Know your community – Yasser Ali

Today we have the honor of interviewing Yasser Ali: “Hall of Fame” member at PayPal / eBay / Microsoft / Sony / Facebook and more, Security Manager at BugBountyHQ (a bug bounty platform company), Senior Security Specialist at Deloitte and a well-known researcher.


Questions
Q: How many years have you been involved in the security field, and what was your motivation to get into it in the first place?
A: I started exploring hacking 13 years ago and have been focusing on the security field for 5 years now. I come from Luxor, a very traditional city, and being able to have access to technology made me feel proud; I knew that I could achieve so much more with it. I saw that as a chance, and I always tried to make the best out of it.
Q: What is your field of expertise?
A: I would say Web App & Network Pentesting, Social Engineering and Red Teaming exercises.
Q: What was the first vulnerability you found?
A: The first vulnerability I found in bug bounty programs was on the eBay website. I was able to take over any user’s account; that vulnerability allowed me to “Hack eBay accounts in 1 click”.
Q: How did you feel when you found the vulnerability?
A: It was a mix of emotions: I was excited, yet challenged to discover more.
Q: Did someone help you?
A: No, I am bad at asking for help.
Q: Is there some security research field that you always wanted to learn but never had a chance?
A: IoT (Internet of Things) hacking and malware analysis are two fields that I find very interesting; however, I have started to focus on the first one lately.
Q: What would be your dream job? Pure research? Exploit development? Relaxing at the beach?
A: I guess what I love most is sharing knowledge, so I aspire to be the Information Security Leader in the UAE; if that could be monitored from the beach, I wouldn’t mind :).
Q: In the past few years there have been a lot of security conferences in Dubai. How big is the Dubai security community?
A: The Dubai security community is “under construction”, but the gatherings are always great and very friendly. I would say a couple of thousand.
Q: How has the security community changed in Dubai in the past 5 years?
A: Dubai is becoming the hub of the security community, and the launch of SIRA (Security Industry Regulatory Agency) is proof that the UAE is looking at becoming a major player worldwide, and especially in the MENA region. The new law governing the Emirate’s security industry shows a will to legislate and define a framework for all concerned entities.
In the last 5 years, Dubai has been the first city worldwide to launch the strategy for a smarter city, aiming to offer the citizens of Dubai a smart life, smart transportation, smart society, smart economy, smart governance and smart environment.
His Highness Shaikh Mohammad Bin Rashid Al Maktoum, Vice-President and Prime Minister of the UAE and Ruler of Dubai, launched the “SMART DUBAI” strategy via 100 initiatives in order to transform 1,000 government services into smart services.
Shaikh Hamdan added: “Mohammad Bin Rashid not only wants to develop services … but wants to change the way people live in Dubai.”
In this context, security is becoming one of the toughest challenges.
Q: Are there special programs for students that want to get into the security research field?
A: A lot of universities are now offering special programs for students interested in following a career in the security research field. I was very surprised to see how many young girls and ladies are enrolling in those programs.
Q: In your opinion, is the security community in Dubai open to the international community?
A: Dubai is always open to international initiatives, and the security community has not been spared. Intersec, the leading security and safety exhibition, takes place in Dubai and attracts more than 30,000 visitors from across the globe every year. The last edition was two months ago, in January.
Q: What is your favorite security conference?
A: BlackHat & Defcon
Q: What kind of lectures do you like to attend or listen to?
A: I love listening to any “Technical” security related lectures.
Q: What do you love most at conferences? (conference events – CTF / hacking village / hack the badge, drinking parties, etc.)
A: Definitely the Hacking Village.
Q: What is the most exotic place you attended a security conference at?
A: I once attended a conference at a very well-known resort in Dubai, with the beach and palms as the background.
Q: In which country have you been surprised by the size / quality of the security community?
A: When I started hacking, well-known Russian hackers fascinated me, but the Moroccan community really impressed me with the size and quality of its hackers. I guess what surprised me is how far ahead they were, in equipment and training, compared to the rest of the Arab/African countries.
Q: What don’t you like about today’s international security community?
A: I guess some hackers are never invited to international conferences/gatherings, which is very sad. A few security professionals are monopolizing the conferences, and that leaves less space for newcomers. Also, I get very irritated to see how many people in charge of security have little knowledge of how to handle vulnerability disclosure.
Q: As an offensive security researcher, how often do you get “shady” emails or get contacted by unknown companies asking about acquiring vulnerabilities? And what is your funniest story of someone who contacted you?
A: I get plenty of emails every day. I would say the funniest stories are always girlfriends/boyfriends checking.
Q: You found and reported quite a lot of vulnerabilities, and you are a “Hall of Fame” member at PayPal / eBay / Microsoft / Sony / Facebook, etc. Did you ever report a vulnerability to a vendor and get a hostile response?
A: Well, most of them welcome my initiatives, as it works in their best interests. But still, some just choose to ignore them.
Q: What is the longest period of time it took for a vendor to patch a vulnerability you reported?
A: Surprisingly, Facebook: it took them almost 6 months to fix a vulnerability I had reported to them; they then rewarded me with a generous reward 😉
Q: What was the silliest reward you got for reporting a vulnerability to a vendor?
A: A leading telecommunications and Internet provider invited me to test their online app.
I was able to get all the sensitive data of their 30 million customers and fully control their voicemail/SMS/call forwarding. The reward offered afterwards was a SIM card loaded with a 100 MB data package, which I didn’t even have the time to go and pick up.
Q: Do you think vendors have made progress in the past few years in how they handle vulnerability reports from the security community?
A: Yes, definitely, they feel less threatened nowadays and use us more as consultants.
Q: Do you think the rewards security researchers get for reporting vulnerabilities are fair?
A: Not really, if you compare it to the damage that can be caused if the vulnerability is not fixed on time.
Q: Have you noticed a lot more non-traditional companies and organizations showing interest in bug bounty programs?
A: Yes, we have seen a rise in demand for launching bug bounty programs in different sectors, e.g. the “Hack the Army” program.
Q: What industries or business sectors would you like to see more involved in the bug bounty business?
A: ICS systems, IoT systems, Government Sectors, Banking Services.
Q: What are the best companies to work with when hunting for vulnerabilities? What traits do they have in common?
A: I love to work with ZeroCopter at the moment.
Q: You are Security Manager at BugBountyHQ (a bug bounty platform company) and Senior Security Specialist at Deloitte. What services does BugBountyHQ provide?
A: BugBountyHQ offers a number of platforms for companies to start their own bug bounty programs. That allows them to quickly identify their existing security posture with a crowdsourced pentest (bug bounty), all provided by BugBountyHQ’s registered security researchers.
Q: How is BugBountyHQ different from other bug bounty platforms? (HackerOne, for example)
A: BugBountyHQ has developed a number of platforms, which makes it more flexible and adaptable to suit different requirements and budgets.
Q: How big is the community participating in BugBountyHQ?
A: The community has about 700 Security Researchers.
Q: Are you still looking for vulnerabilities in your free time?
A: Yes, it’s a passion…
Q: What type of products do you most like looking for vulnerabilities in?
A: Web and mobile apps
Q: What are the projects you are promoting today?
A: I am performing Pentests on some financial institutions.
Q: What’s the single piece of advice you would give to someone seeking out a career in the security field?
A: Be curious and hands on…
Q: What are your hobbies?
A: When I am not hacking I like to travel and try new cuisines; I guess hacking makes you feel hungry 🙂
It was a pleasure, Yasser, to talk to you.
You’re welcome.