
Hi Folks,
today we are very happy to introduce you to Rahul Tyagi, Associate Vice President - Training at Lucideus. We talked about the situation in cyber security and what kind of challenges it has to face. What is more, he told us what it means to be a good, qualified hacker – take a read, it’s worth it!
You can reach Rahul on www.facebook.com/officialrahultyagi, Twitter and LinkedIn
[Hakin9 Magazine]: Could you tell us more about yourself? How did hacking become your passion?
[Rahul Tyagi]: Hello, my name is Rahul Tyagi. I am the Associate Vice President - Training at Lucideus, a global digital security services provider; our mission is to secure large enterprises from debilitating cyber-attacks. I play a crucial role in training and arming professionals, and even students, with the most advanced cyber security training programs to teach and equip them in how to protect their digital infrastructure.
Since I was a child, I was fascinated with technology. Eventually my love of computers led me to IT (compared to others at my graduation time); the real fun started when I hacked into my university's attendance system and changed almost 1,800 students’ attendance records! Obviously, it was a dumb step. On the other hand, I realized how vulnerable computer systems and networks are. After a confession on my side, I started working with developers at the university to correct and strengthen the code to make the university’s framework more secure and stable than it had been before.
[H9]: Hacking is an area that evolves constantly, do you think that we need new methods or should we enhance the ones we already use?
[RT]: First - learn the existing technology; you cannot move forward without knowing where you have been and where you are. Therefore, understanding the existing attacks and the way we can secure from them is important; although one needs to keep exploring new dimensions as well. The way digitalization is evolving, we obviously have a lot to explore in the fields of hacking and security. Moreover, my professional opinion concerning a defense against hackers is that in today's digital arenas, we do not need new methods or new security products - what we need are secure products out of the box, period.
[H9]: There are many training opportunities, courses in hacking and the security area. Is it better to learn on your own or participate in trainings?
[RT]: Let me answer from my point of view. There are lots of online tutorials on the internet which show you how open heart surgeries are performed. Now, after watching those, can you possibly be assured that you could perform in the same successful manner? In the same sense online tutorials give you just an idea about the latest methods for attacks and security. You may get the knowledge on your own but how to implement this knowledge in the real world requires proper instruction and hands on training. Moreover, you can only get this training from people who are actually involved in professional security assessments.
A caution, considering the complexity and the changing dynamics of cyber security, even when you are participating in trainings, it is you who will determine your skillset level. As I always say in our training seminars, we will teach you the breadth of hacking, however it is you who has to dive deep and get to the depth. We, of course, are here to guide you, should there be any hurdles in your way.
[H9]: Can you tell us more about UnHack?
[RT]: Today your cell phone has become an extension - a facilitator - of your lifestyle and is not "just another gadget". Sadly, it remains a black box for over 99% of users who, nevertheless, use it as a lifeline for both work and personal purposes. UnHack delivers a very basic service which gives you complete control of your cell. It does so simply by reversing the permission base that the applications take on your phone. In simpler words, it can show you which apps are accessing your SMS, call logs, camera, pictures, etc. All this control with just 2 clicks - we guarantee it.
[H9]: What kind of skills should a good hacker possess?
[RT]: A good hacker needs to possess only one skill - he has to be a seeker. He has to accept, no matter how much knowledge he possesses, that there is so much more to learn. He must be hungry, honest, and hardworking to aspire and achieve what is not visible to the eye of a software or systems developer. Technically - obviously - a good hacker has to master multiple programming languages, needs to be thorough with Unix basics along with understanding the fundamentals of computer architecture - as the saying goes: you need to know the rules in order to bend them; and hacking is all about bending what is known and coming up with something that the world never expected. Now coming back to the question, I feel that technical skills can always be acquired; however, what really defines a hacker is in their nature, that of being a curious person who likes to dig deep into every possible thing around him and will just not take “no” for an answer.
[H9]: You have found many critical vulnerabilities on various websites, can you tell us more about it? Was it challenging? Do you consider it a public service?
[RT]: Although my specific position is AVP Training, with the kind of corporate culture that we have in our organization every person who is a trainer also participates in live penetration testing projects of different kinds; this so that we (as trainers) do not become disconnected from what is going on in the real world of information security assessments. There was a time (three, four years back) when I used to repeatedly try the same type of payloads on multiple parameters of large websites and manage to exploit them.
Currently, after some good years, we do find critical vulnerabilities; however, it has become more of a team effort rather than an individual pursuit. Now instead of spending my time on bug bounty, my team and I spend more time on our organization's projects, pushing the limits of security while testing the security parameters of clients.
So instead of simply finding bugs like XSS, now we have a sea of Zero day exploits and new technology methods. Essentially, we target the maximum, the RCE kind of vulnerability which actually makes sense for our clients with respect to the critical impact for their organization.
[H9]: You have quite a few publications on your account, which is impressive, because I always thought that there are not many books about hacking. What inspired you to write them?
[RT]: I strove that, whatever I wrote, it should be practical. I took care that things in my mind that readers would enjoy and prosper from would also be productive, and that my writings should be productive for teachers and students as well.
[H9]: Can you tell us more about cyberspace in India? What kind of challenges does it face?
[RT]: To explain that I would like to share my working experience in Lucideus. Offense is the new defense, and we are the organization who provides that offense; we are hiring hackers who are actually breaching, with permission, global organizations who want to test their security. Now the irony is that many organizations, not only in India but globally too, are unable to fathom how an information security company is going to help them establish an effective security enabled business framework? And how an information security company which is providing a digital lock of security can help them to earn more money?
