Indian internet, website weaknesses
By Rajshekhar Murthy
India is the target of bomb blasts almost every month. Hundreds of innocent people die for no reason. While it is difficult to stop all such attacks, it is fairly possible to prevent many such attacks by improvising and using the existing resources effectively. Let's look at some of the problems we face, many of which could be handled by our skill sets and proper planning.
ATS (Anti Terrorism Squad): It has a wrong focus. While it’s common knowledge that terrorists use the internet for communication, and target Indian websites to highlight their cause, the Anti-terrorist Squad seems to be focused more on tapping mobiles, intercepting GSM networks and voice-privacy solutions. The reality is, even though these do help, they are not a holistic means of tracking terrorists. Talk about internet / web security or Digital forensics, and one gets odd looks. Techies are still insignificant people in front of their "real" world of guns and bullets. Besides we always have the Cyber Crime Cell in Mumbai to put the blame on.
Cyber Crime Cell, Mumbai: I don't mean to be rude, but it's practically a glorified department. Even tracing an email is a challenge. But more than the technical incompetency, the larger issue is attitude. A few intelligent people who know a few technical things prefer to keep mum. Their reason - why open your mouth and invite more work? The complex unsaid ego and divide between "senior" and "junior" officers ensure that sensible work or processes never get implemented.
NTRO: is one organization that is making the right moves. NTRO is one organization I personally respect a lot. They have made tremendous efforts to bridge the gap between various agencies over time. With a strong technical team, I feel they are quite equipped to handle Cyber Crime related issues. But again, they are not directly involved or are tasked to tackle it.
CERT India: is a big joke. I don't know why we have CERT India. What is its role? Let’s see what they say about it. According to their website the incident reporting and follow up process involves: "CERT-In will then analyse the information provided by the reporting authority and identify the existence of an incident. In case it is found that an incident has occurred, a tracking number will be assigned to the incident. Accordingly, the report will be acknowledged and the reporting authority will be informed of the assigned tracking number. CERT-In will designate a team as needed." ... and Blah Blah Blah.
Here's the truth. CERT does not have any system for Incident Reporting. Even if you report an Incident, they won't respond back to you. In August 2006, we reported close to 40 plus Government related websites (including the president's) that were vulnerable to hacking. We gave exact links, documented proof, videos (yes, even recorded videos!) and screenshots. This report was also sent to major news channels. What happened? Nothing! With anguish, we could only watch our Indian websites being hacked over time.
NIC: Almost every government related website is developed and maintained by NIC. And almost every website has a host of vulnerabilities that a defacer can take advantage of. I wonder why NIC does not have decent security training with all that money from the Government? With e-governance on the rise, it will be dangerous if the Indian Government does not take a serious look at the lack of Information Security awareness.
So what are the solutions to make our country safer? I think the Government must move to quickly allocate resources towards gearing for Cyber warfare. This is where the real battle lies. With the vast confusing mesh of departments, it's best for the Government to seek some professional advice. Here are some suggestions:
- Acknowledge Hackers and work WITH them. Encourage Open Disclosure.
- Support Indian Hacker groups and community.
- Facilitate Cyber Crime awareness in Academics. Utilize local youths as volunteers for solving cyber crime cases.
- Make it mandatory for all lawyers to upgrade their technical skills and awareness of Cyber Crime.
- Consult the corporate sector before drafting or making further amendments to the IT Act Laws.
- Understand the importance of training and impart the same to all officials protecting our country. And not expect it to be delivered free by some company.
- Work out procedures to establish cooperation between different agencies for tackling crime and the faster resolution of problems.
Here is a small list of websites that are vulnerable and we have passed on the information to the Cyber Crime Cell / Government but nothing has been done to rectify it: Maharashtra State Police website, Passport Office Chandigarh, Tata Memorial Hospital, Ministry of Information and Broadcasting, Dept. Of Education - Govt. of Rajasthan, Official website for Eastern Railway, BSNL - Dotsoft Development Center, Ministry of Defence, Prime Minister of India - PMOs Office, Directorate of Public Grievances, Central Information Commission (CIC), Central Vigilance Commission (CVC), Election Commission of India, Directorate of Technical Education Maharashtra, The Singareni Collieries Company Ltd, State Information Commission of Himachal Pradesh, NIC - Project Progress Monitoring System, Public Health Engineering Department, Tea Board of India.
This is only a partial list of vulnerable sites. Feel free to reach us for further information.
(Rajshekhar Murthy, CEO of OrchidSeven Infosec, is a highly qualified security expert who is consulted by a number of high profile Government and private companies. Rajshekhar is an MCP, CCNA, CEH, H3X, F3X and a Six Sigma Black Belt.)
(8/13/2008)