TestIstanbul 2019 – Interview with Santhosh Tuppad about Ethical Hacking
Who is a black hat hacker exactly? What does he/she do?
Imagine that someone (preferably a thief/burglar) gets into your home to steal/acquire your valuables without any authorization or permission. Now, this is a simple example where this can be called a “Crime”. Now, in the software industry, the same can happen where someone with a malicious intent wants to steal the sensitive data of customers or end-users without any permission from the software stakeholders or the company itself. This type of crime, wherein someone steals from or breaches the infrastructure (physical or software) in an unauthorized way, is what a “Black-Hat Hacker” does.
In a nutshell, black-hat hackers identify the security vulnerabilities and exploit them in order to benefit themselves in terms of money, goods, ransom activities, getting high on adrenaline, etcetera. Now, the question may be “Why?”. Well, there could be many reasons which include “Just for Fun”, “Financial Affordability”, “Holding a Grudge against some company” and many more reasons which we may not be aware of, as it depends on the context of a black-hat hacker's brain/psyche and lifestyle. The simplest reason why they do it could be, “Because they can do it”.
To help the readers understand better, I would love to showcase some of the examples where an activity performed by a hacker is called “Black Hat Hacking”.
- A malicious hacker with the intent of benefiting themselves breaching the Banking Application, where they crack the account number and password in order to transfer the money from the genuine account holder to their (the hacker's) account in a different country where the jurisdiction and laws don’t come into the picture. This is an activity of a black hat hacker.
- At McDonald's, someone may try to tamper with the payment gateway or Checkout page and pay $1 instead of the total amount of $100 and get away with the burgers, French fries, chicken nuggets etcetera. This is a Black Hat Hacker as well, because they want to get benefits out of a specific security vulnerability, and this kind of hacker exploits the vulnerability in order to get away with the food for a cheaper price or no price at all.
- Someone with a malicious intent performs a GET request to an API that displays a user profile which includes the user's name, email address etcetera, and identifies that there is no authorization or proper access control in place. This so-called “Someone” tries to tamper with different request body parameters and finds that there is a “UserID” parameter which appears to hold sequential IDs. Once this data is found, they try to replace their own ID with someone else’s to see if the response body displays another user’s data, which includes name, email address, country and other details based on the context of the web application's business or service. Now, this data could be used for selling, or just uploaded to Pastebin for fun to bring down the reputation of the company. What do we call this “Someone”? A Black-Hat Hacker.
I hope that you might have got an idea at the basic level about black-hat hackers' activities.
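The sequential-UserID scenario in the answer above, written out as an added example by the editor (it is not the interviewee's code and not taken from any product he names): a profile handler that trusts the client-supplied ID beside one that enforces an object-level ownership check, plus a log check that flags a single session walking many different profile IDs, which is the access pattern that probing produces. The user table, session names, log format and the flagging threshold are all constructed assumptions.

```python
import re
from collections import defaultdict

# Constructed sample user table (assumption; not from the interview).
USERS = {
    1001: {"name": "Alice", "email": "alice@example.com", "country": "TR"},
    1002: {"name": "Bob",   "email": "bob@example.com",   "country": "DE"},
    1003: {"name": "Carol", "email": "carol@example.com", "country": "IN"},
}


class Forbidden(Exception):
    """Raised when the caller is not allowed to read the requested object."""


class NotFound(Exception):
    """Raised when the requested object does not exist."""


def get_profile_vulnerable(session_user_id: int, requested_user_id: int) -> dict:
    """The weakness described in the interview: the session is authenticated,
    but the UserID taken from the request is never compared with the caller,
    so any logged-in user can read any profile by changing the number."""
    if requested_user_id not in USERS:
        raise NotFound(requested_user_id)
    return USERS[requested_user_id]


def get_profile_hardened(session_user_id: int, requested_user_id: int) -> dict:
    """Object-level authorization: the requested record must belong to the
    caller. The ownership check runs before the lookup, so the response
    does not reveal whether a foreign ID exists."""
    if requested_user_id != session_user_id:
        raise Forbidden(requested_user_id)
    if requested_user_id not in USERS:
        raise NotFound(requested_user_id)
    return USERS[requested_user_id]


# Detection side: one session requesting many distinct profile IDs is the
# signature of sequential-ID probing. Log format below is an assumption.
LOG_RE = re.compile(
    r"session=(?P<session>\S+) GET /api/users/(?P<uid>\d+) (?P<status>\d{3})"
)

# Constructed access-log lines: timestamp, session id, request line, status.
SAMPLE_LOG = """\
2019-10-01T10:00:01Z session=s-alice GET /api/users/1001 200
2019-10-01T10:00:02Z session=s-alice GET /api/users/1001 200
2019-10-01T10:00:03Z session=s-mallory GET /api/users/1001 200
2019-10-01T10:00:04Z session=s-mallory GET /api/users/1002 200
2019-10-01T10:00:05Z session=s-mallory GET /api/users/1003 200
2019-10-01T10:00:06Z session=s-mallory GET /api/users/1004 404
2019-10-01T10:00:07Z session=s-bob GET /api/users/1002 200
"""


def flag_id_enumeration(log_text: str, max_distinct_ids: int = 2) -> dict:
    """Return {session: sorted distinct user IDs} for every session that
    requested more than `max_distinct_ids` different profiles. The threshold
    is an assumption; tune it to the application's legitimate access pattern."""
    seen = defaultdict(set)
    for line in log_text.splitlines():
        match = LOG_RE.search(line)
        if match:
            seen[match["session"]].add(int(match["uid"]))
    return {s: sorted(ids) for s, ids in seen.items() if len(ids) > max_distinct_ids}


if __name__ == "__main__":
    # Carol (1003) reading Bob's (1002) profile succeeds on the weak handler...
    print(get_profile_vulnerable(1003, 1002)["email"])
    # ...and is refused by the hardened one.
    try:
        get_profile_hardened(1003, 1002)
    except Forbidden:
        print("forbidden")
    # The constructed log flags only the session that walked four IDs.
    print(flag_id_enumeration(SAMPLE_LOG))
```

The ownership check is the actual fix; switching public identifiers from sequential integers to random values only makes guessing harder and is a secondary measure. The log check is deliberately simple (distinct IDs per session, no time window) so that the logic stays visible; a production rule would also bound the window and weight 404 responses, which indicate IDs that do not exist.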
Do companies hire black hat hackers? Why?
This is a challenging and interesting question. I am not sure if I can answer this question on behalf of the companies that exist, but what I can say is, “I would always have a diversified skill set in my security team, including those who have had black-hat hacking experience and then transformed to white-hat hacking”. Mixing up black-hat hackers and white-hat hackers is what I would call “The Team That Rocks”, one that strives to add business value.
Now the “Why” part?
Black-hat hackers bring in a different set of experiences and their unconventional ways of thinking and plotting attacks on software. And if companies are really fighting black-hat hackers around the world and want to secure their software, then not having diversity which includes black-hat hackers in the team is like barking up the wrong tree. Mind you, I am not saying that white-hat hackers cannot do a great job, but I am saying that having a team with a diversified skill set and experience is absolutely a damn good bonus for any company in order to build better software with secure ingredients in their code.
In your keynote speech at TestIstanbul, you will talk about having fun while doing testing. How can we inject the fun factor into our testing practices and especially into the DNA of our testers?
Fun only comes when we learn new things and try out testing in different ways, generating test ideas through a variety of thinking skills such as lateral thinking, critical thinking, cognitive thinking and more.
The only way to inject the fun factor into your testing is to learn more deeply and nurture your inner child to learn better. As kids, we learned better through curiosity.
“Even though you're growing up, you should never stop having fun.”
~ Nina Dobrev
- Firstly, injecting happiness into your day-to-day work is the key factor (https://www.youtube.com/watch?v=aHVE46nHdLQ). When you are happy, you learn better, as it also adds to the “Quality of your Life”. Please remember that “Mental Health is very important and one of the top priorities”.
- Reading blogs, writing blogs, watching videos about any specific subject in Testing or Coding or Application Security/Hacking.
- Practice testing every day. When did you last test an application that is not developed by your company? And when did you last learn something new which is not part of the learning from your project? Did you explore and learn?
- Doing something different every day in terms of testing.
- Picking up a Testing Book and questioning what the author says in the book rather than just nodding your head for everything the author says. “Learn from everyone” is a nice quote, but you also need to know the filtering mechanism where you disagree with some things and have valid reasons for your disagreement.
- Argue with your colleagues about why something is not better. Remember that the argument is on the subject and not on the person who is involved in the argument activity.
- Participating in discussion forums like the Ministry of Testing and other credible forums.
- Invest time and money in your learning. How about buying a course on Udemy, PluralSight, Lynda and more, based on your context and subject of interest?
- Tweeting your testing thoughts on Twitter and experiencing the amazing responses you get from testers, programmers and anyone across the globe who is interested in the subject.
- Lastly, if you are not having fun; it just means that there is amazing potential you can unleash in yourself.
Practice takes effort and time. Be aware of it and keep practicing. Do not give up!
Should a tester change her mental model while switching from functional testing to security testing? If so, what should the mental model of a security tester include?
I would rephrase the word “change” to “practice” and the word “switching” to “transforming” in the question. Every role requires a different kind of mindset, but does not necessarily demand a “switch”. A software tester who has been testing for functional aspects can extend their mindset, and surely a passionate functional tester can use their experience in order to extend the mindset to the security aspect and practice it in order to nurture it well.
Now, let’s speak about “Mental Model” or rather a “Mindset” of a Security Tester/Ethical Hacker/White-Hat Hacker/Security Researcher/Information Security Specialist (Well, as long as you are working on securing your software or your infrastructure or valuables, these role tags at times are used interchangeably).
The core of adding a new mindset is practicing a lot. There is no other secret ingredient to any profession or skill if you want to master it. I will just share a quick experience of mine.
- I was a great liar during my childhood and I used to lie like I am telling the truth.
- I used to steal chocolates from the shop during my childhood days through social engineering attacks (build the trust and then break it).
- I started to steal someone else's internet in the town I used to live in because I couldn’t afford to pay for the internet.
- I became an IRC addict and made friends with hackers from countries across the globe.
- I started to crack the usernames and passwords of email accounts using software such as a keylogger. This used to get me some pocket money.
- I started hacking IRC chat rooms by cracking the password for IRC registered nicknames.
- And then I moved to hack the server boxes through the known vulnerabilities in the FTP (File Transfer Protocol) Software with the help of Google Dorks.
- Web Application Security and Mobile Application Security were my deep-learning phase, where I started to identify vulnerabilities and to exploit them for fun.
- Finally, during adulthood, there was a great transformation to the white-hat hacker and helping the software world around the globe.
This was my fun experience which happened subconsciously and it’s been more than 16 years of thought process on hacking and my mindset towards security has grown deeper and wiser. My opinion is it will take a lot of time to practice the mindset, but starting up and passionately investing time in the practice may take you higher in a quicker way. Now, those who did not have that experience can still start practicing the mindset with the below tips.
Tip #01: Think like a criminal while not committing a crime. By this I mean watching crime movies, investigation movies, watching documentaries about thieves and more.
Tip #02: Read the stories which have landed many folks in the prison for not understanding the laws and abiding by them.
Tip #03: Hack the account of a friend who is really very close to you and knows that you are just doing it for practice sessions.
Tip #04: Interact with Hackers who were malicious and now they have transformed into ethical hackers.
Tip #05: Bypass a Physical Infrastructure. Be careful to seek consent to experiment with this.
Tip #06: Practice social engineering attacks and gather information without letting the other person know that you are performing an attack.
Tip #07: Watch series like “Mr. Robot” and “The Scorpion”.
Tip #08: Read books and blogs by security leaders. Example: Kevin Mitnick, Troy Hunt, Scott Helme, and others.
I hope this answer helps you to understand how you can get started.
You’ll be delivering a Keynote speech at TestIstanbul, could you please provide some clues about it?
As of now, even I do not know what I will be speaking about in reality (This means that I will be doing probably more than what I am going to mention in this answer).
The best news is, I will be speaking about Hacking as the core. I shall speak about my experience as a hacker, how I learned to hack from the age of 16, and how I nurtured my talent and skills. Moreover, the audience will witness some dangerous live demonstrations of hacking which showcase the way my hacker's brain thinks. I will also be focusing on the differences between black-hat hackers and white-hat hackers in order to help the audience understand how to bridge that gap and learn to train their minds like a black-hat hacker in order to be fabulous white-hat hackers who help the software industry move towards better security. The whole talk will be based around protecting the current generation and the next generation of humans from being hacked. I absolutely believe that we cannot totally heal the world from unethical hackers, but we can strive to get closer to better security every moment.
To summarise, I will speak about the exciting things that exist in the Security World and Hackers World.
Any additional comments/information would be greatly appreciated…
I would love to provide a list of resources for the starting point and also learning deeper about “Security Testing”:
- OWASP - Open Web Application Security Project https://www.owasp.org/index.php/Main_Page
- PacketStormSecurity https://packetstormsecurity.com/
- HackThisSite - http://hackthissite.org/
- HackTheBox - https://www.hackthebox.eu/
- Hacking for Dummies by Kevin Beaver
- Ghost in the Wires by Kevin Mitnick
- Troy Hunt - https://www.troyhunt.com/
I wish everyone reading this a great kick-start in the world of Ethical Hacking.