John Jackson (hacker)

Born: 1994 or 1995 (age 29–30)
Other names: Mr. Hacking
Occupation(s): Hacker and security researcher
Known for: Sakura Samurai
Military career
Allegiance: United States
Service/branch: U.S. Marine Corps

John Jackson (born 1994 or 1995), [1] also known as Mr. Hacking, is an American security researcher and founder of the white-hat hacking group Sakura Samurai.

Early career and education

Jackson served in the United States Marine Corps from 2012 until 2017, where he was a petroleum engineer and logistics manager. He was discharged from the military after suffering an injury, and began attending the LeaderQuest Colorado certification bootcamp. After studying at LeaderQuest and learning on his own, he earned several cybersecurity certificates including ITIL, CompTIA A+ and Security+, and EC-Council Certified Network Defender (CND) and Certified Ethical Hacker (CEH). [2]

Career

Jackson's first cybersecurity job was for Staples as an endpoint detection and response engineer. Jackson then became an application security engineer at Shutterstock from 2019 until 2021, where he was involved with maintaining the security of their web applications, managing their bug bounty program, and managing their static and dynamic application security testing tools. While employed with Shutterstock, he also worked as a penetration tester with 1337 Inc. and did bug bounty hunting in his spare time. [2]

Independent research

In March 2020, Jackson published a blog post about a vulnerability he had discovered with the Talkspace mental health app, after he told the company about the issue and was dismissed. Talkspace sent him a cease and desist letter shortly after the post was published, in what TechCrunch described as "just the latest example of security researchers facing legal threats for their work". [3]

In November 2020, Jackson and researcher Sick.Codes discovered two vulnerabilities in TCL brand televisions. The first would allow attackers on the adjacent network to access most system files, potentially leading to critical information disclosure. The second would allow attackers to read and write files in vendor resources directories, which could allow arbitrary code execution or enable attackers to compromise other systems on the network. After Jackson and Sick.Codes reported the vulnerability to TCL, TCL deployed a patch—however, Jackson and his researcher partner said the fix raised further concerns, as there had been no notification that the software had been updated, and TCL appeared to have full control over the device. [4] [5] [6] The vulnerability came to be described in media as a "Chinese backdoor". [5] In a December 2021 speech to The Heritage Foundation, Acting Department of Homeland Security Secretary Chad Wolf said his agency was investigating the vulnerability due to concerns that the Chinese manufacturer may have "expos[ed] users to cyber breaches and data exfiltration". [7]

Also in November 2020, Jackson found a server-side request forgery vulnerability in private-ip, a popular JavaScript library published on npm. [8] [9] In March 2021, Jackson and other researchers discovered a similar bug in netmask, a package used by around 278,000 software projects. The bug had existed for more than nine years. [10] [11] In April 2021, the group discovered the same flaw existed in the Python ipaddress standard library, and more broadly was affecting other languages such as Perl, Go, and Rust. [12] [13] [14]

In December 2020, Jackson and Nick Sahler reported that they had gained access to a large quantity of sensitive data associated with the children's website Neopets. The data included database credentials, employee emails, and website source code. [15]

In September 2021, Jackson and Sick.Codes disclosed a vulnerability they had found in Gurock's test management tool TestRail, in which improper access control would allow access to a list of application files and file paths, which could then potentially expose sensitive data such as hardcoded credentials or API keys. [16]

Sakura Samurai

In 2020, Jackson founded Sakura Samurai, a white-hat hacking and security research group. Other current and former members of the group have included Robert Willis, Aubrey Cottle, and Higinio Ochoa. [1]

In January 2021, Jackson and other members of Sakura Samurai publicly reported that they had discovered exposed git directories and git credential files on domains belonging to two groups within the United Nations. The vulnerability exposed more than 100,000 private employee records. [17] [18]

In March 2021, Jackson and others in the group publicly disclosed vulnerabilities that affected 27 groups within the Indian government. After finding exposed git and configuration directories, Sakura Samurai were able to access credentials for critical applications, more than 13,000 personal records, police reports, and other data. The group also discovered vulnerabilities relating to session hijacking and arbitrary code execution on finance-related governmental systems. [19] After the issues reported to India's National Critical Information Infrastructure Protection Centre went unaddressed for several weeks, Sakura Samurai involved the U.S. Department of Defense Vulnerability Disclosure Program, and the issues were remediated. [20] [19]

Jackson and other Sakura Samurai members found a vulnerability in Pegasystems' Pega Infinity enterprise software suite, which is used for customer engagement and digital process automation. The vulnerability, which was first reported to Pegasystems in February 2021, involved a possible misconfiguration that would enable data exposure. [21] The vulnerability led to the researchers breaching systems belonging to both Ford Motor Company and John Deere, incidents which were publicly disclosed in August 2021. [22] [23]

