WEBVTT

00:00:00.000 --> 00:00:03.240
JACK: I used to work for this company, and I worked on the overnight shift,

00:00:03.240 --> 00:00:07.020
and they had a parking garage. But the best parking spots were all assigned to

00:00:07.020 --> 00:00:10.860
management. Not only that; you had to have a special parking garage badge to get in,

00:00:10.860 --> 00:00:14.880
so I always had to park far away. What really bugged me is that I was on the night shift,

00:00:14.880 --> 00:00:18.300
and there were only three of us on the night shift. So, it was like the whole parking

00:00:18.300 --> 00:00:21.900
garage was empty. Well, one day I brought my skateboard to work and was just rolling around

00:00:21.900 --> 00:00:26.040
in the parking garage during my break, and I rolled up to the mechanical arm that blocked

00:00:26.040 --> 00:00:31.020
you from getting into the garage, and to my surprise, it opened as I rolled up to it. What?

00:00:31.020 --> 00:00:36.360
I waited for it to go down and I tried again, and it opened when I got near it again. What I

00:00:36.360 --> 00:00:41.460
discovered was that there was a little electronic eye which detected when a car was trying to exit

00:00:41.460 --> 00:00:46.500
the parking garage, and it would lift the gate to let the car out. Well, I pinpointed exactly

00:00:46.500 --> 00:00:51.840
where that eye was and just tried to do something like take my shoe off and place it in front of the

00:00:51.840 --> 00:00:56.880
sensor, and sure enough, that was enough to get the gate to lift up until I moved my shoe. Well,

00:00:56.880 --> 00:01:01.200
naturally I hopped in the car, drove up to the gate, got out of the car, took my shoe off,

00:01:01.200 --> 00:01:05.700
put it on the exit sensor, and it raised the gate, and I got back in the car and was able

00:01:05.700 --> 00:01:09.480
to get through the gate and grab my shoe on the way through, and just park wherever I wanted.

00:01:09.480 --> 00:01:21.120
(INTRO): [INTRO MUSIC] These are true stories from the dark side of the internet. I’m

00:01:21.120 --> 00:01:31.620
Jack Rhysider. This is Darknet Diaries.

00:01:31.620 --> 00:01:34.267
[INTRO MUSIC ENDS]

00:01:34.267 --> 00:01:39.300
JACK: In this episode,

00:01:39.300 --> 00:01:42.300
we’re gonna hear some stories from Jason Haddix.

00:01:42.300 --> 00:01:46.980
JASON: I’ve always been into computers. I think I had my first computer when I was eleven or twelve.

00:01:46.980 --> 00:01:51.360
I think my parents got it for me for Christmas. It was a 486. Kinda just taught myself ‘cause

00:01:51.360 --> 00:01:57.780
I was curious about how it worked. A little bit of programming, HTML, and stuff like that.

00:01:57.780 --> 00:02:03.480
JACK: Any dark stuff you were looking into back then or anything that was –

00:02:03.480 --> 00:02:05.400
maybe your parents wouldn’t be happy you were seeing?

00:02:05.400 --> 00:02:12.300
JASON: Yeah, yeah. So, I mean, when I was in my early, early twenties,

00:02:12.300 --> 00:02:18.180
a friend of mine wanted a fake ID. We were all, you know, very young and impressionable

00:02:18.180 --> 00:02:24.060
at the time. So, I went out and a friend of mine was selling fake IDs, and I bought one.

00:02:24.060 --> 00:02:28.560
Back then it was a hundred and twenty bucks or something like that for a fake ID. I got

00:02:28.560 --> 00:02:33.120
it eventually. It took a long time for him to get me one. Then when I got it,

00:02:33.120 --> 00:02:40.140
it was really crappy. I was really upset and I figured hey, I could probably do a better job

00:02:40.140 --> 00:02:44.940
than this if I just learned it, ‘cause I figured I knew computers and I knew stuff like that. So,

00:02:44.940 --> 00:02:49.380
I just started Googling – back then it wasn’t really Google, but I just started looking on

00:02:49.380 --> 00:02:55.140
the internet for resources. So, one of the resources that I fell upon was ShadowCrew,

00:02:55.140 --> 00:03:00.900
which was probably one of the first darknet forums that was mainstream before the darknet actually

00:03:00.900 --> 00:03:09.300
existed. It was still the regular web, but it was forums. I started learning how to do everything

00:03:09.300 --> 00:03:15.600
to do with fake IDs; bought printers and learned how to make my own, and probably a couple for my

00:03:15.600 --> 00:03:21.660
friends. But it involved asking a lot of questions with the underground then, which was ShadowCrew.

00:03:21.660 --> 00:03:26.880
JACK: Okay, yeah, so Jason was on ShadowCrew, and if you aren’t familiar with ShadowCrew,

00:03:26.880 --> 00:03:31.020
just go back and listen to the episode just before this, called Gollumfun. While Jason

00:03:31.020 --> 00:03:36.105
was on ShadowCrew, he was focused on making fake IDs, but he really didn’t sell that many.

00:03:36.105 --> 00:03:41.220
JASON: [MUSIC] I mean, I would say I only sold a handful. It was more of an obsession for me

00:03:41.220 --> 00:03:48.720
to do it better than what I got. I’d say maybe three or four really good ones and a whole bunch

00:03:48.720 --> 00:03:53.460
of failed ones for my personal use, like just for my friends, really. I wasn’t a distributor

00:03:53.460 --> 00:03:59.400
even on the forums or rated, but I had shared a couple with people and they were like oh, these

00:03:59.400 --> 00:04:05.460
are getting really, really good. Mine usually passed, so it wasn’t rocket science, right?

00:04:05.460 --> 00:04:12.780
It was just having access to the printers, the templates, understanding all that kind of stuff.

00:04:12.780 --> 00:04:16.980
So yeah, it wasn’t like I was a criminal enterprise that was making a lot of money

00:04:16.980 --> 00:04:22.140
or anything like that. It was just that I found it really interesting.

00:04:22.140 --> 00:04:26.580
You could fall into anything; you could fall into a video game or you could fall into some

00:04:26.580 --> 00:04:33.000
kind of obsession like finishing a project. I had to figure out how to do it, and I did.

00:04:33.000 --> 00:04:37.920
JACK: Then one day he goes onto ShadowCrew’s website and sees it’s been shut down.

00:04:37.920 --> 00:04:39.660
JASON: The picture that they put up there with

00:04:39.660 --> 00:04:44.160
the dude behind the bars – and said the Secret Service is coming for all of you

00:04:44.160 --> 00:04:47.640
and a whole bunch of your – and then the indictment came out and a whole bunch of people

00:04:47.640 --> 00:04:52.980
who – I really only knew their screen names, but had been arrested in multiple countries.

00:04:52.980 --> 00:04:57.480
JACK: Well, this really spooked Jason. People were getting arrested for selling

00:04:57.480 --> 00:05:01.320
fake IDs on this site, and he was one of the people selling fake IDs there.

00:05:01.320 --> 00:05:07.320
JASON: The bust happened and then the next day I gathered – so, in the process of printing stuff,

00:05:07.320 --> 00:05:14.100
you have three – usually three different printers, you have laminates, you have stencils, you have

00:05:14.100 --> 00:05:19.440
powders, you have all kinds of crazy stuff; you have inks. As soon as I had it, I just

00:05:19.440 --> 00:05:24.286
dumped it in a black trash bag, a couple black trash bags, threw it in my trunk, and drove.

