Teach Yourself To Hack: How This Self-Taught Hacking Team Saved Businesses $27 Billion

Mar 15, 2022

There’s a widely held belief that the presence of hackers in and around your systems is always a terrible thing. Widely held, but wrong. The presence of cybercriminals is bad, and while cybercrime does often involve hacking, that’s far from the whole story. All hackers are not cybercriminals and hacking itself can save your business money. Lots of money. What’s more, some of the most successful and legitimate hackers are self-taught.

So, how can you teach yourself to hack and become part of a $27 billion risk-reduction business?

Hacking is not a crime, but it can be a gratifying job

I’m a great fan of the Hacking is NOT a Crime movement, an awareness campaign on this subject. Conflating all hackers with crime is a confusion that your business doesn’t need and could damage your organization’s bottom line. Without hackers, the world would be a very much less secure place.

Hackers like those who participate in the crowdsourced bug bounty and vulnerability disclosure platform Bugcrowd, for example. The hackers track down the security holes in products and services, getting rewarded with financial bounties for doing so dependent upon the criticality of the vulnerability revealed.

According to the new Bugcrowd annual report, Inside The Mind Of A Hacker, these hackers are mostly self-taught and have saved organizations a staggering $27 billion between May 2020 and August 2021.

That $27 billion is one of the headline takeaways of the Bugcrowd report, putting a financial figure on the cybercrime that has been prevented by hackers working on the platform across 16 months. I did, of course, ask Bugcrowd how the $27 billion risk-reduction total was arrived at.

“We calculated the number of valid priority one (P1) findings made on the platform multiplied by the average cost of a breach, according to IBM in 2021,” a Bugcrowd spokesperson says. This comes after analyzing millions of proprietary data points collected about vulnerabilities from a total of 2,961 programs. The annual report also analyzes survey responses and security research on the Bugcrowd platform and provides an intimate look at what makes a hacker.

Inside the mind of a hacker

This 34-page report is both accessible and informative, so I’d recommend it as an essential read to anyone contemplating a career as a hacker. Some of the key takeaways include that a majority of hackers on the Bugcrowd platform (54%) are Generation Z, 34% are Millennials, and just 2% are over the age of 45. In addition, most hackers on the platform live in India, 79% speak at least two languages, and 21% identify as being neurodivergent. Sadly, 96% are male, with only 3% female and those identifying as non-binary, gender fluid or pan-gender making up the remaining 1%. This has undoubtedly got to change, something that Bugcrowd recognizes. “The glaring gender gap is not simply an issue to address down the line,” the report states, “it poses a real, immediate threat to the diversity and multiplicity of perspectives that make crowdsourced cybersecurity such a powerful force today.”

Teach yourself to hack

One of the most positive statistics that caught my eye was that 79% of the hackers taught themselves to hack. Although there are plenty of courses available for those looking to take a traditional route to become an information security professional and plenty of certifications to take for those who want them, hacking can be a much more self-contained learning experience.

There are many variables when it comes to teaching yourself to hack; however, I asked hackers out there doing it already, along with infosec professionals, for advice on recommended educational resources to get would-be hackers started on their career journey. Do bear in mind this is far from a complete list, but hopefully, it will give you some food for thought if you are contemplating becoming a bug bounty hacker.

  • Bugcrowd University offers a good starting point for web hacking, with a solid collection of learning links.
  • Try Hack Me gamifies learning to hack through the use of real-world scenarios.
  • Hack The Box Academy is browser-based, interactive and for every skill level.
  • PortSwigger’s Web Security Academy is free and comes from the creators of the penetration testing tool Burp Suite.
  • Pentester Lab has exercises ranging from basic bug-finding to tracking down advanced vulnerabilities.

Also, please don’t underestimate the power of Google and YouTube when it comes to both finding answers to your questions and getting hands-on hacking help. Security conference talks posted online, infosec Twitter and Google are your friends here; well-explained proof of concept (PoC) exploits can also help you get your head around the practicalities once you’ve advanced far enough on your learning journey.

