Finally, here is our exclusive interview with Rafay Baloch, one of the world's best security researchers. Rafay has received bounties from many companies; some days back, in a bug bounty program, PayPal awarded him a total bounty of $10,000, and Rafay was offered a job at PayPal as a Security Ninja. He has been listed in more than 99% of the hall of fames that exist today. In this interview Rafay gives some useful tips for beginners who want to become security researchers.
InfinityLoopers: Hi Abdul Rafay Baloch, welcome to infinityLoopers.com. Thanks for giving us your precious time. Rafay, please introduce yourself a bit.
Rafay Baloch: Well, my name is “Rafay Baloch”. I am the admin of http://rafayhackingarticles.net, I am the author of two books on ethical hacking and security, and my primary interests include security research, penetration testing and blogging. Right now I am doing my bachelor's in computer science at Bahria University Karachi.
InfinityLoopers: How did you get into the cyber world?
Rafay Baloch: Well, from my childhood days I was interested in information security; however, if you are asking about the serious part, it has been around 3 years since I started researching in this field.
InfinityLoopers: Some people think hacking is probably unsafe. Is it? Are there any concerned authorities who fight against cyber crime? Describe briefly.
Rafay Baloch: That's true, because no matter how many proxies you chain in order to get to a particular destination, no matter what you use, you are not 100% anonymous, because in every case you can be traced back by cyber crime authorities. Lots of open proxies (SOCKS4, SOCKS5, etc.) have been set up, especially by cyber crime agencies, in order to investigate the behavior and nature of new attacks; therefore whatever you do there will be logged and it will be really easy for them to trace you back. In the country where we live, FIA and N3rc are the most active.
InfinityLoopers: Why did you choose ethical hacking rather than being a black hat hacker?
Rafay Baloch: I was more interested in security rather than hacking itself. My personal opinion is that security researchers and ethical hackers are one step ahead of black hat hackers, because not only do they know how to hack into a particular system, but also how to protect it from being hacked. And being a security researcher, you not only learn a wide variety of attacks but also learn to implement them in a safe way.
InfinityLoopers: What are these three types of hackers: White Hats, Black Hats and Grey Hats?
Rafay Baloch: White hats are basically the good guys; they find bugs for companies and get paid, and they make sure that the vulnerability reporting is always a responsible disclosure. On the flip side there are black hats, who are considered computer criminals; they usually hack into a computer system for personal gain or profit. And in the middle of both of them there are grey hats, who sometimes act as a white hat and sometimes as a grey hat, or in other words we can say a combination of both of them; a common example would be a person who works for a company as a penetration tester in the morning and in the evening is involved in activities like credit card fraud and other types of illegal activities. Another example from Wikipedia would be, and I quote:
“A grey hat hacker may surf the internet and hack into a computer system for the sole purpose of notifying the administrator that their system has been hacked, for example. Then they may offer to repair their system for a small fee.”
InfinityLoopers: How can one learn hacking?
Rafay Baloch: That question is quite complex; I get this question from my readers all the time. What I tell them is that hacking is not only limited to account hacking; I could list here more than 20 types of subjects that are a part of hacking. If you are talking in terms of web applications, I would recommend people to understand the mechanism of a web application before researching layer 7 attacks, learning about HTML, CSS, PHP, AJAX, jQuery etc. and all the other different types of things inside web applications before actually learning how to attack a web application. If you are talking in terms of network hacking, I would recommend learning about networks and how networks work; I would recommend people to go after CCNA, as that would help you understand layer 3 attacks in a better fashion. Summing up: learn about the service before attacking it.
InfinityLoopers: Rafay, tell us something about your books. How many books have you written related to hacking?
Rafay Baloch: I have written two books on the subject of ethical hacking and security, “A Beginners Guide To Ethical Hacking” and “An Introduction to Keylogger, Rats and Malware”, and I am writing a third one right now, which, if time permits, I would be releasing at the end of this year. Along with that I have also recorded a video course on the subject of Facebook hacking; you can find it at www.facebookhackingcoure.com.
