... from the Hard Rock Hotel in Las Vegas. It's theCUBE, covering HoshoCon 2018. Brought to you by Hosho.

Okay, welcome back everyone. We're here for theCUBE's live coverage here in Las Vegas for HoshoCon. This is the first industry conference where the smartest people in security are together talking about blockchain security. That's all they're talking about here. It's a bridge between multiple diverse communities, from developers, white hat hackers, technologists to business people, all kind of coming together. This is theCUBE's coverage. I'm John Furrier. Next guest, Anand Prakash, who's the founder of AppSecure. He's also the number one bounty hunter in the world. He's hacked everything you could think of: exchanges, crypto exchanges, Facebook, Twitter, Uber. Welcome to theCUBE. Thanks for joining me.

Yeah, thank you John.

So you've hacked a lot of people. So let's, before we get started, who have you hacked? You've hacked an exchange. Exchanges plural? Yeah, most of the exchanges. Most of the exchanges. ICOs. ICOs. And a bunch of other MNCs. Twitter? Twitter, Uber, Facebook, and Tinder. A lot. Yeah, a lot. And the number one. I cannot say the name.

You're the number one bounty hunter. Just to clarify, you're a white hat hacker, which means you go out and you do a service for companies, and it's well known that Facebook has put bounties out there, so you take them up on their offer.

Yeah, so basically companies say hack us and we'll pay you. So we go and try to hack their systems and say this is how we are able to discover a vulnerability and this is how it can be exploited against your users to steal data, to hack your systems, and then they basically say this is how much we are going to pay you for this exploit.

How did you get into this? I want to get started. How did you get started?

So it started with a simple phishing hack in 2008.
It was an Orkut phishing hack, and one of my friends challenged me to hack his Orkut account, and I Googled how to hack an Orkut account. I wasn't having any technical knowledge at that point of time, no coding knowledge, nothing. I just Googled it and found 10 steps, and I followed those 10 steps, created a fake page. I sent it to my friend and he basically clicked on it and entered his username and password.

He fell for the trap right away. Yeah, yeah. So quick Google, script kiddie kind of thing going on there, which is cool. Okay, now you're doing it full time and it's interesting here. This is the top security conference. So there's big names up there. Andreas was giving a keynote, but I was fascinated by your two discussion panels or sessions. Yesterday you talked about hacking an exchange and today was about how to hack Facebook, Twitter and these guys as part of the bounties. This is fascinating because everyone's getting hacked and you see the numbers. I mean, half a billion dollars, 60 million here, 10 million. So people are vulnerable and it's pretty easy. So first question for you is how easy is it these days and how hard is it to protect yourself?

So the attacks, the technology is changing. Attacks are getting more sophisticated and hackers are trying newer and newer exploits. So it's good for companies and these crypto exchanges to employ ethical hackers, white hat hackers, and do pentests and a bunch of other stuff to secure their assets. So you can say if a company is not doing security, then it's very easy for external hackers to hack their systems. But if a company is doing good in security, they are already having internal security and external folks securing their systems, then it's difficult, but it's not that difficult.

Let's talk about your talk yesterday about the exchange. Take us through what you talked about there. That got some rave reviews. How did you attack the exchanges? What did you learn?
Take us through some of the exchanges you've hacked, and how and why and the outcome.

Yeah, so we have been auditing a bunch of ICOs and exchanges from the past few months, and quite a good number. So what we see is most of them don't have security, basic security checks in place. So I can log in into anyone's account. They have a password screen on the UI, but I can simply hit the API and without any authentication or authorization, I can just log in into anyone's account and then I can get funds out of their system. Very similar to, so one issue which we found in a token sale was we were able to see PII information of all the users, all the passport details and everything, who has done KYC. So there are a lot of information disclosures in the API, and the main thing which we hackers do is we try to test these systems manually instead of going more into an automated kind of approach or running some scanner to figure out such issues. So scanners are obviously good, but they are not that much good in finding out all the logical loopholes.

So you manually go in there, brute force it, kind of thing.

Not exactly, so we try brute forcing but our own ways of doing things, and there are a lot of good bounty hunters or white hat hackers who are better than me and who are doing things.

So it becomes more and more sophisticated. We don't know when you get hacked. So when the bounties are out there, does Facebook just say, hey, go to town, or do they give you specific guidance? So you just, they say, go at us. What do you do?
Yeah, so basically they publish some kind of legal documentation around it and some kind of scoping on the targets to hack, and then they basically publish their reward size and everything and the policy and everything around it, and then we just go through it, we try to hack it, and then we report it to their team via a channel, and then they fix it, and then they come back to us saying, this is how we fixed it and this is what the impact was and this is how much we are going to pay you.

And then they just pay you.

Yeah. My yesterday's talk was mainly focused on hacking these ICOs and these crypto exchanges in the past, some of the case studies which we have done in the past, and obviously we cannot disclose customers' names, but we redacted some of the information and showed them how we hacked them.

