In the space of one hour, my entire digital life was destroyed. First my Google account was taken over and then deleted. Next, my Twitter account was compromised, and used as a platform to broadcast racist and homophobic messages. And worst of all, my AppleID account was broken into, and my hackers used it to remotely erase all the data on my iPhone, iPad, and MacBook.
This is not a sci-fi movie but a real incident that happened to Mat Honan, a reporter, in 2012. In today’s super-connected digital world, it shows how crucial internet security is. In 2014 alone, over 42 million cyber attacks were estimated across the globe, 48% more than in 2013. Recently, some of the top Indian startups like Ola, Zomato and Gaana.com were hacked, putting millions of users’ data at risk.
Security is no longer a luxury; it is a necessity. This week’s Techie Tuesday spends most of his time understanding, breaking and fixing products, and on other security-related research. He is on the security research Hall of Fame at Google, Facebook, Adobe, Mozilla and Twitter through their bug-bounty programs.
Riyaz Ahemed Walikar is a web application security professional and a penetration testing engineer. He is responsible for identifying and exploiting vulnerabilities in websites and other digital assets. Having spent a considerable part of his life in Goa, Riyaz’s story is as interesting as it is insightful.
An astronomer, a teacher, maybe an astrophysicist, how about a pilot…
In his childhood, Riyaz was active to the extent that he could conveniently be called a nuisance maker. Neither of his parents had been able to go to college, so they made sure that their kids understood the importance of education. In his school days, he had a different answer to the question ‘What do you aspire to become?’ in almost every other class. In seventh grade he wanted to become an astronomer, and in eighth he aspired to become a teacher. His aspirations later changed to astrophysicist, pilot and doctor. He recalls,
I just wanted to be satisfied with life. If I’m able to help people and contribute to the country (and planet) moving ahead, I will know that I have played my part. I think I’ll be successful then.
Riyaz was introduced to computers in ninth standard, but he couldn’t afford one, so he helped with cleaning and dusting the computers and doing library work in exchange for access to the systems. He liked biology in his 12th standard but couldn’t clear the cut-off for the only government medical college in Goa. The other college’s fee was Rs 18 lacs, so he opted for engineering instead, driven by his renewed interest in computers.
Authoring a 400-page book by third year of engineering college!
Riyaz took admission into electronics & telecommunication because of two major reasons:
- His father’s friend claimed that there was no future in computers, while electronics & telecom had good scope.
- He thought he could learn computers from the very basics including microprocessors and hardware.
Riyaz had C++ and microprocessors in his first year and excelled in both. However, this made him realize that his love for computers would not be satisfied if he continued in his current discipline. He decided to learn computer science without any formal education. He says,
Mr. Sandesh Patil and Ms. Razia from the IT department were very fond of me because of my interest and skills in computers and supported me. Even though electronics students didn’t have access to the full-fledged computer lab, I was given access to the IT labs, where I learnt whatever I could on my own.
By the second year, Riyaz was already coding in C++ and Visual Basic. In the same year, the Goa state government was distributing computers along with a printer for only Rs 1000 to students of classes 11 and 12. His brother was an 11th grader, and Riyaz convinced his parents to get the computer. Within 10 days of getting the desktop, he had already opened it up and was working on it, referring to Stephen J Bigelow’s book ‘Troubleshooting: Maintaining and Repairing PC’s Hardware’.
When he was introduced to the Squid proxy server, where HTTP requests are sent to Squid instead of directly to the internet, his curiosity pushed him to read up on how such things could be broken into. He was often denied access to many networks and controls, which annoyed him even more. In his third year, Riyaz wrote a program to control another system, which let him send a message to the handler, control the system’s mouse, take screenshots, and log and display keystrokes in real time. He could completely control the system while the program was running. Little did he know that these would be the baby steps towards a lasting interest and career in network security.
Ineligible to appear for job interviews but eligible for jobs
By the end of his third year, Riyaz had finished a 400-page book titled ‘Beginner’s Approach to Windows’. Riyaz wasn’t eligible for campus placements because he had scored only 56% over his five semesters, while the minimum requirement was 60%. He nevertheless went along with his batchmates for the placements as a representative of the placement committee. He knew what kind of questions would be asked at the interviews and trained students by running mock tests. When Microland came for the placements, Riyaz attended the company’s session, conducted by their representative Arul Raj and his colleague. He recalls,
I wasn’t eligible for the interviews so I wasn’t paying attention. They spoke about how they were helping other companies with security with their team of official penetration testers. Till then, I had never known of any such profession and that very moment I decided to be one of those people.
He went to the placement officer with his resume and a copy of his book. Though the officer allowed it, Arul (the company’s representative) did not agree to Riyaz’s request for an exception. The compromise was that he would appear for the technical test only if he cleared the aptitude test with the highest score. As a result, Riyaz faced a grilling four-hour technical test. He was given a job offer that would be void if his aggregate graduation score turned out to be less than 60%. He managed 60.2% at the end.
Network of network security
Riyaz was fascinated by the idea of working on network security during his training at Microland. At the end of it, he was the only trainee put in the testing team. Only later did he learn that Arul had chosen him for the team on the day of the interview itself and communicated this to the company.
In his four and a half years at Microland, Riyaz learnt a lot in the field of vulnerability assessment and network security. Today, security is the ‘elephant in the room’ and a very important aspect of the digital world. He went to Qatar for a month to work with a client on a project, demonstrating how the client’s wireless network (and its data) was exposed to external attacks. He says,
We were able to break into almost everything. At the end, we gave them recommendations on how to make their systems more secure.
His curiosity took Riyaz to null, India’s largest open security community, where people learn and teach everything about security: hardware hacking, malware analysis, digital forensics, web application security, internet-connected devices and anything else hackable. There he also met Akash Mahajan, founder of the community’s Bangalore chapter, who continues to be a close friend. He says, "More than half of what I know comes from sessions at null. The community fuelled the passion in me."
Riyaz became the chapter leader in 2010 and later handed the role to younger members. He learnt how hackers can play on FUD (fear, uncertainty and doubt). He is also associated with OWASP (Open Web Application Security Project), where he heads the Bangalore chapter along with Akash and Prashant KV.
Riyaz’s claim to fame came in December 2012, when he was invited to speak at the Black Hat conference in Abu Dhabi, one of the premier information security conferences in the world. Earlier, he had spoken at OWASP Texas, USA. He had submitted a paper to the web app security conference discussing a vulnerability in web apps that allows an attacker to use the web application’s server resources to target other networks. This class of vulnerability is called Server Side Request Forgery (SSRF) or Cross Site Port Attacks (XSPA), catalogued as CWE-918.
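The defensive side of the SSRF/XSPA problem described above is a question of what a server will fetch on a user’s behalf. The following is an added example, not code from the article or from Riyaz’s talk: a pre-fetch check that a web application can run on a user-supplied URL before making the outbound request. It refuses non-HTTP schemes, IP literals (including private, loopback and link-local ranges, detected with Python’s `ipaddress` module), unexpected ports, and any host not on an allowlist. The allowlist entries and sample URLs are constructed for illustration.

```python
"""Added example (not part of the original article): a server-side check run
before a web application fetches a user-supplied URL, to reduce the risk of the
SSRF / XSPA class of bug (CWE-918). Hostnames and URLs here are constructed."""

import ipaddress
from urllib.parse import urlsplit

# Hypothetical allowlist of external hosts this application may fetch from.
ALLOWED_HOSTS = {"api.example.com", "cdn.example.org"}
ALLOWED_SCHEMES = {"http", "https"}
ALLOWED_PORTS = {None, 80, 443}  # None means the scheme's default port


def check_outbound_url(url: str, allowed_hosts: set = ALLOWED_HOSTS) -> tuple:
    """Return (allowed, reason) for a URL the server is asked to fetch.

    Rejects anything that could turn the server into a pivot towards internal
    networks: non-HTTP schemes, IP literals (with a specific reason when the
    address is non-public), unexpected ports, and hosts not on the allowlist.
    """
    try:
        parts = urlsplit(url)
        port = parts.port  # raises ValueError on a non-numeric port
    except ValueError as exc:
        return False, f"unparseable URL: {exc}"

    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return False, f"scheme not allowed: {parts.scheme!r}"

    # .hostname is lowercased and has userinfo ("user@") and the port stripped,
    # so "http://api.example.com@10.0.0.5/" yields the real host, 10.0.0.5.
    host = parts.hostname
    if not host:
        return False, "missing host"

    if port not in ALLOWED_PORTS:
        return False, f"port not allowed: {port}"

    # IP literals: report private/loopback/link-local ranges explicitly, and
    # refuse public literals too, since the allowlist is made of hostnames.
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        addr = None
    if addr is not None:
        if not addr.is_global:
            return False, f"non-public address: {host}"
        return False, "IP literals are not allowed; use an allowlisted hostname"

    if host not in allowed_hosts:
        return False, f"host not on allowlist: {host}"
    return True, "ok"


if __name__ == "__main__":
    # Constructed sample inputs a user might submit to a URL-fetching feature.
    samples = [
        "https://api.example.com/v1/items",
        "http://127.0.0.1:8080/admin",
        "http://10.0.0.5/",
        "http://[::1]/",
        "file:///etc/passwd",
        "http://api.example.com@10.0.0.5/",
        "http://internal.corp/",
    ]
    for sample in samples:
        allowed, reason = check_outbound_url(sample)
        print(f"{'ALLOW' if allowed else 'DENY ':5} {sample}  ({reason})")
```

A hostname allowlist is necessary but not sufficient on its own: in a real deployment the fetching code should also resolve the allowlisted name, apply the same non-public address check to the resolved IP, and make the connection to that checked address, so that a DNS record pointing an allowlisted name at an internal address does not bypass the check. Disabling automatic redirect-following in the HTTP client, or re-running this check on each redirect target, closes the other common bypass.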
What’s wrong with our security?
In one assignment, a security assessment of one of the largest payment gateways after its database had been hacked, Riyaz found that the cause was a broken system. This happened even though government regulations require websites to pass certain security tests to be eligible to become a payment gateway or a similar carrier of data. He says,
We’re heading to times when everything is connected and we cannot take risks. This decade is witnessing an IoT (Internet of Things) revolution, and security (in relation to the IoT) becomes even more crucial with its connectivity.
There are examples in today’s world where hacking could put lives at risk. Whether it is controlling a pacemaker or a flush (over Bluetooth) or controlling a plane by hacking into its systems, merely sending packets of information could kill people. There is a constant fight between security and state-sponsored cyber terrorism. A much-discussed example is Stuxnet, a computer virus discovered in 2010 that specifically attacked Windows machines and was aimed at shutting down the nuclear reactor.
What is lacking?
According to Riyaz, developers do not understand the importance of security or what its absence can lead to. Most of their technical (code) learning comes from Google searches, which often turn up results that make websites functional but not necessarily secure.
There is also a constant struggle to balance the triangle of security, usability and functionality: the more secure something is, the less usable and functional it tends to become. Riyaz says,
Most of the recent hacks could happen because people are not trained. It is important to look into security when you’re designing and building, it’s too late to do that while implementing. Some of the e-commerce firms pay a lot of money for security because they want to be proactive and not reactive.
Riyaz noted that when user data is hacked, the major threat is the misuse of PII (personally identifiable information).
Taking care of our security
At null, Riyaz and his colleagues teach for free. In their individual capacities, they also run training in government offices, schools and colleges. He says,
At our conferences, many officers from the state police departments, the armed forces, the Air Force, IAS, IPS, ministers, CEOs, CTOs and other decision makers attended the sessions on security. It is very important to ensure that everybody who has anything to do with computers is secure.
Riyaz offers the following three pieces of advice for everyone as a parting thought on security:
- Not everyone you meet or everything you read on the Internet is true. There are a lot of charlatans amongst the real contributors to the field of computer security.
- Ensure that you treat your data like your personal belongings. Don’t leave them unattended for people to find and misuse.
- Be aware of the complexity of the connectivity around us. Anything you do or say can cause a completely different event in a completely different part of the world (the butterfly effect).
(The views expressed here are solely those of Riyaz in his private capacity and do not in any way represent the views of his current or previous employers.)