00:05:24.286 --> 00:05:32.580
JACK: [MUSIC] He was driving as fast as he could to another city far, far away. His plan was to

00:05:32.580 --> 00:05:37.080
just throw it all into a dumpster nowhere near where he lived just to get rid of everything.

00:05:37.080 --> 00:05:42.240
JASON: On the way to do that, I actually got pulled over.

00:05:42.240 --> 00:05:49.500
JACK: Jason’s heart was pounding so hard. He didn’t know why the cop pulled him over. Maybe

00:05:49.500 --> 00:05:55.440
it was for the fake IDs, and all that evidence was in the trunk of his car. The cop walked up to his

00:05:55.440 --> 00:06:01.980
window and said he was speeding. This was somewhat of a relief, but Jason was still really worried.

00:06:01.980 --> 00:06:06.180
JASON: I just thought he’s gonna ask me to pop my trunk and see all my stuff in the trunk.

00:06:06.180 --> 00:06:12.720
JACK: But the cop didn’t. He just gave Jason a ticket and let him go. Whew, close call. So Jason

00:06:12.720 --> 00:06:17.940
continued to drive to the next town, this time going a little slower, to get rid of his stuff.

00:06:17.940 --> 00:06:25.800
JASON: Dumped it in the next city in a dumpster with some lighter fluid and lit it all on fire.

00:06:25.800 --> 00:06:28.980
Yeah, that was probably one of the scariest moments of

00:06:28.980 --> 00:06:31.320
my life. Like I said, it scared me straight.

00:06:31.320 --> 00:06:36.600
JACK: Hm, that’s interesting, eh? That intimidating post that the Secret Service

00:06:36.600 --> 00:06:43.800
put up on ShadowCrew’s site was enough to make Jason quit the fake ID scene forever.

00:06:43.800 --> 00:06:49.380
It’s kind of hard to leave something like that behind. With ShadowCrew, it was like he was let

00:06:49.380 --> 00:06:55.380
into some inner circle of people, almost like a family. It’s hard to build up something like

00:06:55.380 --> 00:07:01.560
that and earn that trust just to walk away from it all and start over somewhere else.

00:07:01.560 --> 00:07:05.520
Well, by this point, Jason had enough knowledge of computers that he knew

00:07:05.520 --> 00:07:09.660
he wanted to make a career of it. He really liked the challenge of hacking into things,

00:07:09.660 --> 00:07:15.180
too. So he took some classes and then got a job fixing computers, then became a junior

00:07:15.180 --> 00:07:21.480
penetration tester. He did that for two years and then got another job doing penetration testing at

00:07:21.480 --> 00:07:26.070
HP. This is where he was tasked at hacking into companies to see if they were secure.

00:07:26.070 --> 00:07:32.280
JASON: So I started there as a staff penetration tester, did

00:07:32.280 --> 00:07:36.892
probably a couple hundred pen tests for the Fortune 500, a lot of…

00:07:36.892 --> 00:07:38.580
JACK: A couple hundred; that’s a lot.

00:07:38.580 --> 00:07:45.960
JASON: Yeah, I mean, I’d say I’ve probably done over my career maybe three hundred pen

00:07:45.960 --> 00:07:53.940
tests – or a little bit less than three hundred pen tests, probably, over the years. But yeah,

00:07:53.940 --> 00:08:01.020
we did one-week assessments. You had one week for the assessment, one week for the reporting.

00:08:01.020 --> 00:08:05.880
It was really easy for HP to get those contracts because they already had these big ins through

00:08:05.880 --> 00:08:10.500
their IT group with these companies. They were selling them printers, they were selling them

00:08:10.500 --> 00:08:15.600
enterprise software, and then everybody at that time needed – if they were subject to any kind

00:08:15.600 --> 00:08:20.640
of compliance, they needed a pen test for clients to satisfy compliance. So, they would just go with

00:08:20.640 --> 00:08:25.380
the people they already had a contract with, which was us. So, I got exposed to a ton of the big,

00:08:25.380 --> 00:08:33.960
big banks, a ton of big tech companies, big enterprises. I pen tested a lot of stuff.

00:08:33.960 --> 00:08:39.480
JACK: Ah, yes, compliance. I believe to be PCI compliant, it requires that

00:08:39.480 --> 00:08:44.700
you have to have a penetration test. PCI is Payment Card Industry, so, like MasterCard,

00:08:44.700 --> 00:08:49.980
American Express. They won’t let you process their credit cards unless you’re PCI compliant,

00:08:49.980 --> 00:08:54.660
which means you have to have an auditor that comes to your company and analyses your security

00:08:54.660 --> 00:09:00.420
practices and conducts a penetration test. I guess HP was one of those auditors and offered

00:09:00.420 --> 00:09:06.000
this service, which is where Jason really honed his skills as a hacker. Now for the most part,

00:09:06.000 --> 00:09:11.820
Jason focused on network hacking. There’s a few types of penetration testers; there’s physical

00:09:11.820 --> 00:09:15.840
penetration testers where they physically try to get into a building to see what they can access,

00:09:15.840 --> 00:09:20.580
but there’s also application pen testing. This is where maybe a software-maker gives

00:09:20.580 --> 00:09:25.800
their application to you and you try to find a bug with it. Then there’s network penetration testing,

00:09:25.800 --> 00:09:30.780
and this is where you try to break into a network using a computer, over the internet or whatever.

00:09:30.780 --> 00:09:34.860
You might try attacking it from the outside world or you might be actually given permission

00:09:34.860 --> 00:09:39.540
to come into the network and see what you can get to from inside the company. For instance,

00:09:39.540 --> 00:09:44.040
the people who work in marketing shouldn’t be allowed to just see everyone’s passwords,

00:09:44.040 --> 00:09:49.800
right? Someone should test that to see if it’s truly secure. Jason did a few physical pen tests

00:09:49.800 --> 00:09:54.180
and there’s one he told me about, which is actually hilarious. [MUSIC] Okay, so you

00:09:54.180 --> 00:09:58.860
know when you work somewhere, you get to know the security mechanisms that they have in place? Well,

00:09:58.860 --> 00:10:02.160
Jason worked for this place for a while and he was pretty familiar with the layout of the

00:10:02.160 --> 00:10:07.380
office and knew exactly how the doors worked in the building. Well, later on when he went to work

00:10:07.380 --> 00:10:13.500
for another company, he was given the task of breaking into this previous employer. Since he

00:10:13.500 --> 00:10:19.080
already knew the place well, he knew exactly what to bring. Okay, we need to get into this building.

00:10:19.080 --> 00:10:19.560
JASON: Yeah.

00:10:19.560 --> 00:10:21.960
JACK: Let me pack some equipment for this.

00:10:21.960 --> 00:10:25.980
JASON: [LAUGHING] Yeah.

00:10:25.980 --> 00:10:28.380
JACK: What do you throw in your bag?

00:10:28.380 --> 00:10:30.600
JASON: Yeah, I mean, you throw your lockpicks,

00:10:30.600 --> 00:10:34.140
you throw your USB keys that have malware on them, and you throw your blow-up doll.

00:10:34.140 --> 00:10:39.840
JACK: Yeah, a blow-up doll. He knew there was a certain door that had a magnetic lock.

