Hacker Interviews – Gabriel Bergel

Enjoy the interview with Gabriel Bergel (@gbergel), one of the most talented hackers in the wild.

Gabriel is an Infosec Rockstar and Viking-Cyborg (he loves Vikings and has had 2 chips inserted in his hands). He is the founder and organizer of @8dot8, CSO and owner of @hacking4def, CSA of @ElevenPaths, coordinator of @info_CCI and supporter of @colocolo.

You are one of the world’s most talented cyber security experts. Could you tell me what your technical background is and when you started hacking?

Thank you very much for your opinion, I think I’m just another hacker but I’m very enthusiastic, passionate and hyperkinetic. My approach to technology began as a child, mainly because I very much liked game consoles. The 1st console I had was the Atari 2600, then the Atari 800 XL, and when I was older, in 1990, I had a 286 Laptop with a black and white screen, and that was when I really started to feel a passion for computers. I first studied Electrical Engineering but I didn’t like it, and I decided to study Systems Engineering. I was never very good at programming, and I think that was the reason why I liked information security. Generally, all the people studying Systems Engineering come out with a profile as a programmer, which is why I started to be interested in data networks, routing, switching by the time I was finishing my studies, and it was then I started “to play” with devices and discover “things” in the networks and on the web. It must have been around 2000 that I took my first steps in Hacking.

What was your greatest hacking challenge?

I have had several technical challenges, but I think my biggest challenge wasn’t technical. It was when I created the 8.8 Computer Security Conference (www.8dot8.org), the 1st Hacking conference in Chile (which also takes place in La Paz, Bolivia and next year in Lima, Peru too). This technical conference was something many people yearned for. But until 2011 when it took place for the first time, there was nothing similar and the questions were many; starting with if we could get a place to host the conference, if any brand would support us, if the police would agree, if the public would attend, if we could get speakers, if it was a good idea or not to serve free beer, etc., etc. We first felt the sensation of getting access to something prohibited or when we get root privileges when 400 people arrived, the press arrived, we went on TV during prime time, people hugged us and asked us to do the conference again next year.

What are the 4 tools that cannot be missed in the hacker’s arsenal and why?

  1. The mind and brain: Fundamentally, there are many tools and they are becoming more accessible all the time. A hacker’s mind and his gray matter are essential, since his philosophy, strategy, perseverance, attitude, ethics, etc. depend mainly on that. And these are the main characteristics that every hacker should have, and for that reason I am convinced that those soft skills are more important than any tool and technique, since they both can be learned.
  2. Nmap, for me, I don’t know if I am very old school ;), but it is still a fundamental tool, it is the scanner par excellence. For me to do a port scan is fundamental in every field, in fact OSSTMM thinks so too. Furthermore it includes many options, scripts, it is flexible, powerful, portable, easy to use, free, good documentation, etc.
  3. Kali Linux, the Swiss knife in my opinion, has more than 600 tools, it is free, has a secure development environment, packages and repositories signed with GPG, supports several languages, fully customizable and effective.
  4. Spiderfoot, to do OSINT, there are many tools of this type, but this is the one I like the most. It is open source, free, it works on Linux and Windows, it is easy to use, modular (made in Python), and it is fully configurable. In my opinion it performs very well the automation of the process of gathering intelligence for a target, makes good data extraction, good visualizations, etc. I recommend it!

Which are the most interesting hacking communities on the web today?

There are 3 most interesting in my opinion, and they are all in Spanish, starting with the blog “Un informático en el lado del mal” (http://www.elladodelmal.com) by Chema Alonso (friend and boss). I have been following him for a long time. The blog has a lot of information, free books, videos, news, conferences, competitions, articles, and very interesting posts about information security and hacking. It is very varied and dynamic. Chema never rests, so every day there is something new to read. The other community I like very much and follow is Dragonjar (http://www.dragonjar.org). He is another friend called Jaime Restrepo. It is the largest security community in Latin America, and as the previous one, it has a lot of quality information, news, articles, research, contests, and even a conference, the “DragonjarCon”. The third is SBD (http://www.securitybydefault.com), which really is very similar to the other two and another friend and Chilean, Lorenzo Martínez, is part of it. What I mainly want to emphasize about the 3 is that they are technical communities, with quality information, they are dynamic and have contributed to knowledge, and it is where new professionals in the hacker community are born.

Which is the industry (healthcare, automotive, telecommunication, banking, and so on) most exposed to cyber attacks and why? What scares you more on the internet and why?

Today the main driver of cybercriminals is money. So when they attack the most important attribute is “the easiness” to complete the attack. The banking and financial industry is obviously the source to get money, but it has been the most attacked and also the most regulated, so it is the one that invests the most in technology, processes, and information security advice. However, the industries related to this sector were not the most attacked nor the ones who invested the most in security, and therefore the industries or sectors most exposed are those who got relaxed for a time thinking that they were not nor would be the target of attack, such as Retail, Hotels, Rent a Car, Call Centers. They all, just like the banking sector, share the payment means and use of credit cards and that has been the reason why they are being the targets of the most attacks and apparently will remain so …

What scares me the most about the Internet is the anonymity, despite all the efforts we make, awareness, tools, etc., paranoia, we will never know who the person on the other side of the cable is, and unfortunately the cases of Pedophilia, Cyberbullying and Grooming that affects children through the internet are becoming more common. The real scare is what my daughters (2.5 and 5 years) will live in the future if this does not change.

We often hear about cyber weapons and cyber attacks against critical infrastructure. Do you believe the risk of a major and lethal cyber attack against a critical infrastructure is real?

Yes, every day we see more attacks on critical infrastructure (CI). To me it is very clear that sooner or later there will be fatal consequences caused by a cyber attack, and the CIs are precisely the infrastructures that could cause this fatal impact due to a cyber attack. All the time we learn more about attacks on CI; there are new types of malware, new studies, new breaches are discovered, etc. To make it worse, and the reason why I think it is a real risk, is that this type of industry and infrastructures are more related to Industrial Physical Operations or Operations Technology (OT) than to computer science or IT, so the environment is not very aware of cyber attacks. In addition, because they are CI the “availability” vs. security has always been privileged. I mean, it is more feasible not to install a patch on a server despite being critical because this could affect the availability of the server. In Chile, we have a saying that fits this reality perfectly: “if it works, do not touch it”. The only reassurance in this respect is that every time the industry that owns the CI is more aware of the risks, and the governments are also developing and implementing policies and regulations, but in this industry things happen very slowly …

Pierluigi Paganini

(Security Affairs – Hacker, Gabriel Bergel)

Pierluigi Paganini is member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group, he is also a Security Evangelist, Security Analyst and Freelance Writer. Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years experience in the field, he is Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to find the security blog "Security Affairs" recently named a Top National Security Resource for US. Pierluigi is a member of the "The Hacker News" team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines. Author of the Books "The Deep Dark Web" and “Digital Virtual Currency and Bitcoin”.
