An Interview with Mr. Dependent of Defencely.com : Tushar. R. Kumbhare

1. Introduce yourself:
Hello EHN readers and everyone else from the World Wide Web Community, I’m Tushar Rajhans Kumbhare from India. Probably, your next question would be related to my work, so here goes: I am pursuing a B.E. degree in Telecommunication & Electronics.

At the moment, I am awaiting my study completion, which is going to take a while. However, what I actually do right now, and something that has become my destiny as of the last few weeks, is my role as a Security Analyst and Pen Tester at Defencely.Com.

I am too chatty, aren’t I? To cut it short, Defencely is India’s number one and upcoming online cloud penetration services company. Prior to joining their team, I was independently working as a security researcher, and got several awards of recognition from:

• Microsoft
• Apple
• Adobe
• RedHat
• PayPal
• ZenDesk
• Weraki
• Avira
• iFixit
That’s about it… I guess.

2. How did you get into Information Security Field?
Yeah, that is an interesting tale. Generally speaking, I belong to the modern generation, where kids are fascinated with the idea of computers, website hacking, security intrusion, whether good or bad, and reverse engineering. I guess it kind of gives them a sense of control and purpose in life.

However, there are hardly any cases when these “kids” grow up to pursue their dreams. I, for one, loved the idea of computer and website hacking. Not that I was a hardcore hacker; I did things ethically and wanted to become part of the good guys team :P

I just got my laptop 3 years ago. Before that, I was using computers at par level. It is unbelievable, right? It took me 3 years to get better at online security penetration related stuff. As the story goes, there I was in my 2nd Semester’s Programming class. They have that mandatory C language course for everyone.

The first day when I was in the C language lab, I was the only student sitting in front of a computer that wasn’t even powered on. How so? I didn’t know how to turn that “darn PC” on. The snobbish teacher walked up to me, thinking that I was just wasting her time, and said, “Why don’t I see you writing any program like the rest of the class?”

I hesitated. By then the dialogue took a wild turn when I admitted to knowing nothing about powering on computers. Her words, “What” and “Get out of my class, young man”, still echo in my head. Besides, I was the laughing stock of the entire university for about two weeks.

My parents were very supportive of me. They spent a chunk of their savings to buy me a laptop. Since then, I have been pursuing my fascination, which is computer and website hacking. From then on, I scavenged all kinds of knowledge about Hall of Fame security acknowledgements.

Hard work and persistence took the better of me, and there I was, trying to get listed on these company pages.

3. Why did you choose to become a Security Researcher?
Curiosity is the harbinger of dreams - (I just came up with this quote myself. Dibs on that) I already said that security research always inspired something in me. Therefore, I set off to develop my “how stuff works” mentality. My long term goal was to get listed in various websites’ Hall of Fame pages. They have these pages set up for security analysts; anyone who points out a vulnerability in the system.

But it wasn’t easy. Endless nights and countless hours were spent to achieve this dream. I worked diligently and was finally able to become part of a society that believes in making the internet a better place for all.

4. How did your first vulnerability report go? How did you find it and what did it feel like at that time?
I’m very glad you asked that question. No one forgets his first encounter with a big company. For me, it was Microsoft back then. After detecting a vulnerability in their network, I reported it without any hopes of seeing my name at their website’s Hall of Fame section. Time went on, and one day I got confirmation from the guys at Microsoft. They thanked me as their company’s custom goes.

It was the most wonderful moment of my life. I was ecstatic, speechless, happy and downright surprised at myself. The incident sparked confidence in me and motivated me to pursue cloud penetration professionally.

Here I’d love to tell all aspiring security analysts that you are your own boss. The so-called “experts” will not only laugh at you, but they’ll also refuse to help you. People hardly part ways with their knowledge in this field. Therefore, you have to work hard, and one day you’ll overcome your dreams.

5. What's your research that makes you especially proud?

Three months ago was a “Bug Hunting and Reporting” season for me. I’m not talking about pesticides and actual insects lurking around; it was kind of a virtual online thing. Jokes apart, it took me a lot of time to cover the gaps. No one guided me or helped me; all upcoming security researchers know this by heart.

The crux of my research is to manually scan any online resource for security threats, and then report it to the concerned authorities. Other than computer related stuff, I also submitted a research paper on Einstein’s Theory of Relativity in 12th Standard. They thanked me and gave me a certificate. I guess this “research” factor comes to me by blood :P

6. How do you feel after being part of Defencely?

How did I feel? I can’t give words to my feelings. First of all, Defencely is the only cloud penetration services company that purely hails from India. There are others too, but most of them are headed in the U.S. of A, with some team members scattered around in India.

