When Abiral Shrestha and Suyash Nepal, members of a private research team, carried out an investigation into the status of data security on Nepali websites last year, they were taken by surprise.
“We were aware that Nepali websites were not safe, but the number was really alarming: 700 plus websites were found attacked by hackers,” Nepal remembers, “We concluded that almost an equal number of websites get hacked every year. It was a serious issue.”
This was when ThreatNix, a private internet security services company, realised the need to increase awareness about such issues among internet users and the public.
Threat Con, one of Nepal’s first hacker meets, is the latest effort by Shrestha, Nepal and their team to increase ‘hacking literacy’ in Nepal. The event is being hosted this Thursday and Friday at Hotel Annapurna in Kathmandu.
Erasing the misunderstanding
The first thing Shrestha and Nepal want to teach Nepalis about hacking is that it is not always mala fide.
“Hacking is not a negative activity in itself. Both attackers and defenders can be called hackers,” Nepal defines, “People who manipulate software and websites, and operate them in the way they want are hackers. But, their intentions differentiate whether they are attackers or defenders.”
According to him, people who hack software and websites with malicious intentions are called ‘crackers’. “The international community differentiates hackers from crackers,” Shrestha informs, “However, in the case of Nepal, they are all hackers. Therefore, here, we use the phrase ‘ethically active hackers’ to refer to people like us, who hack software and websites to help people enhance their security.”
Nepal, meanwhile, informs that the international community of ethically active hackers is quite big. “It is amazing that there are hundreds of people who hack websites of other people and companies, find out their shortcomings, fix them and come out without revealing the identity, many times without expecting any reward.”
This is what the first edition of Threat Con wants to achieve, according to Shrestha.
Bridging the gap
Secondly, they want to bridge the gap between hacking professionals and the market need. The organisers have found that Nepali hackers are too few, and too underqualified, to meet the demand of the market.
“Every place that stores data in digital form and uses the internet to disseminate information needs hackers to keep data safe. Therefore, our scope is very wide,” Shrestha informs, “But, today, the number of professional hacking personnel in Nepal is around 20-25.”
Even these people are not equipped with updated and comprehensive information about emerging threats and defence tactics. The two-day event has been designed to address both of these problems, they claim.
“Though the number of professionals is very low, there are many people who are interested in working in this field. Most of them are students of computer science and different engineering programmes. Some private colleges in Kathmandu have introduced dedicated cybersecurity courses under foreign university affiliations,” Nepal informs, adding that the event will give them ideas about emerging employment opportunities.
The organisers have invited international speakers, who will share their ideas about different issues with the participants.
In fact, they had issued a call for conference papers open to everyone interested. “We had received around 25 submissions and had commissioned an experts’ panel to select the speakers and topics,” Shrestha informs, “Though two of the submissions were domestic, the experts’ panel did not select them and all the speakers happened to be foreigners.” This also suggests that Nepali personnel need to learn more from international practices.
About the event
The activities on the two days of the event are designed for different target groups. There will be two workshops—on building secure APIs and web applications, and bug bounty—on the first day. Both workshops will consist of extensive teaching sessions so that the attendees can get a solid grasp of the topics and build skills that serve their career goals. Around 30 professionals have registered to attend the workshops.
There will also be a conference on the second day. It will include five paper presentations—on building and developing communities, the OWASP Top 10 Proactive Controls 2018, exploiting cloud synchronization to mass hack IoTs, licence management, and managing an organisation’s cloud security posture—and a panel discussion on challenges of cybersecurity in Nepal. Representatives of concerned government agencies and private companies, as well as security professionals, will be on the panel.
Over 250 persons have confirmed their participation in the conference. Around 30 per cent of them are students.
“Besides talk sessions and workshops, we offer the participants an opportunity to build networks of the professionals,” Shrestha informs as Nepal adds, “On the sidelines of the conference we have tool exhibition stalls, live bug bounty demonstrations and hacking games. There will be a chill out area where you can take rest and talk about anything if any of the presentations bores you. It will be a completely fun event.”
ThreatNix has partnered with Internet Society Chapter Nepal and CAN Federation among others to host the event. Meanwhile, government agencies like Nepal Telecommunications Authority and the Department of Information Technology have extended ‘moral support’.
“We have requested the government agencies to bear some costs of the event as well, and we are hopeful about their cooperation,” Nepal shares.
But for now, ThreatNix and other organisers are covering the costs. There are some sponsors and the participants also have to pay certain charges to attend the workshops. But, the revenues are not sufficient to fund the entire event, according to Nepal.
“If you are concerned about the finance, we are in loss,” he says, “But, we are looking forward to other nonmonetary benefits the event will provide.”
“Ethically active hackers are altruistic; hence we are doing this event for the security of everyone.”