Skip to content

1

So a few days ago,anonymous hackers calling themselves "Legion" hacked Rahul Gandhi's Twitter account and made profane tweets from it.

Anonymous legion hackers then compromised the official Congress handle and other accounts, all of them with official inc.in email IDs.

Yesterday, the anonymous hackers calling themselves "Legion" hacked Barkha Dutt's Twitter account

followed by Ravish Kumar's.

The group of hackers made a tweet claiming not to be affiliated with the BJP.

Which is all very excellent, except there are some very good reasons to believe that the hackers could indeed be affiliated with the BJP. And BJP has a long history of its fronts being "apolitical" or "not-affiliated", going right back to a notable event I attended in 2009 or 2010 (I forget), organized by "Friends of BJP" - which claimed to be an apolitical group. Countless Hindu Sena this that and the other variants have conveniently popped up to attack targets of BJP at opportune moments and vanished into obscurity.

India Against Corruption ran a nationwide protest against the previous government. An "apolitical" organization, that just happened to be amply funded by the RSS, included plenty of BJP affiliated public figures, AND had protests happening in front of every BJP office, was... apolitical.

For that matter, the RSS itself, whose members form a large part of the government and who gets foreign funds for rescue and social work, but managed to put LAKHS of its workers on the streets campaigning for BJP's Lok Sabha electoral campaign is.... (you guessed it by now) an apolitical, cultural organization. I hope you get my drift. If it walks like a BJP affiliate, acts like a BJP affiliate, quacks like a BJP affiliate AND it claims to be apolitical...

A heads up by the BJP insider handle

A handle calling itself "BJP insider" had tweeted in July that BJP's IT cell had recruited professional hackers to hack and suspend accounts causing problems to boss (Modi) on Twitter and Facebook. This handle has been around for a couple of years at least and consistently tweets what it claims is the scuttlebutt around BJP headquarters.

By itself, it may not mean much, as several months had passed. Or it could mean a lot. Who knows. It is hardly like BJP has never hired people to do their dirty work online.

Rumors of targeting of political opponents and critics being planned

After the second week of demonetistion, there were several rumors that BJP had plans to target political opponents in various ways. The manner in which they circulated and the variety of actions being suggested as possible don't suggest a single source.

Also some deliberate events happening to discredit conspicuous critics of the demonetisation gave credibility to the rumors. For example, the most popular one expected was Income Tax raids on people. However the "false alarm" with Mamata Banerjee as well as ex-Prime Minister Manmohan Singh under investigation for a scam within days of a powerful speech and article pointing out concerns about demonetisation certainly raise questions about the timing.

The targets of the hacks

All the identities targeted are top targets of BJP's online troll gangs. Both individuals and organizations. Incidentally, once this was raised, @Joydas was among the first to comment that a token BJP hack would happen. And it did. No undesirable tweets got posted and a large "dump" of their database was apparently put up that no one seems to have downloaded (because the hotshots basically DoSed their own server with it, looks like). What is in it could be anyone's guess. But given the complete lack of agitation in the bhakts normally frenzied about the slightest adverse development, it is difficult to believe this to be an adverse development.

Symptoms of BJP's photoshop industry at work

Screenshots posted of what appears to be a transaction notification email to Barkha Dutt from the Standard Chartered bank have two glaring issues.

 

Receipient? Seriously?

Should be recipient, yes? Strange to believe that either Standard Chartered or a mobile application coder good enough to get the interest of a "hacker" would make such a basic mistake. Leads one to question whether the screenshots are real. It wouldn't be the first time the BJP's photoshop department threw up an "original" document, only to reveal themselves with atrocious spelling mistakes (entire political science, anyone?)

Standard Chartered seems particularly lazy about sending notifications

When is the last time you received bank notification of  transaction a day after it happened? And that too for what would apparently be a VIP account given the balances claimed. And no, there doesn't seem to be the possibility of a transaction done just before midnight and notified after midnight, given that this is the afternoon of the next day.

What email application is it anyway?

While I admit I didn't search very hard, I did employ the assistance of google search. The only match anywhere in applications seems to be one called "fake text messenger" - unless of course the hacker built their own email app or has something obscure. Or it may be some custom OS - who knows, maybe will help cops trace the phone.

