While the hacker community represents a diverse set of talents from all corners of the globe, the one thing that unites them is the common goal of making the Internet safer. Among recent years, 2020 stands out. This year, hackers on the HackerOne platform crossed a major milestone, earning US$100 million in bounties for their work finding security flaws in software. Customers have fixed those holes before cyber criminals could exploit them, thanks to the sustained effort of ethical hackers coming together to harden our digitally connected society.
There is something else that makes hacking in 2020 unique: we are all living through the COVID-19 pandemic. We recently polled hackers from across the globe to learn their key takeaways from 2020 and what we might be in for in 2021. Here is what they had to say:
On hacking during the COVID-19 pandemic:
Australian hacker Shubham Shah, a.k.a. @notnaffy, notes that the increase in free time due to the pandemic has enabled hackers to team up with others to find more critical vulnerabilities:
“With an almost global lockdown, I’ve increasingly worked virtually with other hackers to collaborate on bug bounty programs in order to discover more critical vulnerabilities. When calculating security, two variables are normally taken into account: time and resources. At the moment, there is far more time to spend on breaking the security of any given target, meaning there is a higher chance of finding vulnerabilities.”
Singaporean hacker Samuel Eng, a.k.a. @Samengmg, also explains how hackers have been busy during the pandemic: “Due to the COVID-19 pandemic, I’ve seen an influx of bug bounty hunters in various programs. I noticed that many programs hardened really quickly at the start of the pandemic, especially against common vulnerability classes such as XSS, SQL injection and basic authentication bypasses.”
On what to expect for security in 2021:
Concerned about the impact COVID-19 has on security as businesses and schools speed up their digital transformation projects, German hacker Julien Ahrens, a.k.a. @MrTuxracer, reflects:
“The COVID-19 pandemic has forced businesses to speed up their digital transformation in ways they weren’t expecting. As a result, I think that we’re going to see an influx of attacks, especially against those who have just begun digitising. One thing that particularly concerns me in Germany is the enormous speed at which government institutions, like schools, are moving everything online. Activities like homeschooling, which essentially didn’t exist pre-COVID, are now the de facto standard for almost all schools. They had to build systems and processes with very little time, which is never a good thing when it comes to security. I’m not even just talking about technical flaws that lead to security issues, but also about security awareness.”
On New Attack Methods for 2021:
In terms of trends in new attack methods we might see next year, James Kettle, a.k.a. @albinowax, from the United Kingdom, warns that “As the classic attacks get mitigated and picked off by automated scanners, I think we’ll see a gradual trend of hackers embracing the obscure: business logic flaws, race conditions, timing attacks and convoluted attack chains in general. We’ll see more people exploiting discrepancies between multi-server applications, through the likes of request smuggling, parameter pollution and path normalisation exploits.”
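To make the “discrepancies between multi-server applications” concrete, here is an added example that is not part of the original post or of any HackerOne program. It simulates a front-end that performs an authorisation check and a back-end that serves the request, each parsing the same request with its own rules: the front-end judges the raw path and the first value of a repeated query parameter, while the back-end percent-decodes and collapses `..` segments before routing and keeps the last value (different real frameworks do pick first, last, or all values). The component names, the `role` parameter and the `/admin` prefix are constructed for illustration; the point is the mismatch, not any specific product. Request smuggling is a separate discrepancy (in message framing) that this example does not model.

```python
"""
Constructed demonstration of parameter pollution and path normalisation
discrepancies between two components of one application.
Nothing here is a real server; it is a model of two parsers disagreeing.
"""
import posixpath
from urllib.parse import parse_qsl, unquote


def canonical_path(raw_path: str) -> str:
    """Percent-decode, then collapse '.' and '..' segments (what the back-end does)."""
    return posixpath.normpath(unquote(raw_path))


def first_value_params(query: str) -> dict:
    """Keep the FIRST occurrence of a repeated parameter (front-end behaviour)."""
    params = {}
    for key, value in parse_qsl(query, keep_blank_values=True):
        params.setdefault(key, value)
    return params


def last_value_params(query: str) -> dict:
    """Keep the LAST occurrence of a repeated parameter (back-end behaviour)."""
    return dict(parse_qsl(query, keep_blank_values=True))


def is_admin_path(path: str) -> bool:
    return path == "/admin" or path.startswith("/admin/")


def vulnerable_dispatch(raw_path: str, query: str) -> str:
    """Front-end gate on the raw request, then back-end routing on its own view of it."""
    # Front-end: authorises on the raw path and the first 'role' value.
    if is_admin_path(raw_path):
        return "blocked"
    if first_value_params(query).get("role") == "admin":
        return "blocked"
    # Back-end: canonicalises the path and takes the last 'role' value.
    path = canonical_path(raw_path)
    role = last_value_params(query).get("role", "guest")
    if is_admin_path(path):
        return f"admin handler as {role}"
    return f"public handler as {role}"


def hardened_dispatch(raw_path: str, query: str) -> str:
    """Both decisions use one canonical form; ambiguous (repeated) parameters are rejected."""
    path = canonical_path(raw_path)
    pairs = parse_qsl(query, keep_blank_values=True)
    keys = [key for key, _ in pairs]
    if len(keys) != len(set(keys)):
        return "rejected: duplicate parameter"
    role = dict(pairs).get("role", "guest")
    if is_admin_path(path) or role == "admin":
        return "blocked"
    return f"public handler as {role}"


if __name__ == "__main__":
    # Path normalisation: the front-end never sees '/admin', the back-end does.
    print(vulnerable_dispatch("/public/%2e%2e/admin/users", ""))
    # Parameter pollution: the front-end checks 'user', the back-end acts as 'admin'.
    print(vulnerable_dispatch("/public/page", "role=user&role=admin"))
    print(hardened_dispatch("/public/%2e%2e/admin/users", ""))
    print(hardened_dispatch("/public/page", "role=user&role=admin"))
```

The fix is not a better deny-list on the front-end: it is making every component authorise on the same canonical representation (decode and normalise once, then check) and refusing requests that are ambiguous, such as repeated parameters. Whenever a gateway, WAF, proxy or CDN makes a security decision on a request that another parser will interpret, ask which of the two parsers the decision really protects.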
Social engineering will still be a concern for 2021. German hacker Julien Ahrens adds: “It’s inevitable that all kinds of attacks will increase in 2021 because more companies are moving online. But there is one type of attack I think will increase exponentially, and more than any technical attacks: social engineering. I think social engineering attacks against people who aren’t sufficiently guarded and aware will massively increase because companies won’t have had the time to sufficiently educate their employees about the threat.”
On the expanding attack surface as a result of Digital Transformation:
Australian hacker Shubham Shah comments that “As businesses recover from this pandemic and economies are rebuilt, I predict that there will be an uptick in application development and deployment. That means the rapid introduction of new assets, applications and networks; a growth that will be challenging to manage from a security perspective. I believe the biggest threat to both businesses and government agencies will be managing their attack surface and the respective security exposures as they rebuild and grow.”
As companies embrace a cloud-first approach, Shubham expects to see them adopting newer technologies, such as Kubernetes, to orchestrate the deployment of critical applications and services. But, “with new technologies and methodologies being adopted, there are usually misconfigurations and missteps along the way that may lead to vulnerabilities.”