Education

What The Hack: This S'porean Was One Of 400 Who 'Hacked' Govt Websites For Bounty

What do we know about hacking and hackers?

For many of us, the terms bring up images of mysterious figures clad in hoodies fervently typing lines of code at their desks.

There’s also the notion that these hackers have devious motives – or at least, come from shady (no pun intended) backgrounds.

Gif Credit: Giphy

This isn’t the case for white hat hackers.

For those unacquainted with the term, they are also known as ‘ethical hackers’, and use their skills for the ‘greater good’.

While the hackers we read about in the news illegally access information and systems, white hat hackers do so with the permission of the owners, and hack only to find ‘security holes’ that could be exploited by unethical/black hat hackers.

According to an article by GovTech, white hat hackers “perform penetration testing, test in-place security systems, and perform vulnerability assessments for companies”.

There are even courses, training, and conferences that one can take to be certified in ethical hacking!

In fact, GovTech and the Cyber Security Agency (CSA) of Singapore recently partnered HackerOne, the world’s largest community of cybersecurity researchers and white hat hackers, and around 400 local and overseas white hat hackers on a Government Bug Bounty Programme (GBBP) – a first for the Singapore Government.

Out of the 400, a quarter of them were from Singapore, and the rest came from countries like India, Chile, Finland, and the US.

The GBBP happened from December 2018 to January 2019 and saw these hackers testing five Internet facing systems with high-user touch points – namely, the REACH website; Ministry of Communications & Information’s (MCCI) Press Accreditation Card (PAC) Online; Ministry of Foreign Affairs (MFA) website; and MFA eRegister.

During the GBBP, hackers managed to find 26 validated vulnerabilities and got a total payout of US$11,750 (S$15,996). Out of these vulnerabilities, seven were considered low severity, 18 were medium severity, and one was high severity.

7 out of the top ten awarded bounty participants were also from Singapore.

Samuel Eng, a 29-year-old security consultant at ST Engineering (Info-Security) and the top white hat hacker from Singapore at this year’s GBBP

Said Chai Chin Loon, Senior Director of GovTech’s Cybersecurity Group: “We are very encouraged by the level of participation from this bug bounty programme. We hope to partner the community of cyber researchers for future editions of the programme, so as to build a secure and resilient Smart Nation together.”

There are even plans for the next edition of the GBBP to include more Government ICT systems and websites.

How A MSN Messenger Prank Sparked An Interest In Hacking

One of the participants of this year’s edition of GBBP was George Chen (also known by his moniker ‘Oli’), whose first brush with hacking came when a friend sent him an executable file that was packaged as a game on MSN Messenger.

“I only found out a couple of years later that it sent my credentials over to him when I ran the file,” he mentioned in an interview with us.

George Chen aka ‘Oli’

The incident didn’t scare him away, however, and he later even found it “fun to trick [friends] via [keystroke loggers]!”.

“However, I started paying more attention to hacking when I discovered that my website was infected with a backdoor trojan.”

In trying to de-obfuscate the attacker’s code, I started reading up online and that further spurred my interest in cybersecurity.

“I eventually did my postgraduate programme in Information Security where I had assignments on basic hacking.”

On the difficulties he faced during his learning process, George shared that while he had some programming background, he was initially unfamiliar with machine instructions and networking.

“To overcome that, I did a networking certification and separately, an academic module involving buffer overflows where I could get good exposure and practice,” he said.

“Those helped tremendously.”

Signing Up “Right Away” For The GBBP

George works in a Security Incident Response team in a private company by day, running security incidents on a daily basis.

In the evenings, however, he takes the time to learn more about offensive security “because that’s really cool to [him]”.

Prior to joining the recent GBBP, he was a participant in the Ministry of Defence (MINDEF)’s Bug Bounty Programme, and found it “a meaningful way to contribute”.

“So when I heard about the GBBP by GovTech and CSA, I signed up right away.”

When asked about what his family thinks about his seemingly unconventional interests, he shared that his wife is actually supportive that he spends his free time “in such programmes to help companies and organisations uncover their cybersecurity blind spots”.

Image Credit: BusinessCircleKL

On his experience at GBBP, George shared that it was “very well-organised, and especially challenging because the scope wasn’t too big to start with, since there were only 5 systems”.

Chances to discover bugs also lessened with each submission by other bounty hunters.

The biggest lesson for me was to not stop at any initial finding, but instead to continue to explore deeper if the bug could result in a bigger impact. By exploring deeper, I managed to uncover a bug with a high severity.

“We All Need To Have A Higher Level Of Personal Cyber Hygiene”

George also expressed that he wishes that more would know that not all hackers or hacking activities are “dangerous [or] are intended to compromise people’s computers and accounts”.

“This is why I feel GBBP is useful in helping to raise public awareness that there are good hackers called ‘white hats’ in the community who help to keep cyberspace and computer systems safe.”

Ending off the interview, I asked George if he had any cybersecurity tips for the regular Singaporean:

We all need to have a higher level of personal cyber hygiene – start off with a secure password manager. Don’t short-change yourself just because you want convenience.

We’d like to thank George for this time, and GovTech for coordinating the interview!

 

Subscribe to Vulcan Post Newsletter

Stay updated with our weekly curated news and updates.