00:10:39.840 --> 00:10:46.440
Nobody was allowed in or out unless the magnet was disengaged. Well, to get in, you need your badge,

00:10:46.440 --> 00:10:50.760
which disengages the magnet, but to get out, you didn’t need your badge. You could just

00:10:50.760 --> 00:10:56.040
open the door by pushing it from the inside. So how does the magnetic lock disengage for

00:10:56.040 --> 00:11:02.880
people leaving? Well, it unlocks when it senses someone leaving. It had a little electronic eye

00:11:02.880 --> 00:11:07.740
and could see when something got near the door on the inside, and it would unlock the

00:11:07.740 --> 00:11:12.600
door. This was one thing he noticed, but he also noticed something else about this door.

00:11:12.600 --> 00:11:18.420
JASON: The gap, the small, small gap between the door and the ground,

00:11:18.420 --> 00:11:20.506
you could slide something under there.

00:11:20.506 --> 00:11:24.720
JACK: [MUSIC] So when he was given this assignment, he packed a blow-up doll and

00:11:24.720 --> 00:11:28.680
went right up to the door, pulled it out, which it was deflated and flat,

00:11:28.680 --> 00:11:32.760
and he put it on the ground and slid it under the door. The whole doll was on the other side

00:11:32.760 --> 00:11:36.900
of the door except for the part that you put your mouth on to blow it up, so he laid on the

00:11:36.900 --> 00:11:41.460
ground and began blowing up the doll, which was inflating on the other side of the door.

00:11:41.460 --> 00:11:44.220
JASON: That’s exactly what it is, just face on the pavement,

00:11:44.220 --> 00:11:47.040
blowing up the blow-up doll. Yeah, for sure.

00:11:47.040 --> 00:11:49.860
JACK: Then you hear the click of the door and you jump up and grab it.

00:11:49.860 --> 00:11:53.460
JASON: Yeah, we had two people with us, so the other person would apply some slight pressure

00:11:53.460 --> 00:11:58.500
as soon as a mock walked through the door, do the same thing – it was a man-trap door,

00:11:58.500 --> 00:12:02.520
two sets of doors, so did the same thing on the other one and then walk

00:12:02.520 --> 00:12:06.300
into the physical premises. Once you’re in there, you have access to everything.

00:12:06.300 --> 00:12:12.120
JACK: I love this because to me, this is something I never would have expected someone to bring on a

00:12:12.120 --> 00:12:18.660
physical pen test. To take pictures of it and to put it in the report must have been hilarious.

00:12:18.660 --> 00:12:22.320
There was this other physical pen test that he did that also had an interesting bit to

00:12:22.320 --> 00:12:26.340
it. His objective in this one was to break into the building and see if he could get

00:12:26.340 --> 00:12:30.240
into the server room. It was him and two others on this assignment. Now,

00:12:30.240 --> 00:12:33.240
these server rooms are typically more secure than the rest of the building.

00:12:33.240 --> 00:12:37.200
It usually has a different kind of key to get in and cameras pointed at the door,

00:12:37.200 --> 00:12:42.600
and more security layers. Well, step one was to get into the building, and there was

00:12:42.600 --> 00:12:47.040
a locked door to get into the building, so they simply waited until someone was going

00:12:47.040 --> 00:12:51.600
in and they just went in right behind them and just tailgated them right in through the door.

00:12:51.600 --> 00:12:55.800
[MUSIC] That worked; they got in the building. They scoped the place out and they figured out

00:12:55.800 --> 00:13:00.420
where the server room was, and they didn’t see an immediate way in, but they had some

00:13:00.420 --> 00:13:04.680
ideas. It just wasn’t gonna be easy. The blow-up doll trick was not gonna work here,

00:13:04.680 --> 00:13:10.560
and you could try picking the lock to get in, but that takes a while, maybe ten minutes or longer,

00:13:10.560 --> 00:13:15.420
and it’s just too much time to be standing there, probably on camera, trying to force

00:13:15.420 --> 00:13:21.480
open the door. So, they got an idea to just hide in the office somewhere and wait for everyone to

00:13:21.480 --> 00:13:26.100
go home for the night. So they ducked into a little room and just waited for a few hours.

00:13:26.100 --> 00:13:29.760
JASON: Until everybody was out, and then the objective was to get

00:13:29.760 --> 00:13:37.740
into the server room. The server room was segregated from some of the other offices

00:13:37.740 --> 00:13:41.940
basically with a locked door. We didn’t have the correct technology to clone a card. We weren’t

00:13:41.940 --> 00:13:45.900
successful to clone a card of an employee to – the right kind of employee to get into the

00:13:45.900 --> 00:13:53.640
server room, so we were kind of at our limit of trying to reach the objective for the test. So,

00:13:53.640 --> 00:14:00.480
what we had noticed is that the ceiling tiles – if you look at any building, their ceiling tiles

00:14:00.480 --> 00:14:06.720
allow some space to run wiring and air conditioning up above. There was a small

00:14:06.720 --> 00:14:12.960
table outside of the door of the IT server room, which had some flowers on it. So we

00:14:12.960 --> 00:14:19.020
were like, I wonder if we – if there’s any gap to try to crawl over the wall boundary.

00:14:19.020 --> 00:14:25.500
[MUSIC] I was probably the lowest on the totem pole at this point with the company I was working

00:14:25.500 --> 00:14:31.740
at, and so they convinced me to climb up into the ceiling tiles. Climbed up, pulled myself up

00:14:31.740 --> 00:14:41.460
through the beaming part into the crawlspace above the door divider, and crawled over. I had been

00:14:41.460 --> 00:14:48.720
pretty careful to keep on the metal divider parts that hold the ceiling tiles on, and those are more

00:14:48.720 --> 00:14:54.240
stable. They hold a little bit of weight. But on one of them – once I was over into that area,

00:14:54.240 --> 00:15:01.860
I put my knee down on the wrong area and promptly fell through the ceiling into the server room

00:15:01.860 --> 00:15:06.720
flat on my stomach. Knocked the air out of me. I kinda thought I was gonna die. It’s like,

00:15:06.720 --> 00:15:13.020
catch my breath, kinda make sure nothing was broken. Luckily nothing was.

00:15:13.020 --> 00:15:15.300
JACK: Did anybody shout, like, you okay over there?

00:15:15.300 --> 00:15:22.020
JASON: Yeah. I mean, yeah. After, I think the response was ‘oh shit’ as

00:15:22.020 --> 00:15:29.400
soon as they heard the cracking – or the tile crack through.

00:15:29.400 --> 00:15:32.820
I can’t really remember ‘cause I was falling and still on the floor kinda dazed, but

00:15:32.820 --> 00:15:38.820
I’m sure one of them cared about my safety at the time. Then they were wondering if I could open the

00:15:38.820 --> 00:15:43.680
door from the inside, which I could. Reached the objective in the end, which was nice. So, yeah.

