Welcome to our new blog series, Meet 1337! Each month, we will shine a light on one of the genius minds within our awesome network of hackers!
Today we are happy to introduce you to Kasper Karlsson. Kasper is a senior security researcher; outside of work he is busy with Bug Bounty hunting and Responsible Disclosure.
Please tell us a bit about yourself. Who are you?
I am a senior security researcher at Omegapoint in Gothenburg, Sweden, where I lead expert teams performing security reviews of web applications, APIs, operational technology, and embedded/IoT. We typically work closely together with the dev team behind each solution, as opposed to the “one man army” style Bug Bounty hunting and Responsible Disclosure hacking I engage in outside of work.
After encountering (and hacking) countless insecure systems, ranging from vehicles and financial institutions to infrastructure and governments, I am not convinced that digitalization is the best solution to all problems. It seems to me that we are often so eager to centralize and connect, we sometimes forget to make sure our new single points of failure are secure enough.
As a contrast to all the technology at work I prefer spending my free time AFK, exercising and sharing experiences with friends and family. Lots of running, hiking, growing vegetables, cooking, designing masquerade costumes, collecting silly hats and attending everything from free jazz concerts to beer festivals.
How much time do you spend on hacking?
An average day for me has four main parts, two of which include hacking.
I start off hacking customer systems at work, followed by family life and social activities. When my friends and family go to sleep I stay up for “me time”, which covers both physical exercise and bug bounty/responsible disclosure hacking. The last part is of course sleep, which I do not require much of to wake up well-rested and excited for work the next day.
Apart from having a low need for sleep by nature, staying off social media/feed scrolling and generally trying to avoid procrastination gives me a lot of extra time to hack.
When did you start hacking?
My parents got a PC around the mid-90s, and I soon got more interested in figuring out how it worked than playing games. When we got an internet connection I found some international hacking forums which taught me a lot, and around this time I also started setting up my own systems to hack.
My interest in hacking was a contributing factor when I decided to study computer science at the Chalmers University of Technology, which in turn led to a dream job in offensive security.
Could you share some challenges you faced while hacking or in this industry?
About 20 years ago, attempts to responsibly disclose vulnerabilities to organizations were not always appreciated. In the best case, you got an informal thank you from a sysadmin, but defensive (or even hostile) responses were quite common.
A game changer for me in this context was Mozilla, whom I contacted in 2008 to disclose a vulnerability in their add-on system for Firefox and Thunderbird. This was my first encounter with an organization which would not only say thanks, but even reward my research. They sent me a bunch of stickers and two T-shirts, which probably made a deeper impact than any cash bounty I have ever received.
What was your most interesting/crazy hack?
Tenant isolation bypasses in larger systems have often led to interesting results. In one Zerocopter program, I gained full CRUD access to the database of a system built for the program owner by a third party. I soon realized that it not only contained all data for the (in-scope) system I was hacking, but that the database was shared between dozens of the developing company’s other customers (clearly outside of the program scope).
Another tenant isolation bypass in a surveillance system gave me access to thousands of real-time video feeds from high-security facilities all around the world. This was WAY beyond our scope as this assignment was from one single tenant of this system, but the system vendor was luckily very quick to respond and take action. Tenant isolation bypasses in cloud platforms themselves have also led to some very interesting results, to say the least.
As for my most crazy hack, I once owned a… let’s say “1000+ tons entity”, which led to a long night on the phone with a person more similar to the cigarette smoking man in The X-Files than I previously considered possible in the real world.
Could you share some surprising stories or fun facts that occurred to you during your career?
Hacking an ever-growing number of products and services leads to more and more observations related to them in real life. It’s a strange feeling when you look at your clothes, the soda can in your hand, your credit card, a car passing by or a billboard advertisement on the street and realize that “I hacked that!”.
I guess this is one of the reasons I enjoy nature so much. Lying in the hammock next to a lake after cooking dinner over an open fire really makes me feel at peace. As much as I love working with technology, it also makes me appreciate the absence of technology even more.
What are your favorite tools/resources/content/people to learn from and which you could recommend to others?
My absolute favorite is simply learning by doing. When something catches my interest, I usually start off doing some basic research (i.e. discussing the subject or reading documentation and blog posts) to build a mental model of the problem space. Initial hacking attempts often yield unexpected results due to my flawed understanding, and figuring out why things turned out a certain way helps refine my model.
Further hacking attempts based on this improved model lead to new rabbit holes, providing a positive feedback loop which generally works _way_ better for me than watching instructional video series or just reading other people’s writeups.
Why do you hack with Zerocopter?
Zerocopter is my absolute favorite Bug Bounty platform, with both interesting programs and reasonable numbers of researchers for invite-only initiatives.
What really stands out is their responsive and pragmatic triage team, who seem to enjoy exotic or unusual findings just as much as I do and can reason about technical impacts with a deep level of understanding.
What is your favorite swag that you ever got?
Easy pick – the Dutch municipality of Delft once sent me a hacking-themed Delftware tile plate.
This was a perfect blend of local craft tradition and humor, which led me to research their history and appreciate the swag even more. If more organizations followed this format, I would love to have a swag-only tile-themed bathroom!
What is, in your opinion, the best conference to go to?
While I really enjoy both huge conferences like DEF CON or Black Hat as well as our local Swedish ones like SecurityFest here in Gothenburg or SEC-T in Stockholm, I have to say my absolute favorite is NDC Security in Oslo, Norway. It is small enough to feel really intimate, yet large enough to attract world-class experts in its field.
I have often returned home from NDC Security with deep insights from long discussions with the speakers, which has affected both my research and the way I hack customer solutions in a most positive way. If you go there, also make sure to try out sledding at Korketrekkeren!
What would you like to learn in the future?
Automation of monotonous or boring tasks has always paid off in terms of both fun and efficiency.
I have a feeling this would apply if I were to invest some time into learning how to build browser extensions to automate and optimize certain aspects of my web application hacking. Who knows, it might even bring side effects of getting back into browser hacking!