Kanishk Sajnani did not receive so much as a thank you from a major Indian airline when he contacted them with alarming news — he had hacked their Web site and could book flights anywhere in the world for free.
It was a familiar tale for India’s army of “ethical hackers,” who earn millions protecting foreign corporations and global tech giants from cyberattacks, but are largely ignored at home, their skills and altruism misunderstood or distrusted.
India produces more ethical hackers — those who break into computer networks to expose, rather than exploit, weaknesses — than anywhere else in the world.
The latest data from BugCrowd, a global hacking network, showed Indians raked in the most “bug bounties” — rewards for exposing security loopholes.
Facebook, which has long tapped hacker talent, paid more to Indian researchers in the first half of last year than any other researchers.
Indians outnumbered all other bug hunters on HackerOne, another registry of about 100,000 hackers.
One anonymous Indian hacker — “Geekboy” — has found more than 700 vulnerabilities for companies like Yahoo, Uber and Rockstar Games.
Most are young “techies” — software engineers swelling the ranks of India’s US$154 billion IT outsourcing sector whose skill set makes them uniquely gifted at cracking cybersystems.
“People who build software in many cases also understand how it can be broken,” HackerOne co-founder Michiel Prins told reporters by e-mail.
However, while technology behemoths and multinationals are increasingly reliant on this world-class hacking talent, just a handful of Indian firms run bug bounty programs.
Information volunteered by these cyber-Samaritans is often treated with indifference or suspicion, hackers and tech industry observers told reporters.
Anand Prakash, a 23-year-old security engineer who has earned US$350,000 in bug bounties, said that Facebook replied almost immediately when he notified them of a glitch allowing him to post from anyone’s account.
“But here in India, the e-mail is ignored most of the time,” Prakash told reporters from Bangalore, where he runs his own cybersecurity firm, Appsecure India. “I have experienced situations many times where I have a threatening e-mail from a legal team saying: ‘What are you doing hacking into our site?’”
Sajnani, who has hacked about a dozen Indian companies, said he was once offered a reward by a company that dropped off the radar once the bugs were fixed.
“Not getting properly acknowledged, or companies not showing any gratitude after you tried to help them, that is very annoying,” the 21-year-old told reporters from Ahmedabad, where he hunts for software glitches in between his computer engineering studies.
An unwillingness to engage its homegrown hackers has backfired spectacularly for a number of Indian start-ups, forcing a long-overdue rethink of attitudes toward cybersecurity.
In 2015, Uber-rival Ola launched what it called a “first of its kind” bounty program in India after hackers repeatedly exposed vulnerabilities in the popular app.
This month, Zomato, a food and restaurant guide operating in 23 countries, suffered an embarrassing breach when a hacker stole 17 million user records from its supposedly secure database.
The hacker — “nclay” — threatened to sell the information unless Zomato, valued at hundreds of millions of US dollars, offered bug hunters more than just certificates of appreciation for their honesty.
“If they were paying money to the good guys, maybe ‘nclay’ would have reported the vulnerability and made the money the right way,” Waqas Amir, founder of cybersecurity Web site HackRead, said by e-mail.
The incident was especially galling for Prakash.
He had hacked Zomato’s database just two years earlier and said if they listened to him then “they would never have been breached in 2017.”
In a mea culpa rare for an Indian tech company, Zomato agreed to launch a “healthy” bounty program and encourage other firms to work with ethical hackers.
“We should have taken this more seriously earlier,” a Zomato spokeswoman said in a statement.
The Zomato hack, and the panic surrounding last month’s global WannaCry cyberattack, come as the Indian government aggressively denies suggestions that its massive biometric identification program is susceptible to leaks.
The Indian government has staunchly defended its “Aadhaar” program, which stores the fingerprints and iris scans of more than 1 billion Indians on a national database, and has accused those who have raised concerns of illegal hacking.
Prakash said it was vital the government embrace its own through a program like the “Hack the Pentagon” initiative, which last year saw 1,400 security engineers invited to poke holes in the US Department of Defense’s cyberfortifications.
“The Indian government definitely needs a bounty program to make their system more secure,” Prakash said.