Mar 11, 2015

An Interview with Rafay Baloch - (Ethical Hacker)

I have interviewed one of the world's top ethical hackers, Rafay Baloch, a very passionate security geek and pentester. Let's see how he began his hacking career and became a world-famous security researcher. He also has a lot of advice for your own career.

Who is Rafay Baloch?

Rafay Baloch is a Pakistani security researcher, founder of the popular blog RHA and author of the paper book Ethical Hacking and Penetration Testing Guide. Rafay has received countless bug bounties from tech giants like Facebook, Google and PayPal. His most famous finding is a remote code execution in PayPal worth $10,000 USD, and that's not all: he is also listed on many security disclosure pages.

1. How did you get fascinated towards hacking?

7 years back, I downloaded a tool which claimed to hack an Orkut account; at that time Orkut was at the top of the list of popular social networks. The tool which I was curious about turned out to be a virus which was designed to steal information. Weird things started to happen to my computer; eventually, after lots of googling, I figured it out and managed to clean the infection successfully.

This, however, made me curious about how the little program could actually have worked behind the curtains. This alone was my starting point, and from that morning onwards I dedicated every step of my career to information security.

2. Where did you learn so many things?

I have dedicated almost seven years to this field and I am still learning more and more every single day. Learning never stops. The most essential things you need for learning are patience and dedication; combined, these lead to the heights of excellence. I haven't done any courses, especially in information security.

I have self-explored most things and I am still doing so with my passion for learning. With regards to the learning part, I was lucky to get great mentors such as David Vieria, Giuseppe, Alex and File Descriptor, to name a few, and great friends such as Prakhar Prasad and Deepankar who helped me with my learning.

3. Why are you inactive in bug bounty programs?

The reason is that I lost interest; money was never a problem, alhamdullilah, but I felt like I was not learning anything new with it, so I moved towards security research, especially with Android. I think security research is more challenging than bug bounty; we as security researchers invent the techniques which pentesters use.

4. What is your advice to beginners in hacking?

My advice, first of all, is to be ethical and not to compromise your integrity. A hammer could be used to build something and it could be used to destroy something. My personal integrity is to bring positive change in this world. Secondly, with regards to learning, I would recommend everyone to focus more on web application security instead of networks and other layers, due to the fact that the attacks have moved towards web applications and there is a huge playground and potential for bug bounties.

If you are into blackbox testing, before you even start your first test, you should interact with the application and see how it works, start identifying all the inputs and start manipulating them against well-known bugs. To be a better penetration tester, you need to be good at finding logical bugs, which you can only find given that you understand how the application really works.

5. Tell us about your book Ethical Hacking and Penetration Testing Guide

The book was published in 2014. It is completely dedicated to beginners; the idea behind the book is that offense is the best defense. I have received mixed reviews. While people have really liked the contents of the book, there have been people who have complained about the grammar specifically and have criticized the editor.

I appreciate your time for this interview, Rafay. Would you like to say anything else?

My pleasure, thank you very much. The last message I would like to give is: never get demotivated by your failures, turn your weaknesses into your strengths and follow your passion.