Talk about geek chic. Facebook has started paying researchers who find and report security bugs by issuing them custom branded “White Hat” debit cards that can be reloaded with funds each time the researchers discover new flaws.

Facebook's Bug Bounty debit card for security researchers who report security flaws in its site and applications.

I first read about this card on the Polish IT security portal Niebezpiecznik.pl, which recently published an image of a bug bounty card given to Szymon Gruszecki, a Polish security researcher and penetration tester. A sucker for most things credit/debit card related, I wanted to hear more from researchers who’d received the cards.

Like many participants in Facebook’s program, Gruszecki also is hunting bugs for other companies that offer researchers money in exchange for privately reporting vulnerabilities, including Google, Mozilla, CCBill and Piwik. That’s not to say he only finds bugs for money.

“I regularly report Web app vulnerabilities to various companies [that don't offer bounties], including Microsoft, Apple, etc.,” Gruszecki wrote in an email exchange.

The bug bounty programs are a clever way for Internet-based companies to simultaneously generate goodwill within the security community and to convince researchers to report bugs privately. Researchers are rewarded if their bugs can be confirmed, and if they give the affected companies time to fix the flaws before going public with the information.

As an added bonus, some researchers — like Gruszecki — choose not to disclose the bugs at all.

“My rule #1 as participant of bug bounties: Don’t tell details about reported bugs,” he replied, when asked about the details behind his most recent Facebug find. “This is my personal decision, but perhaps in the future I change my mind. So I prefer to fix the bugs silently, but it’s nice that they can mention about me by putting my name on their White Hat list.”

Gurszecki said that as cool as the White Hat card is, he has asked Facebook to send his earnings another way, saying that using the card carried too many fees in his country.

“I have found the card is too expensive to use in Poland, and chose another way to get my reward,” he said. “The Facebook team sent me the card only as a souvenir.”

Neal Poole, a junior at Brown University, has reported close to a dozen flaws to Facebook, and also recently received a White Hat card. Poole has earned cash reporting flaws to Google and Mozilla, but unlike Gruszecki he blogs about each vulnerability he finds after they are fixed, detailing every step of his discovery and interaction with the affected vendor.

Poole’s research and diligent write-ups eventually caught the attention of Facebook’s recruiters: Next summer, he’ll be interning at Facebook, working directly with the company’s security team.

The New York native welcomed the bug bounty card, which makes it a bit easier to get paid. Initially, he’d asked to be paid via Western Union, but he ended up having the payment sent via PayPal. Now he just takes the card into JP Morgan Chase (the issuer of the card) and has them dump the cash into his bank account. “It was a little confusing at first for the people at my bank. They’d never seen one of these cards before.”

The young researcher said although the White Hat card definitely carries some geek cred, he won’t be flashing it at security conferences to buy drinks for his contemporaries anytime soon.

“I don’t think I’d want to use card like that at [hacker conventions like] Black Hat or DefCon,” Poole said. “It’d probably get cloned, or I’d feel like if you pulled out the card it you would immediately become a target.”

You’re out and about, and your smartphone’s battery is about to die. Maybe you’re at an airport, hotel, or shopping mall. You don’t have the power cable needed to charge the device, but you do have a USB cord that can supply the needed juice. Then you spot an oasis: A free charging kiosk. Do you hesitate before connecting your phone to this unknown device that could be configured to read most of the data on your phone, and perhaps even upload malware?

A DefCon attendee using the charging kiosk.

The answer, for most folks, is probably not. The few people I’ve asked while researching this story said they use these charging kiosks all the time (usually while on travel), but then said they’d think twice next time after I mentioned the possible security ramifications of doing so. Everyone I asked was a security professional.

Granted, a charging kiosk at an airport may be less suspect than, say, a slightly sketchy-looking tower of power stationed at DefCon, a massive hacker conference held each year in Las Vegas. At a conference where attendees are warned to stay off the wireless networks and avoid using the local ATMs, one might expect that security experts and enthusiasts would avoid using random power stations.