InfinityLoopers: What courses are essential to become a successful security researcher?
Rafay Baloch: I would recommend you either go for SANS GPEN or go for Offensive Security Certified Professional. Both of these courses would push you to your limits, and you will learn and get something out of them.
InfinityLoopers: How much can a normal ethical hacker earn from bug hunting?
Rafay Baloch: If you are lucky, the sky is the limit. But one can easily earn his bread and butter with bug hunting, just like I do.
InfinityLoopers: What is your advice for new bug hunters?
Rafay Baloch: Be patient while testing; study the application before actually attacking it.
InfinityLoopers: How can one hack Facebook?
Rafay Baloch: There are numerous ways; the most basic way would be to reset the password by guessing the secret question, or by making three fake accounts, adding them to the victim's account and resetting the password through the three trusted friends' accounts. Apart from that, phishing and keylogging are very common; in terms of advanced attack vectors, browser exploitation is very common nowadays. Take the example of the latest zero-day Java vulnerability, which was made public and affected lots of computers, even those of Facebook employees.
InfinityLoopers: Tips for protecting a Facebook account?
Rafay Baloch: Don't click on any suspicious links. Facebook won't ever ask you for your password, so don't give it to anyone who asks you for it; even if an email comes to you asking for it, it's fake 99% of the time.
Keep yourself updated with the following pages:
http://facebook.com/rafayhackingaticles (Shameless self-promotion)
InfinityLoopers: How long have you been hunting bugs, and what sources did you use to learn hacking?
Rafay Baloch: I started bug hunting at the end of July 2012, when I saw Microsoft's responsible disclosure page; that's where I started hunting bugs.
InfinityLoopers: When and where did you find your first bug? What was it? How did you feel at that moment?
Rafay Baloch: I really don't remember, but my first big finding was an XSS vulnerability inside Microsoft India. I also reported an HTTP parameter pollution vulnerability along with it.
InfinityLoopers: Rafay, how many bounties have you received other than PayPal? Tell us about your PayPal experience.
Rafay Baloch: Other than PayPal I have received bounties from lots of companies; that's the reason why my name has been listed in more than 99% of the hall of fames that exist today. However, I would prefer to keep them confidential for now. Regarding PayPal, honestly I would say that their bug bounty program was not organized very well: at first they paid a lot for low-priority bugs like server information disclosures, so they received tons of reports, and as they started running out of the budget they had allocated for bounties, they started changing their policies and decommissioned lots of websites. Changing policies in the middle of the bug bounty program is a very good sign that the bug bounty program was not properly organized.
InfinityLoopers: List your achievements in cyber space.
Rafay Baloch: Author/admin of one of the top security blogs in Pakistan, http://www.rafayhackingarticles.net; author of two books on ethical hacking and security, “A Beginners Guide To Ethical Hacking” and “An Introduction to Keylogger, Rats and Malware”.
The first Pakistani to find RCE inside PayPal and also the first to be offered a job by PayPal as a senior security penetration tester; found bugs/vulnerabilities in almost all major giants like Google, Facebook, eBay, Apple etc.
I have maintained a LinkedIn profile for this purpose, where I have added complete details regarding my achievements.
InfinityLoopers: What vulnerabilities have you discovered so far in your career as a bug hunter? Which is your favorite vulnerability that you have found?
Rafay Baloch: There are so many I cannot remember, as I hunt for them every day: almost all vulnerability types related to web application security, i.e. RCE, LCE, RFI, LFI, arbitrary file upload, SQL injection, XSS etc.
Usually I find zero days and keep them private for testing purposes; however, I do release some of them periodically, and you can check out my Packet Storm profile. My favorite vulnerability was the remote code execution vulnerability I found last year inside PayPal; I had access to very sensitive stuff. The PayPal subdomain was behind a JBoss server; I was able to bypass the authentication and upload my backdoor to execute commands. PayPal paid me $10,000 for it, though if I had found it inside Google they would have paid me $20,000.
