On his quest to get to know the hacking community, Chris van ‘t Hof interviews a number of hackers. The first bug hunter he’s talking to in this series is Wietse Boonstra.
When I called him for an intake, he was sitting in a hospital with his little daughter, so I asked him if it was OK for him to talk. Wietse: “Sure thing, I’m bored sitting here so I hacked the hospital website. I had access to application letters and could see incubees via a webcam if I had wanted to do so. But I didn’t. I know the system administrator and informed him about the vulnerabilities. I always inform people about vulnerabilities that I come across.”
So this guy not only hacks for money but also as a volunteer, strictly following the rules of coordinated vulnerability disclosure. We continue talking about his background. Like me, he went to the secondary technical school and we agreed that this is the best place to thoroughly destroy all your interest in technical things. In the end his dad taught him most of what he knows, whilst putting together radios and trying things until they worked.
What did your first hack look like?
“It started by placing a single quote in a URL, right after the ID to see if that would generate an SQL error message. From that message you can derive if it’s possible to send commands to the MySQL database, without actually doing so. And that’s how it started for me, from a webhosting point of view, by testing myself.”
It’s a fine line what you can and cannot do - where do you draw yours?
“I think it stops with submitting a vulnerability to the owner of the system. You’re not going to download or view tables.”
Wietse worked at Isatis Cyber Security as senior security tester, as security engineer at I-Real and as system administrator at TotaalNet. He already worked as a pen tester as an independent contractor under the name WBsec, which is now his full-time job. He now also works as a voluntary researcher at DIVD, the Dutch Institute for Vulnerability Disclosure.
Wietse: “I used to work for a hosting company whose server got hacked all the time. I wondered why and started to investigate myself. Later I worked for a company that owns SCADA-systems (Supervisory Control and Data Acquisition), which have to be secure by default. They said - let’s send Wietse to a training, which I happened to like a lot. It’s not only about breaking in, but also about seeing your own mistakes as a system administrator. Things that I considered to be completely normal back then are the things that I definitely wouldn’t do again now. Currently I only do the ‘breaking side’: breaking everything that can be broken. Honesty is the best policy: I always report vulnerabilities to the owner of the systems, even if they don’t have a responsible disclosure policy (yet).”
The training courses Wietse mentioned are the CAST 611 Advanced Penetration Testing, of EC-Council Certified Ethical Hacker and the Offensive Security training: OSCP (Offensive Security Certified Professional, Prof as well as Advanced level) and the OSCE (Certified Expert). Wietse: “I think that the trainings of Offensive Security are about the most respected ones to obtain. A real challenge: at OSCP you get 3 URLs to hack within 24 hours. Especially the time pressure makes it hard. I’m now about to start on OSWE (Web Expert), which requires you to write exploits. Really next level.”
How did you discover that you could get money for vulnerabilities reported?
“About 2 years ago I reported a vulnerability to a company and they asked me to write a report for them - and paid me 50 euros. They had a bug bounty program via Zerocopter for which I registered and that’s how it all started. I have done hundreds of reports by now.”
Can you make any money with it?
“Oh well, it results in a nice 13th month’s payment, or a 14th, 15th… What the heck, I made about 13.000 euros so far.”
What hacks do you like most?
“Web applications! You push a number of buttons just to see what can go wrong. Recently I came across one that suddenly generated a whole lot of SMS messages. I was secretly using automated testing and each time the URL was called, a token was sent by SMS. That person received about 500 messages in the middle of the night. Was probably not his best night of sleep.”
What is your advice to starting hackers?
“You have to have a bit of natural ability to do this, especially curiosity. And always act responsibly, after all: what goes around, comes around. Don’t start the conversation with ‘I hacked you guys, start paying me money’. Introduce yourself: who you are, what you do, and exactly what you have found on which IP address.”
In the 2019 edition of Hâck the Hague, Wietse won first prize for Most Sophisticated Hack. He can’t disclose what he found, but apparently it was something really special. In any case, he earned 2.000 euros. With all the media attention for the HTH event, he was also approached by the Department of Corrections for an interesting research assignment.
Source: “Cyberellende was nog nooit zo leuk” - Chris van ‘t Hof