A national debate has emerged in India about the security of the country through the lack of Cyber Security in the Government sector.

A security practitioner from Sweden has published the e-mail passwords of several Indian embassies in a blog (http://derangedsecurity.com). Several journalists in India have already tested and found that these passwords are still working and several confidential information in the e mail boxes of some of the embassy officials were available for public perusal.

The concern that arises is that while this hacker has made the issue public, in the past terrorists might have been monitoring these e-mail boxes and Indian national security might have already been compromised.

This incident reflects very badly on NIC and CERT-IN as the technological and Cyber security arms of the Government of India.

Perhaps this is as serious a lapse as that which caused the Kargil infiltration and there is a need for the Government to take some very serious action to prevent recurrence of similar incidents in the future.

Speaking to a TV Channel, the hacker reportedly stated “I don’t think that what I have done is illegal and I have never hacked into anything. Moreover, I haven’t logged into any of these accounts, however, I do have access to emails but that is because poor security. Once in a while, you do stumble on to some information on the internet. Usually, I contact the people involved and tell them how to fix it, however, in this case I didn’t really think that I could –probably, the Indian governement would not have listened or if they would have, they would have charged me with cyber crime.”

Though technically Indian law as it stands now can consider this as a crime under section 66 of ITA 2000, perhaps the hacker in this case has adopted this extreme measure for a good cause and this may be a fit case for grant of a respectful pardon.

It may also be noted that it is not only the Indian embassy passwords that have been stolen by the hacker, but also the passwords of embassies of several other countries and agencies such as National Defense Academy.

Looking at the pattern of the passwords unearthed by the hacker, it appears that the predominant method used for extracting the password might have been using a “Packet Sniffer” or a “Key Logger”. The extraction appears to have been made at the user level rather than at the server level. The users might have contributed through their negligence by having not  secured their computers ..may be their laptop/home desktop.

According to on of the TV news channels, in response to the  security threat, the Government of India has instructed the officials to stop using e-mails for exchange of confidential information. We sincerely trust this is not true. But some time back when the security risks of WiFi devices had come to the notice of the Government,  there was a security advisory to the officials not to use WiFi rather than implementing better security measures. The news report though scandalous is therefore not too improbable!.

In the light of this incident, It has been timely that Naavi.org and Digital Society Foundation have anounced an event to discuss “Vision for Indian National Cyber Security Force” for its celebration of Digital Society Day this year. Hopefully the event would throw up some long term solutions in the interest of national security.





Be Sociable, Share!