So it was a big deal for me to be a part of a network that belongs to my country. Defencely also inspired me to chase my dreams with due diligence. Besides that, my parents were damn proud of me… at last. I was kind of a lazy bum in studies, so my dad started doubting my future. I’m going to dedicate the rest of my time and effort to Defencely and brute force ethical standard hacking.

7. What is your advice for new bug hunters?

Dear brothers, I know it is quite easy to give advice, but bear with me. As an upcoming security researcher of high caliber, you have to throw yourself at it. No one is going to teach you or hold your finger.

Keep in mind the high competition factor and make the internet your new teacher. On your way, you’ll meet all kinds of people. Some of them will vow to help you but they won’t. Others, though EXTREMELY rare, will give you in depth knowledge about hacking and security assessment. That’s about it. The rest of the stuff, you’re going to have to handle it on your own.

Stay motivated and don’t lose hope, no matter what kind of field you are interested in. By the way, start immediately with OWASP standards. Move your skills across WASC classes and learn anything that any online tutorial has to churn out.

Got it? Why are you still here, then? Go and start your work!

Here’s another one of my chin up speeches for you: To be successful in this field (or any field) you must have a positive and “can do” approach in life. Don’t let haters and their negative energy take you down. You will feel like a loser every now and then – this happens, but don’t give up on anything.

As a matter of fact, you can connect with me on:

8. What do you think about E Hacking News?

EHN is a great opportunity for anyone who is connected to the internet. Granted that you are contributing to someone or something and it is related to the scope of this website, talk to their super friendly admins. They will love to interview you; expose your skills to the world and help you meet fellow community members.

Already EHN has created buzz with its published content. I can only wish you guys all the best for your future endeavors.

9. Is there anything else you like to add?

I would like to add a few things here. First of all, a very special thank you note goes to Mr. Ritesh A. Sarvaiya, CEO and Founder of Defencely.Com. His character and role definitely bypass that of a CEO, which itself is a big responsibility these days.

Ritesh Sir (as everyone likes to call him) has a knack for finding talent all over the world. One thing that I love about him is the fact that he is one of the very few people who would go to extremes to give your destiny a shape. As long as you have the talent to show for it, and something that Ritesh Sir can work on, you’ll have it.

Atul Shedage. To me, Atul is like a brother and a great mentor. He is CTO (Chief Technology Officer) at Defencely. We have already heard a lot about him. He is the youngest Indian CTO to receive multiple awards of recognition from many online companies.

Lastly, I would like to thank Sabari Selvan; EHN website webmaster and owner. Without his unmatched support, I wouldn’t be here talking about my dreams and everything that you just read. Thanks Sabari, and good luck to you with whatever you are up against in life. A bunch of appreciation also goes to the entire Defencely and EHN panel. You guys rock.


E Hacking News Exclusive Interview with Aditya Gupta, co-founder of XY Security

Today, E Hacking News interviewed Aditya Gupta, one of the famous Indian security researchers and co-founder of XY Security. He has been listed in a number of Hall of Fame pages for hunting bugs.

*. Hi, Please introduce yourself to EHN readers.

Hello, I'm Aditya Gupta. I'm a security researcher and also the co-founder of a security firm named XY Security. I also like hunting for bugs whenever I get time, and have found serious vulnerabilities in websites such as Google, Microsoft, Facebook, Apple, Adobe, PayPal, WebKit, iOS (WebKit and iOS patch yet to be released) and so on.
I've also developed the mobile exploitation framework, Android Framework for Exploitation (AFE), along with my partner Subho Halder. That, I think, says much about me.

*. How did you step into this InfoSec field?

Well, I stepped into this field a few years back when I was preparing for my IIT-JEE in Kota.

So, instead of attending my classes in Bansal Classes, Kota, I ended up having night-outs in cyber cafes there, and learning more and more about hacking.

Even when I got admission to my college KIIT, Bhubaneswar in Electronics, most of my time went into exploit writing, programming and finding new ways to break the security of various devices and platforms.

It just started as a curiosity, and for fun experience, but now it has turned into my full time profession.

And you know, you should always do what you love. That's what I recommend to everyone.

*. Cool, you are an ECE student?!
Yep. Mainly because apart from hacking, I am also interested in electronics. And it turns out that if you combine hacking and electronics, it's an amazing duo.

You get to learn about the internals of everything, and it becomes more interesting to find security holes.

That's why I have recently published a research paper on ARM exploitation titled "A Short Guide to ARM Exploitation" along with my friend Gaurav Kumar.

