<link rel="stylesheet" href="//fonts.googleapis.com/css?family=Open+Sans%3A400italic%2C700italic%2C400%2C700">Computer security Archives « Aam JanataSkip to content

Since the last few weeks, there has been a sudden uptick of anonymous accounts supporting Aadhaar and dismissing concerns and news of information leaks, security and privacy issues. These accounts were all either created in may or scrubbed of all content and began tweeting afresh in May. Some of them are propaganda accounts that tweet only positives about Aadhaar and/or gloss over issues raised on grounds of law, constitutionality, fundamental rights, privacy, ethics, security, national security and so on.

Here are some of the accounts.

Out of these the @supportaadhaar has been separately claimed by Rashmi Ranjan so far

But there were more serious handles that were created in May, anonymous and interacted specifically with critics of Aadhaar in various ways that ranged from defamation to threats of legal action. For example, these handles.

It did not take us long to figure out what was going on. Prominent handles that had criticized Aadhaar on technical grounds (not lawyers, or political or ethical grounds) were the main targets. It was rapidly obvious that these were fronts for people from the tech community. Likely people profiting from Aadhaar, because it is really not plausible that the abundantly detailed flaws revealed in Aadhaar could not be understood by them.

When one of these handles, @confident_india tangled with Kiran Jonnalgadda, he was able to make an educated guess at its identity and proved it by verifying the troll account against a real phone number. That phone number belonged to the co-founder, governing body member and director of iSPIRIT - Sharad Sharma. The director of iSPIRIT was going around using a fake handle and planting allegations of profiting from criticism of Aadhaar against critics. Planting allegations about them working for foreign intelligence agencies (ironically, MongoDB that Aadhaar uses is funded by the CIA).

Allegations of foreign intelligence affiliations
Who is funded by the CIA Allegations of foreign intelligence affiliations

On a stray note, after these allegations started happening, Nandan Nilekani ("mentor" to this circus) too referred to critics of Aadhaar with vested interests from his real account while promoting that childish data free article asking personal questions related to motivations of aadhaar critics that is replied to here.

Kiran informed several of us about his investigation into this troll (aka director of iSPIRIT, Sharad Sharma) and we independently verified that his number was indeed attached to the fake account, because he knew that once he exposed Sharad Sharma in public, the phone number would immediately be removed and perhaps the anonymous account as well.

He made this video public in a tweet and later blogged about it. Thiyagarajan M, a fellow at iSPIRIT blogged a reply on medium.com as well stating that Sharad had denied the allegations and they would be investigated, while he admits that the presentation Kiran mentions exists and is just a strategy document that does not recommend anonymous trolling. He states that they were aware that some of them had created an anonymous campaign and claims it is not an official campaign by iSPIRIT. As though an official campaign would be put in writing formally.

We are aware that some volunteers and their friends have created an anonymous campaign to Support Aadhaar. This is not a troll campaign, but an informational one. It is also not an iSPIRT campaign.

I am not sure what remains to investigate. If it is about investigating how Sharad can possibly be taken off the hook, it shouldn't need an organization existing because of an authentication based product too long to realize that there really is no sane way.

No official handle related with iSPIRIT has so far published any statement to the best of my knowledge. Sharad Sharma and the troll have both promptly denied to it, of course. Except, in the process of denying that he was @confident_india, Sharad seems to have proved himself to be @indiaforward2 as well! He accidentally tweeted his denial of being @confident_india from the @indiaforward2 handle as well as his real handle, before tweeting the new tweets with his real handle. He deleted the tweets that went from both handles of course, but not before someone quick made a timely screenshot. So here we are.

 

Sharad tweeting as @indiaforward2

The denial from his main handle was read by many, but I don't have a screenshot of it... yet. However, he didn't delete it fast enough. Factordaily updated their reporting of the Sharad Sharma controversy with his denial

Sharad Sharma woke to tweetstorm in Atlanta
Sharad Sharma woke to tweetstorm in Atlanta just like @indiaforward2
Sharad tweeting as himself.
Sharad's denial of trolling from his real account
Sharad's denial of trolling from his real account

My immediate thought about it wasn't even so much that people in power use sneaky, unethical methods to get their way and undermine obstacles, but that the director of a company that is a collective of software developers and who were all defending Aadhaar on grounds of security and privacy were so ignorant about securing something as elementary as an anonymous account!

