TV Mahalingam, Jayadevan PK, Harsimran Julka & Shantanu N Sharma, ET Bureau Jan 29, 2012, 07.27AM IST
The candidate dispensed with
greetings. Instead, he began by revealing the personal history of the
interviewer. "I was shocked. I am not a member of any social networking
website. Yet he knew everything: the schools and colleges I attended, my marks
and even the organisations I had worked for," recalls the recruiter who
doesn't want to be named. The result: "I hired the guy immediately. He had
established his credentials beyond doubt." What was his job going to be?
Hacking.
No, the candidate wasn't related to Kim Dotcom. Neither did he sport a dragon tattoo on his shoulder. He was a regular guy, one of thousands of others landing plum jobs in MNCs and the government. Or maybe not so regular. Hacking does need a nerdy streak, after all.
Such people are in demand because the black hats, the guys who give hacking a bad name, have been on a rampage for the past couple of years. On December 3, 2010, the website of the Central Bureau of Investigation was defaced by a hacking group calling itself the Pakistani Cyber Army. This was not a rare hit. According to the Computer Emergency Response Team (CERT), over 8,600 websites, mostly with '.in' domain, were hacked in 2011 alone.
Boardrooms haven't been spared either. ADAG chairman Anil Ambani was the victim of a recent phishing attack. Even anti-virus software-makers are not insulated. Last month, an Indian hacker group called the 'Lords of Dharmaraja' pinched the product code of anti-virus software-maker Symantec (see "India's Black Hat Gangs").
Today, websites are being defaced by script kiddies, hundreds of user-names and passwords are bought off the shelf and state-sponsored targeted attacks are on the rise. A 2010 report by security company McAfee pointed out that a "state actor" was behind a series of attacks on 72 organisations across the world (including Indian ones). Even though the company did not name the country, fingers are pointed at China.
Recently, passenger handling systems
at Terminal 3 of Delhi's Indira Gandhi International Airport were attacked with
a virus code, shutting it down for several hours. "In India, traffic
lights are not controlled by IP, else it can be quite chaotic," says
ethical hacker Ankit Fadia. But air traffic control and power transmission
grids do at some point connect to computer networks making them vulnerable to
attacks from computer worms like Stuxnet.
But this doesn't mean you must trash
your computer, pack your bags and run to the hills. Like the candidate who
rattled off the interviewer's personal details, a bunch of good guys, white
hats in hacking parlance, are banding together in the country. ET on Sunday
discovers they have what it takes to force the black hats into a hole. As long
as they win some battles in their own backyard.
White Hats of the World Unite
At his new lab in Bangalore, Amit Singh (name changed) is warming up to some mischief. He is about to unleash a 'man in the middle attack' on a target computer. What Singh hopes to do is this: whenever the user transfers money from one account to another, a small sum gets transferred to an account set up by Singh. A few minutes later, the target system is compromised and all Singh needs to do is wait for a transfer. "This is child's play," he says.
Singh is no black hat. He is the chief technology officer of a Bangalore-based Internet security startup. "There are thousands of hackers who can do this in a few hours," says the CEO of the company, referring to the man in the middle attacks. The firm has come up with a "security on a stick solution", a USB with software loaded on it, that it claims will protect customers and banks from the most sophisticated hacker attacks.
But that's just one part of the
story. The Indian ethical hacking community is going through a golden patch of
sorts. In a couple of years, the number of sites, forums, community e-magazines
and conferences (like ClubHack, Nullcon) for the hacking community have seen a
sharp increase.
Says Pune-based security evangelist Rohit Srivastwa, who organises ClubHack, a hacker's convention, and advises several government bodies on IT security: "2009 was a milestone for information security in India. After the 26/11 attacks, authorities realised there was an IT and technology angle to those attacks. After 2009, we have seen a lot of people from the army and navy attending hacking conferences."
