John Jackson (hacker)

John Jackson (born 1994 or 1995)[1] also known as Mr. Hacking, is an American security researcher and founder of the white-hat hacking group Sakura Samurai.

John Jackson
Born: 1994 or 1995 (age 29–30)
Other names: Mr. Hacking
Occupation(s): Hacker and security researcher
Known for: Sakura Samurai
Military career
Allegiance: United States
Service/branch: U.S. Marine Corps

Early career and education

Jackson served in the United States Marine Corps from 2012 until 2017, where he was a petroleum engineer and logistics manager. He was discharged from the military after suffering an injury, and began attending the LeaderQuest Colorado certification bootcamp. After studying at LeaderQuest and learning on his own, he earned several cybersecurity certificates including ITIL, CompTIA A+ and Security+, and EC-Council Certified Network Defender (CND) and Certified Ethical Hacker (CEH).[2]

Career

Jackson's first cybersecurity job was for Staples as an endpoint detection and response engineer. Jackson then became an application security engineer at Shutterstock from 2019 until 2021, where he was involved with maintaining the security of their web applications, managing their bug bounty program, and managing their static and dynamic application security testing tools. While employed with Shutterstock, he also worked as a penetration tester with 1337 Inc. and did bug bounty hunting in his spare time.[2]

Independent research

In March 2020, Jackson published a blog post about a vulnerability he had discovered with the Talkspace mental health app, after he told the company about the issue and was dismissed. Talkspace sent him a cease and desist letter shortly after the post was published, in what TechCrunch described as "just the latest example of security researchers facing legal threats for their work".[3]

In November 2020, Jackson and the researcher Sick.Codes disclosed two vulnerabilities in TCL-brand Android televisions. The first allowed an attacker on the adjacent network to access most system files, potentially leading to critical information disclosure. The second allowed an attacker to read and write files in vendor resource directories, which could lead to arbitrary code execution or be used to compromise other systems on the network. After the pair reported the issues, TCL deployed a patch; however, the researchers said the fix raised further concerns, because the update was pushed to devices without any notification and showed that TCL had full remote control over them.[4][5][6] The vulnerability came to be described in media as a "Chinese backdoor".[5] In a December 2020 speech to The Heritage Foundation, Acting Department of Homeland Security Secretary Chad Wolf said his agency was investigating the vulnerability over concerns that the Chinese manufacturer may have "expos[ed] users to cyber breaches and data exfiltration".[7]

Also in November 2020, Jackson found an IP-address validation flaw in private-ip, a popular JavaScript library published on npm that applications use to keep server-side requests away from internal hosts; because the library did not recognise alternative address notations, an attacker could direct server-side request forgery (SSRF) at private or loopback addresses that the check treated as public.[8][9] In March 2021, Jackson and other researchers discovered a similar bug in netmask, a package used by around 278,000 software projects: octets written with a leading zero were parsed as decimal rather than octal, so an address such as 0177.0.0.1 was classified as public while the operating system resolved it to 127.0.0.1. The bug had existed for more than nine years.[10][11] In April 2021, the group found the same class of flaw in Python's ipaddress standard library, and it was subsequently shown to affect address-parsing libraries in other languages, including Perl, Go, and Rust.[12][13][14]
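The private-ip and netmask bugs above are two instances of one failure: the allow-list filter and the operating system parse the same dotted-quad string differently. The following is an added example written for this page, not code from private-ip, netmask or Sakura Samurai, and the function names are ours. It places a naive base-10 parser of the kind such filters used next to an inet_aton(3)-style parser matching what the socket layer does, and adds a hardened check that only accepts canonical four-part decimal notation so the two can never disagree.

```javascript
// Added example (not code from private-ip, netmask or Sakura Samurai).
// Reproduces the class of bug behind those advisories: a filter reads
// "0177.0.0.1" as 177.0.0.1 (public) while the socket layer, following
// inet_aton(3) semantics, dials 127.0.0.1. Helper names are our own.

// Naive dotted-quad parser of the kind used by many IP filters: splits on
// dots and reads every octet as base-10, so a leading zero is dropped.
function parseNaive(ip) {
  const parts = ip.split('.');
  if (parts.length !== 4) return null;
  const octets = parts.map((p) => (/^\d+$/.test(p) ? parseInt(p, 10) : NaN));
  if (octets.some((o) => Number.isNaN(o) || o > 255)) return null;
  return octets;
}

// inet_aton(3)-style parser, which is what the resolver and socket layer use:
// "0x" prefix is hex, a leading "0" is octal, one to four parts are accepted,
// and the last part fills all remaining bytes (so "2130706433" is 127.0.0.1).
function parseInetAton(ip) {
  const parts = ip.split('.');
  if (parts.length < 1 || parts.length > 4) return null;
  const vals = [];
  for (const p of parts) {
    if (/^0[xX][0-9a-fA-F]+$/.test(p)) vals.push(parseInt(p.slice(2), 16));
    else if (/^0[0-7]*$/.test(p)) vals.push(parseInt(p, 8));
    else if (/^[1-9][0-9]*$/.test(p)) vals.push(parseInt(p, 10));
    else return null; // e.g. "08" is neither valid octal nor decimal
  }
  const last = vals.pop();
  const lastBytes = 4 - vals.length;
  if (vals.some((v) => v > 255) || last >= 2 ** (8 * lastBytes)) return null;
  const out = [...vals];
  for (let i = lastBytes - 1; i >= 0; i--) out.push(Math.floor(last / 2 ** (8 * i)) & 0xff);
  return out;
}

// Loopback, "this host", RFC 1918 and link-local: a representative subset of
// the ranges an SSRF filter must refuse, checked on bytes, not on the string.
// A null (unparsed) input is treated as "not private", i.e. the filter fails
// open on notations it does not recognise, which is how the bypasses worked.
function isPrivateBytes(bytes) {
  if (!bytes) return false;
  const [a, b] = bytes;
  return a === 0 || a === 10 || a === 127 ||
    (a === 172 && b >= 16 && b <= 31) ||
    (a === 192 && b === 168) ||
    (a === 169 && b === 254);
}

// What the naive filter decides versus where the socket actually connects.
function classify(ip) {
  const seenByFilter = parseNaive(ip);
  const dialedBySocket = parseInetAton(ip);
  return {
    filterAllows: !isPrivateBytes(seenByFilter),
    socketTarget: dialedBySocket ? dialedBySocket.join('.') : null,
    reachesPrivate: isPrivateBytes(dialedBySocket),
  };
}

// Hardened check: accept only canonical four-part decimal with no leading
// zeros, then classify the bytes. Both parsers agree on every string it passes.
function isSafeTarget(ip) {
  const canonical = /^(0|[1-9]\d{0,2})(\.(0|[1-9]\d{0,2})){3}$/;
  if (!canonical.test(ip)) return false;
  const bytes = parseInetAton(ip);
  return bytes !== null && !isPrivateBytes(bytes);
}

// Constructed sample inputs: octal, hex, single-integer, canonical loopback, public.
for (const ip of ['0177.0.0.1', '0x7f.1', '2130706433', '127.0.0.1', '8.8.8.8']) {
  const c = classify(ip);
  console.log(ip.padEnd(12), 'naive filter allows:', c.filterAllows,
    '| socket dials:', c.socketTarget, '| private:', c.reachesPrivate,
    '| hardened allows:', isSafeTarget(ip));
}
```

Run with node. The octal, hex and single-integer forms all pass the naive filter yet dial 127.0.0.1; the hardened check rejects all three and still accepts 8.8.8.8. The general lesson is that an SSRF allow-list must canonicalise the address with the same parser the socket layer will use, or refuse anything that is not already canonical.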

In December 2020, Jackson and Nick Sahler reported that they had gained access to a large quantity of sensitive data associated with the children's website Neopets. The data included database credentials, employee emails, and website source code.[15]

In September 2021, Jackson and Sick.Codes disclosed a vulnerability they had found in Gurock's test management tool TestRail, in which improper access control would allow access to a list of application files and file paths, which could then potentially expose sensitive data such as hardcoded credentials or API keys.[16]

Sakura Samurai

In 2020, Jackson founded Sakura Samurai, a white-hat hacking and security research group. Other current and former members of the group have included Robert Willis, Aubrey Cottle, and Higinio Ochoa.[1]

In January 2021, Jackson and other members of Sakura Samurai publicly reported that they had discovered exposed git directories and git credential files on domains belonging to two groups within the United Nations. The vulnerability exposed more than 100,000 private employee records.[17][18]

In March 2021, Jackson and others in the group publicly disclosed vulnerabilities affecting 27 groups within the Indian government. After finding exposed git and configuration directories, the group was able to access credentials for critical applications, more than 13,000 personal records, police reports, and other data. The group also discovered session hijacking and arbitrary code execution vulnerabilities on finance-related government systems.[19] After the issues reported to India's National Critical Information Infrastructure Protection Centre went unaddressed for several weeks, Sakura Samurai escalated through the U.S. Department of Defense Vulnerability Disclosure Program, and the issues were remediated.[20][19]

Jackson and other Sakura Samurai members found a vulnerability in Pegasystems' Pega Infinity enterprise software suite, which is used for customer engagement and digital process automation. The vulnerability, first reported to Pegasystems in February 2021, involved a possible misconfiguration that could expose data.[21] Using it, the researchers gained access to systems belonging to both Ford Motor Company and John Deere, incidents that were publicly disclosed in August 2021.[22][23]

Jackson and other members of Sakura Samurai have also reported notable vulnerabilities related to organizations and software including Apache Velocity, Keybase, and Fermilab.[24][25][26]

Publications

  • Jackson, John (December 1, 2021). Corporate Cybersecurity: Identifying Risks and the Bug Bounty Program. Wiley. ISBN 978-1119782520.

References

  1. Jackson, John (January 22, 2021). "Episode 200: Sakura Samurai Wants To Make Hacking Groups Cool Again. And: Automating Our Way Out of PKI Chaos". The Security Ledger with Paul F. Roberts. Retrieved September 26, 2021.
  2. Jackson, John (October 31, 2020). "United States Marine to Application Security Engineer, with John Jackson". Hacking into Security (Podcast). Interviewed by Ricki Burke.
  3. Whittaker, Zack (March 9, 2020). "Talkspace threatens to sue a researcher over bug report". TechCrunch. Retrieved September 26, 2021.
  4. Roberts, Paul (November 12, 2020). "Security Holes Opened Back Door To TCL Android Smart TVs". The Security Ledger with Paul F. Roberts. Retrieved September 26, 2021.
  5. Wagenseil, Paul (November 16, 2020). "TCL Android TVs may have 'Chinese backdoor' — protect yourself now (Update)". Tom's Guide. Retrieved September 27, 2021.
  6. Vincent, Brittany (November 18, 2020). "Report: Researchers Find 'Backdoor' Security Flaw in TCL Smart TVs". PCMag. Retrieved September 26, 2021.
  7. Wagenseil, Paul (December 23, 2020). "Department of Homeland Security: China using TCL TVs to spy on Americans". Tom's Guide. Retrieved September 26, 2021.
  8. Bennett, Jonathan (December 4, 2020). "This Week In Security: IOS Wifi Incantations, Ghosts, And Bad Regex". Hackaday. Retrieved September 26, 2021.
  9. Roberts, Paul (November 25, 2020). "Exploitable Flaw in NPM Private IP App Lurks Everywhere, Anywhere". The Security Ledger with Paul F. Roberts. Retrieved September 26, 2021.
  10. Bannister, Adam (March 29, 2021). "SSRF vulnerability in NPM package Netmask impacts up to 279k projects". The Daily Swig. Retrieved September 26, 2021.
  11. Speed, Richard (March 29, 2021). "Sitting comfortably? Then it's probably time to patch, as critical flaw uncovered in npm's netmask package". The Register. Retrieved September 26, 2021.
  12. Sharma, Ax (May 1, 2021). "Python also impacted by critical IP address validation vulnerability". BleepingComputer. Retrieved September 26, 2021.
  13. Sharma, Ax (March 28, 2021). "Critical netmask networking bug impacts thousands of applications". BleepingComputer. Retrieved September 26, 2021.
  14. Sharma, Ax (August 7, 2021). "Go, Rust "net" library affected by critical IP address validation vulnerability". BleepingComputer. Retrieved September 26, 2021.
  15. Roberts, Paul (December 28, 2020). "Update: Neopets Is Still A Thing And Its Exposing Sensitive Data". The Security Ledger with Paul F. Roberts. Retrieved September 26, 2021.
  16. Toulas, Bill (September 22, 2021). "Researchers Discover Remotely Exploitable Flaw Resulting in File Exposure on Gurock TestRail". TechNadu. Retrieved October 8, 2021.
  17. Riley, Duncan (January 11, 2021). "United Nations data breach exposes details of more than 100,000 employees". SiliconANGLE. Retrieved August 12, 2021.
  18. Spadafora, Anthony (January 11, 2021). "United Nations suffers major data breach". TechRadar. Retrieved September 26, 2021.
  19. Sharma, Ax (March 12, 2021). "Researchers hacked Indian govt sites via exposed git and env files". BleepingComputer. Retrieved September 26, 2021.
  20. Majumder, Shayak (February 22, 2021). "Government-Run Web Services Found to Have Major Vulnerabilities: Reports". NDTV Gadgets 360. Retrieved August 16, 2021.
  21. "NVD – CVE-2021-27653". nvd.nist.gov. Retrieved August 12, 2021.
  22. Sharma, Ax (August 15, 2021). "Ford bug exposed customer and employee records from internal systems". BleepingComputer. Retrieved September 26, 2021.
  23. Bracken, Becky (August 10, 2021). "Connected Farms Easy Pickings for Global Food Supply-Chain Hack". Threatpost. Retrieved September 26, 2021.
  24. Sharma, Ax (January 15, 2021). "Undisclosed Apache Velocity XSS vulnerability impacts GOV sites". BleepingComputer. Retrieved August 16, 2021.
  25. Osborne, Charlie (February 23, 2021). "Keybase patches bug that kept pictures in cleartext storage on Mac, Windows clients". ZDNet. Retrieved August 16, 2021.
  26. Sharma, Ax (May 6, 2021). "US physics lab Fermilab exposes proprietary data for all to see". Ars Technica. Retrieved September 26, 2021.

