Haroon Meer Reveals His Process for Security Research
In our ongoing series of interviews, this week Haroon Meer answered a few questions and pulled back the curtain a bit on the methods, tools and motivation for the work he does.
Haroon Meer is the founder of Thinkst, an applied research company with a deep focus on information security. For the past decade, he was the Technical Director of SensePost, where he built and led the company’s technical team. Meer has contributed to several books on information security and over the past 10 years has written numerous articles and papers on penetration testing and related topics. He has presented research at conferences around the world from DeepSec in Vienna to Hack in the Box in Malaysia. Meer has presented papers at several academic conferences and institutions and has managed to present novel attack (and defense) techniques at almost every BlackHat Las Vegas since 2002.
In 2010 Meer left SensePost to start Thinkst with the aim of working on more difficult problems.
What motivates you to find security vulnerabilities?
Historically most of my vulnerability finding has been done for customers under NDA. As ugly as it sounds, this means that a fair bit of vulnerability finding was clearly for profit. Most of my published research has been less about bug finding, and more about new avenues for attack, defense or what is today being called “post exploitation.” My motivation is somewhat cliché: to get a better understanding of how things work and a desire to make the theoretical possible.
What are the primary tools you use, and how do you use them?
I have done fairly deep dives in many different areas in our field, so I have become pretty used to using existing tools, mangling old ones, or building new ones from scratch when needed. It also means that I’ve had different favorites over time. Consistent headliners would have to be Python, Wireshark, VMware scapy, OllyDbg and Paros.
How do you choose your target of investigation? Do you pick your target application and look for bugs, or look for a genre of bug in many different applications?
When doing client work, it’s clearly a combination of both: Picking a target application and trying to bug find as exhaustively as possible, for example. When researching for fun, I’m much more turned on by roads less travelled.
How do you handle disclosure? Which vendors have been good to work with and which have not?
I don’t have many vendor horror stories, but this is generally because I don’t have strong religious views on disclosure. I acknowledge that the research I do fulfills my desire to fiddle and won’t try to cloak it in a veil of altruism. I’m constantly surprised by people with strong opinions on how others should handle disclosing their bugs. I think people should follow whatever disclosure policy suits them with bugs they spend their time and effort working on.
What are you working on currently?
Thinkst is pretty new and has been keeping me busy and (mostly) out of trouble. Early this year we became interested in how many security conferences have sprung up lately, so we started gathering data to see if we could get useful stats on this. firstname.lastname@example.org has managed to wrap some of the scraped data into a pretty webapp which we will release soon. (This may sound arbitrary, but should eventually allow us to see interesting things like topic trends over the years, or how many talks are new versus recycled repeats, etc.)
We have also been spending time building custom solutions to address niche security problems for customers. This means I’m currently quite interested in topics around detection. How easily can we tell when our traffic is being intercepted or when our machines are being owned, etc.
Which do you see as the bigger challenge to security, smart phones or the cloud?
Hah! I think both those technologies rapidly meld into one, and the adoption of one encourages the use of the other. From a security point of view, I think it should be obvious even to non-technical observers that the perimeter is obliterated. To some extent, I think smart phones get an opportunity to do it “righter” (and to some extent they do — with mandatory code signing and application sandboxing.)
“The cloud” worries me more from a privacy standpoint, mainly because many cloud services require us to make drastic privacy sacrifices in the name of convenience. These are often not side effects, but design choices so they are not likely to be “patched” any time soon.
What do you think is the biggest challenge facing the security industry?
I think the biggest challenge right now is being able to honestly confess our state of vulnerability while we scramble to find and invent reliable solutions. I don’t think most of the companies spending millions of dollars worldwide know how vulnerable they currently are, or how ineffectual most of their current security spend is. The challenge is exacerbated because those championing this cause sound uncertain (by definition) while those selling silver bullets are cocksure and confident. It’s an old problem, Bertrand Russell said, “The whole problem with the world is that fools and fanatics are always so certain of themselves, but wiser men so full of doubts.”
What are the additional challenges security vendors outside the U.S. face?
The world is pretty small these days, and you would be hard pressed to distinguish between security researchers from South Africa and security researchers from Southern California (except maybe that we are better looking). I think non-US based research houses lack the infusions of cash that can be won through U.S. government grants or funding, but guys from these countries are used to doing more with less and will manage to get by.