Can India churn out ethical hackers like it has produced coders & programmers?

The candidate dispensed with greetings. Instead, he began by revealing the personal history of the interviewer. "I was shocked. I am not a member of any social networking website. Yet he knew everything: the schools and colleges I attended, my marks and even the organisations I had worked for," recalls the recruiter who doesn't want to be named. The result: "I hired the guy immediately. He had established his credentials beyond doubt." What was his job going to be? Hacking.

No, the candidate wasn't related to Kim Dotcom. Neither did he sport a dragon tattoo on his shoulder. He was a regular guy, one of thousand others landing plum jobs in MNCs and the government. Or maybe not so regular. Hacking does need a nerdy streak, after all.

Such people are in demand because the black hats, the guys who give hacking a bad name, have been on a rampage for the past couple of years. On December 3 2010, the website of Central Bureau of Investigation was defaced by a hacking group calling itself the Pakistani Cyber Army. This was not a rare hit. According to the Computer Emergency Response Team (CERT), over 8,600 websites, mostly with '.in' domain, were hacked in 2011 alone.

Boardrooms haven't been spared either. ADAG chairman Anil Ambani was the victim of a recent phishing attack. Even anti-virus software-makers are not insulated. Last month, an Indian hacker group called the 'Lords of Dharmaraja' pinched the product code of anti-virus software-maker Symantec (see "India's Black Hat Gangs").

Today, websites are being defaced by script kiddies, hundreds of user-names and passwords are bought off the shelf and state-sponsored targeted attacks are on the rise. A 2010 report by security company McAfee pointed out that a "state actor" was behind a series of attacks on 72 organisations across the world (including Indian). Even though the company did not name the country, fingers are pointed at China.

Recently, passenger handling systems at Terminal 3 of Delhi's Indira Gandhi International Airport were attacked with a virus code, shutting it down for several hours. "In India, traffic lights are not controlled by IP, else it can be quite chaotic," says ethical hacker Ankit Fadia. But air traffic control and power transmission grids do at some point connect to computer networks making them vulnerable to attacks from computer worms like Stuxnet.

But this doesn't mean you must trash your computer, pack your bags and run to the hills. Like the candidate who rattled off the interviewer's personal details, a bunch of good guys, white hats in hacking parlance, are banding together in the country. ET on Sunday discovers they have what it takes to force the black hats into a hole. As long as they win some battles in their own backyard.


White Hats of the World Unite


At his new lab in Bangalore, Amit Singh (name changed) is warming up to some mischief. He is about to unleash a 'man in the middle attack' on a target computer. What Singh hopes to do is this: whenever the user transfers money from one account to another, a small sum gets transferred to an account set up by Singh. A few minutes later, the target system is compromised and all Singh needs to do is wait for a transfer. "This is child's play," he says.


Singh is no black hat. He is the chief technology officer of a Bangalore-based Internet security startup. "There are thousands of hackers who can do this in a few hours," says the CEO of the company, referring to the man in the middle attacks. The firm has come up with a "security on a stick solution", a USB with software loaded on it, that it claims will protect customers and banks from the most sophisticated hacker attacks.

But that's just one part of the story. The Indian ethical hacking community is going through a golden patch of sorts. In a couple of years, the number of sites, forums, community e-magazines and conferences (like ClubHack, Nullcon) for the hacking community have seen a sharp increase.

Says Pune-based security evangelist Rohit Srivastwa, who organises ClubHack, a hacker's convention, and advises several government bodies on IT security: "2009 was a milestone for information security in India. After the 26/11 attacks, authorities realised there was an IT and technology angle to those attacks. After 2009, we have seen a lot of people from the army and navy attending hacking conferences."

Hack's Back

Interest in hacking is also fuelled by the increasing number of high-profile hacking attacks worldwide. McAfee dubbed 2011 as "the year of the hack". Indian organisations too are becoming a lot more security conscious, says KK Mookhey, founder, Network Intelligence India, a Mumbai-headquartered information security company which counts the likes of ICICI Prudential, State Bank of India, Bank of India and Saudi Telecom among its clientele.

"Banks that used to get ethical hackings done once in three years are now doing assessments as regularly as once in three months," says Mookhey. He adds that his company headcount of ethical hackers has tripled to 35 in the last year or so.

This is not to say that hacking is new in India. The community has been around for a while but in the past three years it has become larger, more organised and is finding a voice. Does that mean that there are tens of thousands of hackers in India today? The answer is tricky. It depends on how you define a hacker.

The simplest definition is anybody who is a skillful programmer and approaches problem-solving innovatively. This would include anybody who can write a basic program. The other definition is somebody who can break into a system or discover vulnerabilities in it, with or without authorisation.


