Planet Odoo

Hiring Hackers? It's a YES!

November 21, 2023 Odoo Season 1 Episode 43

Security is an important topic for every company, but especially for tech companies.

In this episode, we invited Toufik Ben Jaa, a former hacker, to discuss the topics of hacking and software security, but also the different types of attacks businesses might face on the Internet.

Now a guardian of Odoo's platform security, he uses his years of experience to protect customers from any possible attack.

What about you? Should you hire hackers? We answer this question in the episode!

Enjoy another tech and dev talk by listening to our episode on how we built the fastest JavaScript framework in the world!

Any questions? Contact our security team at security@odoo.com.
______________________________________________________

Don’t forget to support us by clicking the subscribe button, leaving a review, and sharing your favorite episode!

- Help us keep Odoo safe and secure: https://www.odoo.com/security-report
- See Odoo in action by trying it: https://odoo.com/trial

Concept and realization: Ludvig Auvens
Recording and mixing: Lèna Noiset, Judith Moriset
Host: Olivier Colson

Toufik Ben Jaa:

There is no degree for hacking. Well, right now there is. But back then there wasn't. All my hacking experience, I use it every day, since I started at Odoo as a developer. At first, all the programming skills that I learned when I was younger, I use them every day. One of the main attacks that you can see on the internet is phishing, which is a very hard task because it's a combination of technical skill, I would say, and using social engineering.

Olivier Colson:

Hi, Odoo viewers, and welcome to another tech and dev episode. Today I have the pleasure of welcoming Toufik Ben Jaa, a software developer at Odoo. With him, we'll discuss his quite atypical professional profile. We'll see how he uses it in daily life, and of course, how it positively impacts Odoo both as a company and as a tool. Ready? Let's dive in. Hello, Toufik.

Toufik Ben Jaa:

Hello, Olivier.

Olivier Colson:

I'm really glad to have you here today. And it's actually been a while since we last saw each other. Right? Yeah, exactly. How's it going?

Toufik Ben Jaa:

I'm fine and you?

Olivier Colson:

Oh, good. Good. I'm doing the podcast now. You know, things evolve, and lots of new perspectives in my career. It's good.

Toufik Ben Jaa:

I see that, I see that.

Olivier Colson:

So what are we going to talk about today? Exactly? What? What are you doing at Odoo? Could you tell people?

Toufik Ben Jaa:

So at Odoo, I'm working on the security team. The security team is the team that is handling all the security side of Odoo, meaning the security on the development of the code, the security of the deployment, the security for our customers, and our own Odoo database that we use to manage the company.

Olivier Colson:

And your personal story is a bit special, I would say. So could you explain, could you tell people how you entered Odoo and why you are working on these kinds of issues now?

Toufik Ben Jaa:

So my story is very different from the normal one, if I can say that. I never went to a university to learn programming or anything else; I started on my own when I was 12. So I started to learn development when I was trying to make game modes for video games. So, if you know GTA, there was an online modification that allowed you to play with your friends. This modification allows you to develop game modes, so you have to learn a language that is pretty close to C. So that's where I started. I started to learn this programming language.

Olivier Colson:

So you started with something pretty low-level.

Toufik Ben Jaa:

It looks like C, but really it's a really high level. It's a scripting language. So that's where I started. I mixed video games and programming, which are two things that I love. On my own, learning programming from 12, and I switched to hacking when I was like 14 or 15.

Olivier Colson:

And what brought you to try some hacking? Was it just for the experience of it, or...

Toufik Ben Jaa:

Well, because the modification that allowed adding multiplayer to GTA San... So it was something made by amateurs. And at that time, with my small knowledge of programming, I didn't understand how you can modify software whose source code you don't have. That's where I learned about reverse engineering. It's a way to read the code of a binary whose source code you don't have.

Olivier Colson:

So can you maybe explain very roughly how you get to do that? Because, indeed, for non-developers, it might be a bit confusing. How do you do that?