But some people will brave nearly any risk to power up their mobiles. In the three and a half days of this year’s DefCon, at least 360 attendees plugged their smartphones into the charging kiosk built by the same guys who run the infamous Wall of Sheep, a public shaming exercise at DefCon aimed at educating people about the dangers of sending email and other online communications over open wireless networks.

Brian Markus, president of Aires Security, said he and fellow researchers Joseph Mlodzianowski and Robert Rowley built the charging kiosk to educate attendees about the potential perils of juicing up at random power stations. Markus explains the motivation behind the experiment:

“We’d been talking about how dangerous these charging stations could be. Most smartphones are configured to just connect and dump off data,” Markus said. “Anyone who had an inclination to could put a system inside of one of these kiosks that when someone connects their phone can suck down all of the photos and data, or write malware to the device.”

To make their charging station more attractive to passersby, Markus and his pals equipped it with a variety of charging cables to fit the most popular wireless devices. When no device was connected, the LCD screen fitted into the charging station displayed a blue image with the words “Free Cell Phone Charging Kiosk.” The screen switched to a red warning sign when users plugged in any devices. The warning message read:

“You should not trust public kiosks with your smart phone. Information can be retrieved or downloaded without your consent. Luckily for you, this station has taken the ethical route and your data is safe. Enjoy the free charge!”

Markus said the comments from those who chose to juice up their phones at the kiosk were the most rewarding part of the project.

“One guy that clearly seemed stressed and in a hurry to get his phone topped off said, ‘I don’t care, take my data, I need my phone charged to make a phone call!’” Others said they planned to wipe their phones after leaving the hacker conference anyway.

“One attendee claimed his phone had USB transfer off and he would be fine.  When he plugged in, it instantly went into USB transfer mode,” Markus recalls.  “He then sheepishly said,  ‘Guess that setting doesn’t work.’”

Another DefCon attendee remarked, “This freaked my boss out so much he sent an email across the entire company stating employees are now required to bring power cables and/or extra batteries on travel, and no longer allowed to use charging kiosks for smart devices in open public areas.”

Inside the charging kiosk.

The safest route for charging your device on-the-go is to use the supplied power cord that plugs into a regular electrical outlet (assuming you can find an available outlet). Battery-powered mobile charging devices also work well in a pinch and are available at many airports. If you must use a random charging kiosk, the safest option may be to completely power off the device before plugging it in.

“One thing we discovered: On certain devices, if you power them completely off, then charge them, they don’t expose the data,” Markus said.

This past week, I was reminded of a conversation I had with an ethical hacker I met at the annual Defcon security conference in Las Vegas a couple of years back who showed me what remains the shortest, most elegant and reliable trick I’ve seen to crash the Internet Explorer 6 Web browser.

If you’re curious and have IE6 lying around, type or cut and paste the following into the address bar (that last character is a zero):

ms-its:%F0:

or just click this link with IE6.

Here’s a short video example of the crash that results from typing that text above into an IE6 window:

The “ms-its” bit is a reference to one of the helper extensions built into IE6. Alex Holden, the Wisconsin based researcher who showed me this crash, said the bug is the result of a pointer overflow in IE. The crash does not appear to work in newer versions of IE.

Holden said he notified Microsoft about his finding back in 2004. An e-mail thread Holden shared with krebsonsecurity.com indicates that Microsoft engineers believed there were no severe security consequences of this bug, and that it would probably be fixed in a future service pack. Obviously, it never was.

One way XP users might encounter this would be if the short code above or something like it were included in a link sent to a targeted user via instant message or e-mail. Indeed, one could imagine a computer worm that went around and changed the victim’s default home page to this short bit of code. The victim would be no longer be to get online….with IE6, anyway (although a registry hack could almost certainly fix the swapped home page).

There is one interesting possible use for this tiny snippet of crash-inducing code. Maybe someone you know and care about insists on using IE6 or refuses to upgrade to IE7 or IE8. Install Firefox or some other browser alternative, and then change their IE home page to “ms-its:%F0:” Chances are good they will never be able to open IE6 again.