‘Hi-tech policing system easy prey for hackers’
Uttar Pradesh police have found that the union home ministry’s flagship project — the Crime and Criminal Tracking Network and Systems (CCTNS) — is vulnerable to hackers who can enter into the system with ease and play havoc with data and information stored on the website.lucknow Updated: Jul 30, 2013 11:50 IST
The state police have found that the union home ministry’s flagship project — the Crime and Criminal Tracking Network and Systems (CCTNS) — is vulnerable to hackers who can enter into the system with ease and play havoc with data and information stored on the website.
The state police stumbled upon this fact about the Rs 2000-crore CCTNS during a security audit.
The Crime and Criminal Tracking Network and Systems aims at creating a nationwide network for investigation of crime and detection of criminals
Though the state government alerted the union home ministry about a month ago and asked it to make the system secure, the latter has taken no step to correct the flaw.
Talking to HT, a home department officer said while implementing the system, the police officers found that the Microsoft internet information service of the CCTNS allows local users to gain access via unknown vectors, related file change notifications in the TP root, the NNTP file root or WWW root folder.
The vulnerability analysis and penetration testing showed there was total information disclosure resulting in compromise of the system’s integrity.
The officer said the software had several shortcomings.
The website of the CCTNS suffered from directory listing vulnerability where all the files were openly listed and accessible to the public, he explained.
Some pages of the website were affected by the shell injection and SQL injection vulnerabilities, resulting in direct access to the backend database.
The attacker could render the resource completely unavailable, he added.
Prescribing a solution, the officer said all that the home ministry officers were required to do was to upgrade the servers to the latest Window server edition 2012 and the IIS 8 for eliminating server related vulnerability.
The officer favoured use of an intrusion prevention system for the security of the server, disabling the directory-browsing feature and setting up of a secure flag on the application.