Toufik Ben Jaa:

Yeah, I see. So from there, I was wondering how you can modify your game without... That's where I learned about all those things. And from there, when you learn reverse engineering, you start to be interested in malware, exploits, bugs, and anything that you can use to hack a computer or software. So from there, I had the straight path to hacking, which I went through all my younger years. Younger days, I would say. So from there, doing hacks, mainly on the GTA game, I became known in the community, made my name, released a lot of tools, a lot of modifications. So when I was 21, I went to the university to have a degree, at least to have a job; I needed a degree to have a job. I went to university, but I didn't like it because it was far away from my home. I had to take a train for an hour and a half when it was at its best, going to university, learning things that I saw when I was like 12 or 13. So it was boring. After a year or two years, I stopped. So I started to think about applying for a job. One of my friends in the GTA community was working with Rockstar Games, the one that is the editor of the GTA games. Okay. So. And he advised me to apply to this company. I did, mainly with the goal of taking the lowest job in programming because I don't have any degree, to at least have a foot in the industry. Then from there, I go up. Go up? Sure. So my CV was mainly filled with personal projects. All the projects were around the GTA games. So when the editor received my CV, they looked at it. They saw that I had the potential to work on the security team more than the job for which I applied. So I was contacted by the security team, made the interviews, and went through all the recruitment process until the end. Because I had signed a contract, I was going to work for them.
But, at this time, I would say that the political situation in the United States was not the best for foreigners that wanted to work in their country, so they didn't give me the visa to work there. So this plan was over.

Olivier Colson:

Okay. Just because you couldn't go into the country?

Toufik Ben Jaa:

Yeah, exactly. I had to work in San Diego and I needed a visa, so it was not... Okay. From there, my friend Denis, working at Odoo, whom I met in the GTA community when I was 12, so he was my friend before working at Odoo, just told me that Odoo was searching for people to work on security or developers, so he told me to try. I tried, and here I am.

Olivier Colson:

Yeah. Pretty nice, pretty nice. And indeed, it was really a close call. You nearly weren't at Odoo, so. Yeah. Yeah. And how would you say now, in the way you work at Odoo and in what you do at Odoo, your personal skills and the things that you learned on your side like that, and everything you gathered from your personal projects, interact with your day-to-day job?

Toufik Ben Jaa:

Well, I would say that since I started at Odoo as a developer, at first, all the programming skills that I learned when I was younger, I use them every day. I mean, programming is the main part of the job, so I'm doing it every day. And for the second part, I would say the hacking part, all my hacking experience that I got when I started to learn everything, I use it every day. I mean, there is no degree for hacking. Well, right now there is. But back then, there wasn't. So hacking, security, is not something that you can learn straight out of the book or at school. It's something that comes from practice and experience. So this experience and all the skills that I learned back then, I mean, I use them every day. You cannot work in security without having the experience.

Olivier Colson:

Because you have this habit of analyzing things that you don't know and being... And where could I break this thing? And that's it.

Toufik Ben Jaa:

See, it's the kind of job where you have to see the pattern by yourself, where to search, etcetera. So you have to have your own experience. So yeah.

Olivier Colson:

Okay, let's talk about, more practically speaking, the details of what you do at... I guess you're working on security. So most people would say, oh, so you protect Odoo against attacks, but a lot of people know that you can be attacked over the internet, but not everybody knows what it actually is. So maybe it would be nice to first remind people or explain, maybe if they don't know, what an attack is. What does it consist of? What can it be? What kind of form can there be?

Toufik Ben Jaa:

Well, attack is a broad word. So this word has a lot of meanings. When you say an attack in IT, people think a malicious person breaks into your computer.

Olivier Colson:

We all have this image, you know, brought by the movies and so on, or I don't know... then it enters the servers from the government and poof, he's in. So it's not always like that.

