[HN Gopher] Indian Government Breached, Massive Amount of Critic...
___________________________________________________________________
Indian Government Breached, Massive Amount of Critical
Vulnerabilities
Author : astroanax
Score : 282 points
Date : 2021-02-22 06:57 UTC (16 hours ago)
(HTM) web link (johnjhacking.com)
(TXT) w3m dump (johnjhacking.com)
| Clewza313 wrote:
| This smells a bit off: why is there no detail whatsoever on
| _what_ exactly they breached? The "Indian Government" (central,
| state, other?) is a sprawling octopus that employs on the order
| of 50 million people, and there's a world of difference between
| breaching the public site of the Department of Fertilizers
| (https://fert.nic.in/) vs getting into the internal systems of
| the Ministry of External Affairs. The only clue appears to be
| those 14,000 police records.
|
| Update: the leader of the "Sakura Samurai" appears to be 15 years
| old, which explains a lot.
|
| https://mobile.twitter.com/jacksonhhax
| sneak wrote:
| > _why is there no detail whatsoever on what exactly they
| breached?_
|
| Because this is an ad.
| jcims wrote:
| I think that Twitter user is just a member. One of the founders
| is https://twitter.com/johnjhacking who proclaims to have a
| full time job and be a disabled vet.
| DyslexicAtheist wrote:
| Whoever is behind it, I find it hard to blame them. As they
| write on their blog:
|
| _> > Governments have an obligation to protect the private
| data of its employees and citizens. In addition, the exposure
| of proprietary government data can be used for great means of
| manipulation and for other destructive purposes. While the
| NCIIPC operates a Responsible Vulnerability Disclosure
| Program, the recklessness and avoidance of communication
| represents the complete opposite of a responsible program._
| <== from https://johnjhacking.com/blog/indian-government-breached-mas...
|
| Enough has been said by people inside and outside of India
| about UIDAI / Aadhaar[0][1] and its many horrible side-effects
| and the risks it creates. This situation was created years ago,
| after loud warnings from researchers and citizens who have
| meanwhile been silenced by the Modi government (who are the
| real culprits here).
|
| India did this to its people years ago already; therefore
| breaches here today are mere symptoms of incompetence (not the
| cause).
|
| [0] Aadhaar: 'Leak' in world's biggest database worries
| Indians https://www.bbc.com/news/world-asia-india-42575443
|
| [1] French Hacker transcends Aadhaar UIDAI helpline number to
| millions of Android phones in India
| https://www.cybersecurity-insiders.com/french-hacker-transce...
| eganist wrote:
| John Jackson (johnjhacking) is not jacksonhhax, though they're
| both part of the same group.
|
| For context, John's a vet who's employed in the field. And
| beyond that, he's published other sound security research in
| the past, e.g. https://johnjhacking.com/blog/cve-2020-28360/
| (https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-2836..., which links
| https://github.com/frenchbread/private-ip)
|
| As for the attribution chain to sakurasamurai.org, reference
| the following:
|
| * twitter.com/johnjhacking refers users to
|
| * twitter.com/sakurasamuraii, which links
|
| * sakurasamurai.org in a pinned tweet.
|
| Source: I know John personally.
| perryizgr8 wrote:
| "Indian government" means central government, not state. Just
| like "US government" always refers to the federal government.
| DavidSJ wrote:
| I would have the same question of the US federal government
| being breached: which systems, exactly?
| Clewza313 wrote:
| In Indian usage, yes, but this appears to have been written
| by a bunch of American teenagers.
| ethbr0 wrote:
| Well, we can't expect every hacker to know what they're
| looking at...
|
| > Game List
|
| >> GLOBAL THERMONUCLEAR WAR
| DyslexicAtheist wrote:
| premature attribution is as much a fallacy and problem as
| ignoring risks that lead to a breach in the first place.
| joshuaissac wrote:
| > Update: the leader of the "Sakura Samurai" appears to be 15
| years old, which explains a lot.
|
| What does it explain? Anyone who is not familiar with the
| branches of the Indian government could have omitted specific
| details of which departments were hacked.
| Clewza313 wrote:
| It explains that the whole press release/site down to the
| branding looks like amateur hour: https://sakurasamurai.pro/
| bdcravens wrote:
| Looks like every other text file I've seen from hacking
| groups over the last 25 years, which is the aesthetic
| they're going for.
| LockAndLol wrote:
| > Unfortunately, what seemed like a done deal turned out to be
| quite the unprofessional ride. Any organization knows that
| fixing breach-worthy vulnerabilities is extremely time
| sensitive. Once threat actors catch wind of major
| vulnerabilities against an organization they begin poking on
| their own, looking for more vectors of attack.
