The expert has recently participated in a CTF competition in Tunisia

Mar 18, 2013 07:38 GMT  ·  By

Earlier this week, we had the opportunity to do an interview with 21-year-old Ibrahim El-Sayed, one of the members of Vulnerability Lab.

Ibrahim received his Bachelor of Science in Computer Engineering degree from the American University of Cairo, Egypt, in 2012, but he has been passionate about information security since 2007.

Since then, he has identified security holes in the systems of numerous organizations, including ones from the government and military sectors. As a security researcher, he specializes in web application penetration testing and vulnerability research.

Softpedia: Tell us a few things about the vulnerabilities you’ve identified over the past period.

Ibrahim El-Sayed: Over the last period I was able to identify different vulnerabilities; many of them were very interesting, like the ones in PayPal, Dell and ManageEngine.

The main reason behind most of the vulnerabilities is the lack of filtering and sanitization. Usually, developers believe that the user will always enter the right input.

Softpedia: Which are the most common types of vulnerabilities you’ve identified and which ones are the most difficult to discover?

Ibrahim El-Sayed: I usually discover cross-site scripting (persistent and non-persistent), SQL injection, cross-site request forgery, redirection vulnerabilities and different overflow vulnerabilities. The ones that are most difficult for me to find are the overflow ones.

Softpedia: How well did you collaborate with the vendors whose products you found to be vulnerable?

Ibrahim El-Sayed: Our contact is usually done through the Vulnerability Lab system. Our method is to notify the vendor first, wait until the vendor responds and confirms the vulnerability, then wait until the vendor fixes it, and finally publish the vulnerability after it is fixed.

We always try to help the vendors to fix the vulnerabilities they have but unfortunately some of them just don’t care.

Softpedia: You have reported some vulnerabilities to smaller companies. From your experience, have smaller vendors begun to understand the importance of proper bug bounty programs? Have more companies started launching such programs over the past period?

Ibrahim El-Sayed: To tell you the truth, smaller companies just don’t care about security at all. I think they believe it is a luxury to have their products secure! Maybe because they have different goals, i.e., just to make their application work.

In reality, smaller companies usually don’t reply to our vulnerability notification emails. However, we are still keen to help both the small and large companies.

Softpedia: More and more researchers have started privately selling their exploits instead of properly disclosing them to the affected vendors. What is the impact of such practices on the security industry? Will the safety of cyberspace be strongly affected?

Ibrahim El-Sayed: Both the vendor and the researcher are mainly responsible for this problem. To clarify, some vendors don’t value what the researchers do.

They don’t acknowledge their effort with bug-bounty or even hall-of-fame programs. In turn, this leads the researcher to sell his exploits privately. Also, researchers are not aware that they should never sell their vulnerabilities to gain money, because this will harm the vendor and it is unethical.

Softpedia: We know you’ve recently taken part in the CTF (capture the flag) competition hosted by The Tunisian Association for the future of science and technology (ATAST). How was it and why are such competitions important for the cyber security industry?

Ibrahim El-Sayed: The competition wasn’t bad for the first time ATAST has hosted a CTF competition. We gained experience and knowledge by contributing to that competition. CTFs are very important for the cyber security industry. They help you get to know new people in the cyber security community. They also play a major role in helping researchers to be on the white-hat side.

Softpedia: What was the goal of the competition? Tell us a few things about the challenge itself.

Ibrahim El-Sayed: According to The Tunisian Association for the future of science and technology, the main goal of the CTF competition was to spread awareness of information security and its importance in Tunisia.

For us, the main goal of the CTF was to enhance our level, know more people in the security field and share ideas.

Softpedia: How many contestants were there? What countries did they represent?

Ibrahim El-Sayed: There were 6 contestants from different countries: a team each from Ukraine, Russia, France, Tunisia, Egypt (our team), and Japan.

Softpedia: From your point of view, tell us a few things about the threat landscape from Africa. Do you agree with other experts who believe the old continent will become a safe haven for cybercriminals because there are enough resources, but not enough law enforcement action?

Ibrahim El-Sayed: Unfortunately, this is a true fact. In Africa, or in third world countries generally, they usually do not care about cyber criminals. They don't have enough law enforcement to stop such attacks. That's why they are being used as a shield for cyber criminals to start different attacks.

Softpedia: Is there anything else you would like to tell our readers?

Ibrahim El-Sayed: Well, I just would like to tell anyone who is interested in security: keep reading, keep practicing, enjoy hacking but in the right way, as a white hat hacker. There was always a war between evil and good; it still exists ... and here it is in the information security field...
