Indian Government Breached, Massive Amount of Critical Vulnerabilities (opens in new tab)

(johnjhacking.com)

301 pointsastroanax5y ago67 comments

67 comments

This smells a bit off: why is there no detail whatsoever on what exactly they breached? The "Indian Government" (central, state, other?) is a sprawling octopus that employs on the order of 50 million people, and there's a world of difference between breaching the public site of the Department of Fertilizers (https://fert.nic.in/) vs getting into the internal systems of the Ministry of External Affairs. The only clue appears to be those 14,000 police records.

Update: the leader of the "Sakura Samurai" appears to be 15 years old, which explains a lot.

https://mobile.twitter.com/jacksonhhax

eganist5y ago

John Jackson (johnjhacking) is not jacksonhhax, though they're both part of the same group.

For context, John's a vet who's employed in the field. And beyond that, he's published other sound security research in the past, e.g. https://johnjhacking.com/blog/cve-2020-28360/ (https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-2836..., which links https://github.com/frenchbread/private-ip)

As for the attribution chain to sakurasamurai.org, reference the following:

• twitter.com/johnjhacking refers users to

• twitter.com/sakurasamuraii, which links

• sakurasamurai.org in a pinned tweet.

Source: I know John personally.

jcims5y ago

I think that Twitter user is just a member. One of the founders is https://twitter.com/johnjhacking who proclaims to have a full time job and be a disabled vet.

DyslexicAtheist5y ago

whoever is behind it I find it hard to blame them. As they write on their blog:

>> Governments have an obligation to protect the private data of its employees and citizens. In addition, the exposure of proprietary government data can be used for great means of manipulation and for other destructive purposes. While the NCIIPC operates a Responsible Vulnerability Disclosure Program, the recklessness and avoidance of communication represents the complete opposite of a responsible program. <== from https://johnjhacking.com/blog/indian-government-breached-mas...

Enough has been said by people inside and outside of India about UIDAI / Aadahaar[0][1] and it's many horrible side-effects and risks it creates. This situation that has been created years ago after loud warnings of researchers and citizens who have meanwhile been silenced by the Modi government (who are the real culprits here).

India has done this to its people already years ago, therefore breaches here today are mere symptoms of incompetence (not the cause).

[0] Aadhaar: 'Leak' in world's biggest database worries Indians https://www.bbc.com/news/world-asia-india-42575443

[1] French Hacker transcends Aadhaar UIDAI helpline number to millions of Android phones in India https://www.cybersecurity-insiders.com/french-hacker-transce...

LockAndLol5y ago

> Unfortunately, what seemed like a done deal turned out to be quite the unprofessional ride. Any organization knows that fixing breach-worthy vulnerabilities is extremely time sensitive. Once threat actors catch wind of major vulnerabilities against an organization they begin poking on their own, looking for more vectors of attack.

Do you expect them to tell everybody exactly which systems are vulnerable? What is it you're suggesting they do?

sbarre5y ago

I believe they are suggesting that the systems be fixed in a timely manner.

That was my read of the article.

sneak5y ago

> why is there no detail whatsoever on what exactly they breached?

Because this is an ad.

joshuaissac5y ago

> Update: the leader of the "Sakura Samurai" appears to be 15 years old, which explains a lot.

What does it explain? Anyone who is not familiar with the branches of the Indian government could have omitted specific details of which departments were hacked.

Clewza3135y ago

It explains that the whole press release/site down to the branding looks like amateur hour: https://sakurasamurai.pro/

1 more reply

perryizgr85y ago

"Indian government" means central government, not state. Just like "US government" always refers to the federal government.

DavidSJ5y ago

I would have the same question of the US federal government being breached: which systems, exactly?

Clewza3135y ago

In Indian usage, yes, but this appears to have been written by a bunch of American teenagers.

2 more replies

sn415y ago

Everyone seems to assume it is the central government. No one has remarked on this, the following somewhat obvious. One of the screenshots has a heading in Malayalam, saying "Bill Vivarangal" - "Bill details" [1].

Was it some government of Kerala service which was breached? Or is it one of several governments? Or was it only the central government with Malayalam as the language set for the interface?

If it was an Indian hacker, they would know that the language will be a big giveaway, so they would have obscured it. (India has about 15 official languages, and probably about 10 scripts each with 10+ million users [2].) Overall, I cannot dismiss the feeling that it is some script kiddie who attacked some underfunded department, rather than some big deal.

