Cloud security, the Internet of objects, artificial intelligence, new threats, market trends and, of course, bug hunting: Shahmeer Amir, one of the world’s top ethical hackers, shares with inCyber his views on cybersecurity’s major trends.

Our systems are far more vulnerable than most cybersecurity professionals may think. At least, you can’t help thinking so when you see Shahmeer Amir’s bug bounty track record. This young Pakistani “white hat” has identified more than 10,000 vulnerabilities across 400 different companies, including many Fortune 500 tech companies.

This world-renowned cybersecurity expert is also a serial entrepreneur. FIC 2023 visitors will have the opportunity to benefit from this dual experience.

Could you briefly introduce yourself for those of our readers who don’t know you already?

My name is Shahmeer Amir, I’m 28 years old and I’ve been recognized as the third most accomplished bug bounty hunter and cybersecurity researcher in the world by multiple organisations. I’ve written three books in cybersecurity and I’m also doing my doctorate in applied blockchain. Finally, I’m the founder and CEO of multiple companies. One of them is Younite, another is Authiun.

In which field do they operate?

I’ve been working on Younite for the past two and a half years now, and it takes up about 75% of my time. We’re developing an app which provides the user with secure audio-conferencing channels. I can’t reveal much about it now, we’re about to launch soon.

Then comes in Veiliux. It’s the company that I initially founded five years ago. It’s a company that offers tailored cybersecurity solutions for all kinds of businesses and clients. Indeed, cybersecurity should not be a luxury. It should not be out of reach to small to medium businesses. Similarly, big companies shouldn’t have only a few options when it comes to cybersecurity.

And then comes Authiun, which is the latest project I’ve been working on for the past year and a half. It is a multi-factor authentication platform that eliminates passwords. So, it is a cybersecurity product that I’ve created based on my knowledge and learning of all the years. We’ve recently raised some funding on it from Canada and we’re looking to start operations from Canada and Europe soon.

According to you, what would be the major threats we have to face in cyberspace in 2023? And which countries would they come from?

To be honest, I don’t view cybersecurity threats as a geographical variable. I look at it from the perspective of what the attacker must gain from a particular attack. Obviously, bad guys are everywhere, right? But, yes, there are state-sponsored attacks. Most of the time, they come from countries like Russia and China. But that doesn’t mean that they’re all bad guys.

After all, the first cyber state-sponsored attack we know of was Stuxnet, the malware that basically destroyed the Iranian nuclear program. But they’re going to come from places and countries where there is a lot of innovation in advanced persistent threats (APT) and ransomware fields.

Indeed, during the last years, there was a rise in ransomware attacks. Now, the attackers are going to take it one step further and create APT based on what they’ve learned from the past years using ransomware. I think it’s time that the attackers will start combining APT with the power and learning from ransomware and target major corporations.

Detection of vulnerabilities, and especially zero-day vulnerabilities, is on the rise. How would you explain that?

You could pay for a $10 million firewall and still have some nut job with someone clicking on a phishing link in their email and everything would just go out the window. So I think that companies should spend more time than ever in user awareness training. The weakest link is always the person behind the keyboard. Moreover, cybersecurity should be treated as a required component to run a business rather than a luxury.

The Cloud seems to be a more and more risky environment. What specific threats would you identify regarding the Cloud and the multiplication of Cloud uses?

Cloud is an open infrastructure. The problem we often meet is that companies that create Cloud accounts dedicate ill-trained and ill-equipped resources to them. That’s why they end up getting hacked. The Cloud can be 100% secure, but if your password is one, two, three, four, five, six, seven, eight, even Jeff Bezos is not going to be able to protect you from an attack.

So, when it comes to deploying their own servers, people often deploy them in default configurations, which is horrendous. A Cloud is basically someone else’s computer that you’re virtually accessing and utilizing. How you utilize that and what layer of security you deploy is on you. And what most companies fail to understand is that, however secure the infrastructure of the Cloud itself is, however big of a firewall it has, if your own configuration of the hardware that you’re using virtually is not secure, then you’re not going to be able to protect your server from attackers.

Cloud security all boils down to the fact that the users of the Cloud servers and resources are skilled enough to secure their Cloud. That is my two cents on it.

In 2022, cyber-attacks tended to have a greater impact on the physical world, like the supply chain or critical infrastructure. Will this trend still go on in 2023?

Yes, I think this will still be the case in the coming years. Let me put it this way: everything that is connected to a computer, whether it’s a fan or a nuclear centrifuge, is vulnerable to some sort of attack. This boils down to what we call SCADA security, right? If your technical resources are not secured, then your hardware resources won’t be secured either.

As an ethical hacker, do you have an increasing share of bug reporting that is related to the Internet of objects? Does it affect your activity as an ethical hacker?

Yes, I do. It would be about 5% of my reports and it’s on the rise. And for me, looking for bugs in the Internet of Things is not that different from what I usually do. At the end of the day, the hardware has firmware, which is software, right? And that software is like another software that runs a Web application. The difference between software is in their logic, it’s not in the coding scenario or in the programmatic way.

There are going to be more and more threats from SCADA and from the Internet of Things because we have the advent of more and more AI technologies in the coming near future. So, we need to be vigilant on how we build up these systems, we need to have cybersecurity as a foundational aspect of them, and we’ll be much better off.

You were mentioning artificial intelligence. What impact does this technology have in the field of cybersecurity?

There is something like that I mentioned earlier. It’s called an advanced persistent threat, which is basically a threat that makes decisions on the fly. If it has questions or problems, it stays in the system undetected. It changes itself and its byte code based on the environment itself. So, there are already AI-based malware out there.

At its foundation, AI is a program that can make decisions based on changing variables, like Stuxnet: it was a malware coming in using flash drives and it detected if the system was connected to a centrifuge. If it were not, it would remain dormant and the next time a USB was attached to that system, it copied itself onto that USB and it went on to the next computer until it found the system that was connected to a centrifuge. That’s making decisions based on circumstances. So that was also somewhat AI.

Of course, in today’s world, AI malware is much more advanced, they’re able to perform lateral movement in networks, provide different scenario-based attacks. And there can be extensions soon. Take ChatGPT. It’s only a conversational AI, but if an attacker used OpenAI technology to build a malware, we’d be in big trouble. We are very positively going towards a “Terminator” scenario where a cyber hack will be performed with such an AI that will make major damage. How far is that? Technically, I don’t think it’s going to happen in the near future. But it will.

Can you give us insights on the main market trends in terms of cybersecurity for the coming years?

Authiun develops an AI-based multi-factor authentication system that eliminates the use of passwords. Similarly, there are going to be more and more AI-based products that are going to come out, such as vulnerability scanning automation, automated recon or malware analysis. Now is a time where AI is transitioning from being a buzzword to an actual usable technology.

You’re invited to be one of the key speakers at the next FIC in Lille. For a professional like you, what does this kind of event represent?

Well, it’s a great opportunity to network with new people. I’ve always been working in the US, the UK, and the Middle East, but I’ve never been to that part of the world, and I have some great insights, great experiences to share with your country. At the same time, I’m looking to meet as many people as possible in this short span of time so I can learn from them and be a part of what they’re doing, so to speak.

And can you give us a little heads-up on the speech you will give at the FIC?

Sure! I am going to be doing plenary sessions with a lot of very talented individuals, very respected and decorated in their fields of work. I’m going to be giving two sessions. One is on multi-factor authentication and the other is on industrial control system security.
