Seasides Conference: Interviewing Prashant Kv and Parveen

1) Could you please start by telling us a bit about yourself and your background? 

Prashant: Hi, my name is Prashant KV. I have been working in information security for more than 15 years. I started my career as a developer and then transitioned into application security. Over the years, I have managed and led many penetration testing, source code review, and other InfoSec tasks. 

I was a part of the null and OWASP Bangalore chapter until 2013. In 2013, I moved to the USA, and I have been living here ever since. Presently, I also manage the OWASP Bay Area chapter. 

Parveen: Parveen, who possesses over 12 years of experience, currently serves as a Product Security Analyst at an Organization specializing in bug bounties. His expertise spans various areas, including Web application testing, Network penetration testing, Thick Client Testing, security assessment of Large Industry printers, Red Teaming, and Mobile Application Testing. In addition to his professional role, Parveen is the co-founder of the OWASP Seaside Conference in Goa and the founder of Bug Bounty Village. He has also presented at both the C0c0n and Seasides Conference. 

2) What inspired you to start the Seasides Conference? Maybe share a story of how you came up with the idea for the Seasides Conference.  

Prashant: Barring a few exceptions, I have attended almost all Nullcon events to date. During the Nullcon training days, we used to simply roam around on the beaches. At that time, we thought, "Why not do something useful?" The idea came to us: "Why not organize some free events that provide quality education to individuals from humble backgrounds?" Hence, the idea of Seasides was born. We were fortunate that Bugcrowd was our first sponsor, and then we secured good sponsors all along the way. If it weren't for the generous sponsorships and our enthusiastic team, we would not have been able to sustain this event.  

Parveen: The Seasides conference's motto is to offer free cybersecurity training to the community, aligning with the ethos of the hacking culture that believes knowledge should be freely accessible to all. We aim to foster the growth of the cybersecurity community without imposing the burden of conference fees on individuals seeking to expand their knowledge in this field. 

3) What were the major challenges you faced in the early stages of establishing the conference? 

Prashant: Finding a venue within our budget was a major challenge. The first event we organized took place at a location with false partitions and no air conditioning. Nevertheless, people showed up with great enthusiasm, and the event was a huge success. We only determine our expenditure after we have estimates of sponsorship, which helps us keep ourselves in check. 

Parveen: The major challenge we faced was figuring out how to initiate the conference and garner support from sponsors, especially given our limited experience in conference management. Initially, our plan was to provide training to only 30-40 students. However, as things progressed, the cybersecurity community in India expressed significant interest in our event. Consequently, we had to transition from a limited number of students to an open-ended approach while still maintaining our commitment to free access and ensuring the quality of the training materials. 

Over time, sponsors began to place their trust in our initiatives, and they started providing sponsorship. Last year, our conference saw tremendous growth, with more than 500 attendees participating. 

4) What are the primary objectives and goals of the Seasides Conference? Perhaps you can elaborate on the main themes of the Conference. 

Prashant: The main objective of the conference is to provide premium quality training to attendees free of cost. We consider the event a success even if we are able to change just one life. Our event primarily consists of training sessions, the topics of which can help students and professionals enter the field of cybersecurity or master certain subjects. This year, we have each day dedicated to specific skill levels. For example, the first day is for advanced training, the second day is for basic level, and the third day focuses on enterprise security-related topics. 

One of the major fun aspects of the conference is our memes and informational posts. We are fortunate that our core group of volunteers has grown from single digits to more than 50 today. Our volunteering team thoroughly enjoys creating memes and blending humor with technology. 

Parveen: We have consistently adhered to the principle that our conference should revolve solely around the sharing of knowledge. Our traditional sessions on topics such as application security, blockchain security, and car hacking will remain a staple. As always, training sessions, meals, and social events will continue to be free and accessible to all. 

We proudly organize Seasides (https://www.seasides.net), a no-cost Infosec conference in India. The conference's primary goal is to provide high-quality cybersecurity training to everyone, free of charge. Furthermore, we extend a scholarship opportunity of 5,000 INR to underprivileged students, enabling them to participate in this event. 

5) How does the conference contribute to the cybersecurity and technology community? 

Prashant: The main objective is to expose students and professionals to various domains in information security. In addition to raising awareness, our events have also assisted many young students in securing jobs. Our sponsors actively seek out talented individuals, and we have successfully recruited some excellent candidates from the event.  

Parveen: In our own modest manner, we are contributing to the growth of India's cybersecurity ecosystem. Last year, several organizations conducted recruitment activities at our conference and even extended job offers on the spot, including many of our scholarship recipients. We are optimistic that more organizations will recognize the talent pool at Seasides and choose to recruit skilled individuals from our event in the future. 

6) There are several renowned cybersecurity conferences like DEFCON, BlackHat, and our own Indian NULL. How does the Seasides Conference differentiate itself from these events? That is, what unique features or offerings does the Seasides Conference bring to the table that set it apart from other similar conferences? 

Prashant: We aspire to be among the list of conference names you mentioned. Nullcon has done a fabulous job of attracting top-quality researchers from all over the world to India. Nullcon is widely regarded as the best conference in Asia, and many of us have grown and learned through our experiences at Nullcon. 

Our primary focus is on students and young professionals who wish to enter this field. Many students face financial constraints when it comes to covering travel, accommodation, and conference fees. We aim to provide them with the opportunity to experience the atmosphere of world-class conferences without worrying about the cost. 

Parveen: Most of the conferences mentioned above serve as excellent platforms for connection, learning, and networking. However, attending these conferences often comes with substantial financial expenses, which not everyone in India can readily afford. In contrast, Seasides offers high-quality training completely free of cost, making it accessible to anyone on a first-come, first-served basis. 

7) How has the Seasides Conference fostered a sense of community among attendees, speakers, and participants? 

Prashant: As mentioned earlier, our core group of volunteers has grown from single digits to more than 50 today. Even after the conference, team members stay in touch and are always on the lookout to take the conference to the next level. In that way, we are a close-knit community.  