Hack's Back
Interest in hacking is also fuelled
by the increasing number of high-profile hacking attacks worldwide. McAfee
dubbed 2011 as "the year of the hack". Indian organisations too are
becoming a lot more security conscious, says KK Mookhey, founder, Network
Intelligence India, a Mumbai-headquartered information security company which
counts the likes of ICICI Prudential, State Bank of India, Bank of India and Saudi Telecom among its clientele.
"Banks that used to get ethical hackings
done once in three years are now doing assessments as regularly as once in
three months," says Mookhey. He adds that his company headcount of ethical hackers has tripled to 35 in the last year or so.
This is not to say that hacking is new in India. The community has been around for a while but in the past three years it has become larger, more organised and is finding a voice. Does that mean that there are tens of thousands of hackers in India today? The answer is tricky. It depends on how you define a hacker.
The simplest definition is anybody
who is a skillful programmer and approaches problem-solving innovatively. This
would include anybody who can write a basic program. The other definition is
somebody who can break into a system or discover vulnerabilities in it, with or
without authorisation.
There is also a question of skills.
"It's very easy to become a script kiddie [somebody who downloads
readymade tools programs to conduct simple malicious activity]. You can
download tools and Trojans from the Net. But to become a hacker requires a lot
more dedication and years of effort," says Vinoo Thomas, product manager, McAfee Lab.
With these parameters, how big is
the Indian hacking community? Exact figures are not available but members of
the hacking community believe that enthusiasts and script kiddies could run
into several thousands but the number of quality hackers would be about
1,000-3,000. There is a shortage of quality white hats in India.
All In the Mind
A veteran white hacker who doesn't
want to be named told ET on Sunday an interesting anecdote to explain why
hackers are tough to create: "A few years ago, well before the days of CVV
numbers [numbers on the back of a credit or debit card used for verification]
we were attempting an ethical hack into a West Asian bank who was our
client."
His team figured out a sequence for
the last digits in the cards issued by the banks. "If we got a real card
number issued from that bank, all we needed to do was add 17 to the last two
digits to get another genuine credit card number. The problem was that we did
not have a credit card number to work with, especially the first four digits
that represent the number allotted to the bank."
How did they solve that problem? "We got a screen grab of a card being inserted into an ATM slot from a television advertisement for the bank. It had a card number," says the white hat. Textbooks cannot teach such problem-solving skills.
"To be a good hacker, you have
to understand networking, software programming and many other areas. A degree
or certificate does not make you a good hacker," says Aseem Jakhar, a white
hat and founder of Null, an open security community. Mookhey says it is tougher
because no engineering or programming course teaches security.
Hacking the Law
Cynics could argue that India hasn't
seen any serious economic crimes perpetrated by hackers. Pavan Duggal, a
prominent cyberlaw advocate, disagrees. "Most hacking related cases in
India never get reported," he says. Duggal believes that only 50 of 500
cyber crimes get reported to the police, of which only a handful materialise
into First Information Reports (FIRs).
For its part, in an email interaction with ET on Sunday, Zsecure says that it had the best intentions of the companies in mind. "Using this vulnerability, any black hat can dump [download] the entire [connected] database of the affected web portal. This vulnerability may even result in defacement of the entire web site and alterations in the existing database tables/fields," said the Zsecure spokesperson.
But not everybody is buying that argument. "You can't break into my house to show me how unsafe it is, however noble be your intentions," says Mookhey, admitting ethical boundaries of hacking are thin and personal.
Some believe that hacker groups should make full disclosures only after the companies have been informed of the loophole and have fixed it (however long it takes). But hackers tell a different story. "Instead, Indian companies threaten well-meaning hackers that discuss such disclosures with legal action. The approach is confrontational," says a hacker who wishes to remain anonymous.
Maninder Bharadwaj, director of Enterprise Risk Services, Deloitte, a consultancy, believes responsible disclosures are at the heart of good hacking practices. "At times, a bug or a loophole may not be easy to fix and may take a few months. Hackers should give companies a chance to fix the loophole before claiming credit," he says.
