Recently we’ve had a great guest visit HackenProof team all the way from Dubai. It is our long time friend – Yasser Ali. He has been a speaker at our HackIT conference in 2017, you can check his presentation here. He is currently a part-time triage specialist at HackerOne. We’ve chatted with Yasser Ali about his job, his hacking background and what he likes to do in his spare time 🙂
- Tell us a bit about yourself?
I am working as a full-time cybersecurity consultant in Dubai. I have been hacking since I was 17 years old. I am also a part-time triage specialist for HackenOne.
- How did you start hacking? What is it about hacking that excites you?
You know, a hacker is “a state of mind”. I was born with it. I’ve always wanted to know “what’s behind the scenes”, how stuff looks on the “inside”, what is “hidden”. I like to explore, I like complicated problems that don’t have a straight answer.
There’s a big difference between penetration testers and hackers. It’s in the mindset.
Hackers are incredibly curious by nature and love to explore new things.
As weird as it may sound, I’ve started hacking even before I knew any programming. I was simply surfing the web and reading hacker forums to find how I could break into applications. In order to do that, you had to learn how to code and hence I’ve started learning programming languages. I’ve studied systems, networks, how Linux works, how windows works, how the internet works in general. All of that I’ve been studying by myself because I was incredibly passionate about hacking. It was like a snowball effect, the more I was reading about it, the more I wanted to find out.
As I’ve been meeting people online, I wanted to meet them in person, so I started attending security conferences around the world to exchange my experience with white hat hackers and find out more about how white hat hackers could help enterprises be more secure.
- What types of bugs do you like to hunt? what are your favorite hacks in your career so far?
I like business logic flow vulnerabilities. Because once you deeply understand the business logic of an enterprise application you can find vulnerabilities that scanners can never detect. I also like to hunt for remote code executions and SQL injections.
Favorite hacks in my career would have to be the eBay vulnerability that I’ve found in 2014. No web scanner could have ever detected that type of vulnerability. You had to really understand the whole application (the logic behind the “password reset” process at eBay).
Also, that same year I’ve found a vulnerability at PayPal. The weird thing is – I’ve literally imagined it in my head (that’s what happens when you think hard about a certain problem for a long time 🙂
- Do you have any hacker mentors? Are there any hackers you follow personally?
Nir Goldshlager – cybersecurity head at Salesforce. His findings have been very creative, I’ve learned a lot from him. I enjoy reading his posts.
Mark Litchfield – he is a founder of Bug Bounty HQ. He is very good at describing the way he is looking for vulnerabilities.
- How do you choose which Bug Bounty Programs to work with?
I was taking part in bug bounty programs that were hosted by large companies, like Facebook, eBay, PayPal, SONY, etc. Because when I was an active bug hunter, bug bounty platforms were not yet around! So the bug bounty programs were hosted by the companies themselves. You had to send vulnerabilities via email sometimes 🙂
But now, sometimes, I participate in private programs. The most important thing for me is to avoid work on programs where I can get duplicates – those really demotivate me.
- What do you do when you’re not hacking?
As you know, I am also a triage specialist for HackerOne, so when I am not bug hunting I do triage work from time to time. If I am not triaging or hacking, I drive around the desert or go to the sea. I don’t have any other activities in my life (laughs).
- Do you use social engineering at work?
Yes, sometimes I am using social engineering. We do security awareness and phishing tests. We try to manipulate employees to bypass the physical security control a client might have.
- Does social engineering have synergies with hacking? Does it help?
Of course, hacker, in a sense, is a social engineer by nature. Because he has to manipulate things around him (people, programs, etc) to break into systems.
- What are the best social engineering educational resources out there? How can one get into “social engineering”?
“Art of Deception” – one of the best books I’ve ever read. It’s not technical, it’s easy to read. That’s a great start if you want to learn about social engineering.
Another thing is – practice. I constantly train myself. You have to practice obviously if you are seriously interested and you have to constantly experiment. Because once a certain social engineering “trick” has been publicly explained – you can’t use it anymore. It’s like a publicly disclosed hack 🙂
- What advice would you give other hackers just starting out?
If you are just entering the field, but you don’t have the passion for it – you should stop right there, turn around and find something that you truly enjoy doing 🙂
The ones who have the true passion and have this “hacker mentality”, you have to figure out what are the things that you are most interested in. For example, if you like the “web” then you need to study HTML, Windows, Linux servers, Mac servers, how the apache servers work etc. Then pick a relevant programming language, PHP for example and study that. Really, today there are a lot of courses about web hacking, so push hard and you’ll be successful.
- How AI will impact hacking in the future, will it give more opportunities to black hat hackers to hack companies?
It’s too early to say, actually. Until now, I haven’t seen any AI tools that pose any real threat. Offensive side – it didn’t work. At least I haven’t seen anything.
The same story for the defensive side, I haven’t seen anything special. We’ll have to wait and see.
Thank you very much, Yasser Ali, it’s been a great pleasure talking to you 🙂