Toufik Ben Jaa:

Not always. I would say that it's a minority. Most of the attacks that we have to work on are mainly phishing. So one of the main attacks that you can see on the internet is phishing, which is a very hard task because phishing is not something technical. I mean, it's a combination of technical skill, I would say, and using social engineering. Social engineering is the way to use people to get to your means. So, for example, phishing: most of the phishing that we have is people trying to send false invoices to the accounting team, for example. So the accounting team transfers money and thinks that they paid an invoice, which is not a real invoice; it's sent by a malicious person. We have people sending fake PDFs with malware in them.

Olivier Colson:

Because it's something that... I think a lot of people don't know that. But a PDF is not just a document that you can display. There is a possibility that this thing runs some JavaScript code.

Toufik Ben Jaa:

It's a container that contains a lot of things: images, JavaScript, and... So there is a part where you can embed code that can be executed. So if you download the wrong PDF, the wrong code is going to be run on your computer. So we have a lot of attacks. As I said, you have phishing. We have people trying to DDoS our servers just to make them unavailable.

Olivier Colson:

So DDoS is a distributed denial of service. And indeed, the basic idea is to make the server unavailable and then be like, okay, I can turn it on again, but you have to pay me.

Toufik Ben Jaa:

Yeah, exactly. We have bot attacks, so we have bots running on our website... So online databases, then those databases are used for phishing or anything else.

Olivier Colson:

Because then you send a, I don't know, a message from some random bank, and you register, I don't know, or asking you to pay something. And people, if they don't pay attention, could just fall into it.

Toufik Ben Jaa:

Exactly. So the word attacks means a lot of things. So every day I would say a new attack is invented.

Olivier Colson:

Because yeah, they can combine together.

Toufik Ben Jaa:

Exactly. So we have to follow what the most common attacks are, to be on the... It's a day-to-day. It's everyday work. You have to follow new attacks. You have to follow new ways of protection. You have to teach the employees of Odoo what the best practices are. The tech side has its own best practices, and so do sales and accounting. I mean, each team has to be taught how to behave securely, I would say.

Olivier Colson:

Yeah, because, indeed, the threats are not the same, actually. And the mistakes you can make are not the same either. If, when you receive an invoice, you just pay it without asking what it is, well, you should pay more attention. But if you're a developer, it's not something you do. But when you are a developer, you could introduce some breaches, or I don't know, in the code. And you know, typically an SQL injection somewhere. Boom. And if you do that, yeah, it's a big problem, actually.

Toufik Ben Jaa:

Yeah. So exactly. So we have the tech team, for example, that has the best practices on how to write code without security issues. We have tools, automated tools, that check the code that our developers write every day. So these checks tell us if we have to take a look at the new code, see if there is an issue, a security issue, or not. We give training to our employees; mainly Olivier gives those trainings, teaching them how to write good code, how to avoid traps that lead to security issues.

Olivier Colson:

And there is the typical talk at Odoo Experience every year with all the cases...

Toufik Ben Jaa:

Mistakes.

Olivier Colson:

Yeah. What you need to avoid actually.

Toufik Ben Jaa:

Okay.

Olivier Colson:

About the way you interact with other departments than, well, R&D, I would say. But more than that, with other people than technical people, actually. Isn't it sometimes a challenge to make them realize, okay, you should pay attention to this, that? Because it can be sometimes very, you know, that thing of the fake invoice, for example: you say that to someone and he's going to tell you, well, of course I'm not going to pay an invoice from some random dude like this. Come on. But the fact is, this is the kind of technique that, well, phishing, typically you send ten thousand of them, and there are 100 that work, actually, because people didn't pay attention. And in the flow of your day-to-day work, sometimes you make mistakes, and that's what they rely on. People are not stupid. I mean, not 10,000 people are going to pay the invoice. And so isn't it sometimes tricky to explain that to people who don't have this technical knowledge and who have never actually really experienced this kind of thing? I would say.

