Interviews

Hobby hackers: white hats help web security

by Mark Rowe

The BBC reported recently that a five year old had been added to Microsoft’s Hall of Fame for security researchers who find and privately report security vulnerabilities. Andrew Mason, co-founder and technical director of security vendor and pen testing company, RandomStorm (www.randomstorm.com), considers the contributions made to everyone’s online safety by people who are passionate about security testing. He believes information security has to be a passion not a nine to five.

A five year old boy became the youngest person to be named in Microsoft’s Hall of Fame after he found a way round the password security settings on his father’s XBox Live service. After his father notified Microsoft of the vulnerability, Kristoffer Wilhelm Von Hassel, was named on the March 2014 Microsoft Security Response Centre list of security researchers. These individuals help to make online services safer, by privately reporting security vulnerabilities, enabling web site owners and cloud service providers to improve site security.

Crowdsourcing security

The success of our most popular web services hinge on the public’s trust in them. This is why Microsoft is among a growing number of cloud service providers running bug bounty schemes to reward individual researchers and ethical hackers for privately disclosing vulnerabilities that could compromise users’ security. Bounty schemes help web companies to keep up with the latest cyber threats and remediate issues before they can be exploited by hackers.

Catching the bug

A number of our employees are involved in both voluntary disclosure and bug bounty programmes, as well as taking part in the Cyber Security Challenge, Google’s Pwn to Own and Capture the Flag events. RandomStorm researcher, Avram Marius Gabriel, has gained the top spot on PayPal’s Wall of Fame as well as being recognised for responsibly disclosing security bugs in the websites of Facebook, Google, Evernote, eBay Inc., and Twitter. All of these discoveries have been made outside of working hours. So what drives these researchers to spend every waking hour looking for bugs?

Playing by the rules

The law governing penetration tests is different in different countries. In the UK ethical hacking comes under the Computer Misuse Act (1990). Before any testing can be carried out, the pen tester must have written permission from the target organisation and any third parties that may be involved or impacted by the tests. A detailed scope of work has to be agreed. Testers need to be careful not to alter any files; block access; or cause a denial of service. Breaches of any of these guidelines could result in jail terms of between two and ten years.

Common bugs

The Open Web Application Security Project (OWASP) has acknowledged that XSS is the most common security flaw found in websites today. It is important to remove XSS vulnerabilities from websites, because they can be maliciously exploited to steal cookies, hijack user accounts, execute ActiveX and Flash content, or to redirect visitors to scam websites that launch phishing attacks.

Wherever I lay my hack

Web application testers initially look for the more common vulnerabilities such as XSS or SQL injection, just as a black hat hacker would. SQL injection is particularly dangerous because it can be used to compromise web servers, extract data and launch attacks on network hosts that are connected to them.

Once they have searched for the obvious flaws, testers look for more obscure bugs in web developers’ coding. Unusual hacks are more rewarding to discover, because of the sheer intellectual thrill of finding and running a proof of concept on a vulnerability that no-one else has spotted. It is this that keeps independent researchers fired up and searching for bugs well into the small hours and helps to make popular web services safer for users.

Passing the baton

In my view, as well as their willingness to play with technology, the key attribute that marks out white hats is their willingness to share what they’ve learned, so that websites and online payment transaction systems become safer for us all to use.

We share our learning with the community on Twitter, through OWASP events and via open source apps added to Linux Kali . For example, Ryan Dewhurst developed The Damned Vulnerable Web App (DVWA ), to help ethical hackers to hone their skills in a legal environment.

DVWA is a free PHP/MySQL web application that teaches how to test for XSS; SQL injection; brute force attacks; upload exploit vulnerabilities or file inclusion within web apps, without flouting the Computer Misuse Act. It can be used in a classroom environment as part of a cyber security course, but should never be uploaded to a live web server, as it will be hacked. DVWA is now being used by bluechip companies to train their web app developers about common programming mistakes that allow malicious code to be inserted into strings, making the application unsafe for users.

This willingness to pass on skills to develop the next generation of white hats is a core part of our company culture. One of our apprentice PCI security engineers, Scott Glossop, has been mentored by five members of our web testing and PCI DSS team. He has also increased his knowledge of web app testing through hacklabs, and reading other security researchers’ blogs in his spare time. Scott has already been publicly acknowledged in the Halls of Fame of Microsoft , PayPal , Rackspace , eBay ; Google ; Yahoo , Viadeo.com and CircleCI and won a $100 bug bounty. He tells me that he views web app testing and programming as a hobby as well as an exciting day job.

Conclusion

Information security has to be a passion, not a nine to five. The very best ethical hackers spend most of their waking hours reading up on the latest testing techniques and discovering exploits. The independent research undertaken by web security specialists also helps to keep their professional skills sharp, enabling them to perform more in-depth pen tests on behalf of clients.

Raspberry Pi founder, Eben Upton, has stated that he wants to use his Linux microcomputer to encourage iterative learning and coding. This is an important skill to foster in youngsters, as ethical hacking is all about discovering vulnerabilities through trial and error, so that they can be fixed. However, it is easier to code than it is to code securely. There are currently a great many more web application developers than there are security experts. As a result, even the largest companies rely on voluntary disclosure programmes and bug bounty schemes to identify and close vulnerabilities in their web-facing applications.

Through a combination of the work of organisations such as OWASP ; improved education of the developer community; voluntary security research and disclosure programmes and greater public awareness of hackers’ tactics, leading to safer user behaviour, we hope to see a gradual improvement in web security.

Related News

Newsletter

Subscribe to our weekly newsletter to stay on top of security news and events.

© 2024 Professional Security Magazine. All rights reserved.

Website by MSEC Marketing