For Ping and Country
Even as the Indian hacking community grapples with these issues, a larger crisis is around the corner: the spectre of state sponsored hacking attacks. After the spate of attacks on its websites last year (over 219 government websites were hacked in 2010), the government is devising a counter strategy.
"We are now very strict. For any government site hosted by NIC [National Informatics Centre], cyber security audit is mandatory. Also, if an existing site does not get itself audited, it could be de-hosted by NIC," says Sachin Pilot, minister of state for communications and IT.
Security agencies have been jointly asked to map out the cyber infrastructure of neighbouring countries. The Indian Institute of Science is helping the government to develop safety specifications of network equipment to be deployed on a government network. The decision follows the covert attacks from China-based hackers to steal documents from India's Ministry of External Affairs last year.
"Many of these threats are clearly traceable to China," says Vishak Raman, senior regional director, Fortinet India & Saarc. "Last year we saw such attacks gaining momentum. These look like well funded activities, partly state sponsored," he added.
The official line though, is diplomatic. "It would be wrong for me to say that hackers are from China or Pakistan. Identifying the real culprits is a problem. The hackers use various techniques including use of proxy hosting. Our strategy is to defend our systems by constantly getting them audited," says Pilot.
The Battle Within
For this, the government needs hacking skills it does not have. A white hat is paid anywhere between Rs 30,000 and Rs 2.5 lakh a month depending on his skill sets. This kind of salary does not often appear in government of India pay slips.
Also, given that the hacker will have access to top secret information, establishing his/her credentials becomes vital. With an eye on fixing this gap, a national security database is being created. The database of security professionals is being put together by ISAC, a non-profit organisation.
"We hope to create a ready list of security professionals which the government can use," says Dinesh Bareja, one of the board members of ISAC. Hackers who want to get empanelled will have to also have to undergo psychometric tests, adds Bareja. The first tests begin in March in Mumbai.
For now though, what the government needs is a rewiring in its approach to fighting cybercrime. Duggal says he has seen cyber crime investigators seize monitors instead of CPUs, hot wax poured on storage devices to "seal evidence" and a seized computer being used by "a policeman's child to perform better in his maths exam."
As long as things like this are happening, and bureaucrats transact on gmail and yahoo ids, hiring hackers alone won't be enough to safeguard our online space.
White Hats in Demand - A look at how the Indian hacking scene is shaping up:
Why the buzz?
Post 26/11, virus attacks and hacking of government sites and official email ids, the government is a lot keener to address web security issues. Others believe that in the past two years or so, the industry has organised itself better with more forums and community magazines like Null and ClubHack that facilitate interaction among hackers.
How big is the Indian hacking community?
As per estimates, the number of serious hackers (guys who know their business) ranges from 1,000-2,500. If you include enthusiasts and guys who download tools off the Net to deface a website, it is several tens of thousands.
Duggal's argument is backed by a
recent report by PricewaterhouseCoopers which ranks cyber crime as one of the
top four types of economic crimes in India. Nearly 24% of the 106 Indian
executives surveyed admitted to experiencing cyber crime in the past 12 months.
Nearly 32% reported losses exceeding Rs 50 lakh to their organisations.
"Companies which have faced a
hacking problem are afraid of negative publicity. Moreover, they don't want the
perception of being safe companies to be affected," says Duggal. That's
just one half of the story. Duggal shares another statistic: since internet was
introduced in India in 1995, only three cyber crime related convictions have
happened. "None of them have been for a hacking related crime," he
adds.
Moreover, amendments made to the IT
Act in 2008 make hacking a bailable offence. "As a result, some hackers
have been out on bail attempting to destroy every shred of evidence," says
Duggal, arguing that the amendment has taken away the deterrent against
malicious hacking by black hats.
Black, White and Grey Hats
Then, there are the grey areas. Last
year, Zsecure, "a group of freelancers providing web security consultancy
services", identified vulnerabilities on the websites of six companies
including banks and telecom operators. Zsecure informed them and published some
details about these loopholes on its website. That move has stirred up some
debate within the hacking community.
