Rising Star in Pakistan for Cyber Security & Research

Before I start the questions, I would like to write something about Rafay.

Rafay Baloch is the founder/CEO of RHAinfosec. He runs one of the top security blogs in Pakistan, with more than 25k subscribers and 100k+ Facebook fans. Rafay has helped major industry giants such as Google, Facebook, Twitter, PayPal, Adobe and Apple to improve and secure their online presence. Rafay managed to find a remote code execution vulnerability in PayPal, for which he was awarded $10,000 and was also offered a job at PayPal as a security ninja.

Currently, the major areas of Rafay's research are bypassing modern security defenses, HTML5 and other client-side JavaScript. Rafay holds CPTE, OSCP, CCNP Route and WAPT certifications, and the ECCS certification by Voice of Green Hats. Rafay's work has been featured in a great many articles, newspapers, magazines and local TV channels.

Let's start the questions.

Q: What was your first finding? How did you feel at that moment?
I really don't remember if it was my first finding; however, as far as my memory serves, it was a SQL injection authentication bypass attack. At that time I really didn't know why it worked, but I felt really surprised.

Q: Why do you hunt bugs? Money, fun, fame, or do you want to make the Internet a safe place?
Well, honestly, a little of everything. First of all, I don't only hunt vulnerabilities on websites that have bug bounty programs; I also report to websites that do not have them, some to get listed in responsible disclosure pages and of course to make the world a better place.

Q: Rafay, you have received a bug bounty of $10,000 from PayPal. What was the real story behind it?
It was a remote code execution vulnerability I found inside PayPal, which allowed me to execute any commands on the server. For that, PayPal rewarded me $10,000.

Q: Why didn't you accept the job offer from PayPal? I think that was a golden chance for you.
Well, I am in the middle of my bachelor's, so I think that is why I did not accept that offer. Honestly, I am not in favour of doing a job or working for someone; I would rather work with someone than for someone. However, I still think I can avail myself of it after my bachelor's.

Q: Everyone has someone who has inspired him. Who is your inspiration?
Kevin Mitnick is definitely an inspiration for everyone; his social engineering techniques were really amazing, and he has shown a different approach towards hacking.

Q: Google and Facebook have also paid you bug bounties. How do you feel when you receive bounties?
Bounties add extra income to my pocket every month; however, I really feel lucky to receive bounties from so many companies.

Q: You are very famous, my bro. Tell me, on how many sites are you listed as a security researcher?
A lot. On my LinkedIn profile I have listed more than 50 websites that have listed me on their responsible disclosure/whitehat pages. However, there are lots of websites that do not have an acknowledgment list on their website, so they thanked me via an email or sometimes by sending a gift: a T-shirt, a toolkit, etc.

Q: PKNIC has always been targeted; my site was also down for some hours. What do you recommend they do to increase their security?
The threat is at their web application level, which allowed the attacker to access its database. I remember I saw a screenshot on a forum where it was vulnerable to a SQL injection attack, so I would recommend them to review their security policies and validate inputs properly to prevent any of these kinds of attacks in the future.
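The two answers above mention a SQL injection authentication bypass and recommend proper input handling as the fix. The following is an added illustration (not code from the interview, from Rafay, or from PKNIC) of why string-built queries fail and how a parameterised query, which binds input as data rather than as SQL grammar, closes that class of bug. The user table, the credentials and the crafted input are constructed for the demo; real systems would also store salted password hashes, not plaintext.

```python
import sqlite3


def make_db():
    # Constructed in-memory table for the demonstration only.
    # (A real application would store a salted password hash, never plaintext.)
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('alice', 'correct horse')")
    conn.commit()
    return conn


def login_vulnerable(conn, username, password):
    # Defect on purpose: the input is concatenated into the SQL text, so
    # quote characters in the input change the query's structure.
    query = ("SELECT username FROM users WHERE username = '" + username
             + "' AND password = '" + password + "'")
    return conn.execute(query).fetchone() is not None


def login_safe(conn, username, password):
    # Parameterised query: the driver sends the input as bound values, so
    # whatever it contains is compared as a string and never parsed as SQL.
    query = "SELECT username FROM users WHERE username = ? AND password = ?"
    return conn.execute(query, (username, password)).fetchone() is not None


def demo():
    # Runs both versions against a genuine login and against the textbook
    # bypass input that turns the WHERE clause into an always-true condition.
    conn = make_db()
    crafted = "' OR '1'='1"  # constructed example of the classic bypass shape
    return {
        "valid_vuln": login_vulnerable(conn, "alice", "correct horse"),
        "bypass_vuln": login_vulnerable(conn, "nobody", crafted),
        "valid_safe": login_safe(conn, "alice", "correct horse"),
        "bypass_safe": login_safe(conn, "nobody", crafted),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {'logged in' if result else 'rejected'}")
```

Running the block shows the concatenated query accepting the crafted input for a non-existent user while the parameterised version rejects it; both accept the genuine credentials. Input validation (such as an allowlist on username characters) is a useful second layer, but parameterisation is the control that removes the injection itself.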

Q: If you don't mind, can you tell me what courses are essential to become a successful security researcher?
Honestly speaking, I never did any courses, nor did I do any certifications, though I have taught courses like CEH and CPTE to lots of people; I never did any of these certifications myself. However, in terms of value I believe CEH and GPEN are at the top. In terms of knowledge, I think CEH is only good for beginners, as it's just a catalog of tools; I would recommend anyone to go after eLearnSecurity (eCPPT), OSCP (Offensive Security Certified Professional), the ECCS certification by Voice of Green Hats and SANS GPEN.

Q: What are your future plans? Would you go for a job or start your own company?
I will be launching my book "Ethical Hacking and Penetration Testing" this year, insha'Allah. After that I'll work on a DOM-based XSS wiki and something cool related to HTML5.

https://www.facebook.com/photo.php?fbid=10151689272288001&set=pb.538643000.-2207520000.1390942219.&type=3&theater

It was a great interview by

Ziaullah Mirza
@ziaullah699
