Enjoy the Interview.
Could you tell me which is your technical background and when you started hacking? Which are your motivations?
My technical background in terms of education is that I have a degree in Computer Security and also my OSCP and a few other certs. I started ‘hacking’ from a fairly young age and was around 12 or 13 when I pulled off my first defacement (in around 2006) – as for my motivations, many would have assumed I was politically motivated as I was one of the core members of TeaMp0isoN and the majority of our attacks were for political reasons, but for me it was never about politics and was more about the challenge of seeing whether I could actually figure out how to gain access to high-profile sites, and the learning curve from attempting to do so. I wasn’t expecting an eventual legal response, but oh well... I’m just glad I was still a minor when it happened.
What was your greatest hacking challenge? Which was your latest hack? Can you describe it to me?
My greatest hacking challenge was probably gaining access to Facebook after Anonymous declared their entire ‘OpFacebook’ thing – they made promises of DDoS that were never fulfilled, whereas we actually managed to do what they couldn’t and gain administrative access to Facebook… I’d say that was one of my greatest challenges because we really had to think outside of the box for that one. In addition to that, I’d say some of the targets in TeaMp0isoN issue #3 (which was never actually released) were some of my greatest challenges – issue #3 of our zine was focused on targeting the security industry, so we ended up gaining access to the boxes of some pretty high-profile white hat security experts which took way more effort than it would to gain access to a typical website.
As for my recent hacks, I tend to avoid blackhat stuff but I’ve been doing bug bounties to make cash legally lately. I have also been identifying client-sided bugs in sites that don’t necessarily offer bounties. Some examples of my recent work include finding vulns on sites such as: eBay, Microsoft, Google, Sony, Adobe, United Airlines, Western Union, FBI, CIA, US Department of Defense, US Army/Navy/Marines/Air Force, and many, many more – for a full list of examples see my profile here: https://www.openbugbounty.org/researchers/MLT/ – One pretty funny recent hack of mine was while looking for bugs in the Department of Defense and US Army, I ended up finding some fairly critical vulnerabilities, one which was a GET-based SQL injection in a flawed Java servlet which could potentially reveal the personal details of many DoD employees, and another was in the US Army which was Local File Disclosure – the funny part about that last one is that the script which they were using to get the files (which accepted user-supplied inputs) was running with root privs so it was possible to disclose the contents of any file on the server, in my example I disclosed /etc/shadow and they were using $1 hashes which are easily crackable – I did a port scan of the server and they had their SSH daemon running on the default port. An attacker could have simply cracked the shadow hash and SSH’d into a US Army server as a root user. You can read more about that here: https://motherboard.vice.com/read/researcher-finds-several-serious-vulnerabilities-in-us-military-websites
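The answer above mentions that the disclosed /etc/shadow contained $1 (MD5-crypt) hashes, which are cheap to crack. The following is an added example (not code from the interviewee or from Security Affairs) of the check a sysadmin would run on their own shadow file to find accounts still protected by weak hash formats. The shadow lines it parses are constructed dummy entries with made-up hash values, and the `CRYPT_IDS` table and `audit_shadow` function are this example's own.

```python
"""Audit /etc/shadow-style entries for weak password hash formats (added example)."""
from dataclasses import dataclass
from typing import List, Tuple

# crypt(3) id prefix -> (algorithm name, considered weak?).
# "$1$" is MD5-crypt, the format the interview calls "easily crackable".
CRYPT_IDS = {
    "1": ("md5crypt", True),
    "2a": ("bcrypt", False), "2b": ("bcrypt", False), "2y": ("bcrypt", False),
    "5": ("sha256crypt", False),
    "6": ("sha512crypt", False),
    "7": ("scrypt", False),
    "y": ("yescrypt", False),
}


@dataclass
class ShadowFinding:
    user: str
    algorithm: str
    weak: bool
    reason: str


def classify_hash(field: str) -> Tuple[str, bool, str]:
    """Return (algorithm, weak, reason) for the password field of one shadow entry."""
    if field == "":
        return ("none", True, "empty password field: login possible without a password")
    if field.startswith(("!", "*")):
        return ("locked", False, "account locked or password login disabled")
    if field.startswith("$"):
        # "$1$salt$hash".split("$") -> ["", "1", "salt", "hash"]
        parts = field.split("$")
        ident = parts[1] if len(parts) > 1 else ""
        if ident in CRYPT_IDS:
            name, weak = CRYPT_IDS[ident]
            reason = ("MD5-crypt is fast to brute-force on modern hardware"
                      if weak else "modern slow hash")
            return (name, weak, reason)
        return ("unknown", True, f"unrecognised crypt id ${ident}$")
    if len(field) == 13:
        return ("descrypt", True, "traditional DES crypt: 8-char limit, trivially cracked")
    return ("unknown", True, "unrecognised hash format")


def audit_shadow(text: str) -> List[ShadowFinding]:
    """Classify every entry in a shadow file; comments and blank lines are skipped."""
    findings = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 2:
            continue
        alg, weak, reason = classify_hash(fields[1])
        findings.append(ShadowFinding(fields[0], alg, weak, reason))
    return findings


def weak_accounts(text: str) -> List[str]:
    """Usernames whose password field should be rehashed or locked."""
    return [f.user for f in audit_shadow(text) if f.weak]


# Constructed sample data: the hash strings are dummies, not real credentials.
SAMPLE_SHADOW = """\
root:$1$abcdefgh$0123456789abcdefghijkl:17000:0:99999:7:::
daemon:*:17000:0:99999:7:::
alice:$6$saltsalt$longhashvalue:17000:0:99999:7:::
bob:$y$j9T$salt$hash:17000:0:99999:7:::
legacy:AbCdEfGhIjKlM:17000:0:99999:7:::
guest::17000:0:99999:7:::
"""

if __name__ == "__main__":
    for f in audit_shadow(SAMPLE_SHADOW):
        print(f"{'WEAK' if f.weak else 'ok  '} {f.user:8} {f.algorithm:12} {f.reason}")
```

On a real system the same function would be fed the contents of /etc/shadow read as root; any account it flags is one whose hash a copy of the file would give an attacker for cheap offline cracking, and the fix is to rehash with the distribution's default (sha512crypt or yescrypt) via `chpasswd` or `passwd`, or to lock the account.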
What are the 4 tools that cannot be missed in the hacker’s arsenal and why?
This is a rather difficult question to answer, and I’m assuming you’ll probably get some mixed responses to this – the only tools I use personally are for the reconnaissance stages of hacking. I’d say tools for recon are pretty much crucial when looking for vulnerabilities in a relatively secure target. I use Nmap for port scanning and to fingerprint services, something such as recon-ng for subdomain discovery (to widen my potential attack surface), and of course my browser along with some form of debugging tool to monitor HTTP requests (I generally just use Live HTTP headers as a Firefox addon but stuff like burp suite or fiddler2 are good non-browser-based alternatives, I find fiddler2 to be especially useful for socket-based programming whereas burp is more geared primarily towards pentesting).
I also sometimes use Wireshark if I need to perform deep packet analysis (generally if I’m pen testing something like an interactive flash application) – The most valuable tool in a hacker’s arsenal is Google for sure though, you can use it to perform all kinds of reconnaissance, for example, specifying site:target.com filetype:ext (with ‘ext’ being the file extension you’re looking for) in order to map out what kind of technologies they are using on their site, allowing you to better focus your efforts.
Generally I think you’ll find most of these kids advocating the use of vulnerability scanners and automated web-based exploitation tools such as Sqlmap are generally pretty clueless – the issue with scanners is that in addition to generating a ridiculous number of false positives which have to be manually verified, there is also the risk that scanning is noisy in the sense that any competent sysadmin will instantly know their site is being scanned for vulnerabilities and will be capable of identifying any vulns picked up by the scanner and patching them before an attack can take place. Scanners will only find low-hanging fruit and will never bear the same results as that of someone who knows what they’re doing testing manually. As for things like sqlmap, they use outdated methods that are not suited for modern and realistic SQL injection scenarios, for example running Sqlmap with the --os-shell flag will attempt to use into_outfile() function to spawn a shell (which will NOT work in like 95% of cases).
I think the tools that hackers use honestly depend on which specific branches of hacking they’re into – what I listed above is for web-based hacking, the tools could vary massively if you got into hacking of embedded devices or kernel-based exploitation / reverse-engineering.
Which are the most interesting hacking communities on the web today, why?
Some of the VXing communities which are still around are pretty interesting, along with a few private forums that I’m not willing to name. There are many decent IRC networks too. As for groups, I’d say the majority of groups that aren’t completely worthless are not the same kind of groups that you’ll be able to easily find on sites like Twitter. 99% of the groups around today are just a bunch of kids looking for attention with no real knowledge or passion for the scene. There are a few skilled groups still out there, but I’m not going to start namedropping them.
Did you participate in hacking attacks against the IS propaganda online? When? How?
All I’m willing to say regarding this is that I can confirm I remained in contact with Junaid Hussain (TriCK / Abu-Hussain Al-Britani) while he was in Syria.
Another thing I will say is that I disagree with the methods being used by many of these OpISIS people used to target ISIS – While I certainly don’t disagree with their morals and what they’re trying to achieve, I do have a problem with the way in which they are attempting to do so. DDoS attacks and getting sites/twitters mass suspended isn’t going to have much of a negative effect on ISIS at all, and I’d go as far as saying that it’s massively counter-intuitive and is simply making the job of the authorities much harder than it should be. I’m sure if they sat back and kept ISIS-affiliated websites online rather than DDoSing them, then some more skilled hackers would be more than capable of gaining access to those sites and using any intel gained from those sites in order to further disrupt the communications of ISIS. How are the authorities supposed to gather intel if the sites they’re investigating are constantly being knocked offline? Many participating in OpISIS need to seriously reconsider their strategies because right now it seems they’re doing more harm than good. Just my two cents.
Where do you find IS people to hack? How do you choose your targets?
They find me 😉
We often hear about cyber weapons and cyber attacks against critical infrastructure. Do you believe the risk of a major and lethal cyber attack against critical infrastructure is real? Thanks a lot again, send me a picture to use as your avatar.
I think attacks on national critical infrastructure are a real threat, and that this threat is growing bigger by the day. SCADA bugs have been around for years, and it’s usually pretty trivial to gain access to a SCADA system (when in reality it should be ridiculously secure) – I remember in 2012 when mass scanning for SCADA we found an online control panel for the national power grid of India. That’s a really scary thought. Sure, it was password protected – but they hadn’t properly implemented rate limiting and it could be easily brute forced. I’d say we are witnessing true cyber war already and that this will continue to emerge over the coming years – remember that national critical infrastructure doesn’t necessarily have to be something like an electricity grid or a power plant… it can be something less obvious in many cases. Take the recent DNC hacks which Russia are being blamed for as an example… while at first this may not seem like a target against national critical infrastructure, just consider the fact that if Russia was behind this, then it was a co-ordinated attempt from a foreign government to disrupt an election. If our voting system doesn’t constitute critical infrastructure, then what does? In my opinion, this recent attack WAS an attack against critical infrastructure by a foreign gov, and therefore is cyber-warfare in its truest definition.
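The answer above points to a password-protected control panel whose only weakness was the absence of rate limiting. As an added example (not code from the interviewee or from Security Affairs), here is the kind of login throttle that closes that gap: failures are counted in a sliding window per account and per source address, and once the threshold is hit the key is locked out for a fixed period, with the check done before the password is ever verified so a locked attempt gives no feedback about whether a guess was right. The class, the `attempt_login` helper and the `FakeClock`-driven scenario are this example's own constructions; the credential and address in the simulation are made up.

```python
"""Sliding-window login throttle with lockout, keyed per account and per source (added example)."""
import time
from collections import defaultdict, deque
from typing import Callable, Deque, Dict, List


class LoginRateLimiter:
    def __init__(self, max_attempts: int = 5, window_seconds: float = 300,
                 lockout_seconds: float = 900, clock: Callable[[], float] = time.monotonic):
        self.max_attempts = max_attempts
        self.window = window_seconds
        self.lockout = lockout_seconds
        self.clock = clock                                   # injectable for testing
        self._failures: Dict[str, Deque[float]] = defaultdict(deque)  # key -> failure timestamps
        self._locked_until: Dict[str, float] = {}            # key -> lock expiry time

    def _prune(self, key: str, now: float) -> None:
        """Drop failures older than the window so old mistakes do not count forever."""
        q = self._failures[key]
        while q and now - q[0] > self.window:
            q.popleft()

    def is_blocked(self, key: str) -> bool:
        now = self.clock()
        until = self._locked_until.get(key)
        if until is not None:
            if now < until:
                return True
            del self._locked_until[key]      # lock expired: start counting afresh
            self._failures[key].clear()
        return False

    def record_failure(self, key: str) -> None:
        now = self.clock()
        self._prune(key, now)
        self._failures[key].append(now)
        if len(self._failures[key]) >= self.max_attempts:
            self._locked_until[key] = now + self.lockout

    def record_success(self, key: str) -> None:
        self._failures.pop(key, None)


def attempt_login(limiter: LoginRateLimiter, username: str, source_ip: str,
                  password: str, verify: Callable[[str, str], bool]) -> str:
    """Return "blocked", "ok" or "failed". Both keys are checked before verify() runs,
    so a locked-out caller learns nothing about the password it supplied."""
    keys = (f"user:{username}", f"ip:{source_ip}")
    if any(limiter.is_blocked(k) for k in keys):
        return "blocked"
    if verify(username, password):
        for k in keys:
            limiter.record_success(k)
        return "ok"
    for k in keys:
        limiter.record_failure(k)
    return "failed"


class FakeClock:
    """Deterministic clock so the scenario below does not depend on wall time."""
    def __init__(self) -> None:
        self.t = 0.0

    def __call__(self) -> float:
        return self.t

    def advance(self, seconds: float) -> None:
        self.t += seconds


def simulate_bruteforce(attempts: int = 20) -> List[str]:
    """Constructed scenario: one source tries `attempts` passwords one second apart
    against the account 'operator'; the last guess is the correct one."""
    clock = FakeClock()
    limiter = LoginRateLimiter(max_attempts=5, window_seconds=300,
                               lockout_seconds=900, clock=clock)
    secret = "correct horse"                     # made-up credential for the demo
    verify = lambda user, pw: user == "operator" and pw == secret
    guesses = [f"guess{i}" for i in range(attempts - 1)] + [secret]
    results = []
    for guess in guesses:
        results.append(attempt_login(limiter, "operator", "203.0.113.7", guess, verify))
        clock.advance(1.0)
    return results


if __name__ == "__main__":
    outcome = simulate_bruteforce(20)
    print(outcome)   # five "failed", then "blocked" for the rest, including the right password
```

In the simulated run the correct password arrives while the lockout is active and is refused like any other attempt, which is exactly the property the Indian grid panel lacked: guessing stops paying off after a handful of tries instead of scaling with how fast the attacker can send requests. Keying on the account as well as the source address matters because a distributed guesser rotates addresses; keying on the source as well as the account keeps one address from spraying many accounts.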
Thanks a lot!
(Security Affairs – MLT from TeaMp0isoN, hackers)