How to hack a government website? The dummy’s guide

Government agencies themselves curate and publish a list of vulnerabilities in various government portals, on a fortnightly basis, that is used by hackers to easily gain unauthorised access.
Image used for representational purpose
Image used for representational purpose

HYDERABAD: How do government websites fall prey to hackers? The answer is simpler than you think. Government agencies themselves curate and publish a list of vulnerabilities in various government portals, on a fortnightly basis, that is used by hackers to easily gain unauthorised access. At least seven hackers that New Indian Express spoke to confirmed this was the easiest route they used. Experts say this is equivalent to locking up all your valuables in a room and leaving the key in open for anyone to access.

The National Critical Information Infrastructure Protection Centre (NCIIPC) releases a Common Vulnerabilities and Exposures (CVE) report on a fortnightly basis. According to the agency, the CVE is “a dictionary that provides definitions for publicly disclosed cybersecurity vulnerabilities.” The report, however, is not originally prepared by NCIIPC. It’s sponsored by a unit of the Department of Homeland Security of the US government. NCIIPC only compiles a list of vulnerabilities in Indian government portals from the original document. In both cases, the data is accessible by anyone on the internet.

The NCIIPC started curating these reports for critical infrastructure in October 2016. This, experts say, made the job easier for hackers looking to specifically target Indian government websites. However, speaking to Express, NCIIPC officials said they were not liable for how the information was being used. “The onus of fixing issues lies with the owner of the digital assets,” said an official.

Express spoke to five Hyderabad-based youngsters who claimed to have used the information to target government websites. “The report uses something called a CVE ID under which websites are classified based on their vulnerabilities. We use this CVE ID to gain entry into the servers,” said one hacker. “Most of the time, server administrators of these sites are not even aware of their CVE scores. They get to know this only when an assessment of the server is done. By then the data could be stolen,” said another hacker.

“We are aware of this issue,” confirmed Abhijeet Raj Shrivastava, the sectoral coordinator of NCIIPC. “This information is not released by us and it’s openly available to anyone accessing the internet. What we do is find the latest one and provide it to users and agencies.

It can be used negatively or could be used as a proactive measure to fix the problem,” he added. Interestingly, a whopping 114 government websites were hacked between April 2017 and January 2018, according to government data.

Expert Take

Speaking to Express, city-based cyber forensics analyst and founder of Kryptix Infotech V Dhanunjaya had this to say about the issue:

  • Around 70 to 80 per cent of these govt websites are critically vulnerable

  • Hackers have been using the CVE identification code (ID) to find vulnerabilities on government servers

  • There is no proper communication between the NCIIPC and other government departments

  • Even if you want to report a pressing matter, you are directed to a toll-free number

  • 301 alerts on potential vulnerabilities to multiple systems and applications were issued by CERT-In between Apr 2017 & Jan 2018

Related Stories

No stories found.
The New Indian Express
www.newindianexpress.com