For many years, Edwin van Andel has been working to help people and companies improve their online security. It's not an easy battle, that's for sure, as his work at Yafsec, a company he founded, and at Zerocopter, where he's now CEO, has shown.
Zerocopter, like many other similar platforms, tries to bring hackers to the "good side," where ethics matter and they can help companies improve their products, rather than exploiting the bugs they find for nefarious ends. The ethical hacking community is growing, and that's something we should all be happy about.
We wanted to find out more about ethical hacking, bug bounty programs, and how to steer curious kids down the right path, so we thought who better to ask about this than Edwin van Andel, Zerocopter CEO. Here is our interview!
TechNadu: Tell me about yourself a bit. How did you get into ethical hacking?
Edwin van Andel: When I was about 13, my dad got the first PC from his office. I played Prince of Persia on it, but it crashed a lot. When it crashed it showed me a computer factory test menu, but I couldn’t play with that because it had crashed. I wanted to get to the working menu, so I went to a library and got a book on how computers worked, and later one about assembly language. I tried to get into the menu by writing simple assembler programs and finally succeeded. I could access the menu at will. From there it grew. I bought a ZX81 and broke it. I got a modem (300 baud), connected to BBSes and learned a lot.
On the BBSes I came in contact with other like-minded people, later called hackers. What I later on in life wanted to do is to get all those good hackers I met in the past all in one room. Then bring in a car, a washing machine or a website, and their combined brains will break it. And that's basically what I am building now with Zerocopter.
TechNadu: There are now numerous bug bounty programs, both through the likes of Zerocopter where you're the CEO, but also in-house at big names like Google, as companies are showing more interest in having outside help. How much has the "industry" grown in the past few years?
Edwin van Andel: A lot. But this is mostly attributable to the ‘new’ development cycles (scrum/agile). In the old days, you would build software, test it via a pentest, and release it. Then a year later, you would do a version 1.1, have that tested and that was it. Now development teams release updates, patches, and new features every week, and some of our clients even do that multiple times per day. You can’t do a pentest every week. So you need some form of continuous testing.
In addition, a pentest is usually performed by two or maybe three pentesters, for a limited time (a week mostly) and then they have a week to write the report. With bug bounties, you will get the help of the hacker community. Not just three, but maybe a hundred brilliant hackers will test and look at your product. And when you have a Responsible Disclosure (or Coordinated Vulnerability Disclosure) Policy the whole world can test and take a look at your product. More eyes, more experts, and the result is not just a report, but actual bugs you can fix.
TechNadu: What are the advantages for companies to get involved in such a program? Besides having someone else dig out issues they hadn't found themselves, of course.
Edwin van Andel: The advantages for companies are that they can leverage the skills of many hackers instead of two or three pentesters. And if you use our platform, all your bugs are in one place. Whether the info is coming from a researcher (as we call the Zerocopter hackers), via Responsible Disclosure or from a scanner, all the reports are in one place. Your team can work immediately with them, but they can also communicate with the reporters to get more detailed info. And as we triage (validate) every finding, all the noise is taken away. You only receive valid reports. We take care of the payments for the reporters, so you will not have to worry about how you can pay a researcher on the other side of the world. You can also easily integrate with your in-house ticketing systems like Jira, and you can invite consultants on specific reports, which is very handy if some of your products come from another vendor.
Also, a big plus is the speed at which you can start a program. If you plan a pentest, it can take months before the actual testing starts, whereas a bug bounty program can be started in an hour, and within a couple of hours reports can be coming in. We see our clients appreciating this part of the solution very much.
TechNadu: Is there a downside to the rise of bug bounty programs? Are companies seeing fake reports?
Edwin van Andel: Well, not with us. As said, we triage every finding, so only legit reports go to our customers. We also check for duplicates, so if a scanner or a researcher submitted something and someone else submits the same bug, it’s a duplicate and you don’t have to pay for it.
What we do see is that as a company, you have to play with budgets and bounties to keep the programs active. When a company first starts, their programs mostly (depending on scope) run fine, but if you run the same program over and over, researchers will lose their interest, as looking for rewarding bugs takes much more time, while the rewards stay the same. So if you play with that (e.g. up the budget, or increase the bounties and/or scope) you will have a more steady stream of findings coming in.
TechNadu: Kids are now more tech-savvy than ever and many try to flex their muscles in their early teens, way earlier than others did before them. What should kids know about this? How should parents guide their children in the right direction?
