Andhra Pradesh government site goes offline, data of millions freely available on Mee Kosam

In the wake of a series of reports on data leak, IT Minister Nara Lokesh reportedly said an audit was underway to identify vulnerabilities in 33 government websites.

VIJAYAWADA: Even as vulnerabilities in the state government's websites are exposed one after another with each passing day, TNIE has learnt that private information of AP's residents is freely available on the 'Mee Kosam' portal. Despite gaps in the portal being exposed at a hackathon held in Visakhapatnam on April 26, the state government is yet to plug them. Now that Aadhaar numbers of lakhs of residents of Andhra Pradesh are available online, as exposed by cyber security researchers, all that one has to do to get hold of people's vital information such as name, photograph, salary, phone number, address, etc., is to key in the 12-digit number on the government website.

The portal in question is part of the government's 'People First' initiative under its Real Time Governance (RTG) programme intended to address public grievances without delay. Details of people who participated in the 'Smart Pulse Survey', which was held by the state government last year, are available on the Mee Kosam portal. It may be noted that the survey was an exercise undertaken by the AP government in which the socio-economic data of every citizen of the state was integrated with his/her Aadhaar number.

A college student who participated in the hackathon revealed his team had exposed vulnerabilities in the website, and easily at that. "Some of them were rectified immediately, but others are yet to be corrected. We spotted loopholes in the e-Pragati website too," he added.

Meanwhile, the state government has begun an audit of all government websites to 'sanitise and monitor' leaks. As a part of the exercise, the state government shut down www.ap.gov.in on realising that it contained over 300 backlinks planted by hackers promoting private products. One of the links included the sale of a sexual wellness pill.

In the wake of a series of reports on data leak, IT Minister Nara Lokesh reportedly said an audit was underway to identify vulnerabilities in 33 government websites. He also said that the Andhra Pradesh Cyber Security Operations Centre established in Vijayawada was in the process of identifying how to securely store data.

However, cyber experts TNIE spoke to raised concern that if students could expose private data, it would be child's play for any unscrupulous hacker to sell the information. "Most of the state government's websites don't follow the 'Guidelines for Indian Government Websites' (GIGW) that are formulated by the Ministry of Electronics and Information Technology. Therefore, they are easily prone to hacking," said D Sai Satish, a white hat hacker of national repute from Vijayawada.

Satish observed that encryption and coding standards followed by the state government for designing and maintaining databases and web applications were poor. "That is why it is easy to make a data tampering attack on state government websites," he observed.

Explaining why there were over 300 backlinks in www.ap.gov.in, Satish said, "Online firms need a good Google ranking or Search Engine Optimisation (SEO) score for their businesses to flourish, so they resort to planting backlinks in other websites to make their products popular. Since ranking would be better if a government or a research website endorses their products, vulnerabilities in government portals are usually exploited by hackers."

Satish explained that data could be protected if the state government applied patches to vulnerabilities without further ado.

-- Guidelines for Indian Government Websites (GIGW) have been drafted by the National Informatics Centre (NIC) of Ministry of Electronics and Information Technology.

-- There are three categories -- mandatory, advisory and voluntary -- of guidelines

-- Cyber experts say that AP government websites don't follow the GIGW

-- Most databases of state government have poor encryption and most web applications have poor coding standards, cyber security expert D Sai Satish said.

-- Satish also suggested that the government formulate a mechanism wherein information can be accessed only after a One Time Password (OTP) is generated.

-- OTP will help eliminate unauthorised access of data as the password would be directly sent to the person's mobile number

The New Indian Express
www.newindianexpress.com