US Air Force Hacked By Teenager

Bug bounty programs are projects that companies and organizations start to get people to find and report website vulnerabilities. Think of these hackers as the good guys, hackers in white hats. Plenty of big companies run bug bounty programs, including Facebook, Google and Uber.

You might think the people doing this kind of work are seasoned pros, but often the hackers making bug bounty money are teens like Jack Cable. He competed against 600 hackers from around the world in Hack the Air Force, a partnership between the US Department of Defense and HackerOne, a bug bounty platform.

Cable sat down with Marketplace Tech's Ben Johnson to talk about his win. An edited excerpt of their interview follows.

Ben Johnson: My condolences on the end of your summer break. You have to go be a senior in high school. But you were pretty busy this summer.

Jack Cable: Yeah, so this summer I participated in the Hack the Air Force program, and that was the U.S. government's third bug bounty program. So they invited 600 of the top hackers from across the world to try to find vulnerabilities in the Air Force's site.

Johnson: And you won the whole thing?

Cable: Yeah, so I found 40 vulnerabilities, and that placed me first in the leaderboard.

Johnson: Do you have a favorite?

Cable: So I found what's known as an XML external entities vulnerability. That handles the application's processing of XML, which is a type of input data. I found that I could give it a URL and the application would make a request to that website. And I was able to escalate that after working on it for a few hours into a remote code execution.

So that would allow me to basically do whatever I wanted. So I could access all the user data that was on the website and I could change anything that I wanted to.

Johnson: Wow. How did you get into this?

Cable: I was 15 and I accidentally stumbled across a vulnerability in a financial site. I found that I was able to send a negative amount of money to other users, and that would effectively steal money from their accounts. That financial site ran a bug bounty program, so I submitted to there. And then I sort of got into hacking from there.

Johnson: It seems like you're one of the good guys. Why did you decide to be a good guy?

Cable: I try to be because it's really risky if you try to exploit vulnerabilities that you find. You could wind up in jail or be sued by different companies. The advantages of these bug bounty programs are great because you get recognition from the companies, they pay you and you get to say you found a vulnerability rather than just having to hide it.

Marketplace.org
