Security engineering Archives « Aam Janata

Over the last few weeks, there has been a sudden uptick of anonymous accounts supporting Aadhaar and dismissing concerns and news of information leaks, security and privacy issues. These accounts were all either created in May or scrubbed of all content and began tweeting afresh in May. Some of them are propaganda accounts that tweet only positives about Aadhaar and/or gloss over issues raised on grounds of law, constitutionality, fundamental rights, privacy, ethics, security, national security and so on.

Here are some of the accounts.

Of these, @supportaadhaar has so far been separately claimed by Rashmi Ranjan.

But there were more serious handles that were created in May, anonymous and interacted specifically with critics of Aadhaar in various ways that ranged from defamation to threats of legal action. For example, these handles.

It did not take us long to figure out what was going on. Prominent handles that had criticized Aadhaar on technical grounds (not on legal, political or ethical grounds) were the main targets. It was rapidly obvious that these were fronts for people from the tech community, likely people profiting from Aadhaar, because it is really not plausible that the abundantly detailed flaws revealed in Aadhaar could not be understood by them.

When one of these handles, @confident_india, tangled with Kiran Jonnalagadda, he was able to make an educated guess at its identity and proved it by verifying the troll account against a real phone number. That phone number belonged to the co-founder, governing body member and director of iSPIRIT, Sharad Sharma. The director of iSPIRIT was going around using a fake handle and planting allegations against critics of profiting from criticism of Aadhaar, and allegations of their working for foreign intelligence agencies (ironically, MongoDB, which Aadhaar uses, is funded by the CIA).

[Screenshots: allegations of foreign intelligence affiliations; "Who is funded by the CIA"]

On a stray note, after these allegations started, Nandan Nilekani ("mentor" to this circus) too referred to critics of Aadhaar as having vested interests from his real account, while promoting that childish, data-free article asking personal questions about the motivations of Aadhaar critics, which is replied to here.

Kiran informed several of us about his investigation into this troll (aka director of iSPIRIT, Sharad Sharma) and we independently verified that his number was indeed attached to the fake account, because he knew that once he exposed Sharad Sharma in public, the phone number would immediately be removed and perhaps the anonymous account as well.

He made this video public in a tweet and later blogged about it. Thiyagarajan M, a fellow at iSPIRIT, blogged a reply on medium.com as well, stating that Sharad had denied the allegations and that they would be investigated, while admitting that the presentation Kiran mentions exists and calling it just a strategy document that does not recommend anonymous trolling. He states that they were aware that some of them had created an anonymous campaign and claims it is not an official campaign by iSPIRIT. As though an official campaign would be put in writing formally.

We are aware that some volunteers and their friends have created an anonymous campaign to Support Aadhaar. This is not a troll campaign, but an informational one. It is also not an iSPIRT campaign.

I am not sure what remains to investigate. If it is about investigating how Sharad can possibly be taken off the hook, it shouldn't take an organization that exists because of an authentication-based product this long to realize that there really is no sane way.

No official handle related to iSPIRIT has so far published any statement, to the best of my knowledge. Sharad Sharma and the troll have both promptly denied it, of course. Except, in the process of denying that he was @confident_india, Sharad seems to have proved himself to be @indiaforward2 as well! He accidentally tweeted his denial of being @confident_india from the @indiaforward2 handle as well as his real handle, before re-tweeting the new tweets with his real handle. He deleted the tweets that went from both handles, of course, but not before someone quick made a timely screenshot. So here we are.


Sharad tweeting as @indiaforward2

The denial from his main handle was read by many, but I don't have a screenshot of it... yet. However, he didn't delete it fast enough. Factordaily updated their reporting of the Sharad Sharma controversy with his denial.

[Screenshot: "Sharad Sharma woke to tweetstorm in Atlanta", tweeted as himself, just like @indiaforward2]
[Screenshot: Sharad's denial of trolling from his real account]

My immediate thought about it wasn't even so much that people in power use sneaky, unethical methods to get their way and undermine obstacles, but that the director of a company that is a collective of software developers, all of whom were defending Aadhaar on grounds of security and privacy, was so ignorant about securing something as elementary as an anonymous account!

