BreachAlarm was contacted this week by a hacker going by the handle ‘Desert Bandit’, who shared some breach data with us. If you’re an Email Watchdog user, you may have been notified of this breach. We thought our customers might be interested in a hacker’s perspective, and we were delighted when Desert Bandit agreed to answer some questions here on the blog.
BA: Please paint a picture of yourself for our audience. What’s your age, gender, location?
DB: I’m just the regular neighborhood kid, I’m under 18, I’m male and I’m from Europe.
I’ve got a girlfriend, I’m a straight A student, and I speak 4 other languages. I live in a regular neighborhood. I would classify myself as a curious person: I want to know how everything works.
BA: How old were you when you started hacking? How did you get into it, and what would you consider your first successful ‘hack’?
DB: I believe I was around the age of 12, so a long time ago. My step dad is an IT specialist himself. He got several visits from antivirus companies, wanting to get him to sign up for deals and stuff.
It got me interested in how virtual things worked, such as websites and antivirus programs. I became pretty interested in programming, and now I’m good with HTML, CSS and a bit of PHP.
After that, basically groups like Anonymous and LulzSec started getting popular, which got me interested in website security. I learned more and more about SQL Injections & XSS attacks.
Later on, I got involved in a job on a stress testing service (a website which allows you to take another website/server/home connection offline), so I’ve learned a lot from the owner.
During that time, I met loads of other hackers like me, just working at the stress testing service and using the community forums.
My interests shifted towards cracking, specifically password cracking. Later I got involved with a Skype group that was focused around brute forcing & stealing accounts.
My most successful SQL attack: Arsenal.com, British professional football club. I don’t believe they’ve patched it yet.
My most successful XSS attack: Probably just when PayPal sandbox got released. I never received a bounty, but it still felt pretty awesome.
Besides that, I was once offered a role as an IT specialist for my local police, which I had to refuse due to distance and age.
BA: I understand that you classify yourself as a white hat hacker. For readers who may be unfamiliar with the term, what does it mean to you to be a white hat hacker?
DB: There are 3 different shades of “hats”, white, grey and black, which range from good to bad.
White: You don’t steal accounts, you report vulnerabilities, stuff like that.
Grey: You sometimes steal accounts, you sometimes report vulnerabilities, depending on how you feel.
Black: You steal everything, it doesn’t matter if it’s bank details or not. You don’t report vulnerabilities, you just basically exploit everything you can.
Personally, I would never steal bank details, nor will I ever steal in my life. That’s something I’m totally against – messing up someone else’s life for your own gain.
BA: Are you part of a group, or do you work primarily alone?
DB: I primarily work alone, yet I “teach” people the basics of brute forcing. These people mainly come from hacking related forums.
BA: Has your hacking ever found you in trouble with the law?
DB: No. Though, there are periods where if I got arrested, I’d probably be in a lot of trouble.
At around the age of 15 or so, I ran a small Botnet (network of “zombie” computers that forward transmissions to other computers) of around 500 people. I just ran silent crypto-miners on them.
But on the other hand, if I found something disturbing on one of the computers which was infected, I would always inform the authorities.
For instance, there was this one dude – I assumed he was around 43 – and he was like regularly playing online multiplayer games for children (specifically Habbo Hotel).
I could see it was him, since I was able to control his webcam and stuff like that. One time, I was just “observing” him, and he decided it was a good time to open up his child porn folder.
So, I took some screenshots, took his credit card details, IP address & location and sent it in as an anonymous tip. I made sure I removed my virus from his computer so I wouldn’t be traced back.
I’ve got loads of stories like that.
BA: When you come up against strong security on a website, do you see this as a challenge or just move on to weaker targets?
DB: Depends. I personally attack websites ‘in bulk’, and I use this thing called Google Dorks in order to gain massive amounts of site URLs.
I check if they’re vulnerable to injections and if so, I check their databases out.
BA: Are there any simple tests you do that indicate that a website might be vulnerable to giving up user’s data?
DB: I just use simple characters in parameters, such as: product.php?cat_id='
& product.php?cat_id=/
If one of those gives out an error, I’ll proceed. If not, I won’t even bother.
BA: How much time do you spend hacking?
DB: Not much, I have a server which I use for 24/7 scanning & attacking. Daily, it’s around the 2-3 hour mark. I’m also a gamer, so that takes my time as well.
BA: What’s the most common type of exploit you come across on the average business website?
DB: Probably SQL errors. If someone finds them, your website’s database is going to be public soon.
Also, just regular XSS errors and a non-existing CAPTCHA. I think you should even protect your mobile app login URL, as well.
BA: What should webmasters be putting in place to prevent their users’ data being breached and shared?
DB: Encryption & salting the encryption. At least use an 8+ random-generated salt. Just try to encrypt as much as possible.
BA: What kinds of responses do you usually get when you notify a company that their website is vulnerable to hacking?
DB: Usually none. Most website and company owners don’t take me seriously. One time, there was this company owner and he wasn’t too happy about me telling him about it.
I’ve also had a couple of positive replies, but generally most company owners remain silent. I also try to tweet to random site owners/sites if I can find the owners.
BA: As far as you know, when less scrupulous hackers get access to a site’s password database, what usually happens to the data?
DB: It gets used in brute force attacks. Those details get sold, and if they hit an account with stolen details (names, DOBs, etc.), they’ll sell it too.
Personally, I’ve run one of those online shops for around 2 weeks, and I earned around $500 all up.
If you use the same password for everything, be aware: one day your accounts could be gone.
Payment details usually get sold on the Deep Web. I’m not really familiar with it, but I’ve heard about a team from the same country as me who sells PayPal accounts, all with active balances.
BA: On a personal note, do your parents know about your pastime?
DB: They are aware. They also know that I’m fully white hat and would never become a black hat.
BA: I believe you’re still in high school. What do you want to do as a profession or for study when you leave?
DB: Indeed I’m still in high school. I want to study Architecture or Structural/Civil Engineering when I’m done.
What questions would you like to ask a hacker like Desert Bandit? Tweet us @breachalarm.