[1] https://johnjhacking.com/uploads/session-chained.png

[2] https://en.wikipedia.org/wiki/Brahmic_scripts

imvetri5y ago

Tamil kooda irukalam

shrikant5y ago

Don't just go by the transliteration in parent comment. If you see the screenshot, it's clearly Malayalam.

sn415y ago

enge?

astatine5y ago

This manner of disclosure seems rather callous and reaching out on twitter to communicate a discovered vuln smacks of attention seeking. The Indian Government sites are a very wide mix with some where there is active consideration of such criticalities and a huge number created by the local enterprising chap who is no longer involved. Its hardly a surprise that lots of sites are vulnerable. Without some info on the sites, this is just scare mongering. NPCI is a critical piece of financial infrastructure but this could very well be the front-facing website and nothing to do with the financial services. Looks like an ad, as many others have pointed out.

vickychijwani5y ago

Sorry I might've missed it, where did you see NPCI (the payments body) mentioned? The organization mentioned repeatedly in the post is NCIIPC.

rishabhd5y ago

Try reporting something to Indian CERT, its a bureaucratic chore. I tried reporting multiple, still open issues but nothing happened. One exposed PII data at scale, the other one exposed credentials at a critical sector organization. Now I am not reporting it anymore because no one listens.

The key problem is that cyber in government is still very nascent, and security is an afterthought even in policy.

smlckz5y ago

> Governments have an obligation to protect the private data of its employees and citizens. In addition, the exposure of proprietary government data can be used for great means of manipulation and for other destructive purposes.

Understandable.

> While the NCIIPC operates a Responsible Vulnerability Disclosure Program, the recklessness and avoidance of communication represents the complete opposite of a responsible program. A failure to release notification of breach to affected citizens and to patch highly-critical vulnerabilities in a timely manner reflects poorly on the state of their Information Security posture. The clock to patch vulnerabilities began immediately when the DC3 contacted the NCIIPC via Twitter, as it is a highly visible space - one which threat actors avidly monitor.

Why did they published anything about the vulnerabilities before they were absolutely sure all of those has been mitigated?

jauer5y ago

> Why did they published anything about the vulnerabilities before they were absolutely sure all of those has been mitigated?

Because various entities tried to exploit that to defer any publicaton, which lead to things never getting fixed.

An entity may not want to fix things, but at some point their users / constituents have a right to know so they can take their own protective measures.

smlckz5y ago

> Because various entities tried to exploit that to defer any publicaton, which lead to things never getting fixed.

Also understandable.

> [...] so they can take their own protective measures.

Little can the ordinary citizen do whose data is at risk of exploitation. All responsibility lies on the government because the citizens do not have any other choice, as it seems to me. What protective measure can someone take who is vulnerable?

With a thorough reading of the article, it is clear that the hackers are aware of what they are doing:

> Once threat actors catch wind of major vulnerabilities against an organization they begin poking on their own, looking for more vectors of attack.

2 more replies

bottled_poe5y ago

Because responsible disclosure isn’t as cool and being a l337 h4x0r

swiley5y ago

It also doesn't pay nearly as well with many organizations.

ghoomketu5y ago

If these guys were Indian pretty sure they would be facing jail time for exposing such vulnerabilities (1)

(1) https://www.livemint.com/Opinion/S6Ep52qB9PK1DRLFUbUDBK/The-...

sn415y ago

Well. Section 47 is a real delight, a diabolical inversion of the principle of locus standi. Increasingly, there are agencies and laws which say that "you cannot take us to court". As though writing it makes it somehow legal. Reminds me of calvinball.

xxpor5y ago

Sovereign Immunity means you can't sue the government unless given permission by a statute anyway.

1 more reply

reallymental5y ago

Is there any financial incentive to secure an Indian citizen's data ?

In fact, there's more financial incentive to make things leaky, less work needs to be done to peek into your neighbors yard, and the vast (vast, vast) majority of the people cannot give a damn about this.

Frankly, I'm surprised they replied with an acknowledgement and tried to fix some vulns.

Expect no more changes.

deadalus5y ago

Indian Government Sold Driver Licence Data to 87 Private Companies for Rs 65 Crore -

https://www.news18.com/news/auto/government-sold-drivers-lic...

OmegaPG5y ago

The data is already publicly available via government sites and app store. By making the data public through 3rd parties, government just made it easy for public to access it.

_trampeltier5y ago

Calofornia does it sell for 50Mio USD and Florida for 77Mio USD. I guess just everybody sell everything today.

https://www.caranddriver.com/features/a32035408/dmv-selling-...

juancb5y ago

What does RS 65 Croer mean?

6 more replies

mdoms5y ago

Am I reading a pen test report here? This is just an ad for a pen test agency, isn't it?

ArkanExplorer5y ago

At this point, wouldn't it be easier to design systems as completely open, with all user data exposed?

Then for actual interaction purposes, to rely on biological verification? eg. widespread retina and fingerprint scanning.

As a side effect this would somewhat limit tax evasion - if all tax returns and income were public, as in countries like Norway.

yourapostasy5y ago

> ...eg. widespread retina and fingerprint scanning...

