
Hacker Pathways

Ozgur Alp

Getting on the fast track and leveling up …

Ozgur is a solid example of what it takes to “Level Up”, moving quickly from recent college grad to one of the most active Synack Red Team contributors. He’s earned top status as one of the few SRT Level 0x05 researchers on our platform. Lucky for us, he shared some of his secrets to success and how he got to where he is today. Ozgur graduated from college in 2013; now he is living the life he dreamed of, splitting his time between lucrative ethical bug hunting and lecturing for college courses in cybersecurity. We captured our chat with Ozgur below: a “hacker’s perspective” on web and mobile vulnerabilities, sharpening your skills, hacker toolkits, and how to find success on the Synack platform.

Ozgur, on what he looks forward to as an SRT member:

“More targets, more challenges, and more surprises!”

Q&A with Ozgur

Q1: What’s your background?

I was born in one of the biggest cities in Turkey, Izmir, and grew up in Denizli. After finishing high school, I started a dual-diploma program between Istanbul Technical University and SUNY at Binghamton Campus for my Bachelor’s degree in Information Systems Engineering.

Q2: At what age did you start getting interested and what motivated you to become a hacker? Did you have a mentor?

I’m not one of those “wonder kid hackers” who hacked big technology companies when I was 12. I only started getting interested in cybersecurity during the last year of my Bachelor’s, so I was about 23 years old. However, starting from childhood, I was always interested in puzzles, challenges, and brain teasers; I still consider these my favorite hobbies and I think it helps towards success in finding vulnerabilities. I think my career in cybersecurity first started when one of my university professors gave my network security class a small assignment on Hackquest. For me it was like a puzzle and ended up being the first challenge that I ever solved.

I didn’t find my first real mentor until I first started working at Deloitte: my manager Burc Yildirim, Cyber Risk Services Senior Manager at the time, whom I still consider a mentor today. His expertise was offensive security and pentesting. He helped with the technical approach and pentesting methodologies. I’d like to give him my special thanks; he has provided a lot of support and coaching to help me get to where I am today.

Q3: What do you find interesting about participating in bug bounties?

Offensive security, in concept, is very similar to my favorite hobby: solving puzzles. That feeling of finding a critical vulnerability after hours of bug hunting is incomparable.

Bug bounties serve as an always-evolving challenge that keeps me motivated and helps me continuously and rapidly improve upon my technical skills. The biggest motivator for me is that I simply get to do what I love to do, competing with the best out there, and get paid for it.

Q4: Do you have any advice or insights for CISOs that you’d like to share from your experience as a security researcher?

Make sure to invest in good people, not just new technologies – have enough skilled resources that have expertise and know how to utilize new technologies. It’s typical to think that security software alone can protect you, but it’s hard to protect a company’s infrastructure without any skilled human power. Also, diversity of the people working can bring companies different points of view put into practice.

Q5: Which industries do you see as having the most vulnerabilities?

Without breaking it down by industry, I’ll say that companies who don’t invest in security awareness have the most vulnerabilities. But as far as I can tell, the financial services industry tends to have the most maturity, which I’d guess is due to security regulations. It’s more common for these companies to conduct pentesting early on and regularly, which protects them by chipping away at the chance of a critical vulnerability existing in live systems.

Q6: Do you have a “day job” outside of being a researcher? Does your job lend its skills for bug hunting?

Currently, I don’t have a full-time day job, but I teach classes on Cyber Security 101 and 102 at the Istanbul Bilgi University. Lecturing and researching actually have a great synergy. In lecturing, I have to stay up-to-date on the latest security news, trends, techniques etc., which also lends itself to helping me keep my bug bounty skills sharp. On the other side, when I’m researching and I discover a new attack vector or a zero day vulnerability, it also helps me stay current in my thinking, facilitating better lectures, and provides me with more technical examples to share (I always keep specific details private).

Q7: How do you balance your time? What hobbies do you have?

I personally spend between 25-30 hours as a researcher and 5-10 hours as a lecturer per week. During the rest of my free time, I go to social events to spend time with my wife, friends, and family. After my favorite hobby, which is hacking, I really love traveling and discovering new places around the world. Recently my wife and I visited the Maldives on our honeymoon — special thanks to Synack!

Q8: How do you sharpen your skills, and what set of skills are you looking to sharpen within the next 6 months?

Today, I think my pentesting skills are sufficient to do my daily jobs and get better naturally over time as I work on great projects. My goal right now is to learn more on the subject of artificial intelligence and how to better combine my security skills with new, up-and-coming AI technologies and use them on the Synack platform.

Q9: Do you have a specialty and/or look for specific types of challenges? What do you think the easiest vulnerabilities are to find for that target type?

I work mostly on web and mobile platforms for two reasons. First, web and mobile platforms are more complex than infrastructure or network platforms. Second, most bug bounty programs’ targets are web and mobile. I can best improve upon my skills when I have more listed targets to work on that are also complex in nature.

On web and mobile targets, the easiest vulnerabilities to find are logical vulnerabilities and authorization and authentication problems in my opinion. Other technical vulnerabilities like SQL Injection, XSS, etc. are easy to find, because you can use automated vulnerability scanners to help you. (As far as I know, there is not a technology that exists which can scan for and find logical vulnerabilities in web and mobile applications.)

Q10: Without disclosing confidential details, can you share your favorite vulnerability discovery and dive into some of the details of your approach?

This is a hard question, because it’s hard to choose! I was on a pentest project and looking for vulnerabilities on a mobile banking application. In the application, there was an “installment module” that allowed the user to split up payments (i.e., debts into installments). Due to the lack of logical controls and input validation, I found that a user could change the installment count up to 1000 months by tampering with HTTP requests! Once one installment was split up into an amount smaller than 1, the amount rounded down to zero and – voila – the payment would get lost from the account. If that vulnerability was found and exploited on the live systems, an attacker could delete all his/her payments on the credit cards, which may harm the company both financially and reputationally. In terms of business impact, this was the biggest vulnerability I have ever discovered.
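
The flaw described in this answer can be pictured with a short sketch, added here as an illustration and not taken from the interview or from the application involved. It sets a split routine that trusts the client-supplied count and rounds down beside one that validates on the server and keeps the total intact; all names and limits are hypothetical.

```python
from decimal import Decimal, ROUND_DOWN

# Hypothetical policy values; the interview does not state the bank's real limits.
ALLOWED_COUNTS = {2, 3, 6, 9, 12}
MIN_INSTALLMENT = Decimal("1.00")
CENT = Decimal("0.01")


def split_unchecked(debt: Decimal, count: int) -> list:
    """'Before' logic: trusts the count sent by the client and rounds each
    installment down to a whole currency unit."""
    per_month = (debt / count).quantize(Decimal("1"), rounding=ROUND_DOWN)
    return [per_month] * count


def split_checked(debt: Decimal, count: int) -> list:
    """Server-side checks plus a split that always sums back to the debt."""
    if count not in ALLOWED_COUNTS:
        raise ValueError(f"installment count {count} is not offered")
    if debt <= 0 or debt != debt.quantize(CENT):
        raise ValueError("debt must be a positive amount in whole cents")
    base = (debt / count).quantize(CENT, rounding=ROUND_DOWN)
    if base < MIN_INSTALLMENT:
        raise ValueError("installment would fall below the minimum amount")
    schedule = [base] * count
    schedule[-1] += debt - base * count  # rounding remainder goes on the last one
    if sum(schedule) != debt:            # invariant: no money appears or vanishes
        raise RuntimeError("schedule does not add up to the debt")
    return schedule


def lost_amount(debt: Decimal, schedule: list) -> Decimal:
    """How much of the debt a schedule fails to collect."""
    return debt - sum(schedule)


if __name__ == "__main__":
    debt = Decimal("500.00")  # constructed sample value
    print("unchecked, 1000 months, lost:", lost_amount(debt, split_unchecked(debt, 1000)))
    print("checked, 12 months:", split_checked(debt, 12))
```

The conservation check at the end of `split_checked` is the part a scanner cannot supply: it encodes the business rule that a schedule must always collect exactly what is owed.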

Q11: For those just starting out as new hackers, do you have any advice for them? If you were to start today, how would you go about learning how to hack?

If I had to start today from the beginning, I would start with the core system of the platform that I was interested in learning more about and hacking on. For example, if I wanted to be a good web bounty hunter, I would start with programming a web application first. Knowing the back-end of a platform improves people’s knowledge and expands their point of view when they’re hunting. Starting with ordinary information and no back-end experience would be a huge mistake that is hard to recover from later.

Q12: Do you ever work together with others on targets, or as a mentor?

In my former job, we had a team of 10 and we were always working together. For bug hunting, I work independently. For my lecturing job, I serve as a mentor for my students. In my opinion, working together as a team always improves your chances of being able to provide the best possible work. For Synack, I think if working together were possible, as a team or in any other system, more vulnerabilities could be discovered by combining security researchers’ experiences.

Q13: How did you hear about Synack?

I was looking for a job that could be done remotely, and I found the SRT early on in my Google search! Originally, I was concerned by the application process and amount of screening, but it was worth it.

Q14: What do you like about the Synack Red Team and SRT Levels?

I feel like Synack really respects me. I am most amazed by the response times from the Synack Ops Team and the payouts; both are really fast! If I find a vulnerability today, and it’s not low-level or a duplicate, and if I write the report in the correct format, it will get accepted within approximately 24 hours! If I were to decide to cash out my payout immediately, the amount will be transferred to my account in another 24 hours. So if I find a vulnerability today, I can spend it on a trip to the Maldives 2 days later!
Also, the superiority of the analytics section differentiates Synack from other platforms. It is a really valuable function that gives researchers a heads-up on duplicates and possible vulnerabilities which are not identified yet.