So these are some of the challenges which we face from various organizations globally.
Now, to better understand how an information security establishment can help any world organization to increase their earnings, let us explore the three pillars on which every organization runs their business: Web, Systems, and Mobile.
First the WEB. When we talk about the WEB we think about something that consists of servers, software, and applications. Believe me when I say that we were able to breach into some of the largest PSU banks of the country with their authorization, and we got the username and password of every net user and we gave that to the GM of IT of that bank. Now if we can do it to them, anyone who is sitting in China, Russia, Turkey, etc. can also do it, and this makes them very, very vulnerable. Now this is what we call a Web Applications hack.
Second is Systems. Now the biggest misconception many companies have is that if they have genuine copies of Antiviruses and firewalls in their company then that will protect them from the latest malwares. Now we have seen and tested that with FUD malwares. Criminals can bypass any kind of Antivirus detection mechanism, and today even a $10 online crypter can encrypt your malware - and not a single antivirus can detect it. Hence systems are also vulnerable.
Third, let us talk about the last important component of today's digital business, which is mobile phones. We thoroughly believe at Lucideus that in the next 5 years, laptops will be obsolete. Now I hope many of you have read the report from Verizon last year which shows that almost 90% of all Google Play Store applications are vulnerable and can be compromised - and many of them were actually compromised. Now mobiles are also vulnerable and can be breached.
Finally, how we can enhance business with security. Organizations must understand that if they do not take these three pillars of security under consideration, one day they will be compromised. Moreover, if their customers’ identities and other financial credentials go online, they will lose their clients’ trust. These days finding a substitute for any online business is not a major undertaking for a customer. So essentially, we must take care of the most important aspect of business, our customers’ trust. And with security employed and enabled, we can make users feel safe and retain their patronage for a long time. Retaining customers will result in interaction with your business products and services; thus increased revenue.
[H9]: What mistakes are made most often by companies that have been attacked by hackers?
[RT]: Well, in my estimation, and to put it in simple words, the illusion, the idea of being secure makes you the most vulnerable. As an organization, you need to look at 360° of protection to ensure the security; however a hacker needs only one entrance out of many.
[H9]: Do you have a favorite story or anecdote about hacking that you could share with us?
[RT]: I do not have one particular story to share, however I do have a real life experience. I was giving an interview for the security analyst position for my company, and all of the applicants were certified specialists from well-known certification provider institutes. I asked them how to hack websites which are protected by web application firewalls. The first hilarious part was that most of them have never implemented web application firewalls by themselves. Others who have seen the firewalls have never tried to audit them. Moreover, when I asked “Let us imagine that a website is hacked, what procedure would you suggest to coders?” The funniest answer was “I only know how to hack, protecting a website is not my job”!
This is the biggest blunder I have been seeing for the last three years. While talking to people who are into information security, especially those who are concentrated on only, and only, hacking into things, they think that if we breach the security, our work is done. We must understand as information security consultants that yes, you must know how to hack, but at the same time you must know how to secure and protect as well.
[H9]: Do you have any thoughts or experiences you would like to share with our audience? Any good advice?
[RT]: Today you cannot run any business without technology, and in the next 5 years - and believe me when I say this - it is going to change in a way the world has never seen before. There is a thing known as IoT (Internet of Things).
Today 2.2 billion people are connected to the internet, the planet’s population is 7 billion, so one third of humanity is online and connected to the Internet. Now, when I say they are connected with the internet, that means the distance between one out of every three persons on the planet is only a few milliseconds - that is the length of time it takes to send an email. THIS power has not been seen by humanity ever since the inception of humanity.
According to Eric Schmidt, every two days we produce 5 exabytes of data, and this amount of data is the total information produced by mankind from the beginning of civilization until 2003. We are producing the same amount of data EVERY TWO DAYS.
Now that we are at this stage with IoT, the impact on the physical world, as well as the virtual, of such a huge amount of information will be life altering. In my organization, information security is not concerned only with the virtual: Lucideus is working on securing not only things which are virtual but things which will be a part of human life - via IoT. This, so that people globally can make the best use of emerging technologies in real life with full security. When there is security, there will be safety. Finally, if we can embed technology features with security, then we can truly give customers of any organization the real comfort in technology which every person deserves.
[H9]: Thank you!
Lucideus is an Indian company which provides Digital Security Consulting & Operational Services to Businesses, Governments and Institutions across the globe. Incubated out of Indian Institute of Technology, Bombay, Lucideus is now headquartered in New Delhi and continues to have its research and innovation lab located at the computer science department of IIT Bombay.
Lucideus Website: www.lucideus.com
Twitter: @lucideustech
Facebook: Lucideus
LinkedIn: Lucideus
Author

- Hakin9 is a monthly magazine dedicated to hacking and cybersecurity. In every edition, we try to focus on different approaches to show various techniques - defensive and offensive. This knowledge will help you understand how most popular attacks are performed and how to protect your data from them. Our tutorials, case studies and online courses will prepare you for the upcoming, potential threats in the cyber security world. We collaborate with many individuals and universities and public institutions, but also with companies such as Xento Systems, CATO Networks, EY, CIPHER Intelligence LAB, redBorder, TSG, and others.
Great interview… Nice… Superb..!!! Rahul sir explains information security in a very simple manner.
I am happy that you like it! Rahul is a really amazing person!
Really nice interview. Thanks Hakin9 and Rahul Tyagi for sharing such nice thoughts on the information security domain.
You’re welcome. We are always happy to share something new with our readers.