Toufik Ben Jaa:

People generally are good people. So they don't think with the mind of a bad person. Sure. The issue here is, if you don't think with the mind of the hacker or someone who wants to attack you to steal money from you or anything like that, you won't be able to see the traps beforehand. So the thing that we try to teach our employees is you have to be the hacker yourself to understand how to protect yourself. I would say, if you don't have in your head the thought that tells you, okay, this link might be malicious, or this invoice doesn't seem correct because I paid the same invoice two weeks ago... You know, it's in the details, so you have to teach the employees to focus on the details, and for each detail that is suspect, you should take it into account. So that is the hard part of teaching the employees, because you have to change their mindset without making them too paranoid, scared to click on any link or anything like that. So it's a balance between being paranoid, I would say, and being naive.

Olivier Colson:

So, inside Odoo we have this Phish Academy thing. Could you explain what it is? Because I think it's a good example of what you're explaining.

Toufik Ben Jaa:

Now we test our employees with fake phishing emails that the employees receive regularly, I would say.

Olivier Colson:

Actually, real phishing emails, but that are sent by you.

Toufik Ben Jaa:

Yeah, exactly. So when an employee clicks on these emails, he is informed that... So you might need to take a look at this best practice. So every time they fall into a trap, they read the best practice. We hope that this will help them to understand what to avoid, and regularly too, we have the Phish Academy. So we have a type of quiz that you can take part in. This quiz lets you take a look at phishing emails or different examples. We have different questions related to phishing. So this way we try to make sure our employees don't fall into this trap. We let them see examples of phishing that are currently sent on the internet. They have the ability to test themselves regularly, I would say, to see if they are on point regarding phishing or not. If they are not, they know it. They are not punished for it. But at least they gain experience, and we hope...

Olivier Colson:

I think it's really a good way to do it, because just teaching the theory is... you might also say, well, yeah, but it doesn't, it won't happen to me. It won't happen to our company for this or that reason. And you're actually wrong because, of course, this will happen. I mean, we all received some day some message supposedly from our bank asking us to log in to something. I mean, really, in our personal lives. And it's, of course, it's no... I think doing it like step by step, and having these little spots of theory that take like really a few minutes to finish and then it's over, and having these random phishing emails coming into your mailbox that will ask you to actually pay attention to what is asked of you, is interesting, because it's like doing the practice directly after the theory. And also the fact it's spread over time, and it's not something you do in two days and then it doesn't exist anymore for you. It's interesting because it's something, well, it makes you think about it.

Toufik Ben Jaa:

And also the fact that you know that you are receiving fake phishing emails... Before the Phish Academy, I mean, the employees were rarely sending us reports about phishing. Now, every time there is a phishing email, we receive a report. There are some false positives. But at least we know that a lot of phishing doesn't go through and is directly reported, which is really important because reporting one phishing email helps other employees to avoid falling into the trap.

Olivier Colson:

Yeah, there's a little gamification side to it, actually. The fact that, you know, you need to hunt for them. So of course you...

Toufik Ben Jaa:

Have to make things interesting.

Olivier Colson:

So maybe now, as a means to illustrate what we talked about and to conclude... Maybe you have a few anecdotes or examples of attacks that we faced at Odoo, or things that you had to handle, or I don't know.

Toufik Ben Jaa:

Yeah, I have a lot of stories. I can tell you one where it makes a... and the police.

Olivier Colson:

Okay, well, it starts really well. A little teaser. It starts really, really well.

Toufik Ben Jaa:

When I started to work at Odoo, I would say two years after I started, the... It was a combination of Olivier, Xavier, some employees that were the usual culprits.

Olivier Colson:

Yeah.

Toufik Ben Jaa:

So they were doing their day-to-day job and on the side they were doing the... So I started to work on the security on my side. And we had reports from big companies, French companies, that were reporting to us that our Odoo was used to send phishing to their customers and scams to their accounting team, which...

Olivier Colson:

Is really annoying. Yeah.

