Post on 29-May-2018

An evening with WHITE HAT Hackers on Bounty Hunting

Organized By: Interdisciplinary Centre for Cyber Security and Cyber Defence of Critical Infrastructures
https://security.cse.iitk.ac.in/

C3i Center, IIT Kanpur
March 21st 2018, 5:30 PM to 8:30 PM
Venue: L-19

Speakers

Anand Prakash (Appsecure)

Anand Prakash is a prolific security researcher who is famous for finding bugs in some of the world's most popular apps and websites. He thrives off of "bug bounties" — large cash prizes he earns from companies in exchange for successfully hacking their systems and showing them their security flaws. Anand is supremely good at what he does, having discovered vulnerabilities at companies like Facebook, Twitter, and Uber. For the past 5 years, Facebook has ranked Anand as one of their top bounty hunters, and on Twitter's bounty program he is ranked #3 world-wide. Anand's reputation as a hacker has led to him being featured in last year's Forbes "30 under 30" for enterprise technology in Asia, and a major Indian news website declared Anand "one of India's best known white hat hackers."

Sai Krishna Kothapalli (IIT Guwahati)

Sai Krishna Kothapalli is a final year Computer Science and Engineering undergraduate at IIT Guwahati, a bug bounty hunter, and a security researcher. He has found some serious bugs in some popular web applications, including a few in the Indian government sector. He is also one of the students at IITG who campaigned for the campus bug bounty program and helped get it organized and started.

Talk 1: "Story of a White Hat Hacker: How I saved a billion user accounts?"
Speaker: Anand Prakash

Abstract: Bug bounty programs worldwide have taken off because most customer-facing websites and web applications are increasingly under attack by hackers. Large companies such as Facebook, Twitter, Google and Microsoft, as well as mobile-app-based companies such as Uber, cannot fully guarantee that the web applications and mobile applications their engineers produce are free of security vulnerabilities. Therefore, they have all announced large monetary reward programs for ethical exploits, and based on the criticality level of the discovery they reward the bounty hunting hacker handsomely. As an ethical hacker and bounty hunter, I have found many vulnerabilities in these popular sites that could have been disastrous if exploited by a black hat hacker. The race is on between black hat hackers, who use very sophisticated tools and experience and are sometimes employed by organized crime syndicates as well as rogue states, and white hat ethical hackers, who also use their experience and tools to find the vulnerabilities to help the companies. In this talk, I will discuss my own experience in saving a billion user accounts, and more stories from the trenches of this ongoing duel of minds between white hat and black hat hackers.

Talk 2: "Landscape of bug bounty programs"
Speaker: Sai Krishna Kothapalli

Abstract: In the ever-advancing Digital Age, India has placed so much effort in digitizing all walks of life, but are we taking enough care to protect our data? IITG has taken the first step in this direction by being the only educational institution in Asia to launch its own responsible disclosure policy (bug bounty program). This talk lays out the challenges faced and the response received by implementing this for IITG, and highlights what other institutes and government organizations can learn from them. It also emphasizes the necessity and benefits of a responsible disclosure policy in government organizations. It winds up by focusing on some country-specific case studies where things went downhill and finds out what could have been done to avert whatever had happened.

Panel discussion: "The Good, the Bad and the Ugly – White Hat, Grey Hat, and Black Hat hacking"
Panelists: Anand Prakash, Sai Krishna Kothapalli
Moderator: Sandeep K. Shukla

In this panel discussion we will discuss the on-going race between the black hat hackers, who exploit information and critical systems, and the white hat hackers, who try to save the day with their repertoire of tools and techniques. Unfortunately, this war is often tilted, as black hat hackers are often part of crime syndicates and, worse yet, recruited by the cyber army and espionage functionaries of various governments. How, then, are the white hat hackers to save the systems by finding the vulnerabilities faster than the black hats? Black hats are also organized in chat rooms and forums in the underbellies of the dark web. Are the white hat hackers organized in the same way?