NSF bug hunter wins big

https://www.mindef.gov.sg/web/wcm/connect/pioneer/5c1ec963-722c-4bcb-92a1-6acdb9ec1461/1_DSC_8464+copy.JPG?MOD=AJPERES&CACHEID=ROOTWORKSPACE.Z18_1QK41482LG0G10Q8NM8IUA1051-5c1ec963-722c-4bcb-92a1-6acdb9ec1461-mUFNTe. /web/wcm/connect/pioneer/5c1ec963-722c-4bcb-92a1-6acdb9ec1461/1_DSC_8464+copy.JPG?MOD=AJPERES&CACHEID=ROOTWORKSPACE.Z18_1QK41482LG0G10Q8NM8IUA1051-5c1ec963-722c-4bcb-92a1-6acdb9ec1461-mUFNTe. /web/portal/pioneer/article/regular-article-detail/technology/2019-Q4/02nov19_news1
02 Nov 2019 | TECHNOLOGY

NSF bug hunter wins big

// Report by Thrina Tham

// Photos by Kenneth Lin

English 华文
3SG Lim beat 304 white hat hackers around the world to emerge as Top Bug Hunter in MINDEF’s Bug Bounty Programme.

For three straight weeks, 3rd Sergeant (3SG) Eugene Lim would spend 10 hours a week searching for "bugs".

The Full-Time National Serviceman (NSF) would use his nights off hunting for system vulnerabilities in the Ministry of Defence’s second Bug Bounty Programme which ran from 30 Sep to 21 Oct this year.

His typical weekends saw him "hunting" from 11am to 6pm, followed by a quick meeting with his family or girlfriend, before hunting again until 2am in the morning.

His efforts paid off.

The 24-year-old topped a total of 305 white hat hackers, or ethical hackers, to emerge as the "Top Bug Hunter".

Defence Cyber Chief Brigadier-General Mark Tan (right) presenting the Top Bug Hunter award to 3SG Lim in a ceremony on 1 Nov.

The programme saw 134 local and 171 international white hat hackers invited to search for vulnerabilities (or bugs) in 11 of MINDEF's Internet-facing systems.

Participants reported 52 vulnerabilities, of which 20 were valid. 3SG Lim uncovered eight out of those 20 valid and unique vulnerabilities reported, which put him squarely in the lead among the hackers.

He also received an award for "First Reported Bug", which he found within the first hour of the programme opening.

His interest in cybersecurity was piqued when he took part in the first Army Cyber Defence Exercise last October. During the exercise, he would work with other cyber defenders to respond to online threats to defend simulated training networks.

3SG Lim (seated, third from left) taking part in the Army Cyber Defence Exercise last year. Chief of Army Brigadier-General Goh Si Hou (standing, third from left) also observed the exercise. [Photo: Singapore Army Facebook].

He then joined two Government Bug Bounty Programmes – this January and July – where he emerged as the top hacker in the second edition.

The self-taught hacker, who is a Supply Supervisor at the 12th Command, Control, Communications, Computers and Intelligence Battalion, said that it takes creativity to bypass protection tools (such as firewalls) that are set up by system administrators.

"They'll put a lock on the front door so you have to find another way – a window, an unlocked back door – to get yourself into the 'house'."

And it's a "thrill" to be able to get in, said 3SG Lim, who goes by the moniker SpaceRacoon online.

"It's a rush when you finally 'pop the shell', which is to be able control the server. There's a huge sense of achievement."

"For us white hat hackers, we would then submit proof (for the system administrator) to reproduce the bug themselves," said 3SG Lim, who graduated from Yale University last year with a Double Major in Computer Science and History.

3SG Lim, who will work as a civil servant after he completes his National Service on 31 Dec, is not shy about the fact that cybersecurity is his "primary hobby".

Earlier this year, he built a web app for scanning malicious packages, which he presented at Black Hat Asia (Arsenal), a convention on open source tools.

When asked on how he got into white hat hacking, he said: "I wanted to contribute to Singapore's cyber security and testing government systems was interesting to me."

"Being able to find vulnerabilities for MINDEF, as an NSF, was also a big motivation."

He added that his hobby has helped to foster a positive attitude: "If I meet an obstacle, I'll always think of ways around it.

"These problem-solving skills will be useful in any role I take on (in the future)."