This smells a bit off: why is there no detail whatsoever on what exactly they breached? The "Indian Government" (central, state, other?) is a sprawling octopus that employs on the order of 50 million people, and there's a world of difference between breaching the public site of the Department of Fertilizers (https://fert.nic.in/) vs getting into the internal systems of the Ministry of External Affairs. The only clue appears to be those 14,000 police records.
Update: the leader of the "Sakura Samurai" appears to be 15 years old, which explains a lot.
I think that Twitter user is just a member. One of the founders is https://twitter.com/johnjhacking who proclaims to have a full time job and be a disabled vet.
> Unfortunately, what seemed like a done deal turned out to be quite the unprofessional ride. Any organization knows that fixing breach-worthy vulnerabilities is extremely time sensitive. Once threat actors catch wind of major vulnerabilities against an organization they begin poking on their own, looking for more vectors of attack.
Do you expect them to tell everybody exactly which systems are vulnerable? What is it you're suggesting they do?
> Update: the leader of the "Sakura Samurai" appears to be 15 years old, which explains a lot.
What does it explain? Anyone who is not familiar with the branches of the Indian government could have omitted specific details of which departments were hacked.
Everyone seems to assume it is the central government. No one has remarked on the following, which is somewhat obvious: one of the screenshots has a heading in Malayalam, saying "Bill Vivarangal" - "Bill details" [1].
Was it some government of Kerala service which was breached? Or is it one of several governments? Or was it only the central government with Malayalam as the language set for the interface?
If it was an Indian hacker, they would know that the language will be a big giveaway, so they would have obscured it. (India has about 15 official languages, and probably about 10 scripts each with 10+ million users [2].) Overall, I cannot dismiss the feeling that it is some script kiddie who attacked some underfunded department, rather than some big deal.
This manner of disclosure seems rather callous, and reaching out on Twitter to communicate a discovered vuln smacks of attention seeking. The Indian Government sites are a very wide mix, with some where there is active consideration of such criticalities and a huge number created by the local enterprising chap who is no longer involved. It's hardly a surprise that lots of sites are vulnerable. Without some info on the sites, this is just scaremongering. NPCI is a critical piece of financial infrastructure, but this could very well be the front-facing website and nothing to do with the financial services. Looks like an ad, as many others have pointed out.
Try reporting something to Indian CERT; it's a bureaucratic chore. I tried reporting multiple still-open issues but nothing happened. One exposed PII data at scale, the other one exposed credentials at a critical sector organization. Now I am not reporting it anymore because no one listens.
The key problem is that cyber in government is still very nascent, and security is an afterthought even in policy.
> Governments have an obligation to protect the private data of its employees and citizens. In addition, the exposure of proprietary government data can be used for great means of manipulation and for other destructive purposes.
Understandable.
> While the NCIIPC operates a Responsible Vulnerability Disclosure Program, the recklessness and avoidance of communication represents the complete opposite of a responsible program. A failure to release notification of breach to affected citizens and to patch highly-critical vulnerabilities in a timely manner reflects poorly on the state of their Information Security posture. The clock to patch vulnerabilities began immediately when the DC3 contacted the NCIIPC via Twitter, as it is a highly visible space - one which threat actors avidly monitor.
Why did they publish anything about the vulnerabilities before they were absolutely sure all of those had been mitigated?
> Why did they publish anything about the vulnerabilities before they were absolutely sure all of those had been mitigated?
Because various entities tried to exploit that to defer any publication, which led to things never getting fixed.
An entity may not want to fix things, but at some point their users / constituents have a right to know so they can take their own protective measures.
Well. Section 47 is a real delight, a diabolical inversion of the principle of locus standi. Increasingly, there are agencies and laws which say that "you cannot take us to court". As though writing it makes it somehow legal. Reminds me of Calvinball.
Is there any financial incentive to secure an Indian citizen's data?
In fact, there's more financial incentive to make things leaky: less work needs to be done to peek into your neighbor's yard, and the vast (vast, vast) majority of the people cannot give a damn about this.
Frankly, I'm surprised they replied with an acknowledgement and tried to fix some vulns.
> ...e.g. widespread retina and fingerprint scanning...
This previous HN discussion [1] about a "Falsehoods programmers believe about Biometrics" article might be relevant. Careful, here be dragons; edge cases still abound for the unwary implementer.
So in the process of communicating with the Indian Government to resolve the issues responsibly, they announce on Twitter "We Breached The Indian Government!!!".
No/fewer bounties from gov? Researcher wants to show off? 10-year-old kid who recently wrote some script and has a lot of overconfidence? Who knows.
But it's a fault of the Indian Government too. They hire programmers who are less competent to save budget for salary. And if someone reports some vulnerability, I bet these government police will come after the reporter. And there are no incentives either.
If they care, as they claim, about the consequences for the Indian public, why did they not disclose this less publicly? They think two weeks is a long time, but perhaps the Indian government departments concerned don't immediately have the right sorts of people available to fix all these software problems in two weeks?
Very few large organisations, and zero distributed ones like a collection of multiple government departments, can turn around a massive collection of security fixes in 2 weeks.
I believe Google's Security team usually gives vendors 90 days before they go public.
I'd wager they just ran pccleanupscan on their XP boxes for the first time since 2004 and got a shock; I guess the bulk of it was installed within the last 16 years. They probably had 90% of that malware for 15 years by now. You know how these skits go.
Clewza313|5 years ago
https://mobile.twitter.com/jacksonhhax
eganist|5 years ago
For context, John's a vet who's employed in the field. And beyond that, he's published other sound security research in the past, e.g. https://johnjhacking.com/blog/cve-2020-28360/ (https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-2836..., which links https://github.com/frenchbread/private-ip)
As for the attribution chain to sakurasamurai.org, reference the following:
• twitter.com/johnjhacking refers users to
• twitter.com/sakurasamuraii, which links
• sakurasamurai.org in a pinned tweet.
Source: I know John personally.
jcims|5 years ago
LockAndLol|5 years ago
sneak|5 years ago
Because this is an ad.
joshuaissac|5 years ago
perryizgr8|5 years ago
sn41|5 years ago
[1] https://johnjhacking.com/uploads/session-chained.png
[2] https://en.wikipedia.org/wiki/Brahmic_scripts
_hello_user|5 years ago
[deleted]
imvetri|5 years ago
astatine|5 years ago
vickychijwani|5 years ago
rishabhd|5 years ago
smlckz|5 years ago
jauer|5 years ago
bottled_poe|5 years ago
ghoomketu|5 years ago
(1) https://www.livemint.com/Opinion/S6Ep52qB9PK1DRLFUbUDBK/The-...
sn41|5 years ago
reallymental|5 years ago
Expect no more changes.
deadalus|5 years ago
https://www.news18.com/news/auto/government-sold-drivers-lic...
mdoms|5 years ago
ArkanExplorer|5 years ago
Then for actual interaction purposes, to rely on biological verification? e.g. widespread retina and fingerprint scanning.
As a side effect this would somewhat limit tax evasion - if all tax returns and income were public, as in countries like Norway.
yourapostasy|5 years ago
[1] https://news.ycombinator.com/item?id=25700026
aritmo|5 years ago
What is wrong with them?
cute_boi|5 years ago
bottled_poe|5 years ago
notretarded|5 years ago
da39a3ee|5 years ago
wyaeld|5 years ago
WigIndian|5 years ago
ngcc_hk|5 years ago
awooooo56709|5 years ago
[deleted]
TargetedVictim|5 years ago
[deleted]
mandown2308|5 years ago