From having friends ask if they can hack into an ex’s account, to trending on Twitter for their work when they really want to stay anonymous, it can be strange standing in the shoes of an ethical hacker today.
“Most people don’t really understand what we do”, says Sai Krishna Kothapalli, 23, from Hyderabad, who runs a cyber security startup, Hackrew. At least today, there is some sense that ethical hackers are part of the larger framework required to protect all the personal digital data out there — whether on social networking sites or delivery apps or even in the databases of hospitals, schools and government institutions.
But when Kothapalli first became addicted to cracking code, as a college student, in 2015, his parents didn’t understand it, his friends couldn’t tell the difference between the white hats (ethical hackers) and black hats (criminal hackers), and there were very few in his circle who shared his interest.
With a large community has come greater competition. Over just one year, for instance, the number of hackers registered with HackerOne, the largest global interface between companies and ethical hackers, almost doubled, going from 166,000 in 2017 to 300,000 in 2018. At the same time, there are a lot more bugs to find now, and more apps to help secure.
Karan Saini, 20, an ethical hacker from Bengaluru, says that while growing internet penetration has heightened competition in his field, it has also finally spawned a support community where white hats can connect with others who understand what they do, and why they do it.
The biggest frustration, Kothapalli says, is when you work tirelessly for hours on a vulnerability only to miss the mark by a whisker, and see it reported by some other researcher.
On the upside, more ethical hackers means better resources. Over the past three years, Kothapalli says, the resources available to a young hacker have boomed, from blogs, conferences and meetups to courses and white hat clubs at institutes like IIT-Roorkee and IIT-Delhi.
Networks have grown stronger online, and there is a sense of community that is helpful in a profession where one generally flies entirely solo. “On Twitter, hackers as young as 15 reach out to me. Initially, we discuss bugs and blogs about hacking but eventually also what is going on in our lives,” says Karan Saini, 20, a product support engineer and ethical hacker from Bengaluru. “I have seen hackers’ social lives being affected because of merely the number of hours the work takes up. It is important to have a support network comprising people in the same field who have encountered similar problems.”
Always on the hunt
One of the things about being an ethical hacker, says Saini, is that, like a doctor, you can never turn it off. Every symptom jumps out at you; you’re always assessing for vulnerabilities.
“Take the current Information Technology Act. Technically, as it now stands, we could be prosecuted for helping companies identify bugs in their systems.” Typically, ethical hackers do this by gaining access to the source code of an app or website (often at the company’s invitation). They then seek out weaknesses and vulnerabilities in firewalls, security encryption, etc. If done without prior permission, even if the results are then handed over to the company for rectification, this can land you in jail in India.
Gurgaon-based hacker Avinash Jain says the most frustrating thing about chasing a bug is how unpredictable it all is. ‘You’re racing, and thinking out of the box; but nothing. The key tool, you soon learn, is patience.’
How Indians are leading the charge
- The most comprehensive report on ethical hacking activity globally is compiled each year by HackerOne, which acts as an interface between companies and hackers. While its data is based primarily on its own operations through the year, the numbers are considered indicative of the industry at large. Here’s where India figures on its world map:
- According to the HackerOne 2019 report, India has the highest number of ethical hackers — 27% of all known white hats are Indian.
- In terms of payments earned and bounties won, India is second only to the US. According to the HackerOne report, Indian bounty hunters won a combined $4,982,260 (about Rs 35.50 crore) in 2018. That’s payments made by companies for spotting flaws in an app and/or suggesting fixes for one.
- According to a Data Security Council of India (DSCI) report from 2019, India was the second most affected country due to targeted cyberattacks, between 2016 and 2018.
- Ethical hackers say this is because Indian government departments typically move so slowly. To address that issue, a National Cybersecurity Strategy is set to be unveiled by the end of February. This will be in accordance with the Cyber Security Policy’s vision to build a more secure and resilient cyberspace for citizens, businesses and government.
Of course there are grey areas. Saini studied some of those grey areas in his year with the thinktank, Centre for Internet and Society. “But this kind of thing, to me, is scary,” he says. “It’s scary that our laws are so out of touch with our digital worlds.”
That’s why some prefer to stay completely anonymous. The 30-year-old who was recently in the news for creating bots that helped report other bots that were influencing what trended on Twitter, would not give us a first name or even initial.
You can reach him online, as numerous publications did in January, but he won’t share a phone number.
“It’s hard enough as it is,” he says. “I get death threats and obscene messages every day. My relationships with people have been changed by the work that I do. The trust network you build up through your whole life, suddenly gets called into question. You don’t know who you can rely on. At times you don’t trust even your parents with all the information, because you don’t know how much they may share with other family members — and you also don’t want them burdened.”
