There is an aura of mystery when it comes to hackers. We live in a digital society and most everything we do, we do online. There are people who can bend the system to their will, and that is a scary thought. Today we meet with one of the hackers from HackerOne, Ben Sadeghipour and beg him to give us a hacking 101 course!
Hacking 101: This Is The Way
BC: First off, thanks for taking the time and meeting with me today. Can you tell me a little bit about yourself?
BS: Hi! My name is Ben Sadeghipour, but I am better known as @nahamSec. I am a hacker, or security researcher, and I also work fulltime for HackerOne. I have reported on over 500 valid security vulnerabilities to companies like General Motors, Rockstar Games, Snapchat, Airbnb and the U.S. Department of Defense. I am also a founder of the Bug Bounty Forum, a community of bug bounty hackers.
BC: Bug bounties? So, you guys are like the Boba Fetts that companies hire to fight against other hackers or use to find flaws in their systems? That’s pretty badass!
BS: Some companies do offer money in return for reporting security vulnerabilities or “bugs.” Bug Bounty Forum is a community of ethical hackers that help companies improve their security by reporting bugs and are then rewarded in turn for their work. Companies don’t necessarily hire us, but they offer incentives to hackers to look for flaws in their systems.
Laying the Groundwork
BC: How did you first get into hacking?
BS: I first started hacking when I was pretty young. My older brother had a computer, and I liked to play games on it. One day he locked me out. I quickly learned to hack to get back into my games. From then on, I taught myself to hack games, and then I went on to hack websites and webapps, among other things, with bug bounty programs. I also studied computer science in school, which helped me to understand the process of developing applications.
BC: That’s crazy. So, did you have some natural ability to see flaws in the system or was it something you researched to get back into your computer?
BS: I have always loved breaking things (literally) so that came to me naturally, I suppose, but it was mostly out of curiosity and hearing about people getting hacked. I wanted to learn more and I started using my brother as a target. Then, I eventually learned that you can also hack websites, so I started looking for web applications that were available to download for free, and I would install them on my machine to try to find vulnerabilities.
The Organization
BC: Tell me about HackerOne.
BS: The HackerOne platform is a place for companies to host their bug bounty or vulnerability disclosure programs and safely receive vulnerability reports directly from ethical hackers. With over 100,000 registered hackers, HackerOne has the largest global hacker community in the world. HackerOne also allows researchers to disclose their findings based on an agreement. This allows hackers to share ideas and learn from one another.
BC: That is awesome. So, you guys have hackers working for you from all over the world?
BS: Exactly! The community is made up of people from all over the world (over 100 countries), with varying backgrounds and skills.
Bug Bounties
BC: Explain to me the concept of “white and black hat hackers” and their general philosophy.
BS: This all goes back to intent. Bug bounty hackers or ethical hackers might also be called white hats. These hackers work with companies to help them improve their security. They look for issues and report them directly to the company so they can be safely resolved. White hat hackers on HackerOne have earned more than $23 million for making the internet more secure. Black hats, on the other hand, are usually what someone thinks of when they hear about criminal hackers. Hackers are not, by definition, criminals. But criminals can be hackers.
BC: I guess with great power comes great responsibility. I suppose ethical hackers are not in the limelight as much as black hat hackers are. It’s as if you guys are more like the silent protectors of these massive companies. I guess it’s unfortunate that whenever most people think of the word “hacker,” they automatically think of criminal hackers.
BS: I think that the “criminal hacker” generalization is starting to become a less common stereotype of hackers. At the end of the day, it becomes a choice hackers make. They can do the same exact thing legally without causing themselves any trouble and make a few extra bucks, instead of always look over their shoulders. There are far more white hat hackers in the world than black hats.
Set-up and Security
BC: Run me though what people should do when first setting up their computers, internet or phones so that they are less likely to be hacked.
BS: If you buy a device that comes with a default password like “password” or “admin,” please do us all a favor and change it. Keep things updated; companies don’t just send out updates for their products for fun, there is a reason they are there. Also, don’t believe every screen and phone call you receive that tells you that you have a virus or you have been “compromised.” There are also a lot of connected devices out there that don’t need all the functionality they come with. If you don’t think you’re going to use an internet-enabled feature, go to the settings and turn it off. This can lessen your vulnerability.
The Sixth Sense
BC: OK. Basically, hackers have a better understanding of how digital things are created and work. For example, instead of seeing a website they will see the series of programs that were used to create the website. This allows them to find flaws in systems and exploit those flaws. Is this skill something that can be taught, or does it require some sort of crazy sixth sense?
BS: Hacking is absolutely a skill that can be taught. But all the best hackers have a few things in common. They are curious, creative, understand how software works and are dedicated to looking for ways to use technology that were not intended by its creators. Hacking is taught at universities, at conferences and hackers learn from their peers and colleagues. Like anything, you need to work at it. HackerOne recently published the “2018 Hacker Report” based on a survey of nearly 2,000 hackers. In the report, 58 percent of hackers reported that they are self-taught, and 67 percent learned tips and tricks through online resources, such as blogs and e-books or through their online communities.
The Mystery Revealed
BC: There is such a mystery about hackers. It is often thought that all hackers are naturally gifted and can sit down on a computer and understand what they are doing automatically — on a level beyond what a normal person could — like someone understanding another language instantly. It’s pretty cool to know that a lot of hackers actually studied to become good at what they do.
