A New Mexico man admitted in court this week to launching distributed denial of service (DDoS) attacks against the websites of former employers, business competitors, and public services.
The culprit, John Kelsey Gammell, 55, pleaded guilty to one count of conspiracy to commit intentional damage to a protected computer, admitting to launching DDoS attacks on websites in the United States between at least July 2015 and March 2017. He also pleaded guilty to two counts of being a felon in possession of a firearm.
The DDoS attacks were aimed at numerous websites, including domains operated by companies Gammell used to work for or that had declined to hire him. He also targeted competitors of his business and websites of law enforcement agencies and courts, among others.
Gammell admitted to using programs on his own computers and to purchasing the services of "DDoS-for-hire" companies to launch the DDoS attacks.
According to the Department of Justice, he purchased the services of companies such as VDoS, CStress, Inboot, Booter.xyz and IPStresser.
His victims included Washburn Computer Group, the Minnesota State Courts, Dakota County Technical College, Minneapolis Community and Technical College, and the Hennepin County Sheriff's Office, among others.
To avoid detection, he used IP address anonymization services, paid for the DDoS-for-hire services using cryptocurrency, used spoofed emails to conceal his conduct, and employed encryption and drive-cleaning tools to conceal digital evidence. To circumvent his victims' DDoS attack mitigation efforts, Gammell amplified his attacks by using multiple DDoS-for-hire services at once.
Gammell is a convicted felon prohibited from possessing firearms or ammunition. He also admitted to possessing multiple firearms, ammunition, and parts for use in the building of firearms and ammunition.
Sentencing is scheduled for a later date.
A researcher has conducted an analysis of Jenkins servers and found that many of them leak sensitive information, including ones belonging to high-profile companies. London-based researcher Mikail Tunc used the Shodan search engine to find Jenkins servers accessible from the Internet and discovered roughly 25,000 instances. The expert analyzed approximately half of them and determined that 10-20% were misconfigured.
He spent weeks manually validating the issues he discovered and notifying affected vendors. Jenkins is an open source automation server used by software developers for continuous integration and delivery. Since the product is typically linked to a code repository such as GitHub and a cloud environment such as AWS or Azure, failure to configure the application correctly can pose a serious security risk.
Some of the misconfigured systems discovered by Tunc granted guest or administrator permissions by default, while others granted guest or admin access to anyone who registered an account. Some Jenkins servers used a SAML/OAuth authentication system linked to GitHub or Bitbucket, but they allowed any GitHub or Bitbucket account to log in rather than only accounts owned by the organization. Tunc said the vast majority of the misconfigured Jenkins servers leaked some type of sensitive information, including credentials for private source code repositories, credentials for deployment environments (e.g. usernames, passwords, private keys and AWS tokens), and job log files that contained credentials and other sensitive data.
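As an added example (not code from the researcher's write-up), the following script audits a Jenkins `config.xml` for the three access mistakes described above: anonymous or "logged-in means admin" authorization, open self-registration, and a GitHub OAuth realm that accepts any GitHub account instead of organization members. The Jenkins core element and class names are real; the GitHub OAuth plugin's `rootACL` field names are assumed from its configuration format and should be checked against your plugin version.

```python
# Added example for this page, not from the researcher's write-up: audit a
# Jenkins config.xml for the access mistakes described above. Core element
# and class names are real Jenkins ones; the GitHub OAuth plugin's rootACL
# field names are assumed from its config format and should be verified.
import xml.etree.ElementTree as ET

# Constructed sample: GitHub OAuth login, but no organization restriction,
# plus anonymous read, so the whole world can browse jobs and their logs.
WEAK_CONFIG = """<hudson>
  <useSecurity>true</useSecurity>
  <authorizationStrategy class="org.jenkinsci.plugins.GithubAuthorizationStrategy">
    <rootACL>
      <organizationNameList class="linked-list"/>
      <authenticatedUserReadPermission>true</authenticatedUserReadPermission>
      <allowAnonymousReadPermission>true</allowAnonymousReadPermission>
    </rootACL>
  </authorizationStrategy>
  <securityRealm class="org.jenkinsci.plugins.GithubSecurityRealm"/>
</hudson>"""

def _flag_true(node, name):
    # True when the child element <name> under node holds the text "true".
    child = node.find(name) if node is not None else None
    return child is not None and (child.text or "").strip().lower() == "true"

def audit_jenkins_config(xml_text):
    """Return a list of findings; empty means none of the known mistakes."""
    root = ET.fromstring(xml_text)
    findings = []
    if (root.findtext("useSecurity") or "").strip().lower() != "true":
        return ["security disabled: every visitor is an administrator"]
    strat = root.find("authorizationStrategy")
    cls = strat.get("class", "") if strat is not None else ""
    if cls.endswith("AuthorizationStrategy$Unsecured"):
        findings.append("Unsecured strategy: anonymous users have full control")
    elif cls.endswith("FullControlOnceLoggedInAuthorizationStrategy"):
        findings.append("any logged-in account gets full control")
        if not _flag_true(strat, "denyAnonymousReadAccess"):
            findings.append("anonymous read access enabled")
    elif cls.endswith("GithubAuthorizationStrategy"):
        acl = strat.find("rootACL")
        if _flag_true(acl, "allowAnonymousReadPermission"):
            findings.append("anonymous read access enabled")
        if _flag_true(acl, "authenticatedUserReadPermission"):
            findings.append("any GitHub account can log in and read, not only organization members")
    realm = root.find("securityRealm")
    rcls = realm.get("class", "") if realm is not None else ""
    if rcls.endswith("HudsonPrivateSecurityRealm") and not _flag_true(realm, "disableSignup"):
        findings.append("self-registration open: anyone can create an account")
    return findings
```

Run it against the `config.xml` in `$JENKINS_HOME` of your own instance; a non-empty list is the front door Tunc describes, left open.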
One of the exposed Jenkins instances, which leaked sensitive tokens, belonged to Google, but the tech giant quickly addressed the issue after being informed via its bug bounty program. The researcher also named several major UK-based companies, including Transport for London, supermarkets Sainsbury's and Tesco, credit checking company ClearScore, educational publisher Pearson, and newspaper publisher News UK. Some of these companies allegedly exposed highly sensitive data, but Tunc said he often had difficulties in responsibly disclosing his findings.
"I want to make it absolutely clear that I did not exploit any vulnerabilities to gain access to Jenkins servers - I simply walked through the front door which was visible to the world, then told the owners to close said front door," the researcher noted in a blog post. While Tunc received products, vouchers and thanks for his work from the companies he alerted, misconfigured Jenkins instances can be highly problematic and some vendors have paid significant bug bounties for such security holes. A few months ago, two researchers reported earning a total of £20,000 from Snapchat after finding exposed Jenkins instances that allowed arbitrary code execution and access to sensitive data.
- blog post (emtunc.org)
- £20,000 from Snapchat (www.securityweek.com)
- Critical Flaw Patched in Jenkins Automation Server (www.securityweek.com)
- Misconfigured Google Groups Expose Sensitive Data (www.securityweek.com)
- Researchers Find 1PB of Data Exposed by Misconfigured Databases (www.securityweek.com)
Companies have become more open in the past year to receiving vulnerability reports from security researchers, according to ethical hackers surveyed by bug bounty platform HackerOne. According to HackerOne's 2018 Hacker Report, which surveyed nearly 2,000 white hat hackers across 100 countries, companies are somewhat more open (38%) or far more open (34%) to receiving vulnerability reports. Fewer than 10% of respondents said firms are less open.
On the other hand, nearly a quarter of respondents said they had not reported vulnerabilities because the affected software's developer had not provided a channel for responsible disclosure. When it comes to motivation, money is no longer the most important factor, as it was in the previous year's survey. More researchers hack to learn new techniques (14.7%), for fun (14%), and for the challenge (14%) than for the money (13.1%).
Nearly one-quarter of respondents said they donated money earned from bug bounties to charities. A majority of HackerOne users named websites as their favorite target (70%), followed by APIs (7.5%), Android apps (4.2%), operating systems (3.1%), and IoT systems (2.6%).
Burp Suite is the favorite tool of nearly one-third of hackers, but more than 15% claim they use their own tools to find vulnerabilities. Other popular tools include web proxies and scanners, network scanners, fuzzers, and debuggers. A vast majority of the white hats who have signed up on the HackerOne platform, which hosts the bug bounty programs of more than 1,000 organizations, are under the age of 35, and many of them learned how to hack on their own.
Most of them either work in IT (software or hardware) or consulting, or they are students. Roughly 66% spend less than 20 hours per week hacking, and only 13% spend 40 hours or more. More than 71% have less than 5 years' experience, and only 10% have been hacking for more than 10 years.
Over £23 million has been paid out through HackerOne, with more than £4 million paid to researchers in the U.S., £3 million to India, and £1.3 million each to Australia and Russia. The largest share came from companies in the United States (£16 million) and Canada (£1.2 million). In some places, bug bounty hunters earn far more than they would as software engineers in their country.
For example, in India and Argentina they earn roughly 16 times more than the median annual wage of a software engineer, while in Hong Kong and Egypt they earn 8 times more. A quarter of respondents said bug bounties represent at least half of their annual income and 14% said they represent 90-100% of their income. Three percent reported making more than £100,000 per year from bug bounty programs, and 1% make more than £350,000.