Slouched over his favourite Macintosh console, 23-year-old Anand Prakash pulled up his Facebook account. He clicked on the ‘Forgot password’ option and entered his phone number. His mobile buzzed, heralding the arrival of the OTP (one-time password), a six-digit code which would allow him to reset his password. But, what if he did not have access to his phone? Or if he was a third party with a malicious intent, trying to force his way into someone else’s account? Could he brute-force (a trial-and-error method which employs an exhaustive search of all different combinations) the OTP? Facebook.com blocked him after a dozen invalid attempts, but he found that the absence of a limiting feature made it possible to do so in beta.facebook.com and mbasic.beta.facebook.com. A few lines of code and some hours later, he successfully set a new password for his dummy account. And, the Bengaluru-based techie had discovered a way to access more than a billion Facebook accounts—his to deface or loot at will.
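The flaw Anand found was the absence of an attempt limit on the OTP check: facebook.com cut him off after roughly a dozen wrong codes, the beta hosts did not, and a six-digit code has only a million possible values. The following is an added illustration (not Facebook's code, not Anand's script) of the defensive side, a reset-code verifier that counts attempts per account and locks the pending code after a configurable cap; `max_attempts=None` reproduces the uncapped behaviour the article describes. The attempt cap of 12 and the 300-second lifetime are assumed values.

```python
import hmac
import secrets
import time

OTP_DIGITS = 6
MAX_ATTEMPTS = 12          # assumed cap, matching the "dozen" the article mentions
OTP_TTL_SECONDS = 300      # assumed lifetime of a pending reset code


class OtpVerifier:
    """Password-reset OTP check with per-account attempt limiting.

    max_attempts=None disables the cap: this is the vulnerable configuration,
    where a caller can keep guessing until the code is exhausted.
    """

    def __init__(self, max_attempts=MAX_ATTEMPTS, ttl=OTP_TTL_SECONDS, now=time.time):
        self.max_attempts = max_attempts
        self.ttl = ttl
        self.now = now                 # injectable clock, makes tests deterministic
        self._pending = {}             # account -> [code, issued_at, attempts]

    def issue(self, account):
        """Generate a fresh code for the account (in production it is sent to the phone)."""
        code = f"{secrets.randbelow(10 ** OTP_DIGITS):0{OTP_DIGITS}d}"
        self._pending[account] = [code, self.now(), 0]
        return code

    def verify(self, account, guess):
        """Return 'ok', 'wrong', 'locked', 'expired' or 'no_pending_code'."""
        entry = self._pending.get(account)
        if entry is None:
            return "no_pending_code"
        code, issued_at, attempts = entry
        if self.now() - issued_at > self.ttl:
            del self._pending[account]
            return "expired"
        # The cap is checked before the comparison, so a locked code stays
        # locked even when the correct value is finally supplied.
        if self.max_attempts is not None and attempts >= self.max_attempts:
            return "locked"
        entry[2] = attempts + 1
        if hmac.compare_digest(code, guess):   # constant-time compare
            del self._pending[account]         # one successful use only
            return "ok"
        return "wrong"
```

Every host that serves the reset flow (here, the beta and mobile variants) has to share the same counter; a cap enforced on one hostname and not another is no cap at all.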
A few months later in the same year, 2016, Hemanth Joseph, an engineering student in Pala in Kerala, purchased an iPad, running iOS 10.1, from eBay. The device was locked, thanks to Apple’s iCloud Activation Lock, but it allowed the user to choose a Wi-Fi connection. He chose WPA2 enterprise edition, filled in the name, username and password with thousands of characters (there was no limit) until the screen froze. His hunch proved right, the application layer had failed. After some manoeuvres with the smart cover (which automatically wakes up the device), the screen landed right on the home page. He had bypassed a much-touted security feature of Apple.
It would have been an easy task for any computer user with a rudimentary knowledge of networks to use browsers that offered complete anonymity to access the dark web and auction off these vulnerabilities for a fortune. But Anand and Hemanth are white hat hackers, professional bounty hunters who operated within the purview of the law. They test systems with the prior sanction of the organisations and disclose the presence of bugs. Some of these bugs could potentially compromise financial data, personal information or identity of billions of users.
“Facebook policies restrict us from damaging other accounts. I use dummy accounts for attempting such takeovers,” said Anand, who was a security engineer at Flipkart. Facebook paid him $15,000 for discovering the vulnerability.
Bug bounty programmes are nothing new, at least in the global arena. The first of its kind was introduced by Netscape in 1995. Mozilla (2004), Google (2010), Facebook (2011) and Microsoft (2013) followed suit, promising lucrative deals for hackers who could point out security flaws in their systems.
And, Indians dominate the sector. According to a 2016 report by US-based bug bounty aggregator Bugcrowd, Indians accounted for around 39 per cent of the bounty hunters globally, followed by the US (11.79 per cent). Facebook announced that, in 2016, Indians received the highest number of bounty payouts. It paid a total of $6,11,741 to 149 researchers in 2016.
Indian companies are also in the fray. Paytm, MobiKwik and Ola have launched their bug bounty programmes. This is a welcome change from the Indian companies’ earlier approach to internet security, said Anand. “Two years earlier, I noticed a bug on the website of a prominent tech company. When I intimated it to the company, I was contacted by their legal team,” he said.
Arun Suresh Kumar, 21, of Kollam in Kerala hogged the headlines when Facebook paid him $16,000 for reporting a bug in the website’s Business Manager tool. “Using the bug, I could have taken over any Facebook page,” he said. Tall and gangly, he is not your stereotypical Red Bull-swilling, anti-social hacker who swears by Kevin Mitnick or the Anonymous. The final-year student of computer science, who was inducted into the Facebook Hall of Fame in 2016, is as worried about his exams and projects as any other student. Does the college interfere with his research? “Usually, they are mutually exclusive. It is only at night, I catch up on the latest developments in the field or coordinate with my counterparts in the US,” he said.
Tracing vulnerabilities, anyway, is not something that you can just sit down and do. “Suppose I am coding a software, I will have some idea of the security aspects and specific points of implementation. Out of curiosity, I may check out other programs to see if they have thought of the same. It may turn out to be a bug,” he said.
Are there any protocols for reporting bugs in a public bug bounty programme, like the one run by Facebook? “There are no written formalities as such. But you will have to follow the responsible disclosure policy and relay the bug through the proper channels,” he said.
Though only 21, Arun is part of a global network of white hats and security enthusiasts—the midnight’s children of the digital revolution who share an intangible connection through open source forums and the occasional meet-and-greets. In India, for instance, NULLCON, which is held annually in Goa, facilitates meetings between white hat hackers and security specialists. Arun was part of a team from India which, in 2016, was invited to a private get-together with Facebook security engineers in Las Vegas.
But it is not all fun and games. “Being a security researcher calls for utmost dedication on your part. The competition is fierce. The moment a software is updated, we have to check for flaws. With each passing day, it gets more stable as vulnerabilities are rectified,” said Arun. Then there is the issue of bug duplication. Sometimes, after a hacker reports a bug after days of effort, they will come to know that a counterpart had beaten them to it—sometimes by a matter of hours.
But what about the flip side of the issue? With a seismic shift in trend from paper currency to digital wallets and online payments post demonetisation, will our security infrastructure be able to deter a resolute, hostile attacker? The numbers are not encouraging.
In October, the Indian financial sector came under a wave of devastating cyber attacks. Hackers compromised more than 3.2 million debit cards in the process. In 2015, CERT-In, India’s nodal computer emergency response team, handled 49,455 incidents related to website intrusion, malware propagation, malicious code, phishing, distributed denial of service (DDoS) attacks, website defacements and unauthorised scanning activities.
Said Saket Modi, CEO of Delhi-based cyber security firm Lucideus Tech, which has performed security audits for the BHIM app, “In cyber security, it is always the chicken-and-egg situation. Should we have cyber security infrastructure in place first before we give a push to cyber wallets? We have to admit that the security infrastructure requires a much needed fillip, but the shift towards digitisation was inevitable. Overall, it is a tremendously positive shift.”
He lauded the government for announcing the constitution of a Computer Emergency Response Team to strengthen the financial sector, in the 2017 Union Budget. “The problem we still face is that many companies do not feel the need to invest in cyber security until they are actually hacked,” he said.
Says Dhanya Menon, India’s first woman cyber-security investigator and an expert in cyber law, “We have to properly use the resources in our possession. Our laws—like IT Act sections 43, 66—are very elaborate.”
Many states have taken note of the issue. Hemanth was one of the ethical hackers invited to a cybersecurity conference organised by Cyberdome, a public-private partnership programme of the Kerala Police which seeks to ensure security in cyber space. He said the interest in the field was skyrocketing. “Last year, I helped organise a forum for those interested in the cyber security field at Infopark in Kochi. The response was overwhelming,” he said.
The profession can be financially rewarding as well. “Our tier one hackers earn around $3,000 to $18,000 every month,” says Ankush Johar, director of BugsBounty.com, a crowdsourcing platform for bug hunters and companies. Perhaps these young ethical hackers are right after all. Being on the right side of the law does have its perks.