True Tales of (Mostly) White-Hat Hacking

Stings, penetration pwns, spy games -- it's all in a day's work along the thin gray line of IT security.

By Roger A. Grimes
Mon, July 22, 2013

InfoWorld — In the mainstream media, hacking gets a bum rap. Sure, the headline grabbers are often nefarious, but all computer professionals are hackers at heart. We all explore the systems we use, often reaching beyond their normal intent. This knowledge and freedom can come through big time in sticky situations.

In my three decades fighting malicious hackers, I've come to rely heavily on that desire to scratch an itch. Improvisation and familiarity with computing systems are essential when combating those who will do almost anything to compromise your network.

Some call it white-hat hacking. I call it a good day's work -- or weekend fun, depending on whether it's at home or business.

Here are five true tales of bringing down the baddies. I can't say I'm proud of all the things I did, but the stories speak for themselves. Got one of your own to pass along? Send it my way, or share it in the comments.

True tale of (mostly) white-hat hacking No. 1: Disney, porn, and XSS

Cross-site scripting (XSS) continues to be the No. 1 problem plaguing websites, even today. XSS vulnerabilities arise when a website allows another entity to post Web scripting commands that can then be viewed and executed by others.

Oftentimes, these vulnerabilities fly under the radar. Simply offering users the ability to post comments is enough, if your site allows script commands to be posted, viewed, and executed. A malicious party writes a malicious scripting command that is then consumed and acted upon by other visitors to your site.
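The failure described above, as an added example that is not part of the original article: a comment renderer that echoes visitor text into the page unmodified, next to one that HTML-encodes it on output. The function names and the sample comments are constructed for illustration.

```javascript
// Added illustration, not code from the article. All names are hypothetical.
// Constructed sample comments: one ordinary, two carrying markup.
const sampleComments = [
  { author: "alice", text: "Great article, thanks!" },
  { author: "mallory", text: '<script>alert("xss")</script>' },
  { author: "bob", text: '<img src=x onerror="alert(1)">' },
];

// Vulnerable: comment text is pasted into the page as-is, so markup in it
// becomes part of the document that every other visitor's browser parses.
function renderCommentUnsafe(c) {
  return `<li><b>${c.author}</b>: ${c.text}</li>`;
}

// Encode the characters that are significant in HTML text and quoted
// attribute values. This covers those two contexts only; values placed in
// script blocks or URLs need their own context-specific encoding.
const HTML_ENTITIES = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (ch) => HTML_ENTITIES[ch]);
}

// Hardened: every untrusted field is encoded at output time.
function renderCommentSafe(c) {
  return `<li><b>${escapeHtml(c.author)}</b>: ${escapeHtml(c.text)}</li>`;
}

// Check for this template only: strip the template's own <li>/<b> tags;
// any "<" that remains came from visitor input and reached the page live.
function hasInjectedMarkup(html) {
  return html.replace(/<\/?(li|b)>/g, "").includes("<");
}

// Return the authors whose comments survive rendering as live markup.
function audit(render, comments = sampleComments) {
  return comments.filter((c) => hasInjectedMarkup(render(c))).map((c) => c.author);
}

console.log("unsafe renderer leaks markup from:", audit(renderCommentUnsafe));
console.log("safe renderer leaks markup from:  ", audit(renderCommentSafe));
```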

When asked why you should worry about cross-site scripting attacks, I like to tell the following story, although the XSS part was just one piece of a great week of hacking.

I was working at a well-known computer security company at the time, and we had been hired to perform penetration testing on an IP TV device that a large cable company was considering producing. Our mission was to find vulnerabilities in the set-top box, especially if any of those vulnerabilities could lead to stealing porn for free, posting porn to, say, the Disney channel, or leaking private customer or company information.

Originally published on www.infoworld.com.