Interview: Aaron Bugal, field CTO at Sophos – large bug bounties are ‘plague’ on ethical hackers

Here’s what he had to say on how ethical hackers operate, how one becomes one, and why bug bounties matter.

Cyber Security Connect: So, while ethical hacking fascinates me, I’m not a coder myself, so could you tell me a little about how they operate? Are they using the same tools as threat actors, but just for good?

Aaron Bugal: Ethical hackers very much all use the same tools. There’ll be a lot of commonality, a lot of crossover, and a lot of shared tooling that ethical hackers would be using. Their objectives, though, are very different to those of maliciously disruption-intended individuals or what we commonly call cyber criminals.

Those quote-unquote black hats … Well, I call them cyber criminals wherever I possibly can because the activity that they engage in is exceptionally illegal in most states, countries and jurisdictions, right? You’re utilising a telecommunication service to disrupt and cause wanton destruction – it’s not looked at nicely in this day and age.

So, the ethical hackers – the good guys and girls of the world. They are using a lot of the same tooling. And a lot of the same open-source knowledge on how to test different applications, services, and software, but also using other technologies to explore new applications and services and look for those potential vulnerabilities that could be exploited by somebody who has bad intentions. Before they’re commonly exploited in the wild.

So, I think, from an ethical-hacker perspective, it’s a fantastic industry. It’s here to stay, and anything that I can do to promote the rise and uptake of ethical hacking ... I think it’s going to be better as we sort of forge our way into the future.

CSC: Possibly dumb question: is there a Venn diagram overlap between penetration testing and ethical hacking? Or are they two separate things?

Aaron Bugal: I do believe that they’re two separate disciplines – penetration testing is very much tightly scoped, though it is founded in ethical hacking. So you know – powers for good. Use your powers in a directed and focused manner so that you can arrive at an objective that is within expectation – what I mean by that is, typically, for a penetration test, an organisation or someone will have commissioned a penetration tester to evaluate a small little pigeon-hole of exposure, and they don’t really sort of … spread out from that too far.

VIEW ALL

The ethical hacker, on the other hand, though, is sort of based on that – you know, my intent is good and pure. They could, in fact, have a lot larger scope. Perhaps they’re not being commissioned to look for issues, but they may stumble across them. They may be doing it for research or educational purposes. And then when they do find something that is unwanted, for example, a vulnerability, then they disclose this to the maintainers or the owners of the application or the service.

CSC: How does one get into the field? I do not imagine there are courses … It just seems like something that you kind of pick up, almost like a hobby, at first.

Aaron Bugal: You know what, this is where the industry came from. This is back in the olden days, I mean, back and back, you know, a decade or two ago, with the internet in all its exploding glory, when websites were becoming a lot more popular and people were turning to online technologies like email and so forth.

It’s looking into the origin stories of people like Julian Assange, even Kevin Mitnick – from his perspective, a lot of what he was just fascinated by was like a small little thread in the stitch that was of the fabric that he was wearing … So it’s only just a small little piece of what he was interested in, but he just kept at it. He kept enumerating, testing, futzing trial and error, until he could crack that magic code. Quite literally to give him free international long-distance calls. Totally fraudulent, right, and well documented – and he paid the price for it.

But then you’ve got ethical hackers that have risen up from looking at … Some of them love reverse-engineering applications and will look at just binary files because that’s what they’re good at. But if they tried to do that from a networking communications side of things, they get totally lost.

So from a “how do people get into it” angle? Typically, they fall into it because of an interest. And then because they’re good at, say, one little thing, but then they’ll quickly expand their horizons and their capability because it is a well-paying vocation. And they’re in high demand these days because of that sudden inter-connected explosion; people are using the internet day in and day out, and we can use it from anywhere.

So from my perspective, most people get into it because they’re either good at programming, or they’ve got a good fundamental understanding of information technology and computers, which in a roundabout way can lead them to testing the boundaries of what something should be doing and then, “Oh, I wish I can work out that this is doing,” or something that it shouldn’t be doing. Therefore, I found a vulnerability, which typically leads to people exploiting it, but hey, if your intentions are good, you want to disclose it and get the kudos for it.

CSC: And getting paid can’t hurt, either – how important are bug bounties when it comes to rewarding the work of ethical hackers?

Aaron Bugal: Yeah, I mean, that’s the thing – software testers, you know, these ethical hackers, penetration testers, security researchers, security researchers, whatever you want to call them … People are turning this into their full-time type of employment because as I said, they’re very good at doing it. And new applications and services are popping up on a daily basis, which need to be evaluated.

The point, though, is that I think the industry overall – and I think as business owners, in particular – do need to look at their use and their adoption of technology and ensure that if they also have an online presence, they should make sure that those online presences and the systems and services and couplings that they use between the back office and other systems are evaluated on a regular basis, which they might be doing themselves. Or they might be using penetration testers; they might be using a consulting firm to evaluate this.