Once this expose was public, several people independently verified that they too had been able to authenticate access to the troll account with Sharad Sharma's personal number. For example:

 

Rohin Dharmakumar went a step ahead and showed how a mobile phone can't simply be attached to a Twitter account without actually verifying the number.

 

There are also a lot of people unaware of the developments in that country called Digital India who are aghast at what they are discovering. This is what you get for being gullible. Here. Educational. Video published from official iSPIRIT handle. Watch Pramod Varma, Sanjay Jain ex-UIDAI now "volunteer" at the ISpirt that "donates" to Govt and how this serves to avoid oversight by CAG, RTI.

In other words, what you have here is a bunch of private people who are creating products off big data collected from all citizens in a manner that allows them to evade accountability to the citizens for it. They also fund the government, push the expansion of Aadhaar in spite of extensive risks and violations of citizens rights being documented. In spite of the fact that Aadhaar effectively allows any infiltrator to become a "citizen" of the country by facilitating the creation of all documents that a citizen would have. And when the concerns raised get too alarming and there is no coherent defense of them possible, they make fake accounts to go around undermining dissenters so that the imposition of Aadhaar that puts citizens and country at risk may not be challenged.

If you do not speak up for your rights, they will be trampled on by profiteers out to exploit them at any cost.

2

This post has been updated to take out some points that were misunderstood by me and have been clarified and another issue which appears to be resolved.

Okay, I'm spooked. I don't understand this enough to even claim something is wrong. This is the most bizarre "email situation" I have ever seen.

It began with the government giving the address blackmoneyinfo@incometax.gov.in as the email address for citizens to send tip offs to the government about people who have black money. Leaving the Nazi like technique aside, I was puzzled by the address, as the Indian Income Tax Department's website is incometaxindia.gov.in

So I tried to find the website this email that the government provided belongs to. It doesn't exist. Okaaay. Does the domain exist? It does. And it seems to be registered to the income tax department as well. So far, so good.

Got a brainwave. If it was a server configured only for email, it wouldn't be seen by looking up domain, which looks at website address on port 80. So I did an MX lookup (that would be specifically for email server). Bingo! There it was, configuration errors and warnings and all, hosted on a subdomain pdcsmtp02.incometax.gov.in - which apparently is blacklisted for SPAM!!! The IP address for this is 125.19.19.84 (more on this later) and the reverse IP address does not match. It is for mail.incometaxindia.gov.in!!! Which seems to be blacklisted on FIVE spam lists? So the replies to the email will either not be received by people, or they will be received. It is unclear what has got the domains a spam status. The reasons could range from a relatively benign misuse of official address by a few employees to the server being compromised and used to send spam to even worse, the server being infected and emails could be infected too (spam is often the vector for malware, which is why you never click links in it, remember?)

Anyway, spam or not, whatever it was, I thought I'd found the holy grail. I tried going to the subdomain pdcsmtp02.incometax.gov.in. Page never stopped loading. It is still loading as I write this article. I have no idea what is on the other side. This is like a sarkari Darknet site.

I tried pinging it. Nothing. Depending on tool used, DNS service returns "domain not found" "name or service not found" etc.

Something very odd going on with this email address and server configuration. Is that why the Income Tax Department's server itself is being blacklisted for spam? Given how much the ruling party had done hatchet jobs on Somnath Bharti as a "spammer" without him being on any lists, I wonder what the government is now going to say about the Income Tax Department of INDIA!!!

On a relatively unrelated note, the IP address the Income Tax Department mail server is on, is hosted at DIT Jhandewalan and managed by a Mr. Simanchal Dash using his personal email address on yahoo and uses a Bharti Airtel network. Mr Simanchal Dash is personal secretary to Finance Minister Arun Jaitley. A server is important and official property. It is unclear why the secretary of the Finance Minister controls the server for the income tax department using a private yahoo account, and not an official government email or, for that matter why the government needs to buy network connections from Airtel.

What sorcery is this?