|
| Do you expect them to tell everybody exactly which systems are
| vulnerable? What is it you're suggesting they do?
| sbarre wrote:
| I believe they are suggesting that the systems be fixed in a
| timely manner.
|
| That was my read of the article.
| reallymental wrote:
| Is there any financial incentive to secure an Indian citizen's
| data ?
|
| In fact, there's more financial incentive to make things leaky,
| less work needs to be done to peek into your neighbor's yard, and
| the vast (vast, vast) majority of the people cannot give a damn
| about this.
|
| Frankly, I'm surprised they replied with an acknowledgement and
| tried to fix some vulns.
|
| Expect no more changes.
| deadalus wrote:
| Indian Government Sold Driver Licence Data to 87 Private
| Companies for Rs 65 Crore -
|
| https://www.news18.com/news/auto/government-sold-drivers-lic...
| _trampeltier wrote:
| California sells it for 50Mio USD and Florida for 77Mio USD. I
| guess everybody just sells everything today.
|
| https://www.caranddriver.com/features/a32035408/dmv-selling-...
| OmegaPG wrote:
| The data is already publicly available via government sites
| and the app store. By making the data public through 3rd parties,
| the government just made it easy for the public to access it.
| juancb wrote:
| What does Rs 65 Crore mean?
| [deleted]
| kuschku wrote:
| Crore is equivalent to 10e6. In this case, that would
| evaluate to 650'000'000 INR.
| chrismorgan wrote:
| > 10e6
|
| Under scientific notation, you should strongly prefer to
| write 1e7. 10e6 is just _begging_ for people to interpret
| it as 10^6 rather than 10x10^6 (10^7).
| kuschku wrote:
| But that's the definition, and every calculator's
| "engineering" mode shows it exactly like that, too. And
| usually you learn in middle school how to interpret that.
|
| Here's a photo with the calculator I used in middle
| school, showing exactly the specified number:
|
| https://i.k8r.eu/qOUpgg.png
| chrismorgan wrote:
| Curious. I don't have a traditional calculator to hand,
| but tools like Rust, Python and Wolfram|Alpha are all
| turning 10e50 into 1e51.
|
| https://en.wikipedia.org/wiki/Scientific_notation#Normalized...
| agrees with my memory that in normalised form the
| coefficient should be at least one and less than ten.
| whatshisface wrote:
| MeE isn't M^E, it's defined as M * 10^E.
| chrismorgan wrote:
| And that's what I was talking about from the start: 10e6
| is 10x10^6, which is in normalised form 1x10^7 or 1e7.
| [deleted]
| kuschku wrote:
| And the paragraph below the one you linked...
| https://en.wikipedia.org/wiki/Scientific_notation#Engineerin...
| is directly showing exactly the mode I'm using :)
| chrismorgan wrote:
| Oh, I get it and see what's happening. Kinda careless of
| me to miss it. Thanks for pointing it out.
| perryizgr8 wrote:
| https://perryizgr8.github.io/crores-to-millions/
|
| Tool I wrote to convert between Indian and American
| numbers.
|
| 65 crore = 650 million
| [deleted]
| Clewza313 wrote:
| Crore = 10 million, so 650 million rupees, or around $9M
| USD.
| chrismorgan wrote:
| Rs means rupees, specifically Indian rupees in this case,
| which has the symbol ₹ and code INR. (Other countries
| have rupees as well, but that symbol is specifically for
| Indian rupees.)
|
| One crore is 10 million in the Indian numbering system, see
| https://en.wikipedia.org/wiki/Crore.
| ngcc_hk wrote:
| Wonder. If the Indian Gov is so vulnerable, and given the
| China-India conflict ... maybe they'd like to use the stick.
| awooooo56709 wrote:
| China this China that. I bet you find a way to blame China if
| your poop comes out discolored.
| aritmo wrote:
| So in the process of communicating with the Indian Government to
| resolve the issues responsibly, they announce on Twitter "We
| Breached The Indian Government!!!".
|
| What is wrong with them?
| cute_boi wrote:
| no/less bounties from gov? researcher wants to show off? 10
| year old kid who recently wrote some script and has a lot of
| over confidence? Who knows.
|
| But it's the fault of the Indian Government too. They hire
| programmers who are less competent to save budget on salaries.
| And if someone reports some vulnerability, I bet the government
| police will come after the reporter. And there are no incentives
| either.
| brianxp wrote:
| The same thing happens, I believe, in almost all developing
| countries: they don't take security that seriously, all
| contracts related to technology are awarded to the company
| that charges the smallest amount of money and has ties with
| the public officers at the time, and when a researcher detects
| a bug in their software, depending on the entity they either
| sue the researcher or ignore him, until they are exposed by the
| public media.
