Sunday, November 1, 2015

Pepelux: "Today, the naive and curious get spanked"

José Luis Verdeguer, VoIP expert.

Today we talk with a hacker from the good side, not much of a media lover. José Luis Verdeguer, Pepelux, 43, from Alicante, is CTO at the VoIP operator Zoonsuite. In his spare time he enjoys competing in hacking contests or giving security talks. There is no Spanish con (conference) where Pepelux has not spoken at least once, with a presentation or a workshop. He has also written a book: "Hacking VoIP and security".

But do not be fooled by all those talks. Pepelux is a discreet type, almost reserved, who does not give his confidence to everyone. We repeat: a good guy, an old-fashioned hacker, so humble that he often goes unnoticed. This week we had the honor of hearing many things we had never heard in public: from his business vision of cybersecurity to his beginnings in hacking. That is why we allow ourselves to offer a longer interview than on other Sundays, since we think the information provided has great value.

- Do many people know that you are an "old soldier" in hacking?

- Well, I think I'm from the second generation, I'm not that old :-P But I've been at this a long time, and I had a couple more nicks before Pepelux. While the Apòstols people talk about how they contrived to get things, I was lucky to arrive a little later and learn from their works, the typical webzines or ezines of that time, such as SET or !H (Restless Minds). It was a little easier for me, as there was very little information in Spanish, but after all there was something.

- I go to your website, I see a lot of exploits, and it seems to be something attack-oriented. But this is not your business...

- I've always been in love with security and it would have been great to work analyzing flaws, either reversing or pentesting, but back then it was not as easy as nowadays to work in this field. Now I'm left on the shelf :) Concerning my page, there was a time when I dedicated myself to analyzing Windows binaries or open source applications in PHP, and I published what I found, as a way to keep hacking without getting into trouble because of legislative changes.

- You have participated in several CTFs, always finishing in the first places. Do you like hacking only as a hobby?

- OK, that was back then; now the youngest are pushing very hard :) The truth is that CTFs are an escape, since I'm not professionally devoted to security. Today you cannot touch anything in a website if you want to sleep peacefully; and we get older, we have family and we lose that curiosity to analyze third-party systems, as whatever you do, you get spanked. At CTFs you can let your imagination fly and, although many of them have become mere pastime, sometimes you get one with recently published real flaws that you must exploit.

- And which 3 things would you have with you at a CTF?

- I always carry one Linux machine with my tools and scripts, one Windows device with more tools and a pendrive with my solutions to other CTFs, as many challenges are similar and I can re-use scripts I have already programmed.

- What do you think about the infosec business?

- You say it well: it's business. Money for security companies and a not so pretty job for technicians: they do what they like, but they usually cannot spend too much time on analysis, and most of their time goes into preparing reports. I think only a few people really enjoy pentesting as an art, and also as an occupation. Ultimately, everything is limited to using a number of tools and reporting. It's like the artisan who has an industrial machine to increase productivity, but ends up losing his skills because everything is done by machines.

- Do security experts defend the net and the users well?

- In this country things are like this... When a train derails, the location is marked as a black spot and patched. The same goes for security. They are plugging holes. The profiles of crooks have changed and so laws get harder. But the poor naive person who is simply curious to see if a system is vulnerable gets spanked for making a simple port scan, when we should focus on the real danger that organized gangs represent.

Today we can find perfectly structured mafias for all kinds of fraud; I'm speaking of phishing, malware, ransomware, etc. Another thing is the desire of governments to control everything, and this leads us to be paranoid and not trust the operating system or device drivers. You've seen how certain countries, especially Asian ones, are using their own operating system, their own networks, their own hardware, and they do not let anything in from outside.

I think that the community is doing a great job and that's why every day we see news about backdoors detected in the firmware of some devices, new spy systems, etc. But maybe the biggest fear for a company today is being the target of an organized group which could attack it with an army of bots, or being set as a target to blow out your system; just take a look at what happened with Ashley Madison.

