Hindustan Times (Noida)

Cyber security brass steps in as experts flag delay in fixing lapses

- Binayak Dasgupta and Sunetra Choudhury letters@hindustantimes.com

RESEARCHERS FOUND ISSUES IN SEVERAL GOVERNMENT-RUN WEB SERVICES, MORE THAN HALF OF WHICH BELONGED TO STATE GOVERNMENTS. THE ISSUES INCLUDED POTENTIAL ACCESS TO INFORMATION, POSSIBLE LEAKS OF SENSITIVE FILES AND KNOWN BUGS

NEW DELHI: India’s top cybersecurity officials stepped in as a group of researchers said agencies were slow in fixing a slew of critical vulnerabilities pointed out over two weeks ago, potentially creating a situation where attackers could access sensitive information and carry out more disruptive operations against government servers.

Issues were found in dozens of government-run web services, more than half of which belonged to different state governments. Several of them had multiple issues, including exposed credentials that would allow someone unauthorised access, leaks of sensitive files and the existence of known bugs which, if exploited, could lead to deeper access, the researchers told HT.

“Remedial actions have been taken by NCIIPC (National Critical Information Infrastructure Protection Centre) and CERT-In (Indian Computer Emergency Response Team)… NCIIPC handles only the Critical Information Infrastructure issues. In this case the balance pertained to other states and departments that were immediately informed by CERT-In. It is likely that some action may be pending by users at state levels which we are checking,” National Cyber Security Coordinator (NCSC) Lt Gen Rajesh Pant told HT on Sunday.

The remark by the official came as members of his team opened communications with the researchers who found the vulnerabilities, according to a person aware of the development, who asked not to be named. The researchers – part of a collective that calls itself Sakura Samurai – said they reached out to the NCIIPC in the first few days of February but most of the issues they flagged were unresolved for over two weeks.

“You need to fix this. I’ve went through our report and not even 1/8 of these Critical Vulnerabilities are fixed, weeks later. Do the Indian Citizens know that they are exposed? They have the right to be protected. This isn’t fluff. Fixing this is Critical,” said Sakura Samurai’s John Jackson, in a series of tweets addressed to NCIIPC on February 19.

Late on Saturday, Jackson published a blog with an overview of the vulnerabilities that, without citing specifics, mentioned the discovery of 35 instances of credential pairs, 3 instances of sensitive files, over 13,000 personally identifiable information instances and dozens of police FIRs.

Additionally, they discovered multiple vulnerabilities that could be chained to potentially compromise extremely sensitive government systems.

In the blog, Jackson said they tested gov.in systems for vulnerabilities as part of the NCIIPC’s Responsible Vulnerability Disclosure Program (RVDP), a practice followed the world over in which companies and countries allow developers, researchers and security professionals to report issues that could pose a risk to information security.

On Sunday, after backchannel lines were opened to the NCSC, the official’s team escalated the incident to the respective agencies, according to a person aware of developments who asked not to be identified.

CERT-In did not respond to HT’s requests for comment.

Experts said the incident highlights the need to improve coordination on such issues.

“Vulnerability management is a complex science. No government gets it right. Transparency in disclosure and swiftness of response become crucial then. The ‘coordination’ part of the National Cyber Coordination Centre needs a major reboot,” said Pukhraj Singh, a cyber threats analyst, while suggesting that manual notification and assessment protocols be automated.

“We need not wait for a catastrophe like the SolarWinds attack to make us realise how our cyber vulnerabilities could set back our national security by decades,” he added.

Concerns about response times were also flagged by an Indian researcher, who found a trove of data relating to Covid-19 test results of people in a particular state.

The issue “is resulting in the leakage of lakhs of Covid test reports. These include sensitive information like name, age, residence address, exact date of sample testing, etc,” said Sourajeet Majumder. Majumder flagged the issue to CERT-In on February 10 but it was yet to be fixed. HT is not identifying the state in order to minimise the risk of the information being targeted.
