HOPE X (2014): "Stupid Whitehat Tricks"
Sunday, July 20, 2014: 5:00 pm (Serpico): How can you improve security at companies that haven't hired you or given you permission to test their systems? Non-intrusive methods such as Google searches and observing HTTP response headers can detect some serious problems without trespassing on networks. Sam Bowne found problems at thousands of websites, including dozens of companies and big-name colleges that are currently under hostile control. These problems included SQL injections, website redirectors, WordPress pingback exploits, and more. Many of the systems were being used by criminals to perform attacks. He notified the companies. Most ignored the notifications. Some of them fixed the problems, a few complained, and one made a serious effort to silence him. In this talk, Sam will show how he found the problems, how he notified the administrators, and how they reacted. Whitehatting can be useful and rewarding, as long as you have realistic expectations and a thick skin.
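The abstract mentions finding problems by observing headers rather than by probing. The script below is an added example for this page, not Sam Bowne's own tooling or anything shown in the talk: it triages HTTP response headers that an ordinary GET returns (here, constructed sample responses embedded inline, with made-up .test hostnames) and flags three passive indicators tied to the problem classes named above: a WordPress X-Pingback header (XML-RPC pingback advertised, which is what pingback-based attacks rely on), a 3xx Location that points to an external host named in the request's own query string (the signature of an open website redirector), and product/version banners in Server or X-Powered-By. Each result is only an indicator to follow up, not a confirmed vulnerability.

```python
"""Passive triage of HTTP response headers.

Added example; not the speaker's code.  Sample responses are constructed
and the hostnames are fictitious.
"""
from urllib.parse import parse_qsl, urlsplit

# Constructed sample responses keyed by the URL that was requested.
SAMPLE_RESPONSES = {
    "http://example-blog.test/": (
        "HTTP/1.1 200 OK\r\n"
        "Server: Apache/2.2.22 (Ubuntu)\r\n"
        "X-Powered-By: PHP/5.3.10\r\n"
        "X-Pingback: http://example-blog.test/xmlrpc.php\r\n"
        "Content-Type: text/html\r\n"
        "\r\n"
        "<html>...</html>"
    ),
    "http://example-portal.test/go?url=http://evil.test/": (
        "HTTP/1.1 302 Found\r\n"
        "Location: http://evil.test/\r\n"
        "Content-Length: 0\r\n"
        "\r\n"
    ),
    "http://example-hardened.test/": (
        "HTTP/1.1 200 OK\r\n"
        "Server: nginx\r\n"
        "Strict-Transport-Security: max-age=31536000\r\n"
        "Content-Type: text/html\r\n"
        "\r\n"
    ),
}


def parse_response(raw):
    """Split a raw HTTP/1.1 response into (status code, {lower-name: value})."""
    head, _, _ = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    status_code = int(lines[0].split()[1])
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status_code, headers


def triage(url, raw):
    """Return a list of (indicator, detail) pairs for one response."""
    status_code, headers = parse_response(raw)
    findings = []

    # WordPress advertises its XML-RPC endpoint in X-Pingback when pingbacks
    # are enabled; abusability must be confirmed separately.
    pingback = headers.get("x-pingback")
    if pingback:
        findings.append(("pingback-enabled", pingback))

    # A redirect whose target host was supplied by the request's own query
    # string is the classic shape of an open redirector.
    location = headers.get("location")
    if location and 300 <= status_code < 400:
        parts = urlsplit(url)
        req_host = parts.hostname
        dst_host = urlsplit(location).hostname
        if dst_host and dst_host != req_host:
            param_hosts = {
                urlsplit(v).hostname for _, v in parse_qsl(parts.query)
            }
            if dst_host in param_hosts:
                findings.append(("open-redirector", f"{req_host} -> {dst_host}"))
            else:
                findings.append(("external-redirect", f"{req_host} -> {dst_host}"))

    # Product/version strings narrow an attacker's search for known bugs.
    for name in ("server", "x-powered-by"):
        value = headers.get(name)
        if value and "/" in value:
            findings.append(("version-disclosure", f"{name}={value}"))

    return findings


def triage_all(responses=SAMPLE_RESPONSES):
    """Triage every sample; returns {url: [indicator, ...]}."""
    return {url: [kind for kind, _ in triage(url, raw)]
            for url, raw in responses.items()}


if __name__ == "__main__":
    for url, raw in SAMPLE_RESPONSES.items():
        print(url)
        for kind, detail in triage(url, raw) or [("clean", "")]:
            print(f"  {kind}: {detail}")
```

Everything here is derived from a normal response to a normal request, so the check stays on the non-intrusive side of the line the abstract draws; confirming that a flagged redirector or pingback endpoint is actually abusable would be a further step that needs authorization.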