What should ICOs learn? What should exchanges learn from your experience? What's the walkaway for them, besides being focused on security? What specifically do you share?

Yeah, so I've been, so to be very frank, I know a few of the companies and a bunch of companies who don't appreciate white hat hackers at all. So these are ICOs and crypto exchanges. So the first and foremost thing they should do is, if they are not having any internal or external, if they are having an internal security team right now, then they should go for a bounty program to make sure people like us or people like other white hat hackers go and hack their systems and tell them ethically.

How does a bounty, how does someone set that up? So, have you helped people do that?

Yeah, so our company does that. We help them setting up a bounty program from scratch and we manage it via third party platforms, and we invite private, we do it privately and we invite ethical hackers to hack into their systems ethically. And then we do have agreements with a bunch of them and that's how they are going to secure.

So how does that work?
They call you up on the phone, or they send you an email, they send you a Telegram, how do they get in touch with you? They go to the website, they do face to face with you, they have to do it electronically. What's the process? For the bounty hunting? Yeah, if it's setting up a bounty program.

Yeah, for setting up a bounty program with our company, we basically get on a Skype call with them, we explain to them what is going to be their budget and everything, how good their security team is. And if they are not having an internal security team right now, then we never suggest them going for a bounty program, because they may end up paying a huge amount of money. So then we basically sell our pen testing services to them and say, you should go out for a pen testing service first and then you should go for a bounty program.

Because they can be paying way too much in bounties. Yeah, because they don't know what their exposure is. So you do some advisory and consulting, get them set up, help them scale up their security practice basically.

Yes, yes, their entire security thing.

So what were the questions in the session? What were some of the things that the audience was asking you? Did any good questions come out that you were surprised by or you expected?

No, so all of, so for the very first talk, about hacking crypto exchanges and all, all of them were surprised. They thought putting up a two-factor authentication or something like that makes their account secure. But it's not like that. We hack on the APIs. So it's very, very, very super easy for us most of the time.

So the APIs are where the vulnerabilities are? Yeah. Mainly. APIs, the URLs. Yeah. So you guys, you use cloud computing at all? Do you use extra resources? I saw a bunch of stories out there about quantum computers and that makes things better on the encryption side. What's your thoughts on all that, Anand?
Yeah, so mainly we use a normal intercepting proxy to intercept these calls, which are going on HTTPS, by putting out our own SSL certificate and then trusting it. So we try to play into the APIs and then do stuff. We don't need a big high end machine to hack into someone, that's using it.

Yeah, so you're dealing with the wire transmission. So tell me about the conference here. What have some of the hallway conversations you've had been? What's your observation? The folks that could not make it here, what's it like? What's the vibe like? What's, what's it like here?

So they missed a lot of things. And it was the first blockchain security conference, and I've been flying from all over, from India, to just attend this conference. I was here one month back for DEF CON and Black Hat and for some other hacking events.

So you were, you wanted to come here? Yeah. Yeah.

I mean a lot of cool people here. I met so many great people. I had to hand it out even before DEF CON and Black Hat. I had to go to Osaka. I think this is an important event. I think this is like a new kind of Black Hat because it's a new culture, new architecture, blockchain's super important. There's a lot of interest and there's a lot of immature companies out there that are building fast and they need to ramp up. And they're getting ICO money, which is like going public. So it's like being grown up before you're grown up. And you got to get there faster. I mean that seems to be, do you agree with that?

Yeah, definitely. So a lot of people are putting money into ICOs, and what if they got hacked, and people don't know about security that much. So it's a big decision.

So what are you excited about? So now stepping back from the bounty hunter that you are, as you look at the tech industry, security and blockchain in general, what are you most excited about? What are you working on?
So frankly saying, so I'm looking forward to hack, I think I'll hack more and more exchanges, and I believe none of them should ideally get hacked, but that's where most of the money is going to be in future. So that's the most interesting thing.

Blockchain security is the most important. And that's where the money is. Yeah, yeah, yeah. The modern day bank robbery is happening. Global modern bank robbery. And Andreas is right, by the way. He talked about that today. It's not like the old machine gun, give me the teller, give me your cash drawer. No, it's, that was very nice. It's other people from other banks with licenses. The new bank robbers. Well, thanks for coming on theCUBE, sharing your story. Appreciate it.

Thank you. Great to have you on. Thank you for inviting me. You're a real big celebrity in the space and your work's awesome. And I love the fact that you're ethically hacking.

Yeah, by the way, I'm not the number one bounty hunter. I'm just- Number two. Not number two. Maybe there are a lot of people out there. I'm just learning and I'm- I'm a whole special around Netflix series on the bounty hunter. Yeah. Follow you around. Follow you around. And thanks for coming. I appreciate it. Thank you. Good to see you.

All right, more CUBE coverage after this short break. Stay with us here live at HoshoCon, the first security conference around blockchain. I'm John Furrier. Thanks for watching.