Blog Posts

Why Companies Fear Bug Bounty Programs

Yesterday Randy Westergren wrote this blog post: United Airlines Bug Bounty: An experience in reporting a serious vulnerability.  I do not know Randy and do not think he did anything wrong, but his post is a perfect example of why the companies I talk to are afraid of implementing bug bounty programs.
He hit all three of the reasons companies fear bug bounty programs in one post:

  • Their development cycle wasn’t fast enough for the researcher.
    (screenshot of the post)
    Is six months a “more than reasonable time frame”?  On the surface, sure, but unless you sit in their planning meetings and know their regulatory commitments, roadmap and backlog, you cannot say that for certain.  Most companies already have enough internal and contractual pressure on their development cycles without a researcher who is “helping” adding another source.

  • The researcher involved the press.
    (screenshot of the post)
    Companies do not want to be in the press for having poor security.  So sure, when he contacted the press they fixed the issue, but it didn’t win him or security researchers any friends at United.  Companies do not want to run a bug bounty program as a fire-fighting exercise.  They want to take bugs into their regular development cycle and work them through their normal process.

  • The researcher went “rogue”.
    (screenshot of the post)
    He wasn’t going to be compensated for his work since it was a duplicate, so the only compensation he could still get was going public.  Companies can’t pay for every duplicate bug found, and it only takes one researcher going rogue to sour a company on its bug bounty program.

While I do not fault Randy for his blog post or his thought process, a company gives up a lot of legal cover by running a bug bounty program.  If it does not perform to a researcher’s expectations and gets called out in this manner, that is a reason for it to think twice about whether the program is worth it.

Make Your Own Cranberry Sauce

I love Thanksgiving dinner.
I hate the omnipresent can-shaped cranberry sauce, especially since making your own is this easy:
Ingredients
1 cup sugar
1 cup orange juice
1/2 teaspoon ground cinnamon
One 12-ounce bag cranberries
Directions
Combine the sugar, orange juice, cinnamon, and cranberries in a medium saucepan.
Bring up to a simmer over medium heat and cook for 15 minutes.
Let cool completely before serving.
Enjoy!

DigiCert Security Summit

I was invited to attend the 2015 DigiCert Security Summit this week in Las Vegas.  For a one-day conference it had some really amazing talks by some of the smartest people in the industry.
Gary McGraw gave an amazing talk on the secure software development life cycle and the Building Security In Maturity Model (BSIMM).
Emily Stark talked about the future of HTTPS everywhere and demoed the new Security tab in the Chrome developer tools.
Dan Kaminsky did Dan Kaminsky stuff.

Runa Sandvik gave an amazingly humorous, thought-provoking and informative talk on protecting press sources on the internet.
DigiCert also gave me this iOS-controlled drone, which looks amazingly hackable.

Turn Off Shadows From OSX Screenshots

I take a lot of screenshots in OS X (⌘+Shift+4) to share, and for the longest time I just lived with the 2003-era super cool drop shadow.
I finally got tired of it and found that turning it off takes these two terminal commands:
defaults write com.apple.screencapture disable-shadow -bool true
killall SystemUIServer

Now my screenshots look like this:
If for some reason you want to relive 2003, you can re-enable the drop shadow with these commands:
defaults write com.apple.screencapture disable-shadow -bool false
killall SystemUIServer


LetsEncrypt.org TLS Certificate With Nessus

Let’s Encrypt (letsencrypt.org) is a new project that offers free TLS certificates so that anyone can encrypt their traffic.
The project is in a limited beta, so I decided a good test would be to install one of its certificates on a Nessus scanner I host in AWS.
The install wasn’t complicated and only took about 15 minutes and nine commands:
cd ~
git clone https://github.com/letsencrypt/letsencrypt
cd letsencrypt
# Request the certificate from the Let's Encrypt production ACME endpoint
./letsencrypt-auto --agree-dev-preview --server https://acme-v01.api.letsencrypt.org/directory auth
sudo service nessusd stop
# Nessus keeps the server certificate and CA chain under com/ and the private key under var/
sudo cp -i /etc/letsencrypt/live/scan.jerrygamblin.com/fullchain.pem /opt/nessus/com/nessus/CA/servercert.pem
sudo cp -i /etc/letsencrypt/live/scan.jerrygamblin.com/privkey.pem /opt/nessus/var/nessus/CA/serverkey.pem
sudo cp -i /etc/letsencrypt/live/scan.jerrygamblin.com/chain.pem /opt/nessus/com/nessus/CA/cacert.pem
sudo service nessusd start

Now my padlock is green and my traffic is secure:
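Let’s Encrypt certificates are only valid for 90 days, so the copy-and-restart steps above have to be repeated after every renewal. The script below is an added example, not the commands from the post: it wraps the same copy steps in a function that checks the private key actually matches the certificate and that the certificate is not about to expire before it stops nessusd, and it backs up the files Nessus was using so a bad install can be rolled back. The Nessus paths are the ones the post uses; the DOMAIN default and the `.bak` naming are assumptions.

```shell
#!/bin/sh
# Added example, not the commands from the post: install a Let's Encrypt
# certificate into Nessus, but refuse to restart nessusd unless the private
# key really matches the certificate and the certificate is not about to
# expire. DOMAIN is an illustrative default; the Nessus paths are the ones
# the post uses.

DOMAIN="${DOMAIN:-scan.jerrygamblin.com}"
LIVE="/etc/letsencrypt/live/$DOMAIN"
NESSUS_CERT="/opt/nessus/com/nessus/CA/servercert.pem"
NESSUS_KEY="/opt/nessus/var/nessus/CA/serverkey.pem"
NESSUS_CA="/opt/nessus/com/nessus/CA/cacert.pem"

# Return 0 when the public key inside CERT equals the public half of KEY.
# Comparing the SubjectPublicKeyInfo (rather than an RSA modulus) also
# works for ECDSA keys. Returns 1 if either file is missing or unreadable.
keys_match() {
    cert="$1"; key="$2"
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null) || return 1
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null) || return 1
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# Return 0 when CERT will still be valid DAYS days from now.
cert_valid_for_days() {
    cert="$1"; days="$2"
    openssl x509 -in "$cert" -noout -checkend $((days * 86400)) >/dev/null 2>&1
}

# Copy the Let's Encrypt files into place the way the post does, with the
# sanity checks first and a backup of the old files so the change is reversible.
install_nessus_cert() {
    if ! keys_match "$LIVE/fullchain.pem" "$LIVE/privkey.pem"; then
        echo "refusing to install: privkey.pem does not match fullchain.pem" >&2
        return 1
    fi
    if ! cert_valid_for_days "$LIVE/fullchain.pem" 1; then
        echo "refusing to install: certificate expires within a day" >&2
        return 1
    fi
    sudo service nessusd stop
    for f in "$NESSUS_CERT" "$NESSUS_KEY" "$NESSUS_CA"; do
        if [ -f "$f" ]; then sudo cp -p "$f" "$f.bak"; fi
    done
    sudo install -m 644 "$LIVE/fullchain.pem" "$NESSUS_CERT"
    sudo install -m 600 "$LIVE/privkey.pem"   "$NESSUS_KEY"
    sudo install -m 644 "$LIVE/chain.pem"     "$NESSUS_CA"
    sudo service nessusd start
}

# Run as `sh install-nessus-cert.sh install` to perform the install.
if [ "${1:-}" = "install" ]; then
    install_nessus_cert
fi
```

The key-match check matters most at renewal time: if the copy of privkey.pem fails or a stale file is copied, Nessus will refuse to start (or start with a mismatched pair) and the scanner is down until someone notices. Checking before stopping the service keeps the old certificate serving until the new pair is known to be good.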

Bluetooth Recon

I have been working on a Bluetooth hacking project recently and couldn’t find a good Bluetooth recon tool, so I wrote btrecon to do what I need done.
Here is a quick demo:

I still have some work to do on this project, as I would like to add some logging and menus, but it isn’t a bad start. If you have any suggestions or problems please reach out to me on Twitter @jgamblin.

No Common SSIDs

I wrote nocommonsssids to quickly remove the top SSIDs (from wigle.net) from the preferred network list in OS X so that it does not auto-connect to them.

Running this helps keep you from being caught by an evil-AP attack along the lines of the Mana Common demo I put together earlier this month.  You should also use a VPN any time you connect to a public wireless network.
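As an added example of the defensive side of the Mana Common demo (this is not the nocommonsssids script itself), the script below parses the output of `networksetup -listpreferredwirelessnetworks`, reports which saved networks are on a list of very common SSIDs, and forgets them with `networksetup -removepreferredwirelessnetwork`. The SSID list is a constructed sample standing in for the wigle.net top list; `en0` is assumed to be the Wi-Fi interface.

```shell
#!/bin/sh
# Added example, not the nocommonsssids script from the post: find which of
# the SSIDs saved on a Mac's preferred-network list are also on a list of
# very common SSIDs, and forget them with networksetup so the machine will
# not auto-join a rogue AP advertising the same names.
# COMMON_SSIDS is a constructed sample standing in for the wigle.net top
# list the post uses; INTERFACE is assumed to be the Wi-Fi device.

INTERFACE="${INTERFACE:-en0}"

COMMON_SSIDS="xfinitywifi
attwifi
linksys
BTWiFi
NETGEAR
Free Public WiFi
default"

# Read `networksetup -listpreferredwirelessnetworks IFACE` output on stdin
# and print one SSID per line. The first line is a header
# ("Preferred networks on en0:"); each following line is one SSID,
# indented with a tab. (An SSID with leading spaces would lose them here.)
parse_preferred() {
    sed -n '2,$ s/^[[:space:]]*//p'
}

# Print every preferred SSID (stdin, raw networksetup output) that is also
# in COMMON_SSIDS. Matching is exact and case-sensitive, as SSIDs are:
# "Linksys" is kept while "linksys" is reported.
common_preferred() {
    parse_preferred | while IFS= read -r ssid; do
        if printf '%s\n' "$COMMON_SSIDS" | grep -qxF -- "$ssid"; then
            printf '%s\n' "$ssid"
        fi
    done
}

# Forget every common SSID currently on the preferred list.
forget_common() {
    networksetup -listpreferredwirelessnetworks "$INTERFACE" |
    common_preferred |
    while IFS= read -r ssid; do
        echo "forgetting preferred network: $ssid"
        networksetup -removepreferredwirelessnetwork "$INTERFACE" "$ssid"
    done
}

# Run as `sh nocommon.sh forget` (may need sudo) to actually remove them.
if [ "${1:-}" = "forget" ]; then
    forget_common
fi
```

Run it once without the `forget` argument and pipe `networksetup -listpreferredwirelessnetworks en0` into `common_preferred` to see what would be removed before letting it change anything; the same list is exactly what a Mana-style attacker gets for free if it stays on the device.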

Using Mana To Spoof Common SSIDs.

I had the opportunity to speak at a “micro-conference” yesterday for the Midwest Cyber Security Alliance with the state auditor Nicole Galloway.

I wanted to use this opportunity to make a bold statement, since I knew there would be influential people in the audience who wanted to listen to Nicole talk about her new cyber security auditing initiative.

I wrote Mana-Common, which builds on Dominic White’s amazing Mana project.

My project, used in conjunction with a Ralink 5370 chipset USB wireless card, broadcasts seven of the most popular SSIDs according to wigle.net.  Protip: it is easily modified to target smaller audiences who may have saved corporate SSIDs on their devices.

Here is a demo of the terminal output:

Mana Demo

Here is a screenshot of my iPhone picking up the networks:


If you have any questions please reach out to me on Twitter @jgamblin.
