India is rushing to align itself with Western countries when it comes to cyber security and as a result, some of the country’s experts have already begun organizing events, not only to educate the public, but also because they want to show that they have what it takes.
We wanted to find out more, so we interviewed Viknesvaran Sittaramane, a software developer at an MNC, and one of the organizers of DEF-CON Chennai and the upcoming DEF-CON Bangalore.
Softpedia:
Please introduce yourself and your team for our readers.
Viknesvaran Sittaramane:
I am Viknesvaran Sittaramane, a bug researcher. I have more than 100 advisories on Web Application Vulnerabilities on Exploit-db, 1337day and other exploit databases.
Currently, I work as a Software Developer in an MNC, Chennai. My ultimate goal will be educating people about internet security.
Our team consists of R. Harikrishnan, R. Karthik and myself.
R. Harikrishnan is a fellow Bug Researcher and has got more than 100 advisories in various exploit databases to his credit. He is writing articles for Infosec Institute and he works as a Security Researcher in an MNC, Chennai.
R. Karthik is also a Webapp Bug Researcher. So far, he has written more than 30 articles in Searchsecurity.in, a unit of TechTarget. He works as a QA Engineer in an MNC, Bangalore.
The team organizes DEF-CON Chennai (DC602028) and DEF-CON Bangalore (DC9180).
Thus far, we have conducted four successful meets in Chennai, India, and very soon, we are planning to conduct the fifth meet in Bangalore, India.
Our team also performs security auditing and tries to work with our clients in a more comfortable way.
The goal: Spread the awareness about internet security among the masses and be the Internet guardians.
Softpedia:
What were the most important vulnerabilities found by you and your team?
Viknesvaran Sittaramane:
We had found persistent cross site scripting, as well as non-persistent cross site scripting in Google.
Softpedia:
Were they found by only one member, or was it a team effort?
Viknesvaran Sittaramane:
Yes, it was indeed a team effort and I am happy that we have accomplished this collectively.
The bugs were reported by R. Harikrishnan and myself. A total of 6 bugs got eligible for Google Hall of Fame.
Softpedia:
Besides the ones on Google sites, what other vulnerabilities did you find?
Viknesvaran Sittaramane:
We had found vulnerabilities in Microsoft, Yahoo, eBay, Amazon, Rapid7, Adobe, Skype and so on.
Even in some banking sites such as Axis Bank, HDFC Bank and Deutsche Bank, we had found vulnerabilities and reported them.
Softpedia:
What advice would you give website administrators when it comes to protecting their sites?
Viknesvaran Sittaramane:
Web administrators must understand that the inner look of a website is more important than the outer look. Most of the bugs are caused by human errors. Web administrators don't realize that security is their responsibility too.
The clients should be aware of security features provided for the website and possibly what are the preventive steps taken to protect the website from attackers. We request the web administrators to work on security the same way they work on designing the website.
Softpedia:
From your experience, is it difficult for a security research team to successfully report vulnerabilities? Many experts are complaining that in some cases companies ignore their findings. Have you found the secret to not being ignored?
Viknesvaran Sittaramane:
To be honest, a web administrator’s job is not an easy one.
A web administrator has so many responsibilities like designing, updating, and maintaining a website, and sometimes even advertising the website on social media. After all this, when we point out mistakes in their work, most of them do get mad at us. But some web-masters understand us and try to work with us to fix the vulnerability.
We don't want to blame them for security bugs on their project; they are doing their work of designing and maintaining the website, and we are helping them to make it more secure. A bug researcher and a web administrator are heads and tails of a coin; they need to stick together so that the other one can win a toss.
Softpedia:
Let’s talk about the security conferences you organize. For those interested in DEF-CON Bangalore, present the event in a few words.
Viknesvaran Sittaramane:
After a great successful show in DEF-CON Chennai, we decided to shift our focus to Bangalore as it is the “Silicon City of India.” The upcoming DEF-CON event will be held on September 9th in Bangalore, Karnataka.
The Bangalore chapter is a registered DEF-CON Community Group with ID - DC9180. The meet is about to witness experts and students from various domains of Information security presenting their papers and using us as a platform to showcase their work to the community.
The event is not just restricted to security evangelists alone, but also for people interested in Computer Science and Engineering. The event would also witness a networking party, probably for the first time in Indian DEF-CON group culture.
This will help fellow security mates to get to know each other and have a one-to-one interaction with each other. We would like to invite all the people from across the globe to participate in this event and help us make this a grand success.
Softpedia:
Can you tell our readers how your previous DEF-CON conferences held in Chennai helped people?
Viknesvaran Sittaramane:
In our previous meet in Chennai, we were able to provide financial aid to a social initiative made by one of our fellow members. It’s an initiative to help the poor increase their knowledge in IT and computer literacy from school levels. Andhra Hackers team had contributed towards the same as they had attended the meet.
From the remaining money of the meet, we contributed to a charity school at Sai Baba Ashram. Thus we were able to reach needy and helpless people, especially young minds, and support their education through our meets.
Softpedia:
Where do you see yourself and your team in future?
Viknesvaran Sittaramane:
Well, in this, we are all a team of people who get together regularly to share and develop better ideas and techniques in the field of information security. We have had students from 12th grade to elderly people with 15-18 years industry experience in the meet.
So, the team is vast and highly flexible to meet the needs of the current demands in information security. Currently the organizers of the meets are doing well in their field and working for private firms, and with God’s grace we hope to carry on our good works.
Softpedia:
Apart from helping others secure their websites, what else do you do in your spare time as a team?
Viknesvaran Sittaramane:
In our spare time, our team goes to various colleges across the country to conduct workshops for students - as an initiative to spread information security among the Indian student community.
We also have e-learning resources attributed to our names. Hari and Karthik are regular contributors in terms of guides and articles for online portals like TechTarget and Infosec-Institute.
Karthik has released a Kindle version of his e-book named “The Backtrack Experience - An introduction to whitehat hacking,” on Amazon’s Kindle Store. The book basically covers the practical aspects of the OS and also gives a brief overview of the tools.
It also covers a few important tools in minute detail, informing the reader of their direct practical implications. The book is basically for a novice who is using Backtrack for the first time.