Virus attack myspace


















But there was nothing he could have done at that point—once he released the worm it was already too late, given that it spread all by itself. After around two hours the site went back up. His profile had been deleted.

Kunal Anand, who became director of security at Myspace a couple of months after the incident, says that at the time the Samy worm hit, the company had "almost no security team," and "had no idea what to do." No one had seen anything like Samy's worm. It was a "watershed moment for the industry," Anand tells me. Jeremiah Grossman, a web security expert and founder of the firm WhiteHat Security, says the Samy worm was "one of those moments that every expert in the industry was waiting for."

Kamkar's worm, despite its quick spread, was ultimately harmless: all it did was get him friends and add a few words to the infected people's profiles. But if Kamkar had been a criminal, or someone with more devious intentions, he could have taken over their accounts.

As Grossman puts it, Kamkar "had the ability to do whatever he wanted."

The technique that the young hacker used is known as a cross-site scripting attack, often abbreviated as XSS, where an attacker injects malicious code into a website, tricking the site and its users' browsers into executing the code.

People who knew about web security were aware that it was possible to attack most sites the way Kamkar did, according to Grossman, but no one had taken the threat seriously until the Samy worm. "We knew every site had it, but no one had really demonstrated what you could do with it," Grossman tells me over the phone. At the time of the Samy worm, 80 to 90 percent of websites were vulnerable to similar attacks, according to Grossman. Ten years later, only 47 percent of websites are likely to have the same vulnerabilities, according to data gathered by WhiteHat Security in . Without the attention that Kamkar's worm got, perhaps it would still be a more widespread issue.

In the years to come, websites and browsers beefed up their security against cross-site scripting attacks, but there were still some notable attacks. In , for example, several Yahoo users' email accounts were hijacked thanks to a similar vulnerability. And last year, hackers found an XSS bug in Tweetdeck that allowed them to force annoying popups. Earlier this year, thanks to an XSS vulnerability, it was possible to take over a WordPress blog with a single comment.

Despite his harmless intentions, and the blog post he published to explain why he launched the Samy worm, Kamkar did eventually get in trouble with the law. Authorities seized his laptop, three desktop computers and other electronic devices such as hard disks.

The Los Angeles District Attorney was going after him, accusing him of computer crimes, in particular of infecting computer systems with a virus, according to California's penal code.

Computers were kind of the only thing I had. For a whole year, Kamkar's lawyer and the prosecutors went back and forth, negotiating a plea deal. Kamkar never got arrested, and ended up pleading guilty and was sentenced to three years of probation with practically no computer access.

He was only allowed to use one computer, registered with the authorities, with no access to the internet, Kamkar says.

MySpace users suffered a similar assault over the summer, but they haven't been targeted again since new security measures were put in place.

Dave Marcus, a security researcher and communications director for software security company McAfee, in Santa Clara, said the worm affecting Facebook users poses a threat similar to other malware attacks over the years. He said that there have been cases of Facebook users having their identities stolen and that others have had their searches hijacked to search engines that they never intended to visit, so that its operators can collect on the advertising.

Who is behind the attack or where they are located is unclear, Marcus said. Victims are located across the globe. Facebook has warned users not to open suspicious messages and to verify that a friend intentionally sent a link before clicking on it.

"I think I know what it feels like to have that excitement over a discovery. To think, 'I found this bug. I found this thing. It's awesome,'" he said. Today, most major companies have bug bounty programs that allow people to get paid if they find and report vulnerabilities in the firm's code.

That provides the challenge — and a reward without the risk. "I very much — I would say almost innately — have that personal belief. And I think my life has been a bit different than other people's lives as a result, so I see things in a different way," Kamkar says.

I think hackers want to see for themselves. That pursuit of truth may take you some interesting places. I don't necessarily apply any legal or illegal attribute to the word 'hacking.' He wants to encourage young hackers to explore, with a conscience.

Understanding the difference between exploring and exploiting is important, he says. You can, you know, make a name for yourself by going into this area. The cybersecurity community seems to appreciate his guidance. After his talk at the Okta conference this week, a member of the audience posted in the chat "but most of all, Samy is my hero."
