Hacking his way to the top: Singaporean shines in defence ministry’s bug-bounty programme
Cybersecurity manager found nine vulnerabilities in the ministry’s public-facing systems in just under a month
By Kenneth Cheng
From as young as 14 years old, Mr Darrel would hack websites, games, as well as online contests, netting himself prizes and in-game items.
The IT fanatic, who declined to give his full name but goes by the moniker Shivadagger, has fashioned this into a career — moving on to hacking not just websites, but networks and mobile applications in the initial years of joining consultancy firm Ernst & Young Advisory.
The 30-year-old cyber-security manager on Wednesday (February 21) emerged tops among 264 local and foreign “white-hat” hackers who took part in the Ministry of Defence’s (Mindef) first-ever bug bounty programme.
From January 15 to February 4, hackers were invited to put eight of the ministry’s public-facing systems — including the National Service (NS) Portal — to the test to expose vulnerabilities. In return for uncovering valid bugs, hackers were given cash rewards.
Mr Darrel unearthed nine unique vulnerabilities, scoring him a bounty of US$5,000 (about S$6,600). This was about one-third of the total bounty of US$14,750 doled out by Mindef to hackers.
Nearly 100 vulnerability reports were submitted in total. However, only 35 bugs uncovered by 17 hackers were deemed valid.
Mr Darrel, who has a degree in digital systems security, uncovered one high-severity bug, for which he was rewarded US$2,000. The other bugs earned him between US$250 and US$750 each.
He had learned of the bounty programme shortly after it was announced last December from his company, which broadcast the news via WhatsApp. The firm regularly encourages staff members to join similar activities, such as hacking competitions, he said.
On why he joined the Mindef programme, Mr Darrel said he wanted to pit himself against a big pool of hackers to gauge where he stands, and also to rake in some extra income.
He started out by combing Mindef’s websites, clicking on every possible link so that his browser’s history built up a log of the pages he had visited.
He later injected malicious characters into the forms to see if they triggered an error message or a reaction on the server, altering the “payload” — the actual data being transmitted — based on the server’s responses. He then crafted payloads to penetrate the system.
He declined to share the nature of the vulnerabilities he exposed, but said his first vulnerability was approved within the first week of the programme, which was run by the US-based bug-bounty firm HackerOne.
Hackers submit reports of bugs via HackerOne’s reporting system, where they include a summary of a vulnerability and its impact, and steps to replicate it, among other things. Bugs are first verified by HackerOne. Once they are deemed legitimate, the company informs Mindef, which tests and validates the vulnerabilities.
He spent an average of one or two hours each day after work to put the systems through the paces.
“I learned a lot of things,” he said. “Bug bounty programmes (allow organisations to be) exposed to more (hackers). You’ve 300 ethical hackers. For (commercial) projects, you probably have (only) five consultants on the job. So what you could miss (with) five people, compared with 300 people, would be significantly more.”
Not all of Mr Darrel’s attempts at white-hat hacking away from work have been stellar. Last year, he took part in a “capture-the-flag” competition, where participants hack into systems, and his team managed to crack only two or three of the 20 to 30 systems. Asked how he would spend his bounty from Mindef’s programme, he said with a laugh: “A bulk of it will go into my house loan. The rest of it, I actually bought a Nintendo Switch and a PS4 (gaming console).”