During the Hacken Cup, a Bug Bounty Marathon held by HackenProof, we invited 25 of the most talented hackers from around the globe to take part in the hackathon. During the event, we interviewed them on a range of topics, including their background, interests, career goals, and impressions of the conference.
Tell us a little bit about yourself. How did you start hacking?
Ebrahim Hegazy: It was a cool story in a movie about a hacker that I saw once. The guy was doing amazing things and I was really motivated by that. I wanted to be like this guy. That was maybe when I was 14 – 15 years old. Then I started reading about cybersecurity, how it goes and so on. But at some point, I gave up. After one year, maybe less, I started again as a system administrator for a hosting company. At some point, the server I was managing got hacked. I realized that was the right time to go back again to this. I started again and since that time I’m hacking.
What about hacking is the most appealing to you? What do you like about it?
Ebrahim Hegazy: It’s the most exciting feeling that you get. You’re getting rewarded for breaking things. Not to build things but to break things. It’s one of the nice things that I like about hacking. Also being in the technology field. We know that this is a new era, right? You get to know everyone in the field. You should earn the respect of everyone. It’s not because they’re afraid of what you can do but because you’re a part of the new era of technology. Security and technology go hand in hand. Security completes the IT field.
Do you have any hacker mentors? Are there any hackers that you follow personally and learn from?
Ebrahim Hegazy: I’ve never thought of that question. I do follow lots of people, actually. But the one that I really look up to is Tavis Ormandy. The guy works for Google but most of his findings are RCE in Windows. I really like his findings. I would really want to be like this guy.
Can you tell me about your visit to Ukraine? Do you like it here? Have you seen the country a little bit?
Ebrahim Hegazy: I really like Ukraine. This is my second time here. At some point, I saw that we have many things in common. I’ve also lived in Amsterdam and there’s a big difference between here and there. I feel that Ukraine is closer to my culture. I really like it here. Also the same with food. I’m also very excited about the Chernobyl visit.
How’s Hacken Cup going for you so far?
Ebrahim Hegazy: I did some interesting findings. To be honest, I’ve attended other HackerOne events too and compared to those the targets are pretty tough here. They are nicely secured. But it doesn’t mean that we’re not able to break it, we still find some things anyway.
What do you like the most about on-site Bug Bounty marathons?
Ebrahim Hegazy: Aside from getting rewarded, you get to know everyone. It’s about networking. You get to learn from each other, get to know each other, learn their techniques and the approaches they are following. Networking is what I like most about such marathons.
What do you like and not like about Bug Bounty platforms? How can they be improved?
Ebrahim Hegazy: I like that bug bounty platforms are governing hackers and companies as well, to be more secure and for hackers to get rewarded. We didn’t have that opportunity before. Before, you would have had to apply for some job, but you could have been rejected. Whereas now, with the bug bounty, you can do whatever you want and when you want. It also helps companies very much. For instance, they have around one million IP addresses online, maybe more, and their security department has 5, maybe 6 people. What can they do about one million IP addresses? It’s a crazy number. While at bug bounty, there are around two thousand hackers participating. That helps companies a lot, but also the companies help hackers because they get rewarded for their time. What I don’t like about them is that they do force lots of restrictions. I do understand that it’s necessary to make sure hackers don’t leak the data, but sometimes bounties are taking it to the next level. One of the programs, I won’t mention any names, requires a VPN. Which means they’re controlling your network traffic, your DNS, your routing, everything. How can I make sure that they are not hacking me? It’s the next level.
What do you do when you’re not hacking? How do you relax?
Ebrahim Hegazy: I usually dive. I’m a certified advanced diver. People do not believe me, but I do dive with sharks in Hurghada. We have lots of sharks in Egypt and none of them attack people. It’s pretty safe to dive with sharks; I like it. When you’re underwater, there are no human beings, no stress. You only see beautiful water and colors. This is where I always relax.
What is the role of bug bounty platforms in converting hackers to the light side?
Ebrahim Hegazy: It’s a good question. As a black hat, you find a vulnerability and you can sell it, for example, for 50 thousand dollars. No one will know about it; you’re hidden. At some point, you’ll need to join some company or group. But if you’re a black hat, you have no records. You cannot just say what you did because they will ask you for the proof. If you’re a white hat hacker and you found the same vulnerability, for example, for Facebook, you get 30k. It’s not the same as 50k, but you will still get rewarded and you don’t break any laws. As a white hat hacker, you can report almost everything that you find. But as a black hat, no one will buy something from you unless it’s really critical. Also, it involves you in lots of political stuff which no one likes. If you get involved, no one will know what could happen to you physically. Your life could be at risk. As a white hat hacker, you’re afraid of nothing. You can get invited to conferences, you travel across the world, you get rewarded for your time, you get to have a nice CV, a nice job, etc.
What is your ultimate goal? What do you want to accomplish with your career?
Ebrahim Hegazy: I would really like to make the internet safer. I’m trying my best. I’m doing free training on YouTube, and I do write-ups whenever I find something, so the others will learn from this. Also, I would like to help other people to get engaged in the same community so that they could also learn and get nice jobs. I would really like to do that.
What is the most interesting bug that you’ve found during the Hacken Cup?
Ebrahim Hegazy: It was a vulnerability that allowed me to access the ride details: where it is going to, where it is going from, the passenger’s name, the taxi driver’s name, and the order number. It wasn’t anything super critical, but it still was a nice one.
What would your advice be to hackers who are just starting out?
Ebrahim Hegazy: This is the most interesting thing to join from a technology perspective. If you are a developer or system engineer, security is always the most interesting part. I would really encourage everyone to join and at least give it a try. It’s super interesting.
What can be done in order to improve the bug hunting community?
Ebrahim Hegazy: I would say, to let other people participate. For example, in my country, I really wish we could have a bug bounty platform. But companies are afraid that if someone found vulnerabilities in their system, then no one would use their services. The best thing that can help bug bounty platforms is security awareness, or even bug bounty awareness, by the companies. A bug bounty is not a bad thing. Hackers are helping you. You can keep this a secret for as long as you want. You can sign an NDA with the researcher so that they won’t disclose anything at all. That would keep you on the safe side, whereas you’re not losing any money. Bug bounty awareness is the next step that really needs to be done by bug bounty platforms.