3

The government of India doesn't seem to be interested in getting security vulnerabilities fixed. A CS engineer, Bhavyanshu Parasher, has been spending his time understanding the current security standards deployed by the government of India in most of its data-critical apps and websites. Last year, in September, he disclosed a security flaw in Prime Minster Narendra Modi's web API that exposed user identifiable information like e-mail addresses and also that there was no proper authentication check for API endpoints. During that disclosure, he faced challenges because it was difficult for him to get in touch with concerned authorities. He mentioned on his blog that e-mail address mentioned on Google's Play Store were not working. We had to contact @buzzindelhi (the handle used by BJP's Arvind Gupta on Twitter) to help him get in touch with the concerned authorities.

"The e-mail address provided on Google's Play Store returned a response stating “The email account that you tried to reach is over quota”. Had to get in touch with authorities via Twitter."

Now, the same thing is happening again. He wants to disclose vulnerabilities in two major applications deployed by the Government of India but he is struggling to get in touch with the concerned authorities. He has published a post on his blog about it though he has not mentioned the specifics of the vulnerabilities yet, as he is hoping the government will patch them before he discloses them. However, this may be rendered moot, as our searches showed that at least one of the vulnerabilities has already been publicly disclosed, but not by Bhavyanshu. That security flaw is in an unpatched version of server software and there is a CVE assigned to it. Fix has been rolled out but developers are not aware of any of this. But then why wouldn't it be so? UIDAI website still uses SSLv2 and SHA1 encoding in a world where SSLv2 has been phased out for over a decade now, and even free SSL certificates like the one used on this site come with SHA2 encoding because SHA1 isn't considered secure. You can go to the UIDAI website and check this for yourself in your browser details for the SSL certificate.

UIDAI ssl fail
UIDAI SSL fail

Bhavyanshu sent emails on March 24 and then again on April 4, but he hasn't received any response. This time @buzzindelhi isn't showing much enthusiasm in getting the vulnerabilities fixed either. In response he just directed him to the public Twitter handle of Akhilesh Mishra (Director, myGov). Hardly an acceptable process for initiating discussion about security breaches!

https://twitter.com/buzzindelhi/status/714658965703958528

One would expect Mr. Mishra to contact Bhavyanshu immediately, but the truth is that even he isn't interested.There is, as yet, no reply from him.

It is cases like these which make the whole concept of Digital India look ugly. There are no dedicated e-mail addresses for security response teams. Official e-mail addresses don't work and the apps are poor on security. It is a goldmine for unethical hackers and a complete deterrent for ethical hackers who would like to help the government fix security leaks. There is no way for the researchers to get in touch with the concerned authorities. A concept like Digital India, without guaranteed user data security and user privacy, should not be promoted by the Government of India as it puts many people at risk.

Considering the complete lack of interest in securing the vulnerabilities, we cannot provide too many details. However, people looking to exploit government data would already have found these and would be using them by now. This isn't exactly rocket science. What data is vulnerable? Let us just say that I have seen e-mail addresses, Aadhaar numbers (where provided) and street addresses and can confidently say that a malicious hacker could write a script that replicates the data for all profiles. And before you think that such things are not done, just today, Madhu Menon posted a link to the hacked and leaked Turkish citizenship database.

A similar database of MyGov.in users could prove devastating to BJP, given that their supporters are disproportionately more likely to have signed up. And while Bhavyanshu stresses that he would not do it, it isn't outside the realm of belief that more malicious hackers not just could, but definitely would. And there seems to be no way to prevent this short of raising a public stink, because a government that claims to be interested in a Digital India does not seem to have the foggiest on digital security and the need to have developer teams rapidly rolling out fixes in the event vulnerabilities are found.

"Seems like the government doesn't have dedicated security team for projects that need immediate attention to security flaws. Instead, people who wish to disclose vulnerabilities have to rely on Twitter handles to get in touch with them. I am doing a lot of volunteer work like this because I like the concept of Digital India but I don't want it without data security and privacy. I have written a web app that will help eliminate this communication gap between researchers and authorities but whom to contact? Who are the concerned authorities after all? Don't give me another Twitter handle!" , Bhavyanshu told me when asked about the current status of vulnerability disclosure. He also pointed us to privacy policy of MyGov and why people should push government for better data security.

