Hacker News new | past | comments | ask | show | jobs | submit login
Indian Government Breached, Massive Amount of Critical Vulnerabilities (johnjhacking.com)
301 points by astroanax 14 days ago | hide | past | favorite | 67 comments



This smells a bit off: why is there no detail whatsoever on what exactly they breached? The "Indian Government" (central, state, other?) is a sprawling octopus that employs on the order of 50 million people, and there's a world of difference between breaching the public site of the Department of Fertilizers (https://fert.nic.in/) vs getting into the internal systems of the Ministry of External Affairs. The only clue appears to be those 14,000 police records.

Update: the leader of the "Sakura Samurai" appears to be 15 years old, which explains a lot.

https://mobile.twitter.com/jacksonhhax


John Jackson (johnjhacking) is not jacksonhhax, though they're both part of the same group.

For context, John's a vet who's employed in the field. And beyond that, he's published other sound security research in the past, e.g. https://johnjhacking.com/blog/cve-2020-28360/ (https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-2836..., which links https://github.com/frenchbread/private-ip)

As for the attribution chain to sakurasamurai.org, reference the following:

• twitter.com/johnjhacking refers users to

• twitter.com/sakurasamuraii, which links

• sakurasamurai.org in a pinned tweet.

Source: I know John personally.


I think that Twitter user is just a member. One of the founders is https://twitter.com/johnjhacking who proclaims to have a full time job and be a disabled vet.


whoever is behind it I find it hard to blame them. As they write on their blog:

>> Governments have an obligation to protect the private data of its employees and citizens. In addition, the exposure of proprietary government data can be used for great means of manipulation and for other destructive purposes. While the NCIIPC operates a Responsible Vulnerability Disclosure Program, the recklessness and avoidance of communication represents the complete opposite of a responsible program. <== from https://johnjhacking.com/blog/indian-government-breached-mas...

Enough has been said by people inside and outside of India about UIDAI / Aadahaar[0][1] and it's many horrible side-effects and risks it creates. This situation that has been created years ago after loud warnings of researchers and citizens who have meanwhile been silenced by the Modi government (who are the real culprits here).

India has done this to its people already years ago, therefore breaches here today are mere symptoms of incompetence (not the cause).

[0] Aadhaar: 'Leak' in world's biggest database worries Indians https://www.bbc.com/news/world-asia-india-42575443

[1] French Hacker transcends Aadhaar UIDAI helpline number to millions of Android phones in India https://www.cybersecurity-insiders.com/french-hacker-transce...


> Unfortunately, what seemed like a done deal turned out to be quite the unprofessional ride. Any organization knows that fixing breach-worthy vulnerabilities is extremely time sensitive. Once threat actors catch wind of major vulnerabilities against an organization they begin poking on their own, looking for more vectors of attack.

Do you expect them to tell everybody exactly which systems are vulnerable? What is it you're suggesting they do?


I believe they are suggesting that the systems be fixed in a timely manner.

That was my read of the article.


> why is there no detail whatsoever on what exactly they breached?

Because this is an ad.


> Update: the leader of the "Sakura Samurai" appears to be 15 years old, which explains a lot.

What does it explain? Anyone who is not familiar with the branches of the Indian government could have omitted specific details of which departments were hacked.


It explains that the whole press release/site down to the branding looks like amateur hour: https://sakurasamurai.pro/


Looks like every other text file I've seen from hacking groups over the last 25 years, which is the aesthetic they're going for.


"Indian government" means central government, not state. Just like "US government" always refers to the federal government.


I would have the same question of the US federal government being breached: which systems, exactly?


In Indian usage, yes, but this appears to have been written by a bunch of American teenagers.


Well, we can't expect every hacker to know what they're looking at...

> Game List

>> GLOBAL THERMONUCLEAR WAR


premature attribution is as much a fallacy and problem as ignoring risks that lead to a breach in the first place.


Everyone seems to assume it is the central government. No one has remarked on this, the following somewhat obvious. One of the screenshots has a heading in Malayalam, saying "Bill Vivarangal" - "Bill details" [1].

Was it some government of Kerala service which was breached? Or is it one of several governments? Or was it only the central government with Malayalam as the language set for the interface?

If it was an Indian hacker, they would know that the language will be a big giveaway, so they would have obscured it. (India has about 15 official languages, and probably about 10 scripts each with 10+ million users [2].) Overall, I cannot dismiss the feeling that it is some script kiddie who attacked some underfunded department, rather than some big deal.

[1] https://johnjhacking.com/uploads/session-chained.png

[2] https://en.wikipedia.org/wiki/Brahmic_scripts


[flagged]


I am not a fan of any government or political party in particular. Just pointing out an obvious fact.

But the newly registered domain is not a red flag per se. That's how experienced groups might also go about covering their tracks.