BS: Honestly, I think a lot of hackers are just really nosy. We want to know how things work and even more so, how can we break them. To help with this, HackerOne has launched “Hacker101”; it’s free curriculum for learning either how to start hacking or how to get better at it. That type of study is important, since hackers need to be able to understand the basics of whatever they are hacking. For example, if you wanted to hack web applications, you would need to understand how they work. Often, hackers will start with an approach called “reconnaissance” or “recon.” This is the process a hacker uses to gather information about the application or the company that created it to understand the technology they want to find vulnerabilities in.
Corporate Takeover
BC: There have been instances where hackers have gained access to super-powerful corporations and government agencies. How is that even possible? It seems that we live in a mobile world. We deposit checks, swipe to pay for stuff and take photos of our children with our phones, and yet there have been instances where celebrity phones get hacked and clouds get their information stolen. How does that happen, given the resources corporations and governments have to prevent it?
BS: We have yet to create perfectly secure code. So today, all technology has vulnerabilities. This is not new, but with everything going online, the risks are just higher and we hear about breaches more often. At the end of the day, we are all human and humans tend to make mistakes — a lot of them. This is why thousands of companies work with hackers to help find vulnerabilities before they are exploited by criminals. Security is a complex problem, and the more people you have on your side, the better. HackerOne customers alone have had over 60,000 security vulnerabilities — or systems flaws — resolved and have awarded hackers more than $24 million in bounties.
Household Hacks
BC: Recently, there have been instances of hackers gaining control of electric cars. What other upcoming technology could be at risk of being hacked?
BS: You name it, it can be hacked. It is not an “if,” but a “when.” That said, this is not as scary as it sounds. The companies you want to trust think about security from the very beginning and build security into their products and systems. They also know that security is never done and are always updating their products to make them more secure against the latest threats. It’s the companies that act as if they are unhackable that are the ones you want to be worried about. There has been some impressive hacking, or security research, done lately on smart home devices, and we will continue to see more of this as companies launch new products that make our lives easier.
BC: Smart home devices such as Amazon Alexa, Google Home and Wi-Fi-enabled security systems are definitely becoming quite popular. What kinds of things are hackers doing with these devices?
BS: Hackers are already finding vulnerabilities in these devices, and Google and Amazon are prime examples of companies that are working with the hacker community to resolve them. I haven’t personally found a vulnerability in an Amazon Echo, Google Home or smart-home security system that I can talk about, but I’ll let you know when I can!
Protection
BC: How can we better protect ourselves? Is there an easy plug and play gadget you would recommend?
BS: I recommend a password manager like LastPass or One Password. Strong, unique passwords can do a lot to keep you safe online. And don’t ever use the same password in more than one location. Ever. Don’t do it. Also, update all your technology when new versions are available. This means your iPhone, your internet browser, Microsoft Outlook, your apps, anything that prompts you to update — do it. This is because many times, these updates include fixes for known security issues. If you don’t update your software, you won’t be protected. Additionally, if you are super paranoid like me and want to have an extra level of protection, enable 2FA (two-factor authentication) so that each time you login to your account from a new device that isn’t recognized, it’ll send you a confirmation text or use a third-party app to verify it.
BC: What about in foreign countries? I know that in many countries the phone lines are all tapped. Are there countries or cities that are notorious for cybercrime? How would you suggest we protect ourselves while traveling?
BS: While traveling there are three rules I follow:
- Use a VPN (virtual private network) that encrypts your data while you are browsing the internet.
- Turn off your Wi-Fi and make your phone “ask to join networks,” so it doesn’t randomly connect to “previously known” Wi-Fi networks.
- Do not connect to random Wi-Fi networks just because they’re there and are free.
What’s in it for me?
BC: Awesome advice! If someone has some hacking ability, how would you suggest that person start a career in this field? Also, how’s the pay?
BS: Well, now I have to plug HackerOne. If you want to start hacking, try your hand at the over 1,000 programs on HackerOne. Hackers are earning six figures hacking full time or doing bug bounty programs. Another cool way to learn to hack is to check out HackerOne’s “Hacktivity” (hackerone.com/hacktivity). This is where thousands of real security vulnerabilities are shared online. The top reports are upvoted by the community. Like any other line of work, it takes a few months to learn the ropes and to get started, but look at it as an investment. You are investing your time in return for hacking on some of the biggest and best companies in the world — and getting paid for it in return.
BC: Sounds like a sweet gig! And I suppose you could work from anywhere in the world where there is an internet connection. Sign me up!
BS: Yeah, that’s what makes it so great! There have been times my wife and I were traveling and I found some time to hack, so I pulled out my laptop and went online to find vulnerabilities. I didn’t need anything other than some coffee (or beer), a decent Wi-Fi connection and some good music!
User Input
BC: To wrap up, how do I get ATMs to spit out a bunch of money for me like in “Terminator 2.” Just joking! Many of us who are in their 30s and 40s remember those days where you could make free payphone calls with the Captain Crunch whistles or from recording the sound the pay phone makes when inserting quarters. What cool, “legal” hacking tips and tricks could you share with us today?
BS: If you ever get stuck looking for the password to a computer, look for a post-it note. It’s usually attached to the bottom of the screen!
BC: Thanks Ben! Hack the Planet!! (I’m not even remotely sorry for the cheesy 90s “Hackers” movie reference.)
BS: Ha-ha — I love it!
