Max Krupyshev, CEO of CoinsPaid, often says in public speeches that security is one of the company’s top priorities. In practice, this means keeping customer money and personal data safe, complying with regulatory standards, and protecting user interests.

Several departments are responsible for security at CoinsPaid. A couple of months ago, the team was joined by a new employee, an ethical (white hat) hacker, and we were, of course, eager to talk to such a unique specialist. At their request, the CP Media editors will keep the specialist’s identity secret.

Note: there’s a common belief on the web that the terms “white hat” and “black hat” originate from classic Western movies, where the heroes usually wore white hats and the villains wore black ones.

How did you become interested in ethical hacking? What prompted you to start a career as a white hat hacker?

— It’s hard to say that I had a ready-made idea of ethical hacking or white hats in my head. Back when forums were popular, I noticed many times that threads were being created or comments posted on my behalf. At first, I tried to figure out what was wrong and how it was even happening, and my interest developed from there.

I don’t consider myself to have a full-fledged career as a white hat right now. I guess that’s something people who are actively invested in developing tools for preventing or finding vulnerabilities can honestly boast of: the ones who do a lot of research and explore new attack vectors, like James Kettle or Gareth Heyes, for example.

Interview with a White Hat Hacker from CoinsPaid

Can you describe your approach to security assessment or penetration testing? How do you identify and prioritize vulnerabilities in order to address them?

— For the most part, the methodology and approach are described in these documents:

These documents list the main points to be addressed. On top of these approaches, security checklists are added that relate to the specific technology under investigation. 

These are the standard things that form the basis of the main process, plus personal preferences for tools and automation: one person writes their own scanner, another thoroughly automates a particular vulnerability, and so on.

The first thing to check when studying a project is all the evident and automatable vulnerabilities; after that, specialists test for the common bugs related to that type of system. The majority of vulnerabilities start with a bug or some non-standard behavior.

Can you give an example of a particularly challenging security issue you had to deal with as a white hat hacker? 

— Well, there was a Java deserialization vulnerability flagged by Acunetix (a vulnerability scanner). However, it doesn’t provide an open payload, so it can only be removed or exploited further. At first, I had to fumble around with certificates and proxying for quite a while just to remove it and use it on its own. Then I had to write a separate script for payload generation to figure out which gadget chain was used, i.e., the chain of functionality that makes up the vulnerability.

There was a funny case that honestly describes the steps you have to go through in the process. The examined host had a feature for passing the database address as an argument, and by default the address referred to the internal structure of the test bed. There were several vulnerabilities in that functionality that could be tried, but in that case study, I wanted to remove the username and password used to access the database. Any exploitation had to be done from fixed addresses where I had a remote machine. Initially, I just set up a tunnel through the controlled machine, brought up the database container locally, and checked the settings. Everything was perfect: the credentials were transmitted in the clear, and I could easily remove them when I did it locally, but I couldn’t do it remotely. I simply couldn’t establish a connection. I was pretty sure that authentication on the service side was going fine because I could see the requests coming in. I had to check every step of the chain and try all possible variations. Nothing helped, there was no result, and I seriously wanted to give up, but then I remembered the firewall I had installed that morning, and everything fell into place 🙂


How do you stay up-to-date on the latest security threats and ways to prevent them? Do you attend conferences, read industry publications, or participate in online communities?

— I’m subscribed to many security researchers on Twitter, and I actively post and discuss vectors that are gaining popularity and criticality there. 

Conferences have lost a bit of relevance, since watching recordings of them is much more productive, especially as you can replay them locally or calmly analyze the process.

Beyond that, there are chat rooms on Telegram and Discord, and open reports on vulnerabilities. If there’s a critical vulnerability, everyone will hear about it.

What is your experience of working with different software? What tools do you prefer to use?

— Of course, I can tell you most about the tools I’ve used myself. If we’re talking about the web direction, it’s Burp Suite, nuclei, and Acunetix among the big scanners, and plenty of simply cool software like ffuf, sqlmap, httprobe, SSRFmap, assetfinder, and waybackurls.

There are many tools, each of which deserves separate attention and lets you dig deeper into some type of vulnerability and perform quality scanning.
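As an added illustration of how the tools named above are typically chained together (this is example code, not CoinsPaid’s or the interviewee’s own tooling), the script below wires assetfinder, httprobe, waybackurls, nuclei and ffuf into one recon pass. It assumes those binaries are on PATH, that you hold written authorisation for the target domain, and that a directory wordlist exists at the path given as the third argument. The `in_scope` filter is the part a practitioner most often forgets: subdomain enumeration tools return lookalike names such as `example.com.evil.net`, and scanning those would take you outside the authorised scope.

```shell
#!/bin/sh
# Added example: a minimal web recon pipeline built from the tools mentioned
# in the interview. Not the project's own code. Assumes assetfinder, httprobe,
# waybackurls, nuclei and ffuf are installed and that the target is authorised.
set -eu

# in_scope ROOT: read hostnames on stdin, keep only ROOT itself and its
# subdomains, de-duplicated. "example.com.evil.net" and "example.comx" are
# rejected because the regex anchors on the end of the line.
in_scope() {
    root="$1"
    escaped=$(printf '%s' "$root" | sed 's/\./\\./g')
    grep -E "(^|\.)${escaped}\$" | sort -u
}

# recon ROOT [OUTDIR] [WORDLIST]: enumerate -> scope filter -> probe live
# hosts -> pull historical URLs -> template scan -> directory brute force.
recon() {
    root="$1"
    out="${2:-recon-$1}"
    wordlist="${3:-/usr/share/wordlists/dirb/common.txt}"
    mkdir -p "$out"

    # Passive subdomain enumeration, restricted to the authorised root.
    assetfinder --subs-only "$root" | in_scope "$root" > "$out/subs.txt"

    # Which of those names actually answer on http/https.
    httprobe < "$out/subs.txt" > "$out/live.txt"

    # Historical URLs from the Wayback Machine: a cheap source of old
    # endpoints and parameters to feed into manual testing.
    waybackurls < "$out/subs.txt" | sort -u > "$out/wayback.txt"

    # Template-based scan of the live hosts for known issues.
    nuclei -l "$out/live.txt" -severity medium,high,critical -o "$out/nuclei.txt"

    # Directory brute force per live host; output goes to one CSV per host.
    while read -r url; do
        tag=$(printf '%s' "$url" | tr -c 'A-Za-z0-9' '_')
        ffuf -u "$url/FUZZ" -w "$wordlist" -mc 200,301,302,403 \
             -of csv -o "$out/ffuf-$tag.csv"
    done < "$out/live.txt"
}

# Run the full chain only when a domain is passed on the command line.
if [ -n "${1:-}" ]; then
    recon "$@"
fi
```

The scope filter is deliberately strict (exact root or a dotted subdomain); if your authorisation covers several roots, run the pipeline once per root rather than loosening the regex.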


What are some of the training programs or training materials that you have gone through related to ethical hacking or security? 

— I took eLearnSecurity, PortSwigger, and a little bit of HackTheBox (HTB). In my opinion, PortSwigger and HTB are some of the best options for hands-on security training, and they’re also free. 

For practical testing of any technologies or protection methods, I often use ready-made test beds, i.e., standard systems that contain known vulnerabilities. This is always an opportunity to test a particular vulnerability and refine my understanding of its exploitation.

Can you share any tips or recommendations for individuals or organizations looking to improve their security? 

— That’s a very tough question for me. Perhaps the most important thing is not to turn a blind eye to even minor points because, when combined, they can make vulnerabilities much more critical. I can say that the OWASP Top 10 perfectly reflects the typical mistakes.

How do you see ethical hacking evolving in the coming years? What new challenges or opportunities do you anticipate?

— Any new system or technical idea is a potential target for hacker attacks, so there’ll be a countless number of them, I think. Therefore, it’s clear that ethical hacking will only gain momentum. There are now quite a few platforms that make it possible to monetize this process based on pre-agreed conditions and rules that benefit each party.

Author: Evgeny Tarasov
#CoinsPaid #Hacking #Interview