Amidst the technological prosperity of the 21st century, our lives and identities are to some extent connected to the virtual world. Following this dependency, comes the question of cyber security. With threats of cyber security being breached by hackers emerge the ethical hackers who hack, but with a licence, to identify loopholes in cyber security system. Bangladesh is also catching up the trend as a lot of young ethical hackers are working in this field. Talking to experts and industry members, writes Ishtiaque Foysol
Going down the rabbit hole
Where am I when I'm not in reality or in my imagination?
— Domenico in Andrei Tarkovsky’s ‘Nostalghia’
APART from the 90s hacker movies to the recent Noah Harari’s prophecy, a conscious observer cannot deny that the line between ‘real’ and ‘virtual world’ has become greyer as Elon Musk ‘reveals brain-hacking plans’ and Facebook ‘funds AI mind-reading experiment’.
On the one hand, creative criminal minds around the world are not only manipulating these sophisticated latest technologies or the devices connected to the internet, but the human brains in forms of pornography, blue whale challenge, triggering communal unrest using manipulated religious photos (Nasirnagar in Bangladesh on October 30, 2016), engineering elections in different countries or recent trend of spreading rumour over social media that claimed a number of innocent lives in lynching.
On the other hand, tech giants like Google and Facebook are also accused of stealthily mining users’ various forms of data, instead of gold, that would be invaluable in near future to exploit a huge number of human beings for social, economic and political purposes, according to experts.
Once science fiction or luxury has become inevitable part of life and the differences between human and machine are transforming into similarities.
All these issues have triggered the necessity of acquiring at least basics of how to live in the parallel universe of cyber world — the playground of ‘Mad Hatters’ and ‘Mad Haters’.
Hackers, cyber criminals and cyber security
MOST of us, blinded by the media and movie industries, often misinterpret the terms hacking and cybercrime by using them interchangeably. It is also hard to keep pace with the leapfrogging shiny technologies and harder to get deeper knowledge about how do they work under the hood.
So, the realm of cyber security remained vague as the aforementioned terms are closely related to it.
Let us start with some myth busters. Firstly, hacking is not something that is represented in movies and media; at all.
According to Richard Stallman, founder of Free Software Foundation and GNU project (to be precise the real Santa Claus), ‘playfully doing something difficult, whether useful or not, that is hacking. You can help correct the misunderstanding simply by making a distinction between security breaking and hacking — by using the term ‘cracking’ for security breaking. The people who do it are ‘crackers’. Some of them may also be hackers, just as some of them may be chess players or golfers.’
Hacking, apart from the technical world, also fits perfectly in arts, music, sports; each and every human activity being done from the ancient time.
Eric S Raymond, a hacker culture Zen Guru, says, ‘There are people who apply the hacker attitude to other things, like electronics or music — actually, you can find it at the highest levels of any science or art. Software hackers recognise these kindred spirits elsewhere and may call them ‘hackers’ too — and some claim that the hacker nature is really independent of the particular medium the hacker works in.’
Cyber security, in reality, deals with security in cyberspace, a networked world of humans and machines, where playful and professional hackers are continuously fighting with criminals to protect computers, networks, programs, data and most importantly humans from unauthorised accesses, manipulations, exploitations and attacks that are aimed for any form of harm.
Humans are, above all, the most sophisticated creatures developing technologies for their ease of living from the ancient time. Cyber criminals thus target two things — humans and the technologies.
The first one is social engineering while the later is digital forgery. In movies we are mostly misled by the over representation of digital forgery while the social engineering, that often comes more devastating — is mostly ignored.
Hacking as passion and profession
MD MUQEET Halim, chief executive officer of Bangladeshi cyber security firm Beetles, talked to New Age Youth as a cyber-security professional and shared his first-hand experiences.
‘Real hacking is totally different from what we watch in movies. For one thing, it is not possible to manually brute-force a 128 bit encryption as seen in the movie ‘Swordfish’. Also, there is no intense background music when we work. There is a lot of background work, understanding of the technology and research that goes behind each of our testing cases,’ he said.
‘A cyber criminal may be someone next to us in a public place or workplace’s cafeteria, or anywhere in the planet earth definitely not someone in hoodies, typing lightning fast random codes on a keyboard in a dark room.
Also, we do not really do all our work on a black screen with green binary sequences running up and down,’ Muqeet added.
