Project Insecurity
Project Insecurity is a Computer Security organization founded by Matthew Telfer which has a primary focus as an education resource, a vulnerability identification and remediation team, and an Exploit Development Team. Unlike most Ethical Hacking organizations, Project Insecurity takes the non-conventional approach of hiring former cyber-criminals in attempt to give them a chance at exhibiting reformed behavior. The Founder and CEO is also a former cyber-criminal himself. Some other notable members who have a history of malicious criminal activity include Dominik Penner from NullCrew and Kane Gamble from Crackas With Attitude, a group responsible for hacking the CIA, US Department of Justice, and the FBI. Matthew Telfer's stance on this is that those who have hacked maliciously have a deeper understanding of such concepts, and that their talent should not be put to waste.
Project Insecurity have released a number of noteworthy security flaws since their formation in 2017. These flaws were disclosed to the affected software vendors in a responsible manner, and some examples of large sites that were vulnerable include Google, Twitter, PayPal, Bank of America, Kaspersky, AT&T, Tesla, Verizon Media, and Sony, among many other websites.
Project Insecurity are known by their company slogans, "Security is an illusion", and "We're in security to prevent insecurity
Formation
Project Insecurity first entered the public sphere in 2017 and shortly after, they became a registered Limited Company within the United Kingdom. During 2017 and 2018, Project Insecurity released a large number of Computer Exploits and Educational Tools and ResourcesTimeline of Released Work
In a two-year period from 2017 until 2019, Project Insecurity released a large number of Private Exploits.When the organization originally surfaced, an assortment of security exploits were publicly disclosed; primarily exposing flaws in Content Management Systems and Forum Board Software. Some examples of these include XenForo, MyBB, phpBB, X-Cart, OsCommerce, concrete5, and Invision Power Board. Project Insecurity also released the exploit code for Hangzhou XiaongMai Technologies CCTV Cameras, demonstrating how it was possible for hackers to take control of over two million vulnerable devices and use them as part of a Botnet. These devices were believed to have been used to partially power the Mirai Botnet, resulting in what was the most powerful Denial of Service attack in the history of the internet.
In late 2017, Corben Leo of Project Insecurity published several exploits affecting the Pulse Connect Secure VPN client developed by Juniper Networks, this client is primarily used within intranet environments, but many sites used this and were affected, notably Twitter. Around this same time period, Project Insecurity released several exploits affecting popular plugins for WordPress and Joomla.
In April 2018, Project Insecurity released two exploits affecting live chat systems used by various Internet Service Providers and Financial corporations around the world. Nuance Communications and LiveChat were the affected software vendors, both of which appeared to be vulnerable to bugs of a similar nature. These bugs allowed a malicious hacker to glean information on employees relating to the affected companies, such as the name, email, and employee ID of the chat agent, alongside other information such as the backend systems in use, allowing a malicious hacker to potentially gain a foothold within these networks. Some of the affected companies included Google, PayPal, Bank of America, Verizon, Sony, Tesla, Orange, Kaspersky, BitDefender, AT&T, and many other large corporations
. One of the founders of this exploit was Kane Gamble, who was convicted and given a two-year prison sentence shortly after these exploits were disclosed. Kane's sentencing was unrelated to any activities involving Project Insecurity and was instead due to his involvement with Crackas With Attitude, a group responsible for purportedly hacking the CIA, FBI and Department of Homeland Security. Prior to his sentencing, Kane Gamble had been attempting to show that he had reformed his character, not only working alongside Project Insecurity to help secure the above affected systems, but also by reporting vulnerabilities to companies such as T-Mobile USA of his own accord.
In May 2018, Project Insecurity member Six gained access to an administrative portal for EE, the largest telecommunications provider in the UK. This allowed him to view more than two million lines of their source code, including private developer API keys and Amazon Web Services secret keys.
In August 2018, Project Insecurity released a series of critical exploits for OpenEMR, the most popular Electronic Medical Record system in existence. There was over 25 vulnerabilities released in total, some of which would allow a malicious hacker to obtain full access to any machine running OpenEMR. This meant that such a flaw could be leveraged to expose the personal information of more than 100 million people worldwide, including 30-million US Citizens. This information was very sensitive in nature, and it included details about particular medical conditions that people are suffering from, alongside personally identifiable information such as their names, addresses, photographs, social security numbers, and more.
Also released in August 2018, Project Insecurity published an "APT-Ready" flaw affecting almost every Internet service provider in Canada, along with many in the United States. Project Insecurity pointed out that such a flaw could have been used by a rogue government to possibly manipulate the 2019 Canadian General Elections, and stated that the vulnerability could have potentially revealed the personal details of almost 80% of Canada's entire population. This issue was made possible through a flaw in SOLEO IP-RELAY. Some of the affected sites included Bell Canada, SaskTel, Rogers Communications, Telus, Shaw Communications, EastLink, and a number of other websites.