But typically, they’re looking for problems and issues that are, from a risk standpoint, unknown. The glorious thing with ethical hacking and security evaluation, by effectively people being in the right place at the right time, is they typically uncover things that are unknown unknowns. Things that people don’t expect: “Oh, I didn’t know you could do that with that product”, which is typically something that you hear from somebody who’s reading up on a vulnerability, “I did not know that was possible”. And then going, “Right, I need to declare this.”

I think from a bug bounty standpoint – getting to my point – organisations need to employ these. I think it’s very important as we move into the future that if you are running some form of online presence, especially if it’s a merchant-style facility, or a shopfront, which is taking information and or payment information, it’d be very good and worthwhile to provide insight and advertise to anybody who happens to stumble across your environment, that if they do find a vulnerability, that there is a responsible way of disclosing that to the people that need to know – typically the business owners, somebody who’s responsible for security so that that organisation can then do something about it.

Google posts large bounties for anything found in their code, but you know, they have the advantage of scale. What about small operators? How would you expect a small business to deal with that issue? Who might have information [that] is just as valuable to protect but may not have the scope to say, “Hey, If anyone finds a flaw, here’s X amount of dollars”.

Troy Hunt, who runs Have I Been Pwned, has a very strong opinion on bug bounties. It’s those big bounties that are starting to sort of plague this ethical-hacker space, where there are the people that have got good intentions. They’ve got some good skills in an area, they find issues, they responsibly disclose them, and sometimes, if they got a couple of bucks out of it, they’d be happy. They just want to have their name against the CVE.

But there are some people that are using automated tools; they’re not doing the right work – they’re the fraudulent type of people that are saying, “Hey, I’ve found a couple of problems on your website, pay me money, and I’ll tell you about it,” which really sort of is going against the grain of responsible vulnerability disclosure in the first place.

So from my own perspective, and from my own belief, I think organisations need to adopt things like a security.txt file. So in the root of your domain or your online presence, you have a simple text file, which is called security.txt. And it describes how you can contact them to responsibly disclose information, but also what you’re willing to provide them if they do find something of an exploitative nature, whether it’s just kudos or a smaller payment, merchandise … I mean, some organisations give out stickers and hoodies if you find vulnerabilities in their software and services.

Some organisations can’t afford it. The smaller businesses, I don’t think they can sort of afford it. I think if a smaller organisation is approached by a third party who says: “I have found a vulnerability in your system, but I’m awaiting your payment before I provide any details” ... In my opinion, that’s extortion. And if they’re a foreign national of any type, they should be going to ASIO or cyber.gov.au to actually report that interaction so that those organisations can investigate that threat. Perhaps provide them with some insight on potentially where that vulnerability could be, if it’s easy to spot, right? Now these big bounties are causing a big problem and are starting to jade the good work that ethical hackers are doing.

CSC: Wow, that’s a fascinating angle – I’d only ever seen the bounties as a good thing. But before I let you go, one last question: What keeps you, as a security professional, awake at night?

Aaron Bugal: Right now, it’s artificial intelligence – I’m not gonna lie. AI has risen to … it’s almost cataclysmic in essence, where artificial intelligence is being adopted at an absolutely mad rate by good people and bad people.

And it’s interesting from our own experiences here at Sophos. We saw such an uptick in people using, for example, ChatGPT to help with the writing of emails and stuff like that. But then we started to see people submitting code, asking “Why isn’t my code working?”. We had to put a policy-stop to it, or more so to articulate just make sure you’re not pushing any personally identifiable information from potentially anything we do internally, especially any code and products, and push it to OpenAI for being assessed by ChatGPT.

So we’ve written a nice little policy articulating how you can and how you cannot use ChatGPT, because it could be quite detrimental to privacy.

But on the other hand, we’re starting to see things like WormGPT, an automated system for users to effectively say, “I want a remote access Trojan, I want it to call back to this address. I want it to do this, go and write me a piece of malware that can’t be detected, quote-unquote, by virus total. And I want it now.”

And where that might have taken, you know, a few days to get done through maybe some unscrupulous programmers in some sort of faraway country, it’s done in a matter of seconds. And then, your executable is compiled and given to you, and then you can run it, and most static anti-malware products might not actually detect it.

That’s the sort of stuff that worries me is that we’re now entering this, dare I say, cyber arms race using artificial intelligence, because the bad people are now employing it to write their phishing emails. And then the likes of Sophos, and many other third-party security vendors, are implementing AI to help us defend and spot things before they become a problem.

So there’s always going to be humans involved, but gee, how far and wide and deep will AI go in cyber space? Who knows?

CSC: Thanks a lot for your time.

David Hollingworth

David Hollingworth has been writing about technology for over 20 years, and has worked for a range of print and online titles in his career. He is enjoying getting to grips with cyber security, especially when it lets him talk about Lego.