00:15:43.680 --> 00:15:50.100
JACK: He was okay; bruised, shook up a bit, but okay, and he was lucky he didn’t fall onto any

00:15:50.100 --> 00:15:54.240
server racks or sharp objects. He landed just on the empty floor, and he was also lucky he didn’t

00:15:54.240 --> 00:15:58.800
land on any computers and pulled out cords or caused an outage or something. Anyway,

00:15:58.800 --> 00:16:03.300
after that, he was able to get into a bunch of those servers and prove how someone can get into

00:16:03.300 --> 00:16:08.400
their servers. If you step back and look at it, he essentially walked in off the street and got

00:16:08.400 --> 00:16:12.900
into the computer room and gained full access to their main systems there, and he only broke

00:16:12.900 --> 00:16:16.980
a few ceiling tiles doing it. The customer was happy to have this report. It wasn’t a big deal

00:16:16.980 --> 00:16:21.600
to replace the tiles, and this showed them the importance of having walls up in the ceiling to

00:16:21.600 --> 00:16:26.340
prevent people from getting in that way. Now, even though Jason has done a few physical pen tests,

00:16:26.340 --> 00:16:31.020
the majority of pen tests he’s done have been network-based. That is, trying to get into the

00:16:31.020 --> 00:16:37.080
main website or network by just using a computer. One time, he was tasked with hacking into a bank.

00:16:37.080 --> 00:16:45.420
JASON: [MUSIC] Yeah, absolutely. So, we were contracted to do a pen test on a large bank,

00:16:45.420 --> 00:16:52.500
a worldwide-present bank, and we had a big contract with this bank. When I say we,

00:16:52.500 --> 00:16:58.320
it was me and one other tester at the time working on this project, and one was the network and web

00:16:58.320 --> 00:17:03.840
portion of the penetration test, and the other was their new mobile app and their mobile application.

00:17:03.840 --> 00:17:08.760
JACK: He was tasked with examining the mobile banking app to see if he can get

00:17:08.760 --> 00:17:13.260
any customer information or sensitive information from the app itself.

00:17:13.260 --> 00:17:19.140
Have you tried using these mobile banking apps? Do you get a weird feeling about it like I do?

00:17:19.140 --> 00:17:26.400
Something about having my bank details in my pocket doesn’t sit right with me. It seems

00:17:26.400 --> 00:17:30.780
silly since pretty much everything else is in my pocket, but throwing my bank account in there too?

00:17:30.780 --> 00:17:35.280
I’ve always been very hesitant of this. It’s kind of the same feeling of when I was doing

00:17:35.280 --> 00:17:39.780
online shopping for the first time and I was asked to give my credit card into a website. I was like,

00:17:39.780 --> 00:17:44.220
no way am I doing that. Well, years later, that’s the main way I shop now. But my

00:17:44.220 --> 00:17:49.740
favorite definition of the term ‘information security’ is to enable business to be conducted

00:17:49.740 --> 00:17:54.780
safely in a hostile environment. The internet is a hostile environment,

00:17:54.780 --> 00:18:00.000
and clearly if a bank wants to come out with a mobile banking app, they better have someone

00:18:00.000 --> 00:18:05.820
securing this app so business can be conducted safely. Well, this is what Jason was tasked

00:18:05.820 --> 00:18:11.580
with doing. He was going to act hostile to the app to see if it exposed any data it shouldn’t.

00:18:11.580 --> 00:18:13.920
JASON: We started doing recon on them. We had found a whole bunch

00:18:13.920 --> 00:18:17.634
of web servers and stuff like that, and we had their mobile…

00:18:17.634 --> 00:18:21.960
JACK: So, I understand what recon is for a physical pen test, right? We’re going

00:18:21.960 --> 00:18:25.002
to Google Maps, we’re looking on LinkedIn, seeing what kind of employees there are.

00:18:25.002 --> 00:18:25.014
JASON: Yeah.

00:18:25.014 --> 00:18:30.540
JACK: But what kind of recon is there for a web app pen test or a mobile app pen test?

00:18:30.540 --> 00:18:35.340
JASON: Absolutely. So, this is kinda my specialty, I would say, inside of the hacking scene. I’m kind

00:18:35.340 --> 00:18:42.240
of the godfather of reconnaissance for web applications and I’ve written multiple talks

00:18:42.240 --> 00:18:46.680
about it. So basically you have to think about a company as – especially a big company like

00:18:46.680 --> 00:18:54.120
this one, like a bank, they have hundreds if not bordering on thousands of publicly-exposed

00:18:54.120 --> 00:19:00.540
web servers. You know of the one; you know of www.bank.com, right, that you log into

00:19:00.540 --> 00:19:07.260
and maybe a couple other ones. So, you have to basically find them. So, the act of recon

00:19:07.260 --> 00:19:12.600
for a bank or any big web entity is basically finding all of their assets that are connected

00:19:12.600 --> 00:19:17.160
to the internet. So, there’s a number of methods that you can use to do this.

00:19:17.160 --> 00:19:24.060
You can use search engines to find other sites of theirs that are online. You can do

00:19:24.060 --> 00:19:30.480
things like searches for their privacy policy in terms of service, you can brute-force subdomain

00:19:30.480 --> 00:19:39.000
names. So, if you’re looking at www.bank.com, you can check to see if admin.bank.com exists with the

00:19:39.000 --> 00:19:44.160
DNS registrars or just trying to resolve it. If you get a response, that means it resolves and you

00:19:44.160 --> 00:19:47.940
can go to that web page and possibly check out sites like that. So, you can brute-force

00:19:47.940 --> 00:19:51.960
different names if you have a long list of different names that could exist, which we did.

00:19:51.960 --> 00:19:56.880
JACK: So, after finding all the domains, the next step is learning what you can do with

00:19:56.880 --> 00:20:01.200
those domains. Where are they hosted? What kind of applications are running on them? Do they have

00:20:01.200 --> 00:20:05.880
any default credentials or known vulnerabilities? A vulnerability scanner can pick up some of this,

00:20:05.880 --> 00:20:09.840
but it’s also good to kinda look through every domain individually and see if

00:20:09.840 --> 00:20:14.460
anything pops out at you. Jason was on this engagement with another person on his team,

00:20:14.460 --> 00:20:17.580
and they decided to split the work. Jason was gonna look at the mobile

00:20:17.580 --> 00:20:20.940
app while his coworker would continue to look at the domains they found.

00:20:20.940 --> 00:20:25.860
JASON: So, for the first week I was just kind of looking at the app,

00:20:25.860 --> 00:20:29.340
trying to figure out how it worked, and at that time there was a new feature of

00:20:29.340 --> 00:20:34.860
the mobile app for this bank that you could take a picture of a check and deposit it.

00:20:34.860 --> 00:20:39.600
JACK: [MUSIC] Oh yeah, I’ve seen this feature. Instead of running down to the

00:20:39.600 --> 00:20:43.920
bank to deposit a check, you can just take a picture of it on your phone and

00:20:43.920 --> 00:20:48.000
the app will deposit the check into your account. This feature always

00:20:48.000 --> 00:20:53.220
seemed suspicious to me. You just need a photo of the check, not the actual thing,

00:20:53.220 --> 00:20:57.660
and you have to enter the amount you’re depositing? What’s stopping you from depositing

00:20:57.660 --> 00:21:02.640
the same check twice or entering in whatever amount you like? There’s lots to test here,

00:21:02.640 --> 00:21:07.260
and there must be a whole slew of new attack vectors when a feature like this rolls out, right?

00:21:07.260 --> 00:21:12.000
JASON: I was looking at this app and I was capturing the traffic that went from

00:21:12.000 --> 00:21:16.560
the mobile app to the servers that took care of the processing of the image of the check.

