Hacker Interviews – Matteo Meucci

Today, it is a pleasure for me to interview an Italian colleague, Matteo Meucci, a great professional, a perfect mix of talent and discipline.

Enjoy the interview.

 

Hi Matteo, you are one of the most respected Italian experts on cyber security. Could you tell me which his your technical background and when you started hacking? 

Thank you for the interview Pierluigi. I’m of ‘72, and as many of my current colleagues, I started programming BASIC with the Commodore VIC 20 in the early ‘80s. I started hacking for fun on TV screen in the first big supermarket in France that was controlled by a C-20… Then I studied Scientific High School with Informatics and Informatics Engineering at the University of Bologna to improve my technical background.

What was your greatest hacking challenge? 

From my perspective hacking and challenge are the same thing, so if I look behind me surely the challenge to start from scratch the new OWASP Testing Guide in 2005 represented for me the big project I ever did. In 3 months thanks to hundreds of people involved in the project, we wrote a new methodologies, that nowadays represent the standard de facto to perform a web application penetration testing https://www.owasp.org/index.php/OWASP_Testing_Project.

What are the 3 tools that cannot be missed in the hacker’s arsenal and why? 

The first great tool is our mind with all the mindset on to think out of the box, the second one is our eyes to identify the issues asap, third our hands to write tools to hack the specific scenario.

Joke at part I suggest to use the following:

–  OWASP Zap to navigate the web sites and find web vulnerabilities (see a basic example of how to find a very easy vulnerability in 2005 using an HTTP Proxy as Zap here: http://bit.ly/29Y8DYK);

– Wifi Pineapple to show the weakness of the today wireless model (see here a demonstration I did at the last Festival of Journalism: http://www.festivaldelgiornalismo.com/programme/2016/attacking-online-services)

– Finally, Kali Linux for sure is the best container of all the best hacking tools.

Which are the most interesting hacking communities on the web today? 

You know I’m involved in OWASP (The Open Web Application Security Project http://www.owasp.org) from 2001, so I see OWASP as one of the most interesting hacking communities world wide. Here you can find all the information, tools and methodologies to understand how to hack a web application and how to protect it.

Which is the industry (healthcare, automotive, telecommunication, banking, and so on) most exposed to cyber attacks and why? 

Nowadays all the industries are exposed to cyber attacks because they are part of the cyber space and anyone, from anywhere at any time can interact with their services. In the communities we are discussing about new attacking techniques, how to exploit new 0days but if we look at the last years we see a few very complex and innovative attacks to the industries; many attacks today rely on old techniques such as SQL injection, basic malware or the exploiting of old vulnerabilities that are not patched on critical systems. That said, we can affirm that the easiest way to attack a company nowadays it to send fake emails to exploit old vulnerabilities or hack the wifi network. The Companies are not ready to manage attacks with old techniques such as ransomware or pineapple wifi network: they do not understand they are under attack.

What scares you more on the Internet? 

I’m not scares of the Internet and no one should be scared about the freedom of the Net. I’m scared that many Companies are not ready to protect them from basic attacks that happens today.  The key points are to have an internal team and processes in place capable of fixing the vulnerabilities as soon as possible , to manage the possible attacks and to and to raise the awareness about cyber attacks in the  Company.

We often hear about cyber weapons and cyber attacks against critical infrastructure. Do you believe concrete the risk of a major and lethal cyber attack against a critical infrastructure? Why and which are the most exposed CI?

Today it is very easy to hack networks that use old technologies: for example many companies are still using today Window XP and Internet Explorer 8. From an attacker point of view, there are a plethora of way to comprise successfully this scenario using old exploits that already work.

CI represent a collections of old technologies and we can affirm that the maturity regarding cyber risk is very low comparing to the IT of TELCO, Finance companies. So they are very exposed to possible cyber attacks, it is only a question of opportunity for the cyber criminals and time maybe…

[adrotate banner=”9″]

Pierluigi Paganini

(Security Affairs –  Hacker, s1ege)