Published on May 3rd, 2019
He Was One Of 400 Who ‘Hacked’ Govt Websites For GBBP Singapore
What do we know about hacking and hackers?
For many of us, the terms bring up images of mysterious figures clad in hoodies fervently typing lines of code at their desks.
There’s also the notion that these hackers have devious motives, or at least come from shady (no pun intended) backgrounds.
This isn’t the case for white hat hackers.
For those unacquainted with the term, they are also known as “ethical hackers”, and use their skills for the “greater good”.
While the hackers we read about in the news illegally access information and systems, white hat hackers do so with the permission of the owners, and hack only to find “security holes” that could be exploited by unethical/black hat hackers.
According to an article by GovTech, white hat hackers “perform penetration testing, test in-place security systems, and perform vulnerability assessments for companies”.
There are even courses, training, and conferences that one can take to be certified in ethical hacking!
In fact, GovTech and the Cyber Security Agency of Singapore (CSA) recently partnered with HackerOne, the world’s largest community of cybersecurity researchers and white hat hackers, and around 400 local and overseas white hat hackers on a Government Bug Bounty Programme (GBBP), a first for the Singapore Government.
Out of the 400, a quarter of them were from Singapore, and the rest came from countries like India, Chile, Finland, and the US.
The GBBP ran from December 2018 to January 2019 and saw these hackers testing five Internet-facing systems with high user touch points, namely the REACH website; the Ministry of Communications & Information’s (MCCI) Press Accreditation Card (PAC) Online; the Ministry of Foreign Affairs (MFA) website; and MFA eRegister.
During the GBBP, hackers managed to find 26 validated vulnerabilities and got a total payout of US$11,750 (S$15,996). Out of these vulnerabilities, seven were considered low severity, 18 were medium severity, and one was high severity.
Seven of the top ten awarded bounty participants were also from Singapore.
Said Chai Chin Loon, Senior Director of GovTech’s Cybersecurity Group: “We are very encouraged by the level of participation from this bug bounty programme. We hope to partner the community of cyber researchers for future editions of the programme, so as to build a secure and resilient Smart Nation together.”
There are also plans for the next edition of the GBBP to include more Government ICT systems and websites.
How An MSN Messenger Prank Sparked An Interest In Hacking
One of the participants in this year’s edition of the GBBP was George Chen (also known by his moniker “Oli”), whose first brush with hacking came when a friend sent him an executable file packaged as a game on MSN Messenger.
“I only found out a couple of years later that it sent my credentials over to him when I ran the file,” he mentioned in an interview with us.
The incident didn’t scare him away, however, and he later even found it “fun to trick [friends] via [keystroke loggers]!”.
“However, I started paying more attention to hacking when I discovered that my website was infected with a backdoor trojan.”
“In trying to de-obfuscate the attacker’s code, I started reading up online and that further spurred my interest in cybersecurity.”
“I eventually did my postgraduate programme in Information Security where I had assignments on basic hacking.”
On the difficulties he faced during his learning process, George shared that while he had some programming background, he was initially unfamiliar with machine instructions and networking.
“To overcome that, I did a networking certification and separately, an academic module involving buffer overflows where I could get good exposure and practice,” he said.
“Those helped tremendously.”
Signing Up “Right Away” For The GBBP
George works in a Security Incident Response team at a private company by day, handling security incidents on a daily basis.
In the evenings, however, he takes the time to learn more about offensive security “because that’s really cool to [him]”.
Prior to joining the recent GBBP, he took part in the Ministry of Defence (MINDEF)’s Bug Bounty Programme, and found it “a meaningful way to contribute”.
“So when I heard about the GBBP by GovTech and CSA, I signed up right away.”
When asked what his family thinks of his seemingly unconventional interests, he shared that his wife is supportive of him spending his free time “in such programmes to help companies and organisations uncover their cybersecurity blind spots”.
On his experience at the GBBP, George shared that it was “very well-organised, and especially challenging because the scope wasn’t too big to start with, since there were only 5 systems”.
Chances to discover bugs also lessened with each submission by other bounty hunters.
The biggest lesson for me was to not stop at any initial finding, but instead to continue to explore deeper if the bug could result in a bigger impact. By exploring deeper, I managed to uncover a bug with a high severity.
“We All Need To Have A Higher Level Of Personal Cyber Hygiene”
George also said he wishes more people knew that not all hackers or hacking activities are “dangerous [or] are intended to compromise people’s computers and accounts”.
“This is why I feel GBBP is useful in helping to raise public awareness that there are good hackers called ‘white hats’ in the community who help to keep cyberspace and computer systems safe.”
To close the interview, I asked George if he had any cybersecurity tips for the regular Singaporean:
We all need to have a higher level of personal cyber hygiene. Start off with a secure password manager. Don’t short-change yourself just because you want convenience.
We’d like to thank George for his time, and GovTech for coordinating the interview!