We hope you have all been well. Today we have a new interview for you. We have spoken with Alberto Fontanella, CEO of Fulgur Security. We have talked about ethical hacking, the cyber security industry and security awareness training. Enjoy!
[eForensics Magazine]: Hello Alberto, how have you been doing? Can you introduce yourself to our readers?
[Alberto Fontanella]: Hello, I would like to say thank you for this interview. About myself, I’m a Cyber Security lover and Ethical Hacker. For several years, I was involved in the Cyber Security underground, in the black hat environment, during which I led a research group, wrote exploits/papers/tools and gained a lot of useful experience in the wild. I worked on my ICT Security Training at the Security/Cryptography Labs c/o University of Salerno, Italy, and I graduated in IT in September 2009 from the same University. I worked as an ICT Security Specialist with several big customers, and in my free time I’m involved in research, bringing out some exploits/tools/projects about Cyber Security. Now I work as a Cyber Security Specialist and Ethical Hacker, bringing forward the name of Fulgur Security with several big companies (government & military, telco and banking), and I’m located in Rome, Italy.
[eFM]: Thank you for having us! Can you tell us something about your company, Fulgur Security?
[AF]: Fulgur Security is a Cyber Security project born in 2009, founded by me with the aim of providing professional Cyber Security knowledge and Services, following a strong Ethical Hacking approach, to clients and the community. Compared to other big companies, we are very small in number and, in our opinion, our strength resides in the real hacking skills of our team, learned during many years in the Cyber Security underground (black hat). Because of these years-long Cyber Security experiences in a real environment, we have the skills to understand deeply any Cyber Security threat, write code, exploits and security tools – and obviously the capacity to be informed about and have access to the latest attacking threats and exploits – so guaranteeing a very effective Cyber Security proposal. Unlike the business approach often used in many big companies (often focusing on quantity/lower prices rather than quality), our policy is to focus on the quality of our people and proposals, and because of this, any Fulgur Security collaborator is a Hacker and/or a very skilled Cyber Security individual with real hacking experience learned in the wild and not just within the academic world or with some IT certification. For us, this is very important and it’s what distinguishes us from other realities.
[eFM]: Can you tell us something about your products? Ones that especially caught my eye are: PHP Code Obfuscator to ByPass AV/NIDS and WordPress Security Fingerprinter.
[AF]: These are simple tools developed by us during our Cyber Security activities (mainly Penetration Tests and others) that we have chosen to release for free. PHP Code Obfuscator is a simple tool that allows one to inject obfuscated malicious data inside PHP files, avoiding AV/NIDS identification, and WordPress Security Fingerprinter is another simple tool to scan and exploit WordPress websites. We have many other private Cyber Security tools developed by us, aimed at helping us during our ethical hacking tasks; see for example FS-NyarL (a network take over and forensics analysis tool). We have, for example, our own framework to perform Mobile Application Penetration Tests and another to perform our Web Application Penetration Tests, and so on.
[eFM]: In your opinion, how important is sharing tools among the community?
[AF]: I think that sharing tools and technology in general is fundamental to allow the community and Cyber Security to grow. I also believe in full disclosure about vulnerabilities and I think this approach is the only way that can allow a real awareness (a real understanding of vulnerabilities and following solutions). Obviously, we are against the “security by obscurity” approach often used within big companies.
[eFM]: Your main service is Ethical Hacking. Why this one?
[AF]: Our core is Ethical Hacking, yes, because within our Ethical Hacking proposal we have a lot of creative and demanding challenges in the current Cyber Security world. We understand that a real and effective solution to resolve companies’ issues is possible only with a hacking approach/methodology (not bound to trends, brands and so on) and not with a “multinational” approach where the aim is selling some expensive product or solution.
[eFM]: Among the companies you usually work with, do they understand that approach well?