According to him, the professional life in cyber security differs from the traditional concept of job. For regular professionals it is a regular job with good working hours while for the pen-testers or the hackers like flexibility in working hours and job conditions that naturally differs from Bangladeshi norms.
Security professionals, moreover, have a great responsibility to their clients and industry as they have to deal with a lot of confidential and sensitive data.
They must adhere to high moral standards and not to be compromised even accidentally, said Muqeet adding, ‘If we slip off, we put the client at risk and that is a burden we must bear.’
He explains the passion of the profession, ‘It is great. We get to break down walls and bypass security measures! It is interesting, challenging and at times highly frustrating and we love it. There is nothing like the thrill of implementing your own exploits and gaining access to a system, or from being able to correctly guess a password and bypassing controls.’
Marketplace, cyber security in Bangladesh and opportunities for youths
ACCORDING to Muqeet, importance of cyber security have drawn attention after the Bangladesh Bank heist in 2016 although people have been working in this sector in Bangladesh for long.
More people are online, businesses are moving towards the cloud technology as well as Bangladesh is becoming a global go-to hub for IT outsourcing and support.
Recent incidents have proven that technologically booming Bangladesh is becoming a regular target of cyber criminals from around the globe and this will increase.
‘But we must not let this deter us from the path that we are on, instead, we need to grow cyber awareness and more businesses need to realise the importance of spending on cyber security. Along with digital Bangladesh, we need to grow digital security,’ said Muqeet, the cyber security expert adding, ‘From our experience of having worked with over 30 clients for the past two years, in various industrial sectors, including the financial, we are overall weak and vulnerable to any major cyber incident.’
‘Due to lack of skilled resources with proper subject matter expertise, we tend to overspend on nonessential items and prioritise them as well, trying to go with the ‘recent trend’, in comparing us with a market with a more overall cyber security maturity.’
When asked about the academic background and certifications needed for youths interested to enter into this adrenalin pumping profession he said that their company looked for people with logical problem solving skills and passion in cyber security. They do not look for any specific academic educational background nor give any high importance to certifications for pen-testers as ‘the profession is all about skills that one accumulates and sharpens.’
What bare minimum everyone must know
CYBER security is all about protecting both human and electronic resources/data from unauthorised local and remote access, change or destruction.
Confidentiality, integrity and availability — known as the CIA triad — are the basic of cyber security.
Confidentiality means to keep the data private, only accessible to people it is meant for. Integrity is to ensure that the data, or the system itself, cannot be altered or changed without proper authorisation. And availability is to ensure that the system can be used when desired or as designed, explains Muqeet adding, ‘This is what any cyber security firm does. We ensure the CIA triad of an organisation. Recently though, it is now also practical to add another property, resilience, what ensures that a system will endure security threats, in the event of an incident, instead of critically failing, because, regardless of what happens, the business must go on.’
People, process and technology are inevitably connected to each other while in most cases people are the weakest among them. They have a tendency to go to random sites, clicking random links from unknown senders, providing personal data to invalidated sites in the hopes of a discount, using free Wi-Fi and then use that same device within the corporate network et cetera possess cyber threats.
Experts suggest end users for not to use public Wi-Fi and using easy to guess passwords like ‘password1234’ or mobile number and writing them down in diary, using two factor authentication and practicing good cyber hygiene for their security.
Muqeet also emphasised auditing IT infrastructure like that of an external financial audit once a year.
Uncanny social engineers: blue pill, red pill and the one mama gives
You have to understand, most of these people are not ready to be unplugged. And many of them are so inured, so hopelessly dependent on the system that they will fight to protect it.
— Morpheus to Neo in Matrix by Wachowski siblings
MOHAMMAD Asif Chowdhury, lecturer at the department of international relations of Gono Bishwabidyalay, talks about the gray line between the social and cyber world which is often exploited by social engineering — the extremely powerful tool often ignored by film and media.
‘When we talk about social engineering, some ideas come to our mind and those are manipulation, deception, influence, brain wash, propaganda, mob psychology, sense of insecurity et cetera. But the real thing is that society uses engineering to cope with new situation,’ he says.
According to Mohammad Asif, education policy has to be considered as social engineering too. Textbook contents to TV advertisements — everything is in the realm of social engineering.
‘At first I heard about social engineering from Karl Popper, professor at the London School of Economics and Political Science. He wrote several books on political philosophy. The most renowned of them is his 1957 book The Poverty of Historicism, in which he criticised historicism and proposed social engineering. By social engineering he means small changes are made to society in order to cope with the unpredictable future. Critics may term it the anti-communist propaganda. But many thought it is for the development of society.’