There's a movie from '92 that I love, called Sneakers, which shows how they access a supposedly impassable system using both social engineering and analysis not only of the system but also of the people who work there, the buildings, etc. Today it is even easier, because we have a lot of information; it's very simple to access anybody's private life. Imagine a corporation with hundreds of employees... how much would it cost to take over the work account of one of them, considering they'll have their Facebook, LinkedIn, Instagram, wifi at home, etc.?

- You're one of the few Spaniards who has investigated the Tor network in depth. What is your opinion?

- Tor was created with the idea of helping people, but the problem is that many people use it with bad intentions and looking for profit. Tor is (or was) a good tool to maintain anonymity if you live in a country where you could be killed for publishing on a blog. But nowadays it has become an illegal market where people traffic in anything, from drugs, guns and stolen goods to the sexual liberty of children. Today Tor doesn't bring anything good, and even the FCSE think that if you use Tor it is because you're doing bad things.

- I was at your VoIP lecture at NNC5ed. As a demonstration you called all the mobiles of the audience at the same time, from the number 666 666 666. Magic?

- It's simple, I called changing the caller ID. I did it as a joke, but this can be done for other murky purposes... I talked about this with the lawyer Ruth Sala at NNC5ed. I told her how easy it is to change the ID of a call or an SMS and that it wouldn't be very reliable to present it as evidence in a trial, unless you have the original phone of the call (or of the sent message) to verify that it was really made from that device.

- It is curious that, when half the world investigates the security of mobile phones, you're investigating VoIP security.

- Well, as I've said before, I'm not in security professionally, so I investigate the things close to me. Currently I work at a VoIP operator and what I "discover" is related to my day to day. Besides, this is rising, because in a while conventional telephony will disappear and everything will go over VoIP because it is more convenient for the carriers. A lot of providers install in your home a router working with VoIP without the user knowing, for example Orange. You continue with your conventional phones and for the user it is transparent, but the router carries a SIP gateway and all the calls you make or receive go through VoIP.

- Tell us, hacker: what has changed in hacking?

- Well, everything has changed. On the one hand, today a lot of people only know how to audit websites, because there's a gold mine in this. If you don't find a SQLi, you find an LFI, or an XSS or any other thing, then you upload a shell in PHP and you have access to the system, and all because a programmer didn't do his job properly. In the 90's there was no PHP, websites were HTML and it was very difficult. At that time audits were based on analyzing every single network service, from obtaining user information with finger to checking whether it exported directories without properly defining the IPs with access, whether it allowed a badly configured rlogin, or whether routers or servers had default passwords. Time was spent on every service: whether it was well configured, whether it had any known vulnerability, etc. And the best part is that everything was hand-made.

It isn't bad to have work-saving automated applications, but I think it's very important to understand what these tools do. I mean, if I launch SQLmap against a website and I obtain the whole database from a server, why do I obtain it? The app doesn't do magic, it just performs a task that is really boring to do manually, but I should know, even if it takes me a few months, that I could do it manually, because I understand the dynamic.

It's the same thing that happens many times with Linux. A lot of people execute the configuration script of something, it doesn't run and then they get stuck. This happens because they never had to touch the files manually and they're used to leaving the hard work to the script. I think that many people have become more comfortable because of the huge amount of information and applications we have. This is pretty good, but you also have to know how to get by, because that's how you learn how things work.

On the other side, younger people are more open-minded. Before, we came into this world with bread under the arm; now they come with a computer. What I want to say is that people are much better prepared than before and they have much more capability of understanding, because technology is part of their lives. This means that we have many experts in everything, but it is more complicated for somebody to stand out, as happened in the non-information period. I'm still amazed by the QueSo and NePED apps programmed by Savage at that time, or by the famous article by Aleph One that marked the beginnings of exploiting.

- And tell me, Pepelux: is there any quote that is the light that guides you?

