Beyond the Endpoint: My Adventures in API Security Research

BSides Sofia | 25:20 | 180 views | Published 2024-04
Style: Keynote
About this talk
by Vangelis Stykas
Transcript [en]

Hello everyone, can you hear me? First of all, I want to take a picture of you; that's for my mom. She never believes that people come and hear me talk, and the worst thing is that she doesn't have a smartphone, so I have to print this and show it to her that all those people came to hear me. Someone is looking there, okay, cool. So, as the SSID password says, third time is the charm: this is my third time that I talk at BSides Sofia, one of the two BSides that is within driving distance to me, and my talk is Beyond the Endpoint: My Adventures in API Security Research. This is the first talk that

I'm doing that has no exploit, no vulnerabilities, no anything. This is an esoteric talk about my adventures in security research and how the... I'm going to curse a lot; if you have an issue with that, please raise your hand. No one? Okay. So it's a trip of how the [__] I became what the [__] I am right now. Come on, change. No, he decided not to change, give me a second. Come on. Cool. That's me, back when my son thought that not having a lot of hair was cool. I'm the CTO at Atropos, a penetration testing firm mostly focusing on maritime, APIs, IoT and other triple Lal stuff. I'm an independent

security researcher. My research interests are there; drop me a follow on Twitter. I'm not going to call it X, because [__] Elon Musk. And if you want to read about my research, it's on stykas.com when it's not on Atropos AI, because reasons. How it all started: 7 years ago I, together with Mike, who is a really good researcher, created Trackmageddon. It was some really small GPS devices that had no security in mind, so just by changing a number I was able to track and follow 12 million locations, starting ping stuff for fun. No? Okay, I'm going to be there because my clicker is not working. What is security research?

When you're a security researcher, you can find vulnerabilities in anything. You can hope that some of them will pay bounties (spoiler alert: most of them don't), and you can get some internet fame. A security researcher can be using threat intelligence, they could do reverse engineering, and you should have lots and lots and lots of time. These are my arbitrary categories of research. One is the dumb one, what I'm doing: API, web, low-hanging fruit, HTTP knowledge, and you're looking for where the developers are cutting corners. The other one is software: you need to understand the software, you need to find where someone is cutting corners and possibly do a lot of reversing. And the third one is

hardware. Those are the ninja guys that you don't really understand what they're doing: you're doing assembly, you need to understand hardware, you need to understand reversing, and you need to understand a lot of things that I don't, so I'm not going to talk about them. When Perian talked to me a couple of months ago, he said: can you do a talk about whether you can become a security researcher, do a whole trip of what you should do and how we can interact with them, find your internal stuff and understand if everyone in here can be a security researcher. This is a totally absurd question and requires a lot of thinking. No, the answer

is... come on... the answer is yes. That's it, full stop. You can all be security researchers. No, no, you think you're lucky. How do we get started? Also, all my graphics are AI-generated, because I'm bored, I'm cheap and I wanted to see how good it is. It's scarily good. But yeah, how do you get started? How did I get started? I was 12, 13 years a developer. I became a junior, senior, lead, became a CTO and then said [__] all this, I don't like being a manager. I took a huge pay cut and I never looked back. How do you want to go into security research? Learn the basics, get a

solid understanding of computer science: look at operating systems, look at databases and networks, and at least learn the web application fundamentals. Learn your tools. Your tools are the things that are going to help you, are going to find what you cannot understand, and they're going to be the extension of your hands, so familiarize yourself with your tools. What got you here might not get you there, so if for me thearch got me somewhere, I would have to switch to Burp or ffuf or other tools. So don't get overly attached to your tools, but always learn them. And don't always follow the wave: back in 2020 everyone was doing blockchain and they were like, oh, that's

going to be here for the next decade. Well, four years later nobody really cares about blockchain; everyone is "we need to go AI". Go with the communities, go to conferences: BSides, BSides Sofia, BSides Athens, BSides whatever, go to all the conferences. Follow, interact on Twitter (as I said, Twitter, not X, never use X), Mastodon, Bluesky; find people that are close to your niche and interact with them. And you will have to continue: continuous learning, forever. Security is ever evolving, you have to stay updated, you have to follow all the trends and you have to keep moving if you want to succeed in this industry. This is a tricky one. I had a

talk with my friend Omar in here about the holy certifications. It seems that certification is the way to go for most of the people. It was never the way to go for me, but I'm not the typical go-to guy. So go take some certifications if it makes you feel better, go with all the certifications that you feel like. But if you want to go into security: back in 2018 I found out that I didn't like building stuff, I liked breaking them. That's the monumental moment when I understood that I wanted to be a security researcher and not a developer, CTO or whatever else. How do we find our targets? That's a