Once this expose was public, several people independently verified that they too had been able to authenticate access to the troll account with Sharad Sharma's personal number. For example:


Rohin Dharmakumar went a step ahead and showed how a mobile phone can't simply be attached to a Twitter account without actually verifying the number.


There are also a lot of people, unaware of the developments in that country called Digital India, who are aghast at what they are discovering. This is what you get for being gullible. Here is an educational video published from the official iSPIRIT handle. Watch Pramod Varma and Sanjay Jain, ex-UIDAI and now "volunteers" at the iSPIRT that "donates" to the Govt, and how this serves to avoid oversight by the CAG and RTI.

In other words, what you have here is a bunch of private people who are creating products off big data collected from all citizens in a manner that allows them to evade accountability to the citizens for it. They also fund the government and push the expansion of Aadhaar in spite of extensive risks and violations of citizens' rights being documented, and in spite of the fact that Aadhaar effectively allows any infiltrator to become a "citizen" of the country by facilitating the creation of all the documents a citizen would have. And when the concerns raised get too alarming and no coherent defense of them is possible, they make fake accounts to go around undermining dissenters, so that the imposition of Aadhaar that puts citizens and country at risk may not be challenged.

If you do not speak up for your rights, they will be trampled on by profiteers out to exploit them at any cost.


The government of India doesn't seem to be interested in getting security vulnerabilities fixed. A CS engineer, Bhavyanshu Parasher, has been spending his time understanding the current security standards deployed by the government of India in most of its data-critical apps and websites. Last year, in September, he disclosed a security flaw in Prime Minister Narendra Modi's web API that exposed user-identifiable information like e-mail addresses, and also that there was no proper authentication check on the API endpoints. During that disclosure, he faced challenges because it was difficult for him to get in touch with the concerned authorities. He mentioned on his blog that the e-mail address listed on Google's Play Store was not working. We had to contact @buzzindelhi (the handle used by BJP's Arvind Gupta on Twitter) to help him get in touch with the concerned authorities.

"The e-mail address provided on Google's Play Store returned a response stating “The email account that you tried to reach is over quota”. Had to get in touch with authorities via Twitter."

Now, the same thing is happening again. He wants to disclose vulnerabilities in two major applications deployed by the Government of India, but he is struggling to get in touch with the concerned authorities. He has published a post on his blog about it, though he has not mentioned the specifics of the vulnerabilities yet, as he is hoping the government will patch them before he discloses them. However, this may be rendered moot, as our searches showed that at least one of the vulnerabilities has already been publicly disclosed, but not by Bhavyanshu. That security flaw is in an unpatched version of server software and there is a CVE assigned to it. A fix has been rolled out, but the developers are apparently not aware of any of this. But then why wouldn't it be so? The UIDAI website still uses SSLv2 and a SHA-1-signed certificate in a world where SSLv2 has been phased out for over a decade now, and even free SSL certificates like the one used on this site come with SHA-2 signatures because SHA-1 isn't considered secure. You can go to the UIDAI website and check this for yourself in your browser's details for the SSL certificate.

[Screenshot: UIDAI SSL fail]

Bhavyanshu sent emails on March 24 and then again on April 4, but he hasn't received any response. This time @buzzindelhi isn't showing much enthusiasm in getting the vulnerabilities fixed either. In response he just directed him to the public Twitter handle of Akhilesh Mishra (Director, myGov). Hardly an acceptable process for initiating discussion about security breaches!

https://twitter.com/buzzindelhi/status/714658965703958528

One would expect Mr. Mishra to contact Bhavyanshu immediately, but the truth is that even he isn't interested. There is, as yet, no reply from him.

It is cases like these which make the whole concept of Digital India look ugly. There are no dedicated e-mail addresses for security response teams. Official e-mail addresses don't work and the apps are poor on security. It is a goldmine for unethical hackers and a complete deterrent for ethical hackers who would like to help the government fix security leaks. There is no way for the researchers to get in touch with the concerned authorities. A concept like Digital India, without guaranteed user data security and user privacy, should not be promoted by the Government of India as it puts many people at risk.