|
| A couple of months ago the data of all Venezuelan immigrants got
| breached; the government did nothing until the public media
| started to talk about it.
| notretarded wrote:
| Being 15yo.
| bottled_poe wrote:
| They don't fear jail for some reason...why?
| Pick-A-Hill2019 wrote:
| I think the article covers that exact question (excerpt
| below)
|
| _Sakura Samurai coordinated with the U.S. DoD Vulnerability
| Disclosure Program (VDP) to assist in facilitating initial
| conversations of disclosure. John Jackson spoke with DC3's
| Program Manager via email and coordinated on a plan of
| action_
|
| &
|
| _Roughly 4 days later, after further communication with the
| DC3, we felt safe to begin our initial reveal of research on
| the NCIIPC's RVDP program._
| da39a3ee wrote:
| If they care, as they claim, about the consequences for the
| Indian public, why did they not disclose this less publicly? They
| think two weeks is a long time but perhaps the Indian government
| departments concerned don't immediately have the right sorts of
| people available to fix all these software problems in two weeks?
| TargetedVictim wrote:
| Dutch police and mainstream media are trying to kill me over
| bitcoin and ethereum, for over 3 years now.
| https://pastebin.com/btAfNf3T
| mandown2308 wrote:
| This is fine...
| rishabhd wrote:
| Try reporting something to Indian CERT; it's a bureaucratic chore.
| I tried reporting multiple, still open issues but nothing
| happened. One exposed PII data at scale, the other one exposed
| credentials at a critical sector organization. Now I am not
| reporting it anymore because no one listens.
|
| The key problem is that cyber in government is still very
| nascent, and security is an afterthought even in policy.
| sn41 wrote:
| Everyone seems to assume it is the central government. No one has
| remarked on the following, somewhat obvious, point. One of the
| screenshots has a heading in Malayalam, saying "Bill Vivarangal"
| - "Bill details" [1].
|
| Was it some government of Kerala service which was breached? Or
| is it one of several governments? Or was it only the central
| government with Malayalam as the language set for the interface?
|
| If it was an Indian hacker, they would know that the language
| will be a big giveaway, so they would have obscured it. (India
| has about 15 official languages, and probably about 10 scripts
| each with 10+ million users [2].) Overall, I cannot dismiss the
| feeling that it is some script kiddie who attacked some
| underfunded department, rather than some big deal.
|
| [1] https://johnjhacking.com/uploads/session-chained.png
|
| [2] https://en.wikipedia.org/wiki/Brahmic_scripts
| _hello_user wrote:
| https://sakurasamurai.org is a newly added domain (suspicious).
| In India there are some motivated groups that try to blame the
| central government for every action. I believe this is a new
| group trying the same thing.
| vijaybritto wrote:
| > "some motivated groups try to blame central government for
| every action"
|
| Nice try there bro. But unfortunately a newly added domain
| doesn't disprove anything mentioned in the article.
| sn41 wrote:
| I am not a fan of any government or political party in
| particular. Just pointing out an obvious fact.
|
| But the newly registered domain is not a red flag per se.
| That's how experienced groups might also go about covering
| their tracks.
| eganist wrote:
| The domain is fine. My reasoning is that I know John
| (johnjhacking), have worked with him, have at times educated
| him, have on more occasions learned from him, and lastly, the
| attribution chain is
|
| * twitter.com/johnjhacking refers users to
|
| * twitter.com/sakurasamuraii, which links
|
| * sakurasamurai.org
|
| It's not a random group trying to defame a government. It's a
| known security researcher with a sterling rep.
| imvetri wrote:
| Could also be Tamil.
| shrikant wrote:
| Don't just go by the transliteration in parent comment. If
| you see the screenshot, it's clearly Malayalam.
| sn41 wrote:
| Where?
| astatine wrote:
| This manner of disclosure seems rather callous and reaching out
| on twitter to communicate a discovered vuln smacks of attention
| seeking. The Indian Government sites are a very wide mix with
| some where there is active consideration of such criticalities
| and a huge number created by the local enterprising chap who is
| no longer involved. It's hardly a surprise that lots of sites are
| vulnerable. Without some info on the sites, this is just scare
| mongering. NPCI _is_ a critical piece of financial infrastructure
| but this could very well be the front-facing website and nothing
| to do with the financial services. Looks like an ad, as many
| others have pointed out.
| vickychijwani wrote:
| Sorry I might've missed it, where did you see NPCI (the
| payments body) mentioned? The organization mentioned repeatedly
| in the post is NCIIPC.
