US Air Force Hacked By Teenager

Bug bounty programs are projects that companies and organizations start to get people to find and report website vulnerabilities. Think of these hackers as the good guys, hackers in white hats. Plenty of big companies run bug bounty programs, including Facebook, Google and Uber.

You might think the people doing this kind of work are seasoned pros, but often the hackers making bug bounty money are teens like Jack Cable. He competed against 600 hackers from around the world in the Hack the Air Force, a partnership between the US Department of Defense and HackerOne, a bug bounty platform.

Cable sat down with Marketplace Tech's Ben Johnson to talk about his win. An edited excerpt of their interview follows.

Ben Johnson: My condolences on the end of your summer break. You have to go be a senior in high school. But you were pretty busy this summer.

Jack Cable: Yeah, so this summer I participated in the Hack the Air Force program, and that was the U.S. government's third bug bounty program. So they invited 600 of the top hackers from across the world to try to find vulnerabilities in the Air Force's site.

Johnson: And you won the whole thing?

Cable: Yeah, so I found 40 vulnerabilities, and that placed me first in the leader board.

Johnson: Do you have a favorite?

Cable: So I found what's known as an XML external entities vulnerability. That handles the applications processing of XML, which is a type of input data. I found that I could give it a URL and the application would make a request to that website. And I was able to escalate that after working on for a few hours into a remote code execution.

So that would allow me to basically do whatever I wanted. So I could access all the user data that was on the website and I could change anything that I wanted to.

Johnson: Wow. How did you get into this?

Cable: I was 15 and I accidentally stumbled across a vulnerability in a financial site. I found that I was able to send negative amount of money to other users, and that would effectively steal money from their accounts. That financial site ran a bug bounty program, so I submitted to there. And then I sort of got into hacking from there.

Johnson: It seems like you're one of the good guys. Why did you decide to be a good guy?

Cable: I try to be because it's really risky if you try to exploit vulnerabilities that you find. You could wind up in jail or be sued by different companies. The advantages of these bug bounty programs are great because you get recognition from the companies, they pay you and you get to say you found a vulnerability rather than just having to hide it.

Marketplace.org

You Might Also Read:

HBO Offers Hackers $250,000 'bug bounty':

The US Air Force Wants You to Build a Drone Engine:

 

« Former Spy Chief Takes Top Cybersecurity Job
Mini Drones That Can See In The Dark »

Infosecurity Europe
CyberSecurity Jobsite
Perimeter 81

Directory of Suppliers

ManageEngine

ManageEngine

As the IT management division of Zoho Corporation, ManageEngine prioritizes flexible solutions that work for all businesses, regardless of size or budget.

BackupVault

BackupVault

BackupVault is a leading provider of automatic cloud backup and critical data protection against ransomware, insider attacks and hackers for businesses and organisations worldwide.

DigitalStakeout

DigitalStakeout

DigitalStakeout enables cyber security professionals to reduce cyber risk to their organization with proactive security solutions, providing immediate improvement in security posture and ROI.

Syxsense

Syxsense

Syxsense brings together endpoint management and security for greater efficiency and collaboration between IT management and security teams.

CYRIN

CYRIN

CYRIN® Cyber Range. Real Tools, Real Attacks, Real Scenarios. See why leading educational institutions and companies in the U.S. have begun to adopt the CYRIN® system.

Securosis

Securosis

Securosis is an information security research and advisory firm dedicated to improving the practice of information security.

CCN-CERT

CCN-CERT

CCN-CERT is the Spanish national government computer security incident response centre.

Citicus

Citicus

Citicus provides world-class security, risk and compliance management software, plus supporting services.

ACI Solutions

ACI Solutions

ACI Solutions is a managed IT services and network security provider working with diverse global commercial, government and public sector clients.

Platin Bilişim

Platin Bilişim

Platin Bilisim is an IT Security company providing consultancy, solutions and operational support services.

Harel Mallac Technologies

Harel Mallac Technologies

Harel Mallac Technologies is a Mauritian organisation that has developed a strong network of ICT specialists with nodes across the African continent.

IoT Defense

IoT Defense

IoT Defense (IOTD) is a cybersecurity and networking company building solutions that enable the protection of networks and the ever-increasing prevalence of IoT devices.

CipherTrace

CipherTrace

CipherTrace develops cryptocurrency Anti-Money Laundering, cryptocurrency forensics, and blockchain threat intelligence solutions.

ST Engineering

ST Engineering

ST Engineering is a leading provider of trusted and innovative cybersecurity solutions.

Munich Re

Munich Re

Munich Re is a leading global provider of reinsurance, primary insurance and insurance-related risk solutions including Cyber.

Edureka

Edureka

Edureka is an online technology training provider with the most effective learning system in the world. We help professionals learn trending technologies for career growth.

IDECSI

IDECSI

IDECSI delivers cutting-edge technology and engages all employees in the security system for effective and cost-efficient data protection.

Allstate Identity Protection

Allstate Identity Protection

Allstate make it easy to provide complete identity protection, so everyone can live more confidently online.

Sardine

Sardine

Sardine is a leader in financial crime prevention. Using unparalleled device intelligence and behavior biometrics, Sardine applies machine learning to detect and stop fraud before it happens.

Sinergi Digital

Sinergi Digital

Sinergi Digital is a business unit of the Metrodata Group with a focus on providing ICT solution to help accelerating digital transformation.

Verosint

Verosint

Verosint (formerly 443ID) provides real-time account fraud prevention that reveals fraudsters hiding in user accounts and proactively blocks them before their attacks can cause harm.