Considering the complete lack of interest in securing the vulnerabilities, we cannot provide too many details. However, people looking to exploit government data would already have found these and would be using them by now. This isn't exactly rocket science. What data is vulnerable? Let us just say that I have seen e-mail addresses, Aadhaar numbers (where provided) and street addresses and can confidently say that a malicious hacker could write a script that replicates the data for all profiles. And before you think that such things are not done, just today, Madhu Menon posted a link to the hacked and leaked Turkish citizenship database.

A similar database of MyGov.in users could prove devastating to BJP, given that their supporters are disproportionately more likely to have signed up. And while Bhavyanshu stresses that he would not do it, it isn't outside the realm of belief that more malicious hackers not just could, but definitely would. And there seems to be no way to prevent this short of raising a public stink, because a government that claims to be interested in a Digital India does not seem to have the foggiest on digital security and the need to have developer teams rapidly rolling out fixes in the event vulnerabilities are found.

"Seems like the government doesn't have dedicated security team for projects that need immediate attention to security flaws. Instead, people who wish to disclose vulnerabilities have to rely on Twitter handles to get in touch with them. I am doing a lot of volunteer work like this because I like the concept of Digital India but I don't want it without data security and privacy. I have written a web app that will help eliminate this communication gap between researchers and authorities but whom to contact? Who are the concerned authorities after all? Don't give me another Twitter handle!", Bhavyanshu told me when asked about the current status of vulnerability disclosure. He also pointed us to the privacy policy of MyGov and why people should push the government for better data security.

The page for MyGov.in on HackerOne (a bug bounty platform built by security leaders from top internet companies like Facebook, Microsoft and Google, which rewards hackers for finding and reporting vulnerabilities so that they can be fixed) says it all: "There are no known guidelines for reporting potential security vulnerabilities to this organization." The very fact that the app has no known process for reporting vulnerabilities is an immediate red flag. It tells hackers that there is no one keeping an eye on it or worried about security. Even the most novice programmer puts a working address on Google Play for contacting the developer. Yet the official application of the largest democracy in the world fails to do it.

Contrast this with the Hack The Pentagon challenge, which is actively rewarding hackers to break in and expose security vulnerabilities so that they can be fixed. This is the country where, a few days ago, our Prime Minister gave a speech at the nuclear summit on April Fool's Day explaining the need to fight 21st-century terrorists with modern technology.

Yet, his government seems supremely unconcerned about unauthorized access to confidential information. As the UK just saw, in a country that uses technology extensively, a security breach can be used as an attack vector, when hackers hack into the water supply and change the composition of chemicals put into the tap water. A more famous example to recall could be the Stuxnet worm that damaged Iran's nuclear facilities. Yep. Code resulting in real time damage to equipment. We have, in the past seen that banks too can be hacked. We have seen that election equipment can be rigged. What will it take for us to wake up before our money, our vote, our voice and even our physical location is compromised?

It is completely insane to push for a Digital India and inaugurate three websites a month without having the requisite push to secure the data that will now be vulnerable to theft, or facilities to access. If Digital India must be, then it must be preceded by a culture of taking technology seriously or the whole country will inevitably suffer.

MyGov privacy policy claims to protect user identifiable information. Below are the excerpts from their policy page.

1. "MyGov do not sell or share any personally identifiable information volunteered on this site to any third party (public/private). Any information provided on MyGov will be protected from loss, misuse, unauthorized access or disclosure, alteration, or destruction. MyGov gather certain information about the User, such as Internet protocol (IP) address, domain name, browser type, operating system, the date and time of the visit and the pages visited. MyGov make no attempt to link these addresses with the identity of individuals visiting our site unless an attempt to damage MyGov has been detected."
(https://mygov.in/simple-page/terms-conditions/)

2. "Please note that MyGov do not share any personally identifiable information volunteered on this site with any third party (public/private). Any information provided to this website will be protected from loss, misuse, unauthorized access, disclosure, alteration, or destruction."
(https://mygov.in/mygov-faq/)

Turns out that like many other things, this privacy policy is a jumla as well.

