Getting paid for Hacking & Breaking Network Security

Thirty-four-year-old Atiqur Rehman Khan is an information technology enthusiast who spends a sizable part of his day detecting weaknesses in local and foreign computer networks. His objective is clear – to let the administrator know the vulnerabilities of the system, which could potentially cause serious financial losses. In return, he is rewarded in cash and kind.

“Most of the time, the response from a foreign enterprise is quite encouraging,” he says. “They appreciate an effort to disclose a bug in their network.”

Khan says the reward could be in the form of an acknowledgement of the administrator’s help on the company website and its monetary value may range from $2,000 to $20,000 per report, depending on the criticality of the vulnerability.

“It is a sizable amount,” he answers, clarifying: “that is so for reporting and not for fixing.”

“Patching earns a security solution provider additional money,” says Khan. He recounts accessing the admin panels of various country-specific domains of PayPal, eBay, etc.

Khan placed the logo of his cyber security solutions company on the landing (main) pages of the international payment gateway PayPal with domain names such as .ca, .de, .fr, etc.

These ventures are known as “bellwethers” in the ecommerce industry. Therefore, their acknowledgement of Rehman’s reporting was obvious.

Author: Tariq Ahmed Saeedi
Source: Hacking: boon and bane
Publication: Money Matters (Jang Group) - May 27, 2013 Issue

Unfortunately, Pakistani enterprises do not understand the significance of having a sound and secure cyber presence, say IT experts here.

Their reasoning is simple. When a foreign venture, using advanced technology and a strong firewall, may be vulnerable to cyber attacks, how can a Pakistani venture, featuring less sophisticated technology, be cyber-secure?

Khan has received a positive response from the banking sector. He detected a bug in the website of a leading private bank. “I can’t disclose the name of the bank, with which I am in negotiations at the moment,” he says.

Hacking is not a new term. It has been in use for the last five decades, which is how long we have been interconnecting a set of computers/servers. In the past, hackers were known for their ability to spot weaknesses in a system and exploit them for personal gain. These days, computer geeks enjoy considerable prestige for alerting IT-dependent enterprises to their vulnerability to a cyber intrusion.

In cases where information and communication technology are core components of companies, they allow penetration testing of their computer network to find loopholes in their system and resolve them.

Apart from companies, defense and aerospace sectors also use the services of skilled hackers to prevent cyber espionage by other hackers motivated by malicious intent.

“Cyber criminals and hacktivists will strengthen and evolve the techniques and tools they use to assault our privacy, bank accounts, mobile devices, businesses, organisations, and homes,” stated the McAfee 2013 Threats Predictions report.

“Near-field communications-enabled phones are becoming more common. As users are able to make “tap and pay” purchases in more locations, they’ll carry their digital wallets everywhere. That flexibility will, unfortunately, also be a boon to thieves,” it added.

Companies and governments allocate resources to build defensive shields against cyber attacks and ward off threats to public property and life. Recently, a cyber intrusion on the Iranian nuclear facility has been reported in the media. A tussle between the US and China over Internet theft is also ongoing.

The hacking industry is growing on the free flow of information over the Internet. Books on hacking techniques and e-tutorials can be downloaded from the Internet.

Senior IT expert Sultan Hamdani says one can use Google and other search engines to learn how to hack. There are numerous tutorials available on the Internet whereby one can learn the basics of hacking; advanced courses are also available, he adds.

Others say it’s not quite so simple. Afaque Ahmed of Breezecom says hacking is a science that also requires a degree of creativity for the hacker to play with codes.

The community of charity (good) hackers in Pakistan also fears legal prosecution against them in case of reporting a bug, comments a programmer. They say that administrators of infected systems do not take too well to any attempt that identifies weaknesses in their system.

“An executive of a bank was infuriated when I told him about the vulnerability of the bank’s network,” recalls Rehman. “He could have accused me of hacking,” he says.

Unlike developed countries, in Pakistan, there are no comprehensive laws on the subject of cyber crime, which could govern all aspects of the information and communication technology sector.

“It is not all about the law; rather, how it is being enforced,” argues Ahmed. “In developed countries, if there is a law to control cyber crime so is the ability to trace suspects and crimes,” he says. There are disclosure terms and conditions related to bug reporting governed by a relevant law in those countries, adds an expert.

In Pakistan, law enforcement agencies do not know which provision within the present legal framework should be invoked to prosecute an electronic offender. Subsequently, victims do not know how to seek justice.

The government enforced the Prevention of Electronic Crime Ordinance 2007 and made the Federal Investigation Agency with a special wing of the National Response Centre for Cyber Crimes (NR3C) responsible for tackling all kinds of electronic offences in the country. However, the ordinance has lapsed.

The objective of establishing the NR3C is not only to develop a mechanism to fight against electronic fraud but also to educate people about cyber crime. However, this wing has been reduced to a weak institute sans comprehensive laws and regulations.

“Now, what we have is the Telegraph Act to deal with an e-crime,” says a senior FIA official, who requested anonymity. Section 36/37 of the Electronic Transactions Ordinance is also invoked to prepare a charge sheet against a suspect.

In some cases, the application of this section is ridiculous, remarks Ahmed, who represented Pasha in the government-constituted committee, which drafted the cyber crime bill. The bill has been gathering dust in the power corridor for some time now.

“When a person is arrested in connection with a cyber crime, he is prosecuted under irrelevant sections of the given law. Technical knowledge is low and so people cannot question its relevance,” he says.
