Feeds

Man banished from PayPal for showing how to hack PayPal

Some hacking tools more equal than others

SANS - Survey on application security programs

PayPal suspended the account of a white-hat hacker on Tuesday, a day after someone used his research into website authentication to publish a counterfeit certificate for the online payment processor.

"Under the Acceptable Use Policy, PayPal may not be used to send or receive payments for items that show the personal information of third parties in violation of applicable law," company representatives wrote in an email sent to the hacker, Moxie Marlinspike. "Please understand that this is a security measure meant to help protect you and your account. We apologize for any inconvenience."

The email, sent from an unmonitored PayPal address, makes no mention of the item that violates the PayPal policy. The suspension effectively freezes more than $500 in the account until Marlinspike submits a signed affidavit swearing he has removed the PayPal logos from his site.

Since 2002, Marlinspike has included a yellow donate button on the download page for a hacking tool he calls SSLSniff, and more recently he released a program called SSLStrip, which also includes the button. But it was only after someone published counterfeit SSL certificate on Monday that PayPal took action against the account.

"This is not something I had anything to do with, and they responded by suspending my account," Marlinspike told The Reg. "I've been the one trying to warn them of this in the first place."

The account suspension is troubling because it penalizes an independent security researcher whose discoveries have already yielded important insights into secure sockets layer, one of the web's oldest and most relied upon measures for preventing man-in-the-middle attacks. It's the latest action to demonize hacker tools that can be used by security professionals for good because they can also be used by criminals for bad.

It also flies in the face of the tacit approval of PayPal and its parent company, eBay, give to groups distributing dozens of other hacking tools. No doubt, the Wireshark packet sniffer is used regularly to reveal the passwords of unsuspecting victims, and yet its purveyors accept payments by PayPal. The same goes for the Cain & Abel and l0phtcrack password recovery tools and Remote-Exploit.org, a group whose tag line reads: "Supplying offensive security products to the world."

A PayPal spokeswoman said the company's privacy policy prevented her from discussing Marlinspike's case. But in general, she said hacking tools are allowed in certain cases, such as when they can be used to legitimately help administrators assess the strength of user passwords.

"We do not, however, allow PayPal to be used in the sale or dissemination of tools which have the sole purpose to attack customers and illegally obtain individual customer information," the spokeswoman, Sara Gorman, wrote in an email. "We consider whether there is any legitimate use in helping to strengthen the defenses of one's site when determining violation of our policy."

She said PayPal relies on a dedicated team with "extensive experience in information security, law enforcement, financial services and risk" to make such decisions. She didn't explain how they determined programs such as Wireshark and Cain & Abel have legitimate uses and the tools offered by Marlinspike do not. She also didn't explain why Marlinspike's banishment came less than 24 hours after the release of the bogus PayPal certificate.

According to a note included with the certificate's release, Marlinspike distributed it during a training session at the Black Hat security conference in July. The hacker confirms he offered a class to penetration testers that taught them everything they'd need to test and carry out attacks on SSL certificates, and as part of that, he included a proof-of-concept certificate. But he never distributed the certificate and each student signed an agreement stating the material was for evaluation purposes and was not be be publicly released, he said.

And in any event, he never used PayPal to accept payment for the class. What's more, the only items being distributed on the PayPal-adorned pages are SSLStrip and SSLSniff. Bogus certificates were never available anywhere on the site, he said.

So if you're a hacker who relies on PayPal, the not-so-subtle message is to make sure your projects steer clear of your online payment processor. It doesn't matter that you speak at the same conferences attended by the rest of the security world. As PayPal well knows, hacker tools can be used for good or for bad, and the company has the sole discretion to choose which is which. ®

High performance access to file storage

More from The Register

next story
Obama allows NSA to exploit 0-days: report
If the spooks say they need it, they get it
Putin tells Snowden: Russia conducts no US-style mass surveillance
Gov't is too broke for that, Russian prez says
Snowden-inspired crypto-email service Lavaboom launches
German service pays tribute to Lavabit
Mounties always get their man: Heartbleed 'hacker', 19, CUFFED
Canadian teen accused of raiding tax computers using OpenSSL bug
One year on: diplomatic fail as Chinese APT gangs get back to work
Mandiant says past 12 months shows Beijing won't call off its hackers
Heartbleed exploit, inoculation, both released
File under 'this is going to hurt you more than it hurts me'
Arts and crafts store Michaels says 3 million credit cards exposed in breach
Meanwhile, Target investigators prepare for long process in nabbing hackers
prev story

Whitepapers

SANS - Survey on application security programs
In this whitepaper learn about the state of application security programs and practices of 488 surveyed respondents, and discover how mature and effective these programs are.
Combat fraud and increase customer satisfaction
Based on their experience using HP ArcSight Enterprise Security Manager for IT security operations, Finansbank moved to HP ArcSight ESM for fraud management.
The benefits of software based PBX
Why you should break free from your proprietary PBX and how to leverage your existing server hardware.
Top three mobile application threats
Learn about three of the top mobile application security threats facing businesses today and recommendations on how to mitigate the risk.
3 Big data security analytics techniques
Applying these Big Data security analytics techniques can help you make your business safer by detecting attacks early, before significant damage is done.