
Hacker Interviews – Chema Alonso

Pierluigi Paganini July 13, 2016

Enjoy the interview with Chema Alonso (@chemaalonso), Chief Digital Officer at Telefonica, who is one of the most talented cyber security experts.

Chema Alonso is currently Chief Digital Officer at Telefonica. He is one of the most talented cyber security experts, a skilled hacker who is considered a star of the IT security industry.

Enjoy the interview.

Chema Alonso

You are one of the world’s most talented cyber security experts, could you tell me what your technical background is and when you started hacking?

I started coding when I was 12 years old, programming simple algorithms in BASIC that I ran on my AMSTRAD. Then I went to university to study a Computing Engineering degree and I specialized in Databases. After university I worked as an expert in tuning Oracle databases, and on the 25th of December 1998 the first doc about SQL Injection, written by rfp (rain.forest.puppy), appeared on the Net. I was very used to creating long SQL queries and I fell in love with SQL Injection techniques.

Years later, I was presenting at DEFCON 16 about Time-Based Blind SQL Injection techniques, and (Blind) LDAP Injection at BlackHat Europe. And then, I did my Ph.D. on those kinds of hacking techniques.

What was your greatest hacking challenge?

I’ve worked as a pentester and a security researcher for a lot of years, and unfortunately not in all the jobs are you able to get full access to the systems. If I am honest, this has happened only in a very limited number of projects where you are constrained to a single app and cannot attack users, but in those cases you feel like you are trying to solve a puzzle without enough pieces.

This said, I never did anything illegal against a company, and I tried to study new hacking techniques and discover new flaws in technology. On some of the targets I spent weeks and weeks with zero results, but this is how this works. When you find something like Connection String Parameter Pollution or Time-Based Blind SQL Injection or Blind LDAP Injection you feel great, but those are few moments compared with the big number of hard-working hours.

What are the 4 tools that cannot be missed in the hacker’s arsenal and why?

It depends on what you’re focusing on, but I always have installed Burp Proxy, Wireshark and my dearest FOCA and Evil FOCA :) Fear the FOCA!

Which are the most interesting hacking communities on the web today?

Well, today there are a lot of communities in different places: Telegram, forums, etc. In Spain and Latin America we have a big number of events, and around them there are hacking communities sharing knowledge, tools and experiences. I really think we have a healthy hacking community level.

Which is the industry (healthcare, automotive, telecommunication, banking, and so on) most exposed to cyber attacks and why? What scares you more on the internet and why?

I really think that most of them are exposed to cyber attacks more or less at the same level. Banking and Telecommunication industries have been a classic target for cyber attacks, but today we have news about common security incidents in Hospitals, or about vulnerabilities in cars. I honestly think that we left the childhood phase in cybercrime and they are very well prepared to attack any industry that can give them good benefits. Unfortunately, Cybercrime is a healthy business.

We often hear about cyber weapons and cyber attacks against critical infrastructure. Do you believe the risk of a major and lethal cyber attack against a critical infrastructure is real?

“The end of world is near” :) Well, jokes apart, Critical Infrastructures are under attack like the rest of the industries. The problem is that a vulnerability in a Critical Infrastructure has a higher risk level for all of us. Verizon was explaining how a Water Plant was hacked and attackers tried to poison the water in a UK area. And of course, we had analyzed and re-analyzed all possible effects of Stuxnet if that exploit was used in another context.

Cars, trains, planes, IoT, SCADA systems or voting technologies. Today you don’t know what could be the next “Stuxnet” in our lives, but for sure, believe, it will be breaking news because we are in an exponential growth of digital things and there is a lot of code running near to our lives that a hacker never audited.

Chema Alonso

Twitter: @chemaalonso

Blog: http://www.elladodelmal.com


Pierluigi Paganini

(Security Affairs –  Hacker, Chema Alonso)