Parveen: Fortunately, all of our speakers have generously offered their training services free of charge up to this point, sharing the same goal of educating and nurturing young minds in the field of cybersecurity. This year, we are introducing a change by compensating our workshop trainers for their dedication and hard work. Additionally, we are bringing in renowned experts from outside India to share their experiences and provide valuable insights to our attendees. 

8) What opportunities does the conference provide for networking and collaboration within the cybersecurity field? 

Prashant: Seasides parties are always legendary, and as much as people look forward to the training, they also eagerly anticipate the Seasides parties. This is a crucial aspect of our networking. In addition to that, we have WhatsApp groups and social media interactions that facilitate collaboration among attendees. 

Parveen: Our conference draws a diverse audience, including both professionals and students, creating a valuable opportunity for mutual connection and learning. To further enhance the experience, we are introducing a Career Booster session at the conference. In this session, esteemed professionals will review resumes and assess aptitude through interviews, providing students with a unique opportunity to gain real interview experience. 

Furthermore, this year, we are introducing a distinctive element by bringing in an English teacher. This instructor will focus on teaching effective communication and interview skills, equipping attendees with essential abilities to excel in their careers. 

9) How do you ensure a balance between technical depth and accessibility for a diverse audience? 

Prashant: We have wCTF, a dedicated Capture The Flag (CTF) competition, to encourage more women to participate in playing CTFs. We consistently have a good number of women trainers and attendees. With a wide range of training sessions, we strive to ensure that people of all skill levels can attend the event and derive value from it. 

Parveen: To create a well-rounded conference experience, we implement several strategies. First and foremost, we curate a diverse speaker lineup that caters to a wide range of expertise levels and backgrounds. This ensures attendees have a plethora of options, from deep technical talks to more accessible introductions. Additionally, we organize the conference into distinct tracks, separating highly technical sessions from those more suitable for beginners. To further enhance the learning experience, we offer workshops and training sessions tailored to various skill levels.  

Our panel discussions provide high-level insights and encourage engaging conversations for a broader audience. Session descriptions are meticulously crafted to indicate the intended audience and technical depth, empowering attendees to make informed choices. Moreover, we foster networking opportunities, enabling knowledge exchange between beginners and experts. Q&A sessions following talks allow attendees to seek clarification and bridge the gap between technical depth and accessibility. Lastly, we highly value attendee feedback, using it to refine future conferences and strike the perfect balance between technical depth and accessibility. 

10) As the founder, where do you envision the Seasides Conference in the next few years? Any plans for expansion or evolution?  

Prashant: We aim to introduce more hardware hacking sessions and invite more researchers who specialize in hardware hacking. This is one area where we aspire to make a contribution and encourage the growth of hardware hacking expertise within India. 

Parveen: As the founder of the Seasides Conference, I am fully dedicated to charting a dynamic and promising course for our event's future. To begin, we are committed to extending the conference's influence well beyond the borders of India. This will be achieved through the inclusion of virtual components and the organization of satellite events across diverse regions, aiming to attract an international audience eager to engage with our vibrant cybersecurity community. Additionally, we will introduce specialized tracks dedicated to emerging trends within the field. These tracks will explore cutting-edge topics such as AI and machine learning security, IoT security, quantum computing, and revolutionary technologies like blockchain. This forward-looking approach ensures that our attendees remain at the forefront of the ever-evolving cybersecurity landscape. 

11) Is there anything else you'd like to share with the CySecurity News audience about the Seasides Conference or your journey as its founder? 

Prashant: A tremendous amount of effort goes into the planning and execution of this event. Beyond the goodwill it generates, we don't expect much in return. All we ask from attendees is to share some kind words on their own accord. Particularly, we appreciate it when they express gratitude towards our sponsors and hardworking volunteers. 

Parveen: My journey as a co-founder of the Seasides conference is undoubtedly rewarding and heartwarming. The stories of students receiving scholarships and job opportunities through Seasides, and how it positively impacts their lives and families, are incredibly fulfilling. It's a testament to the valuable work our team is doing to support and empower the cybersecurity community. The sense of making a meaningful difference in people's lives and contributing to the growth of the industry is a source of great pride and satisfaction.  

12) Lastly, how can interested individuals learn more about the Seasides Conference and get involved? 

Prashant: Certainly, I encourage anyone interested in volunteering for Seasides to check out the website at www.seasides.net and follow their social media handles. You can also reach out to them via direct message (DM) as they are always on the lookout for new volunteers with diverse backgrounds and skills. 

Interview with Waylay: Power of Automation to Everyone?

 

On 8th January, E-Hacking News conducted an interesting interview with Waylay. The guest speaker for the interview was Mr. Veselin Pizurica, CTO & Co-Founder, Waylay. The company helps to connect IoT solutions to IT systems, empowering them to build new applications faster and better than ever before.

Q1. Can you please tell us about “Waylay” as a company? 
Waylay is a technology company that builds automation software for the Internet of Things. Our platform is used by enterprises to develop new digital solutions with IoT, IT, and OT data in the most flexible way. We have about fifty enterprise customers from Australia, Japan, Europe to the US. We are expanding to the US with a physical presence because we’d like to provide better support for our US customers. Today we are more focused on OEM technology, meaning we work as an invisible layer, where other companies can buy our software that integrates our automation technology with their solutions. 

Q2. In what industries is Waylay useful? What type of customers may be interested? 
In the context of IoT, one has two approaches – either go for a vertical approach or be a platform-neutral player where other customers create their own solutions based on automation technology. In this regard, we are the latter case. Our customers are either in smart buildings or HVAC connected appliances or even B2C. Our technology is used mostly in manufacturing spaces, smart buildings as well as HVAC. The reason customers are interested in Waylay is because we are a cloud-capable platform as well. We have built a unique set of interfaces that work on top of all other cloud technology in a way that the bigger automation players can replicate the same use case in different clouds. 

