A product security professional with a passion for penetration testing shares his insight

Apr 17, 2012 17:51 GMT  ·  By

Hackers around the world, the interview series in which we try to dig deep into the minds of hackers worldwide, continues. This time we move on to the northern part of Europe, to Finland to be more precise, where we meet Janne Ahlberg, a product security professional with a passion for penetration testing.

During the past few weeks he has shared his insight into some interesting topics, including the MilitarySingles hack and the recent law enforcement operations that targeted hackers. Take a look at the interview below to find out what drives this white hat from Finland and what led him to put more effort into his hobby in the first place.

Softpedia: When did you discover your passion for cyber security in general? Was there something specific that triggered your interest?

Janne Ahlberg: Back in the 1990s I was working on a security product which provided transparent file and folder level encryption. This product, which included a floppy-disk copy-protection system, triggered my interest in security in general.

Softpedia: When did you start putting more effort into your pentesting hobby?

Janne Ahlberg: Last summer after reading articles about how common the Cross-site Scripting vulnerabilities are. I wanted to see if that was the case.

Softpedia: How did you learn to find vulnerabilities in websites? Did you take specialized courses or did you learn on your own?

Janne Ahlberg: I have attended some courses, read the books and articles, but I prefer a hands-on approach. I started testing manually using common “XSS cheat sheets”. After a while I wanted to learn about SQL injection as well.

I wrote a vulnerable PHP script on purpose and exploited it manually, because I wanted to understand each step. Now I'm using open-source tools for SQLi testing.
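The kind of deliberately vulnerable login script described above, beside its hardened form, as an added example that is not the interviewee's own code; it uses Python with an in-memory SQLite table (constructed sample users) in place of a PHP/MySQL script, and `compare()` runs both versions on the same input so a developer can see why string-built queries fail on ordinary apostrophes as well as on hostile input.

```python
import sqlite3


def make_db():
    """Constructed in-memory user table standing in for the database behind a login script."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, pw TEXT)")
    conn.executemany("INSERT INTO users (name, pw) VALUES (?, ?)",
                     [("alice", "s3cret"), ("o'brien", "hunter2")])
    return conn


def login_vulnerable(conn, name, pw):
    """Deliberately broken: input is spliced into the SQL text, so a quote rewrites the query."""
    sql = f"SELECT name FROM users WHERE name = '{name}' AND pw = '{pw}'"
    return [row[0] for row in conn.execute(sql)]


def login_safe(conn, name, pw):
    """Hardened: placeholders carry the values separately; the driver never parses them as SQL."""
    sql = "SELECT name FROM users WHERE name = ? AND pw = ?"
    return [row[0] for row in conn.execute(sql, (name, pw))]


def compare(name, pw):
    """Run both versions on the same input and report what each returned (or raised)."""
    conn = make_db()
    out = {}
    for label, fn in (("vulnerable", login_vulnerable), ("safe", login_safe)):
        try:
            out[label] = fn(conn, name, pw)
        except sqlite3.Error as exc:
            out[label] = f"error: {exc}"
    return out


if __name__ == "__main__":
    # Ordinary credentials: both versions agree.
    print(compare("alice", "s3cret"))
    # A legitimate name containing an apostrophe: the concatenated query is a syntax error.
    print(compare("o'brien", "hunter2"))
    # The textbook probe a tester sends to his own script: the concatenated query returns every row,
    # the parameterised one treats the whole string as a (non-matching) user name.
    print(compare("' OR 1=1 --", "wrong"))
```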

Softpedia: What do you do if you find a vulnerability?

Janne Ahlberg: I believe in responsible disclosure. I always report the found vulnerabilities to the affected party. Sometimes this takes more time than the actual testing.

Softpedia: Most security researchers complain that administrators ignore them when they report website vulnerabilities. How do you collaborate with admins when reporting site flaws?

Janne Ahlberg: I'll try to identify good contact persons like the webmaster and contact them via e-mail. Many websites do not publish such contacts, which can slow down reporting a lot. I prefer not to fill in online contact forms, because in many cases the only thing you will get back is a short auto-response message.

If I manage to find a contact person who understands the issue technically, reporting is usually easy and welcomed. If the contact person does not understand the report, it may get ignored.

This is why I usually write detailed reports with examples and screenshots. Then there are sites that do not publish any contact information or simply do not respond.

With sites like this, I'll try to approach the closest CERT. In Finland I would contact CERT-FI, for example.

Softpedia: Based on your experience and based on what you've seen so far, do the owners of hacked websites put more effort into security after a data breach?

Janne Ahlberg: Based on my experience, owners of the hacked websites do put more effort into security. There are exceptions: some site owners don't seem to know that they have been hacked or breached.

Softpedia: Recently you've offered some interesting insight into some data breaches. What were your findings?

Janne Ahlberg: When I hear about a new data breach or hack, I often want to understand how it was done. SQL injection seems to be the hacker's first choice in many cases.

Local and Remote File Inclusions and various 0day exploits are also used. Most of the breaches are based on common vulnerabilities and do not require any special skills from hackers.

Softpedia: Security solutions providers are in a head-to-head battle with hackers. Who do you think is in the lead and will things change?

Janne Ahlberg: With website security, hackers seem to lead mainly due to simple software issues. I cannot see how some security solution could fix a website that is already broken.

Things will change when website owners and developers take security into account during all phases of the development. In general, security cannot be added later as a feature.

Softpedia: What tip would you offer administrators on how to secure their sites?

Janne Ahlberg: Many websites are built with open-source software or components. It is important to keep all software up to date. This alone could help to keep the hackers at bay.

I would also recommend performing basic security testing if that is not done already. There are plenty of good tools and guides available. One good starting point is OWASP: https://www.owasp.org/index.php/Main_Page

Softpedia: We know you have a website. Tell us a bit about it and its purpose.

Janne Ahlberg: I have a small website at pentest.planeetta.com or idash.net telling basic details about my hobby. I also use the site for Cross-site Scripting testing. “Idash” does not mean anything: I just needed a short domain name for XSS tests.

Softpedia: What do you think about hacktivism in general? What do you think of hackers that claim to breach websites for a "noble" purpose?

Janne Ahlberg: Malicious attacks like website defacements, Denial-of-Service, data theft and disclosure are not the right tools for (political) protests. Perhaps some hackers do have important things to say, but at least I can't hear them. The noise of hacking is just too loud.

I do not support malicious or illegal hacking. Many hackers seem to break things just for fun or the “lulz”. Some hackers come up with a “noble purpose” as a justification for their actions.

Softpedia: Is there a data breach that impressed you in particular?

Janne Ahlberg: Not really.

Softpedia: Do you have an ultimate goal as a pentester?

Janne Ahlberg: This is a self-educational hobby. My simple goal is to raise and share awareness one report at a time.

Softpedia: Do you have any other hobbies besides pentesting?

Janne Ahlberg: I have a family and a full-time job, but I do have other hobbies like astronomy and movies.

Note. My Twitter account has been erroneously suspended. While this is sorted out, you can contact me via my author profile or follow me at @EduardKovacs1