Toufik Ben Jaa:

So from there you have a big company telling you that your product is used by... So we started investigating this case, and we saw that this person was actually using a lot of Odoo databases to send a lot of phishing, scamming a lot of companies, scamming a lot of people. I would say we started to work with those companies, and those companies contacted the police. So we had the cooperation with the police, and we saw that this guy was actually using the trials to host a fake website, and the fake website was a phishing one, as you may imagine. And it was trying to duplicate the real website of those companies with a modification on the contacts. Yeah, of course. And the emails, you know, so you contact him somewhere too. Yeah, exactly. Of course. And this way he was sending false invoices to these companies, sending him the money. So for like a year, the same person was banned. Coming again, buying. Coming again. Banned. Coming again. Yeah.

Olivier Colson:

Because I assume it's really difficult to detect these kinds of things.

Toufik Ben Jaa:

And after a while of investigating, collecting a lot of traces, IPs, the browser attacking, and which email address he was using. We were doing our investigation work on our side, you know, so we felt like working with the police. I mean, I felt like I was working for the police at this time.

Olivier Colson:

Odoo secret services. Yeah.

Toufik Ben Jaa:

So after that, the cooperation with the police was actually, well, working. And this person was arrested. And actually, this person was someone living in Belgium. He was like 50 years old. So for a year, a full year, we were attacked by a guy, a 50-year-old guy. We made all the tools necessary to find which person was doing that, and allow the police to arrest him. And the year after, he started to use Odoo again to try to do the same thing. But this time we were prepared. We had all the tools to detect it.

Olivier Colson:

How did you know it was the same guy?

Toufik Ben Jaa:

Because.

Olivier Colson:

You recognize the style or?

Toufik Ben Jaa:

If I recall correctly, I think he used his own home IP address. And by geolocating...

Olivier Colson:

Big mistake.

Toufik Ben Jaa:

Yeah. What was the address? And, you know, the pattern of the database name. A lot of things. We directly knew it was him. And we contacted him directly this time.

Olivier Colson:

Stop it.

Toufik Ben Jaa:

Just stop. Please.

Olivier Colson:

How did he react?

Toufik Ben Jaa:

I don't really remember, but I think he might not have replied.

Olivier Colson:

All right. So that's a very nice anecdote, actually. Do you have maybe another one that you can share with us?

Toufik Ben Jaa:

I have a lot of stories to tell, but I cannot share them at this moment.

Olivier Colson:

Oh, top-secret stuff. Yeah, exactly. Maybe they will be declassified in like ten years or so. We'll see.

Speaker3:

We'll see.

Olivier Colson:

Okay, so it's the end of the episode. So would you maybe have some final advice to give to people?

Toufik Ben Jaa:

Yeah. A piece of advice to people that want to work in security, because it's very rare... Yeah. So the thing that people should not think, I would say, is that teaching the others, the security, I would say how to be secure, is as important as the means that you put on the technical side to protect yourself. I mean, the human is the weak link in this ecosystem. So if you have the best tools to protect technically your software deployment or anything, if the human between the computer and the chair is the weak link, I would say then nothing...

Olivier Colson:

Nothing will go right.

Speaker3:

Yeah.

Olivier Colson:

So you don't only have to protect yourself against Tony Stark. You also have to fight against Loki, if you see it otherwise.

Toufik Ben Jaa:

It's a good analogy.

Olivier Colson:

Well, thank you for all your answers. There were a lot of things, and the anecdote was really nice. And it was good to see you back in person.

Toufik Ben Jaa:

Yeah. Me too. Thank you for receiving me. I hope we'll see each other again soon, and I hope the listeners will like this podcast.

Olivier Colson:

And that's a wrap for today. Thank you for joining us. I hope you enjoyed discovering such an atypical profile and how hacking can positively affect a company's security. Let us know if you enjoyed it. If you'd like to stay with us longer and discover more about security, don't hesitate to listen to "Software Security: Catching Bugs Before They Catch You", a pretty interesting episode we had with Olivier Doney, another legend at Odoo. See you next time. Cheers.