Q3. Do you integrate with the existing HVAC system? What if an end customer wants to integrate into your dashboard, how do they do it? Do they need to put a specific IoT controller for this? 
What we have done is to create a kind of convergence layer that integrates with other IoT clouds or IoT systems in such a way that we just put in data from a variety of different systems. In other words, we are just saying we’ll create a bridge layer that can integrate with our system. Secondly, many of these HVACs are not connected and they will never be connected. Our technology offers the opportunity to integrate with other IoT systems. We are not enforcing our connectivity on our customers; we are rather saying, whatever we have already, we’ll create a layer that will enable us to get data into our systems. 

Q4. Do you directly work with OEM (Original Equipment Manufacturer)? If so, do you have a development kit for OEM? What are the types of OEM you work with? 
We do actually. If you take the HVAC suppliers/manufacturers, they face a couple of different problems, and none of them are actually trivial. So, basically what we offer is a sort of total automation that enables experts from both sides of the story (machine learning builders and machine learning experts) to be brought onto one platform to be able to do total automation. The next thing you could do is offer new services; people are actually renting machines as a service rather than actually selling them. For instance, if you like to rent a machine as a service, then your absolute interest is that the machine operates with optimum settings. 

Q5. IoT awareness is so low in many countries, will Waylay contribute positively to increase awareness in the IoT space? 
There are various angles to answer this question. First, IoT is something that people have been talking about for a long time. In a B2C context, if you buy any device, one or the other way, it is connected, it’s just that people are not aware of that. In smart home automation, it is already happening. In industries, things are much more complicated as there is a lot of different technology. Now, awareness also depends on the countries, some people are more eager to try things than others. In industries, the very first problem is connectivity, it not only depends on the use case vertical but also on the country. The thing with IoT is, it’s already happening but not at the same pace (compared to other technologies). What makes our company very confident is eventually, everything will be connected, it’s just that the pace of adoption in some countries is slower than others. 

Q6. Your blog talked about “Waylay’s Digital Twin Revolutionizes Provisioning in Industrial IoT.” Please tell us more about it. 
When we talk about Digital Twins, we are talking about the digital representations of the objects. It can mean different things to different people. “In an ideal world, all equipment would be connected. In reality, millions of legacy machines are locked out of Industry 4.0 solutions because of the prohibitive cost of retro-fitting them.” 

Q7. How has Waylay helped to bring a change in the Digital Industry? 
Our goal is to bring the power of automation to everyone. Waylay believes that automation liberates human intelligence, cuts down costs, and increases value creation.

An Interview with Mr. Dependent of Defencely.com: Tushar R. Kumbhare

1. Introduce yourself:
Hello EHN readers and everyone else from the World Wide Web Community, I’m Tushar Rajhans Kumbhare from India. Probably, your next question would be related to my work, so here goes: I am pursuing a B.E Degree in Telecommunication & Electronics.

At the moment, I am awaiting my study completion, which is going to take a while. However, what I actually do right now and something that has become my destiny as of last few weeks, is my role as a Security Analyst and Pen Tester at Defencely.Com.

I’m too chatty, aren’t I? To cut it short, Defencely is India’s number one and upcoming online cloud penetration services company. Prior to joining their team, I was independently working as a security researcher, and got several awards of recognition from:

• Microsoft
• Apple
• Adobe
• RedHat
• PayPal
• ZenDesk
• Weraki
• Avira
• iFixit
That’s about it… I guess.

2. How did you get into Information Security Field?
Yeah, that is an interesting tale. Generally speaking, I belong to the modern generation, where kids are fascinated with the idea of computers, website hacking, security intrusion, whether good or bad, and reverse engineering. I guess it kind of gives them a sense of control and purpose in life.

However, there are hardly any cases when these “kids” grow up to pursue their dreams. I, for one, loved the idea of computer and website hacking. Not that I was a hardcore hacker, I did things ethically and wanted to become part of the good guys team :P

I just got my laptop 3 years ago. Before that, I was using computers at par level. It is unbelievable, right? It took me 3 years to get better at online security penetration related stuff. As the story goes, there I was in my 2nd Semester’s Programming class. They have that mandatory C language course for everyone.

The first day when I was in C language lab, I was the only student sitting in front of a computer that wasn’t even powered on. How so? I didn’t know how to turn that “darn PC” On. The snobbish teacher walked up to me, thinking that I was just wasting her time, and said, “Why don’t I see you writing any program like the rest of the class?”

I hesitated. By then the dialogue took a wild turn when I admitted to knowing nothing about powering on computers. Her words: “What” and “Get out of my class, young man” still echo in my head. Besides, I was the laughing stock of the entire university for about two weeks.

My parents were very supportive of me. They spent a chunk of their savings to buy me a laptop. Since then, I have been pursuing my fascination, which is computer and website hacking. From then on, I scavenged all kinds of knowledge about Hall of Fame security acknowledgements.

Hard work and persistence took the better of me, and there I was, trying to get listed on these company pages.

3. Why did you choose to become a Security Researcher?
Curiosity is the harbinger of dreams - (I just came up with this quote myself. Dibs on that) I already said that security research always inspired something in me. Therefore, I set off to develop my “how stuff works” mentality. My long term goal was to get listed in various websites’ Hall of Fame pages. They have these pages set up for security analysts; anyone who points out a vulnerability in the system.

But it wasn’t easy. Endless nights and countless hours were spent to achieve this dream. I worked diligently and was finally able to become a part of society that believes in making the internet a better place for all.



4. How did your first vulnerability report go? How did you find it and what did it feel like at that time?
I’m very glad you asked that question. No one forgets his first encounter with a big company. For me, it was Microsoft back then. After detecting a vulnerability in their network, I reported it without any hopes of seeing my name at their website’s Hall of Fame section. Time went on, and one day I got confirmation from the guys at Microsoft. They thanked me as their company’s custom goes.

It was the most wonderful moment of my life. I was ecstatic, speechless, happy and downright surprised at myself. The incident sparked confidence in me and motivated me to pursue cloud penetration professionally.