There is also a question of skills. "It's very easy to become a script kiddie [somebody who downloads readymade tools programs to conduct simple malicious activity]. You can download tools and Trojans from the Net. But to become a hacker requires a lot more dedication and years of effort," says Vinoo Thomas, product manager, McAfee Lab.

With these parameters, how big is the Indian hacking community? Exact figures are not available but members of the hacking community believe that enthusiasts and script kiddies could run into several thousands but the number of quality hackers would be about 1,000-3,000. There is a shortage of quality white hats in India.

All In the Mind

A veteran white hacker who doesn't want to be named told ET on Sunday an interesting anecdote to explain why hackers are tough to create: "A few years ago, well before the days of CVV numbers [numbers on the back of a credit or debit card used for verification] we were attempting an ethical hack into a West Asian bank who was our client."

His team figured out a sequence for the last digits in the cards issued by the banks. "If we got a real card number issued from that bank, all we needed to do was add 17 to the last two digits to get another genuine credit card number. The problem was that we did not have a credit card number to work with, especially the first four digits that represent the number allotted to the bank."

How did they solve that problem? "We got a screen grab of a card being inserted into an ATM slot from a television advertisement for the bank. It had a card number," says the white hat. Text books cannot teach such problem-solving skills.

"To be a good hacker, you have to understand networking, software programming and many other areas. A degree or certificate does not make you a good hacker," says Aseem Jakhar, a white hat and founder of Null, an open security community. Mookhey says it is tougher because no engineering or programming course teaches security.

Hacking the Law

Cynics could argue that India hasn't seen any serious economic crimes perpetrated by hackers. Pavan Duggal, a prominent cyberlaw advocate, disagrees. "Most hacking related cases in India never get reported," he says. Duggal believes that only 50 of 500 cyber crimes get reported to the police, of which only a handful materialise into First Information Reports (FIRs).


Duggal's argument is backed by a recent report by PricewaterhouseCoopers which ranks cyber crime as one of the top four types of economic crimes in India. Nearly 24% of the 106 Indian executives surveyed admitted to experiencing cyber crime in the past 12 months. Nearly 32% reported losses exceeding Rs 50 lakh to their organisations.

"Companies which have faced a hacking problem are afraid of negative publicity. Moreover, they don't want the perception of being safe companies to be affected," says Duggal. That's just one half of the story. Duggal shares another statistic: since internet was introduced in India in 1995, only three cyber crime related convictions have happened. "None of them have been for a hacking related crime," he adds.

Moreover, amendments made to the IT Act in 2008 make hacking a bailable offence. "As a result, some hackers have been out on bail attempting to destroy every shred of evidence," says Duggal, arguing that the amendment has taken away the deterrent against malicious hacking by black hats.

Black, White and Grey Hats

Then, there are the grey areas. Last year, Zsecure, "a group of freelancers providing web security consultancy services", identified vulnerabilities on the websites of six companies including banks and telecom operators. Zsecure informed them and published some details about these loopholes on its website. That move has stirred up some debate within the hacking community.

For its part, in an email interaction with ET on Sunday, Zsecure says that it had the best intentions of the companies in mind. "Using this vulnerability, any black hat can dump [download] the entire [connected] database of the affected web portal. This vulnerability may even result in defacement of the entire web site and alterations in the existing database tables/fields," said the Zsecure spokesperson.

But not everybody is buying that argument. "You can't break into my house to show me how unsafe it is, however noble be your intentions," says Mookhey, admitting ethical boundaries of hacking are thin and personal.

Some believe that hacker groups should make full disclosures after the companies have been informed of the loophole and it has fixed it (however long it takes). But hackers tell a different story. "Instead, Indian companies threaten well meaning hackers that discuss such disclosures with legal action. The approach is confrontational," says a hacker who wishes to remain anonymous.

Maninder Bharadwaj, director of Enterprise Risk Services, Deloitte, a consultancy, believes responsible disclosures are at the heart of good hacking practices. "At times, a bug or a loophole may not be easy to fix and may take a few months. Hackers should give companies a chance to fix the loophole before claiming credit," he says.

For Ping and Country

Even as the Indian hacking community grapples with these issues, a larger crisis is around the corner: the spectre of state sponsored hacking attacks. After the spate of attacks on its websites last year (over 219 government websites were hacked in 2010), the government is devising a counter strategy.

"We are now very strict. For any government site hosted by NIC [National Informatics Centre], cyber security audit is mandatory. Also, if an existing site does not get itself audited, it could be de-hosted by NIC," says Sachin Pilot, minister of state for communications and IT.