Bhavyanshu Parasher, a young computer science engineer took a look at Prime Minister Narendra Modi’s Android application (among popular apps he studied for his own research purposes). The Narendra Modi app had 500,000+ downloads at that time. He found a major security flaw in how the app accesses the “api.narendramodi.in/api” API.

At the time of disclosure, the API was being served over "HTTP" as well as "HTTPS". "HTTP" was being served to older versions of the app, so people who were still using an older version of the app were exposed to an additional vulnerability: data (passwords, email addresses) was being transmitted as plain text. In simple terms, your login credentials could easily be intercepted by MITM attacks. Another, bigger problem was that the token needed to access the API was giving a false sense of security to the developers. The access token could easily be fetched, and anyone could send hand-crafted HTTP requests to the server. It would result in a valid JSON response without authenticating the user making the request. This included accessing user data (primarily email address) for any user and posting comments as any registered user of the app.

The seriousness of the loophole can be understood from the following exploit demonstration. The vulnerabilities have since been fixed.

Exploit demo

Bhavyanshu wrote an exploit to demonstrate how easy it was to extract email addresses using the security flaw.

"The API endpoint to fetch user profile information (email address) was getprofile. Before the vulnerability was fixed, the endpoint was accessible via “http://www.narendramodi.in/api/getprofile?userid=useridvalue&token=sometokenvalue”. As you can see, it only required two parameters. userid, which we could easily iterate on starting from 1 & token which was a fixed value. There was no authentication check on API access layer. Hand-crafting such requests resulted in a valid JSON response which exposed critical data like email addresses of each and every user." - Original Vulnerability Disclosure.

See, for instance, here is the sample output for xrange(1,10).

Exploit Result
Extracted email addresses of first 10 users

Also, he was able to post comment as any user. For example,

[Screenshot: comment exploit, comment sent as user 4234]

After this security flaw was exposed, Bhavyanshu and I made considerable efforts to draw the attention of the Prime Minister's development team to improving the security, but it would be another three days before the API would stop leaking the information to whoever wished to use the security loophole. It is difficult to say who and how many people have already had access to the user data for all the users of the Narendra Modi app. "Why it took them so long to connect me with developers directly? This issue could have been resolved earlier. The email address provided on play store does not work. Government should find a way to create a direct communication channel between those who report flaws and the developers. They should adopt CVRF.", Bhavyanshu said.

What are the implications for Digital India?

At a time when Indian developers are stunned by the emergence of Ankit Fadia (mostly known as a self publicized, copy-paste plagiarist at-best-mediocre script kiddie), while concerns for data security are paramount, for the Prime Minister's app to leak user information amounts to any malicious entity having a ready list of every social media savvy mobile user supporter of the Prime Minister and ruling party among other citizens. What such information could be used for is anyone's guess.

With the Prime Minister releasing a site a month on average, the complete lack of interest in securing the application from unauthorized use is alarming. If the security for such a key app with 5-6 lakh users was so carelessly designed, what kind of information crucial to the country could be leaked to the unscrupulous with such a casual approach to securing the information that the government seems bent on putting online?

What happens if a hacker publishes problematic information as another user?

Digital India cannot succeed if it merely courts the big business of the internet without actually having the competence to secure its own data. That would be like riding a race horse without saddle, stirrups or even knowing how to ride. Sooner or later, the horse goes rogue and you have no way to save yourself, let alone control it.


Statement by Tarun Tejpal

If conclusive proof was needed of the political vendetta that has been unleashed against me, under the guise of a sexual molestation investigation, it has been emphatically provided today. In a blatant attempt at twisting and concealing the facts, the Goa police while filing a 3000 page highly spurious charge sheet, has not presented or handed over the most crucial piece of evidence in this case, the CCTV footage of the incident

In my first and only press note of November 22nd 2013 I had urged, "the police to obtain, examine and release the CCTV footage so that the accurate version of events stands clearly revealed". I said this at a time, from Delhi, when I had neither accessed nor seen the footage. But since I was the man on the spot I knew the truth of what had happened.