Here I’d love to tell all aspiring security analysts that you are your own boss. The so-called “experts” will not only laugh at you, but they’ll also refuse to help you. People hardly part ways with their knowledge in this field. Therefore, you have to work hard and one day you’ll overcome your dreams.



5. What's your research that makes you especially proud?

3 months ago was a “Bug Hunting and Reporting” season for me. I’m not talking about pesticides and actual insects lurking around; it was kind of a virtual online thing. Jokes apart, it took me a lot of time to cover the gaps. No one guided me, or helped me; all upcoming security researchers know this by heart.

The crux of my research is to manually scan any online resource for security threats, and then report it to the concerned authorities. Other than computer related stuff, I also submitted a research paper on Einstein’s Theory of Relativity in 12th Standard. They thanked me and gave me a certificate. I guess this “research” factor comes to me by blood :P



6. How do you feel after being part of Defencely?

How did I feel? I can’t give words to my feelings. First of all, Defencely is the only cloud penetration services company that purely hails from India. There are others too, but most of them are headed in the U.S of A, with some team members scattered around in India.

So it was a big deal for me to be a part of a network that belongs to my country. Defencely also inspired me to chase my dreams with due diligence. Besides that, my parents were damn proud of me… at last. I was kind of a lazy bum in studies, so my dad started doubting my future. I’m going to dedicate the rest of my time and effort to Defencely and brute force ethical standard hacking.



7. What is your advice for new bug hunters?

Dear brothers, I know it is quite easy to give advice, but bear with me. As an upcoming security researcher of high caliber, you have to throw yourself at it. No one is going to teach you or hold your finger.

Keep in mind the high competition factor and make the internet your new teacher. On your way, you’ll meet all kinds of people. Some of them will vow to help you but they won’t. Others, though EXTREMELY rare, will give you in depth knowledge about hacking and security assessment. That’s about it. The rest of the stuff, you’re going to have to handle it on your own.

Stay motivated and don’t lose hope, no matter what kind of field you are interested in. By the way, start immediately with OWASP standards. Move your skills across WASC classes and learn anything that any online tutorial has to churn out.

Got it? Why are you still here, then? Go and start your work!

Here’s another one of my chin up speeches for you: To be successful in this field (or any field) you must have a positive and “can do” approach in life. Don’t let haters and their negative energy take you down. You will feel like a loser every now and then – this happens, but don’t give up on anything.

As a matter of fact, you can connect with me on:





8. What do you think about E Hacking News?

EHN is a great opportunity for anyone who is connected to the internet. Granted that you are contributing to someone or something and it is related to the scope of this website, talk to their super friendly admins. They will love to interview you; expose your skills to the world and help you meet fellow community members.

Already EHN has created buzz with its published content. I can only wish you guys all the best for your future endeavors.

9. Is there anything else you like to add?

I would like to add a few things here. First of all, a very special thank you note goes to Mr. Ritesh A. Sarvaiya, CEO and Founder of Defencely.Com. His character and role definitely bypasses as that of a CEO, which itself is a big responsibility these days.

Ritesh Sir (as everyone likes to call him that) has a knack for finding talent all over the world. One thing that I love about him is the fact that he is one of the very few people who would go to extremes to give your destiny a shape. As long as you have the talent to show for, and something that Ritesh Sir can work on, you’ll have it.

Atul Shedage. To me, Atul is like a brother and a great mentor. He is CTO (Chief Technology Officer) at Defencely. We have already heard a lot about him. He is the youngest Indian CTO to receive multiple awards of recognition from many online companies.

Lastly, I would like to thank Sabari Selvan; EHN website webmaster and owner. Without his unmatched support, I wouldn’t be here talking about my dreams and everything that you just read. Thanks Sabari, and good luck to you with whatever you are up against in life. A bunch of appreciation also goes to the entire Defencely and EHN panel. You guys rock.

Exclusive Interview with Security Researcher Prakhar Prasad

Today, E Hacking News had a chance to interview one of the Indian security researchers, Prakhar Prasad, who recently received a $5000 reward from PayPal for a file upload vulnerability.

1. Introduce yourself
I'm Prakhar Prasad, 19 years old from Ranchi, Jharkhand. I love playing with and breaking Web Applications' Security. I've found critical vulnerabilities in the majority of popular websites like Google, Facebook, Twitter, PayPal, Adobe, Apple, Symantec, Nokia-Siemens Networks, etc.

I'm also working on Exploit Writing, Anti-Virus evasion techniques and Malware Analysis.

2. How did you get into Information security field?

I got into Information Security when I was in class 10th, because of an incident. One fine morning I was reading my local newspaper, and on the front page of the newspaper there was a screenshot of my state government's website showing - "Hacked by Ashiyane Digital Security Team". This incident fascinated me completely, like - how can someone change a website's homepage with his own message? I started Googling around and then learnt how websites and stuff worked from a security point of view.

Then the love for information security took me to a whole new level. Sleepless nights, with a burning desire to learn as much as possible.


3. When did you start Bug hunting?

I started bug hunting back in July 2012.


4. What was your first finding, and how did you feel at that time?

My first finding was a clickjacking bug in Google Website Translator Toolkit, that allowed me to add an arbitrary "Admin/Editor" on someone's account by redressing the page.

5. What is the favorite vulnerability found by you?

Umm.. My favorite one is the Blind SQL Injection bug I found on PayPal's Notifications website. But I also like a permission bug I found in a PayPal acquisition that allowed me to unsubscribe any user of my choice from their mailing list.

6. How much have you earned so far from Bug hunting?

I'd keep it private :) But it's more than enough !

7. You're hunting bugs for fun, for profit, or to make the world a safer place?

I hunt bugs basically for fun and to keep the world a safer place. But now various bug bounty programs have started that allow me to earn alongside the points I mentioned.

8. What are your future plans?

Can't say anything right now, I'm still learning things. But I want to do something really big for my country, India.

9. How did you feel when you received $5000 from Paypal?

It was a huge surprise. When my bug got validated I was expecting some big amount. But when I was paid the exact, it was enormous.

