Kanishk Sajnani did not receive so much as a thank you from a major Indian airline when he contacted them with alarming news — he had hacked their Web site and could book flights anywhere in the world for free.
It was a familiar tale for India’s army of “ethical hackers,” who earn millions protecting foreign corporations and global tech giants from cyberattacks, but are largely ignored at home, their skills and altruism misunderstood or distrusted.
India produces more ethical hackers — those who break into computer networks to expose, rather than exploit, weaknesses — than anywhere else in the world.
The latest data from BugCrowd, a global hacking network, showed Indians raked in the most “bug bounties” — rewards for exposing security loopholes.
Facebook, which has long tapped hacker talent, paid more to Indian researchers in the first half of last year than any other researchers.
Indians outnumbered all other bug hunters on HackerOne, another registry of about 100,000 hackers.
One anonymous Indian hacker — “Geekboy” — has found more than 700 vulnerabilities for companies like Yahoo, Uber and Rockstar Games.
Most are young “techies” — software engineers swelling the ranks of India’s US$154 billion IT outsourcing sector whose skill set makes them uniquely gifted at cracking cybersystems.
“People who build software in many cases also understand how it can be broken,” HackerOne co-founder Michiel Prins told reporters by e-mail.
However, while technology behemoths and multinationals are increasingly reliant on this world-class hacking talent, just a handful of Indian firms run bug bounty programs.
Information volunteered by these cyber-Samaritans is often treated with indifference or suspicion, hackers and tech industry observers told reporters.
Anand Prakash, a 23-year-old security engineer who has earned US$350,000 in bug bounties, said that Facebook replied almost immediately when he notified them of a glitch allowing him to post from anyone’s account.
“But here in India, the e-mail is ignored most of the time,” Prakash told reporters from Bangalore, where he runs his own cybersecurity firm, Appsecure India. “I have experienced situations many times where I have a threatening e-mail from a legal team saying: ‘What are you doing hacking into our site?’”
Sajnani, who has hacked about a dozen Indian companies, said he was once offered a reward by a company that dropped off the radar once the bugs were fixed.
“Not getting properly acknowledged, or companies not showing any gratitude after you tried to help them, that is very annoying,” the 21-year-old told reporters from Ahmedabad, where he hunts for software glitches in between his computer engineering studies.
An unwillingness to engage its homegrown hackers has backfired spectacularly for a number of Indian start-ups, forcing a long-overdue rethink of attitudes toward cybersecurity.
In 2015, Uber-rival Ola launched what it called a “first of its kind” bounty program in India after hackers repeatedly exposed vulnerabilities in the popular app.
This month, Zomato, a food and restaurant guide operating in 23 countries, suffered an embarrassing breach when a hacker stole 17 million user records from its supposedly secure database.
The hacker — “nclay” — threatened to sell the information unless Zomato, valued at hundreds of millions of US dollars, offered bug hunters more than just certificates of appreciation for their honesty.
“If they were paying money to the good guys, maybe ‘nclay’ would have reported the vulnerability and made the money the right way,” Waqas Amir, founder of cybersecurity Web site HackRead, said by e-mail.
The incident was especially galling for Prakash.
He had hacked Zomato’s database just two years earlier and said that if they had listened to him then, “they would never have been breached in 2017.”
In a mea culpa rare for an Indian tech company, Zomato agreed to launch a “healthy” bounty program and encourage other firms to work with ethical hackers.
“We should have taken this more seriously earlier,” a Zomato spokeswoman said in a statement.
The Zomato hack, and the panic surrounding last month’s global WannaCry cyberattack, come as the Indian government aggressively denies suggestions that its massive biometric identification program is susceptible to leaks.
The Indian government has staunchly defended its “Aadhaar” program, which stores the fingerprints and iris scans of more than 1 billion Indians on a national database, and has accused those who have raised concerns of illegal hacking.
Prakash said it was vital that the government embrace its own hackers through a program like the “Hack the Pentagon” initiative, which last year saw 1,400 security engineers invited to poke holes in the US Department of Defense’s cyberfortifications.
“The Indian government definitely needs a bounty program to make their system more secure,” Prakash said.