The domain is fine. My reasoning is that I know John (johnjhacking), have worked with him, have at times educated him, have on more occasions learned from him, and lastly, the attribution chain is

* twitter.com/johnjhacking refers users to

* twitter.com/sakurasamuraii, which links

* sakurasamurai.org

It's not a random group trying to defame a government. It's a known security researcher with a sterling rep.


> "some motivated groups try to blame central government for every action"

Nice try there bro. But unfortunately newly added domain doesnt disprove anything mentioned in the article.


Tamil kooda irukalam


Don't just go by the transliteration in parent comment. If you see the screenshot, it's clearly Malayalam.


enge?


This manner of disclosure seems rather callous and reaching out on twitter to communicate a discovered vuln smacks of attention seeking. The Indian Government sites are a very wide mix with some where there is active consideration of such criticalities and a huge number created by the local enterprising chap who is no longer involved. Its hardly a surprise that lots of sites are vulnerable. Without some info on the sites, this is just scare mongering. NPCI is a critical piece of financial infrastructure but this could very well be the front-facing website and nothing to do with the financial services. Looks like an ad, as many others have pointed out.


Sorry I might've missed it, where did you see NPCI (the payments body) mentioned? The organization mentioned repeatedly in the post is NCIIPC.


Try reporting something to Indian CERT, its a bureaucratic chore. I tried reporting multiple, still open issues but nothing happened. One exposed PII data at scale, the other one exposed credentials at a critical sector organization. Now I am not reporting it anymore because no one listens.

The key problem is that cyber in government is still very nascent, and security is an afterthought even in policy.


> Governments have an obligation to protect the private data of its employees and citizens. In addition, the exposure of proprietary government data can be used for great means of manipulation and for other destructive purposes.

Understandable.

> While the NCIIPC operates a Responsible Vulnerability Disclosure Program, the recklessness and avoidance of communication represents the complete opposite of a responsible program. A failure to release notification of breach to affected citizens and to patch highly-critical vulnerabilities in a timely manner reflects poorly on the state of their Information Security posture. The clock to patch vulnerabilities began immediately when the DC3 contacted the NCIIPC via Twitter, as it is a highly visible space - one which threat actors avidly monitor.

Why did they published anything about the vulnerabilities before they were absolutely sure all of those has been mitigated?


> Why did they published anything about the vulnerabilities before they were absolutely sure all of those has been mitigated?

Because various entities tried to exploit that to defer any publicaton, which lead to things never getting fixed.

An entity may not want to fix things, but at some point their users / constituents have a right to know so they can take their own protective measures.


> Because various entities tried to exploit that to defer any publicaton, which lead to things never getting fixed.

Also understandable.

> [...] so they can take their own protective measures.

Little can the ordinary citizen do whose data is at risk of exploitation. All responsibility lies on the government because the citizens do not have any other choice, as it seems to me. What protective measure can someone take who is vulnerable?

With a thorough reading of the article, it is clear that the hackers are aware of what they are doing:

> Once threat actors catch wind of major vulnerabilities against an organization they begin poking on their own, looking for more vectors of attack.


The industry standard seems to be disclosure to the entity followed by a reasonable grace period, at which point the bug is disclosed to the general public (where there's room to quibble in what the definition of "reasonable" there is).

I'm not sure that helping individuals protect themselves is the main goal, though. It is important that entities respond to these issues in a reasonable timeframe, because if a small group of researchers, academics, or whatever can find a bug, then other nations' intelligence agencies or industrial espionage groups can as well.

Realistically, in the case of companies, the best an individual can do is not do business with them. In the case of government agencies in democratic countries, public pressure is the probably the way to go.


> What protective measure can someone take who is vulnerable?

Like deleting your sensitive documents that you have uploaded already. Removing contact information and other personal details.


Because responsible disclosure isn’t as cool and being a l337 h4x0r


It also doesn't pay nearly as well with many organizations.


If these guys were Indian pretty sure they would be facing jail time for exposing such vulnerabilities (1)

(1) https://www.livemint.com/Opinion/S6Ep52qB9PK1DRLFUbUDBK/The-...


Well. Section 47 is a real delight, a diabolical inversion of the principle of locus standi. Increasingly, there are agencies and laws which say that "you cannot take us to court". As though writing it makes it somehow legal. Reminds me of calvinball.


Sovereign Immunity means you can't sue the government unless given permission by a statute anyway.


This has nothing to do with sovereign immunity. It is just an act. Expectedly, it was struck down by the Supreme Court as unconstitutional. It was just a ludicrous thing to try in the first place.

https://www.timesnownews.com/business-economy/economy/articl...


Is there any financial incentive to secure an Indian citizen's data ?

In fact, there's more financial incentive to make things leaky, less work needs to be done to peek into your neighbors yard, and the vast (vast, vast) majority of the people cannot give a damn about this.

Frankly, I'm surprised they replied with an acknowledgement and tried to fix some vulns.

Expect no more changes.


Indian Government Sold Driver Licence Data to 87 Private Companies for Rs 65 Crore -

https://www.news18.com/news/auto/government-sold-drivers-lic...