10. What is your advice for new bug hunters?
Just use Google to learn everything from scratch, it is the most powerful tool to gain knowledge of ANY KIND.  Don't opt for some Tom, Dick and Harry Ethical Hacking courses, they teach half-baked concepts and suck your money. Google is the best thing to get things started, don't be like a spoon-feeding child. I'd recommend a book called the Web Application Hacker's Handbook, to start off.

One must watch Nir Goldshlager's HITBAMS2012 talk on Killing a Bug Bounty Program Twice. It's the best video out there regarding bug hunting.

Remember always, hunt bugs for fun, to learn more, not just for money. If you are honest with your work, you'll get fame, money and all success. But if you just use automated tools, then you're gonna have a hard time finding bugs and success in the InfoSec world.

Automated tools just can't find bugs in big websites, plus they kill the fun of finding bugs manually. Semi-automated/manual tools like Burp Suite and Zed Attack Proxy are cool to work with.

11. What do you think about E Hacking News?

It's a very good news source; it keeps me updated about the happenings of the InfoSec world. I appreciate the work done by the team.

BreakTheSecurity is also doing a great job, in providing tutorials and similar stuff.

Keep up the good work!

12. Thank you. Is there anything else you want to add?

I'm very thankful to EHackingNews for providing me the platform to share my views and experiences!

If anyone wants to connect with me, then I'm on Twitter: @prakharprasad

My best wishes to all learners and EHackingNews.

An Interesting Interview with Security Researcher & CTO of Defencely.com: Atul Shedage

E Hacking News had an interesting interview with Atul Shedage, a security researcher and CTO of Defencely.com. Here we go,

1. Please introduce yourself to EHN's readers

Hello EHN world, let me take this fragment of a moment to thank you all for this interview. That being said, I’m Atulkumar Hariba Shedage from Maharashtra – Pune. But you can call me “Atul”, as I am mostly known by my short name in the online world.

I am currently assigned as the CTO (Chief Technology Officer) at Defencely. It is an online platform for detecting, reporting and fixing website vulnerabilities for clients from all over the globe. Nothing pleases us more than being able to render our skills for popular companies, such as:

  • Google
  • GitHub
  • ZenDesk
  • RedHat
  • PayPal
  • Apple
  • Zendesk
  • Zynga

At the moment, I am in the middle of pursuing my academic career in Masters of Computer Science from Pune University. Besides pushing in boring assignments and taking notes, hacking and critically analyzing online security vulnerabilities is my second passion.

2. Why did you choose to become a security researcher?

Hmmm… this security researcher field wasn’t really planned. I’d say it was my destiny to become known in the online security field. Upon enrollment in the Bachelor Degree program, I had hopes of being one of the best web designers or programmers for that matter.

Back in 2008, I met this guy, Anil, who later on befriended me. He gave me the idea of giving online security a shot. As they say, “You ain’t got nothing to lose if you are going to try.” I put my hunches ahead of me and started taking introductory tutorials from every possible source.

Before you knew it, I was drenched in the passion of creating or doing something worthwhile in this field, which is why we are having this interview. Fate and hard work brought me here; destiny brought us face to face.

3. Tell me something about www.Defencely.com

Defencely is completely different from any automated website scanning or monitoring service. That’s because we take steps to secure your website before something goes wrong, rather than trying to pinpoint and clean up the mess after the fact. Our security experts have been trusted by dozens of top corporations, Fortune 500 companies and small businesses around the world to provide flexible, lightning-fast responses to security threats the moment they’re found.

What really matters is how we operate and render our services – these two elements are the crux of helping us signify ourselves. Defencely believes that nothing on the Internet is secure, which is the first and foremost rule of online security services.

Secondly, we not only detect vulnerabilities, but we also provide long-lasting solutions / fixes to them. On common grounds, any web security company can detect vulnerabilities. They can get small-time scanner software to take the sting out of “manual labor”, if you’d like to put it that way. The Defencely team, on the other hand, is able to fix and detect vulnerabilities because of its robust knowledge base and real-life experience of dealing with such situations.

4. What's your research that makes you especially proud?

Something that has made me proud…? Hmmm <scratching my chin>. I can’t or maybe I don’t want to say for sure about what has made me truly proud… yet. I believe that one can only feel proud when he or she has indeed achieved a lifelong goal.

However, I did stumble upon moments of happiness and rejoicing. For instance, being able to talk to big online companies about gaping holes in their security systems, contacting big shots such as “Adam” from Google’s security panel, getting acknowledgements from the ZenDesk security team and vice versa – this is what is taking the Defencely team and myself to an unknown destiny in the skies above.

Overall, it is a killer experience.

5. What advice would you give a website admin to secure their site?

As stated a little while ago, there is no such thing as security. Once your product or website has gone live, it is always exposed to unknown threats from all over. I would implore web admins to secure their websites by hiring able security researchers to help stop any possible damages.

Yes, it is true that you can never secure anything to a 100% extent. But, if adequate steps are taken, you can prevent a great deal of hassle in the long run. Also, your security levels will reach a point where so-called hackers would have a hard time breaching all the parameters.

6. How did you step into the Information Security field?

It was the year 2008; I was freshly enrolled in the BSc 1st Year Degree Program. Within a few months of meeting new people, the subject of online security piqued my interest way too much. I had to do something about it.

I joined forums, read stuff on Google, trained myself through various web security tutorials and never looked back. It was those hours of sheer self-motivation, endless nights of reading, watching and self-mentoring, which eventually paid off in huge dividends.

I also followed a couple of security researchers on Twitter, and made friends with some very interesting individuals. I am thankful to everyone for believing in me and supporting me throughout those tumultuous times.

7. What vulnerabilities have you discovered so far in your career as a Security Researcher?

I have gone through the OWASP Top 10 vulnerabilities, ClickJacking incidents, the WASC 26 Vulnerability Classes, etc. Practically speaking, I don’t limit my knowledge to a particular set of vulnerabilities, as I try to learn and discover something new each day.

