Cyber security brass steps in as experts flag delay in fixing lapses
NEW DELHI: India’s top cybersecurity officials stepped in as a group of researchers said agencies were slow in fixing critical vulnerabilities pointed out over two weeks ago, which has potentially created a situation where attackers could access sensitive information and carry out more disruptive operations against government servers.
Issues were found in dozens of government-run web services, more than half of which belonged to state governments. Several of them had multiple issues, including exposed credentials that would allow someone unauthorised access, leaks of sensitive files and the existence of known bugs which, if exploited, could lead to deeper access, researchers told HT.
“Remedial actions have been taken by NCIIPC (National Critical Information Infrastructure Protection Centre) and Cert-in (Indian Computer Emergency Response Team)… NCIIPC handles only the Critical Information Infrastructure issues. In this case the balance pertained to other states and departments that were immediately informed by Cert-in. It is likely that some action may be pending by users at state levels which we are checking,” National Cyber Security Coordinator (NCSC) Lt Gen Rajesh Pant told HT on Sunday.
The official's remark came as members of his team opened communications with the researchers who found the vulnerabilities, according to a person aware of the development who asked not to be named. The researchers – part of a collective that calls itself Sakura Samurai – said they reached out to the NCIIPC in the first few days of February but most of the issues they flagged were unresolved for over two weeks.
“You need to fix this. I’ve went through our report and not even 1/8 of these Critical Vulnerabilities are fixed, weeks later. Do the Indian Citizens know that they are exposed? They have the right to be protected. This isn’t fluff. Fixing this is Critical,” said Sakura Samurai’s John Jackson, in a series of tweets addressed to NCIIPC on February 19.
Late on Saturday, Jackson published a blog post with an overview of the vulnerabilities that, without citing specifics, mentioned the discovery of 35 instances of credential pairs, 3 instances of sensitive files, over 13,000 personally identifiable information instances and dozens of police FIRs.
Additionally, they discovered multiple vulnerabilities that could be chained to potentially compromise extremely sensitive government systems.