‘It may direct from political entities namely political parties or government or from social entities namely social leaders, religious leaders, sect leaders,’ said Asif Chowdhury, also a teacher of department of politics and governance of GB.
But these days, the meaning of social engineering has changed drastically. It has become the means of those who are commonly known as ‘hackers’. It has become the art of deception as popularised by Kevin Mitnick. Hypnotism, deception, manipulation and neuro-linguistic programming et cetera are attached to social engineering and make it more suspicious.
In recent time, social media takes the place of popular media. Its contents, freedom of the users and other flexible features contributed to its immense popularity. At the same time it also has some very dangerous security concerns, according to Mohammad Asif.
Personal securities as well as public securities are in danger when virtual and actual world are merged together. One such example is the recent series of lynching incidents took place in various parts of Bangladesh and India over child lifting rumours.
Cyber criminals make things viral on Facebook and YouTube. The rumours spread to the real world and there are some instances where people are killed by angry mob. ‘It is painful and pathetic that we are living in the very twenty first century with such stupidity. Social engineers (in positive sense like hackers) have to find out the causes behind this and law enforcers would take them away from the society,’ said the Gono Bishwabidyalay teacher.
In the past, politicians like Hillary Clinton and Donald Trump heavily relied on social engineering in order to capture political power by being elected as president of the United States of America. They assigned Facebook and other social media to reach and manipulate voters.
In the UK’s Brexit vote, one of the lethal weapons was Facebook. The social media secretly collected users’ social behavioural patterns, thought process and manipulated them in order to make Brexit possible.
In many instances marketing tactics like ‘micro-targeting’, ‘A/B testing’, ‘narrowcasting’, ‘choice modelling’ and ‘discrete choice model’ were assigned to influence social media users and they became weapons of mass manipulation, said Asif Chowdhury.
Academic study, professional training
TO KNOW about university programmes offered on cyber security, New Age Youth have contacted Dr Md Shariful Islam, professor and director of the Institute of Information Technology, University of Dhaka.
He says that the basics are taught in the regular courses like software security and other security related ones. ‘So, we have no specific department on cyber security. However, the students later develop their skills in professional life or through specialised trainings,’ Shariful Islam said adding that in every batch some of their students do research work on computer security fields.
Some globally authorised centres in Dhaka provide trainings and arrange international standard examinations like Certified Ethical Hacker (CEH) among others.
Certified Ethical Hacker, trademarked as CE|H, is an International Council of Electronic Commerce Consultants (EC-Council) authorised training-examination.
This is one of the most advanced ethical hacking courses that cover 20 of the most important security domains consisting of hacking techniques and tools used by hackers and information security professionals.
The CEH is a specialised training course for professionals like pen-testers, system administrators, network administrators, web managers, auditors and security professionals in general.
Selim Reza, assistant manager (education) of IBCS-Primax, says about the course details. IBCS-Primax is an EC council and ComTIA authorised training centre in Dhaka that provides CEH training and arranges online exam.
It is now providing the CEHv10 training that mainly focuses on security of cloud computing, mobile platforms, Internet of Things (IoT), backward compatible operating systems and newer vulnerabilities.
The 40 hour course costs Tk 50,000 that includes exam costs (excluding VAT and Tax), said Selim Reza adding that an examinee must obtain 70 per cent marks to pass the four hour examination by answering a total of 125 multiple choice questions.
New Horizons CLC, Dhaka, the franchise of New Horizons Computer Learning Center Inc, Conshohocken, Philadelphia, USA, also offers CEH and other security trainings. Their website contains a precise ‘career map’ for cyber security enthusiasts.
Md Majedul Islam, centre-in-charge of New Horizons CLC Gulshan Branch informed about the syllabus. ‘The institute teaches students, like other training centres, the core 20 modules of CEH that include, among others, Footprinting and Reconnaissance, Scanning Networks, System Hacking, Trojans and Backdoors et cetera,’ he said.
User end hackers
THE necessity and popularity of free and open source software is gradually gaining vibe among youngsters in Bangla speaking communities.
Availability of faster internet ensured access to do-it-your own videos, open source forums and groups on various social platforms that enabled them to interact closely on problems and sharing solutions/codes that have established them as the user end hackers.
