Hacking the Singapore Government: A Q&A With A Top Hacker & MINDEF 2.0 Results
On Friday, HackerOne announced the results of the second bug bounty challenge with the Ministry of Defence, Singapore (MINDEF). The three-week challenge ran from September 30, 2019 to October 21, 2019, and saw participation from over 300 trusted hackers from around the world — 134 local Singaporean-hackers and 171 international ethical hackers.
During the challenge, hackers were invited to test 11 government-owned targets, including websites and public digital systems belonging to MINDEF, the Singapore Armed Forces (SAF) and other agencies in the defense sector. Over the course of three weeks, 20 valid vulnerabilities were discovered resulting in a total bounty payout of $16,000. Overall, the vulnerabilities found during this challenge were more impactful compared to previous challenges, even if they were fewer in number, which allowed the government agency to better secure its web assets to protect its citizens. None of this would have been possible without the help of a very talented local Singaporean hacker.
Eugene Lim, a 24 year-old better known as @spaceraccoon, is one of the ethical hackers who participated in this second MINDEF bug bounty challenge on HackerOne. Of the 305 white hat hackers that participated, Eugene discovered the highest volume of vulnerabilities and walked away with the biggest bug bounty payout. In addition to uncovering eight unique vulnerabilities and earning the single highest bounty, Eugene was presented with the ‘Top Bug Hunter’ and the ‘First Reported Bug’ awards.
This wasn’t the first government program Eugene has participated in. Organized by the Government Technology Agency (GovTech) and Cyber Security Agency of Singapore (CSA), Eugene also took part in the second Government Bug Bounty Programme (BBP) earlier this fall. He found nine vulnerabilities and was awarded $8,500 in bounty, making him the top hacker for the program.
What is even more remarkable is that Eugene is completely self taught and only started less than a year ago. We interviewed Eugene to find out more about his success in ethical hacking and what tips he might have for new hackers.
Q. Hey Eugene! Congratulations on being the top hacker on the recent GovTech and MINDEF Challenges! How do you plan to spend the bug bounty money?
A: I am donating $10,000 to the Community Chest, a non-profit organisation that channels resources to the social service sector in Singapore, and saving/investing the rest!
Q. Was it difficult finding these vulnerabilities?
A: Bug hunting is about 80% reconnaissance and discovery and 20% exploitation. This is because most targets are black-box, meaning you can't see or analyze the source code, requiring bug hunters to figure out how the applications work from the outside. In most cases, once you have found the vulnerability, exploitation is relatively straightforward and requires just a little bit of creative thinking to get past certain defenses. Most of the work is spent analyzing web traffic and Javascript code to discover the vulnerabilities.
Q. How long (on average) do you spend your time hacking weekly?
A: I am a weekend hunter, so I spend about 10 hours weekly.
Q. What made you want to be an ethical hacker?
A: I wanted to learn more about cybersecurity and get some practical experience on live targets. Since I started, I've realized just how much more I need to learn! From mobile to native app exploitation, every time I pick up something new, I find out there's something greater out there that I need to learn.
Q. When did you start getting into hacking? What was it like?
A: I am fairly new to ethical hacking and just started around the beginning of this year (2019). This was when the Singapore Government announced their first Government Bug Bounty Programme (GBBP). I was really excited by the opportunity to test government systems and help contribute to my country's cybersecurity defense. However, I only had two weeks to prepare and I didn't know anything about hacking, even though I had a computer science and web development background. I was only able to identify one duplicate bug on the Government BBP, which was pretty disappointing. I missed it by about one hour. However, that experience motivated me to get better at hacking and learn even more. I learned by reading HackerOne’s e-book about web hacking and I joined Hacker101’s Mini-Capture the Flag (CTF) exercises and Discord, which is where I found a community that helped me learn and grow as an ethical hacker.
Q. At what age did you earn your first bug bounty? How did it feel?
A: This year, at the age of 24. It was two months after I started on HackerOne and it was great to finally feel like my studies had finally paid off. Additionally, my first bounty was from Grab, a Singaporean company, which made it even sweeter!
Q. What is your motivation?
A: I am motivated by the thrill of finding a bug and learning something new. Every time I read an article on new exploitations or discovery techniques, I'm itching to try it out. I love thinking of clever ways to bypass a defense or apply a novel attack.
Q. What do you think of bug bounty programs? Should all companies have bug bounty programs?
A: I think bug bounties are a great way for companies to get many pairs of eyes looking for vulnerabilities. Often times, a single hacker will specialize in certain attacks or look only for certain vulnerabilities. With many researchers, you get a lot more coverage. At the very least, companies should have a clear vulnerability disclosure policy. It is better to know what you don't know rather than to leave these "unknown unknowns" to fester and blow up at a later time.
Q. What advice would you give to aspiring ethical hackers?
A: I would say first, join a community! There are tons of great online communities like the Hacker101 discord, live streams, and so on, where you get to compare notes and encourage one another on your learning journeys. Next, keep persevering! Bug hunting can be frustrating, especially when you don't find a bug for months, but keep in mind that there is a learning curve, and the more time you put into it, the easier it gets in the long run. As long as you are willing to learn and keep growing, you are on the right track. Don't let bounties or material rewards be your marker for success.
# # #
The 8th Annual Hacker-Powered Security Report