Happy Cybersecurity Awareness Month! In celebration of October, we at Maltego are excited to introduce the OSINT October campaign and the Women in OSINT Spotlight Series!
OSINT October: Women in OSINT Spotlight Series 🔗︎
We started OSINT October as a campaign to help both beginners and advanced practitioners brush up their OSINT skills. As part of the campaign, we interviewed women who are actively practicing and conducting OSINT investigations, where they share their OSINT journey, recent projects, and tips for those who aspire to start out in the field.
Welcoming Dr. Katie Paxton-Fear: The Bug Bounty Hunter & YouTube Educator 🔗︎
Our first guest for the Women in OSINT Spotlight Series is Dr. Katie Paxton-Fear!
Katie is a Cybersecurity Lecturer at Manchester Metropolitan University and Technical Community Manager at Bugcrowd, but she’s probably most well known for her hobby: In her free time, she’s a hacker and a YouTube educator.
Since 2019, she has found more than 30 vulnerabilities in real software in production, when she first got into hacking “accidentally.” She got her start in security thanks to a mentorship at a HackerOne live hacking event in 2019 where she found her first two bugs in Uber, despite it being her first-time hacking. After being invited as a mentee again in Vegas during DEFCON, she realized the privilege she had and once she got home, she started making videos teaching others how to get into hacking.
Since then, she has made more than 50 educational videos on a range of topics, explaining beginner vulnerabilities, tools, APIs, note-taking, and mobile hacking. She is interested in the intersection of data and web application vulnerabilities and developing understanding from noise.
In this interview, we will dive into her journey and experience of being a bug bounty hunter, how OSINT plays a role in her projects, her aspiration of teaching and creating educational content, and the three of the most important things that helped her become who she is.
Let’s jump right into it!
Listen to the full interview on our YouTube channel.
Welcome Katie! Tell us a bit about yourself. How did you “accidentally” get into security and hacking? 🔗︎
Katie: Thank you! Like you said, I started in 2019 but didn’t really intend to get into security. I have a degree in Computer Science and after finishing my degree, I went and worked at a company doing data science and development. It was fun. It was challenging.
I was walking to lunch one way and realized I wasn’t very fulfilled, so I quit. I decided to go do a PhD. Unfortunately, this was around Christmas time and the PhD applications had already closed. So the one option that I really had was cybersecurity mixed with what I already knew—like natural processing and data science.
So you really never intended to get into security? 🔗︎
Katie: I very much kind of just landed here by accident. And I did actually find quite a joy. I was very fortunate and invited to be a mentee at HackerOne in 2019. I just applied and they accepted me. I was like, that’s cool! I had never done any kind of hacking before. I found my first two vulnerabilities and got my first bounty. And I have been doing that ever since.
Do you remember how you felt when you found your first bug bounty? 🔗︎
Katie: It was pure joy. I was shaking.
I found my first bug primarily just because one request was a little bit different from all the other ones. It wasn’t even like a major thing. It was just a little bit different and I realized, oh my god, I can do something here.
When we were coming up to the last moments of the event, I sat there writing up and had to get it in by the deadline. I was shaking, panicking. My mentor, who has significant experience in bounty cybersecurity, was freaking out as well.
After we went in by the deadline, someone from HackerOne came over to us. He was like, “Oh Katie, how are you doing? I’ve got some good news for you. I’m giving you a thousand-dollar bounty.” And I was like, “No! No! No! You’re not!” Not only is it my first time to find a bug, my first bug, my first time ever hacking, it was also the first bounty I got. It’s just pure joy. I’ll never forget it.
“I found my first bug primarily just because one request was a little bit different from all the other ones. Not only is it my first time to find a bug, my first bug, my first time ever hacking, it was also the first bounty I got. It’s just pure joy. I’ll never forget it.”
Amazing. Is there any relevance of open source intelligence (OSINT) in your work? 🔗︎
Katie: Oh for sure. When we’re hacking, we’re hacking over the internet. The amount of stuff you can just get off Google is incredible.
There’s a type of hacking called Google Dorking, which is literally searching in Google and getting bugs out of it. You find exposed personally identifiable information (PII) or some vulnerable versions on the web that are exposed.