Security agencies have been jointly asked to map out the cyber infrastructure of neighbouring countries. The Indian Institute of Science is helping the government to develop safety specifications of network equipment to be deployed on a government network. The decision follows the covert attacks from China-based hackers to steal documents from India's Ministry of External Affairs last year.

"Many of these threats are clearly traceable to China," says Vishak Raman, senior regional director, Fortinet India & Saarc. "Last year we saw such attacks gaining momentum. These look like well funded activities, partly state sponsored," he added.

The official line though, is diplomatic. "It would be wrong for me to say that hackers are from China or Pakistan. Identifying the real culprits is a problem. The hackers use various techniques including use of proxy hosting. Our strategy is to defend our systems by constantly getting them audited," says Pilot.

The Battle Within

For this, the government needs hacking skills it does not have. A white hat is paid anywhere between Rs 30,000 and Rs 2.5 lakh a month depending on his skill sets. This kind of salary does not often appear in government of India pay slips.

Also, given that the hacker will have access to top secret information, establishing his/her credentials becomes vital. With an eye on fixing this gap, a national security database is being created. The database of security professionals is being put together by ISAC, a non-profit organisation.

"We hope to create a ready list of security professionals which the government can use," says Dinesh Bareja, one of the board members of ISAC. Hackers who want to get empanelled will also have to undergo psychometric tests, adds Bareja. The first tests begin in March in Mumbai.

For now though, what the government needs is a rewiring in its approach to fighting cybercrime. Duggal says he has seen cyber crime investigators seize monitors instead of CPUs, hot wax poured on storage devices to "seal evidence" and a seized computer being used by "a policeman's child to perform better in his maths exam."

As long as things like this are happening, and bureaucrats transact on gmail and yahoo ids, hiring hackers alone won't be enough to safeguard our online space.

White Hats in Demand - A look at how the Indian hacking scene is shaping up:

Why the buzz?

Post 26/11, virus attacks and hacking of government sites and official email ids, the government is a lot keener to address web security issues. Others believe that in the past two years or so, the industry has organised itself better with more forums and community magazines like Null and ClubHack that facilitate interaction among hackers.

How big is the Indian hacking community?

As per estimates, the number of serious hackers (guys who know their business) ranges from 1,000-2,500. If you include enthusiasts and guys who download tools off the Net to deface a website, it is several tens of thousands.

What does a typical white hat do?

An ethical hacker identifies security weaknesses in computer systems and networks but instead of taking advantage of these loopholes, exposes the weakness to the system's administrators allowing them to fix the breach.

Is it easy to become a hacker?

Yes and no. If all you want to do is to deface a site or crack an email account, it's pretty easy. The Net offers many tutorials and tools for this. Becoming a real hacker takes years of studying systems, networks and programming. There is no course in India or anywhere in the world that can make you a good hacker overnight.

Are ethical hackers paid well?

They can start their career with a Rs 30,000 salary a month for penetration testing. Senior IT security analysts earn as much as Rs 2.5 lakh per month.

International Hacker Heroes - The White Hats

Steve Wozniak: Co-founder of Apple and the company's original engineering brain, Woz got his first kicks out of the Blue Box, a phone phreaking device that allowed him and Steve Jobs to make long-distance calls for free by imitating the tones that routed signals on the AT&T network. The duo sold more than 100 Boxes for $150 each.

Tim Berners-Lee: The World-Wide Web was not on his mind when Lee and a friend were caught hacking at the Oxford University. Both were banned from using the university's computers during their study tenure. Maybe that's why Lee soldered one for himself using iron, TTL gates, an M6800 processor and an old television.

Linus Torvalds: The star of the ultimate hacking fairytale. Torvalds cobbled together a makeshift operating system titled 'Linux' and shared the program at an online forum. Feeds poured in with fixes, improvements and new features. Code contribution became the USP of Linux, an operating system built on central hacker ethic: free for all.

Tsutomu Shimomura: Not an intuitive hacker, he was prodded to showcase his skills when Kevin Mitnick hacked Shimomura's home computer. The result: a good cop bad cop chase that ended with Mitnick in jail. Shimomura didn't escape scrutiny: he hacked Mitnick's cell phone to track him to an apartment near Raleigh-Durham International Airport.

Richard Stallman: Dubbed the father of free software. He earned the badge as a 'staff hacker' at the Massachusetts Institute of Technology where he cracked a password system. He moved on to tinkering with the code of a printer and finally ended up with the big one: The GNU Project that writes free software and mass produces its operating system.

