I was writing my script and guide for the From Noob to CyberSecurity Pro blog article (and possible video) which I started writing in June.
I wanted to prove a point about how the news makes programming and hacking seem so easy by stating that there are 13 year old hackers/prodigies/programmers.
Then i decided to search on google for similar fake stories since you can't possibily be an expert at such an young age. Leave Mozart be, he had training from the age of 3 and of course at the age of 13 he was proficient. Expertise comes with years of training. No wonder in that!
I ended up finding thousands of references to this young elite penetration testing mega hacker called TahirAhsan. He learned to become a hacker at age 12! In only 1 year he was able to haaxooor the world wide web my friends!
I've started writting this article because I believe that we should'nt always believe what the news is reporting. A lot of self inflated ego's out there. Can you really master a field in 1 year?
If you've had previous experience for let's say 10years in a similar field and are dedicated at working 8 hours a day then you can advance in your chosen field quite fast.
But if you have no prior experience then 1 year is not even enough time to grasp the basics.
NOTE: This article contains my personal view. It was written in June as an analysis. I've decided to post it now for the basic concept it contains. Most of the things are still valid today, next year and in 10 years from now.
It takes time to become good at anything. Mastery is an ongoing process of gaining experience.
Case Study on Cyber Security expertise
Aparentlly Ahsan "hacked" Google and Microsoft. Oh yeah boy. We have a real hacker.
I was really intrigued to find out how and why,. All i could find was that he might have reported some bugs in some apps.
That was discouraging. Why? Most of the news websites talk as if he really hacked into something.
I'm not downplaying that a bug can be a cause for havock I've seen this happen. However what I'm upset about is that the marketing/branding scheme here seems to misinform what he actually does.
When such a thing happens I usually tend to give it NO importance. But i was intrigued that nothing else existed about him other than the same text repeated over and over again on all the damn websites.
It's like the boy ran an automated script e-mailing everyone with his great achievements.
What made me really dig into this was the fact that he claims that he has learned hacking in only 1 year. From 12 to 13. I have to hand it to him, he is a genious if he managed to learn it so fast.
But by closer inspection and some fiddling around I actually confirmed my initial hunches. It's just a script kiddie who has followed some youtube videos. He has probably read some "elite hacking" books and has installed all the k3wl script kiddies tools to autoh4x0r systems! He seems to have chosen Web Penetration testing as a main theme.
A big congratulations from my part to him since he has chosen a field which will ensure he will always learn new things and hopefully have fun.
I've followed Tahir a bit on hackerone and some sites where he publicly posted his "findings".
It's funny to say but most of the them when he published something and they disclosed the information I started laughing out loud.
I mean this guy is really funny in the way that he has a lot of confidence in what he's reporting. The confidence which usually is lacking in other people.
I wouldn't even have the guts to report these low level things since if I don't have a Proof of Concept that actually works and is able to bring down the server or make changes I'd tend to think any possible fake "vulnerability" is just a waste of time. My time and the developer's time.
My initial view was that he seemed to be on the Fake Fast road to success and knowledge.
I have to hand it to him that he's really smart in the way he goes about everything. Most of the disclosures are on simple XSS or CSRF injection stuff that I'd disconsider from the start because I figured out everyone must possibly already know about this, right? WRONG. Seems he enjoys posting low level things.
I mean, a real hacker for sure! Below are a few
Full path disclosure (Oh my, i;ve seen thousands of these and never thought of sending an e-mail!)
Sure, seeing the full path can help a hacker determine some information. From the website above we know it's a windows system..But that can easily be found out with other means:D
Yes, we know the path.. Now what? If you can't find a way to get access this info is near useless since if you get access you'll know the path anyways..
Using DirBuster, are we?
https://hackerone.com/reports/153580 - nonces that are reusable for 12 hours or more seem to be vulnerable to.. stupidity.
https://hackerone.com/reports/147182 Finally, found something.. No e-mail verification when changing e-mail address form settings. Sure, this is true
https://hackerone.com/reports/152834 He tries to fill in a bug bounty for injected headers. He barely understands request vs response architecture in HTTP/HTTPS
So the famous hacker claims he can send spoofed e-mails coming from a certain domain.
