Live hacking the U.S. Air Force, UK Ministry of Defence and Verizon Media in Los Angeles at h1-213


On November 6th, over 60 hackers descended on the City of Angels for the final HackerOne flagship live hacking event of 2019, h1-213. For the first time ever, a specific UK Ministry of Defence asset was included in a bug bounty engagement via Defense Digital Service’s Hack the Air Force 4.0. The second day of hacking focused on another HackerOne partner and frequent client of live hacking, Verizon Media.

Over the course of two days, more than 60 hackers submitted nearly 700 vulnerabilities and were paid over $600,000, and over 47% of all bounties paid were for high and critical findings. Hackers came from over 18 countries, and almost 25 individuals from local cybersecurity organizations attended Community Day, all of whom received LA-inspired skate decks to customize.

Hacking in the City of Angels

Defense Digital Service

The event was hosted at the Cross Campus in Downtown LA, where hackers arrived to an array of custom swag that epitomized the LA vibe, including custom skate decks.

To kick the day off, we were welcomed by Alex Romero, Digital Service Expert, Defense Digital Service and Dr. Michael Parker, Chief Information Officer and Deputy Director, Plans and Integration for the U.S. Air Force as they gave an overview of the Hack the Pentagon program, how imperative collaboration with the researcher and hacker community is, and a little bit about recruitment within the US Air Force.

Bringing a total of 16 teams and over 60 hackers together, day one of h1-213 resulted in 460 individual bounties paid, earning a total of $288,236. Almost 60% of the bounties paid were for high and critical findings. The U.S. Air Force and UK Ministry of Defence also brought their security teams to the event to collaborate and get to know the hacker community.

Team “StraightOuttaLA” winning the Vigilante Award – skate decks will be customized with team handle and award title!

Members of the US Air Force working with team “Buffer Broverflow”

This impressive first day concluded with a much loved HackerOne staple — Show and Tell. During Show and Tell, selected hackers shared with their peers the most impactful or most creative attack flow and the most unique or interesting findings. The details of the presentations are not shared outside the room and recording is not permitted; the following hackers were selected to present their findings:

  • 0xacb
  • meals
  • cablej
  • rijalrojan

Verizon Media

Verizon Media kicked off the event by welcoming hackers, the Defense Digital Service and US Air Force teams, and HackerOne to their offices in LA for food, drinks and a special treat: hackers presenting additional Show & Tells from earlier program submissions.

Verizon Media provided a unique scope for this event and tried out some new and interesting bonuses. Since there had been a Big Lebowski theme throughout the entire event, Verizon Media gifted custom-embroidered bowling shirts to hackers, as well as to their own staff, “The Paranoids”, and HackerOne.

With 99 individual bounties issued, Verizon Media paid over $325K in total, with over $121K rewarded for high and critical reports.

Chris Holt, Bug Bounty Operations Lead for Verizon Media, rocking one of the Big Lebowski themed bowling shirts.

Event Show & Tell:

  • Intidc
  • Ralamosm
  • Cache-money
  • Intidc
  • Bull
  • Bugdiscloseguys
  • STOK
  • Dki
  • None_of_the_above

Presented with “super bowl”-esque rings, Verizon Media chose three teams that brought the most severe vulnerabilities of the event:

VzM Team Awards:

Mala Fama : none_of_the_above, kcho

Team Name — : ta8ahi, bull, bugdiscloseguys, ralamosm, JR0ch17

Dupe-Day : ris, inhibitor181, ngalog, anshuman_bh

Hackers ta8ahi, bull, bugdiscloseguys, ralamosm, JR0ch17 won one of the best team of the day awards from Verizon Media.

Hackers from team Dupe-Day (ris, inhibitor181, ngalog, anshuman_bh) won one of the best team of the day awards from Verizon Media.

Hacker dki won the “Exterminator” award for best bug of the day.

Furthering the spirit of collaboration, the Community Day and Mentorship program brought in participants from local organizations for hands-on training, career panels, and a fully encompassed educational workshop. Partnering with the Women’s Society of Cyberjutsu and OWASP LA, Community Day participants first enjoyed a Hacker Panel with:

  • Lisa Jiggetts (@cyberjin), founder and president of Women’s Society of Cyberjutsu
  • Dawn Isabel (@dki), mobile hacker and full-time pentester
  • Katie Paxton-Fear (@insiderphd), PhD student, hacker, former HackerOne Mentee

In a panel moderated by Jessica Sexton, HackerOne Community Manager for Live Hacking, panelists discussed how they got started in cybersecurity, how they approach targets, their individual focus areas and skill sets, and managing burnout. They not only explained how to succeed as a woman in tech, but also gave advice to employers on how to source talent and keep women in tech.

Immediately following a full lunch spread, Community Day participants dove into a hands-on workshop led by Ben Sadeghipour (@nahamsec), HackerOne’s Mgr. of Hacker Education. Ben walked participants through all phases of a Hacker101 CTF, teaching them how to get started in hacking, how common vulnerabilities function and how to take it to the next level. Participants left with more knowledge and the next steps in their journey. Several attendees left with their first private program invitations! We cannot wait to see them grow and enhance their skills.

Here’s to Hackers —

Congratulations to:

DDS Day Winners:

The Exalted – most rep earned: johnny

The Exterminator – best bug: meals

The Assassin – highest signal: spaceraccoon

The Vigilante – MVH of the Night: johnny

Verizon Media Day Winners:

The Exalted – most rep earned: intidc

The Exterminator – best bug: dki

The Assassin – highest signal: intidc

The Vigilante – MVH of the Night: none_of_the_above

Event Winner

h1-213 Event MVH: spaceraccoon
