Hacking is a word that is almost always described notoriously, which makes everyone uncomfortable, but if we dig deeper we see that there are two sides to it. On one side are ethical hackers and computer security experts who penetrate networks, computers, applications and so on to track down security vulnerabilities and help prevent exploits. On the other side, black hat hackers violate computer security for little reason beyond malice or personal gain.
We are in conversation with the world’s best security researcher from Pakistan, Rafay Baloch. Rafay still remains underutilized in his country for his talents and skills. Rafay, 22, started hacking half a decade ago when he was still in college. He is also a researcher, and his publications cover Android browser security, HTML5 security, and bypassing client-side and server-side protections such as WAFs and encoders. Web, network, malware, mobile application and browser security are his areas of expertise, whereas he likes to revisit JavaScript, Flash and similar technologies.
Initially it was a malware tool installed on his computer that made him curious to learn more about hacking. The zest to learn how .exe files and other viruses can infect a computer paved Rafay’s way to where he is today. The great time began when Rafay was recognized for detecting a serious vulnerability in PayPal’s service. He won prize money of $10,000 and was also offered a position at PayPal to officially check their systems for security vulnerabilities, which he declined for personal reasons. Rafay was featured as one of the top 5 ethical hackers last year by Checkmarx, which is the world’s leading security publication. Rafay has also been featured in The Wall Street Journal, the BBC and Forbes. Rafay excitedly mentioned that the prize money helped him buy a car for his mom.
Rafay told me how two-step verification for logging into platforms is a good security check to introduce in order to reduce vulnerability. He exclaimed, “Before two-step verification, it was easy to hack into someone’s account using phishing.” He also warned, “Even with the latest verification systems, one should stay extremely cautious with gadgets that connect to the internet, or while installing applications that take multiple permissions to connect with your smartphone, because this can result in malicious actions like identity theft.”
I asked him whether hacking comes naturally as an innate skill or is something one can learn over a period of time. In his response he left a message for all the young aspiring hackers. Rafay said, “Inspiration is very important; my inspiration came from The Matrix. A person with dedication and passion can accomplish anything. Everyone has to start from somewhere, take a leap of faith and follow their passion – dig deep and go down the rabbit hole.” According to him, at any age, with the right resources and the correct motivational drive, one can learn and develop any skill; but for something like hacking, which has the potential to become hazardous, one needs to be at an age where they can strictly remain a white hat hacker. Practicing hacking ethically is ultimately a matter of personal choice and integrity; as Rafay says, “A person can use a hammer in a positive way to fix something or use it to hurt someone.”
Rafay also founded RHA InfoSec in 2014 with his friend Danish Iqbal. The company mostly provided specialized web application and network penetration testing, but it also offered a wide variety of security services, including malware removal, stress testing and mobile application testing. In simpler words, they provided cyber security solutions. Unfortunately, the project was shut down for security reasons, which brings me to the most important part of the conversation.
Initially, Rafay explained, his family had concerns about him practicing hacking because they thought his actions could potentially be seen as unauthorized intrusions. It is true that the term ‘ethical hacker’ seems like an oxymoron: how can something so precarious claim a relationship with a code of ethics? Later he had to decline PayPal’s offer, because it is a fact that experts do not strictly stick to established practices when detecting problems, so the concern still remains: ‘how ethical is an ethical hacker?’ This puts someone like Rafay, especially being as young as he is, in a position where his only option is to decline the offer and hope for better luck next time.
As more businesses move into e-commerce, a data security vendor should be an important partner for small and medium sized businesses in managing and securing their networks and data communications. A security tester can reduce the level of cyber crime and ensure that organizations take a holistic approach to security. An organization cannot combat hackers or address its vulnerabilities with tools like antivirus software alone.
Unfortunately, even after understanding that companies need white hat hackers to outwit black hat hackers, companies here in Pakistan pay no attention to hiring an IT expert for a ‘penetration test’. Another regrettable point of discussion is that ethical hackers do not have the security and protection they should have from the government and legislation. Where ethical hacking should only be a powerful strategy for fighting online crime, penetration testers have actually gone missing to serve personal purposes. There have been numerous cases where experts were arrested on false allegations. Security researchers in Pakistan have no control over how their actions are judged by the authorities.
In the end, Rafay concluded, “Do not hack for vengeance, hack for protection. One cannot learn security without learning hacking. As a community we can build our own sense of ethics, so stay safe and ethical.”
By contrast, Rafay is not a brilliant student at his university, and he isn’t ashamed of it at all. He says, “Do not run after your GPA. We are taught to excel in studies but never taught to excel in the skills and passion we possess. It is because people have lost faith and believe that they need to score a good GPA to earn well, without even trying to figure out if they could be better at something else. I was given a choice to do ANYTHING; this is what I chose.” When not being a security expert, Rafay is just another undergraduate student at Bahria University who plays the piano brilliantly. This talented guy is also known as Pakistan’s “Top Ethical Hacking Prodigy.”