As soon as news came out that hackers may have accessed sensitive data of more than 6000 Indian companies from the National Internet Exchange of India (NIXI), a statement was released by the NIXI spokesperson ‘denying’ any such leak. The statement, as reported by several news outlets, not only fails to inspire any confidence but also raises several doubts about the security mechanisms in place. As per the news reports, the statement reads as below:
‘It has come to our knowledge that a business organization dealing with enterprise security solutions has sent information to various news agencies that it has found that an advertisement was given on the darknet announcing secret access to databases of over 6000 businesses and ISPs, Government and private organizations, and that the said actor is attempting to sell this database of the Indian Registry for Internet Names and Numbers (IRINN). It claimed that the seller’s ability to tamper with the IP allocation pool will cause a huge outage or distributed denial of service. It also mentioned that the names of several prominent private and Government entities were displayed by the actor.
NIXI hereby clarifies that there has been no serious security breach of its IRINN system, as it has a robust security protocol in place. The hacker has no capacity to cause any damage or initiate a distributed denial of service against any entity that has been allocated Internet resources through the IRINN System. There was an attempt to penetrate the system, and the hacker was able to collect some basic profile information of the contact persons of some of the affiliates, which was displayed by him on the darknet.
The existing security protocol of NIXI is robust and capable of countering such attacks. However, following this breach, the security protocol has been further strengthened and a review of the existing infrastructure has also been initiated.
We assure our affiliates and all concerned that our system is secure and the security protocol in practice is capable of handling such attacks. The claim by the actor of the Dark Net is audacious and far from the truth.’
The tone of the above statement clearly shows that NIXI is trying to downplay the seriousness of the issue. Reading it closely, at least one thing is very clear: there was, in fact, an attempt to penetrate NIXI, and some data was stolen by the hacker(s). The original blog post of seQtree InfoServices (the security arm of Quick Heal, which tracked down the database leak) shows that the data now on sale is not just ‘some basic profile information’, as claimed by NIXI. The statement by the registry also fails to indicate the timeline: when the alleged hacking took place, and for how long NIXI had knowledge of the breach. If NIXI was aware of the data breach, why did it wait for a private company to announce the breach on its blog? We do not know whether NIXI alerted the affected organisations or took any preventive measures against further attacks. From the tenor of the statement, it is plausible that NIXI had no knowledge of the breach before seQtree informed them.
NIXI has also assured that its systems are secure and that its security protocol is strong enough to avert any DoS-type attack. The statement released by NIXI is very vague and makes it difficult to estimate the extent of the damage that can be caused with the type of information leaked. Can NIXI also ensure that the information leaked from the registry cannot be used by malicious hackers to start a social engineering campaign to further compromise individual organisations? One needs to be reminded that the list of affected organisations includes not only government websites but also organisations like UIDAI, which retain private and sensitive data of individuals who will have no recourse if their information is abused for other ulterior purposes by hackers.
The response from NIXI is not only weak but also very opaque. To deal with such situations there needs to be more transparency and accountability in the manner in which organisations like NIXI protect themselves and their customers from such threats. Bare denial coupled with implicit admission of security loopholes in the system may save one from the wrath of media houses, but it leaves the sensitive data of thousands of people and organisations exposed to malicious attacks by cyber criminals and rogue foreign and domestic state actors alike.
Source: National Internet Exchange denies breach in IRINN database, http://www.ecoti.in/oMLbAZ
Also available at author’s blog: https://synackscan.wordpress.com/2017/10/04/database-dump-of-6000-indian-companies-leaked/