The cybersecurity industry at large is facing a massive skills shortage. Coupled with a growing attack surface and economically incentivized adversaries, this skills gap has made it more difficult than ever for organizations to shore up their defenses.

Security experts are in high demand, meaning they can command higher paychecks. It also means they have more opportunities and choices when it comes to how, when, and where they work. But how do we best build up the next generation of cybersecurity good guys and teach the skills necessary to defend our connected world?

A recent report found that 43 percent of white-hat hackers learned how to hack via online resources -- and 41 percent are self-taught. As such, it’s important to engage with hackers and up-and-coming professionals in the way they prefer to learn. After all, these hackers will go on to use these skills to hack organizations ethically, finding their weak spots before the bad guys do.

To give back to the community of hackers, we at Bugcrowd hosted our semi-annual LevelUp event -- a free, online hacker conference that we stream live on Twitch and YouTube. The virtual conference features presentations from some of the industry’s finest hackers, educators, and experts, all with the goal of leveling up the skills of today’s cybersecurity professionals.

Despite the numerous sessions and perspectives shared, one overarching theme carried throughout the conference: Everything is hackable, but we, as an industry, can protect it.

Let’s dive into some of the key conversations that came about throughout the day.
Security Industry Insights & Protecting Your Rights

It is no surprise that the current-day attack surface -- meaning what’s out there for folks to hack -- is exploding with the advent of IoT devices, advancements in technology, our aging infrastructure, and smart cars that soon will be driving everywhere. Remember: Everything is hackable and software is vulnerable.

Crowdsourced security can help here, by finding vulnerabilities and patching them before the bad guys exploit them. But before setting out on their hacking journey, it is important for organizations to understand current hacking laws.

As they stand now, ethical hacking laws are murky at best. Some vendors have dedicated bug bounty programs which give hackers an avenue to report security vulnerabilities directly, but some of those vendors become disgruntled when they’ve been ethically hacked, turning on the white-hat who was trying to help them be more secure. As a result, white-hat hackers and security researchers are hesitant to report vulnerabilities and weaknesses to affected companies for fear of facing legal retribution.

Vague hacking laws, or the lack of laws in general, have led to numerous white-hat hackers facing jail time. Just recently, an ethical hacker who discovered a security vulnerability at Magyar Telekom is being investigated by the Hungarian Prosecution Service. The company filed complaints against the ethical hacker, who now faces up to eight years in prison. This is just one of the many pending cases against ethical hackers.

Nate Cardozo of the EFF provides some good tips for hackers looking to navigate vulnerability disclosure and research in his presentation, “The Law and You.”

Disclose.io is the silver lining. This “safe harbor” framework was developed to assist white-hat hackers and companies running bug bounty and vulnerability disclosure programs with legal guidelines intended to remove the threat of criminal or civil prosecution of cybersecurity researchers.

Safe harbor language is the first step towards normalizing the crowdsourced approach to identifying and patching vulnerabilities. We encourage every organization running a bug bounty or disclosure program to first consider the need for safe harbor language for the good-faith hacker community and point your legal team to Disclose.io.

As mentioned during LevelUp 0x03, the DoD has found quite a bit of success in interacting with the researcher community through crowdsourced security and, as a result, is expanding those efforts using safe harbor language.

Web and IoT Hacking + Advanced Techniques

Successful white-hat hackers are always learning new techniques and methodologies to continue to refine their skillset. Back to the expanding attack surface: there are constantly new vectors to pen-test, especially in IoT.

In the news and on hacker forums, we often see these new hacking techniques bubble up. Luckily for novice white-hats, other white-hats typically love to share new attack methods and tools on hacking forums, at security conferences, and on video streaming services.

During the last LevelUp, PortSwigger’s James ‘albinowax’ Kettle shared his new Burp Suite extension ‘Turbo Intruder’ at a virtual security conference. As James describes it on the PortSwigger blog, “Turbo Intruder is a Burp Suite extension for sending large numbers of HTTP requests and analyzing the results. It's intended to complement Burp Intruder by handling attacks that require exceptional speed, duration, or complexity.”

In the IoT world, there are numerous opportunities ahead in the transportation industry with the advent of smart cars. If you’re a researcher looking to pick up new skills here, you’ll likely want to clear your calendar and be prepared to spend a solid couple of hours pen-testing -- but with companies like Tesla and Fiat Chrysler Automobiles, there will be a sweet reward if you uncover a vulnerability.

In the ethical hacking world, you are never alone. There are security companies that provide resources to hack confidently, and there is a community of white-hat hackers to support and help educate each other. In today’s world, the amount of software and websites to pen test is increasing astronomically.

Everything is hackable. Through collective creativity, continued education and collaboration, the Crowd continues to stay one step ahead of the adversaries.

Jason Haddix, VP of Researcher Growth, Bugcrowd