Know your community – Beist (SeungJin Lee)
On our last blog post “Know your community” we interviewed Ionut Popescu from Romania. Today we had the honor to interview Beist (SeungJin Lee)!
SeungJin Lee, known as Beist is a 32 years old security researcher from South Korea. Beist is the founder of GrayHash (pen-testing company) and highly regarded security research that found over 100 vulnerabilities.
Q: How many years have you been working in the security field?
A: I’ve entered this field in 2000. My first job at Cyber Research was to do pen-testing for big companies in Korea. Then, I spent more than 4 years in the military service. After that, I worked for 2 years as a freelancer and founded GrayHash.
Q: What was your motivation into getting into the security field in the first place?
A: I played an online game (text based multi user dungeon) a lot when I was young. But their service fee to play was horribly expensive and I was just a poor student. When the bill came to our home, my parents were always angry at me. However, I could’t stop playing the game. So, I wondered if there is a way to play the game for free. At that time, I didn’t know about computer security, I didn’t know TCP/IP, C language etc, so I searched the internet to know how MUD games works.
It turned out they had one or more IP address and port number that were used for connection to their server. I connected to the MUD game through a popular Korean BBS. The BBS was responsible for charging me according to how many days I played per month. I was thinking to myself “How the BBS calculates charges if I will connect to the MUD game directly and not through the BBS? There would be no way.”
So I gave it a try. I figured out the game’s IP address I was playing but I could not figure out what was their port number. So, I learned how to use telnet, it could have been much easier if I knew coding (Making an automatic script that tries to connect from 1 ~ 65535 ports), I literally typed myself ‘telnet target_ip [1-65535]’ in a way of total brute-forcing. I’d tried the poor brute force attack for days. One day, the connection message popped up and I was exhilarated.
The funny part starts from here. Right after the attack success, I realized this could be called ‘hacking’ even though it was super lame. So, I quit the game just right after that, and went to a library to read computer books. And I joined a wargame site called ‘hackerslab’ and I was getting knownto infosec guys in Korea. Eventually, one security firm called CyberResearch wanted to hire me when I was 16, and of course I took the offer.
Q: What was the first vulnerability you found?
A: I don’t exactly remember which one was my first finding. But I think it was from Zero-board that is popular web-board / CMS in Korea. It was a remote code execution vulnerability by bypassing file upload restriction feature of the program.
Q: How did you feel when you you found the vulnerability?
A: It was a great moment because Zero-board was the most popular web software at that time. That meant that my name could be spread all over the internet and reach many of the info-sec community. In addition, I really tried very hard to find bugs and I literally spent days/weeks to find one single bug in the program.
Q: Did someone help you?
A: Unfortunately, no. That was the first remote code execution bug in Korean info-sec community. It was a kind of high-profile target. So I was all alone on this journey.
Q: What is your field of expertise in vulnerability research?
A: Hard to answer. As nature of pen-testers’ duty, I’ve learned a lot of things so far. Web, mobile, game, embedded systems, browser, messengers, and so on. It’s not rare that pen-testers work on ‘A’ project this week and jumps on ‘B’ project the next week. But if I have to answer the question, I would say finding memory corruption style bugs by source review / reversing binary is what I’m good at and like doing.
Q: Where and when do you conduct your research (office / home / coffee shop)? On your free time? Late at night?
A: Of course I’m a researcher. But I can’t spend every night doing hacks anymore (Which I used to do!) because I’m now the CEO of a company. I meet people and write many emails every day. However, I still have chances to conduct research because our company provides pen-testing services to clients. I prefer doing the job at my office since it’s cozy and close to my apartment. I make effort to not conduct researching into the late hours quite as much, unless there is no meeting tomorrow’s morning.
Q: You are a very experienced researcher and you had the opportunity to participate in many security conferences both as a speaker and as an attendee. What is you favorite security conference?
A: Although I used to like big security conferences until a few years ago, I’m now moving to smaller ones. Am I getting old? I can’t name every conference I like here, but I love SYSCAN (Singapore), CODEBLUE (Japan), BREAKPOINT (Australia). Of course, there are awesome conferences in Europe as well.
Q: What kind lectures you like to attend? listen to?
A: I’d like to attend talks about hunting bugs and reverse engineering. They’re kinda old school but still my favorites. Also, I like entertaining talks by skilled hackers.
Q: How do you choose your lecture topics?
A: It’s getting harder to give technical talks publicly as I spend most of time to work for our company and they’re all NDA signed. But when I teach BoB students, I prefer talking about reverse engineering and how to find security bugs.
Q: What is BoB?
