that for high demand and low supply the price is high, for low demand and high supply the price is low and over time supply, demand and price will find an equilibrium.
So if you consider the housing market, on the supply side you are looking at a constrained resource (i.e. it is constrained by the land available to build).
The demand side will be driven by the numbers of people looking to rent and that will be driven by many other factors like work prospects, quality of life, crime rates etc etc.
So for places like SF there will be great demand for that limited housing which means the price (i.e. the rent) goes up.
Case in point: my friend that worked at Waymo paid $900/mo for a room in a house in Lower Haight...
On the other hand, Google refused to pay me a bug bounty for a bug I found in the same component, in part because I used to work on it when I was at Mozilla, even though I didn't write the vulnerable code.
From a purely fiscal point of view, why hire expensive full time staff to go digging when you can just throw a few shekels at stuff as it comes up?
> Moussouris, who created the bug bounty at Microsoft, warned that if badly implemented such programmes could see talent leaving organisations in favour of pursuing bug bounties, and thus damage the talent pipeline.
I've seen her argue this on Twitter before - the argument IIRC is that bug bounties should always pay less than getting a job helping the blue team / writing secure code in the first place, otherwise the incentives are all wrong. It's great that you know about bugs, but it would be better not to have them. And, also, there's a bit of a prisoner's dilemma involved in that you don't want to let the rest of the industry drive up the expected payouts of bug bounties beyond the expected salaries of secure developers, but you also don't want to lose out on vulnerability reports either.
Step two: Introduce subtle vulnerabilities
Step three: Claim bug bounty under a pseudonym (or just get someone else to claim it)
Google, for example, pays out bug bounties regularly, but their main security expense is wages/etc of security professionals, and that is probably in the neighborhood of a billion dollars a year.
Also, a bug bounty usually limits the scope a lot more than a typical pentest does, i.e. no testing of infrastructure security, internal networks etc..
Lastly, if your bug bounty is high enough to make highly skilled people spend time to find your bugs, it's probably cheaper to just hire some security folks yourself and prevent excessive payouts (by preventing bugs).
Of course all of this does not stop some C-levels from using a bug bounty as replacement, but the issue is not as clear cut and especially the last point should even make sense to non-technical people.
Outsourcing bug finding is only a retroactive solution, not a proactive one
Then again, I can imagine some teams would get utterly spammed with inane, wrong or non-bounty-able reports, which could be an issue.
"Lopez specializes in the identification of Insecure Direct Object Reference flaws also known as IDOR vulnerabilities."
Then this, explaining IDOR: https://github.com/OWASP/CheatSheetSeries/blob/master/cheats...
It certainly sounds like the sort of thing you could automate to a pretty big scale.
They do note that IDOR poses some difficulties with it needing heuristics that might have high false positives. The tools are in the references section toward the bottom. Try them out.
It seems hard to automatically understand the difference between an IDOR vulnerability in the HR system (from your link), salary.php?employee=EMP-00000, where you can change the ID for another employee, and article.php?id=123 on a newspaper site.
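The HR-versus-newspaper contrast in the comments above, as an added example that is not code from the thread or from the OWASP cheat sheet it links: what separates the two endpoints is not the URL shape but whether the object has an access policy. A scanner sees the same `?id=` pattern on both; the server knows that a salary record has an owner and an article is public. The block shows a salary lookup with the IDOR (the query-string ID is trusted directly), the same lookup with an ownership/role check, the public-article lookup that needs no such check, and an access-matrix test a team can keep in CI to catch the flaw. Employee IDs, salaries, articles and roles are constructed for the example.

```python
from dataclasses import dataclass

# Constructed data stores. Salaries have an owner; articles only have a
# published flag, which is the whole difference between the two endpoints.
SALARIES = {
    "EMP-00000": {"owner": "EMP-00000", "salary": 50_000},
    "EMP-00001": {"owner": "EMP-00001", "salary": 60_000},
}
ARTICLES = {
    123: {"title": "City council approves budget", "public": True},
    124: {"title": "Unpublished draft", "public": False},
}


class NotFound(Exception):
    """Raised for missing *and* forbidden objects, so the endpoint cannot be
    used to tell valid IDs from invalid ones."""


@dataclass(frozen=True)
class Session:
    user_id: str
    roles: frozenset


def get_salary_vulnerable(session: Session, employee_id: str) -> int:
    """The IDOR: the ID from the query string is used as-is, no ownership check."""
    record = SALARIES.get(employee_id)
    if record is None:
        raise NotFound(employee_id)
    return record["salary"]


def get_salary(session: Session, employee_id: str) -> int:
    """Hardened: the caller must own the record or hold the 'hr' role."""
    record = SALARIES.get(employee_id)
    authorized = record is not None and (
        record["owner"] == session.user_id or "hr" in session.roles
    )
    if not authorized:
        raise NotFound(employee_id)
    return record["salary"]


def get_article(session: Session, article_id: int) -> str:
    """Public resource: any session may read it, so an ID in the URL is fine.
    Only unpublished drafts are withheld."""
    article = ARTICLES.get(article_id)
    if article is None or not article["public"]:
        raise NotFound(article_id)
    return article["title"]


def access_matrix(handler, sessions, object_ids) -> dict:
    """Call handler for every (session, id) pair and record 'served' or 'refused'.

    This is the authorization test a development team would assert on: for a
    private object, every non-owner row must read 'refused'.
    """
    results = {}
    for session in sessions:
        for object_id in object_ids:
            try:
                handler(session, object_id)
                results[(session.user_id, object_id)] = "served"
            except NotFound:
                results[(session.user_id, object_id)] = "refused"
    return results


if __name__ == "__main__":
    alice = Session("EMP-00000", frozenset())
    bob = Session("EMP-00001", frozenset())
    ids = ["EMP-00000", "EMP-00001"]
    print("vulnerable:", access_matrix(get_salary_vulnerable, [alice, bob], ids))
    print("hardened:  ", access_matrix(get_salary, [alice, bob], ids))
    print("articles:  ", access_matrix(get_article, [alice, bob], [123, 124]))
```

Read the matrices row by row: in the vulnerable version Alice is served Bob's salary, in the hardened version she is refused it while still being served her own, and the article endpoint serves both users the public piece and refuses the draft. That last matrix is the one a heuristic scanner cannot produce on its own, because only the application knows that article 123 was meant to be readable by everyone.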
I expect there are languages where a word that translates neatly into "while" would be most appropriate, while actually meaning something more like "because". It's been a while since the last time I had to speak any foreign, but I remember stuff like this being very common - a large part of the reason I refuse to do it any more.
But damn, I wonder what Srinivasa Ramanujan or Norbert Wiener would have focused on if they were 13 now.
And maybe that's just whataboutism.
Shopify, Uber used to be at the top of the list.
Not so much by accident, but by virtue of catering to clientele disinterested in accuracy, and with the awareness that all participants (both buyers and sellers) are motivated to reduce costs at all levels of the creative process.
I want to believe.
Personally, I call that a "Brain Fart".