How Nepal's ethical hackers protect the country's cyberspace

In august 2011, Mark Zuckerberg's Facebook profile stated that he’d quit his job. This life-event post on Zucker­berg’s profile made headlines across online news sites like fossbytes.com, venturebeat.com and thehackernews.com. This post was also used as click-bait content on many social media sites. Unbeknownst to many neti­zens, Zuckerberg’s profile had been hacked by a local Nepali ethical hack­er, Sachin Thakuri. While the status update was making news in the online community, Thakuri had hacked and already even reported the exploit to Facebook officials. As of to­day, the URL exploit used by Thakuri has been fixed, he has been included in Facebook’s hall-of-fame, and the social media mogul, Zuckerberg, still retains his post.

This Facebook exploit, which was a form of a bug bounty hunt—an open call for all hackers to try and hack into different organisations’ systems for a price—garnered international fame for the Nepali hacker and also shed light on one of the most important aspects of a digitised world—securi­ty. Nepal’s cyberspace has been ex­panding rapidly and is almost on par with the rest of the world because of localised services like digital wallets and internet banking; but as much as the growth in Nepal’s cyberspace has been exponential, the majority of local websites and web-services still have sub-par security. This has, according to security personnels, led to a host of criminal activities in the Nepali webspace, ranging from the run-of-the-mill hacks by local geeks to ATM fraud and international hackers visiting Nepali sites in order to exploit their vulnerable cyber security.

“Threats to cyberspace in a more and more digitised nepal have made it necessary to improve cyber security"

Threats to cyberspace in a more and more digitised Nepal have made it necessary to improve cyber securi­ty. Fortunately, there are more than a handful of ethical hackers and cyber security experts working tirelessly to secure Nepali cyberspace against at­tacks. Ethical hackers in Nepal—who have managed to identify security flaws in highly secure systems like Facebook’s, Google’s, YouTube’s and Yahoo’s for bug bounty hunts—have also been working to test and fix sys­tem loopholes in order to secure a company’s internal data. And in the thriving Nepali cyberspace, the need for ethical hackers like Thakuri has become crucial to ensure safety of digitised information.

Since Nepali systems are suscepti­ble to cyber attacks, the only line of defence that the systems have against these nefarious attacks are white hat hackers and cyber security personnel. White hat hackers, or ethical hack­ers, tend to hack into systems with­out any intent to destroy or defame the systems they hack into. Unlike black hat hackers, who tend to hack into systems to destroy them or for personal benefit, white hat hackers hack into systems to figure out ways to plug security holes to keep black hat hackers from gaining access to the systems. Many coders turn into white hat hackers by studying cyber security in college courses. Others, however, tend to start out as black hat hackers—to refine their skills; quite a few of these coders later utilise these skills as security professionals. But regardless of how coders turn into white hat hackers, they are required to use similar methods as black hat hackers do and think like black hat hackers would to remain a step ahead and ensure maximum security for the systems they work with.

But even though it should be a given that systems today need to be secure, not too many companies in Nepal have understood the importance of having an enhanced security system. Saroj Lamichhane, an established In­formation Security Consultant, who also works as an Information Security lecturer at Islington College, Kamal Marg, says, “The reason why Nepali systems are so vulnerable is that the business houses who make use of these online systems don’t think about cyber security very seriously. Many banks, for example, think that their systems are secure just because they employ international banking software. But many of these systems are far from secure. A lot of vulner­abilities can arise during the imple­mentation of these systems. These systems are also constantly updated, which means that with each update, a new vulnerability can rear its head.” He adds, “Many locally designed systems are even worse. Internation­al systems undergo rigorous securi­ty testing after the system has been coded, but many systems developed in Nepal don’t go through any of these processes.”

There are other additional reasons why Nepali systems are considered vulnerable. Some of these vulnera­bilities have to do with how recently the digital revolution came to Nepal. The country hasn’t been working with digitised information for very long, and our practices in building websites and web systems are not as refined as the practices of countries that have been working with the in­ternet for longer.

Vulnerabilities also arise when proper coding practices haven’t been implemented properly. Since a lot of the owners of websites and web systems want to cut costs during the design and development phase of the system’s being created, they commis­sion amateur coders to design their systems. The coding methods adopt­ed tend to be sloppy in such cases, and they are prone to security holes, which many criminal hackers can exploit. “I’ve been hacking for quite some time now,” says a Nepali coder (who has chosen to remain anony­mous for this article) who has tested quite a few Nepali sites. “And many coders here don’t really think about security. I’ve got into systems where coders for well-known companies haven’t even changed the default us­ername and password. I’ve even got into a few systems where a single line of code has gotten me past all of the systems’ security measures.”

Many hackers spot these vulner­abilities and hack into systems for fun, or to build their portfolios and improve their hacking skills. Black hat hackers additionally try to use the holes in a system for illegal per­sonal gains. In recent years, there have also been increasing numbers of international black hat hackers who come to Nepal to take advantage of the poor cyber security and hack into online banking systems for mon­etary benefits.

White hat hackers, on the other hand, tend to hack into systems to identify the vulnerabilities of the systems and ensure system safe­ty. The overall process of security assessment starts with the infor­mation-gathering stage, in which hackers coordinate with system im­plementers to understand the back-end of the system—this includes system coding language and serv­er-security implementation, among others. The information that is gath­ered helps white hat hackers figure out different ways of penetrating the system and learn how the sys­tem’s in-built security can be broken. During this phase, also known as the research phase, the white hat hackers also try to evaluate the overall secu­rity of the system and scrutinise the system for security holes that can be exploited. After adequate research has been done, white hat hackers at­tempt to figure out, for example, that should a hacker gain access to the system what kind of information the hacker can extract. This is the vul­nerability assessment phase. During this process, white hat hackers imple­ment different kinds of techniques like cataloguing assets and capabili­ties, assigning quantifiable value and importance to resources, identifying vulnerabilities, and mitigating the most serious vulnerabilities.

After this step, white hat hackers move to the penetration-testing phase. In this phase, the hackers brutally attack the system using all hacking tools available to them. Penetration testing is usually done in a white box environment, which means that the white hat hackers attack a system in a simulated space, and the company knows about the hacking attempts. The hackers are also given a free run of the system that the company is hav­ing assessed. This is a non-destructive way of hacking. Once the white hat hackers enter the system, they implement a back-door Trojan, which helps them enter and exit the system with ease. The back-door Trojan is put in place to identify what hacking attempts can do to the back-end of the system. It also helps security profes­sionals to understand how great the security vulnerability is. In the end, white hat hackers compile a report of all the vulnerabilities they have found and all the different methods they used to gain access to the system. Mea­sures for rectifying these issues can then be undertaken by the company’s in-house IT department, or could be outsourced to security professionals.

“We estimate that there are around 22-25 ethical hackers who know the ethical hacking process completely and are working professionally in Nepal,” says Bijay Limbu Senihang, Chief Technology Officer at Rigo Technology, a cyber security company based in the country. “Our cyber space is constantly under attack. We’ve seen hackers tourism in Nepal—where hackers from other countries visit Nepal for the purpose of hacking into our systems. And yet, even after international and local hackers get their hands on sensitive data, people here still don’t seem to be willing to hire security professionals to con­duct cyber security assessments. This could be because of lack of knowledge in Nepal of what white hat hackers can do, or because of businesses’ lack of knowledge regarding cyber security. It is absolutely imperative that we start securing our cyberspace if we want to prevent cyber chaos. The need for white hat hackers has grown over the years.”

Those few individuals who have understood the importance of cyber security have introduced a host of ethical hacking schools in Kathman­du. There are schools like Computer Point, Nepal Training Centre, SIIT Nepal and IT Security Nepal that of­fer ethical hacking courses to local students. These institutes are also responsible for showing students the alluring monetary aspects of becom­ing an ethical hacker. On average, one security assessment session earns a security firm close to Rs 18 lakhs, and white hat hackers receive a good amount of those earnings. The allure of finances, paired with the thrill of cracking a secure system, can make white hat hacking a desirable field to get into, and a growing number of Nepali students have been trying their hands at ethical hacking.

An added incentive for coders has also been the bug bounty programmes that international companies like Facebook, Yahoo, Twitter and Goo­gle encourage ethical hackers from across the globe to take part in. These companies ask hackers to find vul­nerabilities in their systems and pay them if they are able to crack into their systems. Sachin Thakuri and Prakash Sharma, both of whom are commemorated on Facebook’s Hall of Fame, have accumulated over USD 50,000 from various bug bounties.

The monetary incentives, the name, and the thrill of mastering the skills for white hat hacking have also made ethical hacking a desirable voca­tion for those hackers who haven’t received any formal training. “I’ve been working as an ethical hacker for quite some time now, even though I haven’t received any formal certifica­tion in the field,” says Nirmal Dahal, a 19-year-old Nepali ethical hacker who has received certificates of ap­preciation from companies like eBay and skarbol.com. “I’ve been hacking into systems and reporting them to system administrators, and in return, I get acknowledgements from them for my efforts. I would like to work for a cyber security company eventually, but for now, I’m just building my port­folio by participating in bug bounties and trying to find vulnerabilities in online systems.”

There is today a growing demand for white hat hackers in Nepal with the capabilities to defend the coun­try’s cyberspace. Today, everything from birth-certificates and citizenship information to driving licences has been digitised. The country’s institu­tions need to be able to protect sensi­tive information from people trying to use them in criminal ways. Com­panies need to realise the importance of cyber security because cybercrime is increasing by the day. “It is very important that companies take ap­propriate measures and work closely with ethical hackers to patch security holes in their systems that make them susceptible to hacking,” says Lamich­hane.