Happy Cybersecurity Awareness Month! In celebration of October, we at Maltego are excited to introduce the OSINT October campaign and the Women in OSINT Spotlight Series!
OSINT October: Women in OSINT Spotlight Series
We started OSINT October as a campaign to help both beginners and advanced practitioners brush up their OSINT skills. As part of the campaign, we interviewed women who are actively practicing and conducting OSINT investigations, where they share their OSINT journey, recent projects, and tips for those who aspire to start out in the field.
Stay tuned for daily OSINT tips, resources, news, and spotlights on the Maltego Twitter and LinkedIn channels.
Welcoming Dr. Katie Paxton-Fear: The Bug Bounty Hunter & YouTube Educator
Our first guest for the Women in OSINT Spotlight Series is Dr. Katie Paxton-Fear!
Katie is a Cybersecurity Lecturer at Manchester Metropolitan University and Technical Community Manager at Bugcrowd, but she's probably most well known for her hobby: In her free time, she's a hacker and a YouTube educator.
Since 2019, when she first got into hacking "accidentally," she has found more than 30 vulnerabilities in real software in production. She got her start in security thanks to a mentorship at a HackerOne live hacking event in 2019 where she found her first two bugs in Uber, despite it being her first time hacking. After being invited as a mentee again in Vegas during DEFCON, she realized the privilege she had and once she got home, she started making videos teaching others how to get into hacking.
Since then, she has made more than 50 educational videos on a range of topics, explaining beginner vulnerabilities, tools, APIs, note-taking, and mobile hacking. She is interested in the intersection of data and web application vulnerabilities and developing understanding from noise.
In this interview, we will dive into her journey and experience of being a bug bounty hunter, how OSINT plays a role in her projects, her aspiration of teaching and creating educational content, and three of the most important things that helped her become who she is.
Let's jump right into it!
Listen to the full interview on our YouTube channel.
Welcome Katie! Tell us a bit about yourself. How did you "accidentally" get into security and hacking?
Katie: Thank you! Like you said, I started in 2019 but didn't really intend to get into security. I have a degree in Computer Science and after finishing my degree, I went and worked at a company doing data science and development. It was fun. It was challenging.
I was walking to lunch one way and realized I wasn't very fulfilled, so I quit. I decided to go do a PhD. Unfortunately, this was around Christmas time and the PhD applications had already closed. So the one option that I really had was cybersecurity mixed with what I already knew, like natural processing and data science.
So you really never intended to get into security?
Katie: I very much kind of just landed here by accident. And I did actually find quite a joy. I was very fortunate and invited to be a mentee at HackerOne in 2019. I just applied and they accepted me. I was like, that's cool! I had never done any kind of hacking before. I found my first two vulnerabilities and got my first bounty. And I have been doing that ever since.
Do you remember how you felt when you found your first bug bounty?
Katie: It was pure joy. I was shaking.
I found my first bug primarily just because one request was a little bit different from all the other ones. It wasn't even like a major thing. It was just a little bit different and I realized, oh my god, I can do something here.
When we were coming up to the last moments of the event, I sat there writing up and had to get it in by the deadline. I was shaking, panicking. My mentor, who has significant experience in bounty cybersecurity, was freaking out as well.
After we went in by the deadline, someone from HackerOne came over to us. He was like, "Oh Katie, how are you doing? I've got some good news for you. I'm giving you a thousand-dollar bounty." And I was like, "No! No! No! You're not!" Not only is it my first time to find a bug, my first bug, my first time ever hacking, it was also the first bounty I got. It's just pure joy. I'll never forget it.
"I found my first bug primarily just because one request was a little bit different from all the other ones. Not only is it my first time to find a bug, my first bug, my first time ever hacking, it was also the first bounty I got. It's just pure joy. I'll never forget it."
Amazing. Is there any relevance of open source intelligence (OSINT) in your work?
Katie: Oh for sure. When we're hacking, we're hacking over the internet. The amount of stuff you can just get off Google is incredible.
There's a type of hacking called Google Dorking, which is literally searching in Google and getting bugs out of it. You find exposed personally identifiable information (PII) or some vulnerable versions on the web that are exposed.
