We chat with some serious talent from HackerOne: Co-founder and CTO Alex Rice, on his recent visit to Singapore, discusses security, software and building consumer trust, and Space Raccoon, the young winner of the second bug bounty challenge with the Ministry of Defence, Singapore (MINDEF 2.0), talks about how he got started.
Previously at Facebook, where he founded its product security team, built one of the industry’s most successful security programs, and introduced new transport layer encryption used by more than a billion users, HackerOne CTO Alex Rice needs no introduction to the Hacker community.
On his recent visit to Singapore, we asked his thoughts on the impact of ethical hackers and hacker-powered security programs on reducing risk in the financial services ecosystem and which industry sector may be ripe for a massive breach in 2020.
According to Rice, the identity authentication technology coming to banking services in 2020 still has a long way to go toward resolving the industry's authentication challenges.
“There is no light at the end of the tunnel in 2020 to solve all our authentication woes. Despite meaningful improvements, with growing adoption of technology like FIDO Security Keys and WebAuthn, we are still not seeing the level of innovation across authentication to eliminate account take-over as the predominant security risk to financial end users. We are still in need of innovation that brings about a paradigm shift in usability and accessibility of these technologies to protect the most at-risk end user. You are unlikely to see me celebrating new authentication technologies until we can finally say goodbye to the password,” says Rice.
In terms of vulnerability, Rice says every industry sector is ripe for a massive breach, largely because every industry is increasingly underpinned by software.
“Software is eating the world and software has bugs. All organizations — financial institutions, healthcare organizations, e-commerce companies, big box stores, media companies, practically anyone – are going digital and are equally at risk to these data breaches. We’re all in this together and are more alike than we realize. On the bright side, the number of hacker-powered security programs is rapidly growing all over the world. Based on HackerOne’s 2019 Hacker-Powered Security Report, Latin America saw record growth of 41% over the previous year and Asia Pacific grew 30%. The federal government sector grew an impressive 214% and financial services organizations, which are responsible for some of the most sensitive information, realized a 41% increase this year. Hackers are here to help,” says Rice.
According to Rice, consumers should not be resigned to accepting breaches as a way of digital life. After a massive public security breach, rebuilding consumer trust is paramount, and it can only be achieved with transparency around existing security practices.
“Trust is the most fickle and valuable asset any of us possess. Most organizations today struggle to earn and maintain trust, and a public security breach doesn’t help. All paths toward earning trust share one essential element: transparency. You can never earn true trust without transparency. The biggest obstacle to consumer trust is not the existence of security breaches, it is the complete absence of transparency with regard to security practices. The organizations most worthy of our trust have developed the maturity to openly discuss vulnerability and risk. The days of ‘trust us, security is our top priority’, are long gone. Don’t tell us, show us,” says Rice.
According to Rice, building consumer trust involves collaboration between public and private sector partners, often working hand-in-hand with ethical hackers. To this end, Rice argues that ethical hackers have become an invaluable player in trusted security teams.
“Security vulnerabilities are a fact of life. For this reason, technology start-ups, e-commerce conglomerates, governments around the world, and financial services giants are working with friendly hackers who have one key advantage over traditional security methods: they can think like an attacker. Hacker-powered security is any technique that utilizes collaboration with the hacker community to find unknown security vulnerabilities and reduce security risk. Popular examples include bug bounty programs and vulnerability disclosure policies. Hackers have become an invaluable extension of the most trusted security teams, on a mission to find what others may have missed or could not see,” says Rice.
One such example of a successful bounty program is the bug bounty challenge with the Ministry of Defence, Singapore (MINDEF). The three-week challenge in October 2019 saw participation from over 300 trusted hackers from around the world: 134 local Singaporean hackers and 171 international ethical hackers.
During the challenge, hackers were invited to test 11 government-owned targets, including websites and public digital systems belonging to MINDEF, the Singapore Armed Forces (SAF) and other agencies in the defence sector. Over the course of the program, 20 valid vulnerabilities were discovered resulting in a total bounty payout of USD 16,000.
Overall, the vulnerabilities found during this challenge were more impactful compared to previous challenges, even if they were fewer in number, which allowed the government agency to better secure its web assets to protect its citizens.
According to reports, none of this would have been possible without the help of a talented Singaporean hacker, Eugene Lim, a 24-year-old who is also known as @spaceraccoon.
Of the 305 white hat hackers that participated, @spaceraccoon discovered the highest volume of vulnerabilities and walked away with the biggest bug bounty payout. In addition to uncovering eight unique vulnerabilities and earning the single highest bounty, Lim was presented with the ‘Top Bug Hunter’ and the ‘First Reported Bug’ awards.
What is remarkable is that Lim is completely self-taught and only started hacking less than a year ago.
We asked Lim whether it was difficult to locate vulnerabilities across systems.
According to Lim, he spends about ten hours per week honing his hacking skills. Given his extraordinary success, we were surprised to learn he only had two weeks to prepare for the bug bounty program.
“I am a weekend hunter. I wanted to learn more about cybersecurity and get some practical experience on live targets. Since I started, I’ve realised just how much more I need to learn. From mobile to native app exploitation, every time I pick up something new, I find out there’s something greater out there that I need to learn. I am fairly new to ethical hacking and just started this year. I was really excited by the opportunity to test government systems and help contribute to my country’s cybersecurity defence. However, I only had two weeks to prepare and I didn’t know anything about hacking, even though I had a computer science and web development background. That experience motivated me to get better at hacking and learn even more. I read HackerOne’s e-book about web hacking and I joined Hacker101’s Mini-Capture the Flag (CTF) exercises and Discord, which is where I found a community that helped me learn and grow as an ethical hacker,” says Lim.
For other aspiring hackers, Lim's advice is to join a hacking community and never give up.
“Join a community! There are tons of great online communities like the Hacker101 Discord, live streams, and so on, where you get to compare notes and encourage one another on your learning journey. Next, keep persevering! Bug hunting can be frustrating, especially when you don’t find a bug for months, but keep in mind that there is a learning curve, and the more time you put into it, the easier it gets in the long run. As long as you are willing to learn and keep growing, you are on the right track,” says Lim.