Happy new year everyone!
One of our new year’s resolution is to promote the security community in different ways – sponsoring security conferences, publish new vulnerabilities and to write blog posts about leading security researchers that work and strengthen their local community.
One of the best things of being part of the cyber security community is that you get to meet great and interesting people along the way. In every conference we attend, and we sponsor quite a few throughout the year, we get to know new and talented researchers.
Recently, we decided to write a series of blog posts on individuals who are part of the community and promote their local community.
We have the honor to interview Orange Tsai, a security researcher from Taiwan, for our first blog post!
Orange (Cheng-da Tsai) is 24 years old, and recently finished his Master degree in Information Security from the University of Taipei. Orange works in a security consultancy company called DEVCORE Taiwan, is a well known CTF player, a CTF organizer among the many other things he does.
Q: I saw you found quite a lot vulnerabilities during the last few years, in Facebook / Uber / Apple / Google etc, just to name a few. Why did you decided to specialize in vulnerability research? What was the motivation to get into the security field?
A: My motivation to get into the security field was from watching the news – I saw a news piece on day, about a hacker who hacked our [Taiwan] presidential’s website on TV, and thought that it was so cool, and wanted to be hacker like him.
When I stepped into the “hacking” world, the more I learned, the more I found that I was attracted to vulnerabilities research.
- How do you find vulnerabilities that others can’t find?
- What makes it possible for a vulnerability to exist?
- Why can a few harmless bytes cause a server to be compromised?
- How can an one-null-byte overflow lead to remote code execution?
Not just vulnerability research, but also exploitation intrigues – I believe it is an art form.
Q: What was the first vulnerability you found?
A: The first vulnerability I used, when I was still learning the field, was a very old vulnerability in Microsoft’s ASP language, basically you could use /foo/..%5cview.asp to obtain the database file and download it to your computer.
But the first vulnerability reported by me was MS12-071 (CVE-2012-4775), a use-after-free in Microsoft Internet Explorer. At that time, I was interested in fuzzing and thought IE was a good target to break 😛 and fuzz.
Q: How did you feel when you found the vulnerability?
A: One word in Chinese “成就感”, 3 in English – sense of accomplishment.
When you find a serious vulnerability that no one has found so far, it makes you feel good, like unlocking a top level achievement in a game.
Q: What is your vulnerability research strengths? (web / binary / Windows / Linux etc)
A: My expertise are in Web Security and Penetration Testing, I know most people think Websec is easy to learn, but if you stick around and dive deep into it, you will learn that the Websec world is very complex. There are many different types of architectures; of technologies; and many tricks and combos.
You need to learn a lot of different skills:
- Reverse engineering in order to pentest CGI-BIN website
- Cryptography in order to break ECB/CBC/OFB/CTR mode cipher
- Binary exploitation even kernel exploitation in order to privilege escalation
In addition, I am vivid CTF player and CTFs are full of pwning (binary exploitation). I had to learn different types of vulnerabilities exploitation techniques, especially binary exploit. So I learned “how to write shellcode”, “how to exploit stack overflow”, “how to arrange the heap”, “how to bypass ASLR/DEP/RELRO/Stack Canary”, etc.
Moreover, I do penetration testing, which is another interesting part of what I do – it is like a puzzle, every part is important and everything you learn about is a crucial piece to the solution – putting it all together is the only way to solve it.
Q: As you mention, besides being a vulnerability researcher, you are one of the core team members of HITCON CTF team. When did you join the team?
A: HITCON is known as the “Hacks in Taiwan Conference”, which organizes the largest security conference in Taiwan.
Initially, there were several Taiwanese CTF teams, a few years ago we joined forces and created the HITCON CTF team in order to create the best team that will take part in DEFCON CTF Qualifications.
HITCON CTF team is a joint team from all the top CTF team in Taiwan, a joint venture by CHROOT, 217 from NTU, Bamboofox from NCTU, and NCU. At the moment HITCON CTF team, has 18 members.
Q: I saw HITCON CTF team was ranked 4th in DEFCON CTF 2016, how was it to compete with the strongest teams in the world and to win 4th place?
A: We felt like we had magic powers!
It was a pleasure, Orange, to talk to you and get so much information on the local Taiwanese community