Team Blogogist had the chance to catch up with Rafay Baloch, a talented ethical hacker who is currently doing his undergraduate studies at Bahria University Karachi. A soft-spoken and bright fellow, Rafay had a lot to share with us as we delved deep into the mind of the pen-testing genius. Here is how it went:
Rafay, kindly tell us a bit about yourself.
I started in the field of information security about 7 years back, when I was in grade 10. I was curious about how attackers went about hacking, especially Orkut accounts, because at that time it was very popular. So I went ahead and learned a couple of techniques. After that, a few of my friends advised me to write about hacking, which I did, and I started Rafayhackingarticles.net, founded in ’09.
What was your inspiration?
The movie Matrix was the biggest inspiration for me; I was really impressed by Neo, who could bypass security and hack computers at will.
How did your peers respond?
Some of them were really impressed while the others were… “meh”, telling me I didn’t know what I was getting into, script kiddie, stuff like that, but I used the critics to my advantage and honed my skills in the domain.
How did your parents respond?
At first they weren’t very supportive. There’s a culture here that you need good marks in school to get into a good college, and good marks to get into a good university, and so forth. But I took it in stride, and once I started writing blogs, the money started pouring in. Then in 2009, my first book came out and I received an overwhelming response from the readers who bought it. So, yeah, my parents’ support increased.
You have many achievements under your belt; one of them is finding a bug in the PayPal system. Care to share that?
It was August 2012 when I started participating in bug bounty programs. I was searching for vulnerabilities when I came across a remote command execution vulnerability in a PayPal system. It was a sub-domain of PayPal, and I managed to compromise the system, gaining root-level access, and submitted the bug. I wasn’t expecting the $10,000 reward that came, but hey, I’m not complaining. *grins*
You have an array of certifications under your belt: OSCP, CPTE, OSWD, EWAPT…
I’m not a big fan of certifications. Most of the certifications I possess are from Offensive Security; I was a partner with Mule2, and in return I was allowed a free shot at each of their certifications. So that’s the story of the certifications under my belt.
Rafay, tell us what you see in the white hat industry in Pakistan.
The white hat industry is growing at a remarkable pace worldwide, but in Pakistan we only have a handful who deal in information security. But there is light at the end of the tunnel, and from the way people are taking interest, I foresee a positive change in the near future.
You are currently studying at a university. How do you see the curriculum being taught correlate with the professional level?
*chuckles* I was expecting that question. The fact is that most of the stuff we are taught has nothing to do with the work that we perform in industry. There is no correlation between the theory and the practical, and the subject of information security remains untouched at the bachelor’s level in Pakistan.
What is the horizon for you? Any big plans?
I have a book coming up, Ethical Hacking and Penetration Guide, that is going to be released by the end of July, and I would publish a more localized version later this year that would be aimed at beginners. After my degree I would like to research more in information security and maybe conduct my own certification training.
What would be your advice to someone new in the field?
First of all, learn programming, because the best hackers that I’ve met or spoken to are well-versed in programming. You cannot translate the concepts you learnt in hacking techniques into solid steps unless you possess knowledge of one programming language or another.
On morals, I would like to advise youngsters not to engage in black hat activities, like carding (stealing credit card info) or defacing sites. That is very counterproductive. Chinese hackers, for example, do not deface but rather penetrate whole networks and drain information. That’s real hacking. Someone new to the field should read the existing literature, know about the current flaws, and then analyze them to predict new flaws and correct them.
Don’t let anyone else’s opinion demotivate you or keep you down. GPA really doesn’t matter. I’ll admit publicly that I don’t have a great GPA, but I already have offers from different parts of the world. If you love doing something, just go after it and do your best.