In his quest to get to know the hacking community, Chris van ‘t Hof decides to interview a number of hackers. The second bug hunter in this series is Erik van Oosbree.
Erik is a pen tester and has been bug hunting via Bugcrowd since 2013. Erik: “Bugcrowd emerged right around that time. After 20 reports I appeared in the top 100 of the ranking.” His name also appears in many Halls of Fame, among others those of Gamma, Yahoo, Sony, Deutsche Telekom, Erasmus Universiteit, NCSC and the dating site OkCupid. What drives him to do bug hunting? Erik: “It’s a perfect combination of freedom to do what you want and gaining some money at the same time. When I started, I had no idea what I was capable of. Bug hunting offered me a playground to try things and to check out the possibilities. It helps you grow, by seeing a broader range of applications and testing them. At the time there were banks that started with responsible disclosure. That taught me a great deal.”
I know Erik from our own hacking competition Lord of the Things in 2017. He participated in a team from Leiden University, where he studied forensic IT. Erik: “Back then, this was pretty unique, as we had never participated in a hacking competition as a school. The other members of the team were further along in their studies and I was in second grade. I responded to a call-out and we met for the first time at Hack Talk.” The team won a prize for the Most Techy Hack. What did they find? “We were working on a scenario going from one vulnerability to another. It started with a configuration screen that was publicly accessible. We visited that page via our own WiFi access point that had a piece of JavaScript as its name. That same code was being executed on the page. You could not take over someone’s session, but you could pretend to be someone else. For example for a phishing campaign.” It occurs to me that students with this educational background often win at hack events. What’s his explanation? “Forensic IT teaches you to analyze traces to find out how hackers get access to certain areas. That teaches you to do this yourself.” Hâck the Hague 2018 was another occasion where Erik got an award: 2nd place for Most Sophisticated Hack. This time on his own account. Erik: “Yes, that discovery was a bit haywire. Within a subdomain of the municipality I was looking for a specific application which was known to be vulnerable, and instead I ended up at a reservation system of a sports location. When I submitted that hack, it appeared to be of another municipality.” Nevertheless, Erik got the award.
At secondary vocational training in Computer Networking and Security, he met Olivier Beg, who managed to secure a lot of bug bounties at a young age and is now Head of Research for Zerocopter. Erik: “Olivier and I were classmates, and when he told me about hacking I was immediately interested. That was in 2012, which meant that I started at the age of 16. I must have seen all the banks at the time; that’s also how I got my internship. Via a responsible disclosure I got a job in the Security Operations Center of ABN AMRO. I also discovered a leak in our online study environment. My teacher asked me to present what I found, which I did right there during class. Later I was called in for a chat with the program manager, who had seen that I tried to break in… It was all very new at the time.”
What is it that he likes about hacking?
“You want to know how things work and want to show that something’s wrong. I like going to customers who give me access to their network and leave me to explore it. When I come across, for example, an open account, I take it from there. When I deliver my report at the end of the week, I can show them that I managed to get the highest security permissions within a day. I solely focus on security, whilst they have to keep their company running. Security is not their highest priority. They have to release quickly, which results in inaccuracies and errors. Or they outsource to a service organisation that uses their own company name as the password. Nice and easy. Another tip for domain managers: please don’t put the password in the user manual. This still happens way too often.”
Source: “Cyberellende was nog nooit zo leuk” - Chris van ‘t Hof
Want to know more about Hâck The Hague? Visit the website for more information & registration!