Nikhil Aryal

(Narapichas)

Roshan Sapkota
Aarya Dahal
Kushal Poudel
Hacking
Hacking is referred to exploiting the system vulnerabilities and
compromising security in order to gain unauthorized or inappropriate
access to system resources misusing electronic devices.

Hackers.
A hacker is an intelligent individual, who breaks into system
without authorization to destroy, steal sensitive data, or perform
malicious activities, with exceptional computer skills with enough
knowledge to discover vulnerability.
TYPES OF HACKERS.
Black Hat Hackers

01 They are the hackers who go out their way to find vulnerabilities
and exploit them for financial gain, malicious purpose, to gain
reputation.
White Hat Hackers

02
They are hired by an organization to test holes in the security
system and attempt to prevent the success of the black hat
hacker through proactive hacking.
Grey Hat Hackers
They attempt to violate standards and principles but without
03 intending to do harm or financial gain and are typically carried out
for the common good.
Vianet’s Data breech: Narapichas

On April 08, 2020 Nepal’s one of the leading ISPs of

Nepal, Vianet Communications, faced a massive data
breach exposing all its 1,76,519 user’s data. The
leaked data included the user’s email address, phone
number, and address. An anonymous hacker leaked
information, under the pseudonym “Narapichas”.
Later to be found that he was 16 years old hacker
Nikhil Aryal aka Narapichas from Rupandehi.
Identify the type of hacker in the mentioned scenario and
his motive. What did he wanted to prove?

Narapichas is categorized as a black hat hacker. Although, he claims that his

motive of the attack was to aware the companies and the consumers about the
vulnerabilities in the system and consequences they could face, his methods
were wrong. He exploited the vulnerabilities he found and publicized the data
he breeched which is something a black hat hacker would do. He wanted to
show the public that the security systems of Nepalese Organizations are not
safe and should be scanned, updated and fixed frequently.
Do a threat, vulnerability, and risk analysis (in the risk assessment
matrix) with the above incidence reference.
Threat analysis
Vianet’s Data Breach falls under Host level threat since its databases were exploited
and unauthorized access was gained.

Vulnerabilities analysis
In case of Vianet, IDOR (Insecure direct object reference, a type of access control
vulnerability in digital security) was exploited by Narapichas. This can occur when a
web application or application programming interface, uses an identifier for direct
access, to an object in an internal database but does not check for access control or
authentication. So, it also falls under the category of external assessment.

Risk analysis
In the risk assessment matrix, Vianet’s Data Breach falls under the scenario where it
is possible to happen in future as well with the severity rating of moderate. Similar
database breaches has have occurred in Nepal with catastrophic severity rating.
Similar Cases Of Database Breaches
Foodmandu
On March 2020, The
hackers have leaked the
database consist of more
than 50,000 Utilizer
denominations, personal
detail, latitude, longitude,
current address, emails,
and phone number.,
Department Mercantile
Regime’s various
of Communications
Departments
Passports Pvt Ltd.
On July 25, 2017, 58 On June 27, 2017, On April 15, a group of
regime websites were Department of hackers gained
reportedly hacked by Passports got unauthorized access to
a hacking group hacked by a group data systems of the dot
called ‘Paradox of Turkish hackers np (.np) domain
Cyber Ghost’, and defaced with of Mercantile
making it one of the threatening notes to Communication Pvt.
largest breaches of all reveal the Ltd  in Nepal and
times in Nepal. government’s data. launched a cyber-attack
As a Security Analyst or Security Engineer what would I do?

If I were the Security Analyst or Security Engineer, I would:

Before Attack:
• Scan the system often to check for possible vulnerabilities.
• When the hacker warned about vulnerabilities, take it seriously and find a way to
patch it up.
• Encrypt the data in the best way possible.

After Attack (if happened):

• Find ways to recover the data of the system.
• Warn the consumers about the consequences that could occur.
• Make the system more secure.
What were the consequences of the data breach?

● Vianet’s reputation was immensely damaged.

● Many scam users started contacting the users whose data were leaked claiming to be
the representative of Vianet.
● Vianet advised the consumers to take some actions regarding their usage.
● A person in the biggest tech company of Nepal, Ask Buddie, found out the
loophole through which he could extract the same details as leaked and reported it to
Vianet. The Vianet fixed it but only after 3 months. And they didn’t even reward
them.
● Other similar companies also started securing the system and apply security
measures.
Legal Actions against Narpichas
 His friends reported Nepal Police with no technical
evidences rather the screenshots of their conversation
with him.
 Then the Nepal Police took the action and took him to the
custody.

 Under the Electronic Transaction Act (ETA) 2063,

Chapter 9.
• Article 45, Unauthorized Access in Computer Materials;
• Article 48, Confidentiality to Divulge
 As he was under 18 years old, he was not imprisoned
instead, was charged certain sum of money. He was
restricted from using devices connecting to internet for
few months.
Awesome
words Thank You!