BSides Prishtina 2023 - Live

BSides Prishtina · 2023 · 7:53:41 · 301 views · Published 2023-05
About this talk
BSides Prishtina 2023 live stream
Good morning. I'm going to switch to English, given that we have people in the audience and among the speakers who do not speak Albanian. So first and foremost, good morning everyone, and welcome to the second edition of BSides Prishtina. My name is [inaudible] and I'm truly honored to be your host for the next two days. We have an incredible lineup of speakers and also some amazing workshops, today and also tomorrow. But first and foremost I would like to express our gratitude to the organizers, Mustafa and FLOSSK. FLOSSK is a local NGO who have put countless hours and effort into organizing this event for the second time. I would also like to express our appreciation to the University of Prishtina for hosting this year's event. Thank you. It's great to be back here; the last time I was here was probably in 1997 or 1998. Of course I would like to thank our sponsors as well; without their support we wouldn't be here today. But most importantly I would like to thank our esteemed speakers, some of whom flew from different parts of Europe and some of whom flew from across the Atlantic. We are looking forward to your speeches, to learning from your experiences and so on. Last but not least, I would like to thank each and every one of you. For those who are here for the first time, welcome to BSides; for those returning for the second time, thanks for attending this event.

Before we dive in, just some housekeeping rules. Please take a moment to switch your mobiles to silent mode. We kindly ask you to maintain a quiet atmosphere so we don't disturb our speakers and also your fellow colleagues, and in order to minimize disruptions during the presentations: as you can see there's only one entrance going in and out, so if you need to move, if you can wait for the breaks, that would be great. And then lastly some logistical details: the emergency exit is only through this door, there's no emergency exit up there. If you need to use the restrooms, just across the door there's another door, and then the restrooms are to your left. And last but not least there's Wi-Fi access; I believe it's free, use it at your own risk. So without further ado, it goes without saying that this is a fantastic opportunity to meet like-minded colleagues and professionals, so I encourage you to network during the breaks, and then at the end we will have a networking session. So once again, welcome to BSides Prishtina, let's get started and have an amazing day. I'm going to pass the floor to Professor Reza of the University of Prishtina. The floor is yours, thank you. [Applause]

Dear Vice Dean Professor Krasniqi, dear colleagues, esteemed guests, dear students, it's my real pleasure to welcome you all to the information security conference BSides Prishtina 2023. As the Faculty of Electrical and Computer Engineering, part of the University of Prishtina, we are hosting this very important event, which brings together professionals, experts, enthusiasts and students related to information security. In today's interconnected world, information security is becoming very important; it is becoming a concern not only for individuals and organizations but also for nations, and therefore taking measures to tackle this issue is becoming more and more important. At our university, at our Faculty of Electrical and Computer Engineering, we offer several courses related to information security at Bachelor, Master and PhD level, preparing the next generation of professionals to tackle the challenges of information security. I think BSides Prishtina 2023 will be a great event bringing together experts; it is going to be a point for sharing our knowledge and our approach to information security. We will have inspiring talks, and it will bring together, and build a partnership between, industry, academia and so on. Last but not least, on behalf of the Dean of the faculty, Professor Shabani, I would like to thank the organizers, especially Dardan and his team, and all the guests coming from different parts of the world and making this happen. I wish you all a fruitful and enjoyable conference. Thank you.

I just want to thank everyone for showing up; some people are still sleeping, so they will most likely show up later. I would like to thank Valmir and Japan for really helping out a lot with the organization of this event, without forgetting our sponsors. So I would like to thank Banka Ekonomike, Omotza or AMC, the ones that have built up the leading system; and then Intrigue, Jonathan Cran, who is supporting us for the second year; and then we have Salinas again supporting BSides Prishtina for the second year; without forgetting Sentry, they are back again; and last but not least Permiso. It's a new company, we have Blown here who started working there, and we have our dear friend Daniel Bohannon, who couldn't join us this year. I would also like to thank PentesterLab for offering vouchers for the CTF tomorrow, and Hack The Box, or HTB, which also offered several vouchers. So I would like to announce it again: tomorrow from 9 AM until 5 PM we have the CTF, or capture the flag, going on. We already have plenty of teams registered, so if you haven't, and you want to win some amazing prizes like Flipper Zeros, vouchers for PentesterLab and hacker books, just do it, and win. We also have a little surprise: we have our raffle game. Basically you need to go to the registration desk and get a number, and at the end of the day, today and tomorrow, we will randomly pick winners. We have probably about 14 prizes in the raffle game, so seven will be announced today at the end of the day and the other seven tomorrow. So thank you again, have fun, and never stop hacking. [Applause]

Okay, with that being said, thanks Dardan, thanks Professor Reza. Our keynote speaker is Mr. Yassine Aboukir; he's a white-hat hacker and principal security consultant coming all the way from France. After each speech there's going to be a five-minute Q&A session, so I encourage you to engage, to learn and to ask questions. Yassine, the floor is yours. [Applause]

Test, test. Sorry, change of batteries. Okay, so test, test. Yeah, it's working, man, it's working. Yeah. Hello everyone, thank you so much for being here, thank you for showing up, and thanks to the BSides organizing team for organizing everything and making sure everything is working and running smoothly. [Music] Perfect, thank you. So basically this is my second time here in Prishtina; I was here in 2019 for a different conference, so it's always great to be back here and just enjoy the city.