tricky one, or isn't it? Don't go around hacking random stuff. Don't break the law, I cannot stress this enough. I know that you can find the vulnerability somewhere; don't break the law, and by "don't break the law" I mean don't go around getting other people's data unless you know what you're doing, and if you want to be a security researcher you will need a lawyer. Come on, computers are hard, sorry. Regular research is what I do. No, that's one: bug bounty. It's not what I do, because I was lucky enough to have sold a couple of companies, so bug bounties were not a big thing for me. It can pay some money,

but nowadays the scene is saturated and automated, and you will probably be disappointed unless you are really, really good at that, because most of the payments are going to go to some random people that are amassing all the payments. Regular research is what I do. You have to buy the equipment, you have to buy the IoT, you have to buy the licenses. It's rarely paid, but it could drive a lot of traffic to your company or the company that you are working for, so we're going to see later how we are going to approach that. And this is not a proper way of research, but I had to add it: it's common penetration testing. It's

paid, and the third one is one of the biggest pains in the world: you might find a zero-day that you are not going to be able to publish. And believe me, if you find a zero-day in a payment company that would pay you a couple of million for that zero-day, and you just burnt it for 30k of a penetration test, it's a hugely furious moment for you. No, come on. Build your personal brand, I cannot stress that enough. Create a blog, speak at conferences, create videos. I'm not doing videos because, you see me, I'm not the best-looking guy in the world. And social media is the way to go. Two asterisks

in here. One: before you create your social media and your wave, try to become an actual hacker. Don't be just an internet hacker; have something to show when you create the social media. And also, the number of followers is not connected directly to how good a hacker is, how good a security researcher is. One of the best security researchers that I know, a four-time DEF CON speaker and a really good hardware hacker, has 400 followers on Twitter. I know of people whom I don't respect that have hundreds of thousands of followers on Twitter. So yeah, keep that in mind. What the personal brand will give you: increased visibility, a lot of opportunities and, unfortunately, trust

and credibility. That doesn't mean that whoever has a personal brand should be credible, but this is how it works. Speaking: this was my first talk, four and a half years ago, 2019, BSides Athens. This one is my first keynote, so I wanted to have the whole trip from a random speaker that was mostly accepted because I was also Greek, to becoming a keynote speaker, which is something big, I guess. It may not seem obvious to you, but I don't like speaking to people. I'm an introvert. Getting to speak is different than speaking to random people; the introverts are accepted in here. Of course it's outside your comfort zone, and you have to learn to

tell stories, which is also a really nice thing if you have kids, because I'm using most of my speaking to put them to sleep. I hope I'm not putting you to sleep, though. It will greatly influence your personal brand, it will enhance your reputation and it will increase your visibility as a security researcher. Disclosure. How many of you understand Greek? No one? Okay, I'm going to use a universal word, I hope you understand it. This is the global rule of

disclosure. When you're disclosing something, reports should be able to replicate the issue: you should be as detailed as possible, you should give enough time for them to fix it, and you should also never be a malakas. I know that you found it, this is a huge thing and you can take over all the servers; this doesn't mean that you have to bully the person: "oh, go fix it". He will fix it, he knows that this is an issue. But be prepared for a fight. Don't be a bug bounty guy: when you report something, you report it because you are a security researcher, not because you want money. Yeah, I get it, it would be nice if he gives you some

money. And also be prepared not to disclose. A couple of years ago I found an issue in a medical device. That medical device was not patchable. It meant that if I disclosed, I would literally be disclosing a remote kill switch for a couple of thousand people. I didn't do it, because one, I'm okay out of jail, and two, I didn't want to kill people. That's for the companies, not for the people: when you're responding to a disclosure, vulnerabilities will happen. I know that you feel that your product is the best product in the world. It might be, but vulnerabilities are there and are going to happen. When someone is giving you a disclosure,

they're helping you. Even if he's being a dick and he's not that good, he's helping you. Be kind, be thankful, understand that this disclosure probably made you some money, because it could be a way worse save, and give him some of it back. Don't press charges against him or force them to do illegal stuff, like Uber did four years ago. IP: this is not the IP that you're thinking, this is intellectual property. When you're doing some kind of intellectual property, like research and everything... is anyone here in academia? Oh, there are some, happy. I'm also somehow in academia. As I see it, much like academia: don't share it. Trust the

people, but verify that they should be with your research. In the scene there is a mixed bag: there are a lot of people that will help you, they are there to help you, but there are also a lot of people that want to get that research from you and use it to their own advantage. So be smart and always use your name. If you are in a company, never accept your company to be like, I don't know, X researcher or Z researcher; you should always say "Vangelis Stykas of X did that". If you're a company, pay the freaking researcher. Don't remove the employee's name: he found it, you paid for it, he's going to say... the researcher should say