It is violative of due process, to not make all collected evidence available to the accused at the time of filing the charge sheet. In fact, receipt of the footage is what we have been impatiently waiting for since the last three months. This duplicity is in keeping with the sinister and motivated political vendetta that is being pursued.

I have been in jail since November 30th simply because the Goa police, clearly acting under the orders of their political bosses, have refused to release this crucial footage of the relevant days, 7th and 8th November. This entire case hinges on the 130 and 45 seconds (as per the charge sheet) of contested time which can be brought to light via the CCTV footage. The Goa police know their fabricated case will collapse the moment the footage is revealed and compared with the 'testimony' of the alleged victim, on the basis of which the Goa police filed its FIR under draconian provisions.

As it were, I viewed the relevant footage of both days whilst being 'held' in police custody and the footage clearly validates me. The fact is most of the officers in the crime branch know there is no case, and have said as much to me. Even so the IO has been pursuing an agenda spelt out for her by her political masters, totally violating the principle of police neutrality.

I'm afraid what we are witnessing here is an early sign of the inherent fascism of the right wing that will target its detractors in the most sinister and underhand ways, using all the government machinery at its disposal. This is a warning shot across the bows of all liberals and opponents of communal politics. It's a crying shame that a major party that is bidding to rule the great pluralism that is India is imbued with no tolerance of dissenters and critics, of whom I certainly am one.


"While governments can impose curfew to bring 'offline' life to a halt in times of emergency, why is it unacceptable to do so 'online'?" asked @pragmatic_d

This obviously refers to the government's increasing inclination to police internet use in India in the name of security. The question was the trigger for months and months of thoughts to fall into place.

I wouldn't complain about an enforced outage or restriction of all internet use in an emergency, for example during the 26/11 attack, though it would only add panic. Say, by throttling upload speed very low, so that information can be accessed but not passed on, in an attempt to cut off communication that could aid terrorists. But this is about an emergency. The circumstances must be of a nature that necessitates it. And the call would be a security call, from the cops or Army rather than the government, and certainly not in the form of a proposed law for use at any time at the discretion of the government.

At the foundation of this dilemma lies the question of credibility and authority. The online life is structured differently from the offline life. They both have their advantages over the other and disadvantages, but mainly, it is about them being distinct from each other in terms of social structure.

I see several aspects to this:

Freedom of Speech and Equality

The online world doesn't recognize boundaries of states. Connections form across the globe in its natural state of being. The expectation is that people meet as equals. Differences in freedom of speech will be experienced and perceived as inequality and injustice. It will be a blot on the human rights record of that country.

Of course, as long as machines exist physically and networks rely on communication services, they can be throttled - like China, for example. But that is more like taking a chunk out rather than influencing the nature of the web.

Right and Responsibility

The general idea of accepting the restrictions or rules imposed by an authority is a psychological exchange for the protection and maintenance of environment by that authority. This is not true on the internet. The government is incapable of ensuring protection - be it social (trolls, slander, etc), information security (viruses, hacking, attacks, etc) or financial (scams, fraudulent billing/transactions, etc). It is unclear what advantage conformity will bring to the netizen for the restrictions it places.

Colonial thinking versus democracy

For a netizen to give up freedoms for a vaguely described possibility in the real world doesn't cut it. It is colonial thinking to expect one world to give up for the convenience/whim of another. For it to be democratic, it would need to have a buy in by the netizens. Such a buy in has never even been attempted or considered. And yes, the "worlds" are different enough that rules can't simply be imposed and accepted across them.

Authority

An authority is generally considered as one with enough knowledge and/or power to be capable and credible as a decision maker and enforcer for all it controls. Or the control breaks. The Indian government hasn't shown any kind of competence in the virtual world. Neither is it influential in terms of leading thought (and thus power), nor is it competent enough to hold its own in terms of security. Government websites are routinely hacked and not just hacked, but hacked using the same flaw again - which simply never got fixed... what command can be claimed, that people can follow?

For example, Google, Twitter, Facebook, WordPress, W3C, Microsoft, Apple, Wikipedia, and such popular sites are a more realistic "authority", because the value they provide gives them tremendous following and thus they actually have teeth to ban or bar something and actually expect it to hurt.

Disproportionate effort for result

This, of course is more social boycott than censorship, but censorship itself is near impossible to enact on the net. There are ways over, under, around, through... data is fluid. And a person silenced tends to speak out and use different strategies. It would take disproportionately large force to even create an adequately dampened effect and would be too easy to find a new way around it - in other words, a battle guaranteed to be lost on any magnitude worth making a law for.

The US failure to make Wikileaks disappear on the net should be a learning point for this.

Relevant Authority

The government doesn't investigate, monitor or collect intelligence. We have agencies for that. Agencies that get their sites hacked routinely and mostly don't have enough computers to begin with. Why does the government need access to my information? I don't see any reason why the government should be initiating this at all, without people who might actually need this access first making such requirements known. This makes me suspicious that this is more of an access to power to control rather than a legitimate intelligence need.

Vague, all encompassing access

Passwords are encrypted, access to bank accounts, email, and many other things is encrypted for security. It is beyond irresponsible to say we want access to unencrypted everything. Either irresponsible, or ignorant of the nature of their own demand.

Trust

There is no trust for the government's intent or ability. The government has consistently and unhesitatingly used all power it has access to at will and with disregard for the citizen's wishes, and often in harm for the citizens. It makes absolutely no sense to agree to give it power over personal information. That would be masochistic.

It would be too simple for the government to victimize people by using their personal information. Ugly thoughts coming to mind include electoral rolls in the hands of the killers of Sikhs in 1984 on an extreme level, or accessing private information to harass RTI activists asking inconvenient questions... for example.

There is also lack of trust in the government's ability to safeguard the access to data that it has. If the government's security systems are so easily breached, what is to say that they won't be used as information backdoors - or even sold, seeing our propensity for scams? Would the government, in its current state of cluelessness even know how to troubleshoot security?

Moral Policing and Political Suppression

There are already signs of the internet being censored to suit taste and interfere with freedom of information. For example Savita Bhabhi is blocked, while most porn sites are accessible, or reports from Google of requests for censorship of dissent or criticism of politicians from the ruling party. This is different from - say - all terrorist websites or child pornography being blocked - which is something few will have a problem with. Even with what they can do at the moment, there are signs of irresponsible and self-serving use of censorship.

To extend it to being able to persecute all bloggers at will - for example - for having content or even comments that are perceived as being against National interest would be a disservice to the Constitution of our country and Freedom of Media. It is also ironic that in a country where media is free, but perceived as sold to power lobbies, a law like this will threaten the smaller independent media - which indeed is what blogs and social networking sites are - and will serve to complete the destruction of free speech and freedom of media at the hands of vested interests (government included).

For example, this blog could be declared anti-national for its constant and multi-faceted criticism of existing systems in the country. It is not, but then, the proposed law is vague enough for subjective interpretation to be used. It would become possible to coerce me into ignoring certain subjects or tempering certain opinions at the cost of losing the entire readership from the country I am writing for. In other words, it would be possible to silence me if someone in the government didn't like what I said. There may be ways for such a law to edge around it in the constitution, but it is obvious to anyone that it will violate the spirit of the constitution in any democracy.

But really, it boils down to Freedom of Speech and the inherent wrong for the state to have unquestioning access to the personal life of anyone, or the capacity to control or silence anyone.

I think the government should abandon this idea completely, and first make the internet a widespread and excellent quality phenomenon in the country. Make it so that Indians don't find Californian servers better and cheaper than Indian ones. Shift to IPv6. Create a learning environment for cutting edge security and intellectual capital on the internet. Have an official interactive presence with its citizens, and then try and influence reforms, engage with and resolve dissent or simply provide a countering view and leave it to citizens to educate themselves - like in offline life.

It is a continuing failure of our government to engage with people and to substitute laws for social intervention and engagement with dissent to find solutions. This power will not help. It will harm and make the problem less visible, but far more dangerous.