- There are many sentences you tell yourself when you get stuck and you don't achieve your objectives, like 'Any computer connected to a network is vulnerable' or 'no program has perfect code free of bugs'.

- Honestly: is the hacker born or made?

- Born, but many times it is something hidden deep down until you see something which opens your mind and you discover a new world. And when I say it's something you are born with I mean the passion, not qualities like a sportsman's. Anybody who shares the ideology can be a hacker.

- And how did you discover that you were a hacker?

- The truth is that I've always been very curious. Since my childhood, everything that fell into my hands was ripped apart to see its insides, but when I put it back together I always had some extra pieces. I don't know how many clocks, radios, toys and all kinds of stuff I must have broken (my parents were afraid of me xD).

It's the typical topic of my generation: one day you go to your friend's home, he has a Spectrum and you are amazed, considering that videogame consoles then were for only one game, that is to say, imagine you have a Gameboy with only one game and to play a different one you need another new Gameboy. A machine capable of loading different games and showing them on the TV was the best.

When I was 11 they bought me a monochrome Amstrad CPC-464 and, as usual, you had games (on cassette) borrowed from your friends so you copied them, or obtained others from magazines like Micromanía, in text... I mean, with the code printed on the pages of the magazine, which you had to type in line by line. I remember I spent a lot of hours with my father typing code. He dictated and I wrote the code. And, of course, when it was time to compile, the failures came. It could be because you typed the code wrong, or because there was a misprint in the magazine. When this happened you got pissed off, but you were forced to understand the code to correct it.

Later, you learnt to program your own games in Basic. I remember I made a Pacman and an Arkanoid. What beautiful memories, when I had time for fun :) I also remember that a friend's uncle, who was pretty geeky for that time and loved computers so much, gave me a book on assembly language for the Z80. I loved that book and it opened a new world for me. The truth is that I had to read it several times to understand it, but thanks to him I learnt to alter the binaries of the Amstrad games to give myself extra lives or to change the colours of the screen and other things.

After that, I had a Commodore Amiga 500 that I only used for playing and when I entered university I got my first PC, a 486 with MS-DOS where afterwards I installed first DR-DOS, and then again MS-DOS with Windows 3.11.

At university we worked with AIX and, since I read an article in the magazine "Muy Interesante" talking about how to crack a Unix account, the bug started biting me. I've always been impressed by how it's possible to access a computer to which you have no access. Apparently, you connect and find a login window and you don't know the credentials. However, systems were compromised, but how?

It was a very funny time (I'm sorry for Jose Selvi, who couldn't live it ;)) where systems were fragile because security wasn't a priority; /etc/shadow didn't exist and everything stayed in /etc/passwd, accessible to any user. Besides, there wasn't a list of sites to access and you had to find machines by browsing DNS records or making range scans. People created machines for one specific use and they weren't aware that anybody who had that IP could access them.

At that time the first Linux appeared, installed from a stack of floppy disks. You spent a lot of hours making them work, not knowing what to do with them afterwards, because there were no applications yet. I remember that the first one I set up was a Slackware, then I went to SuSE and finally I chose Debian.

Pepelux with the ConectaCon organization

The first hacking, cracking, phreaking, etc. manuals I had were from a BBS in Alicante, where you had to ask the administrator for permission to access the private folder where these manuals were. The truth is that access to BBSs was terrific then. Your modem dialled the phone and, if nobody else was connected, you could access a menu that allowed you to upload or download things, leave messages for other users, etc. The truth is that, with so little information, you read it with a lot of excitement. Today there's a lot of information and you just need the desire to learn.

After that came the IRC time, first accessing from Infovia and afterwards from the Internet. There was a time when I spent a lot of night hours talking with people in hacking channels, but I got bored because that mentality wasn't like today's. As you know, there were all those wars, really closed circles to see who was more elite or who licked more. This is really better today, because all those secrets and rivalry don't exist and people help each other.

Text: Mercè Molist