These explorers' findings of critical vulnerabilities – from Heartbleed to Shellshock – have generated excitement, along with awareness, and made an indelible mark on security.
Rafay Baloch is the founder and CEO of RHA InfoSec. Baloch has responsibly disclosed hundreds of vulnerabilities in his roughly six year career in security research – earning as much as $10,000 from companies such as PayPal in the process. His biggest discovery may be CVE-2014-6041, a bug that could allow a bad actor to circumvent the Android Open Source Platform (AOSP) browser's Same-Origin Policy (SOP). It was a significant issue – it was covered by major news outlets and was deemed a privacy disaster by security experts – and at the time impacted the approximately 75 percent of Android users running platforms older than version 4.4. Baloch initially disclosed the vulnerability on his blog on Sept. 1, providing a proof-of-concept exploit. Baloch's primary areas of expertise include network security and web application penetration testing. He specializes in finding vulnerabilities in web applications, frameworks and browsers, as well as bypassing web application firewalls, HTML 5 attack vectors and breaking filters of modern web browsers. Baloch is very active in bug bounty programs, having submitted and been recognized by companies such as Google, Facebook, Microsoft, Twitter and Dropbox. he holds numerous certifications.
A self-described open source enthusiast, Stéphane Chazelas skyrocketed to fame at the end of September when he reported on Bash bug, also known as Shellshock, CVE-2014-6271 – a vulnerability that made it possible for attackers to exploit Linux and Apple OS X systems. Chazelas has strong skills in C – and the UNIX API – and Perl, is an expert in UNIX shells, and has good knowledge of a number of other interpreted languages, such as Python, TCL, and PHP. He additionally has an extensive knowledge of internet protocols, and is familiar with MySQL. Chazelas earned a diplôme d'ingénieur – the equivalent of a Masters of Engineering – from the École Nationale Supérieure des Télécommunications de Bretagne, specializing in computer science. The security expert has worked as an IT Manager at SeeByte in Edinburgh for roughly five years, where he designs, implements and maintains the company's IT infrastructure and systems. Previously, Chazelas worked as a product support engineer for Emerson Network Power, Embedded Computing. He yearns to tackle diversified high technology challenges involving creativity and problem solving, and seeks a future as an expert software engineer that will offer him an opportunity to widen his experience and knowledge. Aside from technology, Chazelas enjoys guitar, hiking and paragliding.
Andrew Komarov has uncovered a wide variety of threats as CEO of cyber intelligence firm IntelCrawler. Some of his noteworthy research in this role involves point-of-sale (POS) malware, such as ‘Nemanja,' which infected more than 1,500 POS devices and compromised as many as half a million payment cards, and JackPOS, which resulted in more than 4,500 payment cards being compromised by 11 infections across the U.S. and Canada. Prior to IntelCrawler, Komarov worked in the private and public sectors where he investigated major financial crimes, human and drug trafficking cases, and was involved in anti-terrorism cooperation with international law enforcement agencies. He began his career researching vulnerabilities, but eventually made his way into positions that enabled him to do full investigations. In these roles, he gained an understanding of how attacks are carried out, as well as how to identify the bad actors and their motives. Context-aware cyber intelligence technologies are at the heart of Komarov's research at IntelCrawler – collecting large amounts of data and using cutting edge technologies that can extract preemptive and predictable attack attributes, which will be valuable for large enterprises and governments. Ultimately, Komarov is passionate about finding flaws in systems and software.
Dan Kaminsky is a cofounder and chief scientist at White Ops. Currently, he is developing systems that reduce the cost and complexity associated with securing critical infrastructure. In 2008, Kaminsky gained fame after uncovering a critical vulnerability in the Domain Name System (DNS) protocol, CVE-2008-1447, that could enable DNS cache poisoning attacks – meaning, ultimately, that web traffic, email and other important network data could be redirected to systems under an attacker's control. Kaminsky went on to spearhead what could be the largest-ever synchronized fix to the internet's infrastructure. In the event of an emergency, there are seven recovery key shareholders that have the ability to recover the internet's root DNS keys, and Kaminsky is the American representative. Kaminsky aided in other critical research as well, including a way to easily detect the Conficker worm, and identifying numerous flaws in the SSL protocol. He previously held the role of director of penetration testing with IOActive, additionally worked for Cisco and Avaya, and spent three years working with Microsoft on the company's Vista, Server 2008 and Windows 7 releases. Kaminsky also advises Fortune 500 companies.
Neel Mehta has been a Google engineer for six years and his claim to fame is finding the infamous Heartbleed bug, which was disclosed publicly in April and was reported on by major media outlets. Mehta is credited with discovering the now notorious flaw along with Antti Karjalainen, Riku Hietamäki and Matti Kamunen, all of whom are employed at Finnish security firm Codenomicon. The critical vulnerability, CVE-2014-0160, existed in widely used versions of the OpenSSL library and could enable attackers to immediately and surreptitiously steal the private cryptographic key of any secure server. The devastating bug put websites, emails, direct messages and other communications utilizing SSL/TLS encryption at risk, and even threatened payment card data. Mehta earned a cool $15,000 reward for his discovery of the Heartbleed bug; instead of pocketing it, he went ahead and donated the whole prize to a Freedom of the Press Foundation fundraiser to support encryption tools that can be used by journalists to protect digital communications, according to a The Daily Dot report in April. Prior to working with Google, Mehta worked in research and development for IBM Internet Security Systems. Mehta earned a Bachelor of Science from The University of British Columbia, and is a co-author of The Shellcoder's Handbook: Discovering and Exploiting Security Holes.