AN ANIMATED CONFERENCE ON INFORMATION SECURITY IN 2017
The conference on information security, with the “spelling play” title “SecurITy 2017: Information Security Conference”, held on February 4, the final day of the BASIS-organized Softexpo, felt like a rock concert, with over three hundred and forty audience members packing the ground-floor Media Bazaar hall at the Bangabandhu International Conference Centre.
Moderated by the CEO of Officextracts, Prabeer Sarkar, the program engaged the buzzing crowd with a panel of young security experts who looked and spoke like mad geniuses straight out of sci-fi films.
The panel of speakers consisted of Nahidul Kibria, Synack Red Team Researcher and co-founder of beetles.io; Shahee Mirza, security researcher and co-founder of beetles.io; Tarek Siddiki, Synack Red Team Researcher and co-founder of beetles.io; Kaisar Y Reagan, IT consultant; Tapan Kanti Sarker, president of CTO Forum Bangladesh; and Debdulal Roy, General Manager, Information Systems Development Department, Bangladesh Bank.
Most wanted bugs
Tarek Siddiki started his talk by asking how many people were aware of the ‘bug bounty’ concept. Tarek’s organization, beetles.io, provides source code audit, vulnerability assessment, penetration testing, endpoint forensics, SECaaS (security as a service), and mobile security services.
Siddiki explained how big companies like Facebook employ the services of ethical hackers through bug bounty programs, in which hackers are paid to find vulnerabilities. Netscape started a bug bounty program in 1995, and the idea was later replicated by Google in 2010, Tarek Siddiki informed the audience.
“When companies manage bug bounty programs on their own, it gets tougher for a company over time. So, a separate industry developed from this. This gave rise to many different platforms that started to connect companies with hackers. These are called ‘bug bounty platforms’,” Siddiki said.
“Bug bounty is the third phase in security. First, it was humanoid, then it was automation, scanning, and then the third phase is crowdsourcing cyber security. What’s next? The next step is artificial intelligence,” he continued. “Bangladesh started to participate in the bug bounty programs in around 2012 or 13, led by Shahee bhai (Shahee Mirza, also a panelist at the conference). Now many people are getting into this, but is it enough? I mentioned HackerOne, who paid out over forty million dollars to bounty hackers, has over twenty thousand researchers. There aren’t even fifty Bangladeshis in that program,” said Siddiki.
“In 2016 HackerOne published statistics showing how many researchers it has from different countries across the world. Twenty percent of its twenty thousand researchers were from our neighbouring country India. And we don’t have fifty Bangladeshis who even signed up with them. We are certainly behind,” Siddiki informed.
“Have you ever heard Facebook was hacked? In the last two years, two major RCEs, or ‘remote code execution’ bugs, were found in Facebook that had the capability to “spill” data. In November 2016, a Russian hacker found the ‘ImageMagick’ (an app) vulnerability in Facebook. A malicious hacker might have breached Facebook data or defaced Facebook. But since Facebook had a bug bounty program, that hacker reported the bug to Facebook. Would anyone fancy a guess how much he was paid for reporting just this one exploit? He got forty thousand US dollars,” Siddiki said to a captivated audience.
“Coming back to HackerOne, the biggest payout it had involved a bug in Salesforce. The logging panel of a Salesforce company was insecure for eight days. A billion-dollar company was exposed to this for eight straight days! A hacker called Frans Rosen from the Netherlands acquired access to it and got possession of the source code. He could have used it or sold it to a competitor. But instead he reported it to Salesforce, and it paid out thirty thousand US dollars,” Tarek Siddiki said.
“HackerOne ranks its twenty thousand researchers, and currently there is a Bangladeshi programmer who is at the twenty-second position among twenty thousand researchers. Synack, an NSA-funded company, takes in researchers after rigorous testing. You have to take exams and pass tests. Among the hundred and fifty researchers at Synack, there are five researchers from Bangladesh. And one of the Bangladeshi programmers is in the top ten of the Synack ranking. I certainly think that is an achievement,” Siddiki said.
Shahee Mirza interrupted Tarek Siddiki to inform the audience that “the person in that top ten Synack ranking is giving the talk right now,” pointing to Tarek. The audience exploded into applause.
The following presentations by Shahee Mirza, Kaisar Y Reagan, and Nahidul Kibria were aimed at the developers in the audience and discussed technical issues. Shahee Mirza gave a presentation on ‘DevOps’, Kaisar Y Reagan on ‘security coding’, and Kibria on vulnerability analysis and attack prevention, illustrated by analyzing the Kovter malware.
“When the development team, the quality assurance team and the operations team work together, that is called DevOps,” Mirza told the audience. Mirza explained DevOps and its scope. “The whole point of DevOps is to create a secured product,” he said. “I guess the summary of my talk is: make a plan first, educate the whole team and create full automation, so that we have more time to learn,” Mirza said.
Reagan said that most vulnerability problems arise because programmers fail to recognize the risks. Reagan showed and explained examples of ‘DLL hijacking’, and then walked through the steps by which DLL hijacking takes place.
Nahidul Kibria opened his presentation saying, “I just saw people listening intently when Tarek was talking about how much money you can make, but when speakers started to go into deeper technical details, the audience is finding it hard to concentrate,” to which some of the audience members broke into uncomfortable whispers and some into guilty laughter. He then proceeded to talk about vulnerability monitoring and discussed what to do in case of a targeted attack. “Malware is so sophisticated now that it has become ‘fileless’,” he said. Kibria demonstrated a live malware hunting procedure by infecting a computer and showing how to track the malware. He also warned against being hasty in memory dumping, so that post-infection forensics remain possible.
Both Tapan Kanti Sarker and Debdulal Roy spoke briefly, saying that they want to see the young generation produce more experts like Tarek and his colleagues. Prabeer Sarker thanked the speakers, saying that it was amazing to hear from such young and brilliant speakers. The conference ended with a short question and answer session.