We are more than happy to welcome Zoltán Balázs (also on Twitter) as the next security expert on our blog. Zoli has a long track record of bypassing security defense products. He regularly gives talks at security conferences such as DEFCON, Botconf or Hacktivity. He is now working as the CTO for MRG-Effitas.
Here is his story.
Zoltán Balázs: I think there were multiple important milestones in how I really started in IT security. The first one was when I found the Dodge Viper hacker club, which was a very old Hungarian website. They collected all of the tools and know-how for script-kiddies. I really enjoyed that. The next important milestone was meeting the infosec faculty at the Budapest University of Technology and Economics, where I really started to invest my time in IT security. The next milestone was my thesis with Sándor Gajdos about database security. It really helped me to deep dive into one special area in IT security. Next, I started to try challenge sites like WeChall. This way, I was able to practice my skills in different areas of IT security like cryptography or ethical hacking. Last, but not least, what was really motivating to me in the past was when I met the Hungarian ITsec community in 2009.
ZB: I think the first time I heard about the Dodge Viper hacker club was on IRC. It was just really fascinating for me to see that there is really a new world. It opened my eyes that there are always constraints on what you can do, but if you are creative enough and you have the skills, there is always a way to circumvent these constraints.
ZB: Oh yes. Actually, I think this kind of thinking is what really helps you to develop the hands-on skills needed in IT security.
ZB: Back then, it was the only field I knew so it was my favorite one, but I think nowadays I don’t have any single topic which is my favorite. I always enjoyed reading about malware analysis, anti-forensics, opsec and similar topics, but I’m basically interested in everything in IT security which is not about policies and certifications. And… Why do I love IT security? I think every day there is something new, something interesting and I really love the cat and mouse game in this whole infosec area.
ZB: I think it was more controversial in the past, and my opinion is that, for example, joining the army is more controversial than being an ethical hacker. I think nowadays people understand that in order to fight the bad guys you need skilled good guys who can think like the bad guys. So there is no question about that.
ZB: I think it mostly has to do with how you have been raised as a child and follow the ethics you learned. Sometimes you can see in the news that a blackhat hacker became part of a team of a huge company after doing some illegal activities. These are mostly fairy tales, I think. It is a lot easier in the long run to just stay ethical and build up your career on the ethical path.
ZB: Yes, I totally agree.
ZB: In general, I think bypassing defensive products (not just AV) is very similar to traditional ethical hacking and sometimes it can even be part of a general ethical hacking project. But, let me tell you an interesting and very recent story about bypassing these products. Before the last ethical hacking conference here in Hungary, Buherátor started an ad-hoc hacker challenge on Facebook. The challenge was about generating a meterpreter-style malware which downloads and executes another exe file downloaded from the Internet and executes it locally. The task was that it shouldn’t be detected by any of the engines on VirusTotal. First, it took me about four hours to figure out what the task is, because it was very cryptic and you didn’t know what to do. When I figured this out, it actually took me like four hours to create such malware which bypassed all the engines on VirusTotal. Although there is a little cheating here, because on VirusTotal only a subset of the AV defenses are running. I think it still proves that automated defenses are never enough for new threats.
ZB: Yes, you know, at our company one of our key strategies or messages is that we don’t just break things, but we also help to fix them.
ZB: I believe that the reason that I was the first Hungarian speaker at DEFCON is not because of the sophistication of my topic, but rather because of my faith that I can do this. I can tell you at least 10 Hungarian speaker presentations from the past five years which are good enough for DEFCON, but I guess people never tried to send their presentation to DEFCON, because they never thought that they are good enough. I think it’s sometimes a problem here in Hungary that people don’t believe in their capabilities. My message to all the current and wanna-be speakers is that being rejected from a conference is still better than not submitting your talk at all. I got rejected many times, but still the few cases when my talk was accepted compensated for everything.
ZB: Yes. Actually, I have seen tweets from people I respect, for example Dan Kaminsky or the grugq, who enjoyed my talk. I was really proud of it. I have to say that DEFCON is the second best conference I have attended so far, right after Hacktivity. But I might be subjective on this part :).
ZB: Many things in the US have a larger scale. And DEFCON is also huge, but in a new and really exciting way. For me, the experience of being at DEFCON was like being in candyland for a child.
ZB: First of all, the biggest issue now is to convince management to invest in security. Nowadays, unfortunately, ransomware is doing the job well to convince management people. Actually, this is the very first threat which really helps people to understand that IT security is important. The second biggest issue is education, because education cannot keep up with the pace at which this field advances and hence there is a shortage of skilled IT security people.
ZB: I think it’s both, because there is a lack of talented people in IT itself, but in IT security the issue is even worse. Even if we got more people from general IT, we would not solve the problem on a global level.
ZB: But also another issue is the lack of good guys from high school. If you don’t get good guys from high school, the university cannot build upon those people.
ZB: Yes, I totally agree, because nowadays almost every child is playing with computers.
ZB: I started my career at a financial institution with the biggest internal network in the world, and while I was changing jobs I started to work for smaller and smaller teams and companies. I think big corporations are good to see how things should be done or sometimes how things should not be done. But if you’re working for a small company, you can basically build something new, and big corporations are not the good way if you want to create something big or something that is really yours.
ZB: All of these.
ZB: Never stop being curious about how things work, and don’t be afraid to try and fail before succeeding, because those who never fail never succeed.
ZB: I would highly recommend these challenge sites, because you can find a topic which really gets your attention. The more skills you acquire through these challenges, which might be addictive sometimes, the better you can become in every field.
ZB: I think I use more tools than the average IT security guy, but still my favorites are Python and PowerShell.