In our ‘meet the hacker’ series, we’re taking the time to talk with Intigriti community members that have an impressive track record, an unusual methodology or have made valuable contributions to the community. This time, we were talking to Rana Khalil, who is well-known for her Youtube channel and write-ups she hosts on Medium.
Hi Rana! Please tell us a bit about yourself, who is Rana Khalil?
Hi, everyone, my name is Rana. I have a bachelor’s and a master’s degree in computer science. I’ve been working in the computer security field for the past three years.
I started off in application security and then I moved to pentesting at the beginning of this year. I’m also a content creator. So, I write blogs and I create videos about computer security related topics.
How did you get into IT security?
The short answer is through university. It’s a bit of a long story on how I transitioned because I didn’t do a degree in computer security. My bachelor’s degree was not just in computer science, it was joint honours in mathematics and computer science. So, I have a very strong mathematical background. In one of my courses, we learned about cryptography. And that’s where I was introduced to something called fully homomorphic encryption. This kind of blew my mind.
That was the first area in computer security that I was introduced to. So, I ended up working on cryptography during my honours project and after that I was set to do my masters in that area as well.
I know that you are OSCP certified. How important do you think are certifications nowadays to land a good job?
I’ll answer from two perspectives. The first is the HR perspective. It depends on the country you live in, and the job you’re applying to. In some countries, I know pentesters, that don’t have any certifications and they’re at the top of their field. In other countries, you need them in order to bypass HR requirements. So, if it’s uncommon, then you don’t have to get certifications.
Looking at my own perspective in regard to learning and growing, that would depend on the person. I’m the kind of person, who likes structured courses, at least for the fundamentals, When I pick certifications, it always has to be practical. So, you have to get some hands-on knowledge.
Let’s move over to a different topic. I know that you are a content creator. Tell me a little bit about the media platforms that you use? Where do you host your content and what exactly are you offering?
I started off with Medium. That’s where I wrote my hack the box write-ups for when I was studying for the OSCP. And then I think it was this year that I decided that I no longer want to do full time blog writing, I wanted to step up a little bit and move to videos. Right now, the other media platform that I use is YouTube. That’s where we cover the more application security related content versus network pentesting.
Other than that, there’s Twitter. That’s where I announce when a new blog is out, or when a new video is out. And in the future, we’re going to have Discord as well where people could ask questions. And I think that’s it for media platforms.
That’s pretty cool. That’s such a big number of platforms that you’re covering. Where on all those do you see the most interaction happening with your followers right now?
Right now, it’s through Twitter comments. So, with having a full-time job, and then content creation kind of feels like a full time job as well, I don’t really have time to respond to all the messages that I get. This is why I’m backlogged on Twitter messages. I’m also backlogged on YouTube comments. But I usually definitely get back to all the Twitter comments that I get. I think that’s where the most interaction is right now. In the future, I see it happening most on Discord.
Was there at one point, any feedback or a message that you have received that made you laugh out loud or almost burst into tears?
Burst into tears, no, but smile. Weirdly, I get a lot of messages that say, I love your voice, which is so not the purpose of these videos. But I don’t have an image and the videos are just me talking. I get at least a message a week. All the other feedback is also pretty positive. Surprisingly, I kind of expected some trolls on the internet.
Let’s talk about computer hacking! Do you have a favourite vulnerability class?
I don’t know if logic flaws fall into a vulnerability class, but they’re usually found in broken access controls and broken authentication. So, I would go with that. Those are usually the ones that scanners can’t find. And you actually need a human being to do that work for you. And they’re the most interesting and usually the most destructive ones as well.
Those are usually the ones that scanners can’t find
Do you have any tool that you have added to your toolset recently, one that you really like?
Not recently, I mostly just use Burp for web app stuff. For network assessments, it is just the normal tools that you would use like Nmap, and venom and all those other tools. The classic tools.
What’s the first thing you would share with somebody who is new to infosec?
Always keep on learning. And always be persistent in everything that you do, whether it’s learning or trying to exploit something. You might not be able to exploit it right now. But as with everything that you learn, trying to exploit it will come in handy in the future. So just keep on learning and be persistent in the way you do things.
I do have a couple of fun questions for you right now. Would you rather want to record videos covering publicly known findings, or would you rather like to record videos on security research?
In general, I like doing a lot of security research, it would be fun to kind of expose, I guess, the general public on that methodology. Because you do see a lot of people covering newly found vulnerabilities, right. Security research, I feel is something that we’re lacking in the YouTube world. And so yeah, that would be something that I would like to cover if I had the time.
Would you rather collaborate on a video with your country’s president or with a pop star of your choice?
Let’s go with the president. I feel like that’s more professional and might do wonders for my career versus a pop star, which technically will give you attention and followers. Yeah, I don’t know. never really considered it. But I’ll go with President.
Thank you for the interview!
Did you like the short form of the interview? Do you want to hear more from Rana? Watch the full conversation between Pascal and Rana right now on Youtube:
