Friday, March 9, 2012

‘Not all hacking is bad or should be considered so’ - A conversation with Sumon Ahmed Sabir VP of ISPAB

Sumon Ahmed Sabir, vice president of Internet Service Providers Association of Bangladesh and a cyber security expert in Bangladesh, tells Saad Hammadi how the much hyped cyber warfare between India and Bangladesh was only a matter of generating propaganda on state-owned websites with no real security

Tell us your opinion about hacking in general.

Hacking had begun since the time computer networks emerged. However, those who are into hacking, some of them do it to show their technical skills and expertise and some are into committing financial crimes and other forms of online criminal offences. There is however, another dimension to hacking when it occurs with the state’s patronage.

Recently, Bangladesh and India have experienced intense cyber warfare among important websites being shut down by the opposition. Some IT professionals have said that this was not hacking but nuisance. What is the rationale?

I will not call it a cyber war. A lot of Bangladeshi websites were compromised just as much as the Indian websites. However, this is nothing new. The security features are vulnerable in most government owned websites. That is why a large portion of the websites hacked belong to the Bangladesh government. Not much of technical expertise is required to hack most of these websites which are very poorly coded. Skills and expertise are utilised when websites hacked are of professional standards.

I am not really interested whether it was a cyber war or not but that our websites are not secured is something we should be concerned about. We are not secured on websites and this is not to speak of Bangladesh only but all countries. There is no point over arguing on an area of cyber warfare just because we are not able to resolve an issue diplomatically which will only increase grievances.

Bangladesh’s virtual services and facilities are still at a developing stage, where not much of commercial transactions are performed. Given that Indian hackers often attack on Bangladeshi, how do you view the web security of the country’s important websites?

This time the incidents that occurred did not cause problem but we are gradually becoming IT enabled. When transaction-based websites will emerge in the country that is when we will be affected most. And this will happen sooner or later because hacking is a regular affair. We should be careful that we do not break down the same way in the future.

Right now you can check your bank balance or clear your credit card bills, which are limited only to your account and cannot be transferred to another. Hence, we are not becoming affected financially. Outside the country however, most people are affected because of financial losses.

However, because of poor security on our web servers, other countries are becoming affected. Hackers are using Bangladeshi servers as proxy or phishing sites to acquire passwords and usernames of prominent international banks and other e-commerce websites, which allow them to transfer money to their desired accounts. Just because we are not being affected, we are not being concerned. But such fraudulent websites are very common and we receive a lot of complaints from the CERTs (Computer Emergency Response Teams) of other countries.

While Bangladeshi hackers claimed to have shut down many Indian websites, Bangladesh was nonetheless exposed to similar attacks. Do you believe the ICT Act 2006 of Bangladesh require amendment to address such defacement and temporary deactivation of websites?

The intentions of attacking the websites on both ends were not aimed at damaging them. They only removed some contents, put some images, used cursive words or shut it down temporarily. There was no intention to cause financial damage. The attack was aimed at generating propaganda. However, I still cannot justify such a practice. The contents in our present ICT Act only protect us of local violations. Internet is something that goes beyond the territory. Hence, addressing online crimes is still a grey area. It could be someone sitting in the United States, using a computer server in India to initiate an attack on a Bangladeshi website. Under such circumstances, there is hardly enough evidence because the logs can be cleared. So, addressing the issue is still a very complicated process.

Even locally, if someone is found committing an offence, the penalty should be very carefully decided. Keeping someone behind bars for eight years for sending a threat email does not sound reasonable, which we have seen happen in the country in the past. It will however, not be right for me to talk on the legal area but laws should not be such that a minor offence entitles heavy punishment.

Will you share some of the security elements that Western countries maintain to contain such form of intrusion or hacking?

Whether developing countries or the West, we almost use the same security elements. Some organisations may be slight better but in general we all are vulnerable. This time the website hacking that took place, it was because the coding standards were weak. The website developers were not concerned with the security features while coding. The servers and software we are using, these are not timely upgraded and maintained. Thirdly, proper firewall rule sets are not maintained, which help to determine the level of access.

Some hackers are passionate about identifying bugs in reputed websites, something they enjoy doing and challenging. They say it helps them increase the efficiency of the website and helps them learn new things. Can skills of hackers be put to good use?

Those who have the technical efficiency, no doubt they are highly skilled. In many cases in the past we have seen hackers have come to the help of not just independent organisations but also states and governments. There are numerous examples. Not all hacking is bad or should be considered so. Somebody identifying a bug or informing the authority is a noble. Unless and until that bug is exploited to attack it is a good deed. The hacker word was a good term in the past. Right now the term itself gives a negative impression. In abroad, security analysts are hired to do the same task as hackers.

Source: New Age

0 comments:

Post a Comment