Hackers. Faceless people who deface government Web sites, who can peek into your computer without you knowing. What are they like? Forbes India asked Akash Mahajan, a Certified Ethical Hacker, for a few insights into the shadowy world.
Hackers — the good guys — are different from crackers, who have nefarious goals. Does it bug you that everyone uses the term 'hacker' for both?
It used to. Then I realised that while some can't be bothered, most people just don't know the difference. A hacker is simply someone who finds a novel way of doing something. When people site has been "hacked," the correct term is usually "defaced."
How do you become a hacker or a cracker? Can anyone learn?
Do you have a natural tendency to ask the question "why?" If you revel in the challenge of failing and asking why do these rules apply, what would happen if I try something else, if you start getting answers then you are already a hacker.
To learn, get a good grasp of Windows and Linux and at least one scripting language. Learn the fundamentals of TCP/IP. It will take some time but if you are determined you will become skilled. What you do with your skills after that is up to you.
What is the most vulnerable area of a Web site?
The part where the site code talks to the database in the backend, like a log-in form, or a page which fetches data based on some numeric id. Using specially-crafted code, malicious users try to extract data from the database itself. There are a lot of easy-to-use tools available, and lots of vulnerable websites, so this is one of the most tried attacks. A variation is to insert malicious links which can infect the computers of the site's users.
Which is the most dangerous kind of hacking?
Anything that tampers with control systems for mechanical or electrical devices, like lifts, assembly lines, medical devices etc. For example, there's a rumour that when the Israelis bombed a fairly inconspicuous place in Syria, their hackers first disabled air defence radar systems.
Are there forums where notorious hackers share ideas?
"Notorious" is subjective. If you went looking for criminals who deal in stolen credit cards, bank accounts they usually set up invite-only forums. A famous example: Shadowcrew, which was busted by USA's FBI. Many folks interested in web-related hacking and cracking follow mailing lists like Full Disclosure and Bugtraq, and websites like milw0rm. A lot of my friends are part of null.co.in, where we learn, discuss hacking techniques, get better at computer security and take part in hacking challenges that we set up.
Is there a competition hackers aspire to win?
The ultimate hacker conference is DefCon, which happens every year in Las Vegas. Their "Capture The Flag" tournament would be one competition most hackers would want to win. For most of us here in India, going to Defcon is a pipe dream. But there's the pre-nullcon hack challenge and the nullcon CTF. In the last pre nullcon hack challenge, more than 2000 people started; eventually only 5 people finished it fully.
Any country that is a hotbed for hackers?
Name a country and it has people doing malicious things for money, ideology and many times just for fun. According to people who make it a business to know, even Nepal and Bangladesh have very active hacker communities. A lot of political hacking happens due to the Israel/Palestine situation. Many hackers from Turkey are also extremely active.
What is the biggest financial fraud committed by hackers?
The TJ Maxx incident: hackers stole over 45 million credit cards and debit cards. Just in terms of number of accounts stolen, this was the biggest theft ever. Almost everyone involved has been apprehended, and they are serving long jail sentences.
What's a hackers biggest fear?
Getting hacked. Hackers and crackers are extremely paranoid about their online activities; it would be the ultimate embarrassment to get hacked themselves. It has been known to happen. One of the most respected security professionals, Dan Kaminsky, was hacked a couple of years ago. The people behind it posted his personal emails, torrent history, filenames and lot of passwords on public mailing lists.
Chinese and Pakistani hackers 'wage war' on countries and corporations that they think are enemies. Are there similar Indian communities?
Many! Google is your friend; they aren't very difficult to find.
In India, where can you find the most hackers?
Time and again I end up meeting from three cities more often than others; Delhi, Pune and Hyderabad.
Which is the most hacked website?
No idea. But most of Indian websites I encounter have major security issues. Most of them could have been hacked many times over. A lot of networking equipment owned and run by Indian ISPs is vulnerable.
Easiest way to avoid a hacker's attack?
Get off the internet! Seriously, if you are worried about getting hacked, reduce your vulnerable 'surface.'
This could mean not using the most common operating system, web browser or PDF reader. Never clicking on a file that is not from your computer system. Never plugging in a USB or CDROM.
Has any hacker been able to infiltrate BlackBerry servers?
I don't have any information on this. Most times hackers/crackers look at the easiest way in. Like installing spyware on your phone, or compromising your Bluetooth service.
Are there any legendary Indian hackers?
I don't know any. And yes, being good at working the press doesn't make you legendary!
Have you read The Girl with the Dragon Tattoo? Do you think it portrays a realistic image of
the hacking world?
Haven't read it, but now that you've mentioned it, I will. The most realistic hacking I have ever seen in a movie is in The Matrix Reloaded. On an old UNIX terminal in a power station, Trinity uses a tool called nmap to find a vulnerability in the software and exploits it to get elevated privileges. The nmap website has stills from that scene even now!
If you are looking at fiction which portrays real world hacking, try the Stealing The Network series: How to Own the Box; How to Own a Continent (the best of the lot); How to Own an Identity.
Do your parents know you are a hacker?
My parents know that I am security professional. They didn't know when I started. They are very proud when I do well, like any parents. My mother was extremely happy when I won a free stay in Goa after I won the pre nullcon hacking challenge.
Akash Mahajan (akashm.com) is a security consultant who hacks Web sites to assess their security; he's had experience in application and network security. He currently heads the null Bangalore chapter (null.co.in)