How to Hack Systems & Still Make Money
Who is a hacker? To most people who are far from programming, a hacker is a vicious criminal who breaks into bank security systems to steal money. Something like Hugh Jackman’s character from Swordfish, who breaks the Vernam cipher to steal $9.5 billion from a government fund. Here we will focus on the legal side of hacking. If your ideas are inspired by films, we have prepared a detailed overview of the profession of a cyber-security specialist for you. You can be a hacker legally: legal hackers are called pentesters, or “ethical hackers.” You need to know well what you can do during system penetration testing and what you cannot. Otherwise, you can get quite real problems with the law. We recently launched the ethical hacker course. So, in this article, we’ll talk about how to hack, make good money, and still have no legal problems.
What Threatens a Hacker Under the Law of the Russian Federation
First, let’s talk about the problems that a hacker can face. Almost all offenses related to hacking systems and gaining access to them fall under three laws:
- On personal data (No. 152-FZ).
- On information, information technology and information protection (No. 149-FZ).
- On copyright and related rights (No. 5351-1).
Violation of these laws can lead to administrative and criminal liability.
According to Art. 13 of the Administrative Code of the Russian Federation (Administrative offenses in the field of communications and information), disclosing information with limited access or violating the procedure for storage, use and dissemination of personal data may lead to a fine of 300 to 20,000 rubles. This is for individuals. For legal entities, the amount of the fine is much higher. It concerns people who have access to such information, and the organizations that collect personal data from customers.
For example, an online store collects a customer base with names, phone numbers and emails. A cunning manager decides to copy the database for further sale on the side. If such an action did not cause serious damage and no complaints about the manager were made to law enforcement agencies, then the offense may qualify under Art. 13.11, clause 8 of the Code of Administrative Offenses of the Russian Federation. The punishment for it is a fine in the amount of 30,000 to 60,000 rubles.
As for criminal law, the following articles of the Criminal Code of the Russian Federation are the ones that in most cases threaten a malicious hacker:
- Art. 146 of the Criminal Code of the Russian Federation, “Infringement of copyright and related rights.” Computer programs are protected by copyright. Thus, any change in the program code, editing of functionality, or creating or using a cracked version falls under this article as well.
- Art. 272 of the Criminal Code of the Russian Federation, “Illegal access to computer information.” This is the main article under which a hacker can be prosecuted. After all, hacking a security system is illegal access to computer information.
- Art. 273 of the Criminal Code of the Russian Federation, “Creation, use and distribution of malicious computer programs.” Wrote a “Trojan”? Hello, article 273.
A small digression: pentesters also use third-party programs to hack security systems and gain access to classified information. There are no legal hacking programs, so the company that orders penetration testing must give voluntary written consent to the use of third-party programs. Pentesters also usually sign a nondisclosure agreement covering information obtained during attacks.
- Art. 274 of the Criminal Code of the Russian Federation, “Violation of the rules for the operation of storage, processing or transmission of computer information and information and telecommunication networks.” The article exists, but there is almost no real judicial practice on it. Since 2010, no more than 20 cases have been initiated in Russia.
- Art. 274.1 of the Criminal Code of the Russian Federation, “Unlawful influence on the critical information infrastructure of the Russian Federation.” The situation is the same as with Art. 274. There is no court practice on it.
According to Art. 272 and 273 you can get a fine of up to 500,000 rubles and a real term of up to 5 years, and in special cases up to 7 years. Moreover, to start a case, it is enough to find a vulnerability and try to use it, even without criminal intent.
Pentester: Differences from a Hacker
A pentester is a hacker who works completely within the framework of the law. The essence of his work is to search for vulnerabilities in security systems. But there are a few major differences:
- Developers are aware of the actions of a pentester. All actions to search for vulnerabilities are carried out either under a special agreement or through Bug Bounty programs. We’ll talk about them a little later.
- The pentester is only looking for vulnerabilities and is not going to exploit them. There is a subtle point here. Finding a hole in the storage system is okay, but trying to download confidential data by testing this hole is already a prison term. The pentester should point out the hole to the developers and explain how it could be used, but not try to use it himself.
- A penetration tester’s earnings are completely above board. Bug Bounty payments and contract payments are completely legal, so there is no need to be afraid of visits from the tax office.
In essence, a pentester is distinguished from a hacker by the set of rules that guide him. A pentester works only on Bug Bounty programs or after signing a contract with the company. Because the process of penetration testing itself involves breaking protection, the procedure is highly formalized.
In 2017, an 18-year-old hacker found a security vulnerability at a Hungarian transport company. The bug was simple: with the help of the developer tools in the browser, the guy changed the source code of the page, adding his own ticket price (20 cents instead of 30 euros). The price was not validated either on the server or on the client side, so the hacker was able to buy a ticket for that price. After that, he contacted representatives of the company, disclosing all information about the vulnerability. But he received not gratitude but a criminal case. The transport company was “offended” and sued him. The guy was arrested. The story ended well: it received a great response in the media, and users brought down the company’s Facebook rating. And since the company allegedly spends over a million dollars on data protection every year, the discovery of such a stupid bug that anyone could exploit destroyed its reputation.
The guy had noble intentions: he wanted to point out the hole in the ticket sales system by demonstrating it. But at the same time, his actions can still qualify as a security breach, and this is a criminal case. The company was completely correct in bringing the charges against him. Whatever the guy’s intentions, he broke the law. And only public outcry saved him from a real prison term.
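The missing check in the ticket story above can be shown in a few lines. This is an added example, not code from the original article or from the transport company; the product ids, prices, quantity limit and function names are assumptions made for the illustration. It puts a checkout handler that trusts the price sent by the browser next to one that takes the price only from server-side data.

```javascript
// Constructed catalogue held on the server. Prices are integer cents so
// that totals are never subject to floating-point rounding.
const CATALOG = Object.freeze({
  "intl-ticket": { name: "International ticket", priceCents: 3000 },
  "local-ticket": { name: "Local ticket", priceCents: 150 },
});
const MAX_QUANTITY = 10; // assumed business limit per order

// Vulnerable form: the amount charged is computed from a field that the
// client controls, so editing the page in the browser changes the price.
function checkoutVulnerable(order) {
  return { ok: true, chargedCents: order.priceCents * order.quantity };
}

// Hardened form: the client chooses what to buy and how many, never what
// it costs. Every field is validated against server-side data.
function checkoutHardened(order) {
  // Own-property lookup so ids like "__proto__" cannot match anything.
  const known = Object.prototype.hasOwnProperty.call(CATALOG, order.productId);
  if (!known) {
    return { ok: false, error: "unknown product" };
  }
  const item = CATALOG[order.productId];

  const qty = order.quantity;
  if (!Number.isInteger(qty) || qty < 1 || qty > MAX_QUANTITY) {
    return { ok: false, error: "invalid quantity" };
  }

  // A client-sent price is never used for charging. If one is present and
  // differs from the catalogue, that is a signal worth logging for review.
  const tamperSuspected =
    order.priceCents !== undefined && order.priceCents !== item.priceCents;

  return {
    ok: true,
    chargedCents: item.priceCents * qty,
    tamperSuspected,
  };
}

// Constructed request body: the 30-euro ticket with the price field
// changed to 20 cents, as in the story.
const tamperedOrder = { productId: "intl-ticket", quantity: 1, priceCents: 20 };

console.log("vulnerable:", checkoutVulnerable(tamperedOrder));
console.log("hardened:  ", checkoutHardened(tamperedOrder));
```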
Bug Bounty: How to Take Part
Most large companies run special Bug Bounty programs, in which software or website development companies offer rewards for vulnerabilities found. It is more profitable for companies to pay for the bugs found than to deal with the consequences of exploits and vulnerabilities. Most of these programs are hosted on the HackerOne and Bugcrowd sites. For example, here are Bug Bounty programs from Google API, Nginx, PayPal, GitHub, and Valve.
The average reward for each bug found in these programs is $1,000. There are a huge number of smaller companies that offer $50-$100 per bug. Even the Pentagon launched a Bug Bounty! It’s a dream for a hacker to hack into the Pentagon’s security system, and even get money for it from the US government. But even a published Bug Bounty does not mean that you can break things and look for holes anywhere. In the description of the program, the owners specify which vulnerabilities will be considered.
For example, Uber gives a very detailed explanation of what is included in their Bug Bounty program and what is not. The company wants to find vulnerabilities in data access and storage systems, phishing, payment and billing opportunities, and unauthorized actions on the part of users and company employees. But the program does not include general application bugs, fraud reports, or bugs in working with social networks and email newsletters. Their sense of humor, however, is just fine, because among the unpaid actions there are the following:
Entering the Uber offices, throwing crisps everywhere, unleashing a bunch of hungry raccoons, and hijacking an abandoned terminal on an unlocked workstation while staff are distracted.
The more detailed the Bug Bounty description, the easier it is for a pentester to understand what can be “tried and tested” and what should not be done. At the same time, there are general rules that cannot be violated. For example, if vulnerabilities are found in user databases, you cannot try to download any personal data. Even if you take part in the program, this can be regarded as a violation of the law, because it violates the rights of users, who have nothing to do with the Bug Bounty.
The Russian penetration testing market is also developing. It already has some major players working with large corporations, for example Digital Security, STC Vulkan, Group-IB, BI.ZONE and Kaspersky Lab. But the competition in the market is still quite low, so you can work calmly. Some large companies like Gazprom or banking organizations create separate internal divisions of pentesters so as not to disclose confidential data to third parties. Thus, there are several possibilities for a pentester:
- Join one of these big companies. The main plus is a stable salary and the absence of even hypothetical problems with the law. But at the same time, making a lot of money, as many pentesters strive to do, will not work.
- Register as an individual entrepreneur or work under a contract. The main plus is that the specialist sets the price himself. But at the same time, you will have to work with lawyers in the framework of labor relations to insure yourself from the legal side. And competitors are not asleep.
- Work only for Bug Bounty. The main plus is the freedom of the schedule and the opportunity to earn a lot. But there is always a risk that a specialist will not be paid for finding a bug. However, no one forbids working both under contract and in Bug Bounty programs.
Participating in Bug Bounty is easy. In fact, a message about the start of a program is an open offer that can be accepted by any user. You can start working right away; no further consent is required for your participation. To hedge against dishonest companies, we recommend working through the sites HackerOne and Bugcrowd. Just register and submit bug reports through them. The only rule is to read the program description in great detail. If a company writes that it pays for database vulnerabilities, then you only need to search there. Even if you find a bug somewhere else, you won’t get paid for it. Instead, problems may begin.
Wesley Wineberg found one of the biggest security holes in Instagram in 2015. During penetration testing, he discovered a Ruby vulnerability that allowed him to execute arbitrary code remotely. This allowed him to read the configuration files that contained the PostgreSQL database credentials.
There were 60 Instagram and Facebook employee accounts there. According to Wineberg, it was not difficult to crack them. Most of the passwords were weak, like “password” or “instagram”. He then gained access to several Amazon Web Services keys that were associated with 82 S3 buckets. These buckets were a real treasure for a hacker:
Instagram source code, SSL certificates, API keys, email server data, and signing keys for the iOS and Android apps. We can say that the pentester had full access to all of Instagram’s classified materials. He reported this find to representatives of Facebook. For one bug, he was actually paid $2,500.
But he also received an accusation of unauthorized access to employee accounts, a ban from Facebook’s Bug Bounty program, and a threat of criminal prosecution. Although no criminal case was opened, the pentester’s nerves were pretty frayed.
So, following the prescribed Bug Bounty rules is a must. Otherwise, you can get not a bonus, but an accusation.
What a Pentester Should be Able to Do
The pentester is both a “universal soldier” and a narrow specialist. He needs to have a broad knowledge of many areas of programming and at the same time deep skills in one or more areas. In general, it is believed that a Junior Penetration Tester should have the following knowledge:
- administration of Windows, Linux;
- knowledge of HTML;
- basic network protocols (TCP/IP, ICMP) and network services (Proxy, VPN, Samba, AD);
- protocols: HTTP, FTP, DNS, SSH;
- SQL databases (DDL, DML, etc.), MySQL, SQL Server, PostgreSQL, Oracle.
It is not necessary to know everything. But you need to have at least basic knowledge of the above programming languages, protocols and databases. You also need to learn how to use penetration testing programs like Burp Suite, sqlmap, Nmap, IP Tools, and Acunetix. Actually, this is why penetration testing is recommended for those specialists who already have a certain background in development or testing, because even for the junior level, the amount of knowledge required is enormous.
Where to Study as a Pentester
Finally, we have collected several popular resources where you can get all the information you need for the pentester profession.
And a few more sites where you can improve your practical skills:
- HackThis!! – Here you can upgrade your hacking skills in game mode and learn how to do it at the same time.
- Root Me – over 380 practical tasks for a pentester, from beginner to pro.
- Try2Hack is one of the oldest resources for pentesting practice. Just the thing for the basic level.
- WebGoat is a realistic tutorial environment where you can learn the basics of penetration testing and immediately put the knowledge into practice.
- Google Gruyere – Looks like a regular site, but a lot of security holes have been left in it. Great for those who are starting to learn penetration testing.
- OverTheWire is one of the top sites for learning penetration testing in game mode. 50 difficulty levels and an active community to ask for advice.
According to the study Inside the Mind of a Hacker, penetration testing is now considered even more profitable than malicious hacking. Companies pay well to those who find vulnerabilities in their systems. Many hackers don’t need to dive into the darknet if they can earn no less legally and quietly. If you want to become a pentester, the way is open. But becoming a good pentester who makes tens of thousands of dollars a month is much more difficult. It looks more like an art than a craft. Are you ready for this? Then go ahead! And the HABR promo code will give you an additional 10% on top of the discount indicated on the banner.
2022 is Set to be a Huge Battle to Safeguard Information
The cyber security industry will be on the move, from ransomware threats to misinformation about elections to scams targeting consumers.
Security threats are expected to grow in 2022 as cybercriminals improve their tried-and-true ransomware techniques and seek to exploit vulnerabilities in the technology that connects to the web. US elections also provide an ideal opportunity for spreading fake news.
The prospect of a surge in hacks, attacks, and data theft follows the massive increase in ransomware attacks, which take over computers and keep them inaccessible until the ransom is paid, and which affected people’s lives in 2021. Cyber-attacks that halted the oil transportation company Colonial Pipeline and the meatpacking company JBS USA contributed to temporary increases in gas prices and shortages of meat in some parts of the US.
The November discovery of the Log4j vulnerability, a serious flaw in logging software widely used on the internet, gave an insight into vulnerabilities in the software supply chain, which had already taken the brunt of this year’s SolarWinds attack. Security experts warn that hackers are likely to be looking for ways to make use of Log4j and other vulnerabilities in the interconnected systems that we depend on.
The feared attacks are set against the background of a never-ending virus that can cause additional problems. With many people working at home, hackers exploit remote connections to penetrate corporate networks. Some scammers target everyday people who are spending increasing amounts of time in front of a computer screen, in order to steal bank information, passwords for personal accounts, and other information that could be used to attack accounts.
Andrew Useckas, chief technology officer and co-founder of cyber security firm ThreatX, believes that a large part of the problem is that businesses aren’t aware of its extent, due to the amount of data stored on corporate networks.
“Many companies don’t know how vulnerable they are,” Useckas said.
A large number of cybercrimes, both large and small, aren’t reported, and it isn’t easy to keep track of all the data. However, experts say that some key indicators have increased in the last year, raising alarms.
Notably, the number of data breaches disclosed in the first three months of the year 2021 was more than the number reported in the entire year 2020, according to the Identity Theft Resource Center. Ransomware-related suspicious payments reported by banks and other establishments were $590 million at the beginning of the year in October, according to a report from the Department of the Treasury. That figure easily beat the $416 million of suspicious payments reported for the entire year of 2020.
The administration of President Joe Biden has taken action to limit ransomware and other cyber-attacks. It is reported that the White House recently held a worldwide online event against ransomware and promised to impose sanctions on crypto exchanges and financial institutions that support ransomware.
In the aftermath of the Log4j incident, which called Log4j’s security into question, the White House plans to hold a gathering of executives from software companies in the coming months to discuss ways to increase software security.
Congressional elections in November could change security priorities should the balance of power in the House and Senate change. Elections will pose their own security threats, and experts warn that a flood of false information will inundate social media as November 8 approaches.
Cyber-attacks Continue to Come. However, is the Government Ready to Take Action?
Ransomware attacks that only affect the back office of corporations often go unnoticed by the general public. However, when hackers shut down businesses that consumers depend on the most, everyone is aware.
The Treasury Department said in September that it would begin sanctioning cryptocurrency exchanges and other organizations that facilitate ransomware payments. The reasoning behind this decision is that taking action against illicit activity in the crypto market, which is the preferred currency for ransomware payments because it is largely undetectable, will deter ransomware hackers.
In the meantime, politicians in the US and other nations began drafting legislation that would require businesses to report any ransomware or other cyberattack that occurs. A lot of ransomware attacks are not reported, so it is difficult for law enforcement agencies to keep track of the number of attacks occurring, which targets are being hit, and the amount of money going to cybercriminals.
If the threats and demands for more are not stopped, politicians will need to introduce legislation to prove they are fighting the problem, said Tony Anscombe, the chief security advocate at antivirus firm ESET. This legislation could be expanded to prohibit ransomware-related payments.
“This could then become a race around the world to enact legislation as cybercriminals will target those territories where paying is still permitted,” Anscombe stated.
Concerns about the Supply Chain
A vulnerability in Log4j, the most widely used Java library for recording errors in network applications, has highlighted how dependent everything from government agencies to the consumer internet of things is on freely downloaded software integrated into a myriad of other software applications.
The simple exploit, which lets attackers take control of internet-connected computers that run the software, is a prime example of a vulnerability in the software supply chain. It is often difficult to determine exactly which devices are running the program. Like cars, software depends on a supply chain: engineers build software using prefabricated components, which are typically composed of smaller components.
When a piece of software is finished, it can be difficult to identify the individual components and where they came from.
Justin Cappos, an associate professor at New York University’s Tandon School of Engineering, says that the present structure of the software supply chain isn’t fully transparent, since many applications rely on open-source code. Even if you purchase software from a large company, it is not clear what source code might have been used to create it.
The Spread of Misinformation Increases Ahead of Midterm Elections
Misinformation is already a problem and will become more prevalent in 2022. Misinformation, meaning false information that is spread regardless of whether it is designed to mislead, can take various forms.
Conspiracy theories about vaccinations, global plots, and the election saga have already inundated social media. Facebook, Twitter and others have attempted to get a handle on the issue, but they’re not able to keep up with the never-ending game of whack-a-mole. Fact-checkers from the media and other organizations have also attempted to stem the stream of misinformation. There is no doubt that more misinformation is in the pipeline.
Advanced deepfakes, manipulated videos or audio recordings that alter reality so that people appear to be saying something they didn’t, are becoming more affordable and simpler to use. Although they have not been used extensively other than for demonstrations, their presence alone may be enough to make people skeptical of what they see online.
The problem is that, as the US gets more divided, the public is more inclined to trust information that is in line with their views on the world, regardless of the information’s quality. The news media has become fragmented, and outlets sometimes ignore stories that don’t align with an agenda, according to Cappos.
This could deepen the fracture in an already divided America and further undermine trust in the federal government and democratic institutions ahead of the midterm elections.
“People believe all kinds of weird stuff that they want to believe,” Cappos declared. “In a lot of cases, they won’t listen to fact-checkers.”
Russia, China and other US adversaries are pleased to see the political polarization even if they’re not behind the political campaigns. Anything that creates tension and gridlock, weakens the American democratic process, or undermines trust in that process can be to their advantage.
Jon Clay, vice president of threat intelligence for cybersecurity firm Trend Micro, said he anticipates disinformation attacks from Russia and other countries to ramp up before the November election. It’s up to the public to discern the truth from fiction. “People are going to have to be very critical about information and where they get their information,” he said, adding that this is going to be a challenge considering how quickly information is spread through social media, regardless of its reliability.
Scams are Getting More Frightening and Going Mobile
COVID has forever altered our work habits. Even in the unlikely event that the virus can be controlled this year, many are likely to work from home for at least a portion, if not all, of the time.
Cybercriminals are working as well. They’ll be looking for ways to exploit the internet connections and the devices that workers use to connect remotely.
Are You Using an “Activator” for Windows? Attackers can Steal Your Crypto
A fresh report from the IT company Red Canary describes a new virus that steals data from cryptocurrency wallets. Cybercriminals distribute it under the guise of an activator for Windows.
According to the network security researchers, the infected KMSPico utility contains an executable file that, once it gets onto a computer, unpacks itself and steals data from known crypto wallets. The virus is also capable of intercepting confidential information from browsers. Experts note that users of pirated copies of Windows who use various activators to bypass the activation process are at risk. It is also noted that the virus uses a sophisticated algorithm to hide itself from detection.
A Woman Sent Her Smartphone for Repair Under Warranty & She was Hacked in Search of “Nudity”
Blogger and designer Jane McGonigal said on Twitter that Google hacked her Pixel to gain access to candid photos. She discovered the breach when she received many security email alerts. Jane says that she sent her Google Pixel 5a in the mail for repair. The company has partnered with FedEx and accepts devices for service. According to the tracking, the smartphone arrived at a service center in Texas a few weeks ago. After a while, Jane began to receive email notifications. They said that someone using her smartphone had reset her passwords and logged into her Google and Dropbox accounts. She says that the activity logs of the accounts showed her exactly what they were looking for in her cloud storage. According to her, unknown persons “rummaged” through her photo albums in particular. They looked through her pictures in a swimsuit, tight sportswear and dresses, as well as postoperative photos with stitches. They “cleaned up” the notifications about actions in the account. Most likely, the intruders were looking for photos with “nudity”, but Jane did not have such photos.
McGonigal tried to wipe her Pixel 5a using Google’s Find My Device feature, but failed. She turned to her followers on Twitter and asked them to inform her about similar cases in order to file a class action lawsuit. By the way, at least one similar case has already been found. A Reddit user sent his wife’s Pixel smartphone to the same service center in Texas, after which he discovered that their candid photos had appeared on social networks. Also, an attempt was made to steal money from the PayPal account. A Google spokesman has already reacted to the situation. He said that the company is investigating the incident. He also recalled that Google recommends backing up your smartphone data and wiping the device before sending it for warranty service. It should be noted that, depending on the type of breakdown, it is far from always possible to do this.