So today we're going to talk about a topic that is very dear to me, an industry that I've been involved in for a decade: we're going to be talking about bug bounties. I'm going to share with you some insights and lessons that I've learned from my experience doing bug bounties as a hacker, hacking different companies, high-profile companies like Facebook, Google, Apple, etc. And I'm also going to be sharing the lessons that I learned actually managing those bug bounty programs for some of the biggest companies. But before we start I just want to have an idea: how many of you here are familiar with the concept of bug bounties? Can you raise your hands? All right, that's good. How many of you have earned a bug bounty before, a bounty payment? All right, I think this is a good start.

So we're going to talk about it, but before we dive into the topic I just want to introduce myself. My name is Yassine Aboukir, I'm originally from Morocco and I'm currently based in France. I hold two Master's degrees, both of them in management and business, which is very irrelevant to what I'm doing now as a career. It just goes to say that it doesn't really matter what you studied before, as long as you have the passion to pursue what you really like and what you're really passionate about. So right now I'm doing cybersecurity; I do application security consulting, so basically I work with companies to provide them with consulting services, say penetration testing, security assessments and whatever. From 2017 to 2019 I worked as a security analyst for a company called HackerOne, a bug bounty platform; I worked as a triager, so basically I triaged for bug bounty programs belonging to some of the biggest companies, and I'm going to share that experience later on in the presentation. Currently, this year, I actually joined the HackerOne Hacker Advisory Board, so basically my role is just to ensure that the hacker community is well represented and that hacker feedback is incorporated in their products and services. And I've been doing bug bounties since 2013, so basically it's been a decade, 10 years, and I am one of HackerOne's all-time top 20 hackers. Last year I actually won one of the live hacking competitions back in Denver; as you can see in the picture I'm holding the belt, I look like a UFC fighter, I know. So I won first place, which was quite an achievement because it was very competitive. So yeah, that's it.

So now we're going to start, for the people who are not very familiar with the concept of a bounty program. A bug bounty program is basically when a company seeks the help of the security research community. So a company like Facebook or Google wants the help of ethical hackers to find security vulnerabilities in their services and products, so they set up what we call a bug bounty program, which has all the kinds of rules that you should know before participating. And once someone, a hacker, an ethical hacker or a security researcher, finds a security vulnerability, they get paid what we call a bounty, which is a monetary payment. As you can see in this screenshot, this is an example of the PayPal bug bounty program, which is hosted on the HackerOne platform; this is basically how it looks. Every bug bounty program has a set of rules or sections. A bug bounty program has what we call a bounty table, as you can see here in this screenshot. What is a bounty table? It's just the monetary reward that you can expect when you find a security vulnerability in their product: if it's a low-severity bug you can expect this much, if it's a high-severity bug you can expect like 10K US dollars, and if it's critical, this is how much you're going to expect. Every program has in-scope vulnerabilities; these are the security bugs that the company is interested in, that they want to hear about, that they want you to find, so they have a list of those in-scope bugs. And just like in-scope, there are out-of-scope bugs: the company has a list of bugs that they're not really interested in, either because they are informative, or they are low severity, or basically they are false positives. So as a hacker you don't want to look for those bugs, you just want to avoid them, because they're going to be a waste of time. Every program has rules of engagement; these are rules that you should abide by if you're going to start hacking on PayPal. Some of the rules, for example, are to avoid heavy automation: just do not run heavy automation on their products, because you're just going to bring them down. These are the kinds of rules that you have to respect. And then there is the service level agreement; the SLA is just the times that you can expect, like the time to acknowledge your report or your bug, how much time you're going to have to wait to get paid, and how much time you're going to wait to have the bug fixed or resolved. And there is a safe harbor clause, which is optional; people started talking about it recently. The safe harbor clause is basically a legal clause in which the company is stating that as long as you act in good faith, we're not going to prosecute you, we're not going to pursue any legal action against you. Which is very important, because a lot could go wrong.

So as you can see, I'm pretty sure you guys are very familiar with these logos. These are some of the Fortune 500 companies that are running their bug bounty programs; these companies are basically working with ethical hackers to find all those security vulnerabilities that may be affecting their own products. So we have Salesforce, Snapchat, Slack, Facebook, Apple, Google; all these companies have what we call a bug bounty program. So if you have the skill set that it requires and you can find security vulnerabilities in their products, you could get paid a bounty in exchange.