that it's under your employment, but it's him who found it, and if you make some money off it, pay for it. AI. Who's into AI? No one? Okay. The past year, here with ChatGPT, everyone is like: AI took our jobs, AI took our jobs, we don't like it. Yeah, don't worry, or at least worry but adapt. Use it to your advantage, have it do all the legwork. It can do a lot of things: it can do reporting, it can summarize reporting, it can get a lot of things. And also, if you are looking at ChatGPT, they're finding things that we found in the '90s, that people found in the '90s. I wasn't... I was

a baby in the '90s. Okay, okay, I wasn't a baby, but yeah. So find the web application stuff that was in the '90s in the AI and get paid by ChatGPT; a lot of people already did it. Ethics. Ethics: anyone in the field of ethics in cyber security? It's a really interesting field. What are the potential issues? Okay: accessing other people's data and devices; conflict of interest, and by that I mean if you found and hacked someone, then don't go and get paid for it to do a gig, this is a conflict of interest; overstepping legal boundaries, this has a lot, and I mean a lot, of issues. You're going as high as you get, you're

going to get a lot of pressure from both government and corporate. You have to do responsible reporting, and you have to decline disclosure from time to time. Can you think of a way that we need to handle all those ethics issues? Anyone? It's again, for the ethics part: don't break the law. Again, I cannot stress that enough. You will be able to break the law really easily. If you are like me and you want to break the law from time to time because you are a malakas, take a calculated risk. If you end up talking at DEF CON about you breaking the law and then three-letter agencies come talking to you, cooperate with them. I cannot stress that enough: if

someone says three letters that you don't know and they say "you need to talk to us", cooperate with them, talk with them, listen to them, and then become their friend, I guess. And we're getting to the difficult part. Let's talk about the elephant in the room. Back from 2020 and the pandemic and COVID and everything, a lot of people had a lot of mental health issues. You have to... if you are in the... the me and the people who need me, who have mental health issues, you want to have someone to be there for you. If you don't have mental health issues... I was lucky enough to have a family, to have a proper grid of help, and

I didn't have any mental health issues. I had to be there for everyone. I could not depend only on the company well-being treats and everything, and pizza and [__]. I had to be there for everyone, or for the people that I like. And this is something that I really like saying: we are all that we have, we cannot depend on anyone else other than ourselves. Why do we have the mental health issues? As I said, we have a lot of ethical dilemmas. A lot of the things that we do, like OT, like nuclear plants, like a lot of other stuff, have high stakes. Most of us had imposter syndrome from time to time, and we have to be

constantly vigilant for everyone else. So we have to be vigilant for ourselves, we have to be also vigilant for other people, because we are trying to defend or attack or do things for other people. And we're getting to the imposter syndrome. The imposter syndrome is something that we all have been there, we will be there, we were there and we probably are there from time to time. This usually arises from new roles, some of you are perfectionists (I'm not), and from the high expectations that we have of ourselves. How do we solve that? We need to acknowledge our feelings, we need to assess our abilities realistically. I know that I wanted to speak at DEF CON back in 2019. This was

not a possibility that would ever happen. I had to travel the whole thing, I had to be at BSides and others, I had to be in a lot of things, and then become a better person. I'm not good enough still, but I'm better. I need to set realistic goals, adjust them over time, and I have to stop comparing myself to others. I'm 42 now and I'm really happy because a person called me and said, oh, can you keynote at BSides Sofia? Barack Obama, when he was 42, was the president of the United States. So yeah, you get the point: we cannot really compare ourselves to everyone. And to close that, it's okay not to be okay. If you

feel that you're not okay, please reach out. I tried to find out if there was a Bulgarian line; I failed miserably, because I'm not good enough. But if you have an issue, if you feel that you're not okay, if you feel that you want to hurt yourself, please reach out to someone to help. This is really, really, really basic; you should do it. And we're getting to the end. Final thoughts. Be consistent; I cannot stress that enough, you have to be consistent. I have a 3% success rate: from the 100 APIs that I look at, three and a half are vulnerable. This doesn't mean that I fail 97% of the time; this means that I

succeed 3% of the time. Participate in whatever you see: BSides Sofia, forums, Twitter; be as participant as possible so that you can get help. Never stop learning. Learn by doing. I really like learning by doing, I don't like reading stuff; that's probably why I never finished my PhD, because I wanted to do stuff and I didn't like to read. And prepare for challenges. Find your niche. You cannot judge a monkey on how it swims, as you cannot judge a fish by how it gets up a tree. Once you have the niche... I have found the niche, it's the API. When you are finding it, consider your market demand. Right now, the AI:

everyone wants AI. If you understand AI, it's a no-brainer, you need to go to AI. Identify your strengths, assess your interests, do what you love and then you will love what you do. Thank you guys.