What does a typical white hat do?
An ethical hacker identifies security weaknesses in computer systems and networks but instead of taking advantage of these loopholes, exposes the weakness to the system's administrators allowing them to fix the breach.
Is it easy to become a hacker?
Yes and no. If all you want to do is to deface a site or crack an email account, it's pretty easy. The Net offers many tutorials and tools for this. Becoming a real hacker takes years of studying systems, networks and programming. There is no course in India or anywhere in the world that can make you a good hacker overnight.
Are ethical hackers paid well?
They can start their career with a Rs 30,000 salary a month for penetration testing. Senior IT security analysts earn as much as Rs 2.5 lakh per month.
International Hacker Heroes - The White Hats
Steve Wozniak: Co-founder of Apple and the company's original engineering brain, Woz got his first kicks out of the Blue Box, a phone phreaking device that allowed him and Steve Jobs to make long-distance calls for free by imitating the tones that routed signals on the AT&T network. The duo sold more than 100 Boxes for $150 each.
Tim Berners-Lee: The World-Wide Web was not on his mind when Lee and a friend were caught hacking at the Oxford University. Both were banned from using the university's computers during their study tenure. Maybe that's why Lee soldered one for himself using iron, TTL gates, an M6800 processor and an old television.
Linus Torvalds: The star of the ultimate hacking fairytale. Torvalds cobbled together a makeshift operating system titled 'Linux' and shared the program at an online forum. Feeds poured in with fixes, improvements and new features. Code contribution became the USP of Linux, an operating system built on central hacker ethic: free for all.
Tsutomu Shimomura: Not an intuitive hacker, he was prodded to showcase his skills when Kevin Mitnick hacked Shimomura's home computer. The result: a good cop bad cop chase that ended with Mitnick in jail. Shimomura didn't escape scrutiny: he hacked Mitnick's cell phone to track him to an apartment near Raleigh-Durham International Airport.
Richard Stallman: Dubbed the father of free software. He earned the badge as a 'staff hacker' at the Massachusetts Institute of Technology where he cracked a password system. He moved on to tinkering with the code of a printer and finally ended up with the big one: The GNU Project that writes free software and mass produces its operating system.
International Hacker Villains - The Black Hats
Kim Dotcom: Known as Kim Schmitz, Kim Tim Jim Vestor and 'Kimble', Dotcom's hacking credentials are dubious. Be it cracking Citibank to transfer $20 million to Greenpeace, or hacking Osama Bin Laden's Sudanese account, no claim has been verified. But he is known for phone phreaking and has been arrested for online piracy.
Kevin Mitnick: The US Department of Justice says he was "the most wanted computer criminal in United States history." Mitnick started by bypassing punch cards to hitch free rides on LA buses. Later, he hacked databases of corporate giants like Nokia and Motorola. Finally a peeved Shimomura out-hacked him and Mitnick was jailed for 5 years.
Jonathan James: At the age of 16, James installed a backdoor into the US Defense Threat Reduction Agency server and messed with user names, passwords and strategic emails. Next up was the NASA database from which he stole software worth $1.7 million. The result: in 2000, James became the first juvenile to be imprisoned for hacking.
Kevin Poulsen: Law officers think he was "the Hannibal Lecter of computer crime" but hacker buddies knew him as Dark Dante. Poulsen's biggest hit: cracking Los Angeles radio's phone lines to ensure he was caller number 102, slated to win a Porsche. The FBI got interested when he hacked their database and soon it was prison time for Poulsen.
Robert Tappan Morris: The brain behind the first computer worm to attack the Internet - the Morris Worm. Released in 1988, it infected over 6,000 machines. Morris claimed he wanted to test the reach of the Net. Law officers didn't buy the theory: he served three years' probation, 400 hours of community service and paid a fine of $10,500.
Source: http://articles.economictimes.indiatimes.com/2012-01-29/news/30674046_1_pakistani-cyber-army-ethical-hacker-ankit-fadia