A: KITRI runs a special program called “Best of Best,” targeting talented students who could become security experts in the future. About 130 students from high schools to graduate schools are selected based on prior experience to be trained for six months. Programs include simulated cyber war with classmates.
Q: What do you love most in conferences? (conference events – CTF / hacking village / Hack the badge, drinking parties etc)
A: CTF is my favorite. If not for CTF, I would have not entered into the security field. I used to take part in many CTFs, DefCon CTF and wargame sites. I wish I could go back to those times. Also, I like meeting my info-sec friends at conferences. We usually hang out and have countless shots. I wish every conference talk started at like 1pm!
Q: What is the most exotic place you attended a security conference at?
A: Definitely, CCC (Germany). I can’t exactly explain why, but if I should guess; First off, I could’t speak English at all at that time and I’d never went to English speaking country before. The hacker culture at CCC was so exotic to me. Of course I enjoyed it a lot there.
Q: You also meet different security communities around the world. Tell me about the security community in South Korea How big is the community?
A: Considering South Korea is a small country, the security community is big enough. We have more than 300 security firms and the community is huge. Many middle/high/university students are very interested in working for IT security sector. There are more than 50 cyber security clubs at universities. More than 20 CTF per year. More than 10 security conferences each year.
Q: Do they help each other / new guys, with training?
A: The academy (university), community, industry, and the government help each other. Universities have special selection in the admissions system. For example, in many East Asia countries, if you want to go to top schools, you have to get really high SAT scores. But if you’re good enough at cyber security, you probably can get accepted.
The government supports the community in many ways. One best example might be BoB (Best of Best) which is a government-funded program. Its purpose is to make next generation cyber researchers. Many middle and university students apply to BoB and only talented students get into the training. There are top hackers as mentors and they teach those students.
Q: How do you contribute to this community?
A: I’ve participated in BoB since its first year. I advertise BoB program over the world and teach young students at the campus. We get about 130 new students every year and some of them are extremely skilled considering their age.
Also, I’ve joined other security related programs as a supervisor. Named to advisory council for Cyber Command in Korea and a member of information security committee for PyongChang Winter Olympics.
Q: In which country have you been surprised from the size / quality of the security community?
A: U.S., China and Russia the biggest communities in the world and everyone agrees with it. But I think Sweden has an amazing security community. It’s smaller than Korea but their skill set is awesome. I’ve asked my viking friends about it but no one told me the answer. I’ll figure it out one day!
Q: In your perspective, how did the international security community change in the past 5 years?
A: Full-disclosure has been decades. Today, less full disclosures from independent researchers, but more full disclosures from companies. And the notorious argument, “is full-disclosure good or bad to public?”, is never gone. The argument won’t be gone in the next 5 years, at least.
Q: As an offensive security researcher, how many times do you get “shady” emails / contacted by unknown companies asking about acquiring vulnerabilities? and what is your funniest story for someone who contacted you?
A: An unknown person asked me to sell a google chrome 100% remote code execution + sandbox escape. He said $10,000 should be enough according to the google bug bounty price range.
Another guy wanted me to teach him about how to find bugs in modern web browsers. $50 per hour rate he offered me.
Q: You are GrayHash’s founder, What was your motivation for creating it?
A: I had worked for 2 years as a freelancer before creating the company. I was having more and more contracts and it was almost impossible to finish them myself. Also, I wanted to work my previous co-workers. I spent many years at army before and i missed them. It’s a pleasure to do something with smart and good people. Finally, I managed to persuade them to join my company.
Q: What services does GrayHash provides?
A: Every company has its own products. It can be embedded systems, mobile applications, banking systems, and so on. We try to find security holes in their products and tell them how to fix. So, we’re a pen-testing company. Hopefully, we can globally expand our business in this year.
(By the way, we’re about to release our first security product to public. It’s a binary based obfuscator for iOS/Android/Embedded systems. It supports 32/64bit and native/java layers. Currently, it’s only able to work on ARM but we’re planning to support other CPU types such as MIPS and PPC.)
Q: How many members are part of it?
A: At the time of writing, we have 15 people. Most of them are engineers. I wish we had more engineers but it’s really hard to hire skilled security professionals.
Q: What’s the single piece of advice you would want to give for someone seeking out a career in the security filed?
A: Learn computer languages first. C/Python/Assembly. If you want a quick way to be a hacker, jump into CTF / wargame sites, they are probably one of the best means to get started. Do this every day. You may need to spend many of days. Always check out new security bugs published by other researchers. Try to understand and exploit it yourself. Now, you can go for finding bugs yourself.
It was a pleasure, Beist, to talk to you