Know your community – Celil ÜNÜVER

Bug Bounty hunter – found and reported vulnerabilities in Microsoft, Apple, Adobe, IBM, Novell and more, Co-Founder of TRAPMINE and SignalSEC, Founder of NOPCon, speaker at PoC / Code Blue / Swiss Cyber Storm / CONFidence and more – please meet Celil ÜNÜVER

Questions

Q: How many years have you been working in the security field?
A: Professionally I have been working in the security industry for 9 years. However I started to read about security & hacking topics when I was 10-11 years old. At the total, I’m interested in the security field for about 17 years.

Q: What was your motivation for getting into the security field in the first place?
A: Common answer is curiosity. When my computer got infected by a virus, I was so excited to learn how it happened. After that, I found myself reading about VX magazines and tried to learn how to write computer virus. I was a kid and I needed to learn programming first.

Thanks my father (R.I.P), he gave me C programming book named Turbo C. After some years, I found myself reading full-disclosure and bugtraq mail lists. I was so fascinated by Software vulnerabilities and exploits. I was dreaming about discovering zero-day vulnerabilities and publishing them. 🙂

Q: What was the first vulnerability you found?
A: I think it was a crappy bug affects a stupid media player or download manager software named GetRight.

Q: How did you feel when you found the vulnerability?
A: I was n00b at that time and finding a crappy bug in a stupid software made me so happy. I still remember how I called my friends to show it immediately because I didn’t have expertise to analyze that crash alone at the time lol… Anyway that feeling made me to improve myself in this area.

Q: Did someone help you?
A: I met really cool guys (n4rk07IX, Hurby, Yasin Sürer) in Turkish scene around early 2000s. I got a lot of motivation by them. I can’t forget help of Hurby (Ahmet Cihan) and Yasin during my studies in low-level security stuff.

Q: What is your field of expertise in vulnerability research?
A: I’m mainly experienced in memory corruption / safety issues about all kind of user-mode applications running on Windows OS. I discovered various vulnerabilities affecting browsers, SCADA, media players, flash, office and even Windows Mobile 🙂

Q: Is there some security research field that you always wanted to learn but never had a chance?
A: I have some knowledge in Windows Kernel vuln research & exploit but never had a chance to expertise on it. I always wanted to spend more time on kernel stuff. If I have free time in future, I definitely want to learn more about Windows and MacOS kernel exploiting.

Q: What would be your dream job? pure research? exploit development? relaxing at the beach?
A: I started to get bored of my job because of the industry. Snake-oil consultants, shady and liar competitors try to attract companies and people by their lies in my country. There is still not enough respect to real researchers who do their best in the job.

Our industry is pretty good place for security charlatans but people are coming to their senses. I definitely dream about doing some pure research alone and stay away from the market in the future. Doing this in a Baltic country or Iceland would be a nice choice. 🙂

Q: Can you tell us how (and why) you started NOPCon?
A: I attended a hacker conference named CONFidence in Poland. It was my first experience in an international hacker conference. At that time, all the conferences organized in Turkey were commercial infosec confs. Every year, same local consultants were speaking at these events about network security 101, pentest-101 topics.

After I have been at CONFidence, I thought we should change this situation and organize a real hacker conference in Turkey. So I started NOPcon with my best friends from scene (Ulas and Yasin). Our aim was to build a non-profit small international hacker conference and I think we succeed to do so.

Q: Do you remember the first conference? ( How many people attend? / How many talks / topic etc)?
A: The first edition of NOPcon organized at Istanbul Bilgi University in 2012. I think just 100 people attended. It was very amateur and small. We had only two international speakers. At the total, we had 9 talks about Linux Kernel Exploiting, IE Exploiting, iOS , VoIP and Android security.

There wasn’t any sponsor talk and local community was amazed. It was a different move for Turkey. I would like to mention that only Beyond Security supported the first edition of NOPcon by becoming a sponsor.

Q: Did you ever thought that NOPcon will be the conference it is today?
A: NOPcon became a well-known boutique conference in the industry. I am happy for it. Yes, in first edition of NOPcon , I thought it will be a well-known event in next years.

Q: How complex is it to organize a hackers conference? – and do you have any funny stories?
A: It is really complex because NOPcon is completely free event. Attendees don’t pay for the ticket. Our conference is one-day event but we have started to host more international speakers in last few years. We try to get well-known researchers in the field. Also we try to rent better places as we get around 300-400 attendees every year. We cover speakers’ expenses and we try to host them very well in the beautiful city Istanbul. However, it’s hard to find sponsors for hacker conferences in Turkey. So it is really complex for us to organize a non-profit conf here.

Q: Do you pay for well-known security researchers to come and give a lecture in the conference?
A: Unfortunately no. I believe that researchers should want to give lectures at conferences to support the local community, to share new ideas / research and gain reputation and not for the money. However, as I mentioned in previous question, NOPcon is completely free event and we don’t organize it for profit. So we just try to cover speakers’ travel and accommodation expenses.

Q: You are a very experienced researcher and you had the opportunity to participate in many security conferences – You have been speaker at PoC / Code Blue / Swiss Cyber Storm / CONFidence and more. What is you favorite security conference?
A: I really like POC and Code Blue conferences. They are top favorite conferences for me. CONFidence is another conference from Europe and it is definitely in my favorite list. Additionally, Nordic Security Conference in Iceland was a special event for me because I gained a close friend (Stephen Watt) through this conference. Unfortunately organizers discontinued NSC conference. In a near future, I would like to attend Ekoparty too.