00:21:16.560 --> 00:21:21.720
JACK: Okay, that’s a good place to start. When you send the bank a check pic, where does it go?

00:21:21.720 --> 00:21:27.120
JASON: I was proxying the web traffic between the phone and the web server with an interception

00:21:27.120 --> 00:21:32.580
proxy like Burp Suite. So, it’s a common tool for web hackers; it just lets you see the traffic

00:21:32.580 --> 00:21:38.640
between websites and your browser or websites and your mobile phone. So, what it did first is

00:21:38.640 --> 00:21:43.680
it took the image of the check and then turned it into binary representation of the image, and

00:21:43.680 --> 00:21:51.540
then sends it across an API which at the end was uploaded – was reconstructed and put on a server.

00:21:51.540 --> 00:21:57.420
JACK: The server that it went to was an AWS storage bucket. This is Amazon’s Cloud

00:21:57.420 --> 00:22:04.140
storage. So, check images were being sent to this storage place, and as Jason continued to watch

00:22:04.140 --> 00:22:10.020
the traffic, he was able to identify exactly which storage bucket on AWS these checks were stored in.

00:22:10.020 --> 00:22:15.360
JASON: So, you could just visit the back end and there was a whole bunch of images

00:22:15.360 --> 00:22:20.280
of checks just in this directory. So, that is a little bit more of a privacy breach, right?

00:22:20.280 --> 00:22:20.753
JACK: Yeah, so…

00:22:20.753 --> 00:22:21.120
JASON: Yeah.

00:22:21.120 --> 00:22:24.420
JACK: Are you talking about an open AWS bucket that anybody can visit?

00:22:24.420 --> 00:22:29.100
JASON: Yes, and because this was the first iteration of this feature and that was when AWS

00:22:29.100 --> 00:22:34.546
was still in its young years, yeah, absolutely it was an open AWS S3 bucket of check images.

00:22:34.546 --> 00:22:42.480
JACK: [MUSIC] Whoa, this is bad. An open AWS bucket means the entire contents of that storage

00:22:42.480 --> 00:22:47.760
bucket is available for anyone to see. They could see everything on there. Now, in some cases,

00:22:47.760 --> 00:22:53.340
this is fine. For instance, darknetdiaries.com is hosted on AWS, and the whole bucket is open

00:22:53.340 --> 00:22:58.500
and visible for anyone to see. But I don’t have any private data on there; there’s no user data,

00:22:58.500 --> 00:23:02.760
there’s no back end database. Everything is supposed to be visible to the world.

00:23:02.760 --> 00:23:07.980
But I don’t think it’s a good idea for a bank to store all their cashed checks

00:23:07.980 --> 00:23:13.500
through the mobile app in an open AWS bucket. Anyone can see all the cashed

00:23:13.500 --> 00:23:17.640
checks. Jason was looking at these checks and just couldn’t believe it.

00:23:17.640 --> 00:23:21.540
JASON: There was about two million checks in this instance. So,

00:23:21.540 --> 00:23:26.040
lots of checks, and each one has your address printed on it and your account number,

00:23:26.040 --> 00:23:31.080
which is considered somewhat private data, and the banks are supposed to protect that.

00:23:31.080 --> 00:23:37.260
If you’ve ever seen the gif of when Tiger Woods would score a good swing or something like that

00:23:37.260 --> 00:23:43.800
on a golf course, he does the little – closes his fist and it’s like a little fist bump in the air

00:23:43.800 --> 00:23:50.280
or whatever. That’s my default pen test move when I find something critical. In this case it exposed

00:23:50.280 --> 00:23:58.560
names, addresses, account numbers, and transaction history for users using this feature. So,

00:23:58.560 --> 00:24:04.380
it was a decent-sized finding. It wasn’t the most critical ever, but it was a decent-sized finding.

00:24:04.380 --> 00:24:08.640
Really, the first thing is you get kinda hot and sweaty and you’re like alright, sweet,

00:24:08.640 --> 00:24:14.700
I think I have something. This is really great. You get a little nervous because if you’ve been

00:24:14.700 --> 00:24:21.120
a pen tester for a long time, you know that they’re probably monitoring the network and

00:24:21.120 --> 00:24:24.300
at any given time you could lose access to something that’s good, so the first

00:24:24.300 --> 00:24:29.220
thing you do is take many screenshots of the traffic that you have and the vulnerability,

00:24:29.220 --> 00:24:35.160
and take – so you have images for your report at the end. So, I started doing all that,

00:24:35.160 --> 00:24:40.920
started making sure I gathered all the evidence in case I needed to prove out that it actually

00:24:40.920 --> 00:24:46.260
existed in case they ghost-patched it or something like that. So, yeah, those are the feelings. But

00:24:46.260 --> 00:24:53.820
when you hit a bank like this, especially one that has a big, big name, it’s pretty exhilarating.

00:24:53.820 --> 00:24:57.660
Yeah, that’s the whole reason you get into pen testing, is to find big finds like that.

00:24:57.660 --> 00:25:03.000
JACK: Okay, so that’s a big deal. He’ll want to tell them about that for sure and get them

00:25:03.000 --> 00:25:08.280
to lock down access to that. But he wasn’t done testing; this mobile app was for iPhone,

00:25:08.280 --> 00:25:13.380
so he grabbed the app off the phone and moved it to a computer to analyze. One of

00:25:13.380 --> 00:25:17.820
the first things he looked at was the PLIST file. This lists the properties of the app,

00:25:17.820 --> 00:25:22.860
and here you might find things like server names or information where data is stored on

00:25:22.860 --> 00:25:28.680
the phone. [MUSIC] But as he looked through the PLIST file, he found some hard-coded credentials,

00:25:28.680 --> 00:25:33.540
a username and password used to authenticate to something like an API or database.

00:25:33.540 --> 00:25:39.240
JASON: We had found a server that had a default install of Apache,

00:25:39.240 --> 00:25:47.400
and the manager console was open to the internet, so /manager, /HTML. So,

00:25:47.400 --> 00:25:51.720
we used credentials that we had found hard-coded in the mobile app, which happens all the time.

00:25:51.720 --> 00:25:59.400
People hard-code credentials in mobile app PLISTs even to this day and use it just as – on a whim,

00:25:59.400 --> 00:26:05.940
right? I normally wouldn’t have tried this, but I just tried it to make sure on this manager console

00:26:05.940 --> 00:26:10.380
to see if maybe the admin was the same of the service or whatever, and it turned out it was. So,

00:26:10.380 --> 00:26:14.340
we used these hard-coded credentials that were in the mobile app that we were able

00:26:14.340 --> 00:26:22.020
to reverse out on this website, and got into that.
JACK: [MUSIC] A-ha; web admin access to the server

00:26:22.020 --> 00:26:27.720
had been obtained. Amazing. Now, this web server was running something called Tomcat, which as an

00:26:27.720 --> 00:26:33.300
admin you could upload stuff to it, so Jason just uploaded a payload using Metasploit to it, which

00:26:33.300 --> 00:26:38.640
gave him command line or operating-system-level access to this web server. It’s one thing to be

00:26:38.640 --> 00:26:42.840
able to log into a website as an admin, but you gain a whole new level of power when you

00:26:42.840 --> 00:26:47.520
can get into the operating system as an admin, which is what he was able to do at this bank.

