In the hacking world, it takes one to know one. For many corporations, the best defense against hackers is to actually hire a hacker and pay him or her to break into their sites or databases and expose weaknesses in a benign manner. There aren’t that many “white hat” hackers out there, and one of the most in-demand of these hackers is Israeli Shai Rod.
Now, add another feather to Rod’s cap. He was named one of the top ten hackers who have helped PayPal make its site more secure, with his name tacked onto PayPal’s virtual Wall of Fame.
This isn’t Rod’s first award as a “pentester” — a hacker who conducts a penetration test against a site, emulating an attacker in order to determine the system’s vulnerabilities. He was also a “top pick” at PayPal in the first quarter of 2013. In 2012, Rod was included in the Google Hall of Fame, the Twitter Security White Hats Awards Page, the Dropbox Special Thanks Page, Adobe Security Acknowledgements, and others. For each of these companies, Rod tested for vulnerabilities that “black hat” hackers — the bad guys — could take advantage of.
The techniques Rod uses to penetrate PayPal and other businesses’ systems are the same ones malicious hackers would use. Although Rod is doing the work with PayPal’s permission (and, under its Bug Bounty program, is getting paid for it), Rod is, as far as system administrators and security experts at PayPal are concerned, just another hacker.
For PayPal, Rod discovered an app (possibly still under development, he said) that he was easily able to exploit to reach administrator pages that would give a hacker control of a wide swath of the PayPal system. “I reported this issue to PayPal,” said Rod. “The application was removed immediately and is no longer available.”
In his day job, Rod works for Israeli security company Avnet, which provides information security services for over 300 customers worldwide, as well as for the Israeli government. In one recent case, Avnet teams consulted with police on a virus that had effectively shut down communications on police department servers. The virus forced administrators to shut down the computer network of the Israel Police for several days, as virus experts “cleaned house.” Nearly a year later, it still isn’t clear how the hack occurred or who was behind it, but Avnet head Roni Bachar said, “I think we can be fairly certain that it was sponsored by a nation-state, most likely Iran.”
“I really enjoyed poking around — with permission, of course — on the PayPal servers,” said Rod. “It’s a great challenge, especially because of the trust and responsibility PayPal has placed on the shoulders of those participating in the Bounty program. I am not only helping out one of the world’s biggest corporations, but I also have a great opportunity to participate in a unique and challenging project.”