What navigation is that anyway?

There doesn't seem to be any "menu" provided for this "email". Back arrow next to the icon one can understand - goes back to the archive. Where would an arrow pointing right go? Twitter? :p

No need to delete, archive, etc and reply is out of question of course, given the quality of spellings.

What's that url again?

We have here a banking notification that points to a mobile site at one place and regular site the other. No https (though the url will redirect). Who in the world points to mobile sites in notification emails in the age of autodetection? Probably "hackers" who hack using mobile phones. Either they are very very good or nowhere near the server, given how tricky mobiles can be.

Whoever has seen an email from a bank that ends like this?

No disclaimer text "this is an automated email blah blah blah" What to do if you've got a notification for a transaction you didn't do, etc. No support email... No sign off... really? With half the email being an overlap, unlikely they had to cut it off for space.

Though in all honesty, I don't have a Standard Chartered account, and they may have the casual approach to notifications. If you do have a Standard Chartered account, do me a favor and send me a screenshot of a notification (blurring as appropriate) on Twitter? My handle is @Vidyut

And well, finally... what the hacker chooses to see or ignore

Some emails supposedly "leaked" by the hacker are like total Kashmir Pakistan obsession. I mean seriously, a politically indifferent hacker gets into a big journo's account, and all he can find is emails on Kashmir? ok.

Really? REALLY?

This is probably the first when a hacker out to "expose" missed actionable information (or even to seek it, looks like, if this is the highlight of the hack). For that matter, it could be anyone's inbox.

Worldclass hackers, put up a 98MB download with piddly bandwidth, DoSed their own expose? Hilarious. I suppose by the time the traffic goes down, BJP will have it taken down as "action taken".

If you can download the files they have posted, I would highly recommend you not do so unless you know what you are doing and have secured your machine appropriately. If you have to ask how to, don't.

Maybe it is possible that Legion ain't BJP backed. I'll believe it when BJP arrests them. Surely an attack on a political party, account of an MP and journalists - who have protected sources who could be at risk - warrants investigation and arrests right? So let us see.

3

The government of India doesn't seem to be interested in getting security vulnerabilities fixed. A CS engineer, Bhavyanshu Parasher, has been spending his time understanding the current security standards deployed by the government of India in most of its data-critical apps and websites. Last year, in September, he disclosed a security flaw in Prime Minster Narendra Modi's web API that exposed user identifiable information like e-mail addresses and also that there was no proper authentication check for API endpoints. During that disclosure, he faced challenges because it was difficult for him to get in touch with concerned authorities. He mentioned on his blog that e-mail address mentioned on Google's Play Store were not working. We had to contact @buzzindelhi (the handle used by BJP's Arvind Gupta on Twitter) to help him get in touch with the concerned authorities.

"The e-mail address provided on Google's Play Store returned a response stating “The email account that you tried to reach is over quota”. Had to get in touch with authorities via Twitter."

Now, the same thing is happening again. He wants to disclose vulnerabilities in two major applications deployed by the Government of India but he is struggling to get in touch with the concerned authorities. He has published a post on his blog about it though he has not mentioned the specifics of the vulnerabilities yet, as he is hoping the government will patch them before he discloses them. However, this may be rendered moot, as our searches showed that at least one of the vulnerabilities has already been publicly disclosed, but not by Bhavyanshu. That security flaw is in an unpatched version of server software and there is a CVE assigned to it. Fix has been rolled out but developers are not aware of any of this. But then why wouldn't it be so? UIDAI website still uses SSLv2 and SHA1 encoding in a world where SSLv2 has been phased out for over a decade now, and even free SSL certificates like the one used on this site come with SHA2 encoding because SHA1 isn't considered secure. You can go to the UIDAI website and check this for yourself in your browser details for the SSL certificate.