This previous HN discussion [1] about a "Falsehoods programmers believe about Biometrics" article might be relevant. Careful, here be dragons, edge cases still abound the unwary implementer.

[1] https://news.ycombinator.com/item?id=25700026

aritmo5y ago

So in the process of communicating with the Indian Government to resolve the issues responsibly, they announce on Twitter "We Breached The Indian Government!!!".

What is wrong with them?

cute_boi5y ago

no/less bounties from gov? researcher wants to show off? 10 year old kid who recently wrote some script and has a lot of over confidence? Who knows.

But its a fault of Indian Government too. They hire programmers who are less competent to save budget for salary. And if someone reports some vulnerebility I bet these government police will come after the reporter. And there is no incentives too.

brianxp5y ago

The same thing happens I believe in almost all developing countries, they don't take security that seriously, all contracts related with technology are awarded to the company, that charge the smallest amount of money and has ties with the public officers at the time, when a researcher detects a bug in their software depending on the entity they either sue the researcher or ignore him, until they are exposed by the public media.

Couple months ago the data of all Venezuelan immigrants got breached the government did nothing until the public media started to talk about it.

bottled_poe5y ago

They don’t fear jail for some reason...why?

Pick-A-Hill20195y ago

I think the article covers that exact question (excerpt below)

Sakura Samurai coordinated with the U.S. DoD Vulnerability Disclosure Program (VDP) to assist in facilitating initial conversations of disclosure. John Jackson spoke with DC3’s Program Manager via email and coordinated on a plan of action

Roughly 4 days later, after further communication with the DC3, we felt safe to begin our initial reveal of research on the NCIIPC’s RVDP program.

notretarded5y ago

Being 15yo.

da39a3ee5y ago

If they care, as they claim, about the consequences for the indian public, why did they not disclose this less publicly? They think two weeks is a long time but perhaps the Indian government departments concerned don't immediately have the right sorts of people available to fix all these software problems in two weeks?

wyaeld5y ago

Very few large organisations, and zero distributed ones like a collection of multiple government departments, can turn around a massive collection of security fixes in 2 weeks.

I believe Google's Security team usually gives vendors 90 days before they go public.

WigIndian5y ago

I'd wager they just ran pccleanupscan on their xp boxes for the first tine since 2004 and got a shock, I guess the bulk of it was installed within the last 16 years. They probably had 90% of that malware for 15 years by now. You know how these skits go.

ngcc_hk5y ago

Wonder. If Indian Gov so vulnerable and given the china-india conflict ... may be they like to use stick.

1 more reply

mandown23085y ago

This is fine...

j / k navigate · click thread line to collapse

67 comments

Clewza3135y ago

Update: the leader of the "Sakura Samurai" appears to be 15 years old, which explains a lot.

https://mobile.twitter.com/jacksonhhax

eganist5y ago

John Jackson (johnjhacking) is not jacksonhhax, though they're both part of the same group.

As for the attribution chain to sakurasamurai.org, reference the following:

• twitter.com/johnjhacking refers users to

• twitter.com/sakurasamuraii, which links

• sakurasamurai.org in a pinned tweet.

Source: I know John personally.

jcims5y ago

I think that Twitter user is just a member. One of the founders is https://twitter.com/johnjhacking who proclaims to have a full time job and be a disabled vet.

DyslexicAtheist5y ago

whoever is behind it I find it hard to blame them. As they write on their blog:

India has done this to its people already years ago, therefore breaches here today are mere symptoms of incompetence (not the cause).

[0] Aadhaar: 'Leak' in world's biggest database worries Indians https://www.bbc.com/news/world-asia-india-42575443

[1] French Hacker transcends Aadhaar UIDAI helpline number to millions of Android phones in India https://www.cybersecurity-insiders.com/french-hacker-transce...

LockAndLol5y ago

Do you expect them to tell everybody exactly which systems are vulnerable? What is it you're suggesting they do?

sbarre5y ago

I believe they are suggesting that the systems be fixed in a timely manner.

That was my read of the article.

sneak5y ago

> why is there no detail whatsoever on what exactly they breached?

Because this is an ad.

joshuaissac5y ago

> Update: the leader of the "Sakura Samurai" appears to be 15 years old, which explains a lot.

What does it explain? Anyone who is not familiar with the branches of the Indian government could have omitted specific details of which departments were hacked.

Clewza3135y ago

It explains that the whole press release/site down to the branding looks like amateur hour: https://sakurasamurai.pro/

1 more reply

perryizgr85y ago

"Indian government" means central government, not state. Just like "US government" always refers to the federal government.

DavidSJ5y ago

I would have the same question of the US federal government being breached: which systems, exactly?

Clewza3135y ago

In Indian usage, yes, but this appears to have been written by a bunch of American teenagers.

2 more replies

sn415y ago

Was it some government of Kerala service which was breached? Or is it one of several governments? Or was it only the central government with Malayalam as the language set for the interface?

