Monday, 20 May 2013

Hacking: A growing threat to Indian IT


NEW DELHI: The recent data theft by hackers from two Indian companies processing prepaid cards for several overseas banks, which led to a global fraud of 45 million dollars, has made India's 100 billion dollar IT industry a primary target of spam, phishing and viruses. The security breach has reopened the debate on IT security norms followed by Indian firms and the role played by 'ethical' hackers.

A gang of cyber-criminals operating in 26 countries stole $45 million by hacking their way into a database in the second week of May 2013. Another recent incident is the Rs 2.4 crore heist by cyber criminals who hacked into the Mumbai-based current account of the RPG Group of companies.
There have been many attempts by 'ethical' hackers going rogue, resulting in the breach of cyber security of companies as well as individuals, causing financial loss and damage to reputation. The 45 million dollars heist, the News International phone hacking scandal, Indian hackers' retaliatory attack against Brazilian or Bangladeshi counterparts, etc., leave the victims defaced and robbed.
Reportedly, a group of anonymous hackers from India hacked and defaced 37 Brazilian websites. The attacks were apparently in retaliation to the April 6 cyberattacks on Indian government websites supposedly by Brazil-based hackers. Although there is a nationalistic tinge to the whole scenario, it could prove disastrous if not monitored and channelised.
Lords of Dharmaraja is also alleged to have hacked and posted a threat by uploading the secret documents, memos, and source code of Symantec's product on Pastebin.
It is indeed tough to define something as diverse as hacking. Is it ethical for any computer expert to infiltrate another person's websites and e-mail accounts? Yes, if it is a trustworthy 'hacker' who uses his ethics and software expertise to strengthen his employers' security apparatus against hackers with malicious intentions. Also, if done for the cause of national security. But if a computer wizard illegally gains access to someone's computer by pretending to be a bona fide entity to fulfil a personal agenda, then that is a cause for serious concern.
In India, according to Microsoft, 'ethical' hacking is synonymous with prominent names like Ankit Fadia, Sunny Vaghela, Pranav Mistry, Vivek Ramachandran, Koushik Dutta, Aseem Jakhar and a few more.
Ankit Fadia, a world-renowned 'ethical' Indian hacker, described the cyber security threat as a menace. "Identity theft of Indian IT firms is rather common. Hackers have the potential to damage the reputation of a bona fide IT firm by stealing their identity and engaging in unscrupulous activities under the corporate's garb that can have disastrous consequences and tarnish reputation. In fact, such misdemeanours could go unnoticed for years together if not detected and rectified in time," he said.
There are quite a few ethical hacking groups in India, like the Indian Cyber Army aka Indishell, Team NUTS, Team Gray Hat, Lords of Dharmaraja and the Indian Cyber Devils, that have reportedly been working to safeguard India's cyber space.
An ethical hacking group, on condition of anonymity, revealed that even while working on a national cause, they may masquerade as an information security company to register domains or create malware in order to protect themselves and get back at their arch-rivals - Information Security and anti-virus companies.

Imparting ethical hacking training is like treading on dangerous ground, as it raises questions such as: are these activities justified? Can there be a guarantee that these groups will refrain from crossing the line of mandate? And is anyone safe in this scenario?
In India, there are a number of training institutes that empower the youth in the latest ethical hacking tools & techniques. Institutes like Techdefence, K-Secure CEH, IntelleSecure Network Solutions, Crezone and Kyrion are a few of them. However, the most popular certification is CEH (Certified Ethical Hacker) by an American organisation called EC Council, and the training material of almost every institute is shaped around its curriculum.
Ethical hacking ensures that the cyber security infrastructure of a private organization as well as government bodies is robust and secure. Although ethical hackers are fast becoming a tribe in India, it is critical to monitor them along with their training institutes. Trainers need to be conscious of imparting this knowledge while setting up the curriculum. Perhaps, it would be prudent for the government to intervene in designing the curriculum and set a minimum age of 18 to shoulder responsibility of such potent knowledge.

Why are the LulzSec hackers being locked up?