These days, I’m mostly focusing on collaborating with Defencely and on 0-day vulnerabilities. So far, the results and the feedback have been quite good. We also reported some vulnerabilities in a WordPress plugin and a gallery project that were patched right after we sent notifications to the developers.

8. Where do you see Defencely in a few years?

Right now, it is still too early to say where Defencely would be in a few years. Things look very bright and there are no worst-case scenarios to foresee. The reason is that Defencely excels where others don’t. We are all backed up by very supportive individuals and a set of minds that are extremely proficient in their relevant fields.

Like I said before, it takes knowledge of the unknown and vast experience to report those vulnerabilities that aren’t even discovered yet. We don’t work a lot with scanners. Manual man-hours and lots of hard work are going to take Defencely to new heights of stardom in the tech niche industry. The next few years are absolutely going to be rewarding, and awesome.

I have strong faith in the leadership of Ritesh Sarvaiya, who is CEO of Defencely.com, and with his vision I look forward to seeing Defencely growing by leaps and bounds in the years to come.

9. What is your advice to newbies who are interested in the PenTesting field?

Newbie testers and ethical hackers are strongly advised to stay motivated. As a friend, I am telling you guys to never give up on your dreams. Keep learning and keep looking for answers. I know it is very easy to partake in words of wisdom, but I have experienced adversity in my life.

The key to remaining successful in the online security field, or anything, is to believe in what you’re doing. Believe in your goals wholeheartedly as if your entire life depends on them. By the way, join forums, engage in talking to security panel members and start by reporting vulnerabilities for the sake of helping other individuals on the internet.

Soon you will start getting recognition.

If you guys need any kind of extended support from my end, do not hesitate to connect with me on Facebook, Twitter & LinkedIn.

10. It is nice to talk to you. What do you think about E Hacking News?

I think that with a staggering 18K+ Facebook users, a constantly updated content database and lots of interesting information, ‘E Hacking News’ is aggressively doing the right thing. You guys are one of the few who believe in creating a buzz with actual reports and not just filler articles.

I’d love for ‘E Hacking News’ to go beyond the horizon and get more recognition from the entire World Wide Web community. Thank you Sabari, and two thumbs up to you for undyingly pursuing your goals on the internet.

11. Is there anything else you'd like to add?

I’m glad you asked this question. Without mentioning a few names, I would be feeling ethically impugned, which is why I need to give credit where it is due.

Let me thank Mr. Ritesh A. Sarvaiya, CEO and Founder of Defencely. With his ingenious thinking skills and a drive to find new talent, Ritesh is always on the verge of creating something new. I believe that he has the brain of a whiz kid because of the way he has been creating teams and helping people discover their true potential.

Following that, I’d like to thank Mr. Rahul Varshneya. He is a Defencely Advisory Board Member. But trust me, Rahul’s position goes beyond that of an advisor. He has more than a decade of pure entrepreneurial skill, a knack for mentoring and for helping startup businesses get up on their feet.

Rahul is currently administering several ongoing projects and businesses. There is Arkenea Technology, a partner to entrepreneurs and clients who seek professional help concerning mobile apps and businesses. Then there is his invite-only membership in the ‘YEC – Young Entrepreneurs Council’, which he is using to guide bright minds.

Mr. Rahul Varshneya is also a writer, and a pretty good one at that. He is a published author at ‘Under30CEO’, Entrepreneur.Com and VentureBeat. His experience is indeed enlightening for digital marketers and various internet-based brands.

Finally, there’s Bilal Malik, who is designated at Defencely as our ‘Lead Content Manager’. Mr. Ritesh scooped him up after believing in his talents at the break of their first online encounter.

Anything that needs to go down in written form is always run by this guy. Be it documentation, haphazard survival guides for security service seekers, PRs – I mean anything. Merely calling Bilal a writer would probably be unnerving for us.

All other members of Defencely, and people from the technical departments, are equally acknowledged. Without you guys, and without an amazing team, I wouldn’t have been here today working together as brothers in arms.

Sabari, it was fun answering all your questions. My regards to you and your loved ones. Have a great day.

E Hacking News Exclusive Interview with Aditya Gupta, co-founder of XY Security

Today, E Hacking News interviewed Aditya Gupta, one of the famous Indian security researchers and co-founder of XY Security. He has been listed in a number of Hall of Fame pages for hunting bugs.

*. Hi, Please introduce yourself to EHN readers.

Hello, I'm Aditya Gupta. I'm a security researcher and also the co-founder of a security firm named XY Security. I also like hunting for bugs, whenever I get time, and have found serious vulnerabilities in websites such as Google, Microsoft, Facebook, Apple, Adobe, PayPal, WebKit, iOS (WebKit and iOS patch yet to be released) and so on.

I've also developed the mobile exploitation framework Android Framework for Exploitation (AFE) along with my partner Subho Halder. That, I think, says much about me.

*. How did you step into this InfoSec field?

Well, I stepped into this field a few years back when I was preparing for my IIT-JEE in Kota.

So, instead of attending my classes in Bansal Classes, Kota, I ended up having nightouts in cyber cafes there, and learning more and more about hacking.

Even when I got admission to my college, KIIT, Bhubaneswar, in Electronics, most of my time went into exploit writing, programming and finding new ways to break the security of various devices and platforms.

It just started as a curiosity and a fun experience, but now it has turned into my full-time profession.

And you know, you should always do what you love. That's what I recommend to everyone.

*. Cool, you are an ECE student?!

Yep. Mainly because, apart from hacking, I am also interested in electronics. And it turns out that if you combine hacking and electronics, it's an amazing duo.

You get to learn about the internals of everything, and it becomes more interesting to find security holes.

That's why I have recently published a research paper on ARM exploitation titled "A Short Guide to ARM Exploitation" along with my friend Gaurav Kumar.

*. You have discovered security flaws in a number of high profile websites, what's the most memorable vulnerability you've discovered?