Edwin van Andel: The most important thing to teach your kids is ethics. Let’s say your kid stole some candy at a local shop. The shop owner will talk to them, maybe the local police, the school will steer them and you as parents will also correct them. All this steering is not there when your kid is sitting behind his or her laptop in the attic. No control. So how do you know what they do? You don’t. And that’s fine, as long as they’ve learned the ethics: when you find something, report it. Seek help. Don’t download too much. Don’t sell to criminals. Companies are more than willing to pay for a bug that they’ve missed so you can use your skills, have fun, and still make money and fame without being drawn to the criminal side of the internet.
TechNadu: What are, in your opinion, the best ways to learn your way through the world of ethical hacking?
Edwin van Andel: Be curious. Try to find out why things are working the way they do, and also how you can make them do different things than intended. Learn. Watch hacking talks on YouTube. Try to specialize in something. And try to find people with the same interests as you. Go to a local hackerspace, or visit a hacking event, and just be amazed and learn, try, fail, learn some more, try again, and succeed.
TechNadu: What skills should someone who wants to get involved in ethical hacking have? What is your advice for those who are just starting out in this industry?
Edwin van Andel: Haha, basically the same as above. Skills you develop. And in my opinion, it is better to go for something you really like than to just learn all the hacking skills. I sometimes see companies ask for a ‘hacker’ that knows all the different skills. It’s almost impossible. Some are excellent in web application hacking, or API hacking, but don’t know how to mount a disk in Linux. I have friends who can break almost every access card and lock out there but know nothing about APIs. And that’s fine. Do what you like and become good at it. And there are tutorials and talks on YouTube to last you a lifetime, so start there. But don’t download ‘hacking tools’ and just try without knowing what you are doing. Those will get you in trouble.
TechNadu: We have criminal hackers and ethical ones. How's the balance leaning these days? Are we also seeing hackers changing hats?
Edwin van Andel: Yes, we do. Mostly because they get hired by companies who want a ‘well-known’ hacker working for them. What we also see is that young convicted hackers are offered a coaching track, where they have to present what they did, have it explained to them what went wrong, and work with ethical hackers who show them the right path. In the Netherlands, this is for instance done via the Hack-Right campaign. We as Zerocopter also work actively with the Dutch prosecutors and police to help young hackers find the right path again.
TechNadu: Can someone live off ethical hacking or should this be more of a "side job"?
Edwin van Andel: What we see at the moment is that it’s still mostly a side job. Most of the hackers on our platform work in security during the day and hack via our platform at night. But if you are really good, it can be a day job as well. Last year someone made more than a million dollars in bug bounties, so it is possible. But it takes a lot of dedication, and you have to be on top of your game.
TechNadu: Let's discuss the cybersecurity world a bit. What are the biggest threats you see nowadays?
Edwin van Andel: Time to market. We see a lot of examples where someone has a brilliant idea, gets an investor on board, and just gets some stuff off the shelf, assembles the products and ships them out with a big marketing campaign. Because you have to be the first on the market. And then, when there are 2 million devices out there, maybe someone thinks about securing them. But you are too late. How are you gonna update? What can you do to reinstall them better, more secure, remotely? And those devices are easily hacked, taken over, used in attacks or used to attack your own network.
Next to that, people still don’t take patching seriously, and still don’t think that they are interesting enough to be hacked. WAKE UP. You have an IP address, you will be hacked. When they have access to your data, that is when criminals decide if you are interesting enough...
TechNadu: IoT is a growing industry and yet the security side is seriously lacking. What is your take on this?
Edwin van Andel: Haha, again I’ve mostly already answered this one just above here. But it’s tricky. IoT has to be shipped fast, cheap, and flashy. Security comes last. And sadly we still see no shift in securing it more. Sure, governments could maybe enforce some rules to get stuff more secure, but I guess what you will then see is that people still tend to buy the cheaper, less secure options. Because they don’t care, until it goes wrong...
TechNadu: How about you? As a person who knows the risks of IoT and the general cybersec field, what are some safety steps you take online? Are there devices you'd never bring into your home?
Edwin van Andel: Well, that last one is a difficult one. If I see a device that might not be safe, I want to examine it. Tear it open, find vulnerabilities, and learn. So I do bring them home. But I have a separate network to which I connect them, so I guess I’m a bit safer there than most. And regarding my online presence, I do what I can, but don’t go to extremes. 2FA on my email, encrypted drives and YubiKeys, but that is about it. We have to be out in the open because I’m on stage a lot. So I do what I can, but I’m sure I can do more, or that I’m sometimes lacking. We can all be hacked. But let’s hope it’s by ethical hackers, who will then help you to fix your vulnerabilities. For the good. A safer world. Let’s go for that.
What about you, readers? What do you do to stay safe? What do you think of ethical hacking? Let us know in the comments section below, and please share the interview online if you have the time. Follow TechNadu on Facebook and Twitter for more interviews, tech news, guides, and reviews.