An IT Security Expert Talks about “Anti-Hacking”
Kirit Sankar Gupta #TalkbackTuesday
Hi, and welcome to #TalkbackTuesday. This week’s interview is with Mr. Kirit Sankar Gupta. See his interview below.
Talkback Tuesday is a weekly interview with everyday people. It is always inspirational to look into the life of another person and realize it is just as complex and large and confusing as your own.
1. For the readers, who are you, what do you do, and what is your current side project?
Hi, my name’s Kirit Sankar Gupta. I am an “anti-hacker” of sorts, which I provide as a service via my company (based out of Kolkata), Indian School of Anti Hacking. In addition, I’m also currently engaged with Intel and leading their Indian Pentesting Team.
I don’t get too much time for side projects, but something I’m very interested in is improving the security of open-source code which is assumed to be bug-free and used pretty much everywhere from Facebook to Google servers.
At a Glance: Kirit runs an ethical hacking company and works with Intel. All his projects revolve around improving IT security.
2. What kind of security risks does open-source code have? What excites you about the prospect of improving this code, and what drew you to “anti-hacking” in the first place?
I’ll start with the last question first to maintain chronological order. Hacking was something that interested me ever since school. I still remember the time when our labs had protected administrator accounts. We were given limited permission accounts and [I remember] the sense of achievement I got by being able to bypass them.
However, as time passed, I started focusing more on why a security problem (referred to as a vulnerability from this point forward) is present and, if it is, why it poses a risk in the first place. I guess these questions got me into the white-hat hacking business that I am in right now.
This is also exactly what excites me about the prospect of fixing software vulnerabilities in open-source code. It is a huge challenge to find these kinds of bugs in 15-year-old projects that the world can see and download. Something that has been eyeballed by a million other people besides me.
So finding an issue in something like an image-processing library that’s a de-facto standard everywhere requires really understanding how it works at a code level. The challenge is in figuring out where the issue lies in the algorithm.
I do it both for the challenge as well as to benefit open-source software in general. I benefit in turn, since every finding gives me a CVE that I can add to my collection.
As for what kind of bugs are there, imagine being able to upload an Instagram photo that is processed by this open-source library. In the past 2–3 months, I have reported issues with images that could do everything from simply crashing and rebooting the server to fetching me file contents (like passwords and source-code) from the server itself, all just by uploading a crafted image and triggering some edits/operations on it.
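The bug class Kirit describes, a crafted image whose declared sizes the decoder trusts, as an added example that is not part of the interview and not code from any library he tested: a minimal PNG chunk walker in Python that bounds-checks every chunk length against the real file size, verifies each chunk CRC and enforces a pixel budget before any pixel data is decoded. The PNG files it checks are constructed inline (a valid one, one with a hostile chunk length, one with a tampered CRC and one declaring a huge canvas); `max_pixels`, `check_upload` and the other names are illustrative assumptions.

```python
"""Added example: treat every length and dimension field in an uploaded
image as attacker-controlled.  Decoder bugs of the kind described in the
interview usually start with a parser trusting one of these fields."""
import struct
import zlib

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"


def iter_png_chunks(data: bytes):
    """Yield (type, payload) per chunk; raise ValueError instead of reading
    past the buffer or accepting a chunk whose CRC does not match."""
    if not data.startswith(PNG_SIGNATURE):
        raise ValueError("not a PNG file")
    pos = len(PNG_SIGNATURE)
    saw_ihdr = False
    while pos < len(data):
        if len(data) - pos < 12:  # length(4) + type(4) + crc(4)
            raise ValueError("truncated chunk header")
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        # A hostile length field would run off the end of the file.
        if length > len(data) - pos - 12:
            raise ValueError(f"chunk {ctype!r} claims {length} bytes, file too short")
        payload = data[pos + 8:pos + 8 + length]
        (crc,) = struct.unpack(">I", data[pos + 8 + length:pos + 12 + length])
        if zlib.crc32(ctype + payload) != crc:
            raise ValueError(f"CRC mismatch in chunk {ctype!r}")
        if ctype == b"IHDR":
            if length != 13:
                raise ValueError("IHDR must be 13 bytes")
            saw_ihdr = True
        elif not saw_ihdr:
            raise ValueError("first chunk must be IHDR")
        yield ctype, payload
        pos += 12 + length
        if ctype == b"IEND":
            return
    raise ValueError("missing IEND chunk")


def png_dimensions(data: bytes, max_pixels: int = 50_000_000):
    """Validate the whole chunk structure, then return (width, height).
    max_pixels is an assumed site policy: a tiny file must not be allowed to
    declare a canvas the decoder would try to allocate in full."""
    chunks = list(iter_png_chunks(data))  # walks every chunk, fails on the first bad one
    _, ihdr = chunks[0]  # the iterator guarantees the first chunk is IHDR
    width, height = struct.unpack(">II", ihdr[:8])
    if width == 0 or height == 0 or width * height > max_pixels:
        raise ValueError(f"rejecting {width}x{height} image")
    return width, height


def check_upload(data: bytes) -> str:
    """What an upload handler would log: accept with dimensions, or the reason."""
    try:
        w, h = png_dimensions(data)
    except ValueError as exc:
        return f"rejected: {exc}"
    return f"ok {w}x{h}"


# --- constructed sample inputs (not real files from any report) ---
def _chunk(ctype: bytes, payload: bytes) -> bytes:
    return struct.pack(">I", len(payload)) + ctype + payload + struct.pack(">I", zlib.crc32(ctype + payload))


def _ihdr(width: int, height: int) -> bytes:
    # 8-bit greyscale, default compression/filter/interlace
    return struct.pack(">IIBBBBB", width, height, 8, 0, 0, 0, 0)


def build_png(width: int, height: int) -> bytes:
    """Minimal valid PNG: one filter byte plus `width` zero pixels per row."""
    raw = (b"\x00" * (width + 1)) * height
    return PNG_SIGNATURE + _chunk(b"IHDR", _ihdr(width, height)) + _chunk(b"IDAT", zlib.compress(raw)) + _chunk(b"IEND", b"")


def crafted_oversize_chunk() -> bytes:
    """IDAT header claiming 4 GiB of payload that is not there."""
    return PNG_SIGNATURE + _chunk(b"IHDR", _ihdr(2, 2)) + struct.pack(">I", 0xFFFFFFFF) + b"IDAT" + b"\x00" * 4


def crafted_bad_crc() -> bytes:
    """Valid file with the last byte of the IDAT CRC flipped (IEND is the final 12 bytes)."""
    data = bytearray(build_png(2, 2))
    data[-13] ^= 0x01
    return bytes(data)


def crafted_pixel_bomb() -> bytes:
    """Structurally valid file that declares a 100000x100000 canvas."""
    return PNG_SIGNATURE + _chunk(b"IHDR", _ihdr(100000, 100000)) + _chunk(b"IDAT", zlib.compress(b"\x00")) + _chunk(b"IEND", b"")


if __name__ == "__main__":
    for sample in (build_png(4, 3), crafted_oversize_chunk(), crafted_bad_crc(), crafted_pixel_bomb()):
        print(check_upload(sample))
```

The point of walking every chunk before decoding is that the rejection happens on a few hundred bytes of untrusted input, in code that never dereferences an attacker-supplied offset; only files that pass get handed to the real decoder, and the pixel budget caps what that decoder can be made to allocate.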
3. Tell me about Indian School of Anti Hacking. What services do you provide, and what inspired you to name it like it is? What do you personally think is its biggest strength?
ISOAH provides two kinds of services: Vulnerability Assessment and Penetration Testing (VAPT) and Training.
VAPT services are basically like a company reaching out to us because they think they have been hacked or they are afraid of being hacked. We are asked to go through their IT infrastructure and applications to find out all the ways in which a malicious hacker can get access to their data or network.
Besides that, we also have two training wings. The Corporate wing provides training to sysadmins and developers of the company, as a value-addition to the VAPT services, so they know how they should do things moving forward. We also have a student training wing, for college students who are interested in getting into this domain but don't know where to start.
It’s a sad truth that the awareness of security, in general, is terrible in India and even worse in our region. We reported issues to banks and e-commerce websites and they took 3 years to just fix them properly.
This kind of flows into the second question, why the name. The company initially started off as Indian School of Ethical Hacking. However, a common question we faced whenever we pitched our services was “How can hacking be ethical? Are you taking permission to steal money?”
Sadly, hacking is equated to stealing. That's how bad the awareness is. After this, we changed our name to Anti-Hacking to better explain what our goals are. Also, this opened up a more personal goal of actually educating the companies here about security and the risks they face if it's not taken care of properly.
As for our biggest strength, that would be the person with whom we started ISOAH, Sandeep Sengupta. He has worked for half his life in this domain, in 3 different countries and with clients like central governments, military, and banks. He is also my mentor and a very big inspiration for me.
Also, I should say that being a small team in a niche helps. That’s another one of our strengths. Less time is spent on process and people management, leading to very quick response and lead-up times.
At a Glance: ISOAH provides security testing and training to companies, as well as a training option for college students. They call themselves anti-hackers because people don’t understand how hacking can be ethical. Their primary goal is awareness and appreciation of security.
4. Fantastic. So if you had to give a crash course on Ethical Hacking, what are the three things you would focus on the most?
How networks work (and break), coding (from C to Java / Python / PHP) and their associated flaws and finally how Operating Systems work (and break, once again).
Penetration Testing (that’s what we all prefer to call it over hacking) is more about knowing how things work so that you can figure out the flaws in their operation. [It’s not] what you usually see in movies about running a bunch of tools and blowing up America.
Mr. Robot gives a good impression of how hacking works in the first place, analyzing system/people behavior, finding flaws and then going for the actual hack.
5. Great. Finally, what can you leave the audience with? What should they explore next?
This question makes me wonder how many readers were actually aware that the underlying security issues that I mentioned earlier exist and are possible. Maybe something we can look at in the comments.
But I know that a vast majority of people you’ve interviewed earlier are entrepreneurs relying on IT (who doesn’t?) to help their business. Using IT comes with its associated risks, which are pretty massive.
So it is definitely something you should stop and think about before you grow. That is when competitors will start looking for ways to bring you down, and weak operational security is the easiest way to go down. If you need any help or advice on that, you know whom to ask now.
Thank you for reading Talkback Tuesday! Did you enjoy it?
Next, check out the previous interview from last Tuesday with Amogh Jain. He is an advertiser and entrepreneur who has both started a business and performed at his first open mic in the last few months.