Jackson and other members of Sakura Samurai have also reported notable vulnerabilities related to organizations and software including Apache Velocity, Keybase, and Fermilab. [24] [25] [26]

References

  1. Jackson, John (January 22, 2021). "Episode 200: Sakura Samurai Wants To Make Hacking Groups Cool Again. And: Automating Our Way Out of PKI Chaos". The Security Ledger with Paul F. Roberts. Retrieved September 26, 2021.
  2. Jackson, John (October 31, 2020). "United States Marine to Application Security Engineer, with John Jackson". Hacking into Security (Podcast). Interviewed by Ricki Burke.
  3. Whittaker, Zack (March 9, 2020). "Talkspace threatens to sue a researcher over bug report". TechCrunch. Retrieved September 26, 2021.
  4. Roberts, Paul (November 12, 2021). "Security Holes Opened Back Door To TCL Android Smart TVs". The Security Ledger with Paul F. Roberts. Retrieved September 26, 2021.
  5. Wagenseil, Paul (November 16, 2020). "TCL Android TVs may have 'Chinese backdoor' — protect yourself now (Update)". Tom's Guide. Retrieved September 27, 2021.
  6. Vincent, Brittany (November 18, 2020). "Report: Researchers Find 'Backdoor' Security Flaw in TCL Smart TVs". PCMag. Retrieved September 26, 2021.
  7. Wagenseil, Paul (December 23, 2021). "Department of Homeland Security: China using TCL TVs to spy on Americans". Tom's Guide. Retrieved September 26, 2021.
  8. Bennett, Jonathan (December 4, 2020). "This Week In Security: IOS Wifi Incantations, Ghosts, And Bad Regex". Hackaday. Retrieved September 26, 2021.
  9. Roberts, Paul (November 25, 2021). "Exploitable Flaw in NPM Private IP App Lurks Everywhere, Anywhere". The Security Ledger with Paul F. Roberts. Retrieved September 26, 2021.
  10. Bannister, Adam (March 29, 2021). "SSRF vulnerability in NPM package Netmask impacts up to 279k projects". The Daily Swig. Retrieved September 26, 2021.
  11. Speed, Richard (March 29, 2021). "Sitting comfortably? Then it's probably time to patch, as critical flaw uncovered in npm's netmask package". The Register. Retrieved September 26, 2021.
  12. Sharma, Ax (May 1, 2021). "Python also impacted by critical IP address validation vulnerability". BleepingComputer. Retrieved September 26, 2021.
  13. Sharma, Ax (March 28, 2021). "Critical netmask networking bug impacts thousands of applications". BleepingComputer. Retrieved September 26, 2021.
  14. Sharma, Ax (August 7, 2021). "Go, Rust "net" library affected by critical IP address validation vulnerability". BleepingComputer. Retrieved September 26, 2021.
  15. Roberts, Paul (December 28, 2021). "Update: Neopets Is Still A Thing And Its Exposing Sensitive Data". The Security Ledger with Paul F. Roberts. Retrieved September 26, 2021.
  16. Toulas, Bill (September 22, 2021). "Researchers Discover Remotely Exploitable Flaw Resulting in File Exposure on Gurock TestRail". TechNadu. Retrieved October 8, 2021.
  17. Riley, Duncan (January 11, 2021). "United Nations data breach exposes details of more than 100,000 employees". SiliconANGLE. Retrieved August 12, 2021.
  18. Spadafora, Anthony (January 11, 2021). "United Nations suffers major data breach". TechRadar. Retrieved September 26, 2021.
  19. Sharma, Ax (March 12, 2021). "Researchers hacked Indian govt sites via exposed git and env files". BleepingComputer. Retrieved September 26, 2021.
  20. Majumder, Shayak (February 22, 2021). "Government-Run Web Services Found to Have Major Vulnerabilities: Reports". NDTV-Gadgets 360. Retrieved August 16, 2021.
  21. "NVD – CVE-2021-27653". nvd.nist.gov. Retrieved August 12, 2021.
  22. Sharma, Ax (August 15, 2021). "Ford bug exposed customer and employee records from internal systems". BleepingComputer. Retrieved September 26, 2021.
  23. Bracken, Becky (August 10, 2021). "Connected Farms Easy Pickings for Global Food Supply-Chain Hack". ThreatPost. Retrieved September 26, 2021.
  24. Sharma, Ax (January 15, 2021). "Undisclosed Apache Velocity XSS vulnerability impacts GOV sites". BleepingComputer. Retrieved August 16, 2021.
  25. Osborne, Charlie (February 23, 2021). "Keybase patches bug that kept pictures in cleartext storage on Mac, Windows clients". ZDNet. Retrieved August 16, 2021.
  26. Sharma, Ax (May 6, 2021). "US physics lab Fermilab exposes proprietary data for all to see". Ars Technica. Retrieved September 26, 2021.