Hacking of a security system is a criminal offence. The activity only exists because vulnerabilities still exist in computer systems. It is virtually impossible to create a 100% secure or bug free technology. Zero day exploits are a constant problem. A newly released system may have been tested to extremes but criminal or state sponsored hackers will look to exploit gaps in this testing. By rewarding reporting of security issues system owners can swiftly fix issues with security patches. There is also a lesson to system users to update promptly to minimise the chance of data loss.
‘Bug Bounty’ organisations pay hackers to detect and report vulnerabilities in computer systems. Big players include HackerOne, Bugcrowd and Synack. The hackers themselves are motivated by the bounties paid by the owners of compromised systems for the confidential disclosure of the hacker’s findings.
An example payment through HackerOne was $1,500 for an SQL injection vulnerability report; a relatively well known problem with websites relying on poorly secured or outdated databases. Reported vulnerabilities will not always pay a bounty; where this is the case it will only be to the first reporters. Working to secure income from ethical hacking is a competitive field. Thankfully there are so many systems and users that there are plenty of opportunities available.
This model differs from the penetration test service offered by companies like Kindus in that the owner of the system has not specifically asked for an investigation of its security.
The ‘Bug Bounty’ payers only publish full details of disclosed vulnerabilities. Other bugs may have been discovered and reported but kept hidden by the system owners; the vulnerabilities may or may not have been fixed. We do however have access to summary data that provides details of the vulnerabilities found and trends in activity from within their community of hackers
In February 2021 HackerOne have published their 2020/21 Hacker report.
The HackerOne report concentrates on relative changes in activity between 2019 and 2020.
Technologies hackers are working on:
Websites; 96% (71% increase in hacker activities since 18/19)
APIs: 50% (694% increase)
Android: 29% (663% increase)
IoT: 11% (1000% increase)
The emphasis on websites is not surprising. They are by nature designed to share information but the data behind them may not be appropriately secured. Application Programming Interfaces (APIs) allow relatively easy (for a programmer anyway) transfer of commands or data from 1 code solution to another. These could be web based, hosted on a mobile device, desktop or server. Android concerns the applications running on Android more than the operating system itself. The Android market is less well regulated than the IOS equivalent. Android allows more interaction between applications and the host system than Apple which may lead to security loopholes. Internet of Things (IoT) is the major growth area for hackers in 19/20. IoT devices have relatively low computing power making them innately less secure than other computer systems.
The top 5 vulnerabilities
1 Cross Site Scripting (23% growth)
2 Information Disclosure (65% growth)
3 Improper Access Control (53% growth)
4 Improper Authentication (44% growth)
5 Privilege Escalation (54% growth)
At position 1 Cross Site Scripting (XSS) is an attack methodology targetting websites enabling the hacker to exploit data from a dynamic website. It is one of the means that item 5 (Privilege Escalation) can be implemented; hack the site, get admin access, do bad things. Note that the vulnerabilities in positions 2, 3 and 4 all rely on human error, all very hard to enforce within computerised systems. Information Disclosure would be the result of various social engineering efforts. Improper Access Control and Improper Authentication are a result of the system admin not setting appropriate checks and controls on its use.
Kindus Penetration Tests service provides confidential reporting on social and system vulnerabilities within your computer network and applications.