You know, the most interesting vulnerability I discovered was the Facebook one.
It allowed the hacker to remotely and silently record videos from the victim's webcam and post them to his timeline, without the victim even knowing about it.
And one more interesting one was on Google+. It wasn't very severe, but it allowed hackers to trick victims into updating their status. That was when Google+ had just started. And I think I may have saved it from a lot of spam campaigns, which you used to see on other social networks like Facebook earlier.

*. What is your favorite part of InfoSec, WebApp Pentesting or Mobile Hacking?

I would say that WebApp sec is surely the most interesting one, and you get a lot of satisfaction when you find high-level bugs in a client's website or get bugs in a website offering a bug bounty.

But my personal opinion would be Mobile Hacking. And I believe that mobile would be one of the fastest-growing areas in security soon. And you know, that's why I started working on AFE, and I plan to make it really big in the coming future, one of the de-facto frameworks for mobile exploitation.

For that, I will need a lot of contribution from the infosec field. That is one of the things I'm looking forward to.

I would also like to point out one of the upcoming features of AFE, if you don't mind, which will be included in the next update on March 5th: exploitation of vulnerabilities in applications.

So, it would be like, you just specify the name of the application - say the Facebook Android app - and it would show you if there is any available exploit for it, and boom, the next second, you will be exploiting the vulnerability.

Also, one could find a lot of vulnerabilities in Android apps using the framework, so that, I believe, is one of the reasons the infosec community would be interested in it.

*. Really interesting one. Is AFE open source? Where can I find further details?

It's completely open source. You could find it on GitHub here: http://github.com/xysec/

Also, you could have a look at some details: http://afe-framework.com


*. Tell me something about your company XY Security

It's a company I've co-founded with two more of my friends: Subho Halder and Gopinath Danda.

We provide services like Penetration Testing, Application Audits and especially trainings.

We also present our research and give trainings at international security conferences such as BlackHat, Toorcon, OWASP AppSec, SysCan, Nullcon, Clubhack and so on.

We are based in Bhubaneswar right now and we have a small and amazing team with people who are really passionate about security.

*. Recently, you conducted the Advanced Android and iOS Hands-on Exploitation Course at OWASP AppSec AsiaPac 2013. How was your experience with AppSec AsiaPac 2013?

Well yeah, I had a training over there. It's a nice conference; after all, it's OWASP AppSec.

They are more of a global conference, with international speakers, so I got in touch with other security researchers in person, and it's a nice experience overall.

Unlike my earlier trainings, this one was more of a hands-on one, for which we provided virtual labs and code samples for Android, ARM and iOS.

Also, Jeju Island (the place where this conference was held) is an amazing place.

*. What's your research that makes you especially proud?

Well, I think I have contributed and researched more than anything else on Mobile Security, especially Android.
That is one of the things I'm really proud of having done.
But, you know, one has to keep doing new stuff, and trying out new things every day.
That is how I keep myself busy all the time. But yeah, it's fun.

*. What is your advice for newbies who are interested in the infosec field?

All I would say to them is to be really passionate and dedicated about whatever you are trying to achieve.

Keep learning something new everyday, through blogs, forums, articles and websites.

Don't settle for using tools to find vulnerabilities; unless you learn manual hacking methods, you won't learn anything new.

A tool is really helpful, but only when you understand the functionality behind it.

And yeah, my best wishes to all the ones who are new in this field. Just work hard, and nothing is impossible.

One last thing, you'll surely get criticised at some point or the other in whatever you're doing, just don't give up, and prove yourself!

*. Students used to ask me how to become an ethical hacker and get jobs related to information security, so can you give some advice to them?

To become an ethical hacker, I would suggest you learn about hacking and exploitation, and try it out on various vulnerable targets such as WebGoat, Mutillidae or Metasploitable.

And then one could always go for certifications such as OSCP, SANS and so on.

The only thing that matters if you apply for a job is how much knowledge you have. Also, choose a language of your choice, be it Python, C++ or C#, anything, and code in that language. It will help you a lot if you're looking for jobs.

Because,
Good Programmer + Good Hacker >> Good Hacker

*. It is nice to talk to you. What do you think about E Hacking News?

Well, it's a great website and keeps me updated with all the security news all over the world.

Also, as a media partner of most of the top conferences in the world, it's surely one of the websites I would recommend to everyone.
Really a nice job.

*. EHN really thanks you for spending your precious time. Is there anything else you'd like to add?

I think I told most of the things I wanted to, with my really long answers.
Thanks a lot for your time as well.

An Interview with Bug Bounty Hunter M.R. Vignesh Kumar, from Tamil Nadu

Hello E Hackers, today E Hacking News interviewed one of the best bug bounty hunters, Vignesh Kumar, who has been listed on all Hall of Fame pages, including Google and Twitter, and rewarded by lots of companies for his findings.

1. Introduce yourself

Hi, I am Vignesh Kumar from Tamil Nadu, INDIA. I hold a Bachelor of Engineering in Electrical Engineering and am in addition an Information Security enthusiast and budding Bug Bounty Hunter.

2. You are an Electrical Engineer. How did you get interested in the Information Security field?

Yes, I am. But I am more obsessed with Electronics and Networking. Also, I have a huge passion for Information Security too. I was introduced to and inspired into "Bug Bounty Hunting" by one of my close friends, Ahamed Nafeez (@skeptic_fx).

3. When did you start Bug hunting?

Around 5 months ago. But I started in full swing in the last 3 months.

4. I have seen your name in lots of Hall of Fame pages, and I am really proud to have you as my friend. How did your Parents/Friends react when you got rewards?

Thank you so much for your compliments. At the outset, I would like to thank my Family and all my Friends for all their support and encouragement. Well, when I received my first Bug Bounty (cash reward), I told my friends about it and they looked at me like I was a Cyber Criminal. After I explained the “Bug Bounty Program” to them with a “Proof of Concept”, I could see smiley faces. No wonder!! Even many IT Geeks aren’t aware of the term “Bug Bounty”. Awareness is necessary.