InfinityLoopers: Tell us about the future ventures you are working on.
Rafay Baloch: I am working on multiple things right now. First of all, I am currently working on some white papers to be released on DOM-based XSS and some other topics. Apart from that, I am also working to set up an organization/NGO with the name “Voice Of Green Hats”; the purpose of that organization would be to provide government and educational sites free-of-cost testing to secure their websites.
InfinityLoopers: Tell our readers about Facebook hacking.
Rafay Baloch: Facebook is getting more secure day by day, and so the attackers are getting smarter; apart from attacks such as phishing and keylogging, users are being targeted mostly by browser-based exploits.
InfinityLoopers: Who is your inspiration?
Rafay Baloch: Kevin Mitnick is definitely an inspiration for everyone; his social engineering techniques were really amazing, and he showed a different approach towards hacking.
InfinityLoopers: What is the future of hacking in the next 5 years?
Rafay Baloch: No one can fully predict it, as technology is moving so fast, but what I can predict is that attacks would be moving fully towards the client side, new HTML5 attack vectors would be released, and DOM-based XSS would become more common as the detection techniques improve and become more user-friendly.
InfinityLoopers: When you participate in a bug bounty, what methodology do you follow? How many bounties have you won up till now?
Rafay Baloch: Well, I don't strictly follow a proper methodology, but I do use the OWASP Testing Guide as a reference, as according to me it's one of the best testing guides out there. What I have learned in my past one year is that time is the most important factor in a bug bounty program, so I try to take part as soon as the bounty program kicks off. For websites like Google and Facebook, it's very unlikely that you would find bugs in their main domains or important services, since lots of researchers have already been testing before you. For these websites, I either try to go after their subdomains or acquisitions. Giants like Google and Facebook constantly acquire new companies, so there are chances that you would find bugs. The best advice would be to “keep digging”.
InfinityLoopers: If there was one thing you could suggest to improve the way bug bounties are run, what would it be?
Rafay Baloch: A better tracking and feedback system for duplicate bugs.
InfinityLoopers: Why is there no unity among hackers like bloggers?
Rafay Baloch: It's due to the ego problem; lots of people hack because they want to become famous and be talked about.
InfinityLoopers: Tell us something about PKNIC. How was PKNIC hacked? Any suggestions for PKNIC?
Rafay Baloch: PKNIC is the registrar on which almost all .pk domains are running. The first time, when it was hacked by a Turkish attacker, eboz, lots of people thought that it was a DNS cache poisoning attack; however, I investigated it and found that PKNIC itself was vulnerable to SQL injection. I was reading a post where a few people told ProPakistani that it was vulnerable to boolean-based SQL injection; I would like to correct that: boolean-based SQL injection is itself not a vulnerability, but a method used to test true or false statements.
The registrar itself was vulnerable to error-based SQL injection; therefore the attacker hacked into it and changed the DNS details (DNS is responsible for the translation of IP addresses from domain names). The vulnerability was later fixed by PKNIC; however, the attackers did a great job backdooring the server, and that's how it was hacked the second time. Therefore, I would recommend PKNIC to thoroughly scan their servers not only at the server level but also at the web application level.
InfinityLoopers: Any suggestions for InfinityLoopers? What sections do you want to see on our site, as it is new and in its initial stages?
Rafay Baloch: The posting frequency is awesome; just stick to it and stay in touch with the latest Google algorithm changes.
InfinityLoopers: Thanks for the advice. Is there anything else you want to add?
InfinityLoopers: Whose interview do you want to read on our website next?
Rafay Baloch: Maybe David Vieira-Kurz from Majorsecurity (my mentor).
InfinityLoopers: Thanks for giving us your precious time, Rafay. Have a nice day!
Rafay Baloch: You're most welcome.