The internet is really big. A single target like Yahoo is not just Yahoo.com. It is knowing all the local versions of Yahoo.com. It's not as simple as: Here's a website, go and hack it. If you really want to find unique bugs that nobody else has found before, you need to dive deep into anything you can find. And of course, they don't let that information out in the open, so you need to work for it.
OSINT is really incredible. The investigations we deal with more is to see that this company has acquired this company and what's the history of that company? To look at email address records, look at DNS and see how the host of some websites has changed over the time dimension. OSINT is critical for understanding.
How do you find and maintain your motivation to continue hacking?
Katie: So the thing about human motivation is that money is actually a great motivator to a point, and after that, it's not a motivator anymore. I think some people get stuck because they only think about financial motivation.
The way to think about hacking is through the three lenses:
- Mastery: Getting better at something
- Autonomy: Doing it in the way we want to do it, and
- Purpose: Doing something which has a greater impact on society.
It's really important to shift your motivation away from finding bugs to get paid. Instead, think about what greater value you have. Learning more about how the internet works, learning how to break the internet, doing it because it's beneficial for the society.
Besides hacking, you also run an incredible YouTube channel full of educational content. Would you tell us more about it?
Katie: After the HackerOne event, I was convinced that the two bugs I found were a fluke. And then I think a week later, I was invited to go to DEFCON. When I was there, I found two more bugs. I was like, well, you know, I know data and I put two and two together. I might be kind of good at this.
But really, what inspired my YouTube channel was meeting other mentees and realizing what they were struggling with, and understanding the difference between me as somebody who had been successful and where they were at, and the difference in knowledge level. It wasn't that they were bad or their mentors were bad.
I realized the gap in knowledge in both bounties and, more generally, cybersecurity isn't the beginners because a lot of people can open up a tutorial. It's what happens next. People tell you there's a bug here, here's the attributes it has, and here's how it works. But they don't explain to you how you can find it.
So I was like, I'm going to be the change I wish to see in the world. The motivation was kind of answering that question.
"I had this insight into what it was like to know nothing at all, which made me look at the other content out there and realize what was missing."
How did you build up your channel? What tips would you give for people aspiring to create educational content?
Katie: In terms of tips for people who want to be a content creator, one of the most important things you can do is find out what that is for you. A lot of people on YouTube would try finding your niche, but it's far more about finding the problem you want to solve. That tells you what your content should be about.
The other tips I give are more procedural, like understanding what your videos should look like. Because of my background in academia, I wanted to make videos that felt like a traditional classroom environment because I felt that was the best way to present this information.
In addition to that, I don't think you need to have a good microphone or camera. As long as you're enthusiastic about what you're trying to present, you've got that in-depth connection with what you're talking about. It's that general enthusiasm that people think you're not just making content to get rich, but that you want to educate, inform, and give people interesting facts.
And my final tip is, don't just think about it. If this is something that really interests and excites you, don't just sit on it. Don't just go, "That'd be really great if I could do that." Really look at how you would put that into practice, whether it is arranging work schedules or cutting back on relaxation time to put effort into it.
That's gold. Can you share your tips on top resources and how you stay motivated to keep learning?
Katie: One thing that I found really useful in learning is to make sure I have a mix of things that I'm working on right now. There is not one magic box that will teach you everything about hacking. It just doesn't exist. If somebody is claiming that, they're probably trying to get you to spend money on it.
There is no book, no course, no degree, no magic scroll that's going to teach you everything about hacking. You've got to learn it from a lot of different sources that work for you.
Something that I really like is mixing up. I'll do a bit of reading. I'll do a bit of CTF practical exercises. I'll do a bit of trying something. I'll kind of mix it all around, so I'm not just studying constantly.
There's More: Listen to Our Full Interview with Katie!
If you find the snippets of the interview interesting, don't miss even more stories and the websites, books, and resources Katie shares in the full interview for people who want to learn hacking!
Listen to our full interview with Dr. Katie Paxton-Fear to learn more about her journey in-depth:
- How she builds up her core strength in hacking
- Her recent work with APIs
- How she started her YouTube channel and what kept her going
- Books, communities, and resources she recommends
- Her plans for the future
- Her pro-tips for anyone in OSINT
Check out Katie's work on her Blog, Twitter, and YouTube channel!
Happy OSINT!