| ArkanExplorer wrote:
| At this point, wouldn't it be easier to design systems as
| completely open, with all user data exposed?
|
| Then for actual interaction purposes, to rely on biological
| verification? eg. widespread retina and fingerprint scanning.
|
| As a side effect this would somewhat limit tax evasion - if all
| tax returns and income were public, as in countries like Norway.
| yourapostasy wrote:
| _> ...eg. widespread retina and fingerprint scanning..._
|
| This previous HN discussion [1] about a "Falsehoods programmers
| believe about Biometrics" article might be relevant. Careful,
| here be dragons: edge cases still abound for the unwary
| implementer.
|
| [1] https://news.ycombinator.com/item?id=25700026
| ghoomketu wrote:
| If these guys were Indian, I'm pretty sure they would be facing
| jail time for exposing such vulnerabilities (1)
|
| (1)
| https://www.livemint.com/Opinion/S6Ep52qB9PK1DRLFUbUDBK/The-...
| sn41 wrote:
| Well. Section 47 is a real delight, a diabolical inversion of
| the principle of locus standi. Increasingly, there are agencies
| and laws which say that "you cannot take us to court". As
| though writing it makes it somehow legal. Reminds me of
| Calvinball.
| xxpor wrote:
| Sovereign Immunity means you can't sue the government unless
| given permission by a statute anyway.
| sn41 wrote:
| This has nothing to do with sovereign immunity. It is just
| an act. Expectedly, it was struck down by the Supreme Court
| as unconstitutional. It was just a ludicrous thing to try
| in the first place.
|
| https://www.timesnownews.com/business-economy/economy/articl...
| mdoms wrote:
| Am I reading a pen test report here? This is just an ad for a pen
| test agency, isn't it?
| smlckz wrote:
| > Governments have an obligation to protect the private data of
| its employees and citizens. In addition, the exposure of
| proprietary government data can be used for great means of
| manipulation and for other destructive purposes.
|
| Understandable.
|
| > While the NCIIPC operates a Responsible Vulnerability
| Disclosure Program, the recklessness and avoidance of
| communication represents the complete opposite of a responsible
| program. A failure to release notification of breach to affected
| citizens and to patch highly-critical vulnerabilities in a timely
| manner reflects poorly on the state of their Information Security
| posture. The clock to patch vulnerabilities began immediately
| when the DC3 contacted the NCIIPC via Twitter, as it is a highly
| visible space - one which threat actors avidly monitor.
|
| Why did they publish anything about the vulnerabilities before
| they were absolutely sure all of those had been mitigated?
| jauer wrote:
| > Why did they publish anything about the vulnerabilities
| before they were absolutely sure all of those had been
| mitigated?
|
| Because various entities tried to exploit that to defer any
| publication, which led to things never getting fixed.
|
| An entity may not want to fix things, but at some point their
| users / constituents have a right to know so they can take
| their own protective measures.
| smlckz wrote:
| > Because various entities tried to exploit that to defer any
| publication, which led to things never getting fixed.
|
| Also understandable.
|
| > [...] so they can take their own protective measures.
|
| Little can the ordinary citizen do whose data is at risk of
| exploitation. All responsibility lies on the government
| because the citizens do not have any other choice, as it
| seems to me. What protective measure can someone take who is
| vulnerable?
|
| With a thorough reading of the article, it is clear that the
| hackers are aware of what they are doing:
|
| > Once threat actors catch wind of major vulnerabilities
| against an organization they begin poking on their own,
| looking for more vectors of attack.
| bee_rider wrote:
| The industry standard seems to be disclosure to the entity
| followed by a reasonable grace period, at which point the
| bug is disclosed to the general public (where there's room
| to quibble in what the definition of "reasonable" there
| is).
|
| I'm not sure that helping individuals protect themselves is
| the main goal, though. It is important that entities
| respond to these issues in a reasonable timeframe, because
| if a small group of researchers, academics, or whatever can
| find a bug, then other nations' intelligence agencies or
| industrial espionage groups can as well.
|
| Realistically, in the case of companies, the best an
| individual can do is not do business with them. In the case
| of government agencies in democratic countries, public
| pressure is probably the way to go.
| vijaybritto wrote:
| > What protective measure can someone take who is
| vulnerable?
|
| Like deleting your sensitive documents that you have
| uploaded already. Removing contact information and other
| personal details.
| bottled_poe wrote:
| Because responsible disclosure isn't as cool as being a l337
| h4x0r
| swiley wrote:
| It also doesn't pay nearly as well with many organizations.
___________________________________________________________________
(page generated 2021-02-22 23:02 UTC)