Indian Government Breached, Massive Amount of Critical Vulnerabilities (johnjhacking.com)
301 points by astroanax on Feb 22, 2021 | 67 comments



This smells a bit off: why is there no detail whatsoever on what exactly they breached? The "Indian Government" (central, state, other?) is a sprawling octopus that employs on the order of 50 million people, and there's a world of difference between breaching the public site of the Department of Fertilizers (https://fert.nic.in/) vs getting into the internal systems of the Ministry of External Affairs. The only clue appears to be those 14,000 police records.

Update: the leader of the "Sakura Samurai" appears to be 15 years old, which explains a lot.

https://mobile.twitter.com/jacksonhhax


John Jackson (johnjhacking) is not jacksonhhax, though they're both part of the same group.

For context, John's a vet who's employed in the field. And beyond that, he's published other sound security research in the past, e.g. https://johnjhacking.com/blog/cve-2020-28360/ (https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-2836..., which links https://github.com/frenchbread/private-ip)

As for the attribution chain to sakurasamurai.org, reference the following:

• twitter.com/johnjhacking refers users to

• twitter.com/sakurasamuraii, which links

• sakurasamurai.org in a pinned tweet.

Source: I know John personally.


I think that Twitter user is just a member. One of the founders is https://twitter.com/johnjhacking who proclaims to have a full time job and be a disabled vet.


Whoever is behind it, I find it hard to blame them. As they write on their blog:

>> Governments have an obligation to protect the private data of its employees and citizens. In addition, the exposure of proprietary government data can be used for great means of manipulation and for other destructive purposes. While the NCIIPC operates a Responsible Vulnerability Disclosure Program, the recklessness and avoidance of communication represents the complete opposite of a responsible program. <== from https://johnjhacking.com/blog/indian-government-breached-mas...

Enough has been said by people inside and outside of India about UIDAI / Aadhaar[0][1] and its many horrible side-effects and the risks it creates. This situation was created years ago, after loud warnings from researchers and citizens who have since been silenced by the Modi government (who are the real culprits here).

India has done this to its people already years ago, therefore breaches here today are mere symptoms of incompetence (not the cause).

[0] Aadhaar: 'Leak' in world's biggest database worries Indians https://www.bbc.com/news/world-asia-india-42575443

[1] French Hacker transcends Aadhaar UIDAI helpline number to millions of Android phones in India https://www.cybersecurity-insiders.com/french-hacker-transce...


> Unfortunately, what seemed like a done deal turned out to be quite the unprofessional ride. Any organization knows that fixing breach-worthy vulnerabilities is extremely time sensitive. Once threat actors catch wind of major vulnerabilities against an organization they begin poking on their own, looking for more vectors of attack.

Do you expect them to tell everybody exactly which systems are vulnerable? What is it you're suggesting they do?


I believe they are suggesting that the systems be fixed in a timely manner.

That was my read of the article.


> why is there no detail whatsoever on what exactly they breached?

Because this is an ad.


> Update: the leader of the "Sakura Samurai" appears to be 15 years old, which explains a lot.

What does it explain? Anyone who is not familiar with the branches of the Indian government could have omitted specific details of which departments were hacked.


It explains that the whole press release/site down to the branding looks like amateur hour: https://sakurasamurai.pro/


Looks like every other text file I've seen from hacking groups over the last 25 years, which is the aesthetic they're going for.


"Indian government" means central government, not state. Just like "US government" always refers to the federal government.


I would have the same question of the US federal government being breached: which systems, exactly?


In Indian usage, yes, but this appears to have been written by a bunch of American teenagers.


Well, we can't expect every hacker to know what they're looking at...

> Game List

>> GLOBAL THERMONUCLEAR WAR


premature attribution is as much a fallacy and problem as ignoring risks that lead to a breach in the first place.


Everyone seems to assume it is the central government. No one has remarked on the following, somewhat obvious, point. One of the screenshots has a heading in Malayalam, saying "Bill Vivarangal" - "Bill details" [1].

Was it some government of Kerala service which was breached? Or is it one of several governments? Or was it only the central government with Malayalam as the language set for the interface?

If it was an Indian hacker, they would know that the language will be a big giveaway, so they would have obscured it. (India has about 15 official languages, and probably about 10 scripts each with 10+ million users [2].) Overall, I cannot dismiss the feeling that it is some script kiddie who attacked some underfunded department, rather than some big deal.

[1] https://johnjhacking.com/uploads/session-chained.png

[2] https://en.wikipedia.org/wiki/Brahmic_scripts
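The Tamil-or-Malayalam question raised in this thread can be settled mechanically once the heading is available as text (typed or OCR'd from the screenshot), because every character's Unicode name starts with its script. The example below is added here; it is not code from the thread or from the blog post, and the sample strings are constructed (the Malayalam line is my own rendering of "Bill vivarangal", not text lifted from the screenshot). It goes slightly beyond the single heading by reporting every script present, which is what you want when a page mixes a Latin label with a regional-language heading.

```python
import unicodedata
from collections import Counter

# Constructed samples (assumptions, not text extracted from the screenshot).
SAMPLES = {
    "malayalam": "ബിൽ വിവരങ്ങൾ",          # "Bill vivarangal", Malayalam script
    "tamil": "தமிழ்",                      # "Tamil", Tamil script
    "mixed": "Bill: ബിൽ വിവരങ്ങൾ 2021",   # Latin label plus a Malayalam heading
}


def script_counts(text):
    """Count characters per script, keyed by the first word of the Unicode
    character name (e.g. 'MALAYALAM', 'TAMIL', 'LATIN').

    Whitespace, digits, punctuation and format controls such as ZERO WIDTH
    JOINER are skipped, so they never masquerade as a script of their own."""
    counts = Counter()
    for ch in text:
        cat = unicodedata.category(ch)
        if ch.isspace() or ch.isdigit() or cat.startswith("P") or cat == "Cf":
            continue
        name = unicodedata.name(ch, "")
        if name:
            counts[name.split()[0]] += 1
    return counts


def dominant_script(text):
    """Script with the most characters, or None if the text has no letters."""
    counts = script_counts(text)
    if not counts:
        return None
    return counts.most_common(1)[0][0]


def non_latin_scripts(text):
    """Sorted list of every script other than Latin that appears in the text."""
    return sorted(s for s in script_counts(text) if s != "LATIN")


if __name__ == "__main__":
    for label, text in SAMPLES.items():
        print(f"{label:10} {dominant_script(text):10} {dict(script_counts(text))}")
```

The first word of a Unicode name is a convenient proxy for script, not a formal script property; for the Brahmic scripts discussed here it is reliable, but for Han/Kana text (names beginning "CJK") you would want the real `Script` property from a library that carries the Unicode data files.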


[flagged]


I am not a fan of any government or political party in particular. Just pointing out an obvious fact.

But the newly registered domain is not a red flag per se. That's how experienced groups might also go about covering their tracks.


The domain is fine. My reasoning is that I know John (johnjhacking), have worked with him, have at times educated him, have on more occasions learned from him, and lastly, the attribution chain is

* twitter.com/johnjhacking refers users to

* twitter.com/sakurasamuraii, which links

* sakurasamurai.org

It's not a random group trying to defame a government. It's a known security researcher with a sterling rep.


> "some motivated groups try to blame central government for every action"

Nice try there, bro. But unfortunately a newly added domain doesn't disprove anything mentioned in the article.


It could also be Tamil.


Don't just go by the transliteration in parent comment. If you see the screenshot, it's clearly Malayalam.


Where?


This manner of disclosure seems rather callous, and reaching out on Twitter to communicate a discovered vuln smacks of attention seeking. The Indian Government sites are a very wide mix, with some where there is active consideration of such criticalities and a huge number created by the local enterprising chap who is no longer involved. It's hardly a surprise that lots of sites are vulnerable. Without some info on the sites, this is just scaremongering. NPCI is a critical piece of financial infrastructure, but this could very well be the front-facing website and have nothing to do with the financial services. Looks like an ad, as many others have pointed out.


Sorry I might've missed it, where did you see NPCI (the payments body) mentioned? The organization mentioned repeatedly in the post is NCIIPC.


Try reporting something to Indian CERT; it's a bureaucratic chore. I tried reporting multiple, still open issues, but nothing happened. One exposed PII data at scale, the other exposed credentials at a critical sector organization. Now I am not reporting it anymore because no one listens.

The key problem is that cyber in government is still very nascent, and security is an afterthought even in policy.


> Governments have an obligation to protect the private data of its employees and citizens. In addition, the exposure of proprietary government data can be used for great means of manipulation and for other destructive purposes.

Understandable.

> While the NCIIPC operates a Responsible Vulnerability Disclosure Program, the recklessness and avoidance of communication represents the complete opposite of a responsible program. A failure to release notification of breach to affected citizens and to patch highly-critical vulnerabilities in a timely manner reflects poorly on the state of their Information Security posture. The clock to patch vulnerabilities began immediately when the DC3 contacted the NCIIPC via Twitter, as it is a highly visible space - one which threat actors avidly monitor.

Why did they publish anything about the vulnerabilities before they were absolutely sure all of those had been mitigated?


> Why did they publish anything about the vulnerabilities before they were absolutely sure all of those had been mitigated?

Because various entities tried to exploit that to defer any publication, which led to things never getting fixed.

An entity may not want to fix things, but at some point their users / constituents have a right to know so they can take their own protective measures.


> Because various entities tried to exploit that to defer any publication, which led to things never getting fixed.

Also understandable.

> [...] so they can take their own protective measures.

Little can the ordinary citizen do whose data is at risk of exploitation. All responsibility lies on the government because the citizens do not have any other choice, as it seems to me. What protective measure can someone take who is vulnerable?

With a thorough reading of the article, it is clear that the hackers are aware of what they are doing:

> Once threat actors catch wind of major vulnerabilities against an organization they begin poking on their own, looking for more vectors of attack.


The industry standard seems to be disclosure to the entity followed by a reasonable grace period, at which point the bug is disclosed to the general public (where there's room to quibble in what the definition of "reasonable" there is).

I'm not sure that helping individuals protect themselves is the main goal, though. It is important that entities respond to these issues in a reasonable timeframe, because if a small group of researchers, academics, or whatever can find a bug, then other nations' intelligence agencies or industrial espionage groups can as well.

Realistically, in the case of companies, the best an individual can do is not do business with them. In the case of government agencies in democratic countries, public pressure is probably the way to go.


> What protective measure can someone take who is vulnerable?

Like deleting your sensitive documents that you have uploaded already. Removing contact information and other personal details.


Because responsible disclosure isn't as cool as being a l337 h4x0r.


It also doesn't pay nearly as well with many organizations.


If these guys were Indian, I'm pretty sure they would be facing jail time for exposing such vulnerabilities (1)

(1) https://www.livemint.com/Opinion/S6Ep52qB9PK1DRLFUbUDBK/The-...


Well. Section 47 is a real delight, a diabolical inversion of the principle of locus standi. Increasingly, there are agencies and laws which say that "you cannot take us to court". As though writing it makes it somehow legal. Reminds me of calvinball.


Sovereign Immunity means you can't sue the government unless given permission by a statute anyway.


This has nothing to do with sovereign immunity. It is just an act. Expectedly, it was struck down by the Supreme Court as unconstitutional. It was just a ludicrous thing to try in the first place.

https://www.timesnownews.com/business-economy/economy/articl...


Is there any financial incentive to secure an Indian citizen's data ?

In fact, there's more financial incentive to make things leaky: less work needs to be done to peek into your neighbor's yard, and the vast (vast, vast) majority of the people cannot give a damn about this.

Frankly, I'm surprised they replied with an acknowledgement and tried to fix some vulns.

Expect no more changes.


Indian Government Sold Driver Licence Data to 87 Private Companies for Rs 65 Crore -

https://www.news18.com/news/auto/government-sold-drivers-lic...


The data is already publicly available via government sites and app store. By making the data public through 3rd parties, government just made it easy for public to access it.


California sells it for 50 million USD and Florida for 77 million USD. I guess everybody sells everything today.

https://www.caranddriver.com/features/a32035408/dmv-selling-...


What does Rs 65 Crore mean?


Rs means rupees, specifically Indian rupees in this case, which has the symbol ₹ and code INR. (Other countries have rupees as well, but that symbol is specifically for Indian rupees.)

One crore is 10 million in the Indian numbering system, see https://en.wikipedia.org/wiki/Crore.


Crore = 10 million, so 650 million rupees, or around $9M USD.


https://perryizgr8.github.io/crores-to-millions/

Tool I wrote to convert between Indian and American numbers.

65 crore = 650 million


Crore is equivalent to 10e6. In this case, that would evaluate to 650'000'000 INR.
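The crore/million confusion above comes down to two things: a different set of named units (lakh = 10^5, crore = 10^7) and a different digit grouping (65,00,00,000 rather than 650,000,000). The example below is added here; it is not the linked converter's code nor anything from the thread. It parses phrases such as "Rs 65 Crore" into an integer number of rupees and formats the result in either grouping; the unit table and the accepted currency prefixes are my assumptions, and the example goes beyond the thread's single figure by also accepting lakh, thousand, million and billion.

```python
import re
from decimal import Decimal

# Multipliers for the named units (assumed set; "million"/"billion" are
# included so the same parser accepts the Western spelling of the same amount).
UNITS = {
    "thousand": 10**3,
    "lakh": 10**5,
    "crore": 10**7,
    "million": 10**6,
    "billion": 10**9,
}

# Optional currency marker, a number (commas allowed in either grouping),
# and an optional unit word: "Rs 65 Crore", "650 million", "1.5 lakh",
# "₹65,00,00,000". The accepted prefixes are an assumption of this example.
_AMOUNT = re.compile(r"(?:rs\.?|inr|₹)?\s*(\d[\d,]*(?:\.\d+)?)\s*([a-z]+)?", re.I)


def parse_amount(text):
    """Return the integer amount denoted by a phrase such as "Rs 65 Crore"."""
    m = _AMOUNT.search(text)
    if not m:
        raise ValueError(f"no amount found in {text!r}")
    number = Decimal(m.group(1).replace(",", ""))
    unit = (m.group(2) or "").lower().rstrip("s")  # "crores" -> "crore"
    if unit and unit not in UNITS:
        raise ValueError(f"unknown unit {unit!r}")
    return int(number * UNITS.get(unit, 1))


def format_indian(n):
    """Group digits the Indian way: last three, then pairs (65,00,00,000)."""
    n = int(n)
    digits = str(abs(n))
    head, tail = digits[:-3], digits[-3:]
    groups = []
    while head:                      # peel two digits at a time from the right
        groups.insert(0, head[-2:])
        head = head[:-2]
    body = ",".join(groups + [tail])
    return ("-" if n < 0 else "") + body


def format_western(n):
    """Group digits in threes (650,000,000)."""
    return f"{int(n):,}"


def to_crore(n):
    """Express an integer amount in crore, e.g. 650000000 -> Decimal('65')."""
    return Decimal(int(n)) / UNITS["crore"]


if __name__ == "__main__":
    amount = parse_amount("Rs 65 Crore")        # figure quoted in the thread
    print(amount, format_indian(amount), format_western(amount), to_crore(amount))
```

Decimal rather than float is used for the multiplication so that "1.5 lakh" comes out as exactly 150000; with binary floats a fractional coefficient can land one unit off after truncation to int.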


> 10e6

Under scientific notation, you should strongly prefer to write 1e7. 10e6 is just begging for people to interpret it as 10⁶ rather than 10×10⁶ (10⁷).


But that's the definition, and every calculator's "engineering" mode shows it exactly like that, too. And usually you learn in middle school how to interpret that.

Here’s a photo with the calculator I used in middle school, showing exactly the specified number:

https://i.k8r.eu/qOUpgg.png


Curious. I don’t have a traditional calculator to hand, but tools like Rust, Python and Wolfram|Alpha are all turning 10e50 into 1e51.

https://en.wikipedia.org/wiki/Scientific_notation#Normalized... agrees with my memory that in normalised form the coefficient should be at least one and less than ten.


And the paragraph below the one you linked... https://en.wikipedia.org/wiki/Scientific_notation#Engineerin... is directly showing exactly the mode I'm using :)


Oh, I get it and see what’s happening. Kinda careless of me to miss it. Thanks for pointing it out.


I can see how it's not obvious if you never learnt it, but especially when working with the SI it's incredibly useful and makes many hidden relationships quickly obvious.


MeE isn't M^E, it's defined as M * 10^E.


And that’s what I was talking about from the start—10e6 is 10×10⁶, which is in normalised form 1×10⁷ or 1e7.


Am I reading a pen test report here? This is just an ad for a pen test agency, isn't it?


At this point, wouldn't it be easier to design systems as completely open, with all user data exposed?

Then for actual interaction purposes, to rely on biological verification? eg. widespread retina and fingerprint scanning.

As a side effect this would somewhat limit tax evasion - if all tax returns and income were public, as in countries like Norway.


> ...eg. widespread retina and fingerprint scanning...

This previous HN discussion [1] about a "Falsehoods programmers believe about Biometrics" article might be relevant. Careful, here be dragons, edge cases still abound the unwary implementer.

[1] https://news.ycombinator.com/item?id=25700026


So in the process of communicating with the Indian Government to resolve the issues responsibly, they announce on Twitter "We Breached The Indian Government!!!".

What is wrong with them?


No/fewer bounties from the government? Researcher wants to show off? 10-year-old kid who recently wrote some script and has a lot of overconfidence? Who knows.

But it's the fault of the Indian Government too. They hire programmers who are less competent to save budget for salaries. And if someone reports some vulnerability, I bet the government police will come after the reporter. And there are no incentives either.


The same thing happens, I believe, in almost all developing countries: they don't take security that seriously, and all contracts related to technology are awarded to the company that charges the smallest amount of money and has ties with the public officers at the time. When a researcher detects a bug in their software, depending on the entity they either sue the researcher or ignore him, until they are exposed by the public media.

A couple of months ago the data of all Venezuelan immigrants was breached; the government did nothing until the public media started to talk about it.


They don’t fear jail for some reason...why?


I think the article covers that exact question (excerpt below)

Sakura Samurai coordinated with the U.S. DoD Vulnerability Disclosure Program (VDP) to assist in facilitating initial conversations of disclosure. John Jackson spoke with DC3’s Program Manager via email and coordinated on a plan of action

&

Roughly 4 days later, after further communication with the DC3, we felt safe to begin our initial reveal of research on the NCIIPC’s RVDP program.


Being 15yo.


If they care, as they claim, about the consequences for the Indian public, why did they not disclose this less publicly? They think two weeks is a long time, but perhaps the Indian government departments concerned don't immediately have the right sorts of people available to fix all these software problems in two weeks?


Very few large organisations, and zero distributed ones like a collection of multiple government departments, can turn around a massive collection of security fixes in 2 weeks.

I believe Google's Security team usually gives vendors 90 days before they go public.


I'd wager they just ran pccleanupscan on their XP boxes for the first time since 2004 and got a shock. I guess the bulk of it was installed within the last 16 years. They probably had 90% of that malware for 15 years by now. You know how these skits go.


I wonder. If the Indian Government is so vulnerable, and given the China-India conflict ... maybe they'd like to use the stick.


This is fine...