So, how I got into bug bounties; I just want to share with you my story of how I started doing bug bounties. Basically, before, when I was in my teenage years, I was very passionate about hacking; I loved finding security bugs in random software. So I'd just go on the internet, find random software, and just poke around and find bugs in that software. I was just doing it for free because I liked it, I enjoyed it. But what I did is that when I found a bug I'd just basically write up the details and publish it online without even coordinating with the vendor, without notifying them to get it fixed or anything. As you can see here, it was back in 2011, 2014, 2013; these are some of the bugs that I posted on the Exploit Database. If you guys are familiar with milw0rm, for example, or the Exploit DB: I'd find a bug and I'd just post it online without it even getting fixed, which is bad, because this is not how responsible disclosure works. You have to coordinate with the vendor, to responsibly notify them of the bug so that they can get it fixed, and then you can publish your bug publicly. But I was doing it the wrong way, which I call the irresponsible disclosure phase, as opposed to responsible disclosure. Because, if you're familiar, when we're doing bug bounties, or just vulnerability disclosure in general, we have what we call the 90-day rule. So basically when you find a bug you have to report it to the vendor, you have to report it to the company so they can get it fixed, and the company has 90 days to get it fixed. If they don't get it fixed in 90 days, then you can actually publish it, you can make the security community aware. If they get it fixed in a timely manner then you can share the details, but you're not really allowed to share the details publicly before it's fixed, otherwise it's a 0-day, it's going to be exploited maliciously.

So fast forward to 2013. I was just scrolling, reading some news articles, and I stumbled upon an article about a platform called HackerOne, and that now you can actually work with companies, you can hack companies legally and actually get paid for it. Because I was doing it for free back then, that was an intriguing idea, and I just went straight to the HackerOne platform and signed up in 2013.

So I started poking around, and what I found is that they have a lot of open source projects, like Python, Django, Ruby on Rails; basically they want you to find bugs in those projects. But back then I didn't really have the right skill set, I did not have much code review skill, so I couldn't find anything in 2013; I was just poking around, but no luck at all. So fast forward to 2014, like one year later, I found my first bug and I earned my first bounty. It was the dumbest bug I ever found, honestly. It was on Yahoo, and what I found on Yahoo, basically the bug was just resetting the votes. Yahoo has this suggestion board where users can post suggestions and other users can upvote and downvote the suggestion. So I was just poking around, and when you upvote a suggestion there is a parameter called vote value which just increments by one, right? So I was thinking, what can I do here? And I changed the vote value to 1600, which is a long number, and I just clicked on upvote, and what happened next is that I reset the votes to zero. If you can see here, it was like 300, 350, 57, and then zero. This is the dumbest bug I ever found; it was a low bug, but fortunately I got paid for it. I submitted it to Yahoo back in 2014 and I got my very first bounty, which was like 400 bucks. And honestly I did not believe it, because I was doing this for free and now I get paid for it, and I can do it legally: I can hack a company and get paid for it, which is awesome. I couldn't really believe it, so I was like, is this real? I was still in university, and the next summer I just spent it looking for bugs; I spent the whole summer just hacking companies, because this was too real for me.

So let's talk about some common bug hunting methodologies. When you're approaching a target, what can you do, how can you approach a target? From my experience, from talking with other bug hunters, with other hackers, I realized that there are basically four methodologies when you're hacking. There are some people who, when they're looking for bugs, when they're looking for security vulnerabilities, automate everything. They basically automate everything, they don't do anything manual; they've built their automation that they deploy to servers, and the automation just continuously looks for bugs, and they don't do any manual work, which is awesome. But there are other people who do full manual. The full manual methodology is when you're actually going deep on the application and doing the manual hacking without any automation, without any tools apart from some necessary tools like a web proxy, for example. So there are some people who like to do full manual hacking, which is cool. And there are some other people who do what I call 50/50. This is my methodology, which is basically: the first phase of hacking you do with automation; I mean you use a lot of tools to collect data, do some reconnaissance, find some subdomains, DNS data, fingerprinting, all that stuff. And then once you collect that data, you can do the manual hacking; you can use that data to actually start manually hacking and looking for security vulnerabilities on that data. So this is my methodology. And there are some people who do what I call "zero-day all the things". So basically these people go and look for bugs in software that is widely used by companies, for example WordPress; they go and look for a bug in WordPress, a zero-day, and then once they find this bug in WordPress they look for all the companies that use WordPress and then they submit those reports to them. So they basically do security research, find zero-days, and then find all the companies that use that vulnerable software or technology. Sorry guys. Perfect, I don't know what happened there.

So the question here is which one of these methodologies is actually best; that is the natural question, which one should you go for? The thing is that all these methodologies have proven to be effective, they have proven to be successful. As you can see here, in each category there is a successful bug hunter who has made millions just using that methodology. For example, for full automated we have Eric, todayisnew; he's one of the best hackers, he's been very successful, a million-dollar bounty hunter. He doesn't do any manual hacking; he basically built an automation machine that is contin