[AF]: Not all and not always. Many big companies are still bound to old paradigms and old approaches, but the world is changing and, of course, Cyber Security has changed and it will change, so in our opinion, if they want to survive every new threat, they have to follow this “new” approach. However, unfortunately, inside these big companies there are also many business questions involved in the process, so the best Cyber Security approach/solution is not always taken. Business does business, and often Cyber Security is considered an obstacle, slowing down the “business = quick money” process. In our own small way, we are working to change this dysfunctional process.
[eFM]: You “offer targeted solutions for a whole range of issues not covered by any other service of Cyber Security”. What does it mean?
[AF]: We are open-minded people and know that the Cyber Security world is an ever-changing one. So we can build and deliver any proactive Cyber Security solution to our customers. We can adapt our personal approach and skills to a customer’s environment in order to provide the perfect Cyber Security solution. Often, for example, someone asks us to provide some “Social Engineering” solution to test their staff. This service, obviously, is a creative and not a fixed one. Other services can be more sensitive, for example, finding a corporate inner threat (industrial espionage), and so on.
[eFM]: Have you ever had a customer asking for the impossible?
[AF]: Yes, of course. Often the first contact is with a salesman and not a technical person, so usually they ask for improbable or impossible solutions. However, we try to find the best solution for their needs and, so far, we have always found one.
[eFM]: Can you tell us something about Klaatu Project?
[AF]: Klaatu Project was a research project I joined during my University training. It was about Malware/Botnet Fingerprinting/Identification and the development and management of a Honeypot/Honeynet infrastructure. It was a useful project to show some malware/botnet behavior, and its results were published with my thesis/paper named “Intrusion Detection System – Rilevamento ed Analisi degli Attacchi”.
[eFM]: On your LinkedIn profile you state that you have finished one course: Fulgur Security. Do you provide training? What is it about?
[AF]: We offer targeted Cyber Security training to both non-IT and IT staff in a more interactive and participatory way, avoiding simple slide reading. We understand that the first step of Cyber Security is awareness, so we try to provide it in a good way.
[eFM]: What is the most important thing to convey to learners when doing a security awareness training, in your opinion?
[AF]: That Cyber Security doesn’t relate to IT individuals only, but is related to all people involved in any company. It’s also important to underline that the problem is not technology itself but the individual’s bad habits, and the solution is to change those bad habits.
[eFM]: What do you think about cyber security and hacking market in Italy? Are there many companies within this industry?
[AF]: There are several IT companies that provide Cyber Security services, but not many provide Ethical Hacking services. We understand that Ethical Hacking is a more challenging approach and requires the right people with the right skills, and obviously real ethical hackers with real hacking skills learned in the wild are a limited number of individuals. Many IT companies do not have ethical hackers within their team, so, in our opinion, they cannot provide an effective and good Cyber Security solution.
[eFM]: Are there any challenges your company is facing at the moment?
[AF]: We are currently facing many bank challenges and are focusing our energies on Mobile Application Penetration Tests of Financial Apps and Advanced Persistent Threat VA, where we try to avoid/prevent financial frauds.
[eFM]: Any plans for the future?
[AF]: We are always facing new hacking challenges, keeping our feet in this environment and spreading out our Cyber Security awareness and professional skills within European companies.
[eFM]: Do you have any piece of advice for our readers?
[AF]: I suggest your readers keep informed about the Cyber Security world, for example by reading magazines like this one, and I suggest those readers who own an IT company rely on their company’s security and on a real ethical hacking company, which for us is the only one that can provide for and cover the real and always latest threats.
Fulgur Security’s contacts
Web: Fulgur Security
LinkedIn: Fulgur LinkedIn
Fulgur Security’s core services
- Ethical Hacking (Social Engineering, Physical Security, Internal Threat, Industrial Espionage)
- Advanced Penetration Test
- Web Application Penetration Test
- Mobile Application Penetration Test (Android, iOS, WinPhone, BlackBerry)
- Thick-Client Application Penetration Test
- Vulnerability Assessment (also ASV certified)
- Advanced Persistent Threat VA (for Banks and Financial companies)