Thank you, Satan

While citizens and the media have been focused on the COVID-19 lockdown, Satan, a greyhat hacker, has masterminded a series of hacks and data exploits on Nepali businesses.

Greyhats may use illegal means, but do not carry malicious intent. They are not as pure as their whitehat peers who eschew all illegal means, but not as nasty as blackhats who try to make money through cybercrime. Greyhats are usually motivated to draw attention to security vulnerabilities in dramatic ways, and show off their skills to earn accolades from peers. 

On 8 April, the newly created twitter account @satan_cyber_god claimed that it had hacked sensitive customer data from Prabhu Money Transfer saying: ‘Your banking and all other systems lack security! We tried to aware you but you did not respond! Hail Satan!’

Because the internet is full of tall tales and unverifiable claims, it is customary for hackers to provide some evidence that other technologists can use to verify their claims. Satan’s purported evidence was the release of email addresses of Prabhu users, shared through pastebin.com, a website that makes it easy to share large volumes of data anonymously.

Satan was not the only one. Had we learned our lesson from earlier hacks by lesser forms of evil, the Prince of Darkness may not have found it necessary to get personally involved. The unspecifically sinful Twitter handle @paapi_kto_mah, released the names, phone numbers, residential and email addresses of 170,000 Vianet customers on 8 April. A month earlier, @Mr.Mugger had exploited vulnerabilities in the popular food delivery company Foodmandu’s system, and released personal details of 57,000 customers.

Nepali customers have been insulated from the worst consequences of data dumps like financial fraud because credit cards are rare and cash payments are still the norm. Nonetheless, the exposure of one’s personal data has real consequences from increasing the amount of spam in inboxes to the possibility that identities will be used in cybercrime, putting individuals in the crosshairs of international law enforcement bodies.

After the Vianet hack, savvy users in the Nepali tech community suspect that there is an ongoing attempt to use that data to hack into Viber accounts. With so many Nepali’s conducting much of their personal communication through Viber, this would constitute large-scale privacy violation.

Yet, it would be a waste of resources and a misdirection of efforts to track down greyhat hackers. We should instead turn our attention to increasing security across all IT systems. The government is currently pushing a strategy to digitise the economy and governance through policy papers such as the 2018 Digital Nepal Framework.

As e-commerce and digital governance become more commonplace, the consequences of data breaches will become more severe. Of particular concern are e-governance and financial systems. The former could be exploited to create false identities to hide black money, to misdirect bhatta and cash support, or even alter exam records and academic credentials.

As demonstrated by the massive ATM hack recently such data are already at risk. Though largely unreported, it is an open secret within the Nepali tech community that banks here have significant security vulnerabilities which do not just result from substandard technologies but also from more prosaic errors like the use of pirated cracked software by staff. As banks offer more digital products these vulnerabilities will only grow.

The three incidents of data hacking last week created a buzz amongst techies, but it was what came next that got all of us saying ‘Hail Satan’. Immediately following the 8 April hack, Satan found a security flaw on the popular e-commerce site Daraz. To Daraz’s credit, it was quickly fixed, and Satan even got a note of appreciation from its security team for pointing it out.

Satan then issued specific credible warnings to both the Nepali Congress and Kantipur Media Group on its system vulnerabilities, and made a veiled threat that they would be hacked if they did not fix it. With limited evidence, the hacker claimed to have exploited a security flaw that allowed access to data from any website or database hosted on the .gov.np domains. And as a coup de grace, screenshots proving penetration and violation of Mercantile’s IT systems were shared.

Satan’s aim for publicising vulnerability in Nepali digital systems have not been fully realised. While specialist online tech portals have followed the story, it has not been covered prominently by the mainstream press that would have generated pressure on government bodies and financial regulators to mandate stricter security standards. The media also has a major role in educating the public on personal digital hygiene to keep their own data secure.

We recommend three actions to ensure better digital security in Nepal:

Greater attention of owners and senior managers on IT issues. Traditionally, executives in businesses and large institutions have focused on managing financial and political risks personally while leaving all other matters to technical managers. As organisations have increasing digital footprints, senior leadership will have to treat digital security risks on par with the two aforementioned ones.

Public procurement for e-governance services will have to be reformed. No real change is possible if contracts keep going to ‘connected’ firms that do not hire the best talent available in the country. In a sector where even a talented junior developer can earn over Rs150,000 a month doing simple outsourcing jobs, and more skilled entrepreneurs can generate $1 million in revenue with just 8-10 staff members, it is unlikely that credible firms will have any incentive to engage with the insanity of politics and kickbacks that go into public procurement.

To prepare Nepali society for heightened digital intrusion we need wider debate on the broader idea of digital citizenship. Comprehensive public engagement is needed for digital security, digital IDs, fake news, privacy, closing the digital divide, and raising a generation of media literate children who can engage critically with what they find online.

For forcing us to ask these questions and give shape to our future, we should all say ‘Thank you Satan’. 

Sakar Pudasaini is the founder of Karkhana and the author of a series of children’s books on digital citizenship. Prayush Bijukchhe is the Chief Technological Officer and Founder of WASP Labs, a Kathmandu-based IT company.