One thing to bear in mind: please don’t try to hack live targets outside of those within an accredited educational resource, or you could soon discover that you’ve already crossed the line between being a hacker and a criminal.

26 Apr, 2024
In continuation of Microsoft’s series of data security incidents, employees accidentally exposed internal data to the public. The leak exposed an unprotected Azure storage server containing code, scripts, and configuration files. Microsoft has announced that it has fixed a security breach that exposed internal company credentials and files to the open internet. The breach was first discovered by security researchers from cybersecurity firm SOC Radar. According to their report, an internal error resulted in an Azure storage server without password protection being given public access. The exposed data was primarily related to Microsoft’s Bing search engine, including configuration files, code, and scripts that employees used to access a range of internal systems and databases. Consequently, bad actors could identify and access locations for Microsoft's internal data. So far, it has not been made clear how long the data has been exposed.
26 Apr, 2024
AT&T is notifying 51 million former and current customers, warning them of a data breach that exposed their personal information on a hacking forum. However, the company has still not disclosed how the data was obtained. These notifications are related to the recent leak of a massive amount of AT&T customer data on the Breach hacking forums that was offered for sale for $1 million in 2021. When threat actor ShinyHunters first listed the AT&T data for sale in 2021, the company told BleepingComputer that the collection did not belong to them and that their systems had not been breached. Last month, when another threat actor known as 'MajorNelson' leaked the entire dataset on the hacking forum, AT&T once again told BleepingComputer that the data did not originate from them and their systems were not breached. After BleepingComputer confirmed that the data belonged to AT&T and DirectTV accounts, and TechCrunch reported AT&T passcodes were in the data dump, AT&T finally confirmed that the data belonged to them. While the leak contained information for more than 70 million people, AT&T is now saying that it impacted a total of 51,226,382 customers. "The [exposed] information varied by individual and account, but may have included full name, email address, mailing address, phone number, social security number, date of birth, AT&T account number and AT&T passcode," reads the notification. "To the best of our knowledge, personal financial information and call history were not included. Based on our investigation to date, the data appears to be from June 2019 or earlier." BleepingComputer contacted AT&T as to why there is such a large difference in impacted customers and was told that some of the people had multiple accounts in the dataset. "We are sending a communication to each person whose sensitive personal information was included. Some people had more than one account in the dataset, and others did not have sensitive personal information," AT&T told BleepingComputer. 
The company has still not disclosed how the data was stolen and why it took them almost five years to confirm that it belonged to them and to alert customers. Furthermore, the company told the Maine Attorney General's Office that they first learned of the breach on March 26, 2024, yet BleepingComputer first contacted AT&T about it on March 17th and the information was for sale first in 2021. While it is likely too late, as the data has been privately circulating for years, AT&T is offering one year of identity theft protection and credit monitoring services through Experian, with instructions enclosed in the notices. The enrollment deadline was set to August 30, 2024, but exposed people should move much faster to protect themselves. Recipients are urged to stay vigilant, monitor their accounts and credit reports for suspicious activity, and treat unsolicited communications with elevated caution. For the admitted security lapse and the massive delay in verifying the data breach claims and informing affected customers accordingly, AT&T is facing multiple class-action lawsuits in the U.S. Considering that the data was stolen in 2021, cybercriminals have had ample opportunity to exploit the dataset and launch targeted attacks against exposed AT&T customers. However, the dataset has now been leaked to the broader cybercrime community, exponentially increasing the risk for former and current AT&T customers. Update 4/10/24: Added statement from AT&T about discrepancy in numbers.
26 Apr, 2024
Home improvement retailer Home Depot confirmed to multiple publications that it suffered a data breach after a third-party SaaS vendor inadvertently exposed a subset of employee data, leading to the compromise of an undisclosed number of employees. IntelBroker, the threat actor behind the attack, claims it has the information of 10,000 Home Depot employees. Reportedly, the breach was caused by a misconfigured software-as-a-service (SaaS) application.