“Vulnerability hunters tend to be cut from a different cloth. They are naturally inquisitive”
So you want to be a hacker? Davey Winder shares some advice, before explaining why businesses need to stay up to date with zero-day exploits
When you’ve been around the information security business for as long as I have, more than 30 years now, it’s not surprising to get a lot of emails from desperate people looking for help. Sadly, I can’t respond to most of them, or I wouldn’t have time to do my job.
Some don’t deserve my guilt for not replying. I’m talking about the people who seem to think I will either hand out step-by-step instructions for accessing someone else’s email or social media account, or do the job for them. The reasoning behind these requests is often transparently bogus: “I’ve been locked out of my account and Twitter support won’t help me; my partner is critically ill/recently deceased and I need access to their email for
Wannabe hackers are the bane of my working life. Unless they want to become a hacker – an ethical hacker or vulnerability hunter, that is. Odd, then, that I receive very few of these genuine requests for guidance. The ones I do will be pointed in the direction of resources that can help them to help themselves. Teaching yourself to hack may seem a bit of a stretch, but it’s surprisingly common.
I am self-taught, not least as there were no accessible educational routes into the game when I started out. The latest annual report from Bugcrowd (bugcrowd.com), a crowdsourced bug bounty and vulnerability disclosure platform, revealed that a staggering 79% of the hackers using the service were self-taught.
These days there are more educational pathways to becoming an information security professional than you can shake a stick at. If you did shake that stick I daresay a ream of certifications would fall out of the learning tree as well. But vulnerability hunters, the kind of hackers who love tracking down security problems, tend to be cut from a different cloth. They are naturally inquisitive, and the successful ones have an ability to approach problems from left field.
With this in mind, it’s no surprise to me that the Bugcrowd report found one in five of their hackers identified as neurodivergent. Obviously, a coding background – be that as a “hobbyist” programmer or someone who’s been through the system and come out with some qualifications – is a bonus for anyone beginning on the hacker journey. But, assuming you’re at least code-literate to some degree, where do you start? This is something I gave a fair bit of thought to recently and, with the help of hacker friends, infosecurity professionals and PC Pro readers, I’ve come up with a “learning to hack” resource list.
Before I get onto the list, it bears mentioning that “hacking” is a broad church with multifarious specialisms. It is possible to decide in advance that you want to find vulnerabilities in apps, devices, web-based services, cars and so on. However, a grounding in the basics, knowing the essentials of hacking methodology, should be a given across all of these. Start to learn first, specialise later.
Bug bounty and vulnerability hunting platforms are often a good place to start. The Bugcrowd University (pcpro.link/329bitbug) is one highly recommended resource. It’s free to use, open source, and has multiple content modules with slides, videos and labs, covering everything from introductions and tooling to recon and discovery. But it goes further in that it extends to other online resources on bug-hunting methodology, data-driven web hacking, social engineering and so on.
Doing is better than reading, at least for me. It’s how I started my journey decades ago, although largely driven by a lack of reading material (with the exception of the excellent Hacker’s Handbook series).
Anyway, with a practical learning experience in mind, it’s hard to ignore the gamified learning resource that is Try Hack Me (tryhackme.com) or the browser-based and highly interactive Hack The Box Academy (academy.hackthebox.com), both of which cater for varying skill levels.
Talking of practicalities, the right tooling is one of the most important parts of your hacking armoury, and Burp Suite is right up there. The PortSwigger Web Security Academy (portswigger.net/web-security) is free and from the people who created Burp Suite. It features interactive labs, with the author of The Web Application Hacker’s Handbook leading the team of experts here.
A number of my hacking friends, including some who have successful careers in the bug bounty world, recommend scouring the web, conference presentations and Twitter (#infosecurity) for walkthroughs and explanations of proof of concept (PoC) exploits. These can be an informative way of understanding how the theoretical stuff works in practice once you’re far enough along the learning curve.
For example, bug bounty platform HackerOne has a community feed called Hacktivity (hackerone.com/hacktivity) that showcases the latest hacking activity and enables users to search through the various reports for the ones they’re interested in. There’s even a Hacktivity Con, now in its second year, where hackers of all skill levels can learn from each other.
This is far from an exhaustive collection of hacking resources for the beginner, but it should provide food for thought, as well as, somewhere among these options, a place to start that suits your personality.
There are some “do nots” to be aware of, and they are important, so take heed. Don’t go using any of the readily available search tools that find open hosts and give you immediate root access and so on. You can practise using Kali (an advanced penetration testing Linux distribution) or whatever on your own stuff, but be absolutely sure that it’s only your own stuff and that you don’t stray into opaque territory when it comes to networks used and so on. Hacking any “live” target is a no-no, a big legal no-no, that could see you landing in very hot water indeed.
You’ll find there are plenty of targets to practise on and stay within the law if you use those practical learning tools. My personal recommendation is to stick to those resources if you want to be 101% sure you’re on the right side of the law.
Ransomware groups enter the zero-day exploit market
Last month I mentioned how a legitimate exploit acquisition platform had tweeted it was looking for Windows VPN zero-days. Specifically, remote code execution with information disclosure and IP leaking against ExpressVPN, NordVPN and Surfshark. The worth of these exploits wasn’t made clear at the time, but would likely be substantial given a customer base including both European and US “government institutions”. If you thought that was a potential cause for concern, and you’d be right, then wait until you get a load of this.
New research across the dark web forums inhabited by the most organised and seemingly well-resourced of cybercriminal groups has revealed a shocking change in the exploit market dynamic. The Digital Shadows report found that what you might call the top end of the market in zero-days and no-click exploits has opened up from being the hunting ground of state-sponsored actors alone. Putting the blame firmly on the success of ransomware over the past couple of years, these organised criminal groups now have real money and are looking to spend it on the exploits that can do the most harm.
Earlier in the year I’d seen chatter revolving around payments upwards of £300,000 to initial access brokers for credentials, and more, that enable ransomware gangs to get onto a network. That was worrying enough, but now it seems those dodgy pockets have got a lot deeper. Digital Shadows observed one criminal offering a staggering $3 million for a “working” Windows 10 no-click remote code execution zero-day, for example.
That’s not even the highest figure. Cybercriminals have been talking about paying as much as $10 million for the right zero-day vulnerability exploits. Of course, this is all chatter right now and there’s no evidence I’ve seen that cryptocurrency has exchanged hands at the time of writing. It will happen, though, and when criminal organisations get their hands on the same type of exploits that are employed by three-letter agencies in cyber-operations, it’s hard not to feel just a tad worried.
My worries don’t stop there, either. The Digital Shadows researchers also discovered talk among the criminal fraternity regarding “zero-days as a service”. In the same way that other cybercrime resources are rented out already – think malware and DDoS – now it looks like schemes are afoot from zero-day developers to lease these exploits while waiting for the sale negotiations to complete.
This idea is being touted in a number of ways, from being a testing ground for the exploits in question to simply making money while waiting for the right deal to come along. I can understand this, as zero-days come with a time-limited sense of jeopardy. A zero-day is only a zero-day, and only commands top-dollar prices, when it has yet to be discovered by the vendor involved or the cybersecurity industry. Every day it’s out there is another day when it could be found, get patched, become worthless.
“New research has revealed a shocking change in the exploit market dynamic”
Of course, I also find myself thinking that renting out your zero-day exploits is a huge risk as this surely increases the chances of discovery. Then again, I’m no criminal mastermind, so what do I know? I’ll tell you: I know that until and unless we can get a grip on the ransomware pandemic and dry up the seemingly endless resource pot it provides, cybercriminals are going to become even more dangerous as they embrace exploits that have the potential to cause so much damage to so many.
And finally…
Who doesn’t love a good statistic? I do, though love is maybe the wrong word when it comes to the latest bunch of cybersecurity stats I’ve been looking at.
Take, for example, research by Palo Alto Networks’ Unit 42, which involved a 320-node “honeypot” system. Honeypots, as I’m sure you know, are those established with the intent to attract bad actors. In this case, the honeypots included systems exposing the remote desktop protocol (please don’t do that) and server message block (ditto) and secure shell protocol (er, yep, you guessed it).
I can’t say I was terribly surprised to learn that within the space of the first 24 hours alone, more than 250 of the nodes (80%) were compromised. One threat actor was responsible for 96% of the Postgres instances that got hacked, and the SSH honeypots were compromised 26 times every day.
The takeaway from all this? Well, it’s pretty obvious, innit? Make sure that services that are exposed to the internet are properly secured, as misconfigurations can be very costly. Automated response and remediation rules are your friend if you want to stand the best chance of fixing such misconfigurations in good time. And time isn’t on your side as it can often take 24 hours or more, a lot more, to deploy security updates. The threat actors will exploit those exposed surfaces within hours.
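One way to turn that takeaway into a routine check, as an added example that is not from the column or from Unit 42: a short Python script that parses `ss -ltn`-style listener output (the sample below is constructed) and flags the services the honeypot study saw attacked, SSH, SMB, RDP and Postgres, wherever they are bound to anything other than loopback.

```python
"""Flag internet-facing listeners for the services the honeypot study saw
attacked (SSH, SMB, RDP, Postgres). Input is `ss -ltn`-style text."""
import re

# Ports for the services named in the column; the mapping is an assumption
EXPOSED_SERVICE_PORTS = {22: "ssh", 445: "smb", 3389: "rdp", 5432: "postgres"}

# Constructed sample shaped like `ss -ltn` output on Linux; not real data
SAMPLE_SS_OUTPUT = """\
State   Recv-Q  Send-Q  Local Address:Port   Peer Address:Port  Process
LISTEN  0       128     0.0.0.0:22           0.0.0.0:*
LISTEN  0       128     [::]:22              [::]:*
LISTEN  0       50      0.0.0.0:445          0.0.0.0:*
LISTEN  0       244     127.0.0.1:5432       0.0.0.0:*
LISTEN  0       128     10.0.0.5:3389        0.0.0.0:*
LISTEN  0       511     0.0.0.0:443          0.0.0.0:*
"""

# Local address is either "[v6]:port" or "v4:port"
LOCAL_ADDR_RE = re.compile(r"^(?:\[(?P<v6>[^\]]*)\]|(?P<v4>[^:\s]+)):(?P<port>\d+)$")


def parse_listeners(ss_output):
    """Yield (address, port) for every LISTEN row in ss -ltn output."""
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] != "LISTEN":
            continue  # header line or a socket that is not listening
        m = LOCAL_ADDR_RE.match(fields[3])
        if not m:
            continue
        addr = m.group("v6") if m.group("v6") is not None else m.group("v4")
        yield addr, int(m.group("port"))


def find_exposed_services(ss_output, ports=EXPOSED_SERVICE_PORTS):
    """Return sorted (service, address, port) for risky services that are
    reachable beyond loopback; a wildcard bind (0.0.0.0 / ::) is the worst case."""
    findings = []
    for addr, port in parse_listeners(ss_output):
        if port not in ports or addr in ("127.0.0.1", "::1"):
            continue  # not a watched service, or loopback-only
        findings.append((ports[port], addr, port))
    return sorted(findings)


if __name__ == "__main__":
    for service, addr, port in find_exposed_services(SAMPLE_SS_OUTPUT):
        print(f"{service:8s} listening on {addr}:{port} (not loopback-bound)")
```

Feed it real output with `ss -ltn` piped into the script, or run it from a scheduled job so the remediation rule fires within the hours the column says you have, not days.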