He made the news for creating bots that helped take down over 2 lakh other bots, over a period of about four months. The other bots had been programmed to tweet a certain kind of content in such large volumes that they could affect what trended locally on Twitter.
“I wanted to do this so that people had a clearer picture of how things stand,” he says. “I am glad I did it. The role of the ethical hacker is a political one. Some sacrifice has to be made. The only fear I really feel is that anyone can file an FIR. And it is a realistic fear, I feel.”
Gurgaon-based Avinash Jain, 27, is one of those white hats who hunts down bugs like he’s living in a video game. He won about 80 bug bounties in 2018 alone — including $2,500 (about Rs 1.78 lakh) for finding a bug in Go-Jek, a multiservice platform. The first bug bounty he won was with Zomato, and the prize was just some merchandise, but the thrill has had him hooked ever since.
Sai Krishna Kothapalli from Hyderabad says government agencies are finally, slowly, opening up to working with ethical hackers – mainly to spread awareness about cyber crime and cyber safety.
“The one downside is that the pursuit of a bug is so unpredictable,” he says. “Sometimes, you spend days without finding a single bug in the target domain. You’re racing, and thinking out of the box; but nothing. The key tool, you soon learn, is patience.”
During the day, Jain works as a security engineer at a startup, so time is a constraint too. “I come back from work, go for a workout, freshen up and start my hacking work of the day. It can be tiring on some days but the joy of solving problems keeps me going.”
One of the bugs he’s proudest of identifying is a loophole in an online registration system for hospital appointments and admissions that could compromise the details of those who registered online. He didn’t win anything for it, but the problem was acknowledged by the hospital, and fixed.
How they stay safe, and you can too
- Use encrypted email and messenger systems. This is easier than it sounds. There are several apps that now provide end-to-end encryption and there is encryption software you can download. Once the information is encoded, only the intended recipient can view a message.
- Use local language phrases in your passwords; this makes them more difficult to crack. Hackers tend to use algorithms that draw largely on the English dictionary.
- As far as possible, use Bluetooth rather than another person’s USB device. When you connect a USB device, there is a chance that, if it has been programmed to do so, it can execute commands on your device and even install malicious software.
- Use an authorised, paid-for antivirus. It offers far more comprehensive protection, from viruses and hackers, than the free antivirus solutions. Free antivirus packages typically provide only the most basic of protection. They scan for malware from time to time. But features like firewalls for bad links come with paid antivirus software.
Typically, though, the ethical hackers say that government departments are slow to respond. Kothapalli was still an engineering student at IIT-Guwahati when he tried to report a vulnerability on the BSNL intranet website.
It could enable a hacker to access the entire BSNL intranet database, which contained a lot of confidential data on existing and retired employees of the company.
He reported it but never got a response. Two years later, when an anonymous French hacker handle pointed out the same issue, the organisation acted to rectify the gaps. The French hacker, who calls himself Elliot Alderson, acknowledged in a tweet that the issue had already been pointed out by Kothapalli, so at least he got credit indirectly, he says, laughing.
A larger mission
Vineet Kumar runs the Cyber Peace Foundation, which works with governments to spread awareness about cyber crime and cyber safety, starting at the grassroots level.
Government agencies are slowly warming up to the work done by ethical hackers. Kothapalli’s Hackrew, set up in 2018, organised its first live hacking event with the Telangana government last June. Ranchi-based hacker Vineet Kumar’s Cyber Peace Foundation (CPF) has collaborated with government agencies like the National Council of Educational Research and Training (NCERT), to conduct cyber awareness contests, and with the National Crime Records Bureau (NCRB) to host a hackathon — an event in which hackers compete to spot loopholes and suggest fixes for an app or website within a stipulated time.
Kumar believes the responsibility of an ethical hacker goes beyond finding bugs and threats. “Given the reach of smartphones, it is important to educate and protect at the grassroots level,” he says.
His organisation has been working to educate rural users about the many kinds of cybercrime and about their rights. “Sometimes it’s simple things like teaching people that if you file a complaint in a case of financial fraud within 72 hours, you must — barring any malfeasance on your part — get your money back. Or teaching people that even downloading a child sexual abuse video is a crime. Or that sharing pictures and videos of children without parental consent is illegal,” he says.
Over the past two years, the CPF has worked with the police to conduct cybersecurity awareness workshops in states ranging from Assam and Jharkhand to Andhra Pradesh, Uttar Pradesh, Haryana and West Bengal. “We have a group of master trainers who work closely with the police to help in investigations too,” Kumar says.
“Digital literacy is crucial given how fast digital access has spread, and continues to spread, in India. The alternative is simply disaster.”