Driver's seat
17 July 2018

Unexpected Pathways to Ethical Hacking

Andre Gerard

Move straight to self-taught hacker and skip the driver’s seat along the way…

From what we’ve seen among our crowd of the world’s most accomplished ethical hackers, becoming a highly skilled hacker requires an inquisitive nature, persistence, and a “breaker” mentality. Kevin Roh is no exception: he is good-natured, always willing to lend a hand, and has achieved a lot of success as an ethical hacker on the Synack platform in a relatively short amount of time. We caught up with him at Synack HQ to learn more about what led him to ethical hacking. As it turns out, his journey started with onboarding as an Uber driver in college…he accidentally fell into hacking along the way. We also asked him to share some tips for up-and-coming hackers on the Synack Red Team; read on to learn more about Kevin, his story, and his advice:

Kevin Roh

Q&A with Kevin

Q: When did you become a researcher?

A: In 2015, I was at UNLV studying computer science. Looking to make a little bit of cash here and there, I decided to drive for Uber. During the process of signing up and onboarding, I found my first ever vulnerability in their application. It was all by accident, but I stumbled upon hundreds of Uber drivers’ social security numbers, driver’s licenses, and tax documents on Uber’s Partner portal. I reported the PII exposed during the sign-up process to the Uber security team; they rewarded me well for the report and then encouraged me to join bug bounty programs. I consider this my “breakthrough” moment. I realized that I could make money hacking, and I continued to find vulns in the partner portal and driver apps. I actually never ended up driving for Uber…

Q: What motivates you as a hacker?

A: After my first bounty payout from Uber, my motivation was primarily about money, but that has changed over time for me. All of the services we’re using today are vulnerable in one way or another, and those services are holding our personal information. I definitely don’t want my personal information disclosed by a vulnerability that could have been found. Now hacking for me is really about making the Internet a safer place.

Q: How do you learn new hacking techniques? Any advice or tips for our community that can help make you a more efficient and effective hacker?

A: I do have a background in computer science, but when it comes to hacking, I’m self-taught; I used to go to Google and YouTube a lot in the beginning to help me learn. In the beginning I didn’t know there was such a big community for ethical hackers, but once I found it, I realized that there were a lot of ways to learn from other people and exchange ideas.

I think you can learn a lot by hacking on platforms and learning as you go. I’ve also learned a lot from other hackers. I follow them on Twitter; I read their blogs and books and I look through their reports to help me understand how they find vulns, what techniques they use, and how to write good reports. Also, reproducing vulnerabilities similar to what top researchers have found and learning about new methods you can use helps.

For Twitter, you should follow @SynackRedTeam (and you can follow Kevin at @rohk_info)
For book recommendations, check out Pete Yaworski’s book Web Hacking 101 and Andy Gill’s book Breaking into Information Security. For tools, I use Burp to see traffic going through a web or mobile application, and then I try to manipulate requests to find a vuln. I also use tools such as masscan, nmap, metasploit, sublist3r and a few others. I also attend hacker and security events to meet and talk to people in person and exchange ideas.

Q: What have you learned from being both an ethical hacker on the Synack platform and a security analyst at Synack?

A: If you are ever given the opportunity to work for Synack or any other platform, you should seriously consider it. Before working at Synack HQ, I only knew and understood what it was like to be the researcher and the person who reports vulnerabilities. But understanding more about the concerns that customers have and what they can benefit from in vuln reports has brought a new perspective into my approach; mitigation strategies, playing defense against malicious hackers, and things that the customers value like report quality, coverage and always staying within scope — these things ultimately have made me a better hacker.

Q: Are there types of targets you prefer over others?

A: I prefer Web, but I’d like to expand my skills, and I’m getting into Host Infrastructure more because the targets and vulnerabilities are interesting and the payouts are good. I’m also interested in working on mobile targets.

Q: Do you think you’ve improved your skills over time?

A: Definitely. When I first started doing bug bounties, I would easily spend 20-30+ hours a week trying to learn and trying to find vulnerabilities. In the beginning, I probably found 1-2 vulnerabilities a month but that started to increase over time. After joining the Synack Red Team, I probably reported over 10 vulnerabilities a month.

Q: Of all the bugs you’ve found, what was your favorite/most interesting?

A: The most interesting bug that I found was also maybe the most simple. It was so simple that it made me confused how and why it actually happened. While I was looking through a portion of an application, there was a ticketing system that allowed you to dispute specific transactions. To do this, you had to communicate with the seller themselves and, if needed, an administrator could intervene. If you intercepted the request while making your response to the seller and removed the cookie header, it would mark the comment as the administrator.
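The failure mode Kevin describes, a request with no cookie being attributed to the administrator, is a fail-open identity check: the code has a default identity for "no session" and that default happens to be privileged. The following Python is an added, constructed example (not code from the interview or from the application he tested) showing that bug next to a fail-closed version; the session store, cookie name and admin id are assumptions.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed session store: session id -> (user id, role). Assumption, not real data.
SESSIONS = {
    "sess-buyer-1": ("buyer_42", "buyer"),
    "sess-seller-1": ("seller_7", "seller"),
    "sess-admin-1": ("admin_1", "admin"),
}
ADMIN_IDENTITY = ("admin_1", "admin")  # identity used for internal admin actions


@dataclass
class Comment:
    ticket_id: int
    author: str
    role: str
    body: str


def parse_session_cookie(cookie_header: Optional[str]) -> Optional[str]:
    """Extract the 'session' value from a raw Cookie header; None if absent."""
    if not cookie_header:
        return None
    for part in cookie_header.split(";"):
        name, _, value = part.strip().partition("=")
        if name == "session" and value:
            return value
    return None


def resolve_actor_vulnerable(headers: dict) -> tuple:
    """Bug: a missing/unknown session falls through to the admin identity,
    because the same handler also serves internal admin comments."""
    session_id = parse_session_cookie(headers.get("Cookie"))
    return SESSIONS.get(session_id, ADMIN_IDENTITY)  # fail-open default


def resolve_actor_fixed(headers: dict) -> Optional[tuple]:
    """Fail closed: no valid session means no identity at all (None).
    The admin role is only ever taken from an authenticated admin session."""
    session_id = parse_session_cookie(headers.get("Cookie"))
    return SESSIONS.get(session_id) if session_id else None


def post_comment(headers: dict, ticket_id: int, body: str, fixed: bool = True) -> Optional[Comment]:
    """Dispute-ticket comment handler; returns None (HTTP 401 in a real app) when rejected."""
    actor = resolve_actor_fixed(headers) if fixed else resolve_actor_vulnerable(headers)
    if actor is None:
        return None
    return Comment(ticket_id, actor[0], actor[1], body)
```

A regression test for this class of bug is simply: every privileged action, replayed with the Cookie header removed, must be rejected rather than attributed to anyone.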

Q: How do you manage your personal life, work, and bug bounties? Do you have any advice for aspiring hackers?

A: When I first started going after bug bounties back in 2015, I used to go to class and then spend the rest of my time hacking. I tried to learn as much as I could, and I think I did learn a lot, but it’s easy to get burned out.

I do think it’s difficult to balance time between work, personal life and bug bounties. It’s important to set goals, but you also need to pace yourself and decide how much time you can dedicate to hacking. Like many other hackers probably, I’m a night owl and think sleep is for the weak!! Just kidding, always make sure to take some time to sleep!

Synack provides initiatives to help foster the researcher community and engage top talent, technology to optimize researcher efficiency and accelerate vulnerability discovery, opportunities to work on unique targets, personalized support, and skills development. We do this through the Synack platform and our SRT Levels program, which includes fun competitions, gamification, mentorship, and specialized projects.

Apply to join the Synack Red Team and become one of the chosen few. We provide the best support for our researchers, and put the highest quality, most relevant features into our platform – it was designed by hackers for hackers.

If you’re up for the challenge, apply today, and use code “SRTBLOGS” in your application.