The data is already publicly available via government sites and app store. By making the data public through 3rd parties, government just made it easy for public to access it.


Calofornia does it sell for 50Mio USD and Florida for 77Mio USD. I guess just everybody sell everything today.

https://www.caranddriver.com/features/a32035408/dmv-selling-...


What does RS 65 Croer mean?


Rs means rupees, specifically Indian rupees in this case, which has the symbol ₹ and code INR. (Other countries have rupees as well, but that symbol is specifically for Indian rupees.)

One crore is 10 million in the Indian numbering system, see https://en.wikipedia.org/wiki/Crore.


Crore = 10 million, so 650 million rupees, or around $9M USD.


https://perryizgr8.github.io/crores-to-millions/

Tool I wrote to convert between Indian and American numbers.

65 crore = 650 million


Crore is equivalent to 10e6. In this case, that would evaluate to 650'000'000 INR.


> 10e6

Under scientific notation, you should strongly prefer to write 1e7. 10e6 is just begging for people to interpret it as 10⁶ rather than 10×10⁶ (10⁷).


But that's the definition, and every calculator's "engineering" mode shows it exactly like that, too. And usually you learn in middle school how to interpret that.

Here’s a photo with the calculator I used in middle school, showing exactly the specified number:

https://i.k8r.eu/qOUpgg.png


Curious. I don’t have a traditional calculator to hand, but tools like Rust, Python and Wolfram|Alpha are all turning 10e50 into 1e51.

https://en.wikipedia.org/wiki/Scientific_notation#Normalized... agrees with my memory that in normalised form the coefficient should be at least one and less than ten.


And the paragraph below the one you linked... https://en.wikipedia.org/wiki/Scientific_notation#Engineerin... is directly showing exactly the mode I'm using :)


Oh, I get it and see what’s happening. Kinda careless of me to miss it. Thanks for pointing it out.


I can see how it’s not obvious if you never learnt it, but especially in when working with the SI it’s incredibly useful and makes many hidden relationships quickly obvious.

MeE isn't M^E, it's defined as M * 10^E.


And that’s what I was talking about from the start—10e6 is 10×10⁶, which is in normalised form 1×10⁷ or 1e7.


Am I reading a pen test report here? This is just an ad for a pen test agency, isn't it?


At this point, wouldn't it be easier to design systems as completely open, with all user data exposed?

Then for actual interaction purposes, to rely on biological verification? eg. widespread retina and fingerprint scanning.

As a side effect this would somewhat limit tax evasion - if all tax returns and income were public, as in countries like Norway.


> ...eg. widespread retina and fingerprint scanning...

This previous HN discussion [1] about a "Falsehoods programmers believe about Biometrics" article might be relevant. Careful, here be dragons, edge cases still abound the unwary implementer.

[1] https://news.ycombinator.com/item?id=25700026


So in the process of communicating with the Indian Government to resolve the issues responsibly, they announce on Twitter "We Breached The Indian Government!!!".

What is wrong with them?


no/less bounties from gov? researcher wants to show off? 10 year old kid who recently wrote some script and has a lot of over confidence? Who knows.

But its a fault of Indian Government too. They hire programmers who are less competent to save budget for salary. And if someone reports some vulnerebility I bet these government police will come after the reporter. And there is no incentives too.


The same thing happens I believe in almost all developing countries, they don't take security that seriously, all contracts related with technology are awarded to the company, that charge the smallest amount of money and has ties with the public officers at the time, when a researcher detects a bug in their software depending on the entity they either sue the researcher or ignore him, until they are exposed by the public media.

Couple months ago the data of all Venezuelan immigrants got breached the government did nothing until the public media started to talk about it.


They don’t fear jail for some reason...why?


I think the article covers that exact question (excerpt below)

Sakura Samurai coordinated with the U.S. DoD Vulnerability Disclosure Program (VDP) to assist in facilitating initial conversations of disclosure. John Jackson spoke with DC3’s Program Manager via email and coordinated on a plan of action

&

Roughly 4 days later, after further communication with the DC3, we felt safe to begin our initial reveal of research on the NCIIPC’s RVDP program.


Being 15yo.


If they care, as they claim, about the consequences for the indian public, why did they not disclose this less publicly? They think two weeks is a long time but perhaps the Indian government departments concerned don't immediately have the right sorts of people available to fix all these software problems in two weeks?


Very few large organisations, and zero distributed ones like a collection of multiple government departments, can turn around a massive collection of security fixes in 2 weeks.

I believe Google's Security team usually gives vendors 90 days before they go public.


I'd wager they just ran pccleanupscan on their xp boxes for the first tine since 2004 and got a shock, I guess the bulk of it was installed within the last 16 years. They probably had 90% of that malware for 15 years by now. You know how these skits go.

Wonder. If Indian Gov so vulnerable and given the china-india conflict ... may be they like to use stick.


This is fine...




Applications are open for YC Summer 2021

Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: