US Air Force Hacked By Teenager

Uploaded on 2017-10-17 in GOVERNMENT-National, GOVERNMENT-Defence, FREE TO VIEW, INTELLIGENCE--USA, NEWS-Cybersecurity News, TECHNOLOGY--Hackers

Bug bounty programs are projects that companies and organizations start to get people to find and report website vulnerabilities. Think of these hackers as the good guys, hackers in white hats. Plenty of big companies run bug bounty programs, including Facebook, Google and Uber.

You might think the people doing this kind of work are seasoned pros, but often the hackers making bug bounty money are teens like Jack Cable. He competed against 600 hackers from around the world in the Hack the Air Force, a partnership between the US Department of Defense and HackerOne, a bug bounty platform.

Cable sat down with Marketplace Tech's Ben Johnson to talk about his win. An edited excerpt of their interview follows.

Ben Johnson: My condolences on the end of your summer break. You have to go be a senior in high school. But you were pretty busy this summer.

Jack Cable: Yeah, so this summer I participated in the Hack the Air Force program, and that was the U.S. government's third bug bounty program. So they invited 600 of the top hackers from across the world to try to find vulnerabilities in the Air Force's site.

Johnson: And you won the whole thing?

Cable: Yeah, so I found 40 vulnerabilities, and that placed me first in the leader board.

Johnson: Do you have a favorite?

Cable: So I found what's known as an XML external entities vulnerability. That handles the applications processing of XML, which is a type of input data. I found that I could give it a URL and the application would make a request to that website. And I was able to escalate that after working on for a few hours into a remote code execution.

So that would allow me to basically do whatever I wanted. So I could access all the user data that was on the website and I could change anything that I wanted to.

Johnson: Wow. How did you get into this?

Cable: I was 15 and I accidentally stumbled across a vulnerability in a financial site. I found that I was able to send negative amount of money to other users, and that would effectively steal money from their accounts. That financial site ran a bug bounty program, so I submitted to there. And then I sort of got into hacking from there.

Johnson: It seems like you're one of the good guys. Why did you decide to be a good guy?

Cable: I try to be because it's really risky if you try to exploit vulnerabilities that you find. You could wind up in jail or be sued by different companies. The advantages of these bug bounty programs are great because you get recognition from the companies, they pay you and you get to say you found a vulnerability rather than just having to hide it.

Marketplace.org

You Might Also Read:

HBO Offers Hackers $250,000 'bug bounty':

The US Air Force Wants You to Build a Drone Engine:

 

« Former Spy Chief Takes Top Cybersecurity Job
Mini Drones That Can See In The Dark »

ManageEngine
CyberSecurity Jobsite
Check Point
Cyrin

Real Attacks. Real Tools. Real Scenarios.
Schedule a demo

Sign Up: Cyber Security Intelligence Newsletter

Directory of Suppliers

Jooble

Jooble

Jooble is a job search aggregator operating in 71 countries worldwide. We simplify the job search process by displaying active job ads from major job boards and career sites across the internet.

The PC Support Group

The PC Support Group

A partnership with The PC Support Group delivers improved productivity, reduced costs and protects your business through exceptional IT, telecoms and cybersecurity services.

Tines

Tines

The Tines security automation platform helps security teams automate manual tasks, making them more effective and efficient.

Directory of Cyber Security Suppliers

Directory of Cyber Security Suppliers

Our Supplier Directory lists 8,000+ specialist cyber security service providers in 128 countries worldwide. IS YOUR ORGANISATION LISTED?

ManageEngine

ManageEngine

As the IT management division of Zoho Corporation, ManageEngine prioritizes flexible solutions that work for all businesses, regardless of size or budget.

National Crime Agency (NCA) - United Kingdom

National Crime Agency (NCA) - United Kingdom

The NCA's Cyber Crime Unit focuses on critical cyber incidents in the UK as well as longer-term activity against the criminals and the services on which they depend.

Optimum Insurance

Optimum Insurance

Optimum's Cyber Risk & Data Protection Insurance policies are designed to protect against cyber exposures that arise when a company’s data and customer information is breached or stolen.

Forcepoint

Forcepoint

Forcepoint provide a unified, cloud-centric platform that safeguards users, networks and data while eliminating the inefficiencies of managing multiple point security products.

Wavestone

Wavestone

Wavestone is a strategy and technology consulting company with areas of expertise including digital transformation and cybersecurity.

Referentia

Referentia

Referentia leads the development of critical infrastructure solutions that benefit society, including cyber security and network performance management.

QA

QA

QA is a leading IT training provider in the UK with over 1,500 courses covering all areas of IT including Cyber Security.

Attack Research

Attack Research

We go far beyond standard tools and scripted tests. Find out if your network or technology can stand real-world and dedicated attackers.

Upfort

Upfort

Upfort (formerly Paladin Cyber) unifies award-winning security and robust cyber insurance to deliver comprehensive cyber risk solutions.

StickmanCyber

StickmanCyber

At StickmanCyber we are on a mission to create a digital world that is safe for everyone - we are your trusted cybersecurity partner.

Quzara

Quzara

Quzara provides trusted advisory services and highly adaptive cybersecurity services to federal, commercial and Defense Industrial Base customers to meet their security compliance and cyber needs.

CyberGate Technologies

CyberGate Technologies

CyberGate Technologies is a world-class, customer focus cyber security service and consultancy company operating the UK, Europe, Middle East, and Africa.

Northdoor

Northdoor

Northdoor provides a comprehensive set of services around information security and works with leading global technology vendors to deploy and manage cyber security solutions.

Galvanick

Galvanick

Galvanick enables your operations and IT teams to protect your industrial systems and networks against digital threats.

Ethnos Cyber

Ethnos Cyber

Ethnos Cyber is Africa’s leading cybersecurity and compliance management company. We provide Information Security, Risk Management, Cybersecurity and Compliance Management solutions to clients.

StealthMole

StealthMole

StealthMole is a deep and dark web threat intelligence company that delivers a cloud-based, unified platform for digital investigation, risk assessment, and threat monitoring.

Cloudaeris

Cloudaeris

Cloudaeris is a trusted Microsoft Partner, and we've got what it takes to make your business more efficient and agile.