*. You have discovered security flaws in a number of high profile websites, what's the most memorable vulnerability you've discovered?
You know, the most interesting vulnerability I discovered was the Facebook one.
It allowed the hacker to remotely and silently record videos from the victim's webcam and post them to his timeline, without the victim even knowing about it.
And one more interesting one was on Google+. It wasn't very severe, but it allowed the hackers to trick victims into updating their status. That was when Google+ had just started. And I think I may have saved it from a lot of spam campaigns, which you used to see on other social networks like Facebook earlier.

*. What is your favorite part of InfoSec, WebApp Pentesting or Mobile Hacking?
I would say that WebApp sec is surely the most interesting one, and you get a lot of satisfaction when you find high level bugs in a client's website or get bugs in a website offering bug bounty.

But my personal opinion would be Mobile Hacking. And I believe that mobile would be one of the most growing areas in security soon. And you know, that's why I started working on AFE, and I plan to make it really big in the coming future, one of the de facto frameworks for mobile exploitation.

For that, I will need a lot of contribution from the infosec field. That is one of the things I'm looking forward to.

I would also like to point out one of the upcoming features of AFE, if you don't mind, which will be included in the next update on March 5th, is exploitation of vulnerabilities in applications.

So, it would be like, you just specify the name of the application - say Facebook Android app, and it would show you, if there is any available exploit for it, and boom, the next second, you will be exploiting the vulnerability.

Also, one could find a lot of vulnerabilities in Android apps using the framework, so that I believe is one of the reasons the infosec community would be interested in it.

*. Really interesting. Is AFE open source? Where can I find further details?

It's completely open source. You can find it on GitHub here: http://github.com/xysec/

Also, you could have a look at some details: http://afe-framework.com


*. Tell me something about your company XY Security

It's a company I've co-founded with two more of my friends: Subho Halder and Gopinath Danda.

We provide services like Penetration Testing, Application Audits and especially trainings.

We also present our research and give trainings at international security conferences such as Black Hat, ToorCon, OWASP AppSec, SyScan, Nullcon, ClubHack and so on.

We are based in Bhubaneswar right now and we have a small and amazing team with people who are really passionate about security.

*. Recently, you conducted the Advanced Android and iOS Hands-on Exploitation course at OWASP AppSec AsiaPac 2013. How was your experience with AppSec AsiaPac 2013?

Well yeah, I had a training over there. It's a nice conference; after all, it's OWASP AppSec.

They are more of a global conference, with international speakers, so I got in touch with other security researchers in person, and it's a nice experience overall.

Unlike my earlier trainings, this one was more of a hands-on one, for which we provided virtual labs and code samples for all Android, ARM and iOS.
Also, Jeju Island (the place where this conference was held) is an amazing place.

*. What's your research that makes you especially proud?
Well, I think I have contributed to and researched Mobile Security, especially Android, more than anything else.
That is one of the things I'm really proud of having done.
But, you know, one has to keep doing new stuff, and trying out new things every day.
That is how I keep myself busy all the time. But yeah, it's fun.

*. What is your advice for newbies who are interested in the infosec field?
All I would say to them is to be really passionate and dedicated about whatever you are trying to achieve.

Keep learning something new everyday, through blogs, forums, articles and websites.

Don't settle for using tools to find vulnerabilities; unless you learn manual hacking methods, you won't learn anything new.

A tool is really helpful, but only when you understand the functionality behind it.
And yeah, my best wishes to all the ones who are new in this field. Just work hard, and nothing is impossible.

One last thing, you'll surely get criticised at some point or the other in whatever you're doing, just don't give up, and prove yourself!

*. Students used to ask me how to become an ethical hacker and get jobs related to information security, so can you give some advice to them?

To become an ethical hacker, I would suggest you learn about hacking and exploitation, and try it out on various vulnerable targets such as WebGoat, Mutillidae or Metasploitable.

And then one could always go for certifications such as OSCP, SANS and so on.
The only thing that matters if you apply for a job is how much knowledge you have. Also, choose a language of your choice, be it Python, C++ or C#, anything, and code in that language. It will help you a lot if you're looking for jobs.

Because,
Good Programmer + Good Hacker >> Good Hacker

*. It is nice to talk to you. What do you think about E Hacking News?
Well, it's a great website and keeps me updated with all the security news all over the world.

Also, as a media partner of most of the top conferences in the world, it's surely one of the websites I would recommend to everyone.
Really a nice job.

*. EHN really thanks you for spending your precious time. Is there anything else you would like to add?
I think I told most of the things I wanted to, with my really long answers.
Thanks a lot for your time as well.

