US Air Force Hacked By Teenager

Bug bounty programs are projects that companies and organizations start to get people to find and report website vulnerabilities. Think of these hackers as the good guys, hackers in white hats. Plenty of big companies run bug bounty programs, including Facebook, Google and Uber.

You might think the people doing this kind of work are seasoned pros, but often the hackers making bug bounty money are teens like Jack Cable. He competed against 600 hackers from around the world in Hack the Air Force, a partnership between the US Department of Defense and HackerOne, a bug bounty platform.

Cable sat down with Marketplace Tech's Ben Johnson to talk about his win. An edited excerpt of their interview follows.

Ben Johnson: My condolences on the end of your summer break. You have to go be a senior in high school. But you were pretty busy this summer.

Jack Cable: Yeah, so this summer I participated in the Hack the Air Force program, and that was the U.S. government's third bug bounty program. So they invited 600 of the top hackers from across the world to try to find vulnerabilities in the Air Force's site.

Johnson: And you won the whole thing?

Cable: Yeah, so I found 40 vulnerabilities, and that placed me first on the leaderboard.

Johnson: Do you have a favorite?

Cable: So I found what's known as an XML external entities vulnerability. That handles the application's processing of XML, which is a type of input data. I found that I could give it a URL and the application would make a request to that website. And I was able to escalate that, after working on it for a few hours, into a remote code execution.

So that would allow me to basically do whatever I wanted. So I could access all the user data that was on the website and I could change anything that I wanted to.

Johnson: Wow. How did you get into this?

Cable: I was 15 and I accidentally stumbled across a vulnerability in a financial site. I found that I was able to send a negative amount of money to other users, and that would effectively steal money from their accounts. That financial site ran a bug bounty program, so I submitted to there. And then I sort of got into hacking from there.

Johnson: It seems like you're one of the good guys. Why did you decide to be a good guy?

Cable: I try to be because it's really risky if you try to exploit vulnerabilities that you find. You could wind up in jail or be sued by different companies. The advantages of these bug bounty programs are great because you get recognition from the companies, they pay you and you get to say you found a vulnerability rather than just having to hide it.

Marketplace.org