Dude this is so stupid it makes me slap myself. Of course anyone can send spoofed e-mails form any e-mail address.
Even if they go to INBOX it doesn't mean it's really from that e-mail address. It all depends on a lot of factors and mail servers along the way
How each server does verification and such DKIM keys, SPF field etc. Jesus Christ.
Anyway, you should always include SPF(Sender Policy Framework) in your DNS records and DKIM setup is mandatory, even Amazon Simple Mail services recommends it so no one can spoof your e-mails
By looking at all of the disclosed ones (couldn't access undisclosed ones) I could only state that 99% of the time it was such a small issue that it's actually a nonissue.
One thing is for certain, he did gain a lot of XP (experience) points and knowledge.
https://hackerone.com/reports/149027 Hello, mommy, I didn't get an email to inform me that i've changed my password, I think this is a security issue! WTF? Really now?
Reflected Self-XSS. Reflected SelF XSS is great.. for playing around. In real life if the website has some security countermeasures it's unusable.
But this needs a PoC
Yes, I've known this since the early days of software development. Don't give details if a user account exists or not. Not when logging in, not when resetting the password.
But come on, if someone wants to know if a user or email exists they might try to register it. D'OH!
Let's be real for a moment. Most modern web apps block brute forcing so why bother even clicking on the button to report this?
This is not a vulnerability, it's just praying for attention! This little boy is praying for attention because he probably won some bounties from Microsoft.
Yes, he's been on the wall of fameof MIcrosoft. Sure. 100 other people have been on that same blog post
Anyway, the developer posted a specific screenshot showing that the text is the same for random username that doesn't exist and one that does.
If this is the way a true hacker works then oh my god I should create accounts on all bug bounty websites and let the money pour in:))
Most of the serverities where 0.0 and they where just disclosures of "hey your webserver leaks Version Information"
No kidding, most webservers do!
Oh bummer, OAUTH2 access tokens are killed but you have a refresh token that is still valid temporarily. Sure, session hijacking IF you manage to get your hands on it.
https://hackerone.com/reports/141125 Yey, he made some money for disclosing the version of NGINX.
WE WANR MORE!
There are many others but i think it's enough since i've had my load of fun for the moment. I really should consider doubling my pentest documentation.
I mean, the clients need to know everything even if it doesn't have anything to do with real vulnerabilities, right?
A lot of marketing and branding and I have to hand it to him and whoever is helping him out. He's recieved a lot of attention.
Does he know cyber security? I'd say he memorized a few things and always goes for those. Just like some Managers and HR people use jargon all the time.. I'm curious how he's on the Reverse Engineering stuff. How good he's with Linux and real networking security.
Real threats and vulnerabilities disclosed by this bad boy? Probably 0.
Real high severity threats publicly disclosed by me? 0
Ah, the reasons why I didn't go fulltime in Cyber Security? The world is full of scriptkiddies.
Well if this guy claims to be a Security Researcher and the entrance barrier is so low then I'm probably one too without realizing it! Talking about the Dunning–Kruger effect!
The ONLY reason he got into security research was that from posting 100 bugs he might get 5 of low severity right and make some money to buy games.
Now, I've only analyzed this guy, I'm pretty sure there are hunderds like him doing the SAME things:)
No real security discoveries here. Just in for the $$.
The Fake Fast road to success and knowledge is a path that many people want to take. It's why the self development industry has gotten so much attention and why there are thousands of books written on suc htopics. The truth is that no one is going to become rich nor famous overnight. It takes time, hardwork and dedication.
People look up to those who seem to have it all. Most don't realize that appearances and branding make things look better than they are. When someone is telling you that he's doing awesome he's probably not doing any better than you do.
If you want to achieve something, start preparing and doing the work needed for 1 hour a day, every day at the same time. 1 hour is enough to become proficient in 10 years.
Even if you're 20 right now think that you'll still live to work untill your 70's. That 1 hour a day means that in 20 years you will become an expert. Want to do it faster? Increase the time spent.
Mastery comes to those who are willing to invest enough time.