Q: What kind lectures you like to attend? listen to?
A: Any lectures related with vulnerability research and exploit development.

Q: What do you love most in conferences? (conference events – CTF / hacking village / Hack the badge, drinking parties etc)
A: I love meeting my friends from community in conferences. It is best way to meet old friends and have new friends. I don’t drink but I like attending drinking parties after the conference. Especially drinking hell in POC is awesome 🙂

Q: What is the most exotic place you attended a security conference at?
A: I attended Nordic Security Conference in Reykjavik, Iceland. Iceland is the most exotic country I have ever seen.

Q: In which country have you been surprised by the size / quality of the security community?
A: It was Korea definitely. They organized CTF for women in POC 2015. It was very surprising for me to see so many women participating in the CTF.

Q: How has the Turkish security community changed in the past 5 years?
A: Turkish security community is growing day by day. Most of the community were interested in network and pentesting topics 5 years ago. It changed now. People are more interested in low-level security topic. University students try to learn about reverse engineering and bug hunting. I would like to say that my efforts have an impact on this change. I tried my best to get attention of people to low-level stuff via conferences, papers, blog posts and especially via NOPcon!

You are co-founder and principal researcher of TRAPMINE, SignalSEC co-founder, NOPCon organizer, vulnerability researcher, Pentester, Reverse Engineering and bug bounty hunter.

TRAPMINE provide an endpoint security solution, SignalSEC is a vulnerability research company.

Q: It looks like you are in both sides (as a defender and as an attacker) – which part do you like more?
A: I’m working in defensive side for the last 2 years. We just give training/consulting services in SignalSEC currently. Before founding Trapmine, we were doing more offensive research like vulnerability hunting and exploit development. However we always shared our research with vendors and bounty companies to make the cyber world safer. Currently, we use our past offensive research experience to develop defensive solutions in Trapmine Inc. Anyway, I can admit that it is always more exciting to break something than building.

Q: You have the opportunity to look for vulnerabilities in different products (Clients and more) – In your opinion, do you think that developers today are more aware of security issues?
A: Yes. It is harder to find bugs than before.

Q: Do you have example of security issue that repeat itself in most of the product that you check?
A: Yes, I remember an experience about a security issue in SCADA product repeated itself although it was reported before and vendor claimed they fixed it.

on January 2017 you were interviewed (https://siberbulten.com/english/turkish-researcher-ios-suffering-from-heap-overflow-bug/) and told that you found “two vulnerabilities in iOS. The first, harmless. The other, a heap overflow, we consider worthy but did not report it to Apple as we wanted to keep it a zero-day.”

Q: Why did you decide to keep the vulnerability as a zero-day?
A: I need to analyze it more and then it is better to report it to Apple through a bug bounty program/company and get a reward. No other offensive reason. I try to work with bounty programs to report issues. I don’t like bugs used offensively. However I don’t like to report them to multi-million companies for free also.

Q: Do you think vendors don’t pay enough? Even though they have bug bounty program?
A: Most of the vendors still don’t pay actually. If they have a bounty program, they pay the lowest price in the market!

Q: As an offensive security researcher, how many times do you get “shady” emails / contacted by unknown companies asking about acquiring vulnerabilities? and what is your funniest story of someone who contacted you?
A: Yes, I got a lot of shady emails before. All vulnerability researchers get these kind of shady emails in the industry. No need to read and spend time on these emails. “Mark it as spam!”

I saw that over the years you found and reported vulnerabilities in Microsoft, Apple, Adobe, IBM, Novell and more.

Q: Is it possible to make a living from bug hunting?
A: Of course! I earned a lot from bug hunting before. I have many friends make a living from bug hunting.

Q: What is the longest period of time it took for a vendor to patch a vulnerability you reported?
A: 6 years and still not patched 🙂 Maybe they forgot it and I don’t remind. It is nice to stay on a zeroday for 6 years.

Q: What was the silliest reward you got for reporting vulnerability to a vendor?
A: Silliest reward is just being “credited” in security bulletins by the vendor….

Q: Do you think the rewards security researchers get from report vulnerabilities are fair?
A: No. They should pay more!

Q: Have you noticed a lot more non-traditional companies and organizations showing interest in bug bounty programs?
A: Yes… Because companies becomes more connected to internet. Ransomware attacks, exploits affect even all companies and individuals.… Bug bounty is effective way to fight against security issues.

Q: What industries or business sectors would you like to see more involved in the bug bounty business?
A: Government organizations, energy and ISP companies

Q: What are the best companies to work with when hunting for vulnerabilities? What traits do they have in common?
A: I never found a bug in Google products but I guess Google is the best vendor to report a vulnerability and work for responsible disclosure. They respect the research and they try to reward vulnerability hunters.

Q: Are you still looking for vulnerabilities on your free time?
A: Yes but not too much… Because I can’t find enough free time for hunting vulnerability anymore. However, I definitely want to start again in next years..

Q: What type of products do you like most looking into vulnerabilities in?
A: All kind of products working on Windows OS.

Q: What’s the single most important piece of advice you would want to give for someone seeking out a career in the security filed?
A: Please first learn the philosophy of hacking and feel the spirit. Then follow the masters in this area. Read their papers, books and try to publish your research.

Q: What are your hobbies?
A: Japanese Traditional Jujutsu, swimming, playing guitar, travelling.

It was a pleasure, Celil, to talk to you

You’re welcome.