
The government of India doesn't seem to be interested in getting security vulnerabilities fixed. A CS engineer, Bhavyanshu Parasher, has been spending his time understanding the current security standards deployed by the government of India in most of its data-critical apps and websites. Last year, in September, he disclosed a security flaw in Prime Minister Narendra Modi's web API that exposed user identifiable information like e-mail addresses and also that there was no proper authentication check for API endpoints. During that disclosure, he faced challenges because it was difficult for him to get in touch with the concerned authorities. He mentioned on his blog that the e-mail address listed on Google's Play Store was not working. We had to contact @buzzindelhi (the handle used by BJP's Arvind Gupta on Twitter) to help him get in touch with the concerned authorities.

"The e-mail address provided on Google's Play Store returned a response stating 'The email account that you tried to reach is over quota'. Had to get in touch with authorities via Twitter."

Now, the same thing is happening again. He wants to disclose vulnerabilities in two major applications deployed by the Government of India, but he is struggling to get in touch with the concerned authorities. He has published a post on his blog about it, though he has not mentioned the specifics of the vulnerabilities yet, as he is hoping the government will patch them before he discloses them. However, this may be rendered moot, as our searches showed that at least one of the vulnerabilities has already been publicly disclosed, but not by Bhavyanshu. That security flaw is in an unpatched version of server software and there is a CVE assigned to it. A fix has been rolled out, but the developers are not aware of any of this. But then why wouldn't it be so? The UIDAI website still uses SSLv2 and a SHA1-signed certificate in a world where SSLv2 has been phased out for over a decade now, and even free SSL certificates like the one used on this site come signed with SHA2 because SHA1 isn't considered secure. You can go to the UIDAI website and check this for yourself in your browser's details for the SSL certificate.
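The certificate check the paragraph asks readers to do in the browser can also be done from a script. What follows is an added example, not code from the original post or from any government project: it reads the signatureAlgorithm field straight out of a certificate's DER encoding using only the Python standard library, so it can be run offline. The two certificate byte strings are constructed, minimal DER skeletons (outer SEQUENCE, stub tbsCertificate, a real AlgorithmIdentifier, stub signature BIT STRING), not genuine certificates; the parser reads the same framing from a real DER certificate, for example one fetched with the `fetch_cert_der` helper, which is an assumption about how a reader would obtain the bytes. The OID table is a hypothetical subset chosen for this example.

```python
"""Report the signature hash of an X.509 certificate from its DER bytes (stdlib only)."""
import socket
import ssl

# Hypothetical lookup of the signature OIDs a reviewer is most likely to meet.
# Value: (algorithm name, acceptable for a public-facing site today?)
SIGNATURE_OIDS = {
    "1.2.840.113549.1.1.5": ("sha1WithRSAEncryption", False),
    "1.2.840.113549.1.1.11": ("sha256WithRSAEncryption", True),
    "1.2.840.113549.1.1.12": ("sha384WithRSAEncryption", True),
    "1.2.840.10045.4.3.2": ("ecdsa-with-SHA256", True),
    "1.2.840.10045.4.3.3": ("ecdsa-with-SHA384", True),
}

# Constructed sample input: minimal DER skeletons, NOT real certificates.
#   30 len  SEQUENCE (Certificate)
#     30 03 02 01 01                   stub tbsCertificate (SEQUENCE { INTEGER 1 })
#     30 0d 06 09 <oid> 05 00          signatureAlgorithm (AlgorithmIdentifier)
#     03 02 00 ff                      stub signatureValue (BIT STRING)
SHA1_CERT = bytes.fromhex("3018" "3003020101" "300d06092a864886f70d010105" "0500" "030200ff")
SHA256_CERT = bytes.fromhex("3018" "3003020101" "300d06092a864886f70d01010b" "0500" "030200ff")


def _read_tlv(buf, pos):
    """Parse one DER tag-length-value at buf[pos]; return (tag, value, position after it)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes that follow
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def _decode_oid(raw):
    """Decode DER OID content bytes into dotted form, e.g. '1.2.840.113549.1.1.5'."""
    first = raw[0]
    arcs = [first // 40, first % 40]
    value = 0
    for b in raw[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:  # last byte of a base-128 arc
            arcs.append(value)
            value = 0
    return ".".join(str(a) for a in arcs)


def signature_algorithm(der):
    """Return (dotted OID, name, acceptable) for the certificate's outer signatureAlgorithm."""
    tag, cert, _ = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("certificate must be a DER SEQUENCE")
    # Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signatureValue }
    _, _tbs, pos = _read_tlv(cert, 0)          # skip tbsCertificate
    tag, alg_id, _ = _read_tlv(cert, pos)      # AlgorithmIdentifier ::= SEQUENCE { OID, parameters }
    if tag != 0x30:
        raise ValueError("signatureAlgorithm must be a SEQUENCE")
    tag, oid_bytes, _ = _read_tlv(alg_id, 0)
    if tag != 0x06:
        raise ValueError("AlgorithmIdentifier must start with an OID")
    oid = _decode_oid(oid_bytes)
    name, acceptable = SIGNATURE_OIDS.get(oid, ("unknown", False))
    return oid, name, acceptable


def fetch_cert_der(host, port=443):
    """Fetch a live server's leaf certificate as DER bytes (needs network; not used by the demo)."""
    ctx = ssl.create_default_context()
    with ctx.wrap_socket(socket.create_connection((host, port)), server_hostname=host) as s:
        return s.getpeercert(binary_form=True)


if __name__ == "__main__":
    for label, der in (("constructed SHA1 sample", SHA1_CERT), ("constructed SHA256 sample", SHA256_CERT)):
        oid, name, ok = signature_algorithm(der)
        print(f"{label}: {name} ({oid}) -> {'acceptable' if ok else 'WEAK: replace this certificate'}")
```

Note that the certificate's signature hash and the protocol versions a server negotiates are two separate properties: a SHA1 signature is visible in the certificate itself, whereas SSLv2 support is a server configuration setting that a certificate inspection cannot reveal and has to be checked by observing what the server is willing to negotiate.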

[Screenshot: UIDAI SSL certificate details showing the failing configuration]

Bhavyanshu sent e-mails on March 24 and then again on April 4, but he hasn't received any response. This time @buzzindelhi isn't showing much enthusiasm for getting the vulnerabilities fixed either. In response he just directed him to the public Twitter handle of Akhilesh Mishra (Director, MyGov). Hardly an acceptable process for initiating a discussion about security breaches!

https://twitter.com/buzzindelhi/status/714658965703958528

One would expect Mr. Mishra to contact Bhavyanshu immediately, but the truth is that even he isn't interested. There is, as yet, no reply from him.

It is cases like these which make the whole concept of Digital India look ugly. There are no dedicated e-mail addresses for security response teams. Official e-mail addresses don't work, and the apps are poor on security. It is a goldmine for unethical hackers and a complete deterrent for ethical hackers who would like to help the government fix security leaks. There is no way for researchers to get in touch with the concerned authorities. A concept like Digital India, without guaranteed user data security and user privacy, should not be promoted by the Government of India, as it puts many people at risk.

Considering the complete lack of interest in fixing the vulnerabilities, we cannot provide too many details. However, people looking to exploit government data would already have found these and would be using them by now. This isn't exactly rocket science. What data is vulnerable? Let us just say that I have seen e-mail addresses, Aadhaar numbers (where provided) and street addresses, and can confidently say that a malicious hacker could write a script that replicates the data for all profiles. And before you think that such things are not done, just today Madhu Menon posted a link to the hacked and leaked Turkish citizenship database.

A similar database of MyGov.in users could prove devastating to the BJP, given that their supporters are disproportionately more likely to have signed up. And while Bhavyanshu stresses that he would not do it, it isn't outside the realm of belief that more malicious hackers not just could, but definitely would. And there seems to be no way to prevent this short of raising a public stink, because a government that claims to be interested in a Digital India does not seem to have the foggiest idea about digital security and the need to have developer teams rapidly rolling out fixes in the event vulnerabilities are found.

"Seems like the government doesn't have a dedicated security team for projects that need immediate attention to security flaws. Instead, people who wish to disclose vulnerabilities have to rely on Twitter handles to get in touch with them. I am doing a lot of volunteer work like this because I like the concept of Digital India, but I don't want it without data security and privacy. I have written a web app that will help eliminate this communication gap between researchers and authorities, but whom to contact? Who are the concerned authorities after all? Don't give me another Twitter handle!", Bhavyanshu told me when asked about the current status of vulnerability disclosure. He also pointed us to the privacy policy of MyGov and why people should push the government for better data security.

The page for MyGov.in on HackerOne (a bug bounty platform backed by security leaders from top internet companies like Facebook, Microsoft and Google, which rewards hackers for finding and reporting vulnerabilities so that they can be fixed) says it all: "There are no known guidelines for reporting potential security vulnerabilities to this organization." The very fact that the app has no known process for reporting vulnerabilities is an immediate red flag. It tells hackers that there is no one keeping an eye on it or worried about security. Even the most junior programmer puts a working contact address for the developer on Google Play. Yet the official application of the largest democracy in the world fails to do so.

Contrast this with the Hack The Pentagon challenge, which is actively rewarding hackers to break in and expose security vulnerabilities so that they can be fixed. This is the country where, a few days ago, our Prime Minister gave a speech at the nuclear summit on April Fool's Day explaining the need to fight terrorists using 21st century technology.

Yet his government seems supremely unconcerned about unauthorized access to confidential information. As the UK just saw, in a country that uses technology extensively a security breach can become an attack vector, when hackers break into the water supply systems and change the composition of chemicals put into the tap water. A more famous example to recall could be the Stuxnet worm that damaged Iran's nuclear facilities. Yep. Code resulting in real-world damage to equipment. We have, in the past, seen that banks too can be hacked. We have seen that election equipment can be rigged. What will it take for us to wake up before our money, our vote, our voice and even our physical location is compromised?

It is completely insane to push for a Digital India and inaugurate three websites a month without a matching push to secure the data that will now be vulnerable to theft, or the facilities that can now be accessed. If Digital India must be, then it must be preceded by a culture of taking technology seriously, or the whole country will inevitably suffer.

The MyGov privacy policy claims to protect user identifiable information. Below are excerpts from their policy pages.

1. "MyGov do not sell or share any personally identifiable information volunteered on this site to any third party (public/private). Any information provided on MyGov will be protected from loss, misuse, unauthorized access or disclosure, alteration, or destruction. MyGov gather certain information about the User, such as Internet protocol (IP) address, domain name, browser type, operating system, the date and time of the visit and the pages visited. MyGov make no attempt to link these addresses with the identity of individuals visiting our site unless an attempt to damage MyGov has been detected."
(https://mygov.in/simple-page/terms-conditions/)

2. "Please note that MyGov do not share any personally identifiable information volunteered on this site with any third party (public/private). Any information provided to this website will be protected from loss, misuse, unauthorized access, disclosure, alteration, or destruction."
(https://mygov.in/mygov-faq/)

Turns out that, like many other things, this privacy policy is a jumla as well.

The Economic Survey of India states that PDS allocations lost to leakages were 54% of wheat, 15% of rice, 48% of sugar and 41% of kerosene. That's over Rs. 68,700 crore.

Tweet by @Aun_X and @Vidyut (https://t.co/IoqjNglEh2): "Amazing how popular ration items show the most "leakages" #EconomicSurvey http://t.co/YzVnuK7ZWD"

Wheat, sugar and kerosene are the three items most people prefer to purchase from the PDS system. These are the three items that do not carry any major perception of lower quality from having been purchased from the PDS system, as opposed to rice, which is usually noticeably poorer in quality than the more expensive and better tasting store-bought varieties. Most purchasers of rice from the PDS system, other than the very poor, end up using it for making flour or batter for dosas. Very few who can afford to eat well bother to cook PDS rice and eat it as whole grain. Is it not remarkable, then, that rice, which often comes in poorer quality sacks than sugar, manages to leak more than sugar? Who are we fooling here?

Here we take a look at the inside story on "leakages" with kerosene. Similar stories exist for other items too.

The PDS system in India was introduced in 1965 and was aimed at poverty alleviation and curbing hunger in the lower classes of society. With time India has changed, but the good old Public Distribution System has remained the same.

The PDS system in India has always been in the news for all the wrong reasons. Out of the entire host of commodities that are sold through the PDS, kerosene's black market alone is worth Rs. 10,000 crore. While there have been talks, and talks only, to reduce these losses, no action is visible on the ground. We have often heard that black marketers are ruthless, that they have been robbing the government and have even killed some honest government officers like Sonawane in Nasik, Maharashtra, or a senior journalist in Andhra Pradesh, but not much reporting is done to understand the real cause. We are often told that the price differential between diesel and kerosene is responsible, while that isn't the complete picture.

The System:

Kerosene is sold in the market through a whole host of dealers and sub-dealers. When a tanker is dispatched from the company it is sealed and secured. When it reaches the dealer or the wholesaler, it first needs to be checked by the Tahsildar or any officer from his office and certified that the tanker has not been tampered with. Only after that can a tanker be unloaded at the depot.

Once the tanker is unloaded at the depot, it again needs to be certified by the Tahsildar that the entire load has been unloaded, and the documents need to be stamped and signed. The same goes for semi-wholesalers, as they buy the entire sealed lorry from the dealers. The semi-wholesaler then distributes the stock to the hawkers and retailers.

The Government has fixed approximately Re. 1/litre as commission for the dealer as well as the wholesalers. But the need for unnecessary checks at every level means more money changes hands as bribes, right from the clerks in the Tahsildar's office to the District Supply Officers. A dealer normally pays Rs. 5,000 to 10,000 per month depending on his quota. The higher the quota, the more is demanded by the District Supply Officers. Even after the payment of these bribes, the dealers and wholesalers are raided and show-cause notices are issued against them when they ask questions.

Now let's talk about hawkers and retailers. Each retailer and hawker has been allotted a monthly quota which can be in the range of 1 to 5 barrels (200 litres/barrel) a month, depending upon the need for kerosene in his territory. A retailer buys kerosene from the dealer at the rate of Rs. 15.40/litre and sells it at Rs. 15.66/litre (or he is supposed to sell at that price). That means he makes Rs. 52/barrel. Imagine this. Just the transportation cost that he bears from the dealer's depot to the point of distribution is Rs. 200/barrel. Add to it his record-keeping expenses, which are about Rs. 200 per month, plus the monthly bribes of Rs. 1,000 per month that he has to pay to various clerks of the tahsil office.

All these numbers make the entire business unviable for him. Since he is the only point of leak in the distribution system, mafias target these poor retail licence holders. They purchase the entire monthly quota from them, giving them a profit of Rs. 5/litre, or Rs. 1,000/barrel. And then they retail it for Rs. 40/litre in the open market.

This is a systematic problem. Apart from a culture of bribery, the narrow margins also contribute to making the business unviable, leading to "leakages". The end result is poor availability of kerosene for the common man, regardless of price.

There is a need to use more realistic language in reporting statistics to citizens. There is also a need to investigate sources of leaks and plug them comprehensively while making necessary revisions for the system to still remain viable enough for the distribution to happen.

Another problem is that kerosene is not available for purchase other than through government ration supplies, even for a citizen who does not want to purchase it in "black". Unless you have a ration card that allows you to purchase kerosene, there is no legal way to buy it if you need it for, say, cooking on an outing, using with oil paints or lighting a bonfire. There is a need for kerosene to be available for purchase on the open market as opposed to government ration sources alone. This will reduce the market for "black" kerosene if people can simply buy it legally.

The problem is such that these "leakages" often result in kerosene being unavailable for people to purchase even if they are entitled to purchase with their ration cards. Households dependent on kerosene for cooking end up spending far more money purchasing the kerosene siphoned off from the system at higher prices.

As per The Hindu's report, the Government is currently losing Rs. 12.54/litre by way of subsidies. If the subsidies are removed, kerosene will be retailed in the market for Rs. 27.68/litre. This is still cheaper than what is being sold by the mafias in the open market, but it will raise the price for the poor consumer regardless. The alternative is to devise a system with adequate checks that prevent this pilferage, possibly by making the margins more realistic and clubbing them with severe punishments for theft.

These solutions are really practical, but they need strong political will for their implementation. And you can never expect a government which works hand in glove with mafias to implement them.

Regardless, the mafias causing such massive losses to the country have to be eradicated. In the meanwhile, the Economic Survey of India should at least stop lying and call these "leakages" what they are: pilferage. The real problem has to be visible for real solutions to even be deemed necessary.

This post has been written in collaboration with Aun Ajani.

Aun Ajani is an MBA graduate from the Birmingham Business School, UK. He has previously worked with an investment bank and is now conducting market research to implement his business idea. He has witnessed the problems in the kerosene retail and distribution business since his childhood, as his family has been in the petroleum retail business for the last 75 years.