By Pranay Manocha:
The Indian government’s biometric attendance system is now online and the information is publicly available in real time. Released with good intentions of making governance more transparent and accountable, the platform exposes a number of very real vulnerabilities.
The departments for which attendance information is available include the Ministry of Defence, the Ministry of External Affairs and the National Informatics Centre. The website makes available, in real time, employees' names, designations and office buildings and, in a majority of cases, their personal email addresses as well. This is very worrying.
For a hacker, being able to obtain a categorized list of personal email addresses is the hardest part of the battle. The government has handed this to them on a silver platter. Other countries recognize these risks. Under data protection laws in the European Union, revealing someone’s personal email address is a breach of privacy. Stricter laws usually apply to those working for the government and in organizations that handle sensitive data.
Not so in the Indian government. Publishing the private information of employees who work in departments such as Agriculture was careless enough, but publishing personal information for senior scientists, under secretaries and technical assistants working in organisations like DRDO is unforgivable.
Many of us have faced the incredibly distressing scenario of our email, Facebook or Twitter accounts being hacked. This exposes our personal information, such as who we message and what we say, as well as our financial information and our private photos. In a ‘simple’ attack, these pieces of information can be used for blackmail. Where there is more malicious intent, the possibilities really take on a different dimension.
For instance, The Intercept revealed that the National Security Agency (USA) targeted the personal accounts of system administrators (SysAdmins) in other countries. Once an email address for a SysAdmin was obtained, multiple tactics could be attempted, including sending realistic ‘news alerts’ with links to fake BBC or CNN reports. Visiting these pages deployed a payload (a specialised computer program – like a virus or worm) that infected the SysAdmin’s computer and provided an access route into the organisation being targeted. Nor is this unique to the NSA: Chinese hackers frequently employ similar methods to gain access to confidential information, as happened at the New York Times in 2013.
The Employee Attendance Register website has published personal email addresses for 50,000 employees, including SysAdmins. This makes the new vulnerability more severe: given the motivation, anyone with a reasonable understanding of computer systems and security is now potentially able to mount an attack.
It is possible, albeit unlikely, that hackers already had access to this information in such structured form. The Employee Attendance Register website not only makes this information available on a single website, it is categorised for easy access and in plaintext, even downloadable as a CSV (comma separated values) file.
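The structured, downloadable CSV described above is exactly the kind of export that should be screened before publication. The following is an added example, not code from the article or from the attendance system, of a pre-publication check that flags and redacts personal (non-official) email addresses in such a register; the sample rows are constructed, and the list of official domains is an assumption.

```python
import csv
import io

# Constructed sample of the kind of register export the article describes.
# Names, designations and addresses are made up for illustration only.
SAMPLE_CSV = """name,designation,office,email
A. Sharma,Under Secretary,North Block,a.sharma@nic.in
B. Rao,Senior Scientist,DRDO Bhawan,brao1975@gmail.com
C. Iyer,Technical Assistant,Shastri Bhawan,c.iyer@yahoo.co.in
D. Khan,System Administrator,NIC HQ,dkhan@gov.in
E. Singh,Section Officer,Krishi Bhawan,
"""

# Assumed official domains; any other domain is treated as a personal address.
OFFICIAL_DOMAINS = {"nic.in", "gov.in"}


def is_official(email):
    """True when the address is on an official domain or one of its subdomains."""
    if "@" not in email:
        return False
    domain = email.rsplit("@", 1)[1].strip().lower()
    return any(domain == d or domain.endswith("." + d) for d in OFFICIAL_DOMAINS)


def redact_register(csv_text, email_field="email"):
    """Return (rows with personal addresses redacted, number of addresses redacted)."""
    reader = csv.DictReader(io.StringIO(csv_text))
    rows, removed = [], 0
    for row in reader:
        email = (row.get(email_field) or "").strip()
        if email and not is_official(email):
            row[email_field] = "[redacted]"
            removed += 1
        rows.append(row)
    return rows, removed


def write_csv(rows, fieldnames):
    """Serialise the redacted rows back to CSV text for publication."""
    out = io.StringIO()
    writer = csv.DictWriter(out, fieldnames=fieldnames)
    writer.writeheader()
    writer.writerows(rows)
    return out.getvalue()


if __name__ == "__main__":
    rows, removed = redact_register(SAMPLE_CSV)
    print(f"redacted {removed} personal address(es)")
    print(write_csv(rows, ["name", "designation", "office", "email"]))
```

A non-zero redaction count on an export that is about to be published is the signal to stop and review the data set rather than ship it.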
Revealing government information of this sort creates a vulnerability and could reveal details such as backdoor trade negotiations, information of a military or sensitive nature and the command and control mechanisms inside the government. Such information is valuable to other countries and multinational companies, as well as to terrorists. For these reasons, this development should alarm everyone interested in India’s national security.
Update: Since publication of this piece, the personal information pages have been taken offline. However, the risk remains, as this information is already in Google and other search engine caches.