UIDAI ssl fail
UIDAI SSL fail

Bhavyanshu sent emails on March 24 and then again on April 4, but he hasn't received any response. This time @buzzindelhi isn't showing much enthusiasm in getting the vulnerabilities fixed either. In response he just directed him to the public Twitter handle of Akhilesh Mishra (Director, myGov). Hardly an acceptable process for initiating discussion about security breaches!

https://twitter.com/buzzindelhi/status/714658965703958528

One would expect Mr. Mishra to contact Bhavyanshu immediately, but the truth is that even he isn't interested.There is, as yet, no reply from him.

It is cases like these which make the whole concept of Digital India look ugly. There are no dedicated e-mail addresses for security response teams. Official e-mail addresses don't work and the apps are poor on security. It is a goldmine for unethical hackers and a complete deterrent for ethical hackers who would like to help the government fix security leaks. There is no way for the researchers to get in touch with the concerned authorities. A concept like Digital India, without guaranteed user data security and user privacy, should not be promoted by the Government of India as it puts many people at risk.

Considering the complete lack of interest in securing the vulnerabilities, we cannot provide too many details. However, people looking to exploit government data would already have found these and would be using them by now. This isn't exactly rocket science. What data is vulnerable? Let us just say that I have seen e-mail addresses, Aadhaar numbers (where provided) and street addresses and can confidently say that a malicious hacker could write a script that replicates the data for all profiles. And before you think that such things are not done, just today, Madhu Menon posted a link to the hacked and leaked Turkish citizenship database.

A similar database of MyGov.in users could prove devastating to BJP, given that their supporters are disproportionately more likely to have signed up. And while Bhavyanshu stresses that he would not do it, it isn't outside the realm of belief that more malicious hackers not just could, but definitely would. And there seems to be no way to prevent this short of raising a public stink, because a government that claims to be interested in a Digital India does not seem to have the foggiest on digital security and the need to have developer teams rapidly rolling out fixes in the event vulnerabilities are found.

"Seems like the government doesn't have dedicated security team for projects that need immediate attention to security flaws. Instead, people who wish to disclose vulnerabilities have to rely on Twitter handles to get in touch with them. I am doing a lot of volunteer work like this because I like the concept of Digital India but I don't want it without data security and privacy. I have written a web app that will help eliminate this communication gap between researchers and authorities but whom to contact? Who are the concerned authorities after all? Don't give me another Twitter handle!" , Bhavyanshu told me when asked about the current status of vulnerability disclosure. He also pointed us to privacy policy of MyGov and why people should push government for better data security.

The page for MyGov.in on HackerOne - a bug bounty program by security leaders of top internet companies like Facebook, Microsoft and Google (that rewards hackers for finding and reporting vulnerabilities so that they can be fixed) says it all "There are no known guidelines for reporting potential security vulnerabilities to this organization." Even the fact that the app has no known process for reporting vulnerabilities is an immediate flag. It tells hackers that there is no one keeping an eye on it or worried about security. The most beginning programmer puts a working address on Google Play for contacting the developer. Yet, the official application of the largest democracy in the world fails to do it.

Contrast this with the Hack The Pentagon challenge that is actively rewarding hackers to break in and expose security vulnerabilities so that they can be fixed. This is the country where, a few days ago, our Prime Minister gave a speech at the nuclear summit on April Fool's Day explaining the need to fight terrorists using 21st century technology with modern technology.

Yet, his government seems supremely unconcerned about unauthorized access to confidential information. As the UK just saw, in a country that uses technology extensively, a security breach can be used as an attack vector, when hackers hack into the water supply and change the composition of chemicals put into the tap water. A more famous example to recall could be the Stuxnet worm that damaged Iran's nuclear facilities. Yep. Code resulting in real time damage to equipment. We have, in the past seen that banks too can be hacked. We have seen that election equipment can be rigged. What will it take for us to wake up before our money, our vote, our voice and even our physical location is compromised?

It is completely insane to push for a Digital India and inaugurate three websites a month without having the requisite push to secure the data that will now be vulnerable to theft, or facilities to access. If Digital India must be, then it must be preceded by a culture of taking technology seriously or the whole country will inevitably suffer.

MyGov privacy policy claims to protect user identifiable information. Below are the excerpts from their policy page.

