Reboot 25: Threat seekers
Rafay Baloch is the founder and CEO of RHA InfoSec. Baloch has responsibly disclosed hundreds of vulnerabilities in his roughly six year career in security research – earning as much as £6,600 from companies such as PayPal in the process. His biggest discovery may be CVE-2014-6041, a bug that could allow a bad actor to circumvent the Android Open Source Platform (AOSP) browser's Same-Origin Policy (SOP). It was a significant issue – it was covered by major news outlets and was deemed a privacy disaster by security experts – and at the time impacted the approximately 75 percent of Android users running platforms older than version 4.4. Baloch initially disclosed the vulnerability on his blog on Sept. 1, providing a proof-of-concept exploit. Baloch's primary areas of expertise include network security and web application penetration testing. He specialises in finding vulnerabilities in web applications, frameworks and browsers, as well as bypassing web application firewalls, HTML 5 attack vectors and breaking filters of modern web browsers. Baloch is very active in bug bounty programs, having submitted and been recognised by companies such as Google, Facebook, Microsoft, Twitter and Dropbox. He holds numerous certifications.
A self-described open source enthusiast, Stéphane Chazelas skyrocketed to fame at the end of September when he reported on Bash bug, also known as Shellshock, CVE-2014-6271 – a vulnerability that made it possible for attackers to exploit Linux and Apple OS X systems. Chazelas has strong skills in C – and the UNIX API – and Perl, is an expert in UNIX shells, and has good knowledge of a number of other interpreted languages, such as Python, TCL, and PHP. He additionally has an extensive knowledge of internet protocols, and is familiar with MySQL. Chazelas earned a diplôme d'ingénieur – the equivalent of a Masters of Engineering – from the École Nationale Supérieure des Télécommunications de Bretagne, specialising in computer science. The security expert has worked as an IT Manager at SeeByte in Edinburgh for roughly five years, where he designs, implements and maintains the company's IT infrastructure and systems. Previously, Chazelas worked as a product support engineer for Emerson Network Power, Embedded Computing. He yearns to tackle diversified high technology challenges involving creativity and problem solving, and seeks a future as an expert software engineer that will offer him an opportunity to widen his experience and knowledge. Aside from technology, Chazelas enjoys guitar, hiking and paragliding.
Andrew Komarov has uncovered a wide variety of threats as CEO of cyber intelligence firm IntelCrawler. Some of his noteworthy research in this role involves point-of-sale (POS) malware, such as ‘Nemanja,' which infected more than 1,500 POS devices and compromised as many as half a million payment cards, and JackPOS, which resulted in more than 4,500 payment cards being compromised by 11 infections across the U.S. and Canada. Prior to IntelCrawler, Komarov worked in the private and public sectors where he investigated major financial crimes, human and drug trafficking cases, and was involved in anti-terrorism cooperation with international law enforcement agencies. He began his career researching vulnerabilities, but eventually made his way into positions that enabled him to do full investigations. In these roles, he gained an understanding of how attacks are carried out, as well as how to identify the bad actors and their motives. Context-aware cyber intelligence technologies are at the heart of Komarov's research at IntelCrawler – collecting large amounts of data and using cutting edge technologies that can extract preemptive and predictable attack attributes, which will be valuable for large enterprises and governments. Ultimately, Komarov is passionate about finding flaws in systems and software.