Ethical hacking: how to hack systems and at the same time earn legally

Who is a hacker? Most people who are far from programming are a malicious criminal who breaks into the security systems of banks to steal money. Something like Hugh Jackman's character from the movie "Password is a Swordfish", who breaks the Vernam cipher to steal $9.5 billion from the government fund. Here we will focus on the legal side of hacking, and if your ideas are inspired by films, we have prepared for you a detailed overview of the profession of a cybersecurity specialist.

You can be a hacker legally. Legal hackers are called pentesters, or "ethical hackers". That's just you need to know well what you can do while testing the system for penetration, and what you can't. Otherwise, you can get very real problems with the law. Most recently, we launched the course "Ethical Hacker", and in this article we will talk about how to engage in hacking, earn good money from it and at the same time not have problems with the law. Go.

Pentester: Differences from hacker

A pentester is a hacker who works completely legally and within the law. The essence of his work is the search for vulnerabilities in security systems.
But there are some serious differences:

The developers are aware of the actions of the pentester. All actions to search for vulnerabilities are carried out either under a special agreement or with the help of Bug Bounty programs. We'll talk about them a little later.
The pentester is only looking for vulnerabilities, and is not going to use them. There is a subtle point here. To detect a hole in the data storage system — everything is OK with this. But trying to download confidential data by testing this hole is already a deadline. The pentester should point out the hole to the developers and point out the possibility of how to use it, but not try to do it yourself.
The earnings of a pentester are completely white. Bug Bounty payments or contract payments are absolutely legal. So you don't have to be afraid of visits from the tax service.

In fact, a pentester is distinguished from a hacker by a set of rules that he is guided by.

The pentester works exclusively under Bug Bounty programs or after signing a contract with the company. Due to the fact that the process of pentesting itself is associated with hacking protection, the procedure is very formalized.

Bug Bounty: how to participate correctly

Most large companies run Bug Bounty - special programs in which software or website developers offer rewards for vulnerabilities found. It is more profitable for companies to pay for the errors found than to deal with the consequences that exploits and vulnerabilities can lead to.

Most of these programs are hosted on HackerOne and BugCrowd websites. 

For example, here are the Bug Bounty programs from Google API, Nginx, PayPal, GitHub, Valve. The average premium for each bug found in these programs is $ 1,000. There are a huge number of smaller companies that offer $50-100 per mistake. 

Even the Pentagon launched Bug Bounty! It's just a dream for a hacker to hack the Pentagon's security system, and even get money for it from the US government. 

But even the published Bug Bounty does not mean that you can break and look for holes anywhere. In the description of the program, the owners prescribe which vulnerabilities will be considered. 

For example, Uber gives a very detailed explanation of what is included in their Bug Bounty program and what is not.

The company wants to find vulnerabilities in data access and storage systems, phishing opportunities, payments and invoices, unauthorized actions on the part of the user and company employees. But the program does not include general application bugs, fraud reports, bugs in working with social networks and email newsletters. 

However, their sense of humor is fine. Because among the unpaid actions there are the following:

Entering the Uber offices, throwing crisps everywhere, unleashing a bunch of hungry raccoons, and hijacking an abandoned terminal on an unlocked workstation while staff are distracted

Enter the Uber office, scattering chips everywhere, releasing a bunch of hungry raccoons and seizing an empty terminal or workplace while employees are confused.

The more detailed Bug bounty is described, the easier it is for the pentester to understand what can be "tried by the tooth" and what should not be done.

At the same time, there are general rules that cannot be violated. For example, if vulnerabilities are detected in user databases, you should not try to download any personal data. Even with participation in the program, this may be regarded as a violation of the law. Because here the rights of users are violated, to which Bug bounty has nothing to do.

Therefore, there are several possibilities for a pentester:

Join one of such large companies. The main plus is a stable salary and the absence of even hypothetical problems with the law. But at the same time, it will not work to earn a lot of money, as many pentesters strive to do. 
Open an individual entrepreneur or work under a contract. The main plus is that the specialist sets the price himself. But at the same time, you will have to work closely with lawyers within the framework of labor relations in order to insure yourself from the legal side. And competitors are not asleep.
Work exclusively on Bug Bounty. The main plus is the freedom of the schedule and the opportunity to earn a lot. But there is always a risk that a specialist simply will not be paid for detecting a bug. However, no one forbids working under a contract, and in Bug Bounty programs.

It's easy to participate in Bug Bounty. After all, in fact, the message about the start of the program is an open offer that any user can accept. You can start working immediately — no additional consent is required for your participation. 

To protect yourself from dishonest companies, we recommend working through the HackerOne and BugCrowd sites. Just register and submit applications with detected bugs through them. 

The only rule is to read the description of the program in great detail. If a company writes that it pays for database vulnerabilities, then you need to look only there. Even if you find a bug somewhere else, they won't pay for it. On the contrary, problems may begin. 

Wesley Weinberg found one of the most serious gaps in the protection of Instagram in 2015. During the pentesting, he discovered a Ruby vulnerability that allowed him to start remote playback of arbitrary code. 

This allowed him to read configuration files that contained PostgreSQL database accesses. Facebook Instagram and 60 employee accounts were there. According to Weinberg, it was not difficult to crack them — most of the passwords were extremely weak - like "password" or "instagram".    

Then he got access to several Amazon Web Services keys, which were associated with 82 S3 buckets. And in these buckets there was a real treasure for a hacker: Instagram source codes, SSL certificates, API keys, email server data, signature keys for iOS and Android applications. We can say that the pentester has received full access to all the secret materials of Instagram. 

He honestly reported this finding to Facebook representatives. He was actually paid $2,500 for one bug. But he also received charges of unauthorized access to employee accounts, a ban on the Bug bounty program from Facebook and a threat of criminal prosecution. Although no criminal case was initiated, Pentester's nerves were pretty battered.

So following the prescribed Bug bounty points is just a must. Otherwise, you can get not a bonus, but an accusation.