00:26:47.520 --> 00:26:52.560
JASON: Then once you have a foothold like that, we were able to start scanning

00:26:52.560 --> 00:26:57.660
internal – some internal IPs that connected to that server on more internal IP space of theirs,

00:26:57.660 --> 00:27:05.700
so inside their company, as well as see a whole bunch of transaction data and customer data on

00:27:05.700 --> 00:27:11.700
this server that we had exploited. So, it was a second really big finding. It had – I can’t

00:27:11.700 --> 00:27:14.820
really talk about too much of it ‘cause it’s – a lot of this stuff’s covered under an NDA,

00:27:14.820 --> 00:27:20.580
so – but it had client names, transaction data, a whole bunch of stuff on there as well. So,

00:27:20.580 --> 00:27:26.040
we had two ways to really breach customer data on their network.

00:27:26.040 --> 00:27:31.740
JACK: This was quite the report they submitted to the client. The bank was pretty happy that Jason

00:27:31.740 --> 00:27:36.900
found all these problems, and they got the entire mobile development team on the call and had Jason

00:27:36.900 --> 00:27:42.600
explain to them exactly what he found and how to fix this. They were surprised, but they all

00:27:42.600 --> 00:27:48.180
agreed this is very important stuff to fix. We have one more penetration test story from Jason,

00:27:48.180 --> 00:27:53.940
and you’re gonna want to hear this one, but we’re gonna take a quick break first, so stay with us.

00:27:53.940 --> 00:27:57.840
Jason Haddix has pen tested hundreds of websites in his professional career,

00:27:57.840 --> 00:28:00.540
and one stands out as particularly interesting.

00:28:00.540 --> 00:28:10.380
JASON: Okay so, this one’s one of the ones that is interesting. A buddy of mine had taken on some

00:28:10.380 --> 00:28:17.760
pen test contracts and he had taken on one too many. He basically had hit me up and said hey,

00:28:17.760 --> 00:28:22.920
do you want to do a moonlight test? A moonlight test is basically I already have a job,

00:28:22.920 --> 00:28:30.300
but he can give me a contracting gig on testing a site. I said yeah, sure, why not? So, he forwarded

00:28:30.300 --> 00:28:37.140
me the info for the site and it turned out to be a pornography site. But not just a pornography site;

00:28:37.140 --> 00:28:45.060
it was a site that had a store for items related to sex toys and stuff like that. It had private

00:28:45.060 --> 00:28:56.580
cam access to view live workers doing their thing, and then also prerecorded videos. It had messaging

00:28:56.580 --> 00:29:01.980
systems for you to chat with the cam people and all kinds of stuff. So, it was a big site.

00:29:01.980 --> 00:29:09.660
So, he sent over the contract and I took it. The funny parts about this are the first thing I did

00:29:09.660 --> 00:29:14.280
was I had to go to my wife and be like hey, you’re gonna – you might see some weird stuff

00:29:14.280 --> 00:29:21.720
on my computer if you walk by. It’s for work, I swear, because there’s just a lot of graphic

00:29:21.720 --> 00:29:28.560
stuff in the nature of testing this site. So, I had to give her a disclaimer upfront.

00:29:28.560 --> 00:29:36.540
But yeah, so, I went through my normal methodology starting out, and I registered to the website.

00:29:36.540 --> 00:29:43.200
[MUSIC] The client had really set a goal of getting access to this one account

00:29:43.200 --> 00:29:48.000
on the site, and so that was the goal of the majority of it, was to get access to this one

00:29:48.000 --> 00:29:51.780
account which had a private picture in it. If you get access to the picture, he would have

00:29:51.780 --> 00:29:57.060
considered that a success because no one was ever supposed to have access to that picture.

00:29:57.060 --> 00:30:00.240
JACK: So this was a user account or a camgirl account or…?

00:30:00.240 --> 00:30:05.880
JASON: It was a camgirl account with messages and pictures associated to it. So, the way the

00:30:05.880 --> 00:30:11.700
site worked is you could watch live cams, and then pictures that you had taken – kind of like

00:30:11.700 --> 00:30:18.540
Patreon or any of those other services, you could pay to access specific pictures, too. So, he had

00:30:18.540 --> 00:30:22.620
set up a picture in the picture section that he wanted us to access, and it would show that we

00:30:22.620 --> 00:30:29.160
had unauthorized access for one of his – I don’t know if it was a real or a fictitious camgirl.

00:30:29.160 --> 00:30:32.400
JACK: So, it sounds like

00:30:32.400 --> 00:30:37.433
security so that nobody steals our – nobody gets unauthorized access to the paid content…

00:30:37.433 --> 00:30:37.920
JASON: To the content, yeah.

00:30:37.920 --> 00:30:39.360
JACK: Like, don’t…

00:30:39.360 --> 00:30:40.500
JASON: He was really worried about that.

00:30:40.500 --> 00:30:44.220
JACK: It’s kind of a funny objective ‘cause it’s not like, make sure our stuff’s secure.

00:30:44.220 --> 00:30:44.640
JASON: Yeah.

00:30:44.640 --> 00:30:46.680
JACK: It’s hey, make sure no one’s stealing…

00:30:46.680 --> 00:30:47.454
JASON: I guess you could see it…

00:30:47.454 --> 00:30:48.480
JACK: …like, going around the paywall.

00:30:48.480 --> 00:30:51.600
JASON: I guess you could see it either way, right? You could see it like he wanted to

00:30:51.600 --> 00:30:57.240
protect the integrity of the workers and he cared more about the workers than the

00:30:57.240 --> 00:31:05.160
– or the content creators or – more than the users of the site. But no, no, absolutely,

00:31:05.160 --> 00:31:07.980
you could see it in the dark way of just like he’s trying to protect his bottom line,

00:31:07.980 --> 00:31:14.820
for sure. Yeah. So yeah, so I started creating an account, [MUSIC] just my own account to be

00:31:14.820 --> 00:31:22.320
a content creator on the site. I uploaded some – just random photos into the photo storage area.

00:31:22.320 --> 00:31:27.240
There was the store as well, so I purchased an item, I sent some DMs, and I’m – this whole time,

00:31:27.240 --> 00:31:33.660
I’m capturing all this web traffic through a proxy and seeing what calls get made and then just

00:31:33.660 --> 00:31:42.540
noting down how each one happened. So, the first thing that I noticed was that when you set up your

00:31:42.540 --> 00:31:46.740
account – and it’s common for some sites to not really care about this – was that the password

00:31:46.740 --> 00:31:53.760
policy was pretty much whatever you wanted it to be. So, for this site, when you basically

00:31:53.760 --> 00:32:00.120
signed up to be a user or a creator, it was five characters minimum and no special characters or

00:32:00.120 --> 00:32:03.240
numbers required. You could just make it whatever you want as long as it was five characters.

00:32:03.240 --> 00:32:08.700
JACK: Okay, so a five-character password minimum is pretty weak.

00:32:08.700 --> 00:32:14.880
But that’s only a suggestion to improve at this point. It’s like a theoretical issue, and it

00:32:14.880 --> 00:32:20.280
would be nice if he could demonstrate how that’s a real problem. If he had a list of user accounts,

00:32:20.280 --> 00:32:24.060
he could try to brute-force their passwords and see if anyone had a five-character password.

