Cyber security brass steps in as experts flag delay in fixing lapses | Latest News India - Hindustan Times
close_game
close_game

Cyber security brass steps in as experts flag delay in fixing lapses

By, Sunetra Choudhury, Hindustan Times, New Delhi
Feb 22, 2021 03:07 AM IST

Late on Saturday, Jackson published a blog with an overview of the vulnerabilities that, without citing specifics, mentioned the discovery of 35 instances of credentials pairs, 3 instances of sensitive files, over 13,000 personally identifiable information instances, dozens of police FIRs.

India’s top cybersecurity officials stepped in as a group of researchers said agencies were slow in fixing a slew of critical vulnerabilities pointed out over two weeks ago, which has potentially created a situation where attackers could access sensitive information and carry out more disruptive operations against government servers.

Cyber security firms collect information from all web platforms, including Dark Web forums, to prevent real-time attacks on leaked data, actionable intelligence on illegal drug and medication trades and insider-threat monitoring.(Shutterstock)
Cyber security firms collect information from all web platforms, including Dark Web forums, to prevent real-time attacks on leaked data, actionable intelligence on illegal drug and medication trades and insider-threat monitoring.(Shutterstock)

Issues were found in dozens of government-run web services, more than half of which belonged to different state governments. Several of them had multiple issues, including exposed credentials that would allow someone unauthorised access, leaks of sensitive files and the existence of known bugs which, if exploited, could lead to deeper access, the researchers told HT.

Hindustan Times - your fastest source for breaking news! Read now.

“Remedial actions have been taken by NCIIPC (National Critical Information Infrastructure Protection Centre) and Cert-IN (Indian Computer Emergency Response Team)… NCIIPC handles only the Critical Information Infrastructure issues. In this case the balance pertained to other states and departments that were immediately informed by Cert-IN. It is likely that some action may be pending by users at state levels which we are checking,” National Cyber Security Coordinator (NCSC) Lt Gen Rajesh Pant told HT on Sunday.

Also Read | Ex-defence personnel hit by phishing attack

The remark by the official came as members of his team opened communications with the researchers who found the vulnerabilities, according to a person aware of the development, asking not to be named. The researchers – part of a collective that calls itself Sakura Samurai -- said they reached out to the NCIIPC in the first few days of February but most of the issues they flagged were unresolved for over two weeks.

“You need to fix this. I’ve went through our report and not even 1/8 of these Critical Vulnerabilities are fixed, weeks later. Do the Indian Citizens know that they are exposed? They have the right to be protected. This isn’t fluff. Fixing this is Critical,” said Sakura Samurai’s John Jackson, in a series of tweets addressed to NCIIPC on February 19.

Late on Saturday, Jackson published a blog with an overview of the vulnerabilities that, without citing specifics, mentioned the discovery of 35 instances of credentials pairs, 3 instances of sensitive files, over 13,000 personally identifiable information instances, dozens of police FIRs.

Additionally, they discovered multiple vulnerabilities that could be chained to potentially compromise extremely sensitive government systems.

In the blog, Jackson said they tested gov.in systems for vulnerabilities as part of the NCIIPC’s Responsible Vulnerability Disclosure Program (RVDP), a practice followed world over in which companies and countries allow developers, researchers and security professionals to report issues that could pose a risk to information security.

On Sunday, after backchannel lines were opened to the NCSC, the official’s team escalated the incident to the respective agencies, according to a person aware of developments who asked not to be identified. Cert-IN did not respond to requests for a comment to HT.

Experts said the incident highlights the need to improve coordination on such issues.

“Vulnerability management is a complex science. No government gets it right. Transparency in disclosure and swiftness of response become crucial then. The ‘coordination’ part of the National Cyber Coordination Centre needs a major reboot,” said Pukhraj Singh, a cyber threats analyst, while suggesting that manual notification and assessment protocols be automated.

“We need not wait for a catastrophe like the SolarWinds attack to make us realise how our cyber vulnerabilities could set back our national security by decades,” he added.

Concerns about response times were also flagged by an Indian researcher, who found a trove of data relating to Covid-19 test results of people in a particular state.

The issue “is resulting in the leakage of lakhs of Covid test reports. These include sensitive information like name, age, residence address exact date of sample testing, etc,” said Sourajeet Majumder. Majumder flagged the issue to Cert-IN on February 10 but the issue was yet to be fixed. HT is not identifying the state in order to minimise the risk of the information being targeted.

Unveiling Elections 2024: The Big Picture', a fresh segment in HT's talk show 'The Interview with Kumkum Chadha', where leaders across the political spectrum discuss the upcoming general elections. Watch now!

Get Current Updates on India News, Election 2024, Arvind Kejriwal News Live, Bihar Board 10th Result 2024 Live along with Latest News and Top Headlines from India and around the world.
SHARE THIS ARTICLE ON
Share this article
  • ABOUT THE AUTHOR
    author-default-90x90

    Binayak reports on information security, privacy and scientific research in health and environment with explanatory pieces. He also edits the news sections of the newspaper.

  • ABOUT THE AUTHOR
    author-default-90x90

    Sunetra Choudhury is the National Political Editor of the Hindustan Times. With over two decades of experience in print and television, she has authored Black Warrant (Roli,2019), Behind Bars: Prison Tales of India’s Most Famous (Roli,2017) and Braking News (Hachette, 2010). Sunetra is the recipient of the Red Ink award in journalism in 2016 and Mary Morgan Hewett award in 2018.

SHARE
Story Saved
Live Score
OPEN APP
Saved Articles
Following
My Reads
Sign out
New Delhi 0C
Thursday, March 28, 2024
Start 14 Days Free Trial Subscribe Now
Follow Us On