A chance to put these young hackers' skills to better use goes wasted, while gangs who rob for personal gain go unpunished


Jake Davis has been jailed for 24 months for his part in masterminding cyber-attacks on major global institutions. Photograph: Metropolitan Police/PA


For lawmakers, illicit downloaders and hackers alike, the internet is one of the few bits of frontier territory left in the world: for the "rogues" there's lots more scope to get away with things not possible in more civilised, everyday reality, while for the lawmakers there's an ungovernable mess.

The problem with frontier justice is, of course, that when it strikes, it tends to be rough. And so it's proved for the four members of the hacking group LulzSec, sentenced in a London court: three were jailed for between two years and 32 months (they'll serve half), with the fourth receiving a suspended 20-month sentence.

Untangling the rights and wrongs of this case is difficult. The group carried out a series of cyber-attacks that caused millions of pounds' worth of damage, particularly on the Sony Playstation network. (And gamers won't have been happy about the disruption to services.)

That fact shouldn't be ignored by those mounting a defence of LulzSec: some of the group's actions were political (of which more later), but some were fairly tenuously justified at best. And the consequences were real and expensive: anyone causing that much damage offline would certainly also face jail.

But the rest of the case is far less clear-cut. Three of the four convicted were teenagers at the time of their offence. Computer crime is one of the few areas where teenage pranks can dramatically escalate, a product of the interconnected nature of the internet.

How much should teens be held responsible for the structural vulnerability of internet institutions? How much culpability lies with those who leave architecture as easy to attack as it is? We could continually be locking up teens unless something changes.

The data obtained in the various hacking attacks could have been used for significant large-scale fraud and financial gain. At the time of his arrest, the computer belonging to Jake Davis (the group's spokesman, "Topiary") held more than 750,000 lines of data, including passwords, credit card details and more. There's no sign he ever made any attempt to profit from any of this.

It seems almost uncontroversial to suggest that hacking attacks made without the intent of personal gain should be treated as a very different beast to those by large, professional groups – who, it should be noted, almost universally escape detection and prosecution.

If personal gain wasn't the motivation, what was? And does it matter? While one of the main professed motivations was "the lulz" – hacking for kicks – many LulzSec actions had a political aspect.

LulzSec grew out of Anonymous, the amorphous hacking collective, which rose to prominence (in the mainstream media at least) once it had attacked Paypal and other sites after they joined a credit-card blockade against WikiLeaks.

WikiLeaks, like it or loathe it, had committed no crime, been charged with no crimes, and yet was cut off in all practical terms from funding sources. Attempts to redress the situation in the courts have proven slow and erratic, and any compensation for lost donations certainly hasn't materialised.

Anonymous and the other hacktivists engaged in direct action in the belief the justice system would let them down. And they were right.

The justice system could be letting everyone down again. When it comes to real, serious hacking actions across the web, there are only two shows in town. The first and most extreme comprises state-backed hackers across the world, targeting information systems, trade secrets, and even – in the case of the US and Israel – centrifuges used to enrich uranium.

The other is sophisticated criminal gangs, often operating from Russia, eastern Europe or Africa. These are the guys who'll empty your bank account, hold email accounts to ransom and more.

Instead of either of these groups being arrested and taken through the courts, we're seeing teenage hacktivists put on trial instead. Are they really the ones we should focus on?

And if we are going to arrest and convict them – let's remember the financial damage caused at this point – couldn't we be more creative and constructive with what we do next?

Several of those arrested are clearly gifted. Jake Davis could put many a professional PR to shame. Why waste their skills, and their life prospects, not to mention a wodge of public money, with prison sentences?

In the least imaginative scenario, these guys could be engaging in hundreds upon hundreds of hours of unpaid teaching work, building IT skills. In the most imaginative one, why not get them creating a dotcom startup for the public good?

A chain-gang incubator might seem like a mad idea. But it's no more bizarre or brutal than anything we've done in real life to those who do wrong on the online frontier.



• This article was amended on 17 May 2013. It originally referred to centrifuges inside nuclear reactors. This has now been corrected.