International Hacker Villains - The Black Hats

Kim Dotcom: Known as Kim Schmitz, Kim Tim Jim Vestor and 'Kimble', Dotcom's hacking credentials are dubious. Be it cracking Citibank to transfer $20 million to Greenpeace, or hacking Osama Bin Laden's Sudanese account, no claim has been verified. But he is known for phone phreaking and has been arrested for online piracy.

Kevin Mitnick: The US Department of Justice says he was "the most wanted computer criminal in United States history." Mitnick started by bypassing punch cards to hitch free rides on LA buses. Later, he hacked databases of corporate giants like Nokia and Motorola. Finally a peeved Shimomura out-hacked him and Mitnick was jailed for 5 years.

Jonathan James: At the age of 16, James installed a backdoor into the US Defense Threat Reduction Agency server and messed with user names, passwords and strategic emails. Next up was the NASA database from which he stole software worth $1.7 million. The result: in 2000, James became the first juvenile to be imprisoned for hacking.

Kevin Poulsen: Law officers think he was "the Hannibal Lecter of computer crime" but hacker buddies knew him as Dark Dante. Poulsen's biggest hit: cracking Los Angeles radio's phone lines to ensure he was caller number 102, slated to win a Porsche. The FBI got interested when he hacked their database and soon it was prison time for Poulsen.

Robert Tappan Morris: The brain behind the first computer worm to attack the Internet - the Morris Worm. Released in 1988, it infected over 6,000 machines. Morris claimed he wanted to test the reach of the Net. Law officers didn't buy the theory: he served three years' probation, 400 hours of community service and paid a fine of $10,500.

http://economictimes.indiatimes.com...d-coders-programmers/articleshow/11666840.cms
 
.
^^^^ I don't think posting such articles in **** forums is a good idea..
 
. .
Well, posting it is okay, but I don't want other members (possibly naive insiders) who might spill the beans ... you know, we are new to this sector... and we don't want anything unfortunate. Anyways, what's the end point though, are we developing a good cyber army??
 
. .
Ethical hacking is not taken seriously in India. Govt should fund them and use them for some useful purpose. I gave up hacking cause I didn't want to steal money from poor people, and there was nothing else I could gain from hacking.
 
.
Ethical hacking is not taken seriously in India. Govt should fund them and use them for some useful purpose. I gave up hacking cause I didn't want to steal money from poor people, and there was nothing else I could gain from hacking.

Maybe there's a renewed awareness in the govt. wrt ethical hacking. You should not give up something with which you can help the country especially if you know you're good at it.
 
.
Ethical hacking is not taken seriously in India. Govt should fund them and use them for some useful purpose. I gave up hacking cause I didn't want to steal money from poor people, and there was nothing else I could gain from hacking.

had participated in one of the "Wars"...Lost interest right away... Waste of time...
 
.
Gents, each country has many secrets like the recently revealed Strategic Program Staff. Agencies like RAW, IB, CBI all for a fact do have IT sections but no one will come openly to admit we have Good Hackers. I am certain we do have COUNTER HACKERS in our country funded "Privately" or Directly by Government, else why would our neighbors complain.

I don't have any link to support above statement but "Rationale Prevails"
 
.
Also worth a read:

NTRO

After 26/11 NTRO recruited hackers that RAW had been keeping track of and pretty much gave them an office, access to NTRO supercomputers and the freedom to do whatever they like. Luckily these guys were true patriots and have made real gains for India.
 
.
well sorry for wrong place of posting but i also think just one of our subramanian posted his desire to quit the forum because of bias against us, i too am quitting the forum.( till the post is not deleted) it's only goodbye to indian friends, no need for others to reply.

i got a warning as well so you guys know how pathetic it is to be trying to play a level game in an enemy territory

ANTIBODY said:
Dear step up,

You have received a warning at Pakistan Defence Forum.

Reason:
-------
Insulted Other Member/Nationality


-------

Original Post:
http://www.defence.pk/forums/india-...glitters-says-cm-post2518954.html#post2518954
delhi certainly has a level of insecurity for women. gujarat is safest though in this manner. i could compare the situation with pakistan where women have no rights at all . but this is our own problem , and as the economy of india improves we will have lesser and lesser of such problems. as far as few peoples mindset is concerned it will take time but i am sure we will manage .

Warnings serve as a reminder to you of the forum's rules, which you are expected to understand and follow.

All the best,
Pakistan Defence Forum


i hope we all quit and join some impartial forum.
 
.
Ankit Fadia google his name
lol he even conducts classes on ethical hacking...
 
.
Ankit Fadia google his name
lol he even conducts classes on ethical hacking...

Ask any good hacker in India about his opinion on Ankit Fadia, what it looks isn't what it seems. Going by the lol in your post I think you too know the reality which I like.
 
.