Government Website Vulnerabilities: Mitigating the Risks
What Needs to Be Done to Protect Citizens' Data?
First, Bharat Sanchar Nigam Limited, or BSNL, the state-run telecommunications company; India Post; the Indian Space Research Organization; and numerous other portals were discovered to be exposing Aadhaar details of Indian citizens. Now, the website of the Union Ministry of Home Affairs, or MHA, also has been confirmed to be vulnerable.
The MHA website uses Let's Encrypt Authority X3 to encrypt data that can be edited by any programmer and bypassed by any hacker, according to Kislay Chaudhary, founder of the Indian Cyber Army, an association of ethical hackers.
Chaudhary says he pointed out the MHA site vulnerability to the department on the same day he discovered it. Apparently, MHA has taken no action so far, he says.
Clearly, the government isn't doing enough to ensure its websites are secure. For starters, the government should pay prompt attention to warnings from local security researchers.
Where Are the Vulnerabilities?
In the past few weeks, a number of government website vulnerabilities have been pointed out by a French researcher who goes by the name Elliot Alderson on Twitter, taking on the name of the main protagonist in the popular TV series "Mr. Robot."
"In theory, a government website is very secure but in India, it's another story," Alderson wrote on Twitter after discovering vulnerabilities on the Telangana government portal.
Most vulnerabilities in government websites apparently are due to failure to address basic issues. For example, in the case of BSNL, its websites were hackable because of SQL injection vulnerabilities, according to Alderson. In the case of India Post, the attacks were carried out using a flaw in Apache Struts, Alderson remarked.
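The SQL injection class named above is the kind of "basic issue" that a single coding habit removes. The following is an added illustration, not code from any of the sites or researchers mentioned in this article: it builds a constructed in-memory SQLite table (the names and addresses are invented) and runs the same lookup two ways, once by splicing the input into the query text and once with a bound parameter, to show why only the second form is safe to ship.

```python
import sqlite3


def make_db():
    # Constructed sample data; not taken from any real site or breach.
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, email TEXT)"
    )
    conn.executemany(
        "INSERT INTO users (username, email) VALUES (?, ?)",
        [
            ("alice", "alice@example.invalid"),
            ("bob", "bob@example.invalid"),
            ("carol", "carol@example.invalid"),
        ],
    )
    return conn


def lookup_vulnerable(conn, username):
    # VULNERABLE: the caller's input becomes part of the SQL text, so a quote
    # character in the input changes the structure of the query itself.
    sql = "SELECT username, email FROM users WHERE username = '%s'" % username
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn, username):
    # FIXED: the query text is fixed and the value is bound by the driver, so
    # whatever the input contains is compared as data, never parsed as SQL.
    sql = "SELECT username, email FROM users WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


def demo():
    """Run both lookups with a normal input and a textbook injection string."""
    conn = make_db()
    honest = "alice"
    hostile = "x' OR '1'='1"  # classic probe used in every SQLi tutorial
    return {
        "vulnerable_honest": lookup_vulnerable(conn, honest),
        "vulnerable_hostile": lookup_vulnerable(conn, hostile),  # leaks every row
        "parameterized_honest": lookup_parameterized(conn, honest),
        "parameterized_hostile": lookup_parameterized(conn, hostile),  # no match
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print(name, rows)
```

Running the block shows that the vulnerable lookup returns all three rows for the hostile input while the parameterized lookup returns none, which is exactly the difference between a data leak and a harmless failed search. The same rule applies to any driver or ORM: the fix is to never build SQL text from user input, and a code review or static scan that flags string formatting into a query is the cheapest way to catch it before a site goes live.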
"Government officials have little or no accountability for security breaches which occur under their watch and often have vested interests in promoting a vendor who is close to them," says a security practitioner from Bangalore, who claims he has pointed out vulnerabilities to government departments but was given a cold shoulder.
A common complaint among Indian security researchers is that there is little action or acknowledgement by the government when website vulnerabilities are pointed out. "Even for effecting required changes, the approval at times is sought from the bureaucracy, who are just too busy to approve them," says Sivakumar Krishnan, former head of IT at M Power.
Bangalore-based Sujatha Yaksiri, a computer scientist at EdgeVerve, a subsidiary of Infosys, shares her experience reporting a vulnerability to the government.
"One of the nationalized banks exposed confidential data of customers and its internal employees to the public. In spite of telling them that they have breached the security principles, people who were responsible to handle this vulnerability program were very reluctant to take any action to fix the issues," Yaksiri claims. "Multiple reminders for about one and half months went in vain."
Alderson has repeatedly pointed out that most of the vulnerabilities at government websites that he's highlighted had already been discovered by Indian researchers.
So looks like crowdsourcing has found a solution.
Government departments now have a bug disclosure mechanism.
1. If you find an issue, then DM @fs0c131y
2. The issue gets wide publicity.
3. Issue gets fixed.
1. No jail time.
2. No FIR
Alas, #aadhaar is above even this.
— Your connection has timed out. (@anant_bhushan) March 12, 2018
BSNL and India Post acted on Alderson's tweets that pointed to the flaws but apparently had remained unconcerned when local researchers had flagged them.
It's unfortunate that a government pushing "Make in India" has failed to practice what it's preaching.
"I once reported a bug I found on the website of Indian Railway Catering and Tourism Corporation, or IRCTC. They threatened me with legal action for accessing their website unauthorizedly," says a Pune-based researcher, who asked not to be named.
India lacks laws that protect researchers who expose security flaws. The Information Technology Act makes it clear that anyone who gains unauthorized access to a computer resource is liable.
Indian security research groups are as competent and strong as any of their international counterparts. The perception that the government gives more attention to researchers outside of India could be changed if CERT-In engaged with the local security community in a more proactive manner.
A Call to Action
The government needs to create a policy to recognize and reward findings from ethical hackers and researchers based in India.
"The efforts of security researchers should be appreciated via bug bounty programs," Yaksiri says.
Other steps the government needs to take include:
- Mandate cybersecurity awareness programs for all government employees;
- Conduct regular security and phishing drills;
- Do more to attract and retain qualified cybersecurity staff, recruiting experts from the private sector.