E Hacking News Interview with the hacker group NullCrew

Today, EHN had an interview with the hacktivist group NullCrew, who recently leaked data from the UN, Wasatch and the Wisconsin University site.

In the past, the group breached the World Health Organization (WHO), PBS, UNESCO Etxea, Ford, DHS's Study in the States, Sharp Electronics UK, the University of North Carolina, Yale University, South Africa's leading ISP directory site and more.

Why did you attack those sites?

These servers are a part of the system, a system which is run by corrupt rich assholes. They mostly use their money for themselves.

No donations to the people who need the money, and if they do; it's just so people look at them in a kinder way, only for publicity.

Wasatch is a partner of Microsoft, run by Bill Gates; it was to target them as part of the system, their under the table dealings. The way they treat employees, take full credit for certain things.

The United Nations attack, mainly because the UN is all nations together. And all nations are corrupt, whether the people see it or not; that is something we wish to stop. Those are the reasons.

wisc.edu became a target when they committed animal cruelty.

What kind of methods did you use?

The methods were all SQL injection of different techniques. WasatchIT and Software were on a shared host, two of the websites hosted. The server contained SQL injection, and the databases displayed WasatchIT and WasatchSoftware.


We exploited [wisc.edu] via b-sqli. UN.org had a MSSQLi behind a WAF, which we had to bypass to gain access to the databases, and the data itself.

What is your Next target?
Our next big release will be on February 14th, yes, yes; VALENTINE'S DAY! It'll be the official release of #FuckTheSystem Valentine's Day, and one target I will tell you is the Pentagon.

But our next single release will be a multiple target release, on United States government servers; retaliating against #OperationFastAndFurious. How many more need to die, from weapons the government is putting into criminals' hands?

What is your ultimate goal? What do you hope to achieve by hacking these websites ?
Our ultimate goal is to make the people of the system stand and revolt, and to prove that #FuckTheSystem is not a joke. For people to finally live without fear, to be able to bring others into the world without fear.
 
Have you seen any results after your campaigns?
After our UNESCO Etxea defacement, with the song "Everything Is Corrupt", there were comments upon comments from people posting #FuckTheSystem from whatever country they lived in. So yes, we have seen results.

How many websites did you hack so far?
To be honest, at least 150+. We've outlived most groups, and been highly active.



An Interview of Indian hacker D1617 64 (The Founder OF T|RA)

1. Introduce Yourself to our Readers
I'm D1617 64, an explorer, founder of The Revolutionary Army and Brothers of 64, and one of the core members of Team Open Fire,
who always fires on the corrupt sector.


2. What is the significance of your hacker name and why did you choose this name?
Okay, there are 2 reasons. As I say, I am always trying to fire on the corrupt sector. D1617 64 = 64, and if I write 64 as 6+4=10, there are only 1 and 0:
1 is for bringing revolution
and 0 is for destroying corruption.
That's why I chose my name D1617 64.

3. When and why did you start hacking?
I started hacking just about 1 year ago. When I was in class 9 my father gave me a desktop for study, and I started learning many programming languages. After class 11 I saw a lot of corruption on the internet, like many websites blocked me and many times I did not get access. According to me, information should be free for all. After class 12, when I got admission to college, I started hacking.

4. What kind of hacker do you consider yourself to be?

It's difficult, but I call myself a grey hat.

5.What is your favorite hacking method?

There are many hacking methods, but most of the time I am working on Metasploit, yeah Metasploit. I have got amnt scada, root access using this msf ... and networking is my favourite field. If people have good knowledge about Metasploit, then he/she can play with anything.

6.tell me something about The Revolutionary Army
We are fighting against corruption and the reservation system put in place by the government.
We will fight to make education free for all.
This team was formed by 4 students, but now T|RA has 12 members ... and we always study our mission.
As you know, in IIT the government makes reservations for SC and ST. Because of this reservation system many poor general-category guys can't study in IIT.
After December, #op remove reservation system will start.


7.Is there anything else you would like to add?

My favourite hacker is Jonathan James.

Interviews with Hackers: Today, interview with PrOtOn_An0n



Hello EHN Readers, today we interviewed the Anonymous hacker "PrOtOn_An0n", who has taken down several child porn sites. Recently, he took down 89 CP sites. You can find him here: @PrOtOn_An0n

*. Introduce yourself to our Readers:
Hi, I'm PrOtOn_An0n, and for the last couple of weeks I've been combating child pornography and pedophiles on the internet.

*. When did you start hacking?