00:32:24.060 --> 00:32:30.600
But he didn’t have that. Next, what he did was he tried to see how the site handled password resets,

00:32:30.600 --> 00:32:36.000
so he initiated one. What the site did was it reset his password and then e-mailed him

00:32:36.000 --> 00:32:42.600
this new password. [MUSIC] But he noticed the password that the site created for him was a

00:32:42.600 --> 00:32:49.740
five-character password, and every time he’d reset the password, it was always five characters. Well,

00:32:49.740 --> 00:32:56.160
to a hacker like Jason, he started thinking how he could use this to his advantage.

00:32:56.160 --> 00:32:59.640
JASON: Basically you could start a password reset for any user on the site,

00:32:59.640 --> 00:33:02.700
any e-mail address, and I had – he gave us the e-mail address for the

00:33:02.700 --> 00:33:08.100
account he wanted us to target. Then you could brute-force the five characters

00:33:08.100 --> 00:33:12.900
that it was using, because it was minimum five characters and the password reset would only set

00:33:12.900 --> 00:33:19.560
a five-character password. You could brute-force that in about fifteen minutes. So, I went through

00:33:19.560 --> 00:33:24.840
every character in about fifteen minutes. There was a small rate limit required, but it

00:33:24.840 --> 00:33:30.480
wasn’t overly complex to bypass the rate limit. Eventually, right away on the test, broke into

00:33:30.480 --> 00:33:35.340
the account with the image that he wanted through the password reset and the weak password policy.

00:33:35.340 --> 00:33:37.680
JACK: What’s the tool you used to do that?

00:33:37.680 --> 00:33:41.940
JASON: I did it in Burp Suite, which is an interception proxy.

00:33:41.940 --> 00:33:44.520
JACK: But what you’re doing is you’re going to the website,

00:33:44.520 --> 00:33:50.083
logging in with that e-mail address, and then typing in a random five-character password…

00:33:50.083 --> 00:33:50.094
JASON: Yep.

00:33:50.094 --> 00:33:51.540
JACK: …and then again and again and again?

00:33:51.540 --> 00:33:56.340
JASON: Yep. So, every combination of 1,

00:33:56.340 --> 00:34:06.420
0 – or 00000 through 99999 and trying every combination between

00:34:06.420 --> 00:34:10.920
that number, and basically keep on trying over and over again once I did the password reset, because

00:34:10.920 --> 00:34:16.920
it reset it from what they had chosen originally. So, that was the first really easy one.

00:34:16.920 --> 00:34:21.630
JACK: So, Burp – I didn’t know Burp Suite did that, just keep trying passwords.

00:34:21.630 --> 00:34:27.480
JASON: Yeah, so you can – in Burp Suite they have a tool called Intruder, and Intruder

00:34:27.480 --> 00:34:32.580
basically can capture a web request and then you can highlight a section you want to edit

00:34:32.580 --> 00:34:41.880
and load a list or a rule to try a whole bunch of different requests. So,

00:34:41.880 --> 00:34:46.740
basically I captured the request for a regular login, or – yeah, a regular login,

00:34:46.740 --> 00:34:52.800
and then highlighted the area where the password was and then told it to try everything between

00:34:52.800 --> 00:35:00.840
00000 and 99999. It just ran all over those requests, added a small little wait in-between

00:35:00.840 --> 00:35:06.960
each one, and then eventually you know which one hits when there’s a different response

00:35:06.960 --> 00:35:11.040
time from the server. So, you just wait until you see the different response time from the server.

00:35:11.040 --> 00:35:16.500
JACK: Well, that was easy. He was able to gain access to the account that he was asked to try

00:35:16.500 --> 00:35:21.600
to get into. This is fascinating to me because by and large, this is the top thing I get people

00:35:21.600 --> 00:35:27.180
asking me to help them hack. I am constantly getting hit up on my DMs of people wanting me

00:35:27.180 --> 00:35:30.840
to help them hack into something, and I’m like ooh, what are we gonna do, hack into a bank or

00:35:30.840 --> 00:35:37.620
free someone from prison? They’re like oh no, sir, I need you to hack into my girlfriend’s account on

00:35:37.620 --> 00:35:46.140
social media. There’s always a ton of people who are trying to get into someone else’s account.

00:35:46.140 --> 00:35:51.840
Here’s a rather easy way to just get into anyone’s account on this porn site; reset their password,

00:35:51.840 --> 00:35:57.180
then brute-force it. It’s just a five-character password and it’ll take fifteen minutes to do.

00:35:57.180 --> 00:36:01.440
Imagine taking over the accounts of the top earners on this site.

00:36:01.440 --> 00:36:07.920
JASON: What’s interesting is that password complexity is a really touchy topic for websites,

00:36:07.920 --> 00:36:13.140
right? Your bank obviously has password complexity and makes you add special characters

00:36:13.140 --> 00:36:20.400
and a minimum number of characters and stuff like that. But content sites that basically –

00:36:20.400 --> 00:36:29.880
they don’t deem access to your account super-private, or they deem it private

00:36:29.880 --> 00:36:33.180
but they want the least amount of friction for users to get into their account. Sometimes they

00:36:33.180 --> 00:36:39.840
choose this on purpose. When we talked to the guy on the out-call, which is several steps ahead

00:36:39.840 --> 00:36:45.060
‘cause we did many other things to this site, but when we talked to this guy on the out-call,

00:36:45.060 --> 00:36:48.840
he knew that the password complexity was weak and he had kept it weak on purpose because it

00:36:48.840 --> 00:36:55.020
offered less friction for his users to get into their accounts. So it was like a personal thing.

00:36:55.020 --> 00:36:59.640
So, he ended up having to change the complexity of the password requirement for users and for

00:36:59.640 --> 00:37:04.140
content creators, and then also had to change the flow for the Forgot Password

00:37:04.140 --> 00:37:09.540
as well so it wouldn’t just set one; it would give you the link like normal sites do and

00:37:09.540 --> 00:37:13.860
then send you to a page to change your own password to something you want to set it to.

00:37:13.860 --> 00:37:19.380
JACK: Okay, so if you could reset the password and take over any user account on this site,

00:37:19.380 --> 00:37:22.740
which user should you take control over next?

00:37:22.740 --> 00:37:31.800
JASON: We found our guy’s admin account as well. [MUSIC] It was literally admin@thecompany.com,

00:37:31.800 --> 00:37:37.860
and we reset his password and logged into his account, which had superuser access as well.

00:37:37.860 --> 00:37:45.060
So, we could see pretty much the back end of the site as well from a management point of view,

00:37:45.060 --> 00:37:50.460
which was really interesting ‘cause he had way more functions available to him than anybody else.

00:37:50.460 --> 00:37:55.500
JACK: I mean, he would see that his password was reset. That’s strange; I didn’t do that.

00:37:55.500 --> 00:37:57.560
JASON: Not if you do it at 3:00 AM his time.

00:37:57.560 --> 00:37:59.387
JACK: Is that what you did?

00:37:59.387 --> 00:38:05.280
JASON: Yeah, yeah. Yeah, so you do it – we waited until late at night. So, yeah.

00:38:05.280 --> 00:38:06.180
JACK: Tricky.

00:38:06.180 --> 00:38:07.920
JASON: Yeah.

00:38:07.920 --> 00:38:09.060
JACK: But that’s what you gotta do.