1. "MyGov do not sell or share any personally identifiable information volunteered on this site to any third party (public/private). Any information provided on MyGov will be protected from loss, misuse, unauthorized access or disclosure, alteration, or destruction. MyGov gather certain information about the User, such as Internet protocol (IP) address, domain name, browser type, operating system, the date and time of the visit and the pages visited. MyGov make no attempt to link these addresses with the identity of individuals visiting our site unless an attempt to damage MyGov has been detected."
(https://mygov.in/simple-page/terms-conditions/)

2. "Please note that MyGov do not share any personally identifiable information volunteered on this site with any third party (public/private). Any information provided to this website will be protected from loss, misuse, unauthorized access, disclosure, alteration, or destruction."
(https://mygov.in/mygov-faq/)

Turns out that like many other things, this privacy policy is a jumla as well.

Bhavyanshu Parasher, a young computer science engineer took a look at Prime Minister Narendra Modi’s Android application (among popular apps he studied for his own research purposes). The Narendra Modi app had 500,000+ downloads at that time. He found a major security flaw in how the app accesses the “api.narendramodi.in/api” API.

At the time of disclosure, API was being served over “HTTP” as well as "HTTPS". "HTTP" was being served on older versions of the app. So people who were still using older version of the app were exposed to additional vulnerability. Data (passwords, email addresses) was being transmitted as plain text. In simple terms, your login credentials could easily be intercepted by MiTM attacks. Another bigger problem was that the token needed to access API was giving a false sense of security to developers. The access token could easily be fetched & anyone could send hand-crafted HTTP requests to the server. It would result in a valid JSON response without authenticating the user making the request. This included accessing user-data (primarily email address) for any user and posting comments as any registered user of the app.

The magnitude of the seriousness of the loophole can be understood with the following exploit. The vulnerabilities have been fixed.

Exploit demo

Bhavyanshu wrote an exploit to demonstrate how easy it was to extract email addresses using the security flaw.

"The API endpoint to fetch user profile information (email address) was getprofile. Before the vulnerability was fixed, the endpoint was accessible via “http://www.narendramodi.in/api/getprofile?userid=useridvalue&token=sometokenvalue”. As you can see, it only required two parameters. userid, which we could easily iterate on starting from 1 & token which was a fixed value. There was no authentication check on API access layer. Hand-crafting such requests resulted in a valid JSON response which exposed critical data like email addresses of each and every user." - Original Vulnerability Disclosure.

See, for instance, here is the sample output for xrange(1,10).

Exploit Result
Extracted email addresses of first 10 users

Also, he was able to post comment as any user. For example,

Comment Exploit
Comment sent as user 4234
After this security flaw was exposed, Bhavyanshu and I made considerable efforts to draw attention of the Prime Minister's development team for improving the security, but it would be another three days before the API would stop leaking the information to whoever wished to use the security loophole. It is difficult to say who and how many people have already had access to the user data for all the users of the Narendra Modi app. "Why it took them so long to connect me with developers directly? This issue could have been resolved earlier. The email address provided on play store does not work. Government should find a way to create a direct communication channel between those who report flaws and the developers. They should adopt CVRF.", Bhavyanshu said.

What are the implications for Digital India?

At a time when Indian developers are stunned by the emergence of Ankit Fadia (mostly known as a self publicized, copy-paste plagiarist at-best-mediocre script kiddie), while concerns for data security are paramount, for the Prime Minister's app to leak user information amounts to any malicious entity having a ready list of every social media savvy mobile user supporter of the Prime Minister and ruling party among other citizens. What such information could be used for is anyone's guess.

With the Prime Minister releasing a site a month on an average, the complete lack of interest in securing the application from unauthorized use is alarming. What kind of information crucial to the country could be leaked to the unscrupulous with such a casual approach to securing the information that the government seems bent on putting online if the security for such a key app with 5-6 lakh users was so careless designed.

What happens if a hacker publishes problematic information as another user?

Digital India cannot succeed if it merely courts the big business of the internet without actually having the competence to secure its own data. That would be like riding a race horse without saddle, stirrups or even knowing how to ride. Sooner or later, the horse goes rogue and you have no way to save yourself, let alone control it.