My first hack was in primary school. I think I was 11; I found out that I could get into the admin of a program called Lexia, which was some education program thing, so I changed the information for a couple of people, and I’ve been picking up things ever since. But I no longer hack. I find that the operations I'm involved in work out better without hacking.

*. How many CP websites did you take down so far?

101 exactly

*. Are you working alone or as a team?
At first I was working alone, but I felt that it wasn't like Anonymous to work lone-wolf, so I compiled somewhat of a team.

*. What about scammer and spammer sites, will you take them down also? Because I used to take down scammer sites.

Actually that sounds like a good idea. After we take down all the CP sites we can find, I will most likely start downing scammer sites.

*. What is your next operation?

I probably won't be starting another operation until we have taken every single CP site off of the internet, which might take a while. But I would like to work with some already existing operations like #OpPedoChat, because I've already worked with #OpDarknet.

*. It is nice to talk with you. What do you think about EHackingNews?
I've actually been reading it for a while; if I want news on hacking or Anonymous, I usually go there.

*. Is there anything else you would like to add?
Follow the team working on this op for more news: @Anti_CorruptUK @Anon_Antra @uk_anonymous

[Interviews with Security Experts]: Ashish Mistry, founder of HconSTF

Hello, EHN Readers. Today, we had a great talk with Ashish Mistry, security researcher and founder of HconSTF. He also provides training in the information security field to IT professionals, management professionals and IT students.


Please introduce yourself to our readers.
Hello all, I am Ashish Mistry. I am an individual security researcher, and I have been training people in the infosec domain for more than 2.5 years now.
I run a site called www.Hcon.in and have a couple of security related projects like HconSTF - Hcon Security Testing Framework.
Nowadays this is what I am known for. Besides that, my interests are OS, open source intelligence, and social engineering.

* Can you describe more about the HconSTF?
It's a compilation of tools, scripts and customizations on a browser's code base to provide an easy and powerful testing environment for web testing, vulnerability analysis, code analysis and much more. Nowadays I am getting more responses on HconSTF for its use in client side vulnerability testing and more. Currently it is a baby project, but it is quite stable and reduces the effort to test things.

* How did you get into this field?
As a base, I am from the electronics field, and during my second year of college my professor gave me the chance to take lectures for Bachelor in Computer Application students, as I am a computer geek, and this is how it all started. My first lecture specifically on information security was on cryptography and the Linux OS. Once I was done with my college I got into training and research only, took lectures in different colleges and institutes, and now here I am.

* Have you done any certifications?
I don't have any information security domain related certs; whatever I have is my own time and love for security, but I got a lot of recognition from different people and organizations for my research and the things I do.

* We have heard that you started a new PenTesting Magazine; we would like to know more about it.
It is one of my long awaited public projects; currently the name is 'Hzine'. It will be a free PDF magazine, maybe monthly. The idea for this magazine is to have a theme for each issue, to make the magazine a quality, content rich resource for beginners and security professionals.

The first call for papers (CFP) is out and the theme is operating systems; the plans are to have articles on different sectors from the security domain. More info can be found at http://www.hcon.in/hzine.html

* What can we expect from the new release of HconSTF?
I got many requests from different people for some more automated features, but my point is that if we are auditing mass web resources then automation makes sense, but as I already said, for client side testing you have to have the control in your hands and not rely on automation. So the current plans are to make the base of HconSTF more stable and fast and introduce more features and semi-automation, so that the control is in your hands while auditing things.

I have plans for a Linux version of it, but it is not yet finalized.

And I am also working on another project as I get time from my rituals; it is kind of more powerful than HconSTF, but I'm not sure when I will make it public.

But all other specific things for HconSTF are a surprise for the users. My final statement for it, which you can take as a roadmap or mission statement, is:
'The ultimate goal of the HconSTF project is to make a one stop shop for the whole audit process and make life easy for pentesters.'

* Great. What do you think about the young black hat hackers?
Only one thing for them: stop what you are doing, as this will lead you nowhere and eventually you will be broken and end up in jail. So choose your way accordingly.

* What is your advice for newbies who are interested in the infosec field?
The first and very important thing is to believe in yourself and know what you are doing. Second, have a hunger for knowledge. These two will help you a lot. No matter what you start from, networking, OS or programming, keep these two things in mind and you will find your way eventually. It is like an ocean: no matter from where you jump into it, never stop swimming and mastering what you know.

* It is nice to talk to you. What do you think about EHackingNews?
Personally I find EHN very resourceful as a news portal, and I am always excited for the data leak section. EHN and BTS combined make a complete resource for my students to know the current happenings in the information security domain and a quality learning resource.

And I would like to thank EHN for inviting me for the interview.