00:38:09.060 --> 00:38:10.080
JASON: That’s what you gotta do, yeah.

00:38:10.080 --> 00:38:15.420
JACK: He also found a pretty clever bug about uploading images. This site allowed users,

00:38:15.420 --> 00:38:21.300
especially camgirls, to upload content. Jason made an account and uploaded an image and watched

00:38:21.300 --> 00:38:27.180
how the server handled it. Well, it tagged him in the upload request. So, he tried to upload

00:38:27.180 --> 00:38:32.520
another image, but this time tagging another user to see if that did anything. The server took that

00:38:32.520 --> 00:38:39.240
as another user has uploaded this. So, he found a way to upload images to other users’ accounts

00:38:39.240 --> 00:38:44.940
on the site, which is interesting; you could deface someone else’s account this way, putting

00:38:44.940 --> 00:38:50.700
all kinds of images and stuff on their account that others would see when they visited it.

00:38:50.700 --> 00:38:58.020
JASON: We had found a couple of cross-site scripting bugs, and then we had also managed to

00:38:58.020 --> 00:39:04.020
accomplish seeing the paid streams for the users without paying for them. You could look at the

00:39:04.020 --> 00:39:09.960
source code of the HTML when you were attempting to look at somebody’s paid stream. Normally you

00:39:09.960 --> 00:39:14.160
would click a button and pay with your credit card to access the paid stream. There was a parameter

00:39:14.160 --> 00:39:19.680
in there called debug that was set to False. When you set it to True, you were able to access the

00:39:19.680 --> 00:39:28.140
stream without paying for it. So, that was another way that we could bypass the paid nature. So at

00:39:28.140 --> 00:39:32.460
this point, we could reset anybody’s password and take over their account. We had access to the back

00:39:32.460 --> 00:39:38.880
end admin site, we had cross-site scripting, we could view streams without paying for them.

00:39:38.880 --> 00:39:44.400
We pretty much had everything that we kinda thought, but then also in the store – we had

00:39:44.400 --> 00:39:48.240
been working on the store and towards the end of the week, we had found that there was an SQL

00:39:48.240 --> 00:39:54.300
injection bug that allowed us to dump the complete database, purchases and credit card data for

00:39:54.300 --> 00:40:00.240
everything that had been ordered on his store that was associated to the site, which is not only just

00:40:00.240 --> 00:40:04.260
sensitive ‘cause you have credit card data, but also sensitive because these are very sensitive

00:40:04.260 --> 00:40:12.120
purchase of a very sensitive nature. So, we had all that transaction data as well. So, that was

00:40:12.120 --> 00:40:18.540
that test, and there’s a lot of things I learned from that test about that

00:40:18.540 --> 00:40:21.060
industry and stuff like that. It was really interesting and cool.

00:40:21.060 --> 00:40:27.720
JACK: Huh, sounds like this site had a lot of security problems. You might not immediately

00:40:27.720 --> 00:40:32.280
think of why it’s so important to secure a porn site, but one of the other things that

00:40:32.280 --> 00:40:38.580
this site allowed users to do was hook up with each other. It’s reminiscent of this scandal.

00:40:38.580 --> 00:40:42.720
HOST: A major hack tonight is threatening to expose embarrassing information on millions of

00:40:42.720 --> 00:40:46.200
people around the world. They all signed up for a website named Ashley Madison,

00:40:46.200 --> 00:40:49.380
which helps married people find people who want to cheat with them.

00:40:49.380 --> 00:40:55.020
JACK: This was a news clip from CBS Los Angeles. The site Jason worked on was a competitor to

00:40:55.020 --> 00:41:01.200
Ashley Madison, and he did this pen test just before Ashley Madison had their breach. If it

00:41:01.200 --> 00:41:06.840
wasn’t for Jason finding these security issues, this site could have easily been the story on

00:41:06.840 --> 00:41:11.820
everyone’s nightly news. The reason why that story was so scandalous was because it was

00:41:11.820 --> 00:41:17.820
very embarrassing for a lot of high-profile people who were found to be users on the site. In fact,

00:41:17.820 --> 00:41:22.140
I believe two people committed suicide for having their details exposed in the Ashley

00:41:22.140 --> 00:41:28.500
Madison breach. So, it’s wild to think how Jason may have really saved not only the reputation of

00:41:28.500 --> 00:41:34.140
this company by detecting these bugs before someone else did, but also potentially saving

00:41:34.140 --> 00:41:40.380
the lives of some of its users. Maybe that’s a stretch. If you were Jason at the early 20’s

00:41:40.380 --> 00:41:44.220
on ShadowCrew and you saw – you looked into the future, a crystal ball, and you saw Jason

00:41:44.220 --> 00:41:48.900
doing that sort of stuff when he’s older, I wonder what young Jason would have thought.

00:41:48.900 --> 00:41:55.920
JASON: I mean, he would have thought it was pretty cool, honestly. He hadn’t had years of

00:41:55.920 --> 00:42:02.628
professional experience, though, to temper his excitement and do bad things. So, yeah, I mean…

00:42:02.628 --> 00:42:04.260
JACK: Yeah, it’s an interesting perspective.

00:42:04.260 --> 00:42:04.974
JASON: It is.

00:42:04.974 --> 00:42:08.400
JACK: You looking back at that young Jason, young Jason doing dumb stuff,

00:42:08.400 --> 00:42:11.400
but young Jason looking up at older Jason;

00:42:11.400 --> 00:42:16.427
older Jason’s doing really cool stuff, yet young Jason thinks he’s doing cool stuff.

00:42:16.427 --> 00:42:18.600
JASON: Yeah, yeah. Yeah, so…

00:42:18.600 --> 00:42:23.040
JACK: And it’s weird to think that young Jason thinks young Jason is cool and

00:42:23.040 --> 00:42:27.060
old Jason is cool, but old Jason thinks old Jason’s cool but young Jason’s not.

00:42:27.060 --> 00:42:35.040
JASON: Yeah. That was a lot of Jason, but yeah, absolutely. Absolutely true. I’m lucky I have

00:42:35.040 --> 00:42:43.320
that perspective now, though, right, and got paid well for that test. So, yeah, it is really

00:42:43.320 --> 00:42:49.020
– I hate to be a shill, right, but penetration testing and security testing nowadays and having

00:42:49.020 --> 00:42:53.760
all of the protection we have and being able to do it as a job is one of the most coolest fucking

00:42:53.760 --> 00:43:02.220
jobs that you can have. I’ll never get over it. A lot of people talk about oh, you graduate out

00:43:02.220 --> 00:43:08.760
of it. I don’t think I will ever graduate out of be – wanting to pop systems in some way. So, yeah.

00:43:08.760 --> 00:43:19.800
(OUTRO): [OUTRO MUSIC] A big thank you to Jason Haddix for coming on the show and telling us

00:43:19.800 --> 00:43:26.460
these stories. You can follow him on Twitter; his name there is @JHaddix. This show is made by me,

00:43:26.460 --> 00:43:30.420
the slow poker, Jack Rhysider. This episode was assembled by Tristan

00:43:30.420 --> 00:43:34.500
Ledger and mixing done by Proximity Sound. Our theme music is done by the abnormie,

00:43:34.500 --> 00:43:40.380
Breakmaster Cylinder. The only dates I get these days are updates. This is Darknet Diaries.
