US Air Force Hacked By Teenager

Bug bounty programs are projects that companies and organizations start to get people to find and report website vulnerabilities. Think of these hackers as the good guys, hackers in white hats. Plenty of big companies run bug bounty programs, including Facebook, Google and Uber.

You might think the people doing this kind of work are seasoned pros, but often the hackers making bug bounty money are teens like Jack Cable. He competed against 600 hackers from around the world in the Hack the Air Force, a partnership between the US Department of Defense and HackerOne, a bug bounty platform.

Cable sat down with Marketplace Tech's Ben Johnson to talk about his win. An edited excerpt of their interview follows.

Ben Johnson: My condolences on the end of your summer break. You have to go be a senior in high school. But you were pretty busy this summer.

Jack Cable: Yeah, so this summer I participated in the Hack the Air Force program, and that was the U.S. government's third bug bounty program. So they invited 600 of the top hackers from across the world to try to find vulnerabilities in the Air Force's site.

Johnson: And you won the whole thing?

Cable: Yeah, so I found 40 vulnerabilities, and that placed me first in the leader board.

Johnson: Do you have a favorite?

Cable: So I found what's known as an XML external entities vulnerability. That handles the applications processing of XML, which is a type of input data. I found that I could give it a URL and the application would make a request to that website. And I was able to escalate that after working on for a few hours into a remote code execution.

So that would allow me to basically do whatever I wanted. So I could access all the user data that was on the website and I could change anything that I wanted to.

Johnson: Wow. How did you get into this?

Cable: I was 15 and I accidentally stumbled across a vulnerability in a financial site. I found that I was able to send negative amount of money to other users, and that would effectively steal money from their accounts. That financial site ran a bug bounty program, so I submitted to there. And then I sort of got into hacking from there.

Johnson: It seems like you're one of the good guys. Why did you decide to be a good guy?

Cable: I try to be because it's really risky if you try to exploit vulnerabilities that you find. You could wind up in jail or be sued by different companies. The advantages of these bug bounty programs are great because you get recognition from the companies, they pay you and you get to say you found a vulnerability rather than just having to hide it.

Marketplace.org

You Might Also Read:

HBO Offers Hackers $250,000 'bug bounty':

The US Air Force Wants You to Build a Drone Engine:

 

« Former Spy Chief Takes Top Cybersecurity Job
Mini Drones That Can See In The Dark »

CyberSecurity Jobsite
Perimeter 81

Directory of Suppliers

Jooble

Jooble

Jooble is a job search aggregator operating in 71 countries worldwide. We simplify the job search process by displaying active job ads from major job boards and career sites across the internet.

ZenGRC

ZenGRC

ZenGRC - the first, easy-to-use, enterprise-grade information security solution for compliance and risk management - offers businesses efficient control tracking, testing, and enforcement.

ManageEngine

ManageEngine

As the IT management division of Zoho Corporation, ManageEngine prioritizes flexible solutions that work for all businesses, regardless of size or budget.

NordLayer

NordLayer

NordLayer is an adaptive network access security solution for modern businesses — from the world’s most trusted cybersecurity brand, Nord Security. 

LockLizard

LockLizard

Locklizard provides PDF DRM software that protects PDF documents from unauthorized access and misuse. Share and sell documents securely - prevent document leakage, sharing and piracy.

Globalscape

Globalscape

Globalscape is a leader in secure data exchange solutions.

KoolSpan

KoolSpan

KoolSpan’s security and privacy solutions address the growing threat of loss or theft of intellectual property, information, and proprietary assets.

D3 Security

D3 Security

D3's Smart SOAR platform is at the forefront of the security automation revolution, helping clients around the world to rapidly identify, analyze, and resolve advanced threats.

ISGroup (Information Security Group)

ISGroup (Information Security Group)

ISGroup services include network penetration testing, Web application penetration testing, ethical hacking, vulnerability assessments, code review and associated training.

VNT Software

VNT Software

VNT's vision is to change the way complex IT problems are resolved by predicting business disruptions before they occur.

Neurosoft

Neurosoft

Neursoft is a fully integrated ICT company with Software Development, System Integration and Information Technology Security capabilities.

Valire Software

Valire Software

Valire provide a solution for the automated detection of internal fraud.

GlassSquid

GlassSquid

glasssquid.io simplifies your cyber security job search. We want to help you find your next perfect fit opportunity by removing the confusion.

Injazat

Injazat

Injazat Data Systems is an industry recognized market leader in the Gulf region for Information Technology, Data Center and Managed Services.

Cyber Polygon

Cyber Polygon

Cyber Polygon is an annual online exercise which connects various global organisations to train their competencies and exchange best practices.

Forever Group

Forever Group

Forever Group is a Managed Services Provider specialising in Telecommunications, IT Support, and Cyber Security.

Cyber Gate Defense (CyberGate)

Cyber Gate Defense (CyberGate)

CyberGate is an Emirati establishment founded with an objective to provide cyber security services that would improve the overarching cyber security posture of the UAE.

DeVry University - Cyber Security Degree

DeVry University - Cyber Security Degree

Explore the dynamic world of data protection with a hybrid or online cyber security degree specialization with DeVry's IT & Networking Bachelor's Degree.

The Citadel Department of Defense Cyber Institute (CDCI)

The Citadel Department of Defense Cyber Institute (CDCI)

CDCI is established to address the critical national security needed for a skilled cybersecurity workforce.

CSIOS Corp.

CSIOS Corp.

At CSIOS we help our customers achieve and sustain information and cyberspace superiority through a full range of defensive and offensive cyberspace operations and cybersecurity consulting services.

Barclay Simpson

Barclay Simpson

Barclay Simpson is proud to have a long history of delivering cyber security, technology and governance recruitment services.