The white hat explains how a hacker must approach a challenge

Mar 10, 2012 14:31 GMT  ·  By

Even though security researchers, or white hat hackers, don’t have interesting stories about bringing justice to the world or missions to unmask corrupt governments, their contribution to Internet safety makes them one of the most important links in the cyber-security chain.

This week, Hackers around the world features Shadab Siddiqui, an independent security researcher from India, who in the past weeks has identified a lot of vulnerabilities in the public websites of high-profile companies worldwide, many of which are on the Forbes 500 list.

He shared some things about the life of a security enthusiast in India, the battle between black hat crews from opposing countries and some details on how a hacker must think to ensure his success.

Softpedia: Do you have a hacker name?

Shadab Siddiqui: Yes. I have a code name, “gr4yf0x”. But you would not find much about this name on the Internet. And now I use my real name, as you can see in my previous reports to Softpedia.

Softpedia: What’s the significance of this name?

Shadab Siddiqui: gr4yf0x is a combination of 2 words, gr4y and f0x. Here, gr4y = gray (colour) - well, I hope I don’t need to say anything more as to what it indicates - and f0x = fox. You must have heard “as cunning as a fox”, which means to be very clever at getting what you want, especially by tricking someone.

Foxes have a reputation for being cunning. I think that this clears the significance of this code name.

Softpedia: When did you discover your passion for security? And how old are you now?

Shadab Siddiqui: It all started back in 9th standard when, for the first time, we had computers as a subject and I scored bad marks in it, making myself the laughing stock of the class.

I never had a system of my own, but I used school computers to learn. I also used the system in my dad's office where I used to go every Saturday/Sunday to work and learn things practically.

I got my first PC when I passed my 12th standard board exam. Though in 12th standard I was awarded “best programmer of the year”, an award given by CSI (Computer Society of India) in a programming competition.

My interest in security began in 12th grade itself, when I was getting my hands dirty with C++. After that I bought my own laptop and Internet connection. That was in the summer, and I used to read online books on security and networks to learn more and more about computers / networks / the deep web.

I used to sit on Orkut too, as it was popular those days. Then I had an online friend with the code name x3r0 (as of now, I can’t disclose his real name) who had a team. I learned lots of things from him and his team. I understood what C/C++ is capable of and that I could do anything on my PC through my own C/C++ programs.

One thing’s for sure: the Internet is the ocean of knowledge. The deeper we go, the more we learn.

That was the time I understood the meaning of “don't learn to hack, hack to learn.”

My first hack was when I gained access to someone else's account through session hijacking :P.

Then I started believing in “Practice like Evil. Play like Angel.”

Formally speaking, I am 23 years old and I have successfully completed my B.Tech. Now I am pursuing an M.B.A., but this is apart from what I use my computer for most of the time.

Softpedia: Did you ever cause damage to websites? Was there a time when you considered yourself a black hat?

Shadab Siddiqui: No, I don’t think that I ever damaged or defaced any website. I find vulnerabilities and help the web admins patch them, as I am against defacement. I rarely wore a black hat back when I started exploring and loved to shell servers. But that happened a long time ago, not now. :)

Softpedia: What is your greatest achievement so far? What was the most important site that you found to be vulnerable?

Shadab Siddiqui: Well, I can't disclose the biggest site I found vulnerable, though there are many high-profile websites in which I found vulnerabilities, like the ones you are already aware of.

Furthermore, I am a security researcher. Finding vulnerabilities isn't an achievement; it’s about improving yourself, exploring the knowledge that other people have all around the world and thinking out of the box.

Softpedia: Tell our readers a bit about what India has to offer for a hacker/security researcher. Are there sufficient resources to start a career in the security business?

Shadab Siddiqui: Frankly speaking, in India there isn’t a trend of opting for hacking as a career, as the govt. offers no support. However, all the private organizations do support it and even have vacancies for it.

But in recent years a trend of conducting so-called “hacking workshops” has been around, through which students in India have got exposure to a new dimension called “security”. Before that, they only knew of developer/tester careers, nothing more.

That doesn’t mean that India does not have security professionals. Instead, there are a couple of quite good ones who, depending upon the need, are black hat or white hat.

But let me make one thing clear. They are not just good, they are “Too Good”, as I know a few of them personally.

The problem with the Indian Govt. is that most of the government websites are taken by companies who have internal links. So, they’ve got the tender for the sites, but they never take much responsibility to make the sites secure.

Actually, they do not have that much knowledge, or maybe they don’t want to invest (to make more profit), so the sites remain unsecured.

I myself have found so many vulnerabilities in MAHARATNA and NAVRATNA websites of India and contacted so many govt. officials, but bloody nobody cares here. So we have left them as they are and that’s the reason they are a “piece of cake” whenever there is any cyberwar.

For now, India does not have enough room for taking up security as a career, unless you get a job with private companies and societies. And even those think they are too good for you, looking down at you as if you’re a criminal.

Softpedia: What do you think of the cyber-war that takes place between Indian and Pakistani or Bangladeshi hackers?

Shadab Siddiqui: Well, as I already said, I am against defacing websites, whether they belong to my own countrymen or to some other country. I don't see any point in defacing, and the only people suffering in this cyberwar are those who have nothing to do with the cyberwar.

BCA (Bangladesh Cyber Army) defaced somewhere around 20K websites in India, out of which more than half were the websites of schools and companies that gave money to some developer to put their site online. Now their website has got defaced, and again they will pay the same amount to get their website back.

The same is the case with every cyber army.

Softpedia: Please talk about your other hobbies besides Internet security.

Shadab Siddiqui: Apart from the Internet and computers, I love playing chess, table tennis and basketball, though I rarely get time to play these now, as I spend almost all my time on a system. I also love listening to songs which, depending upon my mood, could be metal or slow numbers.

But most importantly I love food and taking too much rest (I always have my lappy while resting :P). I am not lazy but I have a habit of taking a rest before I start working on anything.

Softpedia: Where do you see yourself in the future?

Shadab Siddiqui: As of now I am pursuing my M.B.A. (IT) in Europe and I do not have a job for now, but I hope to get a good one soon. But I want to be an entrepreneur and implement an idea of my own that could bring change to the world, starting from my own country. :)

Softpedia: Do you know how to find vulnerabilities in web applications, or do you mainly specialize in websites?

Shadab Siddiqui: I started with exploiting applications only. For instance, everyone knows how to write a C/C++ program, right? Well, what if I just call main() from within main() itself. E.g. (headers omitted): int main() { main(); return 0; }

For all those who have been writing many C/C++ programs, I think you know what it will do. This is where I started from. Each one of us knows how to call a function, but it depends on how you think, and that determines how far you can go exploring.

Hacking is just about thinking out of the box and implementing it. Hacking simply means being the best at whatever you do, and not an illegal activity, as many think. Hackers (I mean the real ones, Elite Hackers) are the most knowledgeable people alive.

So now, do I need to answer the question “what am I good at?” :P

Softpedia: How exactly could you help a company improve the security of its site?

Shadab Siddiqui: Helping a company improve its security just starts from its website, but the website is not the only thing that needs to be secure. What about the company networks (Internet/intranet)? Don’t we need security at a lower level? Routers, switches, etc. are much more important in some cases.

What if the intruder has got access to one of the systems on the internal network, or if he exploits a flaw in a web application? :) Don’t they need to be secured?

So, helping a company improve its security occurs on various levels, but everything starts from securing the site, as it's the first thing that presents the company. I could help a company on all those issues.