5. What vulnerabilities have you discovered so far in your career as a Bug Hunter?

The vulnerabilities categorized by The OWASP Foundation.

6. What was your first finding, and how did you feel at that time?

I can barely remember the exact first one. But whatever it was, it really drove me to dig more deeply into it.

7. What is the favorite vulnerability found by you?

Each and every one of the vulnerabilities I found in Top Ranked Sites, which include Facebook and Twitter, is my favorite. As you know, finding bugs in Top Internet Giant sites like Google, Facebook and Twitter would be really hard in upcoming days since thousands of researchers are into it. I would like to rephrase a nice quote said by some researchers: “Not only Ninja Skills, but also you must have an Eagle Eye to hunt for Bugs”. Well said.

8. You're hunting bugs for fun, for profit?

Actually, a bit of both. Beyond those, you could gain more knowledge from around and develop your own skill set, which is primary. Also, I am glad that I have earned good friends around the world from this Bug Bounty program.

9. What are your future plans? Electrical Engineer or Information Security Researcher?

Obviously, Electrical/Network Engineer it is. And I believe I have the potential to multitask. So I would continue my InfoSec Research too, either as an Independent or as a Team.

10. What is your advice for new bug hunters?

Well, that question is for Experts, which I am not. I am a Beginner too. But from my experience, I may have a few things. “Bug Bounty Hunting” is totally competitive. You shouldn’t jump into this one just by aiming at money. Have a thirst for gaining knowledge, which will fetch you HOFs, money and all. Don’t feel depressed when you fail for the first few times. Learn to the core and keep hunting, which will definitely fetch you the rewards. Follow the InfoSec experts on Twitter/Facebook and try learning new hunting methodologies from their personal blogs. Moreover, patience is highly recommended if you are a beginner. Once you jump in, you will get used to it.

11. What do you think about E Hacking News?

E Hacking News (EHN) is doing a great job and it is one of the Best IT Security/Hacking News Portals I have ever come across. I must appreciate your efforts in bringing up the real news on IT Security from around the world to all the Readers. I must also mention BreakTheSecurity.com, which has a handful of Tutorials on Penetration Testing & Ethical Hacking for Beginners. Kudos to your efforts!! I would suggest continuing the publication of the monthly Security Magazine from EHackerNews.

12. Is there anything else you want to add?

Nothing else I have. I wish all Bug Hunters very Good Luck for their hunting and a bright future. Thank you, Mr. Sabari Selvan, for this opportunity to share my experience with all. Thanks everyone!!

An Interview with Rafay Baloch - Security Researcher and Famous Bug Hunter

Today, E Hacking News interviewed security researcher and famous bug hunter Rafay Baloch, who has been listed on a number of Hall of Fame pages and received rewards from Google, PayPal, Nokia and more companies which conduct Bug Bounty programs.

1. Introduce yourself

Well, my name is "Rafay Baloch". I am the admin of http://rafayhackingarticles.net, and my primary interests include Security Research, Penetration Testing and Blogging. Right now I am doing my bachelor's in computer science at Bahria University, Karachi.

2. How did you get into the Information Security field?

Well, from my childhood days I was interested in Information Security; however, if you are asking about the serious part, it has been around 3 years since I started researching in this field.

3. When did you start Bug hunting?

I started bug hunting at the end of July 2012, when I saw Microsoft's responsible disclosure page; that's where I started hunting bugs.

4. What vulnerabilities have you discovered so far in your career as a Bug Hunter?

There are so many I cannot remember, as I hunt for them every day. Almost all vulnerability types related to web application security, i.e. RCE, LCE, RFI, LFI, arbitrary file upload, SQL Injection, XSS, etc.

Usually, I find zero-days and keep them private for testing purposes; however, I do release some of them periodically. You can check out my Packet Storm profile.

5. What was your first finding, and how did you feel at that time?

I really don't remember, but my first big finding was an XSS vulnerability inside Microsoft India. I also reported an HTTP parameter pollution vulnerability along with it.

6. What is the favorite vulnerability found by you?

My favorite vulnerability was the remote code execution vulnerability I found last year inside PayPal. I had access to very sensitive stuff: the PayPal subdomain was behind a JBoss server, and I was able to bypass the authentication and upload my backdoor to execute commands. PayPal paid me $10,000 for it, though if I had found it inside Google they would have paid me $20,000.

Along with it, they offered me a job as a senior security pentester. I was not able to go there due to my studies, as I mentioned before that I am still doing my bachelor's.

7. How much have you earned so far from Bug hunting?

I would prefer to keep it confidential. But it's somewhere in the 5 digits.

8. You're hunting bugs for fun, for profit, or to make the world a safer place?

Well, honestly, a little of everything. First of all, I don't only hunt vulnerabilities on websites having bug bounty programs; I also report to websites that do not have them. Some to get listed in responsible disclosures, and of course to make the world a better place.

9. What are your future plans?

I am currently working on http://services.rafayhackingarticles.net, where I will be launching my own Penetration Testing company. Along with it, I will soon be conducting some workshops related to Ethical Hacking and Penetration Testing. From an educational perspective, I am planning to give my CCNP Switch paper this month.

10. What is your advice for new bug hunters?

For new bug hunters, I would say that the competition now is very high; almost every site having a bug bounty program has been researched by lots of researchers, so you won't be lucky with automated tools like Acunetix and Netsparker. Therefore, try to look for the acquisitions and subdomains, go into places where no one has probably been before and try to do some unexpected things. You would have much, much more chances of

11. What do you think about E Hacking News?

E Hacking News brings up good content; however, what I would suggest is to be more frequent with the website. It seems that you are doing the work alone. Any successful news website would have tons of authors to write the content. In this way, more people would subscribe to you.

12. Thanks for the advice. Is there anything else you want to add?

Just one thing: lots of companies have come up with responsible disclosures and halls of fame attracting security researchers to look at their websites for free; however, this would decrease the scope of paid penetration tests and hence de-value them. Hence, I think we should all come up with a thing called "No-FREE BUGS".