Interview with Hacker-extraordinaire “Jarvis”, Cyber Security Engineer at Hacken
With all of the recent hacking attacks swirling around in the news, we tend to lump all hackers into one group of bad apples trying to steal users’ personal information, financial assets, government data and anything else they can get their hands on. However, not all hackers have joined the “dark side”; many are working to make sure that the vulnerabilities that exist in the government and commercial sectors are identified and remediated.
One such hacker is Jarvis, a security engineer at Hacken and a well-known ethical hacker. He regularly participates in bug bounty programs and has found vulnerabilities in the websites of government organisations such as the US Department of Defense, multi-billion dollar blue chip companies such as Capital One and Badoo, and many other organisations. Jarvis is also working on building HackenAI. His role in the project is to create a safe architecture for the app, suggest new useful features and constantly monitor the hacking community for the latest developments.
To understand the state of the cybersecurity industry and to learn the details and reasons why HackenAI is needed in today’s internet-connected world, we recently sat down with Jarvis to discuss his experiences in ethical hacking and advice he would give to businesses looking to defend their systems against data breaches.
Interview with Jarvis, Security Engineer at Hacken
Hacken: How hard is it to hack into some of the blue chip companies out there?
Jarvis: First of all, we have to understand that the most vulnerable points for any company will be the employees who are targets for social engineers. The human factor is very hard to defend against and the more employees a company has, the more options the hacker has in order to infiltrate the system with a phishing attack or something else. One small bad decision can lead to a complete shutdown of the production processes.
With HackenAI, we plan to implement features that will alert users that they might be subject to a phishing attack. The range of these will be regularly expanded to increase the level of user safety and improve “cyber hygiene”.
As far as the technology is concerned, businesses are hesitant to spend a whole lot of money on testing and security because it comes with added costs and does not bring in any money. The larger companies tend to have more robust security than small and medium sized businesses but this is something that has to be constantly kept up to date and monitored and this incurs additional expenses.
Hacken: You mentioned HackenAI, could you tell us a little bit about it and what was your role in the project?
Jarvis: HackenAI is a new product that will help keep an eye out for the users’ cyber security. My role in the project is to build a safe architecture for the app, test it for overall safety and recommend new useful features.
Hacken: Speaking of hackers, there’s quite a network of hackers out there. Do you guys share information and secrets over the internet?
Jarvis: You have to understand that there are different types of hackers out there and each of them has their own community. So white-hat hackers have their own community, black-hat hackers have a separate community and so on. These communities rarely intersect because they simply have different interests. For example, white-hat hackers are looking to help companies find vulnerabilities and will therefore discuss something like new bug-bounty programs, recent vulnerabilities that were found and things of a similar nature.
Black-hat hackers are looking to sell information that they stole from companies, perhaps declare that they are available for future hacking attacks and other illegal activities. This is not done openly, but rather through means of encrypted messages, the dark web or other methods of avoiding detection.
So to answer your question, information does get shared, but it will be done within the confines of one community who has similar goals and interests.
Hacken: You have found some vulnerabilities in government agencies in the US and other countries. How would you assess the level of security in the government sector?
Jarvis: Yes, I participated in several competitions involving US government websites. There were times when the hunt for vulnerabilities resembled a scene out of a science fiction movie because the attacks were multifaceted in their development until a certain goal was reached. I would constantly tweak or even rewrite the test scripts to see if this would detect something. While neither I nor the other participants involved received any money for this, it was a very rewarding experience. I cannot go into too much detail because this is private information, but sometimes we uncovered very serious vulnerabilities via SQL injection, authentication bypass, IDOR, SSRF, access to S3, local file inclusion (LFI) and other methods.
I would like to share with you one interesting scenario I had to deal with. One time I reported several connected vulnerabilities. While the first one was being fixed, access to the other ones was blocked off, which made them impossible to confirm. Even though I was initially denied points for discovering the second vulnerability, I was later able to bypass the fix made on the first vulnerability and could once again exploit the second vulnerability.
However, I would like to say that the most critical assets concerning homeland security are very well defended. In comparison, I participated in similar hacking events involving the more ordinary Ukrainian government sites and the situation was much bleaker.
Hacken: But it is not possible to create a website, app or product that is 100% secure, is it?
Jarvis: You are exactly right and if some company tells you that they are unhackable, they are lying. It’s like trying to name the highest number possible: whatever number you say, I will say something higher. In other words, no matter how smart you are or how great your team is, there will always be somebody smarter and better.
In fact, the advice that I give development teams is to develop the product with the assumption that you have already been hacked. This means that you must make it as difficult as possible for the hacker to get their hands on user data and otherwise wreak havoc inside your app or website.
Hacken: Recently North Korea has been in the news regarding hacking attacks on crypto exchanges. How can we combat this threat?
Jarvis: In order to prevent hacking attacks from North Korea and other rogue states, we need to understand how they operate. They have an elite team of hackers who are assigned a certain number of crypto exchanges that they have to scan and try to find vulnerabilities in.
The vulnerabilities that they find and exploit are things that can easily be detected even by automated testing. There is a reason why hackers do not target the cryptocurrencies themselves or even the wallets directly. Crypto exchanges simply need to do a better job of creating a more resilient platform, securing transactions and authentication, and educating their users about security.
Hacken: What recommendations would you give to businesses who are looking to beef up their cyber defenses?
Jarvis: I think we should start with basic “cyber-hygiene”. This means simply rotating your passwords, two-factor authentication, anti-phishing codes and educating employees about the types of cyber threats out there. As far as the IT infrastructure is concerned, it is important to make timely patches and upgrades. If you have physical servers, be sure that they are monitored with 24-hour surveillance.
If you are creating an application or other product, be sure to take into account the security standards of the SDLC. Like I said before, start with the assumption that you have been hacked.
Combating threats using HackenAI
Jarvis and other team members at Hacken are constantly working to combat new threats posed by cyber criminals. HackenAI, the upcoming 360° personal cybersecurity assistant mentioned by Jarvis above, will be useful to anyone looking to enhance their “cyber hygiene” and improve their overall security. With the expertise and experience of Jarvis as a hacker, HackenAI will protect users more effectively.
Stay tuned for new updates about HackenAI, as it is scheduled to be released early next year.
Hacken Twitter: https://twitter.com/Hacken_io
Hacken Telegram: https://t.me/hacken_en
Hacken Reddit: https://www.reddit.com/r/hacken/
Hacken Website: https://hacken.io