The page for MyGov.in on HackerOne - a bug bounty program by security leaders of top internet companies like Facebook, Microsoft and Google (that rewards hackers for finding and reporting vulnerabilities so that they can be fixed) says it all "There are no known guidelines for reporting potential security vulnerabilities to this organization." Even the fact that the app has no known process for reporting vulnerabilities is an immediate flag. It tells hackers that there is no one keeping an eye on it or worried about security. The most beginning programmer puts a working address on Google Play for contacting the developer. Yet, the official application of the largest democracy in the world fails to do it.

Contrast this with the Hack The Pentagon challenge that is actively rewarding hackers to break in and expose security vulnerabilities so that they can be fixed. This is the country where, a few days ago, our Prime Minister gave a speech at the nuclear summit on April Fool's Day explaining the need to fight terrorists using 21st century technology with modern technology.

Yet, his government seems supremely unconcerned about unauthorized access to confidential information. As the UK just saw, in a country that uses technology extensively, a security breach can be used as an attack vector, when hackers hack into the water supply and change the composition of chemicals put into the tap water. A more famous example to recall could be the Stuxnet worm that damaged Iran's nuclear facilities. Yep. Code resulting in real time damage to equipment. We have, in the past seen that banks too can be hacked. We have seen that election equipment can be rigged. What will it take for us to wake up before our money, our vote, our voice and even our physical location is compromised?

It is completely insane to push for a Digital India and inaugurate three websites a month without having the requisite push to secure the data that will now be vulnerable to theft, or facilities to access. If Digital India must be, then it must be preceded by a culture of taking technology seriously or the whole country will inevitably suffer.

MyGov privacy policy claims to protect user identifiable information. Below are the excerpts from their policy page.

1. "MyGov do not sell or share any personally identifiable information volunteered on this site to any third party (public/private). Any information provided on MyGov will be protected from loss, misuse, unauthorized access or disclosure, alteration, or destruction. MyGov gather certain information about the User, such as Internet protocol (IP) address, domain name, browser type, operating system, the date and time of the visit and the pages visited. MyGov make no attempt to link these addresses with the identity of individuals visiting our site unless an attempt to damage MyGov has been detected."
(https://mygov.in/simple-page/terms-conditions/)

2. "Please note that MyGov do not share any personally identifiable information volunteered on this site with any third party (public/private). Any information provided to this website will be protected from loss, misuse, unauthorized access, disclosure, alteration, or destruction."
(https://mygov.in/mygov-faq/)

Turns out that like many other things, this privacy policy is a jumla as well.

Bhavyanshu Parasher, a young computer science engineer took a look at Prime Minister Narendra Modi’s Android application (among popular apps he studied for his own research purposes). The Narendra Modi app had 500,000+ downloads at that time. He found a major security flaw in how the app accesses the “api.narendramodi.in/api” API.

At the time of disclosure, API was being served over “HTTP” as well as "HTTPS". "HTTP" was being served on older versions of the app. So people who were still using older version of the app were exposed to additional vulnerability. Data (passwords, email addresses) was being transmitted as plain text. In simple terms, your login credentials could easily be intercepted by MiTM attacks. Another bigger problem was that the token needed to access API was giving a false sense of security to developers. The access token could easily be fetched & anyone could send hand-crafted HTTP requests to the server. It would result in a valid JSON response without authenticating the user making the request. This included accessing user-data (primarily email address) for any user and posting comments as any registered user of the app.

The magnitude of the seriousness of the loophole can be understood with the following exploit. The vulnerabilities have been fixed.

Exploit demo

Bhavyanshu wrote an exploit to demonstrate how easy it was to extract email addresses using the security flaw.

"The API endpoint to fetch user profile information (email address) was getprofile. Before the vulnerability was fixed, the endpoint was accessible via “http://www.narendramodi.in/api/getprofile?userid=useridvalue&token=sometokenvalue”. As you can see, it only required two parameters. userid, which we could easily iterate on starting from 1 & token which was a fixed value. There was no authentication check on API access layer. Hand-crafting such requests resulted in a valid JSON response which exposed critical data like email addresses of each and every user." - Original Vulnerability Disclosure.

See, for instance, here is the sample output for xrange(1,10).

