Despite having the largest share of bug bounty hackers of any country and numerous institutes teaching ethical hacking, government agencies in India lack a proper mechanism to respond to the security alerts they receive.
“My only intention is to find the bug and then report it. But in most cases the government body doesn’t even revert — let alone fix the issues,” says Sai Krishna Kothapalli, a final-year BTech student at IIT Guwahati. When Sai is not studying computer science, he brushes up his bug-finding skills on different websites. Probing websites he has no permission to test can itself be considered hacking, which is illegal; reporting what he finds instead of exploiting it is what, in practice, gets him called an ethical hacker, someone who helps ensure the security of an organisation.
An ethical or white hat hacker is any person with expertise in information security who systematically attempts to penetrate a computer system, network or website to find security loopholes, with due permission. Such permission-based testing is rarely arranged in India. “The body which governs and oversees the incidents and issues pertaining to cyber security does not acknowledge the mail sent to them,” Sai says.
On February 20, 2016, when he was in his third year of college, Sai and his friends were preparing for a hacking competition. While brushing up their skills, they came across a bug on the intranet website of BSNL (Bharat Sanchar Nigam Limited), a state-owned telecommunications company. They believed that any hacker could gain access to the entire BSNL intranet database, which included user details and information about every current and former employee of BSNL.
The loophole was on the login page of the BSNL intranet website and, according to Sai, “wasn’t difficult to find.” Sai was shocked by how easy it was to gain access to the data, which was wide open to being leaked. When his friends learned of it, they advised him not to report it to CERT-In, the national nodal agency for responding to cyber security incidents, including those that could threaten national security.
Sai nonetheless went ahead and reported it to the authorities concerned. From the “About us” section of the website he got the email address of the Chairman and Managing Director of BSNL and wrote to him about the issue. He got no reply. He tried again, emailing other people associated with BSNL, again to no avail.
“I tried reaching out to them through multiple channels. Facebook, Twitter, Email,” says Sai. All he wanted was to report a serious issue on the BSNL website, one that put the personal information of 1,88,897 people (as per data from the BSNL Employees Union) at risk.
When all his efforts proved futile, he decided to tweet at Prime Minister Narendra Modi. Since the PM’s Twitter handle is active, Sai thought he might get a reply to one of the eight tweets he sent.
Pushing his luck further, Sai reached out to CERT-In again, as suggested by the then director of IIT Guwahati. To his surprise, the process turned out to be antiquated: it required him to fill in a ‘Vulnerability Report Form’. Busy with his academic work, he never filled in the form. Later, he found out that another hacker had come across the same bugs on the BSNL intranet website.
BSNL finally acknowledged the issue and fixed it within two days — two years after it was reported by Sai. In his blog, Sai also wrote that he feels that ‘action was taken only after a French security researcher of considerable Twitter fame reported it.’
“My intention was to find the bug. But there’s no proper mechanism to report such things to the government,” says Sai.
Although all government websites must pass security audits before being declared ‘totally secured’, Sai feels that is hardly the case in practice. “The IT security organisations, which are authorised to empanel the websites, have scanners and do test runs which are not very effective,” he adds.
Last year, while applying for a PAN card for his mother on the NSDL website, he found a loophole in the Aadhaar authentication step on the site. It should allow only one request to the Aadhaar server, but it let Sai push through as many requests as he wanted. “I could piggyback my requests and NSDL only had to authenticate,” says Sai.
He did not report the issue this time because of his earlier experience with the BSNL intranet bugs, but it left him questioning the security of these websites and sensing a laid-back attitude towards auditing them.
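The article gives the NSDL flaw only in outline: a front end that should let a session drive a single request to an upstream authentication server but placed no such limit on it. As an added illustration of that class of defect (hypothetical code written for this page, not NSDL or UIDAI code, and not a reconstruction of the actual bug), the example below places a weak proxy that forwards every submission upstream beside a hardened one that issues a single-use token per session and consumes it under a lock before forwarding. The upstream server is a constructed stub that only counts how often it is called.

```python
"""Illustration of the request-limiting flaw class described above.

Everything here is constructed for this example: `UpstreamStub` stands in for
an external authentication server, and both proxies are hypothetical sketches,
not NSDL or UIDAI code.
"""
import secrets
import threading


class UpstreamStub:
    """Stand-in for the external authentication server; counts how often it is hit."""

    def __init__(self) -> None:
        self.calls = 0

    def authenticate(self, payload: dict) -> bool:
        self.calls += 1
        return payload.get("otp") == "123456"  # constructed sample credential


class UnboundedProxy:
    """Weak pattern: every client submission is forwarded upstream with no per-session
    limit, so a client can drive as many upstream requests as it likes."""

    def __init__(self, upstream: UpstreamStub) -> None:
        self.upstream = upstream

    def submit(self, session_id: str, payload: dict) -> bool:
        return self.upstream.authenticate(payload)


class SingleUseProxy:
    """Hardened pattern: the server issues one single-use token per session and forwards
    exactly one upstream request per token. The token is checked and consumed under a
    lock before the upstream call, so concurrent submissions cannot both get through."""

    def __init__(self, upstream: UpstreamStub) -> None:
        self.upstream = upstream
        self._lock = threading.Lock()
        self._live: dict[str, str] = {}  # token -> session that owns it

    def issue_token(self, session_id: str) -> str:
        token = secrets.token_urlsafe(32)
        with self._lock:
            # Only one outstanding token per session: revoke any earlier one.
            for old, owner in list(self._live.items()):
                if owner == session_id:
                    del self._live[old]
            self._live[token] = session_id
        return token

    def submit(self, session_id: str, token: str, payload: dict) -> bool:
        with self._lock:
            if self._live.get(token) != session_id:
                return False  # unknown, already used, revoked, or another session's token
            del self._live[token]  # consume before forwarding
        return self.upstream.authenticate(payload)


def demo(attempts: int = 5) -> tuple[int, int]:
    """Send `attempts` submissions through each proxy from one session and return
    (upstream calls via UnboundedProxy, upstream calls via SingleUseProxy)."""
    payload = {"otp": "000000"}  # constructed wrong guess, as a brute-forcer would send

    weak_upstream = UpstreamStub()
    weak = UnboundedProxy(weak_upstream)
    for _ in range(attempts):
        weak.submit("session-A", payload)  # every attempt reaches upstream

    hard_upstream = UpstreamStub()
    hard = SingleUseProxy(hard_upstream)
    token = hard.issue_token("session-A")
    for _ in range(attempts):
        hard.submit("session-A", token, payload)  # only the first reaches upstream

    return weak_upstream.calls, hard_upstream.calls


if __name__ == "__main__":
    print(demo())  # (5, 1)
```

The point of consuming the token before the upstream call, rather than after, is that a check-then-forward sequence without the lock leaves a window in which two parallel submissions both see a live token; the weak proxy has no window to close because it never limits anything.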
However, Rahul Tyagi, co-founder and vice-president of Lucideus, an IT risk assessment and digital security services provider, says that the websites undergo many rounds of security testing. “When we worked on the BHIM app, our team of 42 people audited over a lakh lines of code manually,” says Tyagi.
He adds that there may be a thousand bugs one can find and report, but for the government it can be hard to pick out the one mail that matters. “They come back when it’s very critical. You also need to quantify the attack,” says Tyagi. Another route for finding and reporting bugs is a bug bounty programme, which private and government organisations run to reward hackers who find and report a bug.
According to a 2016 report by HackerOne, a global vulnerability coordination and bug bounty platform, 21% of its bug bounty hackers are from India, the highest share of any country on its list.
Talking about what is so special about hacking, Tyagi says, “It’s not a technique. They have got a third eye. While others see the colour of a product, they will see the model number.”
Nowadays, a number of institutes offer courses in ethical hacking, among them Lucideus in Delhi, where Tyagi also heads the training department.
“It’s a booming industry and many institutes also try to exploit young students in these courses,” says Falgun Rathod, an information security and cybercrime consultant who also assists various government agencies on cyber security issues. Asked to share some interesting cases, he replied, “That’s all confidential.”
He says that there have been cases where people have offered him Rs. 50,000-60,000 to hack somebody’s Instagram account and access their conversations, but he has refused. When it comes to ethical hacking, he adds, “A lot has to do with the moral conscience of the hacker.”
Sai seconds this opinion and says, “Most hackers know the art of hacking but it’s up to them whether they want to act ethically and report the cases.”
According to Sai, India does not lack skilled hackers. In Facebook’s bug bounty programme, which takes reports from hackers in 126 countries, India tops the list again: according to a 2016 Facebook press release, Indian hackers received the highest number of payouts for reported bugs.
Tyagi feels that if the government someday launches a bug bounty programme, a participating student may be hired permanently for the skills he or she shows. On the other hand, he points out that a bug bounty does not cover every vulnerability, including ones that appear later.
“Facebook is still being hacked. The programme only focuses on particular vulnerabilities,” says Tyagi. “I found loopholes in Discovery Channel once, it was a beauty for me, sometimes they did give me recognition. In the end, it enhances the talent,” he adds.
Sai mentions an interesting case of cyber wars between India and Pakistan. “They used to beat us. But we could find the vulnerabilities in Indian systems. Had the government given us access, we could’ve easily beaten them,” says Sai. All of this goes to waste while Indian government agencies remain unable even to acknowledge the many ‘ethical hackers’ reporting to them.