The internet is really big. A single target like Yahoo is not just Yahoo.com. It is knowing all the local versions of Yahoo.com. It’s not as simple as: Here’s a website, go and hack it. If you really want to find unique bugs that nobody else has found before, you need to dive deep into anything you can find. And of course, they don’t let that information out in the open, so you need to work for it.
OSINT is really incredible. The investigations we deal with more is to see that this company has acquired this company and what’s the history of that company? To look at email address records, look at DNS and see how the host of some websites has changed over the time dimension. OSINT is critical for understanding.
How do you find and maintain your motivation to continue hacking? 🔗︎
Katie: So the thing about human motivation is that money is actually a great motivator to a point, and after that, it’s not a motivator anymore. I think some people get stuck because they only think about financial motivation.
The way to think about hacking is through the three lenses:
- Master: Getting better at something
- Autonomy: Doing it in the way we want to do it, and
- Purpose: Doing something which has a greater impact on society.
It’s really important to shift your motivation away from finding bugs to get paid. Instead, think about what greater value you have. Learning more about how the internet works, learning how to break the internet, doing it because it’s beneficial for the society.
Besides hacking, you also run an incredible YouTube channel full of educational content. Would you tell us more about it? 🔗︎
Katie: After the HackerOne event, I was convinced that the two bugs I found were a fluke. And then I think a week later, I was invited to go to DEFCON. When I was there, I found two more bugs. I was like, well, you know, I know data and I put two and two together. I might be kind of good at this.
But really, what inspired my YouTube channel was meeting other mentees and realizing what they were struggling with, and understanding the difference between me as somebody who had been successful and where they were at, and the difference in knowledge level. It wasn’t that they were bad or their mentors were bad.
I realized the gap in knowledge in both bounties and—more generally—cybersecurity isn’t the beginners because a lot of people can open up a tutorial. It’s what happens next. People tell you there’s a bug here, here’s the attributes it has, and here’s how it works. But they don’t explain to you how you can find it.
So I was like, I’m going to be the change I wish to see in the world. The motivation was kind of answering that question.
“I had this insight into what it was like to know nothing at all, which made me look at the other content out there and realize what was missing.”
How did you build up your channel? What tips would you give for people aspiring to create educational content? 🔗︎
Katie: In terms of tips for people who want to be a content creator, one of the most important things you can do is find out what that is for you. A lot of people on YouTube would try finding your niche, but it’s far more about finding the problem you want to solve. That tells you what your content should be about.
The other tips I give are more procedural, like understanding what your videos should look like. Because of my background in academia, I wanted to make videos that felt like traditional classroom environment because I felt that was the best way to present this information.
In addition to that, I don’t think you need to have a good microphone or camera. As long as you’re enthusiastic about what you’re trying to present, you’ve got that in-depth connection with what you’re talking about. It’s that general enthusiasm that people think you’re not just making content to get rich, but that you want to educate, inform, and give people interesting facts.
And my final tip is, don’t just think about it. If this is something that really interests and excites you, don’t just sit on it. Don’t just go, “That’d be really great if I could do that.” Really look at how you would put that into practice, whether it is arranging work schedules or cutting back on relaxation time to put effort into it.
That’s gold. Can you share your tips on top resources and how you stay motivated to keep learning? 🔗︎
Katie: One thing that I found really useful in learning is to make sure I have a mix of things that I’m working on right now. There is not one magic box that will teach you everything about hacking. It just doesn’t exist. If somebody is claiming that, they’re probably trying to get to you spend money on it.
There is no book, no course, no degree, no magic scroll that’s going to teach you everything about hacking. You’ve got to learn it from a lot of different sources that work for you.
Something that I really like is mixing up. I’ll do a bit of reading. I’ll do a bit of CTF practical exercises. I’ll do a bit of trying something. I’ll kind of mix it all around, so I’m not just studying constantly.
There’s More: Listen to Our Full Interview with Katie! 🔗︎
If you find the snippets of the interview interesting, don’t miss even more stories and the websites, books, and resources Katie shares in the full interview for people who want to learn hacking!
Listen to our full interview with Dr. Katie Paxton-Fear to learn more about her journey in-depth:
- How she builds up her core strength in hacking
- Her recent work with APIs
- How she started her YouTube channel and what kept her going
- Books, communities, and resources she recommends
- Her plans for the future
- Her pro-tips for anyone in OSINT