Exploit Result
Extracted email addresses of first 10 users

Also, he was able to post comment as any user. For example,

Comment Exploit
Comment sent as user 4234
After this security flaw was exposed, Bhavyanshu and I made considerable efforts to draw attention of the Prime Minister's development team for improving the security, but it would be another three days before the API would stop leaking the information to whoever wished to use the security loophole. It is difficult to say who and how many people have already had access to the user data for all the users of the Narendra Modi app. "Why it took them so long to connect me with developers directly? This issue could have been resolved earlier. The email address provided on play store does not work. Government should find a way to create a direct communication channel between those who report flaws and the developers. They should adopt CVRF.", Bhavyanshu said.

What are the implications for Digital India?

At a time when Indian developers are stunned by the emergence of Ankit Fadia (mostly known as a self publicized, copy-paste plagiarist at-best-mediocre script kiddie), while concerns for data security are paramount, for the Prime Minister's app to leak user information amounts to any malicious entity having a ready list of every social media savvy mobile user supporter of the Prime Minister and ruling party among other citizens. What such information could be used for is anyone's guess.

With the Prime Minister releasing a site a month on an average, the complete lack of interest in securing the application from unauthorized use is alarming. What kind of information crucial to the country could be leaked to the unscrupulous with such a casual approach to securing the information that the government seems bent on putting online if the security for such a key app with 5-6 lakh users was so careless designed.

What happens if a hacker publishes problematic information as another user?

Digital India cannot succeed if it merely courts the big business of the internet without actually having the competence to secure its own data. That would be like riding a race horse without saddle, stirrups or even knowing how to ride. Sooner or later, the horse goes rogue and you have no way to save yourself, let alone control it.

First of all, what is National Encryption Policy?

“Under Section 84A of Information Technology Act, 2000 Rules are to be framed to prescribe modes or methods for encryption”. So DeitY has framed a draft of such rules which will decide the future of how encrypted services are to be used or provided to users in India. The preamble in the draft clearly shows that they very well understand what encryption is meant to be used for. What they fail to understand is how it helps secure communication between two entities. The problem lies in the strategies stated in the draft. Let us break the draft into parts and try to analyze how exactly they can possibly ruin encrypted services and also how it will affect you.

