Good Samaritan hackers face hurdles


IT laws prosecuting ethical hackers remain unchanged as cases of data breach increase

Bangalore April 9 2018: A Reddit user named, always_say_this, exposed the vulnerabilities—like gaining access to bank account details, passwords, names of customers etc.—of the servers belonging to Truecaller Pay and Tata Sky. He expected to get rewarded, get or job or simply acknowledged but instead was met with silence. He like most ethical hackers like this are forced to work from the shadows.

Corporates and governments across the world invite ethical hackers to detect vulnerabilities in their systems and applications to prevent instances of data breach.

Companies organize competitions like ‘Bug Bounty Programs’ or ‘Vulnerability Reward Programs (VRPs)’ where hackers get paid upto $100,000 for detecting loopholes in the system. Major companies like Google, Apple, Yahoo, Intel and Cisco all have similar programs to help maintain strong firewalls against hackers.

Kanaad Pathak, Ethical Hacker and Developer said, “Such auditing is required for systems that deal with a large amount of public data or safety-critical systems.”

In India, however, white hacking is still a taboo and condemned by the government and private firms which makes it difficult for white hackers to function in the country. The Indian IT Act of 2000 which has not been amended in the last 10 years makes any kind of unauthorized access to a computer illegal. This Act is the greatest hurdle faced by ethical hackers as the Act has provisions for prosecuting hackers who expose the weaknesses of a firm.

Chirag Jariwala, a student from the SRM University of Science and Technology and white hacker said, “When a Tribune reporter pointed out physical security issues in Aadhaar (such as the access to all Aadhaar details for Rs. 500) the response from the government was not good. They filed an FIR against her.” Many Aadhar critics said this was another example of the government trying to silence someone who is reporting vulnerabilities in the Aadhar system. In February, a hacker who uses the pseudonym Elliot Alderson pointed out major security flaws in the mAadhar application. He was able to hack into and gain sensitive information like Aadhar number, information about government program beneficiaries etc.

”He added, “The government boasts that the Aadhaar system is secure but we all know the reality and loopholes are being pointed out by security researchers around the globe.”

Deepali, a cybersecurity consultant at Data Resolve, a data security company said, “In India, whenever a data breach or hack happens in an organization, it damages their reputation and they choose to keep it a secret. They don’t give that much importance to data security. Most of the people think, why would someone hack me or they think, maybe we’re secure or I’m not that important that someone will hack me.” Ethical hackers have proven to be indispensible in many instances, one such instance includes a hacker pointing out the lapses in Zomato’s internal servers. This helped Zomato patch up its vulnerabilites with the hacker’s help.

Soon after, Zomato created a ‘Bug Bounty Program’ with the suggestion of the hacker.

In another case, sensitive customer information was accessed by a hacker after he hacked into the servers of Tata Sky which compelled the company to fix the loopholes. But unlike Zomato, Tata Sky did not acknowledge the effort of the hacker and discreetly patched up their server. In 2016, when an infection hit the servers of several top banks, most of the banks denied any security breach.

Kanaad said, “The law still hasn’t caught up with the current technology, I’m not sure if efforts are being made to change these laws.”

Deepali said that most of the data breaches are not even revealed and companies don’t report such breaches to their users.

HYP3R PR3D@TOR, a hacker and law student said, “As a law student, I would say, the judicial officers are not aware of tech crimes”.

Ishwar Prasad Bhat, another hacker said that only a few companies in India offer a Bug Bounty Program.

Currently, Zomato and PayTM are the two major companies with a Bug Bounty program. Companies like Max Healthcare have no such programs in place but claim to get their systems checked by ethical hackers.