The FOSS people, mostly the GNU/Linux enthusiasts, are more concerned on their security and prefer to develop script or configure their tools according to their taste and geeky interest.
Kuntal Kundu, a FOSS enthusiast from Balurghat India, shares his experience. ‘I prefer authorised websites for browsing and prefer VPN for suspicious ones, torrent sites mainly. I read the review before installing any program. VLC player, Libre Office, Probhat, GIMP, Inkscape and Darktable are some of my necessary tools.’ he said.
One practice is common among them which is not installing any software or run script at once as well as keeping the system minimal which in turn assures an optimised and easy to administrate environment.
They are patient enough to take time to pin point any issue, read documents before installing any software and review scripts or commands before executing. This enables them to maintain the hygiene of the system and becoming a power user.
Saumen Roy, a computer science student of Chittagong University of Engineering and Technology, said, ‘I don’t use any unnecessary packages (software) however mx is most complete distro I have ever seen with lots of extra utilities.’
An English literature major from Government Titumir College, Sammay Sarker says that the default configurations of system and network devices are usually safe. He rather thinks that humans are most vulnerable to cyber threats and emphasised the responsibilities of the users.
He focused on being careful of choosing browser add-ons and learning blocklist syntax on ad-blocks for fine tuning a safer internet surfing.
Sammay also suggests using different passwords on different platforms, using temporary email accounts, instead of main email account, for trivial works, using a reliable password manger to keep passwords safe — KeePass is his favourite and also uses GNU Privacy Guard (GPG) for sharing files or storage on mutual consent.
The self taught hacker is more focused on keeping the system free from unnecessary and resource hungry packages that depends heavily on more packages.
He said, ‘I always look for simple, lightweight programmes and try to read the documentation before installation rather than blindly following instructions available on internet. I always read the changelog before any upgrades. I always keep track of which packages are installed and remove dependencies after the build process.’
He emphasised reading documentations, manuals and keeping an eye on relevant websites like reddit, hackernews et cetera.
For local area network security Sammay uses Openwrt on router, keeps unnecessary ports closed, turns router’s broadcast SSID off and configures firewall for further security.
He says, ‘Most of the solutions are reading the manual and learning the duck-foo or stack-foo.’
Samnan Rahee, a computer science student of Dhaka University, also echoes Sammay and says that he tries to check dependencies before any installation and uses mostly Python to script his own tools.
Awakening is not a thing. It is not a goal, not a concept. It is not something to be attained. It is a metamorphosis. The caterpillar must accept its own disappearance in its transformation. When the marvellous butterfly takes wing, nothing of the caterpillar remains.
― Alejandro Jodorowsky
Filtering information from media and search engines is one of the most important skills to master to survive in the cyber world.
Then comes playing with the devices and operating systems of interest, breaking it — messing up configurations, running arbitrary codes, disassembling hardware — and being solely responsible for making it alive; except living things, they are fragile and might bring collapse like the doom day.
Some tips for enthusiasts
MAKING Quora, Reddit and Stackoverflow a bed-mate; getting detailed answers, being humiliated and filtering to the point technical details from there, in respective order.
One could keep hard copies of reference books of favourite system and languages — human and programming.
An extra plus for keeping Jibanananda Das and Sigmund Freud on book shelf, along with The Art of Deception by Kevin Mitnick and William L Simon, Hacking the Hacker: Learn From the Experts Who Take Down Hackers by Roger A Grimes and UNIX System Administration Handbook by Nemeth, Snyder, Hein, Whaley and Mackin, Social Engineering: The Art of Human Hacking by Christopher Hadnagy among others.
Bookmarking the blogs of Richard Stallman, Julia Evans and Eric Raymond, also the Gentoo and Arch Linux wikis — they are gory, detailed, vast and enlightening.
Reading blogs of Daniel Miessler and Brian Krebs are highly encouraged.
Acquiring basic knowledge on C and Python to feel how Prometheus — Denis Ritchie and Guido van Rossum — snatched fire from heaven.
If skies are too high or too slow (Tarkovsky and Jodorowsky), watching the masterpiece of Wachowski siblings — the Matrix trilogy once again trimming off the technical showoffs.
They are vast and philosophic; and avoiding unabated porn surfing — it is unhygienic in both the cyber and real world.
Ishtiaque Foysol is a Homo sapience.
Want stories like this in your inbox?
Sign up to exclusive daily email
More Stories from Cover