  • (III Objectives i)) states “to protect privacy in information and communication infrastructure without unduly affecting public safety and National Security”. This is perfect but then they contradict themselves by saying (IV Strategies 4), “On demand, the user shall be able to reproduce the same Plain text and encrypted text pairs using the software/hardware used to produce the encrypted text from the given plain text. Such plain text information shall be stored by the user/organization/agency for 90 days from the date of transaction and made available to Law Enforcement Agencies as and when demanded in line with the provisions of the laws of the country”. Yeah, so what is wrong with this? Well, to answer this, let us take an example. You are currently using messaging services that encrypt data sent over network. You still have a sense of security that you can freely talk about things over the network without worrying that ISPs, private companies and the government are continuously monitoring/logging what you say. The problem arises when the private companies like your Internet service provider, government and even notorious hackers can misuse this data. What government has stated under “Strategies” is not exactly that but a different version of this. They don’t want to get rid of the encryption but want a backdoor access to the encrypted networks. This is not acceptable. By demanding this, they are putting critical data and infrastructure in danger. Why? Ask these questions to yourself. Can we trust the authorities to keep the keys and the data in “Plain text” safe from hackers? It is common that hackers target government organizations everyday to get their hands on information. Governments are easy targets for most hackers because they don’t invest enough resources in security. Can we trust the government employees with our data who can’t prevent hacks on government websites? The cost of such security breaches would be severe. Think if e-commerce companies are forced to keep currently encrypted data in plain text as well. Not challenging anyone’s security but knowing that hackers always find a way in, from experience, I can tell that I would probably never use e-commerce services again knowing they are storing critical data in plain text as well. Like me, many would not want to access such services ever. This will affect the economic growth. These services will lose users. If there is a security breach and hackers have access to data stored in “plain text”, people will think twice before using such services ever again. At least currently the data is encrypted. Even if hackers get in, there is still an extra layer of protection. They may or may not be able to decrypt the data easily. Of course it all depends on the methods used to encrypt such data. This is one of the major problems that I personally see with government asking services for back-doors.
  • (IV Strategies 5) states that “B/C groups (i.e. B2C, C2B Sectors) may use Encryption for storage and communication. Encryption algorithms and key sizes will be prescribed by the Government through Notification from time to time. All information shall be stored by the concerned B/C entity for 90 days from the date of transaction and made available to Law Enforcement Agencies as and when demanded in line with the provisions of the laws of the country. In case of communication with foreign entity, the primary responsibility of providing readable plain-text along with the corresponding Encrypted information shall rest on entity (B or C) located in India”. The entity B is any business and commercial private or public bodies providing encrypted services and entity C includes every citizen. This is completely broken. They say that all information should be stored by concerned B/C entity for 90 days from the date of transaction. How can they expect citizens to store such information? What if the hackers hack into anyone under “C” entity and gets access to that information. In that case, who will be held responsible? Will the government take responsibility because they demand users to store such important information for 90 days? Moreover, they are clearly saying that they will be the ones to dictate what encryption algorithms to use and what should be the size of the key. This will cause problems to any business on the technical front. What if their business wants to use a different encryption algorithm because it suits their requirements better? Now the government will decide how you should do business and the technology used behind your encrypted network? That’s why this is completely broken.
  • The most absurd point, according to me, (IV Strategies 7), states that “Users within C group (i.e. C2C Sector) may use Encryption for storage and communication. Encryption algorithms and key sizes will be prescribed by the Government through Notification from time to time. All citizens (C), including personnel of Government/Business (G/B) performing non-official/personal functions, are required to store the plain-texts of the corresponding encrypted information for 90 days from the date of transaction and provide the verifiable Plain Text to Law and Enforcement Agencies as and when required as per the provision of the laws of the country”. This is a horrible strategy to propose. See, C group contains every citizen. So this clearly applies to communication between two citizens. Now let us take an example. I encrypt most of my emails with PGP and now according to the above stated strategy, the government can tell me to stop using PGP and use something else or they can also tell me to reduce the size of the key. This will only make my data more vulnerable. There is a reason why PGP exists. I use it so I can be sure that the email is only read by the person whom I grant access to. No matter what network it passes through, no one else will be able to read that data. I have this sense of security right now. The point 7 even takes away that from me.
  • (V Regulatory Framework 1), states that “while seeking registration, the vendors shall submit working copies of the encryption software/hardware to the Government along with professional quality documentation, test suites and execution platform environments”. This is very stupid. Why? See, if some xyz organization has some patented or closed source encryption technology, the government cannot just ask them disclose every detail of the encryption technology. The government will have to get a license from the organization to get each and every detail of how the encryption is implemented. Think about the cost. Secondly, the more problematic situation is that what if such details land up in the hands of competitors? Bam! that will expose your whole security infrastructure to competing company. That can happen. How can you rule out such possibility when you know more than one organization has all this information stored somewhere? Whom can you trust?
  • (V Regulator Framework 3), states that “The vendors of encryption products or service providers offering encryption services shall necessarily register their products / services with Government for conducting business in the country”. So most of the services will probably not wanna do business in India because of above stated reasons. Now you only decide if it’s going to affect the economy or not.
  • Lastly, (V Regulator Framework 5), states “Users in India are allowed to use only the products registered in India”. Well, say goodbye to VPN services. You see what they did there?

I am just an engineer. I am stating my opinion on this because I think it will affect me a lot. Your comments on this are welcome and hope we can have a healthy discussion on this. This will ultimately affect you and how you use Internet services. Hence, this is a crucial matter and everyone from tech should participate in this.

[Update - September 21]

New exemptions to DeitY policy
New exemptions to DeitY policy

All those who are saying that the proposed addendum exempts social media apps, messaging apps, etc., have clearly not read the addendum point 1 carefully. It states that “mass use encryption products” are exempted from the NEP. The “mass use encryption products” definitely does not include copyright crypto algorithms/proprietary encryption products owned by respective companies. So it does not clarify anything but only adds to the problems.

I am just an engineer. I am stating my opinion on this because I think it will affect me a lot. Your comments on this are welcome and hope we can have a healthy discussion on this. This will ultimately affect you and how you use Internet services. Hence, this is a crucial matter and everyone from tech should participate in this.

Originally published by Bhavyanshu Parasher here.