[1] https://johnjhacking.com/uploads/session-chained.png

[2] https://en.wikipedia.org/wiki/Brahmic_scripts

imvetri5y ago

Tamil kooda irukalam

shrikant5y ago

Don't just go by the transliteration in parent comment. If you see the screenshot, it's clearly Malayalam.

sn415y ago

enge?

astatine5y ago

vickychijwani5y ago

Sorry I might've missed it, where did you see NPCI (the payments body) mentioned? The organization mentioned repeatedly in the post is NCIIPC.

rishabhd5y ago

The key problem is that cyber in government is still very nascent, and security is an afterthought even in policy.

smlckz5y ago

Understandable.

Why did they published anything about the vulnerabilities before they were absolutely sure all of those has been mitigated?

jauer5y ago

> Why did they published anything about the vulnerabilities before they were absolutely sure all of those has been mitigated?

Because various entities tried to exploit that to defer any publicaton, which lead to things never getting fixed.

An entity may not want to fix things, but at some point their users / constituents have a right to know so they can take their own protective measures.

smlckz5y ago

> Because various entities tried to exploit that to defer any publicaton, which lead to things never getting fixed.

Also understandable.

> [...] so they can take their own protective measures.

With a thorough reading of the article, it is clear that the hackers are aware of what they are doing:

> Once threat actors catch wind of major vulnerabilities against an organization they begin poking on their own, looking for more vectors of attack.

2 more replies

bottled_poe5y ago

Because responsible disclosure isn’t as cool and being a l337 h4x0r

swiley5y ago

It also doesn't pay nearly as well with many organizations.

ghoomketu5y ago

If these guys were Indian pretty sure they would be facing jail time for exposing such vulnerabilities (1)

(1) https://www.livemint.com/Opinion/S6Ep52qB9PK1DRLFUbUDBK/The-...

sn415y ago

xxpor5y ago

Sovereign Immunity means you can't sue the government unless given permission by a statute anyway.

1 more reply

reallymental5y ago

Is there any financial incentive to secure an Indian citizen's data ?

Frankly, I'm surprised they replied with an acknowledgement and tried to fix some vulns.

Expect no more changes.

deadalus5y ago

Indian Government Sold Driver Licence Data to 87 Private Companies for Rs 65 Crore -

https://www.news18.com/news/auto/government-sold-drivers-lic...

OmegaPG5y ago

The data is already publicly available via government sites and app store. By making the data public through 3rd parties, government just made it easy for public to access it.

_trampeltier5y ago

Calofornia does it sell for 50Mio USD and Florida for 77Mio USD. I guess just everybody sell everything today.

https://www.caranddriver.com/features/a32035408/dmv-selling-...

juancb5y ago

What does RS 65 Croer mean?

6 more replies

mdoms5y ago

Am I reading a pen test report here? This is just an ad for a pen test agency, isn't it?

ArkanExplorer5y ago

At this point, wouldn't it be easier to design systems as completely open, with all user data exposed?

Then for actual interaction purposes, to rely on biological verification? eg. widespread retina and fingerprint scanning.

As a side effect this would somewhat limit tax evasion - if all tax returns and income were public, as in countries like Norway.

yourapostasy5y ago

> ...eg. widespread retina and fingerprint scanning...

This previous HN discussion [1] about a "Falsehoods programmers believe about Biometrics" article might be relevant. Careful, here be dragons, edge cases still abound the unwary implementer.

[1] https://news.ycombinator.com/item?id=25700026

aritmo5y ago

So in the process of communicating with the Indian Government to resolve the issues responsibly, they announce on Twitter "We Breached The Indian Government!!!".

What is wrong with them?

cute_boi5y ago

no/less bounties from gov? researcher wants to show off? 10 year old kid who recently wrote some script and has a lot of over confidence? Who knows.

brianxp5y ago

Couple months ago the data of all Venezuelan immigrants got breached the government did nothing until the public media started to talk about it.

bottled_poe5y ago

They don’t fear jail for some reason...why?

Pick-A-Hill20195y ago

I think the article covers that exact question (excerpt below)

Roughly 4 days later, after further communication with the DC3, we felt safe to begin our initial reveal of research on the NCIIPC’s RVDP program.

notretarded5y ago

Being 15yo.

da39a3ee5y ago

wyaeld5y ago

Very few large organisations, and zero distributed ones like a collection of multiple government departments, can turn around a massive collection of security fixes in 2 weeks.

I believe Google's Security team usually gives vendors 90 days before they go public.

WigIndian5y ago

ngcc_hk5y ago

Wonder. If Indian Gov so vulnerable and given the china-india conflict ... may be they like to use stick.

1 more reply

mandown23085y ago

This is fine...

j / k navigate · click thread line to collapse