The road less travelled: Hacker Lyon Yang’s penetration tales

• Started by playing around with vulnerable machines
• Now a speaker at HITB’s rebranded GSEC hacker conference

BECOMING a penetration tester – or a ‘hacker’ in less polite company – is a rare thing in this part of the world, as Asian parents often push their children to become doctors, engineers or bankers.
 
This makes Lyon Yang (pic above), senior security consultant with Vantage Point Security, pretty much an outlier.
 
A penetration tester is a person who looks for exploits or vulnerabilities that can be used to penetrate a network or system. It has been three years since Yang took up this particular discipline, and he has had no regrets so far.
 
“It’s very fun and there’s an adrenaline rush when you manage to break into a system and own it,” Yang told Digital News Asia (DNA) in Singapore, adding that he has always had a passion for computers “and stuff like that.”
 
“It’s always something different and something fun – sometimes you have to hack a POS (point of sale) system one day, and an ATM (automated teller machine) the next; it’s not a mundane job.”
 
Claim to fame

Computer science courses these days shy away from teaching students how to hack, preferring to just teach the basics of coding and logic. Hence Yang got his first taste of hacking not from school, but from venturing on his own.
 
“I started playing around with vulnerable machines online that you can play and learn with,” Yang said.
 
“The first time I managed to break into one, it felt really good and very fun, and now you know how hackers do it,” he added.
 
Yang’s first hack was a virtual machine on a vulnerable server which had an easy exploit with which to run and break into the system.
 
“When I realised how easy it was to pick up, it sparked an interest to go deeper and find more difficult vulnerabilities,” he said.
 
When he was offered a job to do that for a living, it seemed like a dream come true. Yang relates to the saying “follow your passion and you will never work a day” very much.
 
“Hacking legally is fun – you need to use your brain a lot to think about how to break into systems,  and this requires a lot of technical knowledge,” he said.
 
“The fun part is using creativity, combined with technical knowledge, to think about how to break into a system,” he added.
 
Yang’s first job was a huge web application that he broke into after some research, exposing the vulnerabilities for a client.
 
“It required a bit of research to find these vulnerabilities and that was the fun part,” Yang said.
 
Yang has also enjoyed the fact that his efforts in exploiting Small Office, Home Office (SOHO) routers garnered him worldwide recognition – not bad, since he was just looking for a way to secure his home network.
 
“I am a security guy and I don’t want people to hack my stuff,” he quipped.
 
“I started looking into it because a lot of the Singapore routers are not being reviewed – most people just review bank web applications, and not much is being done on the Internet of Things (IoT) front,” he added.
 
The assumption that hardware is secure is a false one, according to Yang, as vulnerabilities are still present. There is a range of low-hanging fruit which are easy to exploit, to harder ones which require more work.
 
Discovering this SOHO router exploit also propelled Yang to hacker fame, leading to him speaking at conferences such as Defcon and Xcon, as well as the upcoming HITBGSEC Singapore 2015 conference being organised by the Hack In The Box crew out of Malaysia.
 
The opportunity to present has fulfilled Yang’s five-year goal of being able to present at such conferences – ahead of his target date.
 
“I’m actually quite happy to be able to do it in three years instead of five,” Yang said.
 
Singapore’s hacking community
 
The hacking community in Singapore is still small according to Yang, but groups like OWASP and Null meetup are helping to boost interest in this area.
 
“The community is still small – three years ago, there were only 20 people showing up to these events, but now there are about 50,” he said.
 
“Personally, I only know about 20 people who have the technical expertise,” he added.
 
OWASP is an international organisation that provides methodologies and information on how to test products and best practices. Null meetup provides activities and talks to spread information security awareness.
 
Not resting on his laurels, Yang is planning to look deeper into vulnerabilities present in IoT devices. Singapore’s Smart Nation initiative, which has proposed smart dustbins, provides opportunities for him to delve into.
 
“I’m going to look more into devices like web and baby cameras, Singapore’s Smart Nation stuff like smart dustbins, and hopefully go more into these smart stuff and weirder ones,” he said.
 
“Basically go deeper and research more into these devices – which I think is currently lacking in the industry,” he added.
 
Finding vulnerabilities will force companies to review their products, according to Yang. Ultimately, it is about protecting people from being attacked due to unpatched vulnerabilities by manufacturers.
 
Yang will be speaking on SOHO router vulnerabilities at HITBGSEC Singapore 2015, to be held from Oct 12-16.
 
The conference will showcase exploits and vulnerabilities, and feature thought-provoking panel discussions. DNA is an official media partner.
 
Related Stories:
 
HITB now out to hack the conference experience
 
HITB: An eco-system of disruptions and dependencies
 
The end of HITB? No, it's a level-up
 
Vulnerability allows hackers to take control of home Internet routers
 
 
For more technology news and the latest updates, follow us on Twitter, LinkedIn or Like us on Facebook.